From e73595293f40d0679de5770452a9be5814332250 Mon Sep 17 00:00:00 2001 From: Automated Publisher Date: Tue, 21 Nov 2023 00:07:03 +0000 Subject: [PATCH] Automated publish: Tue Nov 21 00:07:03 UTC 2023 504d7e93e21a7f948f48be50bdb9e51fabcef09b --- ssg-rhel8-ds-1.2.xml | 131662 ++++++++++++++++---------------- ssg-rhel8-ds.xml | 131662 ++++++++++++++++---------------- ssg-rhel8-guide-stig.html | 27198 +++---- table-rhel8-srgmap-flat.html | 42708 +++++------ 4 files changed, 166615 insertions(+), 166615 deletions(-) diff --git a/ssg-rhel8-ds-1.2.xml b/ssg-rhel8-ds-1.2.xml index cdc82ae..07bb388 100644 --- a/ssg-rhel8-ds-1.2.xml +++ b/ssg-rhel8-ds-1.2.xml @@ -23,7 +23,7 @@ - + Red Hat Enterprise Linux 8 @@ -75,9 +75,9 @@ - + - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 8 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of @@ -120,170 +120,161 @@ trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. - - - - - - + - - - - - - + - + - + + + + + + - + - + + - + - + + + + - + - - + - + - - - + + + + + - - + - - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + - + - + - + - + + - + - - - - + + - + - + + + - + - - - - + - + - - - - - - + - + - - + - + - + - + - + - + - - + - + - + - + - + + + - + - + @@ -291,48 +282,56 @@ respective companies. - - - - + + + - + - + - + - + - + - + - + - + + + + + - + - - + - + - + - + - + + + + + + + @@ -341,48 +340,44 @@ respective companies. - + - + - + - + - + - - + - + + + + + + - + - + - + - - - - - - - - - - - - - - - - + + + + + + + + @@ -391,118 +386,94 @@ respective companies. - + - - - - + - + - + - - - - + + + - + - - - - + + - + - - - + - - - - - - + - + - + - - + - + - - + - + - + - - - - - - - - - - - - + - + - + - + - + - + + - + - + - + - - + - + - + + - - - + + + + 
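Review bot: every hunk in this region (`@@ -23`, `@@ -75`, `@@ -120` and onward) and the diffstat `4 files changed, 166615 insertions(+), 166615 deletions(-)`, with identical insertion and deletion counts per file, point to an element reordering rather than a content change; the only textual difference visible once the markup was stripped is the `- draft` / `+ draft` status line, so whichever attribute on that element changed (the stripped markup hides it) is the one thing a human needs to verify. For an automated publish this makes the diff unreviewable; suggest having the build emit XCCDF child elements in a deterministic order (for example sorted by id) so consecutive publishes differ only where content actually changed.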
@@ -516,26 +487,55 @@ respective companies. - + - + - + - + + - + + + + - - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + @@ -842,246 +842,246 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - + - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - + + + + + + - - - - - - - - + + - - - + + + + + + + + + + + + + + + - - - - + - - + + + + + + + + - - - - + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + - - - - - - + + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1312,320 +1312,320 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - - + + + + + + - - - - + + + + + - - - - - + + - - + + + - - - - + + + + + + + + + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + - - - - - - + + + + + + - - - - - - - - - - - - - - + + - - + + + + + + + + + + + + + + - - - + + - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - + + + - - - - - - - - - - + + - - - - - - - - - - - - - + + - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + - - - - - - - - - - - - + + + + - - + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + - + + + + + + + + + + + + + + + + + + + + + + - - + + + + + - - - + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1858,175 +1858,175 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - + - - - - - - - - - - - - - - - - - - + - - - - - - - - - + + - - - - - - - - - - - - - - - - - + + - - - - - - + + + + + + + + + + + + + + - - - + + + - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - + + - + + + + + + + + + + - - - + - + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + + + + - + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2267,53 +2267,53 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - + + + + + - - + + + - - - - - - + + + + + - + - - - - + + + + - - - - - + + - - - - - - - - - - + - + + + + - - - + + + + + + + + + 
@@ -2567,365 +2567,365 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + - - - + + + - - - - - - - - - - + + - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - + + + - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + - - - - - + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + 
@@ -3130,289 +3130,289 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - - + + + + - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - + + + + + - - - + + + + + + + - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - + - - - - - - + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + - + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + - + + + + + + + + + - - - - - + + + + + + + - - - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + + + + + + + - - - + + + + - - - - - - - - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + 
@@ -3623,282 +3623,282 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - + + + + - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - + + + + + - - - + + + + + + + - - - - - - - - - - - - + + + + + + - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - + - - - - + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + - - - + + + - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - + + + + + + + + + - - - - - + + + + + + - - - - - - - - - - - - - + - - - - - - - - - - - + + + + + + + + + + + + - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + 
@@ -4116,361 +4116,361 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + - - - + + + - - - - - - - - - - + + - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - + + + - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + - - - - - + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + 
@@ -4679,111 +4679,111 @@ Policy Resource Center: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center - - - - - + + + - - - - + + + + + + - - - - + + + + + - - - - - - - - + + - - - - - - - - - - - - + - - - - + + - - - - - - - - - - - - - - - - + + + - - - - - + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + - - - + - - - - - - - - - - - - + + + + + + - + + + + + + + + + - - + + - - + + @@ -5030,216 +5030,216 @@ in NIST Special Publication 800-53. This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)." - - - - - - - - - - - - - - - + + + + + - - - - - - - - + + + + - - - - - - - - - + - - - - - - - - - - - - - - - - - - + + - - - + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - + + + + + + + - - - + + + + + + + + - - - + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - + + - + + + + + + + - - - - + + + + + + + + + + + + - - - + + - - - - - + + + - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + 
@@ -5472,104 +5472,104 @@ ACSC website: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + + + + + + + + + - - - + + + + - - - - - - - - - - + + + + + + + + + + + + - - + + + + + + + + + + + + - - + + + - - - - + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + - - - + + + + + - - + + + - - - - - - + + + + - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -5795,143 +5795,143 @@ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). https://www.hhs.gov/hipaa/for-professionals/index.html - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + - - - - + - - + - - + - + + + + + + + - - - + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - + - - - - - - + + + + + + + + + + + - + + - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + 
@@ -6153,157 +6153,157 @@ A copy of the ISM can be found at the ACSC website: https://www.cyber.gov.au/ism https://www.cyber.gov.au/ism - + + + + + + + + + - - - + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + - - + + + + - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - + - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + - + - - - - + + + + + + - - - - - - - - - - - - - - - - + - + + + - - - + + + + + + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -6510,216 +6510,216 @@ U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems. https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442 - - - - - - - - - - - - - - - + + + + + - - - - - - - - + + + + - - - - - - - - - + - - - - - - - - - - - - - - - - - - + + - - - + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - + + + + + + + - - - + + + + + + + + - - - + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - + + - + + + + + + + - - - - + + + + + + + + + + + + - - - + + - - - - - + + + - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + 
@@ -6952,263 +6952,263 @@ financial information. This profile ensures Red Hat Enterprise Linux 8 is configured in alignment with PCI-DSS v4.0 requirements. https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - - - + + + + + + + + + - - - - + + + + + - - - + + + + + - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - + + + + - - - + + + + + + + - - - - - - - - - - - + + + + + + + - - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - + + - + + + + + + + + + + + - - - - - - - - - + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + - + + + + - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - + - - - + - - - + + + + + + + - - - - - - - - - + + + @@ -7412,77 +7412,77 @@ with PCI-DSS v4.0 requirements. configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified Cloud Providers. - + + + + + + + - - - + + + + + - - - - - - - - - - - - - - + + - - - - + - - - - - - - + + + + + + + + + - - - - - - - - - - + + + - - - - - - - - - - - - - - + + + + + + + + + + + + - + + + + + - + + + + + + + + + + + + + + - - - - + 
@@ -7722,85 +7722,85 @@ Cloud Providers. This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload all of these checks should pass. - - - + + + - - - - - - - - - + + + + + + + + - + - - - - + - - - - - - + - + + + + + - + + + + - + + + + + + + + + + + - - - - + - - - + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - + - + + + + + - - - - + + + + + 
@@ -8039,416 +8039,416 @@ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - - - - - + + - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - + + + + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + - + + - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + - - - - - - + + + + + + + - - - - - - - - - - - - - - + + + + - - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + 
@@ -8670,413 +8670,413 @@ your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 8 profile. https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - - - - - + + - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + - - - + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + - + + - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - + + + + + + - - - - - - + + + + + + + - - - - - - - - - - - - - - + + + + - - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + 
@@ -9418,16 +9418,6 @@ Alternatively, the package can be reinstalled from trusted media using the comma information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. CCE-80857-6 - -# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names -files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )" - -# From files names get package names and change newline to space, because rpm writes each package to new line -packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')" - - -yum reinstall -y $packages_to_reinstall - - name: 'Set fact: Package manager reinstall command (dnf)' set_fact: package_manager_reinstall_cmd: dnf reinstall -y @@ -9587,6 +9577,16 @@ yum reinstall -y $packages_to_reinstall - no_reboot_needed - restrict_strategy - rpm_verify_hashes + + +# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names +files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )" + +# From files names get package names and change newline to space, because rpm writes each package to new line +packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')" + + +yum reinstall -y $packages_to_reinstall 
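Review bot: the hunks at `@@ -9418,16 +9418,6 @@` and `@@ -9587,6 +9577,16 @@` only move the bash fix for rpm_verify_hashes from before the Ansible fix to after it, with the script unchanged, but since it is now in the diff: the script has no guard for an empty result, so on a clean system `files_with_incorrect_hash` is empty, `rpm -qf` is invoked with no file arguments and `yum reinstall -y $packages_to_reinstall` runs with no package list. Suggest `[ -n "$files_with_incorrect_hash" ] || exit 0` after the first assignment; also `awk '{print $NF}'` truncates any path containing whitespace, which `rpm -Va` does not quote.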
@@ -9727,28 +9727,6 @@ could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated. CCE-82196-7 - -# Declare array to hold set of RPM packages we need to correct permissions for -declare -A SETPERMS_RPM_DICT - -# Create a list of files on the system having permissions different from what -# is expected by the RPM database -readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }') - -for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" -do - RPM_PACKAGE=$(rpm -qf "$FILE_PATH") - # Use an associative array to store packages as it's keys, not having to care about duplicates. - SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 -done - -# For each of the RPM packages left in the list -- reset its permissions to the -# correct values -for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" -do - rpm --setugids "${RPM_PACKAGE}" -done - - name: Read list of files with incorrect ownership command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode 
@@ -9829,6 +9807,28 @@ done - no_reboot_needed - restrict_strategy - rpm_verify_ownership + + +# Declare array to hold set of RPM packages we need to correct permissions for +declare -A SETPERMS_RPM_DICT + +# Create a list of files on the system having permissions different from what +# is expected by the RPM database +readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }') + +for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" +do + RPM_PACKAGE=$(rpm -qf "$FILE_PATH") + # Use an associative array to store packages as it's keys, not having to care about duplicates. + SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 +done + +# For each of the RPM packages left in the list -- reset its permissions to the +# correct values +for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" +do + rpm --setugids "${RPM_PACKAGE}" +done 
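Review bot: in the rpm_verify_ownership block re-added at `@@ -9829,6 +9807,28 @@`, `RPM_PACKAGE=$(rpm -qf "$FILE_PATH")` stores the whole multi-line output as one key when a file is owned by more than one package, so `rpm --setugids "${RPM_PACKAGE}"` is later called with a newline-embedded argument. The sibling permissions script in this same patch already handles that case with `readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")` and an inner loop; suggest the same construct here. The comment `# Declare array to hold set of RPM packages we need to correct permissions for` should also say ownership, since this fix resets owner and group, not mode.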
@@ -9983,32 +9983,6 @@ could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. CCE-80858-4 - -# Declare array to hold set of RPM packages we need to correct permissions for -declare -A SETPERMS_RPM_DICT - -# Create a list of files on the system having permissions different from what -# is expected by the RPM database -readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }') - -for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" -do - # NOTE: some files maybe controlled by more then one package - readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}") - for RPM_PACKAGE in "${RPM_PACKAGES[@]}" - do - # Use an associative array to store packages as it's keys, not having to care about duplicates. - SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 - done -done - -# For each of the RPM packages left in the list -- reset its permissions to the -# correct values -for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" -do - rpm --restore "${RPM_PACKAGE}" -done - - name: Read list of files with incorrect permissions command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup 
@@ -10092,6 +10066,32 @@ done - no_reboot_needed - restrict_strategy - rpm_verify_permissions + + +# Declare array to hold set of RPM packages we need to correct permissions for +declare -A SETPERMS_RPM_DICT + +# Create a list of files on the system having permissions different from what +# is expected by the RPM database +readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }') + +for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" +do + # NOTE: some files maybe controlled by more then one package + readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}") + for RPM_PACKAGE in "${RPM_PACKAGES[@]}" + do + # Use an associative array to store packages as it's keys, not having to care about duplicates. + SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 + done +done + +# For each of the RPM packages left in the list -- reset its permissions to the +# correct values +for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" +do + rpm --restore "${RPM_PACKAGE}" +done @@ -10194,21 +10194,13 @@ $ sudo yum install aide SV-251710r880730_rule The AIDE package must be installed if it is to be available for integrity checking. CCE-80844-4 + +package --add=aide + [[packages]] name = "aide" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_aide @@ -10237,8 +10229,16 @@ class install_aide { - no_reboot_needed - package_aide_installed - -package --add=aide + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
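Review bot: the rpm_verify_permissions block moved in `@@ -10092,6 +10066,32 @@` is the right shape (it handles multi-owner files via `readarray -t RPM_PACKAGES` and an inner loop), but the comment `# NOTE: some files maybe controlled by more then one package` should read `may be controlled by more than one package`, and `# Declare array to hold set of RPM packages we need to correct permissions for` is copied verbatim between the ownership and permissions fixes, so a reader diffing the two cannot tell from the comments which attribute each one restores.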
@@ -10341,20 +10341,6 @@ If this check produces any unexpected output, investigate.For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. CCE-80675-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -/usr/sbin/aide --init -/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Build and Test AIDE Database - Ensure AIDE Is Installed ansible.builtin.package: name: '{{ item }}' @@ -10435,6 +10421,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +/usr/sbin/aide --init +/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
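Review bot: in the aide_build_database block re-added at `@@ -10435,6 +10421,20 @@`, `/usr/sbin/aide --init` followed by `/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` unconditionally replaces any existing baseline, so re-running this remediation on a system that already has a database re-baselines whatever is on disk at that moment, which undercuts the "known-good" property the rule text asks for; suggest initialising only when `/var/lib/aide/aide.db.gz` is absent, or at least warning on stderr before overwriting. The copy also runs regardless of whether `aide --init` succeeded; joining the two commands with `&&`, or checking the exit status, would avoid installing a partial database.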
@@ -10472,68 +10472,6 @@ provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. CCE-85964-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - - - - - - - - - - -if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then -sed -i 
"s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure aide is installed package: name: '{{ item }}' 
@@ -10612,6 +10550,68 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + + + + + + + + + + +if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/rsyslogd 
p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -10720,24 +10720,6 @@ system. The operating system's Information Management Officer (IMO)/Information Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. CCE-80676-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then - echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab -else - sed -i '\!^.* --check.*$!d' /etc/crontab - echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure AIDE is installed package: name: '{{ item }}' @@ -10845,6 +10827,24 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then + echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab +else + sed -i '\!^.* --check.*$!d' /etc/crontab + echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -10924,36 +10924,6 @@ system. The operating system's Information Management Officer (IMO)/Information Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. CCE-82891-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi -var_aide_scan_notification_email='' - - - -CRONTAB=/etc/crontab -CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' - -# NOTE: on some platforms, /etc/crontab may not exist -if [ -f /etc/crontab ]; then - CRONTAB_EXIST=/etc/crontab -fi - -if [ -f /var/spool/cron/root ]; then - VARSPOOL=/var/spool/cron/root -fi - -if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then - echo "0 5 * * * root /usr/sbin/aide --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_aide_scan_notification_email # promote to variable set_fact: var_aide_scan_notification_email: !!str 
@@ -11000,6 +10970,36 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi +var_aide_scan_notification_email='' + + + +CRONTAB=/etc/crontab +CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' + +# NOTE: on some platforms, /etc/crontab may not exist +if [ -f /etc/crontab ]; then + CRONTAB_EXIST=/etc/crontab +fi + +if [ -f /var/spool/cron/root ]; then + VARSPOOL=/var/spool/cron/root +fi + +if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then + echo "0 5 * * * root /usr/sbin/aide --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -11146,37 +11146,6 @@ The remediation provided with this rule adds acl to all r ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. CCE-84220-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -aide_conf="/etc/aide.conf" - -groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) - -for group in $groups -do - config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') - - if ! [[ $config = *acl* ]] - then - if [[ -z $config ]] - then - config="acl" - else - config=$config"+acl" - fi - fi - sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather list of packages package_facts: manager: auto 
@@ -11238,6 +11207,37 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +aide_conf="/etc/aide.conf" + +groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) + +for group in $groups +do + config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') + + if ! [[ $config = *acl* ]] + then + if [[ -z $config ]] + then + config="acl" + else + config=$config"+acl" + fi + fi + sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -11288,37 +11288,6 @@ The remediation provided with this rule adds xattrs to al Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. CCE-83733-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -aide_conf="/etc/aide.conf" - -groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) - -for group in $groups -do - config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') - - if ! [[ $config = *xattrs* ]] - then - if [[ -z $config ]] - then - config="xattrs" - else - config=$config"+xattrs" - fi - fi - sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather list of packages package_facts: manager: auto 
@@ -11380,6 +11349,37 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +aide_conf="/etc/aide.conf" + +groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) + +for group in $groups +do + config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') + + if ! [[ $config = *xattrs* ]] + then + if [[ -z $config ]] + then + config="xattrs" + else + config=$config"+xattrs" + fi + fi + sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -11407,21 +11407,6 @@ Audit tools must have the correct group owner. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. CCE-86239-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /sbin/auditctl -chgrp 0 /sbin/aureport -chgrp 0 /sbin/ausearch -chgrp 0 /sbin/autrace -chgrp 0 /sbin/auditd -chgrp 0 /sbin/rsyslogd -chgrp 0 /sbin/augenrules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -11659,6 +11644,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /sbin/auditctl +chgrp 0 /sbin/aureport +chgrp 0 /sbin/ausearch +chgrp 0 /sbin/autrace +chgrp 0 /sbin/auditd +chgrp 0 /sbin/rsyslogd +chgrp 0 /sbin/augenrules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -11686,21 +11686,6 @@ Audit tools must have the correct owner. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. CCE-86259-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /sbin/auditctl -chown 0 /sbin/aureport -chown 0 /sbin/ausearch -chown 0 /sbin/autrace -chown 0 /sbin/auditd -chown 0 /sbin/rsyslogd -chown 0 /sbin/augenrules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -11938,6 +11923,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /sbin/auditctl +chown 0 /sbin/aureport +chown 0 /sbin/ausearch +chown 0 /sbin/autrace +chown 0 /sbin/auditd +chown 0 /sbin/rsyslogd +chown 0 /sbin/augenrules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -11963,27 +11963,6 @@ Audit tools must have a mode of 0755 or less permissive. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. CCE-86227-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-s,g-ws,o-wt /sbin/auditctl - -chmod u-s,g-ws,o-wt /sbin/aureport - -chmod u-s,g-ws,o-wt /sbin/ausearch - -chmod u-s,g-ws,o-wt /sbin/autrace - -chmod u-s,g-ws,o-wt /sbin/auditd - -chmod u-s,g-ws,o-wt /sbin/rsyslogd - -chmod u-s,g-ws,o-wt /sbin/augenrules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -12221,6 +12200,27 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-s,g-ws,o-wt /sbin/auditctl + +chmod u-s,g-ws,o-wt /sbin/aureport + +chmod u-s,g-ws,o-wt /sbin/ausearch + +chmod u-s,g-ws,o-wt /sbin/autrace + +chmod u-s,g-ws,o-wt /sbin/auditd + +chmod u-s,g-ws,o-wt /sbin/rsyslogd + +chmod u-s,g-ws,o-wt /sbin/augenrules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -12286,19 +12286,6 @@ protect data. The operating system must implement cryptographic modules adhering standards approved by the federal government since this provides assurance they have been tested and validated. CCE-82155-3 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then - -fips-mode-setup --enable -FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" -if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then - echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Check to see the current status of FIPS mode command: /usr/bin/fips-mode-setup --check register: is_fips_enabled @@ -12365,6 +12352,19 @@ fi - medium_disruption - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then + +fips-mode-setup --enable +FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" +if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then + echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -12418,33 +12418,6 @@ standards approved by the federal government since this provides assurance they and validated. CCE-80942-6 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_system_crypto_policy='' - - -fips-mode-setup --enable - -stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) -rc=$? - -if test "$rc" = 127; then - echo "$stderr_of_call" >&2 - echo "Make sure that the script is installed on the remediated system." >&2 - echo "See output of the 'dnf provides update-crypto-policies' command" >&2 - echo "to see what package to (re)install" >&2 - - false # end with an error code -elif test "$rc" != 0; then - echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 - false # end with an error code -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_system_crypto_policy # promote to variable set_fact: var_system_crypto_policy: !!str 
@@ -12551,6 +12524,33 @@ fi - medium_disruption - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_system_crypto_policy='' + + +fips-mode-setup --enable + +stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) +rc=$? + +if test "$rc" = 127; then + echo "$stderr_of_call" >&2 + echo "Make sure that the script is installed on the remediated system." >&2 + echo "See output of the 'dnf provides update-crypto-policies' command" >&2 + echo "to see what package to (re)install" >&2 + + false # end with an error code +elif test "$rc" != 0; then + echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 + false # end with an error code +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -12734,15 +12734,13 @@ $ sudo yum install crypto-policies the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. CCE-82723-8 + +package --add=crypto-policies + [[packages]] name = "crypto-policies" version = "*" - - -if ! rpm -q --quiet "crypto-policies" ; then - yum install -y "crypto-policies" -fi include install_crypto-policies @@ -12765,8 +12763,10 @@ class install_crypto-policies { - no_reboot_needed - package_crypto-policies_installed - -package --add=crypto-policies + +if ! rpm -q --quiet "crypto-policies" ; then + yum install -y "crypto-policies" +fi 
@@ -12878,24 +12878,26 @@ submits to this process. the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. CCE-80935-0 - -var_system_crypto_policy='' - - -stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) -rc=$? - -if test "$rc" = 127; then - echo "$stderr_of_call" >&2 - echo "Make sure that the script is installed on the remediated system." >&2 - echo "See output of the 'dnf provides update-crypto-policies' command" >&2 - echo "to see what package to (re)install" >&2 - - false # end with an error code -elif test "$rc" != 0; then - echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 - false # end with an error code -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: configure-crypto-policy.service + enabled: true + contents: | + [Unit] + Before=kubelet.service + [Service] + Type=oneshot + ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}} + RemainAfterExit=yes + [Install] + WantedBy=multi-user.target - name: XCCDF Value var_system_crypto_policy # promote to variable set_fact: 
@@ -12947,26 +12949,24 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: configure-crypto-policy.service - enabled: true - contents: | - [Unit] - Before=kubelet.service - [Service] - Type=oneshot - ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}} - RemainAfterExit=yes - [Install] - WantedBy=multi-user.target + +var_system_crypto_policy='' + + +stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) +rc=$? + +if test "$rc" = 127; then + echo "$stderr_of_call" >&2 + echo "Make sure that the script is installed on the remediated system." >&2 + echo "See output of the 'dnf provides update-crypto-policies' command" >&2 + echo "to see what package to (re)install" >&2 + + false # end with an error code +elif test "$rc" != 0; then + echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 + false # end with an error code +fi 
@@ -12996,29 +12996,6 @@ line and is not commented out: library violate expectations, and makes system configuration more fragmented. CCE-84254-2 - -CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config -correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' - -grep -q ${correct_value} ${CONF_FILE} - -if [[ $? -ne 0 ]]; then - # We need to get the existing value, using PCRE to maintain same regex - existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE}) - - if [[ ! -z ${existing_value} ]]; then - # replace existing_value with correct_value - sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} - else - # ***NOTE*** # - # This probably means this file is not here or it's been modified - # unintentionally. - # ********** # - # echo correct_value to end - echo ${correct_value} >> ${CONF_FILE} - fi -fi - - name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact' set_fact: path: /etc/crypto-policies/back-ends/gnutls.config @@ -13100,6 +13077,29 @@ fi - medium_severity - reboot_required - restrict_strategy + + +CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config +correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' + +grep -q ${correct_value} ${CONF_FILE} + +if [[ $? -ne 0 ]]; then + # We need to get the existing value, using PCRE to maintain same regex + existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE}) + + if [[ ! -z ${existing_value} ]]; then + # replace existing_value with correct_value + sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} + else + # ***NOTE*** # + # This probably means this file is not here or it's been modified + # unintentionally. + # ********** # + # echo correct_value to end + echo ${correct_value} >> ${CONF_FILE} + fi +fi 
@@ -13130,10 +13130,6 @@ If the symlink exists, Kerberos is configured to use the system-wide crypto poli Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. CCE-80936-8 - -rm -f /etc/krb5.conf.d/crypto-policies -ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies - - name: Configure Kerberos to use System Crypto Policy file: src: /etc/crypto-policies/back-ends/krb5.config @@ -13151,6 +13147,10 @@ ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policie - low_complexity - low_disruption - reboot_required + + +rm -f /etc/krb5.conf.d/crypto-policies +ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies @@ -13187,18 +13187,6 @@ is not commented out or superseded by later includes: service violate expectations, and makes system configuration more fragmented. CCE-80937-6 - -function remediate_libreswan_crypto_policy() { - CONFIG_FILE="/etc/ipsec.conf" - if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then - # the file might not end with a new line - echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE" - fi - return 0 -} - -remediate_libreswan_crypto_policy - - name: Configure Libreswan to use System Crypto Policy lineinfile: path: /etc/ipsec.conf @@ -13219,6 +13207,18 @@ remediate_libreswan_crypto_policy - low_disruption - no_reboot_needed - restrict_strategy + + +function remediate_libreswan_crypto_policy() { + CONFIG_FILE="/etc/ipsec.conf" + if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then + # the file might not end with a new line + echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE" + fi + return 0 +} + +remediate_libreswan_crypto_policy 
@@ -13254,37 +13254,6 @@ if there is a [ crypto_policy ] section that contains the Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented. CCE-80938-4 - -OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' -OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' - -OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' - -OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$' - - - - - - -function remediate_openssl_crypto_policy() { - CONFIG_FILE=/etc/pki/tls/openssl.cnf - if test -f "$CONFIG_FILE"; then - if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then - printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE" - return 0 - elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then - sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE" - return 0 - fi - else - echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2 - return 1 - fi -} - -remediate_openssl_crypto_policy - - name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy Section ansible.builtin.find: 
@@ -13389,6 +13358,37 @@ remediate_openssl_crypto_policy - medium_severity - no_reboot_needed - unknown_strategy + + +OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' +OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' + +OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' + +OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$' + + + + + + +function remediate_openssl_crypto_policy() { + CONFIG_FILE=/etc/pki/tls/openssl.cnf + if test -f "$CONFIG_FILE"; then + if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then + printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE" + return 0 + elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then + sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE" + return 0 + fi + else + echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2 + return 1 + fi +} + +remediate_openssl_crypto_policy @@ -13478,11 +13478,6 @@ in the /etc/sysconfig/sshd. Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. CCE-80939-2 - -SSH_CONF="/etc/sysconfig/sshd" - -sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF - - name: Configure SSH to use System Crypto Policy lineinfile: dest: /etc/sysconfig/sshd @@ -13504,6 +13499,11 @@ sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF - medium_disruption - medium_severity - reboot_required + + +SSH_CONF="/etc/sysconfig/sshd" + +sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF 
@@ -13538,15 +13538,6 @@ variable configured with predefined value. are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. CCE-84286-4 - -cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" -file="/etc/crypto-policies/local.d/opensslcnf-ospp.config" -backend_file="/etc/crypto-policies/back-ends/opensslcnf.config" - -sed -i "/Ciphersuites\s*=\s*/d" "$backend_file" -printf "\n%s\n" "$cp" >> "$file" -update-crypto-policies - - name: Remove configuration from backend file /etc/crypto-policies/back-ends/opensslcnf.config lineinfile: path: /etc/crypto-policies/back-ends/opensslcnf.config @@ -13593,6 +13584,15 @@ update-crypto-policies - medium_severity - reboot_required - restrict_strategy + + +cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +file="/etc/crypto-policies/local.d/opensslcnf-ospp.config" +backend_file="/etc/crypto-policies/back-ends/opensslcnf.config" + +sed -i "/Ciphersuites\s*=\s*/d" "$backend_file" +printf "\n%s\n" "$cp" >> "$file" +update-crypto-policies 
@@ -13688,25 +13688,6 @@ specifying a cipher list with the order of ciphers being in a “strongest weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. CCE-85902-5 - -sshd_approved_ciphers='' - - -if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then - - LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" -else - touch "/etc/crypto-policies/back-ends/openssh.config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" - -cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" -# Insert at the end of the file -printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config" -# Clean up after ourselves. -rm "/etc/crypto-policies/back-ends/openssh.config.bak" - - name: XCCDF Value sshd_approved_ciphers # promote to variable set_fact: sshd_approved_ciphers: !!str @@ -13751,6 +13732,25 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak" - low_disruption - reboot_required - restrict_strategy + + +sshd_approved_ciphers='' + + +if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then + + LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" +else + touch "/etc/crypto-policies/back-ends/openssh.config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" + +cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" +# Insert at the end of the file +printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config" +# Clean up after ourselves. +rm "/etc/crypto-policies/back-ends/openssh.config.bak" 
@@ -13800,38 +13800,6 @@ specifying a cipher list with the order of ciphers being in a “strongest weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. CCE-85897-7 - -sshd_approved_ciphers='' - - -CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config -correct_value="-oCiphers=${sshd_approved_ciphers}" - -# Test if file exists -test -f ${CONF_FILE} || touch ${CONF_FILE} - -# Ensure CRYPTO_POLICY is not commented out -sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} - -grep -q "'${correct_value}'" ${CONF_FILE} - -if [[ $? -ne 0 ]]; then - # We need to get the existing value, using PCRE to maintain same regex - existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE}) - - if [[ ! -z ${existing_value} ]]; then - # replace existing_value with correct_value - sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} - else - # ***NOTE*** # - # This probably means this file is not here or it's been modified - # unintentionally. - # ********** # - # echo correct_value to end - echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} - fi -fi - - name: XCCDF Value sshd_approved_ciphers # promote to variable set_fact: sshd_approved_ciphers: !!str 
@@ -13919,6 +13887,38 @@ fi - medium_severity - reboot_required - restrict_strategy + + +sshd_approved_ciphers='' + + +CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config +correct_value="-oCiphers=${sshd_approved_ciphers}" + +# Test if file exists +test -f ${CONF_FILE} || touch ${CONF_FILE} + +# Ensure CRYPTO_POLICY is not commented out +sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} + +grep -q "'${correct_value}'" ${CONF_FILE} + +if [[ $? -ne 0 ]]; then + # We need to get the existing value, using PCRE to maintain same regex + existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE}) + + if [[ ! -z ${existing_value} ]]; then + # replace existing_value with correct_value + sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} + else + # ***NOTE*** # + # This probably means this file is not here or it's been modified + # unintentionally. + # ********** # + # echo correct_value to end + echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} + fi +fi @@ -14005,25 +14005,6 @@ submits to this process. client violate expectations, and makes system configuration more fragmented. CCE-85870-4 - -sshd_approved_macs='' - - -if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then - - LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" -else - touch "/etc/crypto-policies/back-ends/openssh.config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" - -cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" -# Insert at the end of the file -printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config" -# Clean up after ourselves. -rm "/etc/crypto-policies/back-ends/openssh.config.bak" - - name: XCCDF Value sshd_approved_macs # promote to variable set_fact: sshd_approved_macs: !!str 
@@ -14068,6 +14049,25 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak" - medium_severity - reboot_required - restrict_strategy + + +sshd_approved_macs='' + + +if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then + + LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" +else + touch "/etc/crypto-policies/back-ends/openssh.config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" + +cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" +# Insert at the end of the file +printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config" +# Clean up after ourselves. +rm "/etc/crypto-policies/back-ends/openssh.config.bak" @@ -14115,38 +14115,6 @@ submits to this process. server violate expectations, and makes system configuration more fragmented. CCE-85899-3 - -sshd_approved_macs='' - - -CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config -correct_value="-oMACs=${sshd_approved_macs}" - -# Test if file exists -test -f ${CONF_FILE} || touch ${CONF_FILE} - -# Ensure CRYPTO_POLICY is not commented out -sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} - -grep -q "'${correct_value}'" ${CONF_FILE} - -if [[ $? -ne 0 ]]; then - # We need to get the existing value, using PCRE to maintain same regex - existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE}) - - if [[ ! -z ${existing_value} ]]; then - # replace existing_value with correct_value - sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} - else - # ***NOTE*** # - # This probably means this file is not here or it's been modified - # unintentionally. - # ********** # - # echo correct_value to end - echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} - fi -fi - - name: XCCDF Value sshd_approved_macs # promote to variable set_fact: sshd_approved_macs: !!str 
@@ -14234,6 +14202,38 @@ fi - medium_severity - reboot_required - restrict_strategy + + +sshd_approved_macs='' + + +CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config +correct_value="-oMACs=${sshd_approved_macs}" + +# Test if file exists +test -f ${CONF_FILE} || touch ${CONF_FILE} + +# Ensure CRYPTO_POLICY is not commented out +sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} + +grep -q "'${correct_value}'" ${CONF_FILE} + +if [[ $? -ne 0 ]]; then + # We need to get the existing value, using PCRE to maintain same regex + existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE}) + + if [[ ! -z ${existing_value} ]]; then + # replace existing_value with correct_value + sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} + else + # ***NOTE*** # + # This probably means this file is not here or it's been modified + # unintentionally. + # ********** # + # echo correct_value to end + echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} + fi +fi 
@@ -14288,38 +14288,6 @@ openssl() SRG-OS-000480-GPOS-00227 This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior. CCE-82721-2 - -cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' -# provide a default -rand /dev/random option to openssl commands that -# support it - -# written inefficiently for maximum shell compatibility -openssl() -( - openssl_bin=/usr/bin/openssl - - case "$*" in - # if user specified -rand, honor it - *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; - esac - - cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` - for i in `$openssl_bin list -commands`; do - if $openssl_bin list -options "$i" | grep -q '^rand '; then - cmds=" $i $cmds" - fi - done - - case "$cmds" in - *\ "$1"\ *) - cmd="$1"; shift - exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; - esac - - exec $openssl_bin "$@" -) -EOM - - name: Put a file with shell wrapper to configure OpenSSL to always use strong entropy copy: dest: /etc/profile.d/openssl-rand.sh @@ -14360,6 +14328,38 @@ EOM - no_reboot_needed - openssl_use_strong_entropy - restrict_strategy + + +cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' +# provide a default -rand /dev/random option to openssl commands that +# support it + +# written inefficiently for maximum shell compatibility +openssl() +( + openssl_bin=/usr/bin/openssl + + case "$*" in + # if user specified -rand, honor it + *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; + esac + + cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` + for i in `$openssl_bin list -commands`; do + if $openssl_bin list -options "$i" | grep -q '^rand '; then + cmds=" $i $cmds" + fi + done + + case "$cmds" in + *\ "$1"\ *) + cmd="$1"; shift + exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; + esac + + exec $openssl_bin "$@" +) +EOM 
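Review bot: the `/etc/profile.d/openssl-rand.sh` wrapper moved by `@@ -14360,6 +14328,38 @@` defines a shell function, so it only takes effect in shells that source profile.d (interactive login shells); cron jobs, systemd services, scripts that do not source the profile, and any code that execs `/usr/bin/openssl` by path keep the unwrapped default. The rule text `openssl invocations always uses SP800-90A compliant random number generator` overstates this (and should read `always use`); state the scope in the description or rationale so the check is not mistaken for a system-wide guarantee. A minor nit in the same block: `case "$*" in *\ -rand\ *` requires a space after `-rand`, so `openssl cmd -rand` with no argument falls through and is invoked with two `-rand` options.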
@@ -14699,18 +14699,6 @@ computer viruses, as well as to limit their spread to other systems. [customizations.services] enabled = ["nails"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'nails.service' -"$SYSTEMCTL_EXEC" start 'nails.service' -"$SYSTEMCTL_EXEC" enable 'nails.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_nails @@ -14747,6 +14735,18 @@ class enable_nails { - medium_severity - no_reboot_needed - service_nails_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'nails.service' +"$SYSTEMCTL_EXEC" start 'nails.service' +"$SYSTEMCTL_EXEC" enable 'nails.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -15591,13 +15591,13 @@ option. Access to this partition should be restricted. CCE-83336-8 + +part /boot + [[customizations.filesystem]] mountpoint = "/boot" size = 1073741824 - - -part /boot @@ -15622,13 +15622,13 @@ of the program. If the program happened to have a security vulnerability, the at could continue to exploit the known flaw. CCE-86282-1 + +part /dev/shm + [[customizations.filesystem]] mountpoint = "/dev/shm" size = 2147483648 - - -part /dev/shm @@ -15677,13 +15677,13 @@ setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. CCE-81044-0 + +part /home + [[customizations.filesystem]] mountpoint = "/home" size = 1073741824 - - -part /home @@ -15703,13 +15703,13 @@ makes it easier to apply restrictions e.g. through the nosuid CCE-83340-0 + +part /opt + [[customizations.filesystem]] mountpoint = "/opt" size = 1073741824 - - -part /opt 
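Review bot: the nails remediation relocated by `@@ -14747,6 +14735,18 @@` guards only against running inside a container (`/.dockerenv`, `/run/.containerenv`) and then runs `systemctl unmask/start/enable 'nails.service'` unconditionally; on a host where that unit is not installed, `start` and `enable` fail and the script reports an error rather than 'not applicable'. Add an existence check for the unit (for example `systemctl cat nails.service >/dev/null 2>&1`) to the applicability condition, the way the gdm rules below gate on `rpm --quiet -q gdm`.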
@@ -15732,13 +15732,13 @@ more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. CCE-83387-1 + +part /srv + [[customizations.filesystem]] mountpoint = "/srv" size = 1073741824 - - -part /srv @@ -15784,13 +15784,13 @@ Placing /tmp in its own partition enables the setting of restrictive mount options, which can help protect programs which use it. CCE-80851-9 + +part /tmp + [[customizations.filesystem]] mountpoint = "/tmp" size = 1073741824 - - -part /tmp @@ -15809,13 +15809,13 @@ Putting it on a separate partition allows limiting its size and applying restrictions through mount options. CCE-83343-4 + +part /usr + [[customizations.filesystem]] mountpoint = "/usr" size = 5368709120 - - -part /usr @@ -15863,13 +15863,13 @@ It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. CCE-80852-7 + +part /var + [[customizations.filesystem]] mountpoint = "/var" size = 3221225472 - - -part /var @@ -15947,13 +15947,13 @@ enables better separation between log files and other files in /var/. CCE-80853-5 + +part /var/log + [[customizations.filesystem]] mountpoint = "/var/log" size = 5368709120 - - -part /var/log @@ -16046,13 +16046,13 @@ auditing cannot be halted due to the partition running out of space. CCE-80854-3 + +part /var/log/audit + [[customizations.filesystem]] mountpoint = "/var/log/audit" size = 10737418240 - - -part /var/log/audit @@ -16076,13 +16076,13 @@ Placing /var/tmp in its own partition enables the setting restrictive mount options, which can help protect programs which use it. CCE-82730-3 + +part /var/tmp + [[customizations.filesystem]] mountpoint = "/var/tmp" size = 1073741824 - - -part /var/tmp 
@@ -16125,24 +16125,8 @@ mode. To do so, run the following command: A graphical environment is unnecessary for certain types of systems including a virtualization hypervisor. CCE-82367-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# CAUTION: This remediation script will remove gdm -# from the system, and may remove any packages -# that depend on gdm. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "gdm" ; then - - yum remove -y "gdm" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=gdm include remove_gdm @@ -16184,8 +16168,24 @@ class remove_gdm { - no_reboot_needed - package_gdm_removed - -package --remove=gdm + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# CAUTION: This remediation script will remove gdm +# from the system, and may remove any packages +# that depend on gdm. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "gdm" ; then + + yum remove -y "gdm" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -16214,15 +16214,6 @@ configuration files have to be compliant, and the database needs to be more rece which gives confidence that it reflects them. CCE-81003-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -16253,6 +16244,15 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
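Review bot: in the gdm removal script relocated by `@@ -16184,8 +16168,24 @@`, the inner `if rpm -q --quiet "gdm"` repeats the outer applicability guard `if rpm --quiet -q gdm` verbatim, so the `CAUTION` comment and `yum remove -y "gdm"` sit two levels deep for no reason; drop the inner test. Since the comment itself warns that dependents may be removed, the script should also check the exit status of `yum remove` so a dependency failure is reported instead of silently returning success.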
@@ -16363,68 +16363,6 @@ After the settings have been set, run dconf update. - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)disable-restart-buttons(\s*=)/#\1disable-restart-buttons\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-restart-buttons\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/login-screen/disable-restart-buttons$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -16501,6 +16439,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)disable-restart-buttons(\s*=)/#\1disable-restart-buttons\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*disable-restart-buttons\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/login-screen/disable-restart-buttons$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
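Review bot: in the dconf script moved by `@@ -16501,6 +16439,68 @@` (disable-restart-buttons), `SETTINGSFILES` is filled with `readarray -t` but `LOCKFILES=$(grep -r ... | cut -d":" -f1)` is a plain string that is then expanded as `"${LOCKFILES[@]}"`; with two or more matching lock files sed receives a single argument containing embedded newlines and fails with 'No such file', so only the single-file case works. Use `readarray -t LOCKFILES < <(...)` and test `"${#LOCKFILES[@]}" -ne 0`, as the settings branch already does. The script is also not idempotent: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` appends a blank line to 00-security-settings on every run, and the `[ ! -z "${DCONFFILE}" ]` test can never be false because `DCONFFILE` is assigned a literal a few lines above. The same template is reused for disable-user-list, enable-smartcard-authentication, removal-action and allowed-failures below, so one fix in the template covers all five.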
@@ -16536,68 +16536,6 @@ with physical access to the system to quickly enumerate known user accounts without logging in. CCE-86195-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -16674,51 +16612,7 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Enable the GNOME3 Login Smartcard Authentication - In the default graphical environment, smart card authentication -can be enabled on the login screen by setting enable-smartcard-authentication -to true. - -To enable, add or edit enable-smartcard-authentication to -/etc/dconf/db/gdm.d/00-security-settings. For example: -[org/gnome/login-screen] -enable-smartcard-authentication=true -Once the setting has been added, add a lock to -/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/login-screen/enable-smartcard-authentication -After the settings have been set, run dconf update. - CCI-000765 - CCI-000766 - CCI-000767 - CCI-000768 - CCI-000771 - CCI-000772 - CCI-000884 - CCI-001948 - CCI-001954 - IA-2(3) - IA-2(4) - IA-2(8) - IA-2(9) - IA-2(11) - Req-8.3 - SRG-OS-000375-GPOS-00160 - SRG-OS-000376-GPOS-00161 - SRG-OS-000377-GPOS-00162 - Smart card login provides two-factor authentication stronger than -that provided by a username and password combination. Smart cards leverage PKI -(public key infrastructure) in order to provide and verify credentials. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories 
@@ -16734,10 +16628,10 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)enable-smartcard-authentication(\s*=)/#\1enable-smartcard-authentication\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}" fi fi @@ -16748,16 +16642,16 @@ then fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${DCONFFILE}" +if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" 
@@ -16766,12 +16660,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/login-screen/enable-smartcard-authentication$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/login-screen/enable-smartcard-authentication$" /etc/dconf/db/gdm.d/ +if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/ then - echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" + echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" fi dconf update 
@@ -16780,6 +16674,50 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Enable the GNOME3 Login Smartcard Authentication + In the default graphical environment, smart card authentication +can be enabled on the login screen by setting enable-smartcard-authentication +to true. + +To enable, add or edit enable-smartcard-authentication to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +enable-smartcard-authentication=true +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/enable-smartcard-authentication +After the settings have been set, run dconf update. + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-000771 + CCI-000772 + CCI-000884 + CCI-001948 + CCI-001954 + IA-2(3) + IA-2(4) + IA-2(8) + IA-2(9) + IA-2(11) + Req-8.3 + SRG-OS-000375-GPOS-00160 + SRG-OS-000376-GPOS-00161 + SRG-OS-000377-GPOS-00162 + Smart card login provides two-factor authentication stronger than +that provided by a username and password combination. Smart cards leverage PKI +(public key infrastructure) in order to provide and verify credentials. + - name: Gather the package facts package_facts: manager: auto 
@@ -16864,92 +16802,60 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Enable the GNOME3 Screen Locking On Smartcard Removal - In the default graphical environment, screen locking on smartcard removal -can be enabled by setting removal-action -to 'lock-screen'. - -To enable, add or edit removal-action to -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/settings-daemon/peripherals/smartcard] -removal-action='lock-screen' -Once the setting has been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/settings-daemon/peripherals/smartcard/removal-action -After the settings have been set, run dconf update. - CCI-000056 - CCI-000058 - SRG-OS-000028-GPOS-00009 - SRG-OS-000030-GPOS-00011 - RHEL-08-020050 - SV-230351r792899_rule - Locking the screen automatically when removing the smartcard can -prevent undesired access to system. - - CCE-83910-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. 
# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)enable-smartcard-authentication(\s*=)/#\1enable-smartcard-authentication\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}" +if ! 
grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")" -if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" +LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/login-screen/enable-smartcard-authentication$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/ +if ! 
grep -qr "^/org/gnome/login-screen/enable-smartcard-authentication$" /etc/dconf/db/gdm.d/ then - echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" fi dconf update @@ -16958,6 +16864,38 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Enable the GNOME3 Screen Locking On Smartcard Removal + In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to 'lock-screen'. + +To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/settings-daemon/peripherals/smartcard] +removal-action='lock-screen' +Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/settings-daemon/peripherals/smartcard/removal-action +After the settings have been set, run dconf update. + CCI-000056 + CCI-000058 + SRG-OS-000028-GPOS-00009 + SRG-OS-000030-GPOS-00011 + RHEL-08-020050 + SV-230351r792899_rule + Locking the screen automatically when removing the smartcard can +prevent undesired access to system. + + CCE-83910-0 - name: Gather the package facts package_facts: manager: auto 
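Review bot: the hunks `@@ -16864,92 +16802,60 @@` and `@@ -16958,6 +16864,38 @@` present the smartcard `removal-action` script being edited line by line into the `enable-smartcard-authentication` script, with the `Enable the GNOME3 Screen Locking On Smartcard Removal` title, its CCI/SRG references and `CCE-83910-0` reappearing some eighty lines later, but comparing the `-` and `+` lines shows no remediation content actually changes: each bash fix is only moved after the Ansible fix of its rule, and the diff algorithm paired the wrong rules. With the element order changed for every rule, the patch is a delete/insert pair with zero semantic change and a real edit to any of these scripts would be invisible in it; the publisher should emit fix elements in a stable order (or at least generate the diff with `--diff-algorithm=patience`) so that future changes to these scripts remain reviewable.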
@@ -17111,90 +17049,60 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Set the GNOME3 Login Number of Failures - In the default graphical environment, the GNOME3 login -screen and be configured to restart the authentication process after -a configured number of attempts. This can be configured by setting -allowed-failures to 3 or less. - -To enable, add or edit allowed-failures to -/etc/dconf/db/gdm.d/00-security-settings. For example: -[org/gnome/login-screen] -allowed-failures=3 -Once the setting has been added, add a lock to -/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/login-screen/allowed-failures -After the settings have been set, run dconf update. - 3.1.8 - FMT_MOF_EXT.1 - Setting the password retry prompts that are permitted on a per-session basis to a low value -requires some software, such as SSH, to re-connect. This can slow down and -draw additional attention to some types of password-guessing attacks. - - CCE-80771-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. 
# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)allowed-failures(\s*=)/#\1allowed-failures\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +if ! 
grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")" -if grep -q "^\\s*allowed-failures\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")" +if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" +LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/login-screen/allowed-failures$" /etc/dconf/db/gdm.d/ +if ! 
grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/ then - echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" + echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -17203,6 +17111,36 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Set the GNOME3 Login Number of Failures + In the default graphical environment, the GNOME3 login +screen and be configured to restart the authentication process after +a configured number of attempts. This can be configured by setting +allowed-failures to 3 or less. + +To enable, add or edit allowed-failures to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +allowed-failures=3 +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/allowed-failures +After the settings have been set, run dconf update. + 3.1.8 + FMT_MOF_EXT.1 + Setting the password retry prompts that are permitted on a per-session basis to a low value +requires some software, such as SSH, to re-connect. This can slow down and +draw additional attention to some types of password-guessing attacks. + + CCE-80771-9 - name: Gather the package facts package_facts: manager: auto 
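Review bot: the `Set the GNOME3 Login Number of Failures` rule text re-added by `@@ -17203,6 +17111,36 @@` carries a typo, `the GNOME3 login screen and be configured to restart`, which should read `can be configured`, and its rationale (`requires some software, such as SSH, to re-connect`) describes retry limits on remote logins rather than the GDM greeter; `allowed-failures` governs how many password attempts the graphical login screen accepts before it restarts the authentication dialog, and the rationale should say that. Worth fixing in the source while the block is being moved, since the patch already touches every line of it.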
@@ -17270,6 +17208,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)allowed-failures(\s*=)/#\1allowed-failures\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")" +if grep -q "^\\s*allowed-failures\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/login-screen/allowed-failures$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -17318,24 +17318,6 @@ AutomaticLoginEnable=false system security. CCE-80823-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -if rpm --quiet -q gdm -then - if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf - then - sed -i "/^\[daemon\]/a \ - AutomaticLoginEnable=False" /etc/gdm/custom.conf - else - sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -17379,6 +17361,24 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +if rpm --quiet -q gdm +then + if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf + then + sed -i "/^\[daemon\]/a \ + AutomaticLoginEnable=False" /etc/gdm/custom.conf + else + sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -17426,24 +17426,6 @@ TimedLoginEnable=false system security. CCE-80824-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -if rpm --quiet -q gdm -then - if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf - then - sed -i "/^\[daemon\]/a \ - TimedLoginEnable=false" /etc/gdm/custom.conf - else - sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -17487,6 +17469,24 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +if rpm --quiet -q gdm +then + if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf + then + sed -i "/^\[daemon\]/a \ + TimedLoginEnable=false" /etc/gdm/custom.conf + else + sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -17512,28 +17512,6 @@ remote session. If a privileged user were to login using XDMCP, the privileged user password could be compromised due to typed XEvents and keystrokes will traversing over the network in clear text. CCE-86007-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set -# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there -if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then - - sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm/custom.conf' -elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then - sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm/custom.conf' -else - if test -d "/etc/gdm"; then - printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm/custom.conf' - else - echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2 - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -17563,6 +17541,28 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set +# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there +if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then + + sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm/custom.conf' +elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then + sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm/custom.conf' +else + if test -d "/etc/gdm"; then + printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm/custom.conf' + else + echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2 + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -17638,68 +17638,6 @@ It will, however, also prevent desktop users from legitimate use of removable media. CCE-89904-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" -if grep -q "^\\s*automount\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -17783,6 +17721,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" +if grep -q "^\\s*automount\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -17855,68 +17855,6 @@ It will, however, also prevent desktop users from legitimate use of removable media. CCE-83693-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" -if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -18000,6 +17938,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" +if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -18070,68 +18070,6 @@ It will, however, also prevent desktop users from legitimate use of removable media. CCE-83742-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -18211,6 +18149,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -18309,68 +18309,6 @@ file to exploit this flaw. Assuming the attacker could place the malicious file malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required. - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)disable-all(\s*=)/#\1disable-all\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! 
grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-all\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/thumbnailers/disable-all$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/thumbnailers/disable-all$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -18443,42 +18381,13 @@ fi - unknown_severity - unknown_strategy - - - - - - - - - - GNOME Network Settings - GNOME network settings that apply to the graphical interface. - - Disable WIFI Network Connection Creation in GNOME3 - GNOME allows users to create ad-hoc wireless connections through the -NetworkManager applet. Wireless connections should be disabled by -adding or setting disable-wifi-create to true in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/nm-applet] -disable-wifi-create=true - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/nm-applet/disable-wifi-create -After the settings have been set, run dconf update. - 3.1.16 - Wireless network connections should not be allowed to be configured by general -users on a given system as it could open the system to backdoor attacks. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \ +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" 
@@ -18488,30 +18397,30 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)disable-wifi-create(\s*=)/#\1disable-wifi-create\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)disable-all(\s*=)/#\1disable-all\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-wifi-create\\s*=" "${DCONFFILE}" +if grep -q "^\\s*disable-all\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" 
@@ -18520,12 +18429,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/nm-applet/disable-wifi-create$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/desktop/thumbnailers/disable-all$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/nm-applet/disable-wifi-create$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/desktop/thumbnailers/disable-all$" /etc/dconf/db/local.d/ then - echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -18534,6 +18443,35 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + GNOME Network Settings + GNOME network settings that apply to the graphical interface. + + Disable WIFI Network Connection Creation in GNOME3 + GNOME allows users to create ad-hoc wireless connections through the +NetworkManager applet. Wireless connections should be disabled by +adding or setting disable-wifi-create to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/nm-applet] +disable-wifi-create=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/nm-applet/disable-wifi-create +After the settings have been set, run dconf update. + 3.1.16 + Wireless network connections should not be allowed to be configured by general +users on a given system as it could open the system to backdoor attacks. + - name: Gather the package facts package_facts: manager: auto 
@@ -18598,34 +18536,7 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Disable WIFI Network Notification in GNOME3 - By default, GNOME disables WIFI notification. This should be permanently set -so that users do not connect to a wireless network when the system finds one. -While useful for mobile devices, this setting should be disabled for all other systems. -To configure the system to disable the WIFI notication, add or set -suppress-wireless-networks-available to true in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/nm-applet] -suppress-wireless-networks-available=true - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/nm-applet/suppress-wireless-networks-available -After the settings have been set, run dconf update. - 3.1.16 - Wireless network connections should not be allowed to be configured by general -users on a given system as it could open the system to backdoor attacks. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories @@ -18641,10 +18552,10 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)suppress-wireless-networks-available(\s*=)/#\1suppress-wireless-networks-available\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)disable-wifi-create(\s*=)/#\1disable-wifi-create\2/g" "${SETTINGSFILES[@]}" fi fi 
@@ -18655,16 +18566,16 @@ then fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${DCONFFILE}" +if grep -q "^\\s*disable-wifi-create\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" @@ -18673,12 +18584,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/nm-applet/disable-wifi-create$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/nm-applet/suppress-wireless-networks-available$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/nm-applet/disable-wifi-create$" /etc/dconf/db/local.d/ then - echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update 
@@ -18687,6 +18598,33 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disable WIFI Network Notification in GNOME3 + By default, GNOME disables WIFI notification. This should be permanently set +so that users do not connect to a wireless network when the system finds one. +While useful for mobile devices, this setting should be disabled for all other systems. +To configure the system to disable the WIFI notication, add or set +suppress-wireless-networks-available to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/nm-applet] +suppress-wireless-networks-available=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/nm-applet/suppress-wireless-networks-available +After the settings have been set, run dconf update. + 3.1.16 + Wireless network connections should not be allowed to be configured by general +users on a given system as it could open the system to backdoor attacks. + - name: Gather the package facts package_facts: manager: auto 
@@ -18751,49 +18689,13 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - - GNOME Remote Access Settings - GNOME remote access settings that apply to the graphical interface. - - Require Credential Prompting for Remote Access in GNOME3 - By default, GNOME does not require credentials when using Vino for -remote access. To configure the system to require remote credentials, add or set -authentication-methods to ['vnc'] in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/Vino] -authentication-methods=['vnc'] - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/Vino/authentication-methods -After the settings have been set, run dconf update. - 3.1.12 - 164.308(a)(4)(i) - 164.308(b)(1) - 164.308(b)(3) - 164.310(b) - 164.312(e)(1) - 164.312(e)(2)(ii) - Username and password prompting is required for remote access. Otherwise, non-authorized -and nefarious users can access the system freely. - - CCE-80772-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" 
@@ -18803,30 +18705,30 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)authentication-methods(\s*=)/#\1authentication-methods\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)suppress-wireless-networks-available(\s*=)/#\1suppress-wireless-networks-available\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" +if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")" -if grep -q "^\\s*authentication-methods\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" 
@@ -18835,12 +18737,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/Vino/authentication-methods$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/Vino/authentication-methods$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/nm-applet/suppress-wireless-networks-available$" /etc/dconf/db/local.d/ then - echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -18849,6 +18751,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + GNOME Remote Access Settings + GNOME remote access settings that apply to the graphical interface. + + Require Credential Prompting for Remote Access in GNOME3 + By default, GNOME does not require credentials when using Vino for +remote access. To configure the system to require remote credentials, add or set +authentication-methods to ['vnc'] in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/Vino] +authentication-methods=['vnc'] + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/Vino/authentication-methods +After the settings have been set, run dconf update. + 3.1.12 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + Username and password prompting is required for remote access. Otherwise, non-authorized +and nefarious users can access the system freely. + + CCE-80772-7 - name: Gather the package facts package_facts: manager: auto 
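Review bot: in the first hunk on this line, `sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}"` treats `LOCKFILES` as an array, but it was assigned as a plain string (`LOCKFILES=$(grep -r ... | cut -d":" -f1)` in the preceding hunk), so when more than one database file carries the lock the newline-joined list is handed to sed as a single file name and the command fails; it only works when exactly one file matches. Use `readarray -t LOCKFILES < <(...)` as the SETTINGSFILES logic earlier in the same script already does. The same construct is repeated in every lock block in this file, so the fix belongs in the shared template.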
@@ -18916,6 +18854,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)authentication-methods(\s*=)/#\1authentication-methods\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")" +if grep -q "^\\s*authentication-methods\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/Vino/authentication-methods$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/Vino/authentication-methods$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
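Review bot: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` runs unconditionally (DCONFFILE is a constant assigned a few lines earlier, so the test is always true), which appends a blank line to 00-security-settings on every invocation; the remediation is therefore not idempotent on file content and repeated remediation runs keep growing the file. Move the blank line into the `if ! grep -q "\\[org/gnome/Vino\\]"` branch so it is only written when the section header is added, and quote the redirection target in `printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}` for consistency with the rest of the script.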
@@ -18990,68 +18990,6 @@ After the settings have been set, run dconf update. CCE-80773-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)require-encryption(\s*=)/#\1require-encryption\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*require-encryption\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/Vino/require-encryption$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/Vino/require-encryption$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19131,6 +19069,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)require-encryption(\s*=)/#\1require-encryption\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*require-encryption\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/Vino/require-encryption$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/Vino/require-encryption$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
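Review bot: the applicability gate `if rpm --quiet -q gdm && { ... }` never checks that Vino itself is installed, so on a desktop without the vino package this writes `require-encryption=true` and a lock for a schema that is not present; `dconf update` accepts it, the file-based check passes, and nothing is enforced for whatever remote-desktop service is actually in use. Gate on the vino package (or report the rule as not applicable when it is absent) so a pass result reflects an enforced setting rather than an orphaned key. The authentication-methods script above has the same gap.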
@@ -19241,68 +19241,6 @@ login session does not have administrator rights and the display station is loca controlled-access area. CCE-80774-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*idle-activation-enabled\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19390,6 +19328,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*idle-activation-enabled\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -19446,48 +19446,21 @@ After the settings have been set, run dconf update.A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. CCE-83858-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83858-1 - - CJIS-5.5.5 - - NIST-800-171-3.1.10 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_locked - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83858-1 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy - name: Prevent user modification of GNOME Screensaver idle-activation-enabled lineinfile: 
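Review bot: the only change to the Ansible tasks in this hunk is indentation of the `- name: Gather the package facts` item and its tags; confirm it still lines up with the unchanged `- name: Prevent user modification of GNOME Screensaver idle-activation-enabled` item that follows, since a YAML sequence with mixed indentation fails to parse and the rendered diff makes the leading whitespace hard to verify. A whitespace-only change in a generated snippet is another sign the renderer is not producing stable output.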
@@ -19524,6 +19497,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
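Review bot: the platform gate in this script is `if rpm --quiet -q gdm; then`, while every other bash fix in this file gates on `rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }`, so this lock-only remediation for CCE-83858-1 (and its lock-enabled sibling for CCE-87261-4 further down) will run inside containers where the siblings refuse to. Align the gate with the other scripts so the applicability logic is consistent across the rule family.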
@@ -19592,52 +19592,6 @@ system session prior to vacating the vicinity, GNOME3 can be configured to ident a user's session has idled and take action to initiate a session lock. CCE-80775-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -inactivity_timeout_value='' - - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")" -if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19709,6 +19663,52 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +inactivity_timeout_value='' + + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")" +if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
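Review bot: `inactivity_timeout_value=''` is empty as rendered here, so the script would write `idle-delay=uint32 ` into 00-security-settings, which dconf rejects at `dconf update` time. The two blank lines after the assignment look like where an XCCDF value substitution sat before a tag-stripping render; confirm the substitution is still present in the published datastream, because if the value really is empty the remediation for CCE-80775-0 silently does nothing useful. `var_screensaver_lock_delay=''` in the lock-delay script below has the same shape and needs the same check.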
@@ -19774,52 +19774,6 @@ After the settings have been set, run dconf update. CCE-80776-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_screensaver_lock_delay='' - - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")" -if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19888,6 +19842,52 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_screensaver_lock_delay='' + + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")" +if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -19958,68 +19958,6 @@ After the settings have been set, run dconf update. CCE-80777-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
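Review bot: the "Comment out the configurations in databases different from the target one" step edits in place, with `sed -Ei`, any file under /etc/dconf/db/ whose path does not contain `distro`, `ibus` or `local.d`, for example the gdm.d or site.d databases. That is a wider blast radius than the rule description promises (it only mentions local.d), and the substring filter `grep -v 'distro\|ibus\|local.d'` matches anywhere in the path, so any other database file that happens to carry one of those substrings in its name is silently skipped and can keep shadowing the value. Restrict the edit to the profile's own database, or at least emit the list of files modified so the operator can see what changed.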
@@ -20225,6 +20163,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -20285,33 +20285,6 @@ After the settings have been set, run dconf update.A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. CCE-87261-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -20366,6 +20339,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -20434,68 +20434,6 @@ After the settings have been set, run dconf update. CCE-80778-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)picture-uri(\s*=)/#\1picture-uri\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")" -if grep -q "^\\s*picture-uri\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/picture-uri$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/desktop/screensaver/picture-uri$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -20588,34 +20526,7 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Disable Full User Name on Splash Shield - By default when the screen is locked, the splash shield will show the user's -full name. This should be disabled to prevent casual observers from seeing -who has access to the system. This can be disabled by adding or setting -show-full-name-in-top-bar to false in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/desktop/screensaver] -show-full-name-in-top-bar=false - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/desktop/screensaver/show-full-name-in-top-bar -After the settings have been set, run dconf update. - FMT_MOF_EXT.1 - Setting the splash screen to not reveal the logged in user's name -conceals who has access to the system from passersby. - - CCE-80779-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories 
@@ -20631,10 +20542,10 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)picture-uri(\s*=)/#\1picture-uri\2/g" "${SETTINGSFILES[@]}" fi fi @@ -20644,17 +20555,17 @@ then printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" -if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")" +if grep -q "^\\s*picture-uri\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" 
@@ -20663,12 +20574,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/desktop/screensaver/picture-uri$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/desktop/screensaver/picture-uri$" /etc/dconf/db/local.d/ then - echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -20677,6 +20588,33 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disable Full User Name on Splash Shield + By default when the screen is locked, the splash shield will show the user's +full name. This should be disabled to prevent casual observers from seeing +who has access to the system. This can be disabled by adding or setting +show-full-name-in-top-bar to false in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/desktop/screensaver] +show-full-name-in-top-bar=false + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/show-full-name-in-top-bar +After the settings have been set, run dconf update. + FMT_MOF_EXT.1 + Setting the splash screen to not reveal the logged in user's name +conceals who has access to the system from passersby. + + CCE-80779-2 - name: Gather the package facts package_facts: manager: auto 
@@ -20740,6 +20678,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" +if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -20802,33 +20802,6 @@ GNOME desktops can be configured to identify when a user's session has idled and session lock. As such, users should not be allowed to change session settings. CCE-80780-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -20881,6 +20854,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -20945,33 +20945,6 @@ GNOME desktops can be configured to identify when a user's session has idled and session lock. As such, users should not be allowed to change session settings. CCE-80781-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -21030,6 +21003,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -21117,68 +21117,6 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. CCE-84028-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")" -if grep -q "^\\s*logout\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -21262,6 +21200,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")" +if grep -q "^\\s*logout\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -21294,6 +21294,101 @@ After the settings have been set, run dconf update. + - name: Gather the package facts + package_facts: + manager: auto + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable Geolocation in GNOME3 - location tracking + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/system/location + option: enabled + value: 'false' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable Geolocation in GNOME3 - clock location tracking + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/clocks + option: gelocation + value: 'false' + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME geolocation - location tracking + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/system/location/enabled$ + line: /org/gnome/system/location/enabled + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME geolocation - clock location tracking + lineinfile: + path: 
/etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/clocks/geolocation$ + line: /org/gnome/clocks/geolocation + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then 
@@ -21409,101 +21504,6 @@ dconf update else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Disable Geolocation in GNOME3 - location tracking - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/system/location - option: enabled - value: 'false' - create: true - no_extra_spaces: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Disable Geolocation in GNOME3 - clock location tracking - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/clocks - option: gelocation - value: 'false' - create: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Prevent user modification of GNOME geolocation - location tracking - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/system/location/enabled$ - line: /org/gnome/system/location/enabled - create: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Prevent user modification of GNOME geolocation - clock location tracking - lineinfile: - path: 
/etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/clocks/geolocation$ - line: /org/gnome/clocks/geolocation - create: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Dconf Update - command: dconf update - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy 
@@ -21562,68 +21562,6 @@ unintended configuration changes as well as a nefarious user the capability to m changes such as adding new accounts, etc. CCE-80769-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)user-administration-disabled(\s*=)/#\1user-administration-disabled\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! 
grep -q "\\[org/gnome/desktop/lockdown\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*user-administration-disabled\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/lockdown/user-administration-disabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/lockdown/user-administration-disabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -21775,6 +21713,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)user-administration-disabled(\s*=)/#\1user-administration-disabled\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/lockdown\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*user-administration-disabled\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/lockdown/user-administration-disabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/lockdown/user-administration-disabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -21870,21 +21870,13 @@ is to give as few privileges as possible but still allow system users to get their work done. CCE-82214-8 + +package --add=sudo + [[packages]] name = "sudo" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "sudo" ; then - yum install -y "sudo" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_sudo @@ -21910,8 +21902,16 @@ class install_sudo { - no_reboot_needed - package_sudo_installed - -package --add=sudo + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "sudo" ; then + yum install -y "sudo" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -21932,6 +21932,21 @@ in /etc/sudoers.d/. Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information. CCE-83820-1 + - name: Ensure env_reset is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\benv_reset\b.*$ + line: Defaults env_reset + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83820-1 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_env_reset + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak 
@@ -21952,21 +21967,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure env_reset is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\benv_reset\b.*$ - line: Defaults env_reset - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83820-1 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_add_env_reset @@ -21987,6 +21987,21 @@ in /etc/sudoers.d/. Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally. CCE-83810-2 + - name: Ensure ignore_dot is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\bignore_dot\b.*$ + line: Defaults ignore_dot + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83810-2 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_ignore_dot + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak @@ -22007,21 +22022,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure ignore_dot is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\bignore_dot\b.*$ - line: Defaults ignore_dot - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83810-2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_add_ignore_dot 
@@ -22041,6 +22041,21 @@ in /etc/sudoers.d/. Restricting the capability of sudo allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise. CCE-83747-6 + - name: Ensure noexec is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\bnoexec\b.*$ + line: Defaults noexec + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83747-6 + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - sudo_add_noexec + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak @@ -22061,21 +22076,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure noexec is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\bnoexec\b.*$ - line: Defaults noexec - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83747-6 - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - restrict_strategy - - sudo_add_noexec 
@@ -22095,38 +22095,6 @@ The passwd_timeout should be configured by making sure that the in /etc/sudoers.d/. Reducing the time sudo waits for a a password reduces the time the process is exposed. CCE-83964-7 - - -var_sudo_passwd_timeout='' - - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option passwd_timeout - echo "Defaults passwd_timeout=${var_sudo_passwd_timeout}" >> /etc/sudoers - else - # sudoers file defines Option passwd_timeout, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*\bpasswd_timeout=${var_sudo_passwd_timeout}\b.*$" /etc/sudoers; then - - escaped_variable=${var_sudo_passwd_timeout//$'/'/$'\/'} - sed -Ei "s/(^[\s]*Defaults.*\bpasswd_timeout=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers - fi - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - - name: XCCDF Value var_sudo_passwd_timeout # promote to variable set_fact: var_sudo_passwd_timeout: !!str 
@@ -22164,6 +22132,38 @@ fi - no_reboot_needed - restrict_strategy - sudo_add_passwd_timeout + + + +var_sudo_passwd_timeout='' + + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults[\s]*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option passwd_timeout + echo "Defaults passwd_timeout=${var_sudo_passwd_timeout}" >> /etc/sudoers + else + # sudoers file defines Option passwd_timeout, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*\bpasswd_timeout=${var_sudo_passwd_timeout}\b.*$" /etc/sudoers; then + + escaped_variable=${var_sudo_passwd_timeout//$'/'/$'\/'} + sed -Ei "s/(^[\s]*Defaults.*\bpasswd_timeout=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi @@ -22184,6 +22184,21 @@ in /etc/sudoers.d/. Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface. CCE-83790-6 + - name: Ensure requiretty is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\brequiretty\b.*$ + line: Defaults requiretty + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83790-6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_requiretty + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak 
@@ -22204,21 +22219,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure requiretty is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\brequiretty\b.*$ - line: Defaults requiretty - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83790-6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_add_requiretty @@ -22241,38 +22241,6 @@ in /etc/sudoers.d/. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. CCE-83860-7 - - -var_sudo_umask='' - - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\bumask=\w+\b\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option umask - echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers - else - # sudoers file defines Option umask, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then - - escaped_variable=${var_sudo_umask//$'/'/$'\/'} - sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers - fi - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - - name: XCCDF Value var_sudo_umask # promote to variable set_fact: var_sudo_umask: !!str 
@@ -22310,6 +22278,38 @@ fi - no_reboot_needed - restrict_strategy - sudo_add_umask + + + +var_sudo_umask='' + + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults[\s]*\bumask=\w+\b\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option umask + echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers + else + # sudoers file defines Option umask, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then + + escaped_variable=${var_sudo_umask//$'/'/$'\/'} + sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi @@ -22334,33 +22334,6 @@ in /etc/sudoers.d/. access to the user's terminal after the main program has finished executing. CCE-83798-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sudo; then - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option use_pty - echo "Defaults use_pty" >> /etc/sudoers - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -22393,42 +22366,14 @@ fi - restrict_strategy - sudo_add_use_pty - - - - - - - - - Ensure Sudo Logfile Exists - sudo logfile - A custom log sudo file can be configured with the 'logfile' tag. This rule configures -a sudo custom logfile at the default location suggested by CIS, which uses -/var/log/sudo.log. - Req-10.2.5 - 2.2.6 - 5.3.3 - A sudo log file simplifies auditing of sudo commands. - - CCE-83601-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q sudo; then -var_sudo_logfile='' - - if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option logfile - echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers - else - # sudoers file defines Option logfile, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then - - escaped_variable=${var_sudo_logfile//$'/'/$'\/'} - sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers - fi + if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option use_pty + echo "Defaults use_pty" >> /etc/sudoers fi # Check validity of sudoers and cleanup bak @@ -22448,6 +22393,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure Sudo Logfile Exists - sudo logfile + A custom log sudo file can be configured with the 'logfile' tag. This rule configures +a sudo custom logfile at the default location suggested by CIS, which uses +/var/log/sudo.log. + Req-10.2.5 + 2.2.6 + 5.3.3 + A sudo log file simplifies auditing of sudo commands. + + CCE-83601-5 - name: Gather the package facts package_facts: manager: auto 
@@ -22505,6 +22468,43 @@ fi - no_reboot_needed - restrict_strategy - sudo_custom_logfile + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sudo; then + +var_sudo_logfile='' + + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option logfile + echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers + else + # sudoers file defines Option logfile, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then + + escaped_variable=${var_sudo_logfile//$'/'/$'\/'} + sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -22594,22 +22594,6 @@ do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. CCE-82202-3 - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "!authenticate" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - - name: Find /etc/sudoers.d/ files find: paths: 
@@ -22647,6 +22631,22 @@ done - no_reboot_needed - restrict_strategy - sudo_remove_no_authenticate + + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "!authenticate" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done @@ -22720,22 +22720,6 @@ When operating systems provide the capability to escalate a functional capabilit is critical that the user re-authenticate. CCE-82197-5 - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "NOPASSWD" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - - name: Find /etc/sudoers.d/ files find: paths: @@ -22773,6 +22757,22 @@ done - no_reboot_needed - restrict_strategy - sudo_remove_nopasswd + + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "NOPASSWD" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done 
@@ -22840,37 +22840,6 @@ do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. CCE-82279-1 - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "NOPASSWD" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "!authenticate" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - - name: Find /etc/sudoers.d/ files find: paths: 
@@ -22946,6 +22915,37 @@ done - no_reboot_needed - restrict_strategy - sudo_require_authentication + + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "NOPASSWD" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "!authenticate" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done 
@@ -22981,46 +22981,6 @@ When operating systems provide the capability to escalate a functional capabilit is critical that the user re-authenticate. CCE-87838-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sudo; then - -var_sudo_timestamp_timeout='' - - -if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \; -fi - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then - # sudoers file doesn't define Option timestamp_timeout - echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers - else - # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then - - sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers - fi - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -23121,6 +23081,46 @@ fi - no_reboot_needed - restrict_strategy - sudo_require_reauthentication + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sudo; then + +var_sudo_timestamp_timeout='' + + +if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \; +fi + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then + # sudoers file doesn't define Option timestamp_timeout + echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers + else + # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then + + sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -23138,13 +23138,6 @@ To properly set the permissions of /usr/bin/sudo, run the BP28(R57) Restricting the set of users able to execute commands as privileged user reduces the attack surface. CCE-83574-4 - - - - - -chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo - - name: Test for existence /usr/bin/sudo stat: path: /usr/bin/sudo 
@@ -23171,6 +23164,13 @@ chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo - medium_severity - no_reboot_needed - sudo_restrict_others_executable_permission + + + + + + +chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo @@ -23243,27 +23243,6 @@ Note that the '#' character doesn't denote a comment in the configuration file.< Use of these configuration options makes it easier for one compromised accound to be used to compromise other accounts. CCE-86377-9 - -sudoers_config_file="/etc/sudoers" -sudoers_config_dir="/etc/sudoers.d" -sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") -if [ "$sudoers_includedir_count" -gt 1 ]; then - sed -i "/#includedir/d" "$sudoers_config_file" - echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" -elif [ "$sudoers_includedir_count" -eq 0 ]; then - echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" -else - if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then - sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" - fi -fi - -sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file" - -if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then - sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/* -fi - - name: Check for duplicate values lineinfile: path: /etc/sudoers 
@@ -23381,6 +23360,27 @@ fi - medium_severity - no_reboot_needed - sudoers_default_includedir + + +sudoers_config_file="/etc/sudoers" +sudoers_config_dir="/etc/sudoers.d" +sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") +if [ "$sudoers_includedir_count" -gt 1 ]; then + sed -i "/#includedir/d" "$sudoers_config_file" + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +elif [ "$sudoers_includedir_count" -eq 0 ]; then + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +else + if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then + sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" + fi +fi + +sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file" + +if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then + sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/* +fi 
@@ -23484,75 +23484,6 @@ or if cvtsudoers not supported: the invoking user for the "root" user password. CCE-83422-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sudo; then - -if grep -x '^Defaults targetpw$' /etc/sudoers; then - sed -i "/Defaults targetpw/d" /etc/sudoers \; -fi -if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \; -fi -if grep -x '^Defaults rootpw$' /etc/sudoers; then - sed -i "/Defaults rootpw/d" /etc/sudoers \; -fi -if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \; -fi -if grep -x '^Defaults runaspw$' /etc/sudoers; then - sed -i "/Defaults runaspw/d" /etc/sudoers \; -fi -if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \; -fi - -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sudoers" - -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers" -# Clean up after ourselves. -rm "/etc/sudoers.bak" -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sudoers" - -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers" -# Clean up after ourselves. 
-rm "/etc/sudoers.bak" -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sudoers" - -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers" -# Clean up after ourselves. -rm "/etc/sudoers.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -23930,6 +23861,75 @@ fi - no_reboot_needed - restrict_strategy - sudoers_validate_passwd + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sudo; then + +if grep -x '^Defaults targetpw$' /etc/sudoers; then + sed -i "/Defaults targetpw/d" /etc/sudoers \; +fi +if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \; +fi +if grep -x '^Defaults rootpw$' /etc/sudoers; then + sed -i "/Defaults rootpw/d" /etc/sudoers \; +fi +if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \; +fi +if grep -x '^Defaults runaspw$' /etc/sudoers; then + sed -i "/Defaults runaspw/d" /etc/sudoers \; +fi +if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \; +fi + +if [ -e "/etc/sudoers" ] ; then + + LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sudoers" + +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers" +# Clean up after ourselves. +rm "/etc/sudoers.bak" +if [ -e "/etc/sudoers" ] ; then + + LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sudoers" + +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers" +# Clean up after ourselves. +rm "/etc/sudoers.bak" +if [ -e "/etc/sudoers" ] ; then + + LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sudoers" + +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers" +# Clean up after ourselves. 
+rm "/etc/sudoers.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -23952,15 +23952,13 @@ $ sudo yum install binutils foundational system operator activities, such as ld, nm, objcopy and readelf. CCE-82989-5 + +package --add=binutils + [[packages]] name = "binutils" version = "*" - - -if ! rpm -q --quiet "binutils" ; then - yum install -y "binutils" -fi include install_binutils @@ -23983,8 +23981,10 @@ class install_binutils { - no_reboot_needed - package_binutils_installed - -package --add=binutils + +if ! rpm -q --quiet "binutils" ; then + yum install -y "binutils" +fi @@ -24013,15 +24013,13 @@ $ sudo yum install dnf-plugin-subscription-manager CCE-82315-3 + +package --add=dnf-plugin-subscription-manager + [[packages]] name = "dnf-plugin-subscription-manager" version = "*" - - -if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then - yum install -y "dnf-plugin-subscription-manager" -fi include install_dnf-plugin-subscription-manager @@ -24044,8 +24042,10 @@ class install_dnf-plugin-subscription-manager { - no_reboot_needed - package_dnf-plugin-subscription-manager_installed - -package --add=dnf-plugin-subscription-manager + +if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then + yum install -y "dnf-plugin-subscription-manager" +fi @@ -24070,15 +24070,13 @@ other required structures. This package contains command line TLS client and server and certificate manipulation tools. CCE-82395-5 + +package --add=gnutls-utils + [[packages]] name = "gnutls-utils" version = "*" - - -if ! rpm -q --quiet "gnutls-utils" ; then - yum install -y "gnutls-utils" -fi include install_gnutls-utils @@ -24101,8 +24099,10 @@ class install_gnutls-utils { - no_reboot_needed - package_gnutls-utils_installed - -package --add=gnutls-utils + +if ! rpm -q --quiet "gnutls-utils" ; then + yum install -y "gnutls-utils" +fi 
@@ -24122,15 +24122,13 @@ posix capabilities of all the programs running on a system. libcap-ng-utils also lets system operators set the file system based capabilities. CCE-82979-6 + +package --add=libcap-ng-utils + [[packages]] name = "libcap-ng-utils" version = "*" - - -if ! rpm -q --quiet "libcap-ng-utils" ; then - yum install -y "libcap-ng-utils" -fi include install_libcap-ng-utils @@ -24153,8 +24151,10 @@ class install_libcap-ng-utils { - no_reboot_needed - package_libcap-ng-utils_installed - -package --add=libcap-ng-utils + +if ! rpm -q --quiet "libcap-ng-utils" ; then + yum install -y "libcap-ng-utils" +fi @@ -24176,15 +24176,13 @@ server applications. Install the nss-tools package to install command-line tools to manipulate the NSS certificate and key database. CCE-82396-3 + +package --add=nss-tools + [[packages]] name = "nss-tools" version = "*" - - -if ! rpm -q --quiet "nss-tools" ; then - yum install -y "nss-tools" -fi include install_nss-tools @@ -24207,8 +24205,10 @@ class install_nss-tools { - no_reboot_needed - package_nss-tools_installed - -package --add=nss-tools + +if ! rpm -q --quiet "nss-tools" ; then + yum install -y "nss-tools" +fi @@ -24230,15 +24230,13 @@ $ sudo yum install openscap-scanner configuration and vulnerability scanner, capable of performing compliance checking using SCAP content. CCE-82220-5 + +package --add=openscap-scanner + [[packages]] name = "openscap-scanner" version = "*" - - -if ! rpm -q --quiet "openscap-scanner" ; then - yum install -y "openscap-scanner" -fi include install_openscap-scanner @@ -24261,8 +24259,10 @@ class install_openscap-scanner { - no_reboot_needed - package_openscap-scanner_installed - -package --add=openscap-scanner + +if ! rpm -q --quiet "openscap-scanner" ; then + yum install -y "openscap-scanner" +fi 
@@ -24280,21 +24280,13 @@ $ sudo yum install rear image of a system and restores from backup using this image. CCE-82883-0 + +package --add=rear + [[packages]] name = "rear" version = "*" - - # Remediation is applicable only in certain platforms -if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease ) ) ); then - -if ! rpm -q --quiet "rear" ; then - yum install -y "rear" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rear 
@@ -24322,8 +24314,16 @@ class install_rear { - no_reboot_needed - package_rear_installed - -package --add=rear + # Remediation is applicable only in certain platforms +if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease ) ) ); then + +if ! rpm -q --quiet "rear" ; then + yum install -y "rear" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -24345,21 +24345,13 @@ $ sudo yum install rng-tools such as those used in the formation of x509/PKI certificates. CCE-82968-9 + +package --add=rng-tools + [[packages]] name = "rng-tools" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "rng-tools" ; then - yum install -y "rng-tools" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rng-tools 
@@ -24384,8 +24376,16 @@ class install_rng-tools { - no_reboot_needed - package_rng-tools_installed - -package --add=rng-tools + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "rng-tools" ; then + yum install -y "rng-tools" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -24412,15 +24412,13 @@ package, or the SCAP Workbench GUI tool from the scap-workbench CCE-82949-9 + +package --add=scap-security-guide + [[packages]] name = "scap-security-guide" version = "*" - - -if ! rpm -q --quiet "scap-security-guide" ; then - yum install -y "scap-security-guide" -fi include install_scap-security-guide @@ -24443,8 +24441,10 @@ class install_scap-security-guide { - no_reboot_needed - package_scap-security-guide_installed - -package --add=scap-security-guide + +if ! rpm -q --quiet "scap-security-guide" ; then + yum install -y "scap-security-guide" +fi @@ -24475,15 +24475,13 @@ It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as . CCE-82316-1 + +package --add=subscription-manager + [[packages]] name = "subscription-manager" version = "*" - - -if ! rpm -q --quiet "subscription-manager" ; then - yum install -y "subscription-manager" -fi include install_subscription-manager @@ -24506,8 +24504,10 @@ class install_subscription-manager { - no_reboot_needed - package_subscription-manager_installed - -package --add=subscription-manager + +if ! rpm -q --quiet "subscription-manager" ; then + yum install -y "subscription-manager" +fi 
@@ -24526,15 +24526,13 @@ can restore individual files (or all of the files) from the archive. includes multivolume support, automatic archive compression/decompression, the the ability to perform incremental and full backups. If CCE-82965-5 + +package --add=tar + [[packages]] name = "tar" version = "*" - - -if ! rpm -q --quiet "tar" ; then - yum install -y "tar" -fi include install_tar @@ -24557,8 +24555,10 @@ class install_tar { - no_reboot_needed - package_tar_installed - -package --add=tar + +if ! rpm -q --quiet "tar" ; then + yum install -y "tar" +fi @@ -24574,15 +24574,13 @@ package --add=tar $ sudo yum install vim-enhanced Vim (Vi IMproved) is an almost compatible version of the UNIX editor vi. CCE-82956-4 + +package --add=vim-enhanced + [[packages]] name = "vim-enhanced" version = "*" - - -if ! rpm -q --quiet "vim-enhanced" ; then - yum install -y "vim-enhanced" -fi include install_vim-enhanced @@ -24605,8 +24603,10 @@ class install_vim-enhanced { - no_reboot_needed - package_vim_installed - -package --add=vim-enhanced + +if ! rpm -q --quiet "vim-enhanced" ; then + yum install -y "vim-enhanced" +fi @@ -24627,18 +24627,8 @@ $ sudo yum erase abrt-addon-ccpp abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin. CCE-82919-2 - -# CAUTION: This remediation script will remove abrt-addon-ccpp -# from the system, and may remove any packages -# that depend on abrt-addon-ccpp. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-addon-ccpp" ; then - - yum remove -y "abrt-addon-ccpp" - -fi + +package --remove=abrt-addon-ccpp include remove_abrt-addon-ccpp 
@@ -24662,8 +24652,18 @@ class remove_abrt-addon-ccpp { - no_reboot_needed - package_abrt-addon-ccpp_removed - -package --remove=abrt-addon-ccpp + +# CAUTION: This remediation script will remove abrt-addon-ccpp +# from the system, and may remove any packages +# that depend on abrt-addon-ccpp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-addon-ccpp" ; then + + yum remove -y "abrt-addon-ccpp" + +fi @@ -24684,18 +24684,8 @@ $ sudo yum erase abrt-addon-kerneloops abrt-addon-kerneloops contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org. CCE-82926-7 - -# CAUTION: This remediation script will remove abrt-addon-kerneloops -# from the system, and may remove any packages -# that depend on abrt-addon-kerneloops. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-addon-kerneloops" ; then - - yum remove -y "abrt-addon-kerneloops" - -fi + +package --remove=abrt-addon-kerneloops include remove_abrt-addon-kerneloops @@ -24719,8 +24709,18 @@ class remove_abrt-addon-kerneloops { - no_reboot_needed - package_abrt-addon-kerneloops_removed - -package --remove=abrt-addon-kerneloops + +# CAUTION: This remediation script will remove abrt-addon-kerneloops +# from the system, and may remove any packages +# that depend on abrt-addon-kerneloops. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-addon-kerneloops" ; then + + yum remove -y "abrt-addon-kerneloops" + +fi 
@@ -24741,18 +24741,8 @@ $ sudo yum erase abrt-cli abrt-cli contains a command line client for controlling abrt daemon over sockets. CCE-82907-7 - -# CAUTION: This remediation script will remove abrt-cli -# from the system, and may remove any packages -# that depend on abrt-cli. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-cli" ; then - - yum remove -y "abrt-cli" - -fi + +package --remove=abrt-cli include remove_abrt-cli @@ -24776,8 +24766,18 @@ class remove_abrt-cli { - no_reboot_needed - package_abrt-cli_removed - -package --remove=abrt-cli + +# CAUTION: This remediation script will remove abrt-cli +# from the system, and may remove any packages +# that depend on abrt-cli. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-cli" ; then + + yum remove -y "abrt-cli" + +fi @@ -24796,18 +24796,8 @@ $ sudo yum erase abrt-plugin-logger abrt-plugin-logger is an ABRT plugin which writes a report to a specified file. CCE-82913-5 - -# CAUTION: This remediation script will remove abrt-plugin-logger -# from the system, and may remove any packages -# that depend on abrt-plugin-logger. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-plugin-logger" ; then - - yum remove -y "abrt-plugin-logger" - -fi + +package --remove=abrt-plugin-logger include remove_abrt-plugin-logger @@ -24830,8 +24820,18 @@ class remove_abrt-plugin-logger { - no_reboot_needed - package_abrt-plugin-logger_removed - -package --remove=abrt-plugin-logger + +# CAUTION: This remediation script will remove abrt-plugin-logger +# from the system, and may remove any packages +# that depend on abrt-plugin-logger. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-logger" ; then + + yum remove -y "abrt-plugin-logger" + +fi 
@@ -24850,18 +24850,8 @@ $ sudo yum erase abrt-plugin-rhtsupport abrt-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system. CCE-82916-8 - -# CAUTION: This remediation script will remove abrt-plugin-rhtsupport -# from the system, and may remove any packages -# that depend on abrt-plugin-rhtsupport. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-plugin-rhtsupport" ; then - - yum remove -y "abrt-plugin-rhtsupport" - -fi + +package --remove=abrt-plugin-rhtsupport include remove_abrt-plugin-rhtsupport @@ -24884,8 +24874,18 @@ class remove_abrt-plugin-rhtsupport { - no_reboot_needed - package_abrt-plugin-rhtsupport_removed - -package --remove=abrt-plugin-rhtsupport + +# CAUTION: This remediation script will remove abrt-plugin-rhtsupport +# from the system, and may remove any packages +# that depend on abrt-plugin-rhtsupport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-rhtsupport" ; then + + yum remove -y "abrt-plugin-rhtsupport" + +fi @@ -24905,18 +24905,8 @@ $ sudo yum erase abrt-plugin-sosreport SV-230488r627750_rule abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report. CCE-82910-1 - -# CAUTION: This remediation script will remove abrt-plugin-sosreport -# from the system, and may remove any packages -# that depend on abrt-plugin-sosreport. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-plugin-sosreport" ; then - - yum remove -y "abrt-plugin-sosreport" - -fi + +package --remove=abrt-plugin-sosreport include remove_abrt-plugin-sosreport 
@@ -24940,8 +24930,18 @@ class remove_abrt-plugin-sosreport { - no_reboot_needed - package_abrt-plugin-sosreport_removed - -package --remove=abrt-plugin-sosreport + +# CAUTION: This remediation script will remove abrt-plugin-sosreport +# from the system, and may remove any packages +# that depend on abrt-plugin-sosreport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-sosreport" ; then + + yum remove -y "abrt-plugin-sosreport" + +fi @@ -24957,18 +24957,8 @@ package --remove=abrt-plugin-sosreport $ sudo yum erase geolite2-city geolite2-city is part of the GeoLite2 database packages, offering geolocation databases and tooling. CCE-82939-0 - -# CAUTION: This remediation script will remove geolite2-city -# from the system, and may remove any packages -# that depend on geolite2-city. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "geolite2-city" ; then - - yum remove -y "geolite2-city" - -fi + +package --remove=geolite2-city include remove_geolite2-city @@ -24991,8 +24981,18 @@ class remove_geolite2-city { - no_reboot_needed - package_geolite2-city_removed - -package --remove=geolite2-city + +# CAUTION: This remediation script will remove geolite2-city +# from the system, and may remove any packages +# that depend on geolite2-city. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "geolite2-city" ; then + + yum remove -y "geolite2-city" + +fi 
@@ -25008,18 +25008,8 @@ package --remove=geolite2-city $ sudo yum erase geolite2-country geolite2-country is part of the GeoLite2 database packages, offering geolocation databases and tooling. CCE-82936-6 - -# CAUTION: This remediation script will remove geolite2-country -# from the system, and may remove any packages -# that depend on geolite2-country. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "geolite2-country" ; then - - yum remove -y "geolite2-country" - -fi + +package --remove=geolite2-country include remove_geolite2-country @@ -25042,8 +25032,18 @@ class remove_geolite2-country { - no_reboot_needed - package_geolite2-country_removed - -package --remove=geolite2-country + +# CAUTION: This remediation script will remove geolite2-country +# from the system, and may remove any packages +# that depend on geolite2-country. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "geolite2-country" ; then + + yum remove -y "geolite2-country" + +fi @@ -25068,19 +25068,6 @@ RHV uses NFS storage, which has dependency on gssproxy. gssproxy is a proxy for GSS API credential handling. CCE-82943-2 - -# CAUTION: This remediation script will remove gssproxy -# from the system, and may remove any packages -# that depend on gssproxy. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "gssproxy" ; then - - yum remove -y "gssproxy" - -fi - include remove_gssproxy class remove_gssproxy { @@ -25102,6 +25089,19 @@ class remove_gssproxy { - medium_severity - no_reboot_needed - package_gssproxy_removed + + +# CAUTION: This remediation script will remove gssproxy +# from the system, and may remove any packages +# that depend on gssproxy. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "gssproxy" ; then + + yum remove -y "gssproxy" + +fi 
@@ -25123,18 +25123,8 @@ $ sudo yum erase iprutils iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. CCE-82946-5 - -# CAUTION: This remediation script will remove iprutils -# from the system, and may remove any packages -# that depend on iprutils. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "iprutils" ; then - - yum remove -y "iprutils" - -fi + +package --remove=iprutils include remove_iprutils @@ -25158,8 +25148,18 @@ class remove_iprutils { - no_reboot_needed - package_iprutils_removed - -package --remove=iprutils + +# CAUTION: This remediation script will remove iprutils +# from the system, and may remove any packages +# that depend on iprutils. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "iprutils" ; then + + yum remove -y "iprutils" + +fi @@ -25184,18 +25184,8 @@ RHV hosts require ipa-client package, which has dependency on krb5-workstation.< Kerberos programs (kinit, klist, kdestroy, kpasswd). CCE-82931-7 - -# CAUTION: This remediation script will remove krb5-workstation -# from the system, and may remove any packages -# that depend on krb5-workstation. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "krb5-workstation" ; then - - yum remove -y "krb5-workstation" - -fi + +package --remove=krb5-workstation include remove_krb5-workstation @@ -25219,8 +25209,18 @@ class remove_krb5-workstation { - no_reboot_needed - package_krb5-workstation_removed - -package --remove=krb5-workstation + +# CAUTION: This remediation script will remove krb5-workstation +# from the system, and may remove any packages +# that depend on krb5-workstation. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "krb5-workstation" ; then + + yum remove -y "krb5-workstation" + +fi 
@@ -25241,18 +25241,8 @@ $ sudo yum erase libreport-plugin-logger libreport-plugin-logger is a ABRT plugin to report bugs into the Red Hat Support system. CCE-89201-8 - -# CAUTION: This remediation script will remove libreport-plugin-logger -# from the system, and may remove any packages -# that depend on libreport-plugin-logger. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "libreport-plugin-logger" ; then - - yum remove -y "libreport-plugin-logger" - -fi + +package --remove=libreport-plugin-logger include remove_libreport-plugin-logger @@ -25276,8 +25266,18 @@ class remove_libreport-plugin-logger { - no_reboot_needed - package_libreport-plugin-logger_removed - -package --remove=libreport-plugin-logger + +# CAUTION: This remediation script will remove libreport-plugin-logger +# from the system, and may remove any packages +# that depend on libreport-plugin-logger. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "libreport-plugin-logger" ; then + + yum remove -y "libreport-plugin-logger" + +fi @@ -25298,18 +25298,8 @@ $ sudo yum erase libreport-plugin-rhtsupport libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system. CCE-88955-0 - -# CAUTION: This remediation script will remove libreport-plugin-rhtsupport -# from the system, and may remove any packages -# that depend on libreport-plugin-rhtsupport. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "libreport-plugin-rhtsupport" ; then - - yum remove -y "libreport-plugin-rhtsupport" - -fi + +package --remove=libreport-plugin-rhtsupport include remove_libreport-plugin-rhtsupport 
@@ -25333,8 +25323,18 @@ class remove_libreport-plugin-rhtsupport { - no_reboot_needed - package_libreport-plugin-rhtsupport_removed - -package --remove=libreport-plugin-rhtsupport + +# CAUTION: This remediation script will remove libreport-plugin-rhtsupport +# from the system, and may remove any packages +# that depend on libreport-plugin-rhtsupport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "libreport-plugin-rhtsupport" ; then + + yum remove -y "libreport-plugin-rhtsupport" + +fi @@ -25354,18 +25354,8 @@ have not been compiled using recommended compiler flags. The binaries are compiled without sufficient stack protection and its address space layout randomization (ASLR) is weak. CCE-82397-1 - -# CAUTION: This remediation script will remove pigz -# from the system, and may remove any packages -# that depend on pigz. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "pigz" ; then - - yum remove -y "pigz" - -fi + +package --remove=pigz include remove_pigz @@ -25388,8 +25378,18 @@ class remove_pigz { - no_reboot_needed - package_pigz_removed - -package --remove=pigz + +# CAUTION: This remediation script will remove pigz +# from the system, and may remove any packages +# that depend on pigz. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "pigz" ; then + + yum remove -y "pigz" + +fi 
@@ -25410,18 +25410,8 @@ $ sudo yum erase python3-abrt-addon python3-abrt-addon contains python hook and python analyzer plugin for handling uncaught exceptions in python programs. CCE-86084-1 - -# CAUTION: This remediation script will remove python3-abrt-addon -# from the system, and may remove any packages -# that depend on python3-abrt-addon. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "python3-abrt-addon" ; then - - yum remove -y "python3-abrt-addon" - -fi + +package --remove=python3-abrt-addon include remove_python3-abrt-addon @@ -25445,8 +25435,18 @@ class remove_python3-abrt-addon { - no_reboot_needed - package_python3-abrt-addon_removed - -package --remove=python3-abrt-addon + +# CAUTION: This remediation script will remove python3-abrt-addon +# from the system, and may remove any packages +# that depend on python3-abrt-addon. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "python3-abrt-addon" ; then + + yum remove -y "python3-abrt-addon" + +fi @@ -25473,18 +25473,8 @@ on that information, components will then be put into lower or higher power savi modes to adapt to the current usage. CCE-82904-4 - -# CAUTION: This remediation script will remove tuned -# from the system, and may remove any packages -# that depend on tuned. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tuned" ; then - - yum remove -y "tuned" - -fi + +package --remove=tuned include remove_tuned @@ -25508,8 +25498,18 @@ class remove_tuned { - no_reboot_needed - package_tuned_removed - -package --remove=tuned + +# CAUTION: This remediation script will remove tuned +# from the system, and may remove any packages +# that depend on tuned. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "tuned" ; then + + yum remove -y "tuned" + +fi 
@@ -25541,15 +25541,13 @@ $ sudo yum install dnf-automatic dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution. CCE-82985-3 + +package --add=dnf-automatic + [[packages]] name = "dnf-automatic" version = "*" - - -if ! rpm -q --quiet "dnf-automatic" ; then - yum install -y "dnf-automatic" -fi include install_dnf-automatic @@ -25572,8 +25570,10 @@ class install_dnf-automatic { - no_reboot_needed - package_dnf-automatic_installed - -package --add=dnf-automatic + +if ! rpm -q --quiet "dnf-automatic" ; then + yum install -y "dnf-automatic" +fi @@ -25625,20 +25625,6 @@ to 1 in /etc/yum.conf. CCE-82476-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q yum; then - -if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then - sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf -else - echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf - echo "clean_requirements_on_remove=1" >> /etc/yum.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -25680,6 +25666,20 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + +if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then + sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf +else + echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf + echo "clean_requirements_on_remove=1" >> /etc/yum.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -25713,6 +25713,25 @@ lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner. CCE-82494-6 + - name: Configure dnf-automatic to Install Available Updates Automatically + ini_file: + dest: /etc/dnf/automatic.conf + section: commands + option: apply_updates + value: 'yes' + create: true + tags: + - CCE-82494-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - dnf-automatic_apply_updates + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + found=false @@ -25740,25 +25759,6 @@ if ! $found ; then mkdir -p "$(dirname "$file")" echo -e "[commands]\napply_updates = yes" >> "$file" fi - - - name: Configure dnf-automatic to Install Available Updates Automatically - ini_file: - dest: /etc/dnf/automatic.conf - section: commands - option: apply_updates - value: 'yes' - create: true - tags: - - CCE-82494-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(5) - - NIST-800-53-SI-2(c) - - dnf-automatic_apply_updates - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy @@ -25782,6 +25782,25 @@ automatically, set upgrade_type to security CCE-82267-6 + - name: Configure dnf-automatic to Install Only Security Updates + ini_file: + dest: /etc/dnf/automatic.conf + section: commands + option: upgrade_type + value: security + create: true + tags: + - CCE-82267-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - dnf-automatic_security_updates_only + - low_complexity + - low_severity + - medium_disruption + - no_reboot_needed + - unknown_strategy + found=false 
@@ -25809,25 +25828,6 @@ if ! $found ; then mkdir -p "$(dirname "$file")" echo -e "[commands]\nupgrade_type = security" >> "$file" fi - - - name: Configure dnf-automatic to Install Only Security Updates - ini_file: - dest: /etc/dnf/automatic.conf - section: commands - option: upgrade_type - value: security - create: true - tags: - - CCE-82267-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(5) - - NIST-800-53-SI-2(c) - - dnf-automatic_security_updates_only - - low_complexity - - low_severity - - medium_disruption - - no_reboot_needed - - unknown_strategy 
@@ -25919,35 +25919,6 @@ this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). CCE-80790-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q yum; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" -else - if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" - fi - cce="CCE-80790-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" - printf '%s\n' "$formatted_output" >> "/etc/yum.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -26005,6 +25976,35 @@ fi - low_complexity - medium_disruption - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" +else + if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" + fi + cce="CCE-80790-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" + printf '%s\n' "$formatted_output" >> "/etc/yum.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -26062,35 +26062,6 @@ Accordingly, patches, service packs, device drivers, or operating system compone be signed with a certificate recognized and approved by the organization. CCE-80791-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q yum; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" -else - if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" - fi - cce="CCE-80791-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" - printf '%s\n' "$formatted_output" >> "/etc/yum.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -26150,6 +26121,35 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" +else + if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" + fi + cce="CCE-80791-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" + printf '%s\n' "$formatted_output" >> "/etc/yum.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -26228,9 +26228,6 @@ trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." CCE-80792-5 - -sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* - - name: Grep for yum repo section names shell: | set -o pipefail @@ -26292,6 +26289,9 @@ sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* - low_complexity - medium_disruption - no_reboot_needed + + +sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* 
@@ -26450,34 +26450,6 @@ not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. CCE-80795-8 - # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key -readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51" -readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" - -# Location of the key we would like to import (once it's integrity verified) -readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - -RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")") - -# Verify /etc/pki/rpm-gpg directory permissions are safe -if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] -then - # If they are safe, try to obtain fingerprints from the key file - # (to ensure there won't be e.g. CRC error). - - readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10) - - GPG_RESULT=$? - # No CRC error, safe to proceed - if [ "${GPG_RESULT}" -eq "0" ] - then - echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || { - # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it - rpm --import "${REDHAT_RELEASE_KEY}" - } - fi -fi - - name: Read permission of GPG key directory stat: path: /etc/pki/rpm-gpg/ 
@@ -26600,6 +26572,34 @@ fi - medium_disruption - no_reboot_needed - restrict_strategy + + # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key +readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51" +readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" + +# Location of the key we would like to import (once it's integrity verified) +readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + +RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")") + +# Verify /etc/pki/rpm-gpg directory permissions are safe +if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] +then + # If they are safe, try to obtain fingerprints from the key file + # (to ensure there won't be e.g. CRC error). + + readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10) + + GPG_RESULT=$? + # No CRC error, safe to proceed + if [ "${GPG_RESULT}" -eq "0" ] + then + echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || { + # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it + rpm --import "${REDHAT_RELEASE_KEY}" + } + fi +fi @@ -26662,10 +26662,6 @@ recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. CCE-80865-9 - - -yum -y update - - name: Security patches are up to date package: name: '*' @@ -26686,6 +26682,10 @@ yum -y update - reboot_required - security_patches_up_to_date - skip_ansible_lint + + + +yum -y update 
@@ -26705,11 +26705,6 @@ The dnf-automatic timer can be enabled with the following The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by dnf-automatic.timer SystemD timer. CCE-82360-9 - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer' -"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer' - - name: Enable timer dnf-automatic block: @@ -26735,6 +26730,11 @@ SYSTEMCTL_EXEC='/usr/bin/systemctl' - medium_severity - no_reboot_needed - timer_dnf-automatic_enabled + + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer' +"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer' @@ -26796,20 +26796,6 @@ profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases. CCE-88248-0 - -var_authselect_profile='' - - -authselect select "$var_authselect_profile" - -if test "$?" -ne 0; then - if rpm --quiet --verify pam; then - authselect select --force "$var_authselect_profile" - else - echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2 - fi -fi - - name: XCCDF Value var_authselect_profile # promote to variable set_fact: var_authselect_profile: !!str @@ -26880,6 +26866,20 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + +var_authselect_profile='' + + +authselect select "$var_authselect_profile" + +if test "$?" -ne 0; then + if rpm --quiet --verify pam; then + authselect select --force "$var_authselect_profile" + else + echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2 + fi +fi 
@@ -27035,6 +27035,32 @@ with human users and are not required when such human interfaces do not exist. CCE-80763-6 + - @@ -27147,6 +27147,28 @@ with human users and are not required when such human interfaces do not exist. CCE-86147-6 + - @@ -27248,6 +27248,28 @@ with human users and are not required when such human interfaces do not exist. CCE-83496-0 + - @@ -27318,8 +27318,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. CCE-83708-8 - chgrp 0 /etc/issue - - name: Test for existence /etc/issue stat: path: /etc/issue @@ -27346,6 +27344,8 @@ Proper group ownership will ensure that only root user can modify the banner. + chgrp 0 /etc/issue @@ -27367,8 +27367,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. CCE-86051-0 - chgrp 0 /etc/issue.net - - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -27397,6 +27395,8 @@ Proper group ownership will ensure that only root user can modify the banner. + chgrp 0 /etc/issue.net @@ -27417,8 +27417,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. CCE-83728-6 - chgrp 0 /etc/motd - - name: Test for existence /etc/motd stat: path: /etc/motd @@ -27445,6 +27443,8 @@ Proper group ownership will ensure that only root user can modify the banner. + chgrp 0 /etc/motd 
@@ -27465,8 +27465,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. CCE-83718-7 - chown 0 /etc/issue - - name: Test for existence /etc/issue stat: path: /etc/issue @@ -27493,6 +27491,8 @@ Proper ownership will ensure that only root user can modify the banner. + chown 0 /etc/issue @@ -27514,8 +27514,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. CCE-86054-4 - chown 0 /etc/issue.net - - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -27544,6 +27542,8 @@ Proper ownership will ensure that only root user can modify the banner. + chown 0 /etc/issue.net @@ -27564,8 +27564,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. CCE-83738-5 - chown 0 /etc/motd - - name: Test for existence /etc/motd stat: path: /etc/motd @@ -27592,6 +27590,8 @@ Proper ownership will ensure that only root user can modify the banner. + chown 0 /etc/motd @@ -27612,13 +27612,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner. CCE-83348-3 - - - - - -chmod u-xs,g-xws,o-xwt /etc/issue - - name: Test for existence /etc/issue stat: path: /etc/issue @@ -27645,6 +27638,13 @@ chmod u-xs,g-xws,o-xwt /etc/issue - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/issue 
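Review bot: the chown hunks carry the same gap as the chgrp ones: `chown 0 /etc/issue` is issued unconditionally while the Ansible task first runs `Test for existence /etc/issue`, so the shell fix errors on a missing banner file instead of skipping it. In the permissions hunk at 27612/27638, the moved block has five empty lines ahead of `chmod u-xs,g-xws,o-xwt /etc/issue`, which look like template slots for platform guards or variables this rule does not use; suppressing blank output from the template would keep the generated remediation readable. The symbolic mode itself only removes bits (setuid and execute for the owner, write and execute for group and other, plus the sticky bit), so it never loosens a file that is already tighter, which matches the stated intent that only root can modify the banner; a one-line comment saying so would stop a future edit from replacing it with an absolute `chmod 0644`.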
@@ -27666,13 +27666,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner. CCE-86047-8 - - - - - -chmod u-xs,g-xws,o-xwt /etc/issue.net - - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -27701,6 +27694,13 @@ chmod u-xs,g-xws,o-xwt /etc/issue.net - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/issue.net @@ -27721,13 +27721,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner. CCE-83338-4 - - - - - -chmod u-xs,g-xws,o-xwt /etc/motd - - name: Test for existence /etc/motd stat: path: /etc/motd @@ -27754,6 +27747,13 @@ chmod u-xs,g-xws,o-xwt /etc/motd - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/motd 
@@ -27841,68 +27841,6 @@ Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. CCE-80768-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! 
grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -27980,6 +27918,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
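Review bot: in the re-added dconf script, `LOCKFILES` is a plain string built with `$(grep -r ... | cut -d":" -f1)` but consumed as an array in `sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}"`. With one matching file that works by accident; with two or more, the expansion is a single newline-joined word and sed is handed a file name that does not exist, so the conflicting locks in other databases are never commented out. `SETTINGSFILES` a few lines earlier is filled with `readarray -t`, and the same is needed here. Two smaller points: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` appends a blank line on every run, so repeated remediation keeps growing the file, and `printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}` leaves the path unquoted while every other reference quotes it.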
@@ -28056,87 +28056,6 @@ to begin and end the string with ' and use \n< An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. CCE-80770-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -login_banner_text='' - - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g') -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g') -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g') -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g') -# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). -login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g') -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g') - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. 
-# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")" -if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/banner-message-text$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/login-screen/banner-message-text$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -28266,6 +28185,87 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +login_banner_text='' + + +# Multiple regexes transform the banner regex into a usable banner +# 0 - Remove anchors around the banner text +login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g') +# 1 - Keep only the first banners if there are multiple +# (dod_banners contains the long and short banner) +login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g') +# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") +login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g') +# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") +login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g') +# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). +login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g') +# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). +# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". +login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g') + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. 
+# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")" +if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/banner-message-text$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/login-screen/banner-message-text$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
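Review bot: besides the `LOCKFILES` string-versus-array mismatch this script shares with the banner-message-enable one, the banner text is spliced into a sed replacement without escaping sed metacharacters: `escaped_value` only doubles backslashes, and then `sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g"` uses `/` as its delimiter. A tailored banner containing `/` terminates the expression early and sed aborts; an `&` is expanded to the matched text, so the value written to dconf is not the value the operator set. Escaping `/`, `&` and `\` in `escaped_value` (or using a delimiter that cannot appear in the banner) before the `s` command is needed here. Note also that `login_banner_text=''` is the shipped default, so an untailored run writes an empty quoted banner into `/etc/dconf/db/gdm.d/00-security-settings` and then locks it.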
@@ -28355,21 +28355,13 @@ of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +package --add=libpwquality + [[packages]] name = "libpwquality" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if ! rpm -q --quiet "libpwquality" ; then - yum install -y "libpwquality" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_libpwquality @@ -28403,8 +28395,16 @@ class install_libpwquality { - no_reboot_needed - package_pam_pwquality_installed - -package --add=libpwquality + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if ! rpm -q --quiet "libpwquality" ; then + yum install -y "libpwquality" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -28431,15 +28431,6 @@ have authorization. When operating systems provide the capability to escalate a capability, it is critical the user re-authenticate. CCE-86319-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -sed -i '/pam_succeed_if/d' /etc/pam.d/sudo - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -28471,6 +28462,15 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +sed -i '/pam_succeed_if/d' /etc/pam.d/sudo + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
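Review bot: the `sed -i '/pam_succeed_if/d' /etc/pam.d/sudo` in the relocated shell fix deletes every line containing that string, commented-out lines included, and unlike the pam_lastlog script further down in this same patch it does not pass `--follow-symlinks`, so a symlinked /etc/pam.d/sudo would be replaced by a regular file by `sed -i`. Anchoring on an active stack line such as `^\s*auth\s+.*pam_succeed_if\.so` and adding `--follow-symlinks` would keep the edit to the lines the rule is about, with the sudo file otherwise untouched. The libpwquality hunks are a pure reorder of the kickstart `package --add=libpwquality`, the blueprint `[[packages]] name = "libpwquality" version = "*"` fragment and the `yum install -y "libpwquality"` script; nothing functional changes there.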
@@ -28547,264 +28547,6 @@ account allows the user to determine if any unauthorized activity has occurred a an opportunity to notify administrators. CCE-80788-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -f /usr/bin/authselect ]; then - if authselect list-features minimal | grep -q with-silent-lastlog; then - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - authselect disable-feature with-silent-lastlog - - authselect apply-changes -b - else - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - if [ -e "$PAM_FILE_PATH" ] ; then - PAM_FILE_PATH="$PAM_FILE_PATH" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! 
grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" - else - echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" - fi - fi - fi - # Check the option - if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$PAM_FILE_PATH was not found" >&2 - fi - if [ -e "$PAM_FILE_PATH" ] ; then - PAM_FILE_PATH="$PAM_FILE_PATH" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$PAM_FILE_PATH was not found" >&2 - fi - fi -else - if [ -e "/etc/pam.d/postlogin" ] ; then - PAM_FILE_PATH="/etc/pam.d/postlogin" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" - else - echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" - fi - fi - fi - # Check the option - if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "/etc/pam.d/postlogin was not found" >&2 - fi - if [ -e "/etc/pam.d/postlogin" ] ; then - PAM_FILE_PATH="/etc/pam.d/postlogin" - if [ -f /usr/bin/authselect ]; then - - if ! 
authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "/etc/pam.d/postlogin was not found" >&2 - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -29191,6 +28933,264 @@ fi - low_disruption - low_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -f /usr/bin/authselect ]; then + if authselect list-features minimal | grep -q with-silent-lastlog; then + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + authselect disable-feature with-silent-lastlog + + authselect apply-changes -b + else + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + if [ -e "$PAM_FILE_PATH" ] ; then + PAM_FILE_PATH="$PAM_FILE_PATH" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! 
grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" + else + echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" + fi + fi + fi + # Check the option + if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$PAM_FILE_PATH was not found" >&2 + fi + if [ -e "$PAM_FILE_PATH" ] ; then + PAM_FILE_PATH="$PAM_FILE_PATH" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$PAM_FILE_PATH was not found" >&2 + fi + fi +else + if [ -e "/etc/pam.d/postlogin" ] ; then + PAM_FILE_PATH="/etc/pam.d/postlogin" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" + else + echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" + fi + fi + fi + # Check the option + if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "/etc/pam.d/postlogin was not found" >&2 + fi + if [ -e "/etc/pam.d/postlogin" ] ; then + PAM_FILE_PATH="/etc/pam.d/postlogin" + if [ -f /usr/bin/authselect ]; then + + if ! 
authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "/etc/pam.d/postlogin was not found" >&2 + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -29211,17 +29211,6 @@ SELinux, user name, security context or both. The polyinstatied directories can be used to dedicate separate temporary directories to each account. CCE-83744-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q pam ); then - -if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then - echo "session required pam_namespace.so" >> "/etc/pam.d/login" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -29251,6 +29240,17 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q pam ); then + +if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then + echo "session required pam_namespace.so" >> "/etc/pam.d/login" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -29460,99 +29460,6 @@ updates as of version 0.1.65. AC-7 (a) Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. CCE-86107-0 - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*audit" - line="audit" - if ! grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! 
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" - fi - done -fi - - name: Account Lockouts Must Be Logged - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect 
@@ -30108,6 +30015,99 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*audit" + line="audit" + if ! grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. 
+ It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" + fi + done +fi 
@@ -30224,201 +30224,6 @@ updated. re-used by a user. CCE-83478-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_remember='' -var_password_pam_remember_control_flag='' - - -var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)" - -if [ -f /usr/bin/authselect ]; then - if authselect list-features minimal | grep -q with-pwhistory; then - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - authselect enable-feature with-pwhistory - - authselect apply-changes -b - else - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH" - else - echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "$PAM_FILE_PATH" - fi - fi - fi - fi -else - if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth" - else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/password-auth" - else - echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/password-auth" - fi - fi - fi -fi - -PWHISTORY_CONF="/etc/security/pwhistory.conf" -if [ -f $PWHISTORY_CONF ]; then - regex="^\s*remember\s*=" - line="remember = $var_password_pam_remember" - if ! grep -q $regex $PWHISTORY_CONF; then - echo $line >> $PWHISTORY_CONF - else - sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF - fi - if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "/etc/pam.d/password-auth was not found" >&2 - fi -else - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -31277,105 +31082,7 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - - - Limit Password Reuse: system-auth - Do not allow users to reuse recent passwords. This can be accomplished by using the -remember option for the pam_pwhistory PAM module. - - -On systems with newer versions of authselect, the pam_pwhistory PAM module -can be enabled via authselect feature: -authselect enable-feature with-pwhistory - -Otherwise, it should be enabled using an authselect custom profile. - -Newer systems also have the /etc/security/pwhistory.conf file for setting -pam_pwhistory module options. This file should be used whenever available. -Otherwise, the pam_pwhistory module options can be set in PAM files. - -The value for remember option must be equal or greater than - - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. - Newer versions of authselect contain an authselect feature to easily and properly -enable pam_pwhistory.so module. If this feature is not yet available in your -system, an authselect custom profile must be used to avoid integrity issues in PAM files. 
- 1 - 12 - 15 - 16 - 5 - 5.6.2.1.1 - DSS05.04 - DSS05.05 - DSS05.07 - DSS05.10 - DSS06.03 - DSS06.10 - 3.5.8 - CCI-000200 - 4.3.3.2.2 - 4.3.3.5.1 - 4.3.3.5.2 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - 4.3.3.7.2 - 4.3.3.7.4 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.3 - SR 1.4 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - SR 2.1 - A.18.1.4 - A.7.1.1 - A.9.2.1 - A.9.2.2 - A.9.2.3 - A.9.2.4 - A.9.2.6 - A.9.3.1 - A.9.4.2 - A.9.4.3 - IA-5(f) - IA-5(1)(e) - PR.AC-1 - PR.AC-6 - PR.AC-7 - Req-8.2.5 - 8.3.7 - SRG-OS-000077-GPOS-00045 - RHEL-08-020221 - 5.5.3 - SV-251717r902749_rule - Preventing re-use of previous passwords helps ensure that a compromised password is not -re-used by a user. - - CCE-83480-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then var_password_pam_remember='' @@ -31423,7 +31130,7 @@ if [ -f /usr/bin/authselect ]; then authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b 
@@ -31443,17 +31150,17 @@ if [ -f /usr/bin/authselect ]; then fi fi else - if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then + if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth" + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth" else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1) + LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/system-auth" + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/password-auth" else - echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" + echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/password-auth" fi fi fi 
@@ -31468,8 +31175,8 @@ if [ -f $PWHISTORY_CONF ]; then else sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF fi - if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then @@ -31496,7 +31203,7 @@ if [ -f $PWHISTORY_CONF ]; then authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b @@ -31510,10 +31217,10 @@ if [ -f $PWHISTORY_CONF ]; then authselect apply-changes -b fi else - echo "/etc/pam.d/system-auth was not found" >&2 + echo "/etc/pam.d/password-auth was not found" >&2 fi else - PAM_FILE_PATH="/etc/pam.d/system-auth" + PAM_FILE_PATH="/etc/pam.d/password-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then @@ -31540,7 +31247,7 @@ else authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b 
@@ -31570,6 +31277,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Limit Password Reuse: system-auth + Do not allow users to reuse recent passwords. This can be accomplished by using the +remember option for the pam_pwhistory PAM module. + + +On systems with newer versions of authselect, the pam_pwhistory PAM module +can be enabled via authselect feature: +authselect enable-feature with-pwhistory + +Otherwise, it should be enabled using an authselect custom profile. + +Newer systems also have the /etc/security/pwhistory.conf file for setting +pam_pwhistory module options. This file should be used whenever available. +Otherwise, the pam_pwhistory module options can be set in PAM files. + +The value for remember option must be equal or greater than + + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. + Newer versions of authselect contain an authselect feature to easily and properly +enable pam_pwhistory.so module. If this feature is not yet available in your +system, an authselect custom profile must be used to avoid integrity issues in PAM files. 
+ 1 + 12 + 15 + 16 + 5 + 5.6.2.1.1 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + 3.5.8 + CCI-000200 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + IA-5(f) + IA-5(1)(e) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.5 + 8.3.7 + SRG-OS-000077-GPOS-00045 + RHEL-08-020221 + 5.5.3 + SV-251717r902749_rule + Preventing re-use of previous passwords helps ensure that a compromised password is not +re-used by a user. + + CCE-83480-4 - name: Gather the package facts package_facts: manager: auto 
@@ -32427,95 +32232,15 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - - - Limit Password Reuse - Do not allow users to reuse recent passwords. This can be accomplished by using the -remember option for the pam_unix or pam_pwhistory PAM modules. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. - Newer versions of authselect contain an authselect feature to easily and properly -enable pam_pwhistory.so module. If this feature is not yet available in your -system, an authselect custom profile must be used to avoid integrity issues in PAM files. - BP28(R18) - 1 - 12 - 15 - 16 - 5 - 5.6.2.1.1 - DSS05.04 - DSS05.05 - DSS05.07 - DSS05.10 - DSS06.03 - DSS06.10 - 3.5.8 - CCI-000200 - 4.3.3.2.2 - 4.3.3.5.1 - 4.3.3.5.2 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - 4.3.3.7.2 - 4.3.3.7.4 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.3 - SR 1.4 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - SR 2.1 - A.18.1.4 - A.7.1.1 - A.9.2.1 - A.9.2.2 - A.9.2.3 - A.9.2.4 - A.9.2.6 - A.9.3.1 - A.9.4.2 - A.9.4.3 - IA-5(f) - IA-5(1)(e) - PR.AC-1 - PR.AC-6 - PR.AC-7 - Req-8.2.5 - 8.3.7 - SRG-OS-000077-GPOS-00045 - 5.4.3 - Preventing re-use of previous passwords helps ensure that a compromised password is not -re-used by a user. 
- - CCE-80666-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_password_pam_unix_remember='' +var_password_pam_remember='' +var_password_pam_remember_control_flag='' +var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)" + if [ -f /usr/bin/authselect ]; then if authselect list-features minimal | grep -q with-pwhistory; then if ! authselect check; then 
@@ -32559,33 +32284,33 @@ if [ -f /usr/bin/authselect ]; then PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then + if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH" else LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH" + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH" else - echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" + echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "$PAM_FILE_PATH" fi fi fi fi else - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then + if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "/etc/pam.d/system-auth" + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth" else LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "/etc/pam.d/system-auth" + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/system-auth" else - echo 'password '"requisite"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" + echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" fi fi fi @@ -32594,11 +32319,11 @@ fi PWHISTORY_CONF="/etc/security/pwhistory.conf" if [ -f $PWHISTORY_CONF ]; then regex="^\s*remember\s*=" - line="remember = $var_password_pam_unix_remember" + line="remember = $var_password_pam_remember" if ! grep -q $regex $PWHISTORY_CONF; then echo $line >> $PWHISTORY_CONF else - sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_unix_remember"'|g' $PWHISTORY_CONF + sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF fi if [ -e "/etc/pam.d/system-auth" ] ; then PAM_FILE_PATH="/etc/pam.d/system-auth" 
@@ -32688,9 +32413,9 @@ else fi # Check the option if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_unix_remember"'/' "$PAM_FILE_PATH" + sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH" else - sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_remember"' \3/' "$PAM_FILE_PATH" + sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -32702,6 +32427,89 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Limit Password Reuse + Do not allow users to reuse recent passwords. This can be accomplished by using the +remember option for the pam_unix or pam_pwhistory PAM modules. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. + Newer versions of authselect contain an authselect feature to easily and properly +enable pam_pwhistory.so module. If this feature is not yet available in your +system, an authselect custom profile must be used to avoid integrity issues in PAM files. + BP28(R18) + 1 + 12 + 15 + 16 + 5 + 5.6.2.1.1 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + 3.5.8 + CCI-000200 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + IA-5(f) + IA-5(1)(e) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.5 + 8.3.7 + SRG-OS-000077-GPOS-00045 + 5.4.3 + Preventing re-use of previous passwords helps ensure that a compromised password is not +re-used by a user. + + CCE-80666-1 - name: Gather the package facts package_facts: manager: auto 
@@ -33521,124 +33329,217 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - - Account Lockouts Must Be Logged - PAM faillock locks an account due to excessive password failures, this event must be logged. - CCI-000044 - AC-7 (a) - SRG-OS-000021-GPOS-00005 - RHEL-08-020021 - SV-230343r743981_rule - Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. - - CCE-86099-9 - # Remediation is applicable only in certain platforms -if grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; then + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_unix_remember='' + if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock + if authselect list-features minimal | grep -q with-pwhistory; then + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
+ exit 1 + fi + authselect enable-feature with-pwhistory -authselect apply-changes -b + authselect apply-changes -b + else + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! 
-z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH" + else + echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" + fi + fi + fi + fi else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "/etc/pam.d/system-auth" + else + LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "/etc/pam.d/system-auth" + else + echo 'password '"requisite"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" + fi + fi fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - fi -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*audit" - line="audit" - if ! 
grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF +PWHISTORY_CONF="/etc/security/pwhistory.conf" +if [ -f $PWHISTORY_CONF ]; then + regex="^\s*remember\s*=" + line="remember = $var_password_pam_unix_remember" + if ! grep -q $regex $PWHISTORY_CONF; then + echo $line >> $PWHISTORY_CONF + else + sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_unix_remember"'|g' $PWHISTORY_CONF fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then + if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
- exit 1 - fi + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + authselect apply-changes -b + fi + + if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "/etc/pam.d/system-auth was not found" >&2 + fi +else + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. 
+ In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi - authselect apply-changes -b - fi + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" + echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" fi - done + fi + # Check the option + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_unix_remember"'/' "$PAM_FILE_PATH" + else + sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_remember"' \3/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Account Lockouts Must Be Logged + PAM faillock locks an account due to excessive password failures, this event must be logged. + CCI-000044 + AC-7 (a) + SRG-OS-000021-GPOS-00005 + RHEL-08-020021 + SV-230343r743981_rule + Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. + + CCE-86099-9 - name: Account Lockouts Must Be Logged - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect 
@@ -34220,6 +34121,105 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; then + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*audit" + line="audit" + if ! 
grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" + fi + done +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -34318,114 +34318,6 @@ user password guessing, also known as brute-forcing, is reduced. Limits are impo the account. CCE-80667-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_deny='' - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*deny\s*=" - line="deny = $var_accounts_passwords_pam_faillock_deny" - if ! 
grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -35116,93 +35008,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Configure the root Account for Failed Password Attempts - This rule configures the system to lock out the root account after a number of -incorrect login attempts using pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - BP28(R18) - 1 - 12 - 15 - 16 - DSS05.04 - DSS05.10 - DSS06.10 - CCI-002238 - CCI-000044 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - 0421 - 0422 - 0431 - 0974 - 1173 - 1401 - 1504 - 1505 - 1546 - 1557 - 1558 - 1559 - 1560 - 1561 - A.18.1.4 - A.9.2.1 - A.9.2.4 - A.9.3.1 - A.9.4.2 - A.9.4.3 - CM-6(a) - AC-7(b) - IA-5(c) - PR.AC-7 - FMT_MOF_EXT.1 - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 - RHEL-08-020023 - SV-230345r743984_rule - By limiting the number of failed logon attempts, the risk of unauthorized system access via -user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking -the account. 
- - CCE-80668-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then +var_accounts_passwords_pam_faillock_deny='' + + if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " @@ -35234,10 +35045,12 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*even_deny_root" - line="even_deny_root" + regex="^\s*deny\s*=" + line="deny = $var_accounts_passwords_pam_faillock_deny" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -35275,8 +35088,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -35289,9 +35102,12 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" fi done fi 
@@ -35300,6 +35116,90 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure the root Account for Failed Password Attempts + This rule configures the system to lock out the root account after a number of +incorrect login attempts using pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + BP28(R18) + 1 + 12 + 15 + 16 + DSS05.04 + DSS05.10 + DSS06.10 + CCI-002238 + CCI-000044 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + CM-6(a) + AC-7(b) + IA-5(c) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + RHEL-08-020023 + SV-230345r743984_rule + By limiting the number of failed logon attempts, the risk of unauthorized system access via +user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking +the account. + + CCE-80668-7 - name: Gather the package facts package_facts: manager: auto 
@@ -35934,56 +35834,9 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Lock Accounts Must Persist - This rule ensures that the system lock out accounts using pam_faillock.so persist -after system reboot. From "pam_faillock" man pages: -Note that the default directory that "pam_faillock" uses is usually cleared on system -boot so the access will be reenabled after system reboot. If that is undesirable, a different -tally directory must be set with the "dir" option. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - -The chosen profile expects the directory to be . - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - CCI-000044 - CCI-002238 - AC-7(b) - AC-7(a) - AC-7.1(ii) - SRG-OS-000021-GPOS-00005 - SRG-OS-000329-GPOS-00128 - RHEL-08-020016 - RHEL-08-020017 - SV-230338r627750_rule - SV-230339r743975_rule - Locking out user accounts after a number of incorrect attempts prevents direct password -guessing attacks. In combination with the silent option, user enumeration attacks -are also mitigated. - - CCE-86067-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_accounts_passwords_pam_faillock_dir='' - - if [ -f /usr/bin/authselect ]; then if ! 
authselect check; then echo " @@ -36015,12 +35868,10 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*dir\s*=" - line="dir = $var_accounts_passwords_pam_faillock_dir" + regex="^\s*even_deny_root" + line="even_deny_root" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(dir\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_dir"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -36058,8 +35909,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -36072,34 +35923,61 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file" fi done fi -if ! rpm -q --quiet "python3-libselinux" ; then - yum install -y "python3-libselinux" -fi -if ! rpm -q --quiet "python3-policycoreutils" ; then - yum install -y "python3-policycoreutils" -fi -if ! rpm -q --quiet "policycoreutils-python-utils" ; then - yum install -y "policycoreutils-python-utils" -fi - -mkdir -p "$var_accounts_passwords_pam_faillock_dir" -semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?" -restorecon -R -v "$var_accounts_passwords_pam_faillock_dir" - else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Lock Accounts Must Persist + This rule ensures that the system lock out accounts using pam_faillock.so persist +after system reboot. 
From "pam_faillock" man pages: +Note that the default directory that "pam_faillock" uses is usually cleared on system +boot so the access will be reenabled after system reboot. If that is undesirable, a different +tally directory must be set with the "dir" option. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + +The chosen profile expects the directory to be . + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + CCI-000044 + CCI-002238 + AC-7(b) + AC-7(a) + AC-7.1(ii) + SRG-OS-000021-GPOS-00005 + SRG-OS-000329-GPOS-00128 + RHEL-08-020016 + RHEL-08-020017 + SV-230338r627750_rule + SV-230339r743975_rule + Locking out user accounts after a number of incorrect attempts prevents direct password +guessing attacks. In combination with the silent option, user enumeration attacks +are also mitigated. + + CCE-86067-6 - name: Gather the package facts package_facts: manager: auto 
@@ -36836,39 +36714,12 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Enforce pam_faillock for Local Accounts Only - The pam_faillock module's local_users_only parameter controls requirements for -enforcing failed lockout attempts only for local user accounts and ignoring centralized user -account management failed attempt configurations. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - Using this rule bypasses pam_faillock's functionality and should be used in cases -where centralized management such as LDAP or Active Directory is in use. - CCI-000015 - AC-2(1) - SRG-OS-000001-GPOS-00001 - The operating system must provide automated mechanisms for supporting account management -functions. Enterprise environments make application account management challenging and -complex. A manual process for account management functions adds the risk of a potential -oversight or other error. Locking out remote accounts may cause unintentional DoS. - - CCE-83401-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then +var_accounts_passwords_pam_faillock_dir='' + + if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " 
@@ -36900,10 +36751,12 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*local_users_only" - line="local_users_only" + regex="^\s*dir\s*=" + line="dir = $var_accounts_passwords_pam_faillock_dir" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(dir\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_dir"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -36941,8 +36794,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -36955,17 +36808,64 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*local_users_only' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ local_users_only/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" fi done fi +if ! rpm -q --quiet "python3-libselinux" ; then + yum install -y "python3-libselinux" +fi +if ! rpm -q --quiet "python3-policycoreutils" ; then + yum install -y "python3-policycoreutils" +fi +if ! rpm -q --quiet "policycoreutils-python-utils" ; then + yum install -y "policycoreutils-python-utils" +fi + +mkdir -p "$var_accounts_passwords_pam_faillock_dir" +semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?" 
+restorecon -R -v "$var_accounts_passwords_pam_faillock_dir" + else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Enforce pam_faillock for Local Accounts Only + The pam_faillock module's local_users_only parameter controls requirements for +enforcing failed lockout attempts only for local user accounts and ignoring centralized user +account management failed attempt configurations. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + Using this rule bypasses pam_faillock's functionality and should be used in cases +where centralized management such as LDAP or Active Directory is in use. + CCI-000015 + AC-2(1) + SRG-OS-000001-GPOS-00001 + The operating system must provide automated mechanisms for supporting account management +functions. Enterprise environments make application account management challenging and +complex. A manual process for account management functions adds the risk of a potential +oversight or other error. Locking out remote accounts may cause unintentional DoS. + + CCE-83401-0 - name: Gather the package facts package_facts: manager: auto 
@@ -37575,102 +37475,9 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Set Interval For Counting Failed Password Attempts - Utilizing pam_faillock.so, the fail_interval directive configures the system -to lock out an account after a number of incorrect login attempts within a specified time -period. - -Ensure that the file /etc/security/faillock.conf contains the following entry: -fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. - - -In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - BP28(R18) - 1 - 12 - 15 - 16 - DSS05.04 - DSS05.10 - DSS06.10 - CCI-000044 - CCI-002236 - CCI-002237 - CCI-002238 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - 0421 - 0422 - 0431 - 0974 - 1173 - 1401 - 1504 - 1505 - 1546 - 1557 - 1558 - 1559 - 1560 - 1561 - A.18.1.4 - A.9.2.1 - A.9.2.4 - A.9.3.1 - A.9.4.2 - A.9.4.3 - CM-6(a) - AC-7(a) - PR.AC-7 - FIA_AFL.1 - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 - RHEL-08-020012 - RHEL-08-020013 - SV-230334r627750_rule - SV-230335r743969_rule - By limiting the number of failed logon attempts the risk of unauthorized system -access via user password guessing, otherwise known as brute-forcing, is reduced. -Limits are imposed by locking the account. 
- - CCE-80669-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_accounts_passwords_pam_faillock_fail_interval='' - - if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " @@ -37702,12 +37509,10 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*fail_interval\s*=" - line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" + regex="^\s*local_users_only" + line="local_users_only" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -37745,8 +37550,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -37759,12 +37564,9 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*local_users_only' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ local_users_only/' "$pam_file" fi done fi 
@@ -37773,6 +37575,96 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Set Interval For Counting Failed Password Attempts + Utilizing pam_faillock.so, the fail_interval directive configures the system +to lock out an account after a number of incorrect login attempts within a specified time +period. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + BP28(R18) + 1 + 12 + 15 + 16 + DSS05.04 + DSS05.10 + DSS06.10 + CCI-000044 + CCI-002236 + CCI-002237 + CCI-002238 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + CM-6(a) + AC-7(a) + PR.AC-7 + FIA_AFL.1 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + RHEL-08-020012 + RHEL-08-020013 + SV-230334r627750_rule + SV-230335r743969_rule + By limiting the number of failed logon attempts the risk of unauthorized system +access via user password guessing, otherwise known as brute-forcing, is reduced. 
+Limits are imposed by locking the account. + + CCE-80669-5 - name: Gather the package facts package_facts: manager: auto 
@@ -38442,48 +38334,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Do Not Show System Messages When Unsuccessful Logon Attempts Occur - This rule ensures the system prevents informative messages from being presented to the user -pertaining to logon information after a number of incorrect login attempts using -pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - CCI-002238 - CCI-000044 - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 - RHEL-08-020018 - RHEL-08-020019 - SV-230340r627750_rule - SV-230341r743978_rule - The pam_faillock module without the silent option will leak information about the existence or -non-existence of a user account in the system because the failures are not recorded for unknown -users. The message about the user account being locked is never displayed for non-existing user -accounts allowing the adversary to infer that a particular account exists or not on the system. - - CCE-87096-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then +var_accounts_passwords_pam_faillock_fail_interval='' + + if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " 
@@ -38512,18 +38368,72 @@ done fi AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*silent" - line="silent" + regex="^\s*fail_interval\s*=" + line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so\s*preauth.*silent' "$pam_file"; then - sed -i --follow-symlinks '/^\s*auth.*pam_faillock\.so.*preauth/ s/$/ silent/' "$pam_file" + if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" fi done fi 
@@ -38532,6 +38442,45 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Do Not Show System Messages When Unsuccessful Logon Attempts Occur + This rule ensures the system prevents informative messages from being presented to the user +pertaining to logon information after a number of incorrect login attempts using +pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + CCI-002238 + CCI-000044 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + RHEL-08-020018 + RHEL-08-020019 + SV-230340r627750_rule + SV-230341r743978_rule + The pam_faillock module without the silent option will leak information about the existence or +non-existence of a user account in the system because the failures are not recorded for unknown +users. The message about the user account being locked is never displayed for non-existing user +accounts allowing the adversary to infer that a particular account exists or not on the system. + + CCE-87096-4 - name: Gather the package facts package_facts: manager: auto 
@@ -38762,6 +38711,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*silent" + line="silent" + if ! grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + fi +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! grep -qE '^\s*auth.*pam_faillock\.so\s*preauth.*silent' "$pam_file"; then + sed -i --follow-symlinks '/^\s*auth.*pam_faillock\.so.*preauth/ s/$/ silent/' "$pam_file" + fi + done +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -38869,114 +38869,6 @@ access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. CCE-80670-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_unlock_time='' - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*unlock_time\s*=" - line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" - if ! 
grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
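Review bot: this hunk is a relocation, not a content change: the 108 removed lines of the CCE-80670-3 unlock_time remediation are re-added byte for byte by the next hunk (`@@ -39676,6 +39568,114 @@`), and the same `-`/`+` pairing repeats for every pwquality.conf rule further down. An automated publish should not emit churn of this kind; the order of the fix elements in the generated datastream is evidently not stable between builds, so the generator should sort them deterministically, or the publish job should skip a commit whose only delta is reordering. As it stands any real change in this file is hidden behind moved blocks.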
@@ -39676,6 +39568,114 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_accounts_passwords_pam_faillock_unlock_time='' + + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*unlock_time\s*=" + line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" + if ! 
grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF + fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" + fi + done +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
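Review bot: in the authselect path of the per-file loop, `authselect apply-changes -b` runs up to three times per PAM file (after the custom-profile creation, again right after `PAM_FILE_PATH` is computed, and once more after the unlock_time `sed`), so over the two entries of `AUTH_FILES` the remediation can re-apply the profile and write a backup six times; one `apply-changes` after the loop is sufficient, and `authselect check` plus the profile creation likewise belong before the loop rather than inside it. Related: `ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')` scrapes the human-readable listing, while the line above, `CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')`, already has the raw form; taking the feature names from the remaining fields of that same `-r` output removes the dependence on the pretty-printed layout. Finally, `grep -q $regex $FAILLOCK_CONF` and `echo $line >> $FAILLOCK_CONF` are unquoted here as in the silent hunk above.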
@@ -39935,42 +39935,6 @@ Requiring digits makes password guessing attacks more difficult by ensuring a la search space. CCE-80653-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_dcredit='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80653-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
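Review bot: as with the unlock_time hunks above, this removal of the CCE-80653-9 dcredit remediation is matched by an identical re-insertion in the next hunk (`@@ -40018,6 +39982,42 @@`), and the same move pattern repeats below for dictcheck, difok, local_users_only, enforce_for_root, lcredit, maxclassrepeat, maxrepeat, minclass and minlen. Nothing to fix in the removed script itself; the pairs should be read as one no-op relocation each, and the root cause is the unstable ordering already noted.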
@@ -40018,6 +39982,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_dcredit='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80653-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
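Review bot: the existing-key detection anchors at column 0 (`LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>"` and `sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi"`), whereas the local_users_only and enforce_for_root hunks further down tolerate leading whitespace with `^\s*`. An indented `dcredit` line is therefore not recognised and the else branch appends a second, conflicting definition instead of replacing the existing one; the `^\s*` anchor should be used here as well. Second, `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` escapes only `/`, so a value containing `&` or `\` would be interpreted by the `s///` replacement; harmless for the integer dcredit takes, but this is the shared key-setter template reused by every pwquality hunk in this patch and should escape all three. The run of empty `+` lines after `var_password_pam_dcredit=''` is template residue that can be dropped from the generator.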
@@ -40050,42 +40050,6 @@ password is compromised. Passwords with dictionary words may be more vulnerable to password-guessing attacks. CCE-86233-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_dictcheck='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-86233-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40129,6 +40093,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_dictcheck='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-86233-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40218,42 +40218,6 @@ newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. CCE-80654-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_difok='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^difok") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_difok" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80654-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40299,6 +40263,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_difok='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^difok") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_difok" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80654-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40326,28 +40326,6 @@ complex. A manual process for account management functions adds the risk of a po oversight or other error. CCE-83364-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/security/pwquality.conf" ] ; then - - LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf" -else - touch "/etc/security/pwquality.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/security/pwquality.conf" - -cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" -# Insert at the end of the file -printf '%s\n' "local_users_only" >> "/etc/security/pwquality.conf" -# Clean up after ourselves. -rm "/etc/security/pwquality.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -40377,6 +40355,28 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/security/pwquality.conf" ] ; then + + LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf" +else + touch "/etc/security/pwquality.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/security/pwquality.conf" + +cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" +# Insert at the end of the file +printf '%s\n' "local_users_only" >> "/etc/security/pwquality.conf" +# Clean up after ourselves. +rm "/etc/security/pwquality.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
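Review bot: in the re-added CCE-83364-0 remediation the backup is dead code: `cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak"` is followed two lines later by `rm "/etc/security/pwquality.conf.bak"` with nothing reading the copy in between, and because there is no error handling the `.bak` is removed even if the `printf '%s\n' "local_users_only" >>` in between fails. Either drop the pair or keep the backup. Also, the deletion `LC_ALL=C sed -i "/^\s*local_users_only/Id"` runs without `--follow-symlinks`, unlike the `sed -i` calls in the key=value hunks of this patch, so a symlinked pwquality.conf would be replaced by a regular file.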
@@ -40418,28 +40418,6 @@ password. The more complex the password, the greater the number of possible comb that need to be tested before the password is compromised. CCE-83377-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/security/pwquality.conf" ] ; then - - LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf" -else - touch "/etc/security/pwquality.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/security/pwquality.conf" - -cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" -# Insert at the end of the file -printf '%s\n' "enforce_for_root" >> "/etc/security/pwquality.conf" -# Clean up after ourselves. -rm "/etc/security/pwquality.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -40475,6 +40453,28 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/security/pwquality.conf" ] ; then + + LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf" +else + touch "/etc/security/pwquality.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/security/pwquality.conf" + +cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" +# Insert at the end of the file +printf '%s\n' "enforce_for_root" >> "/etc/security/pwquality.conf" +# Clean up after ourselves. +rm "/etc/security/pwquality.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
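Review bot: same dead `cp ... pwquality.conf.bak` / `rm ... pwquality.conf.bak` pair and the same `LC_ALL=C sed -i "/^\s*enforce_for_root/Id"` without `--follow-symlinks` as in the local_users_only hunk; the two re-added scripts differ only in the literal `enforce_for_root`, so fixing the shared boolean-directive template fixes both. One point the two boolean hunks get right that the key=value hunks do not: the `^\s*` anchor, which recognises an indented existing directive before re-adding it.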
@@ -40576,42 +40576,6 @@ Requiring a minimum number of lowercase characters makes password guessing attac more difficult by ensuring a larger search space. CCE-80655-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_lcredit='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80655-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40659,6 +40623,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_lcredit='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80655-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40740,42 +40740,6 @@ more complex a password, the greater the number of possible combinations that ne password is compromised. CCE-81034-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_maxclassrepeat='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxclassrepeat") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxclassrepeat" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-81034-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40820,6 +40784,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_maxclassrepeat='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxclassrepeat") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxclassrepeat" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-81034-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40902,42 +40902,6 @@ password is compromised. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. CCE-82066-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_maxrepeat='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxrepeat") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxrepeat" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-82066-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40979,6 +40943,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_maxrepeat='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxrepeat") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxrepeat" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-82066-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -41089,42 +41089,6 @@ Requiring a minimum number of character categories makes password guessing attac by ensuring a larger search space. CCE-82046-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_minclass='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-82046-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -41168,6 +41132,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_minclass='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-82046-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -41269,42 +41269,6 @@ helps to exponentially increase the time and/or resources required to compromise the password. CCE-80656-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_minlen='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80656-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -41354,6 +41318,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_minlen='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80656-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -41456,6 +41456,50 @@ Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. CCE-80663-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80663-8 + - DISA-STIG-RHEL-08-020280 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_ocredit # promote to variable + set_fact: + var_password_pam_ocredit: !!str + tags: + - always + +- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters - Ensure + PAM variable ocredit is set accordingly + ansible.builtin.lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ocredit + line: ocredit = {{ var_password_pam_ocredit }} + when: '"pam" in ansible_facts.packages' + tags: + - CCE-80663-8 + - DISA-STIG-RHEL-08-020280 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then 
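Review bot: the `lineinfile` task writes `ocredit = N` to /etc/security/pwquality.conf, but nothing removes an `ocredit=` argument from the `pam_pwquality.so` line in /etc/pam.d/password-auth and system-auth, and module arguments take precedence over pwquality.conf, so on a host where earlier hardening put `ocredit=-1` on the PAM line the new value is ignored while the play reports changed. The bash retry remediation later in this patch shows the needed pattern (it deletes `retry=` from both PAM files); the minclass, minlen, ocredit and ucredit remediations should do the equivalent in both bash and Ansible. Also, `regexp: ^#?\s*ocredit` matches the commented `# ocredit = 0` line shipped in the stock file and `lineinfile` rewrites the last match, so the edit can leave two active `ocredit` lines; harmless since the later assignment wins, but anchoring the pattern with `\s*=` makes the intent explicit.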
@@ -41491,50 +41535,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80663-8 - - DISA-STIG-RHEL-08-020280 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_ocredit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy -- name: XCCDF Value var_password_pam_ocredit # promote to variable - set_fact: - var_password_pam_ocredit: !!str - tags: - - always - -- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters - Ensure - PAM variable ocredit is set accordingly - ansible.builtin.lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*ocredit - line: ocredit = {{ var_password_pam_ocredit }} - when: '"pam" in ansible_facts.packages' - tags: - - CCE-80663-8 - - DISA-STIG-RHEL-08-020280 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_ocredit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -41560,68 +41560,6 @@ Edit the password section in makes the system less prone to dictionary attacks. CCE-85877-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwquality.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwquality.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^account.*required.*pam_permit\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwquality.so' "$PAM_FILE_PATH" - else - echo 'password '"requisite"' pam_pwquality.so' >> "$PAM_FILE_PATH" - fi - fi -fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -41881,32 +41819,11 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Ensure PAM password complexity module is enabled in system-auth - To enable PAM password complexity in system-auth file: -Edit the password section in -/etc/pam.d/system-auth to show -password requisite pam_pwquality.so. - CCI-000366 - SRG-OS-000480-GPOS-00227 - RHEL-08-020101 - SV-251713r902740_rule - Enabling PAM password complexity permits to enforce strong passwords and consequently -makes the system less prone to dictionary attacks. - - CCE-85872-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" +if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then @@ -41933,7 +41850,7 @@ if [ -e "/etc/pam.d/system-auth" ] ; then authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b 
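Review bot: in the -41560 hunk's script, when no `password requisite pam_pwquality.so` line exists and the group+module count is not exactly 1 (two `pam_pwquality.so` lines with the wrong control, or none), the fallback appends a fresh line instead of fixing the existing ones, so the file accumulates several pam_pwquality entries and the stale lines keep their old control and arguments; rewriting every matching line rather than only the single-match case avoids that. Two quoting nits on the same block: `if [ ! -z $LAST_MATCH_LINE ]` and `sed -i --follow-symlinks $LAST_MATCH_LINE' a ...'` leave the variable unquoted (SC2086), and the insert-after-the-last-`account required pam_permit.so` trick deserves a comment saying it deliberately places pwquality at the head of the password stack.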
@@ -41957,13 +41874,34 @@ fi authselect apply-changes -b fi else - echo "/etc/pam.d/system-auth was not found" >&2 + echo "/etc/pam.d/password-auth was not found" >&2 fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure PAM password complexity module is enabled in system-auth + To enable PAM password complexity in system-auth file: +Edit the password section in +/etc/pam.d/system-auth to show +password requisite pam_pwquality.so. + CCI-000366 + SRG-OS-000480-GPOS-00227 + RHEL-08-020101 + SV-251713r902740_rule + Enabling PAM password complexity permits to enforce strong passwords and consequently +makes the system less prone to dictionary attacks. + + CCE-85872-0 - name: Gather the package facts package_facts: manager: auto 
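Review bot: the system-auth to password-auth substitutions in this hunk (`PAM_FILE_PATH="/etc/pam.d/system-auth"` becoming `/etc/pam.d/password-auth`, the `basename` argument and the `was not found` message) are not a retarget of either rule: git has aligned the relocated password-auth script (CCE-85877-9) against the system-auth script (CCE-85872-0) that used to sit next to it, and the rule header for RHEL-08-020101 / SV-251713r902740_rule added back here is byte-identical to the one removed at -41881. Diff the two rules' fix elements individually (or regenerate with `--diff-algorithm=patience`) rather than read these hunks as a change; emitting fix elements in a stable order in the build would prevent this kind of misleading alignment.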
@@ -42223,135 +42161,11 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - To configure the number of retry prompts that are permitted per-session: - -Edit the /etc/security/pwquality.conf to include - -retry=, or a lower value if site -policy is more restrictive. The DoD requirement is a maximum of 3 prompts -per session. - 1 - 11 - 12 - 15 - 16 - 3 - 5 - 9 - 5.5.3 - BAI10.01 - BAI10.02 - BAI10.03 - BAI10.05 - DSS05.04 - DSS05.05 - DSS05.07 - DSS05.10 - DSS06.03 - DSS06.10 - CCI-000192 - CCI-000366 - 4.3.3.2.2 - 4.3.3.5.1 - 4.3.3.5.2 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - 4.3.3.7.2 - 4.3.3.7.4 - 4.3.4.3.2 - 4.3.4.3.3 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.3 - SR 1.4 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - SR 2.1 - SR 7.6 - A.12.1.2 - A.12.5.1 - A.12.6.2 - A.14.2.2 - A.14.2.3 - A.14.2.4 - A.18.1.4 - A.7.1.1 - A.9.2.1 - A.9.2.2 - A.9.2.3 - A.9.2.4 - A.9.2.6 - A.9.3.1 - A.9.4.2 - A.9.4.3 - CM-6(a) - AC-7(a) - IA-5(4) - PR.AC-1 - PR.AC-6 - PR.AC-7 - PR.IP-1 - FMT_MOF_EXT.1 - SRG-OS-000069-GPOS-00037 - SRG-OS-000480-GPOS-00227 - RHEL-08-020104 - 5.5.1 - SV-251716r858737_rule - Setting the password retry prompts that are permitted on a per-session basis to a low value -requires some software, such as SSH, to re-connect. This can slow down and -draw additional attention to some types of password-guessing attacks. Note that this -is different from account lockout, which is provided by the pam_faillock module. - - CCE-80664-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_password_pam_retry='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. 
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^retry") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_retry" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80664-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - - if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" +if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then 
@@ -42378,59 +42192,24 @@ fi authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b fi - -if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" -fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - - if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile + if ! 
grep -qP '^\s*password\s+'"requisite"'\s+pam_pwquality.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwquality.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^account.*required.*pam_permit\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwquality.so' "$PAM_FILE_PATH" + else + echo 'password '"requisite"' pam_pwquality.so' >> "$PAM_FILE_PATH" fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b fi - -if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
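Review bot: `ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')` in the removed authselect block parses the pretty-printed output of `authselect current` (skip two header lines, take the second word of each `- feature` line); the script already calls `authselect current -r` one line earlier for the profile name, and the raw form prints the enabled features on that same line, so `authselect current -r | cut -d' ' -f2-` returns the same list without depending on the human-readable layout. Since this block is copied into every PAM remediation in the patch, fixing it once in the shared template is cheap.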
@@ -42444,6 +42223,105 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + To configure the number of retry prompts that are permitted per-session: + +Edit the /etc/security/pwquality.conf to include + +retry=, or a lower value if site +policy is more restrictive. The DoD requirement is a maximum of 3 prompts +per session. + 1 + 11 + 12 + 15 + 16 + 3 + 5 + 9 + 5.5.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + CCI-000192 + CCI-000366 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 7.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + CM-6(a) + AC-7(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + PR.IP-1 + FMT_MOF_EXT.1 + SRG-OS-000069-GPOS-00037 + SRG-OS-000480-GPOS-00227 + RHEL-08-020104 + 5.5.1 + SV-251716r858737_rule + Setting the password retry prompts that are permitted on a per-session basis to a low value +requires some software, such as SSH, to re-connect. This can slow down and +draw additional attention to some types of password-guessing attacks. Note that this +is different from account lockout, which is provided by the pam_faillock module. + + CCE-80664-6 - name: Gather the package facts package_facts: manager: auto 
@@ -42902,6 +42780,128 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_retry='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^retry") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_retry" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80664-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + + if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
+ exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + +if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" +fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/password-auth was not found" >&2 +fi + + if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + +if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" +fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/system-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
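Review bot: `authselect create-profile hardening -b $CURRENT_PROFILE` has its exit status ignored, and the next lines unconditionally set `CURRENT_PROFILE="custom/hardening"` and `authselect select` it. If `custom/hardening` already exists from an earlier run but an administrator has since switched back to a stock profile, create-profile fails because the directory exists, the script carries on, and `authselect select custom/hardening` activates whatever the old custom profile contains before re-enabling features on top of it; the remediation should either test for `/etc/authselect/custom/hardening` first or abort on a non-zero create-profile status with the same clarity as the `authselect check` failure path. The block is also duplicated verbatim for password-auth and system-auth inside one script (the second copy is a no-op because CURRENT_PROFILE is already custom/*); a shell function would halve the hunk.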
@@ -43002,42 +43002,6 @@ complex the password, the greater the number of possible combinations that need the password is compromised. CCE-80665-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_ucredit='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80665-3" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -43083,6 +43047,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_ucredit='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80665-3" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -43178,26 +43178,6 @@ of a strong hashing algorithm that makes password cracking attacks more difficult. CCE-80891-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q libuser; then - -LIBUSER_CONF="/etc/libuser.conf" -CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' - -# Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512. -# If it isn't here, then add it to [defaults] section. -if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then - sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF -elif grep -qs "\[defaults]" $LIBUSER_CONF ; then - sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF -else - echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -43241,6 +43221,26 @@ fi - no_reboot_needed - restrict_strategy - set_password_hashing_algorithm_libuserconf + + # Remediation is applicable only in certain platforms +if rpm --quiet -q libuser; then + +LIBUSER_CONF="/etc/libuser.conf" +CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' + +# Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512. +# If it isn't here, then add it to [defaults] section. +if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then + sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF +elif grep -qs "\[defaults]" $LIBUSER_CONF ; then + sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF +else + echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
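Review bot: `CRYPT_STYLE_REGEX` is meant to find `crypt_style` inside `[defaults]`, but `(.*(\n)+)+?` never stops at the next `[section]` header, so a `crypt_style` in a later section satisfies the grep; the `sed "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g"` that follows is not section-scoped either and rewrites every occurrence, commented `# crypt_style = des` lines included, while `[defaults]` itself may still get no entry. Restrict the substitution to the `[defaults]` range (`/^\[defaults\]/,/^\[/ s/.../`) and fall through to the insert branch when no active key exists there. Minor: `grep -qzosP` with a lazy, nested repetition over the whole file as one record is a backtracking hazard; locating the section and matching `^\s*crypt_style` line-wise is simpler.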
@@ -43325,23 +43325,6 @@ that are encrypted with a weak algorithm are no more protected than if they are Using a stronger hashing algorithm makes password cracking attacks more difficult. CCE-80892-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_password_hashing_algorithm='' - - -if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then - sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs -else - echo "" >> /etc/login.defs - echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -43391,6 +43374,23 @@ fi - no_reboot_needed - restrict_strategy - set_password_hashing_algorithm_logindefs + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_password_hashing_algorithm='' + + +if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then + sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs +else + echo "" >> /etc/login.defs + echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
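Review bot: `grep --silent ^ENCRYPT_METHOD` and the `sed "s/^ENCRYPT_METHOD .*/..."` disagree on the separator: the grep accepts anything after the key while the sed requires exactly one space, so a line written as `ENCRYPT_METHOD<TAB>MD5` or `ENCRYPT_METHOD  MD5` is detected, not rewritten, and the else branch that would append the correct setting is skipped, leaving the weak value in place with exit status 0. Use `^ENCRYPT_METHOD[[:space:]]` in both, or drop the grep and let a single sed append when no substitution happened. The `/g` flag on an anchored pattern is a no-op and can go.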
@@ -43494,67 +43494,6 @@ of a strong hashing algorithm that makes password cracking attacks more difficult. CCE-85945-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
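Review bot: the fallback `echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH"` appends to the end of the file, which in an authselect-generated password-auth lands after `password required pam_deny.so`; because a `required` failure has already been recorded by then, a later `sufficient` module cannot turn the stack result into success, so in a file that lacked pam_unix to begin with the appended line is unreachable and password changes fail rather than use sha512. The pam_pwquality remediation in this same patch inserts after the last `account required pam_permit.so` line, i.e. at the head of the password stack; this script should insert directly after the `pam_pwquality.so` line instead of appending. As with pam_pwquality, the `-eq 1` guard sends two or more mismatched `pam_unix.so` lines down this append path as well.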
@@ -43851,6 +43790,67 @@ fi - medium_severity - no_reboot_needed - set_password_hashing_algorithm_passwordauth + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/password-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
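Review bot: this hunk re-adds, byte for byte, the block the previous hunk removed, now placed below the ansible fix, and the same remove-then-re-add pairing repeats for every rule in the file, so the whole patch is a reordering of the fix entries within each rule rather than a content change. If the publisher emitted fixes in a stable, sorted order, an automated publish like this would produce an empty diff and a genuine remediation change would not be buried among tens of thousands of moved lines.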
@@ -43954,67 +43954,6 @@ of a strong hashing algorithm that makes password cracking attacks more difficult. CCE-80893-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/system-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
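Review bot: in the system-auth block the authselect path aborts with 'exit 1' only when 'authselect check' fails; the subsequent 'authselect create-profile hardening -b ...', 'authselect select' and 'authselect enable-feature' calls are not checked, so if create-profile fails for any reason the script still selects and edits custom/hardening, runs 'apply-changes -b', and ends with a success status. Each of those calls should be followed by an error check that exits non-zero, in line with the integrity check above them. The feature list is also recovered by parsing the human-readable output of 'authselect current' with 'tail -n+3 | awk', which is fragile; 'authselect current -r' already gives a machine-readable form and its remaining fields are the enabled features.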
@@ -44309,6 +44248,67 @@ fi - medium_severity - no_reboot_needed - set_password_hashing_algorithm_systemauth + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/system-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -44341,23 +44341,6 @@ they are kept in plain text. Using more hashing rounds makes password cracking attacks more difficult. CCE-89707-4 - -if [ -e "/etc/login.defs" ] ; then - - LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs" -else - printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2 - return 1 -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/login.defs" - -cp "/etc/login.defs" "/etc/login.defs.bak" -# Insert at the end of the file -printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs" -# Clean up after ourselves. -rm "/etc/login.defs.bak" - - name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS has Minimum Value of 5000 ansible.builtin.replace: 
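Review bot: in the SHA_CRYPT_MIN_ROUNDS block, 'return 1' sits at the top level of the script rather than inside a function, so unless the remediation is sourced, bash rejects the return with an error and continues into the following sed, cp and printf calls on a file it has just reported missing; 'exit 1' is what is meant. The 'cp /etc/login.defs /etc/login.defs.bak' immediately followed by 'rm /etc/login.defs.bak', with nothing between them that could restore the copy, is not a backup and should either be kept or dropped entirely.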
@@ -44391,6 +44374,23 @@ rm "/etc/login.defs.bak" - no_reboot_needed - restrict_strategy - set_password_hashing_min_rounds_logindefs + + +if [ -e "/etc/login.defs" ] ; then + + LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs" +else + printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2 + return 1 +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/login.defs" + +cp "/etc/login.defs" "/etc/login.defs.bak" +# Insert at the end of the file +printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs" +# Clean up after ourselves. +rm "/etc/login.defs.bak" @@ -44462,26 +44462,17 @@ access when the system is rebooted. [customizations.services] disabled = ["debug-shell"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'debug-shell.service' -"$SYSTEMCTL_EXEC" disable 'debug-shell.service' -"$SYSTEMCTL_EXEC" mask 'debug-shell.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files debug-shell.socket; then - "$SYSTEMCTL_EXEC" stop 'debug-shell.socket' - "$SYSTEMCTL_EXEC" mask 'debug-shell.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - enabled: false + name: debug-shell.service include disable_debug-shell 
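Review bot: the MachineConfig that moves into the debug-shell position in this hunk only sets 'enabled: false' on debug-shell.service, whereas the bash remediation it replaces stops, disables and masks both debug-shell.service and debug-shell.socket. A disabled unit can still be started on demand or through socket activation, so the OpenShift path leaves the debug shell available; the ctrl-alt-del.target MachineConfig later in this file uses 'mask: true', and the same should be done here for both the service and the socket.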
@@ -44562,17 +44553,26 @@ class disable_debug-shell { - no_reboot_needed - service_debug-shell_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - enabled: false - name: debug-shell.service + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'debug-shell.service' +"$SYSTEMCTL_EXEC" disable 'debug-shell.service' +"$SYSTEMCTL_EXEC" mask 'debug-shell.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files debug-shell.socket; then + "$SYSTEMCTL_EXEC" stop 'debug-shell.socket' + "$SYSTEMCTL_EXEC" mask 'debug-shell.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -44671,34 +44671,20 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. CCE-80784-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^CtrlAltDelBurstAction=") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s=%s" "$stripped_key" "none" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf" -else - if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf" - fi - cce="CCE-80784-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf" - printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,CtrlAltDelBurstAction%3Dnone + mode: 0644 + path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf + overwrite: true - name: Gather the package facts package_facts: 
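Review bot: the bash remediation in this hunk edits /etc/systemd/system.conf in place (replacing an uncommented 'CtrlAltDelBurstAction=' line or appending one), while the MachineConfig that takes its position writes a drop-in under /etc/systemd/system.conf.d/. Since systemd reads system.conf.d/*.conf after system.conf and the later assignment wins, any existing drop-in that sets CtrlAltDelBurstAction overrides what the bash fix writes, and the fix reports success regardless. The bash path should write its own drop-in, as the MachineConfig does, or at least refuse to proceed when a conflicting value exists in system.conf.d.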
@@ -44741,20 +44727,34 @@ fi - low_disruption - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,CtrlAltDelBurstAction%3Dnone - mode: 0644 - path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^CtrlAltDelBurstAction=") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s=%s" "$stripped_key" "none" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf" +else + if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf" + fi + cce="CCE-80784-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf" + printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -44851,15 +44851,17 @@ can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. CCE-80785-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -systemctl disable --now ctrl-alt-del.target -systemctl mask --now ctrl-alt-del.target - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ctrl-alt-del.target + mask: true - name: Disable Ctrl-Alt-Del Reboot Activation systemd: @@ -44881,17 +44883,15 @@ fi - low_disruption - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ctrl-alt-del.target - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +systemctl disable --now ctrl-alt-del.target +systemctl mask --now ctrl-alt-del.target + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -45005,40 +45005,6 @@ It is also required to change the runtime configuration, run: or other services, weakening system security. CCE-80826-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -# Verify that Interactive Boot is Disabled in /etc/default/grub -CONFIRM_SPAWN_YES="systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)" -CONFIRM_SPAWN_NO="systemd.confirm_spawn=no" - -if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub -then - sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub -fi - -# make sure GRUB_DISABLE_RECOVERY=true -if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then - # modify the GRUB command-line if an GRUB_DISABLE_RECOVERY= arg already exists - sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' /etc/default/grub -else - # no GRUB_DISABLE_RECOVERY=arg is present, append it to file - echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -fi - - - -# Remove 'systemd.confirm_spawn' kernel argument also from runtime settings -/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" - - -#Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn -grub2-mkconfig -o /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
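Review bot: the CONFIRM_SPAWN_YES pattern in this block, 'systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)', also matches the already-remediated form: on 'systemd.confirm_spawn=no' the '=...' alternative fails but the '\b' alternative matches the bare key, so the substitution inserts '=no' in front of the existing value and a second run turns it into 'systemd.confirm_spawn=no=no' (values such as '=0', '=false' and '=off' get the same treatment on the first run). Anchor the key and require either an accepted value or end of word, or simply remove the argument from the GRUB_CMDLINE_LINUX line the way the grubby call already does for the running configuration. The sed is also applied to the whole of /etc/default/grub, since the preceding grep only tests that a GRUB_CMDLINE_LINUX line exists, and 'grub2-mkconfig -o /boot/grub2/grub.cfg' regenerates only the BIOS location, leaving the EFI grub.cfg under /boot/efi stale on UEFI installs.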
@@ -45133,6 +45099,40 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +# Verify that Interactive Boot is Disabled in /etc/default/grub +CONFIRM_SPAWN_YES="systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)" +CONFIRM_SPAWN_NO="systemd.confirm_spawn=no" + +if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub +then + sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub +fi + +# make sure GRUB_DISABLE_RECOVERY=true +if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then + # modify the GRUB command-line if an GRUB_DISABLE_RECOVERY= arg already exists + sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' /etc/default/grub +else + # no GRUB_DISABLE_RECOVERY=arg is present, append it to file + echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' +fi + + + +# Remove 'systemd.confirm_spawn' kernel argument also from runtime settings +/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" + + +#Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn +grub2-mkconfig -o /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -45253,32 +45253,6 @@ session enabled on the console or console port that has been let unattended. CCE-90784-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) || grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; }; then - -var_logind_session_timeout='' - - - -# Try find '[Login]' and 'StopIdleSessionSec' in '/etc/systemd/logind.conf', if it exists, set -# to '$var_logind_session_timeout', if it isn't here, add it, if '[Login]' doesn't exist, add it there -if grep -qzosP '[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec' '/etc/systemd/logind.conf'; then - - sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/" '/etc/systemd/logind.conf' -elif grep -qs '[[:space:]]*\[Login]' '/etc/systemd/logind.conf'; then - sed -i "/[[:space:]]*\[Login]/a StopIdleSessionSec=$var_logind_session_timeout" '/etc/systemd/logind.conf' -else - if test -d "/etc/systemd"; then - printf '%s\n' '[Login]' "StopIdleSessionSec=$var_logind_session_timeout" >> '/etc/systemd/logind.conf' - else - echo "Config file directory '/etc/systemd' doesnt exist, not remediating, assuming non-applicability." 
>&2 - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logind_session_timeout # promote to variable set_fact: var_logind_session_timeout: !!str 
@@ -45319,6 +45293,32 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) || grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; }; then + +var_logind_session_timeout='' + + + +# Try find '[Login]' and 'StopIdleSessionSec' in '/etc/systemd/logind.conf', if it exists, set +# to '$var_logind_session_timeout', if it isn't here, add it, if '[Login]' doesn't exist, add it there +if grep -qzosP '[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec' '/etc/systemd/logind.conf'; then + + sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/" '/etc/systemd/logind.conf' +elif grep -qs '[[:space:]]*\[Login]' '/etc/systemd/logind.conf'; then + sed -i "/[[:space:]]*\[Login]/a StopIdleSessionSec=$var_logind_session_timeout" '/etc/systemd/logind.conf' +else + if test -d "/etc/systemd"; then + printf '%s\n' '[Login]' "StopIdleSessionSec=$var_logind_session_timeout" >> '/etc/systemd/logind.conf' + else + echo "Config file directory '/etc/systemd' doesnt exist, not remediating, assuming non-applicability." >&2 + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
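Review bot: the replacement for an existing key in this block, sed 's/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=.../', uses a bracket expression that excludes the literal characters '(', '\', 'n' and ')' rather than a newline (sed already works line by line), so an existing value containing an 'n', for example 'StopIdleSessionSec=15min', is only partially consumed and the run leaves 'StopIdleSessionSec=<value>n' behind. Use 'StopIdleSessionSec.*' or 'StopIdleSessionSec=[^[:space:]]*' for the match. The applicability expression also chains '( ... ) || grep ol ... && { ... }', where the shell's left-to-right evaluation of || and && applies the trailing version test to both branches; it yields the intended result here only because both branches already require 8.7 or later, and bracing the Oracle Linux branch would make that explicit.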
@@ -45455,25 +45455,6 @@ in /usr/lib/systemd/system/emergency.service. CCE-82186-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -service_file="/usr/lib/systemd/system/emergency.service" - - -sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" - - -if grep "^ExecStart=.*" "$service_file" ; then - sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" -else - echo "ExecStart=-$sulogin" >> "$service_file" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Require emergency mode password lineinfile: create: true @@ -45495,6 +45476,25 @@ fi - no_reboot_needed - require_emergency_target_auth - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +service_file="/usr/lib/systemd/system/emergency.service" + + +sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" + + +if grep "^ExecStart=.*" "$service_file" ; then + sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" +else + echo "ExecStart=-$sulogin" >> "$service_file" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -45640,23 +45640,6 @@ in /usr/lib/systemd/system/rescue.service. CCE-80855-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -service_file="/usr/lib/systemd/system/rescue.service" - -sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" - -if grep "^ExecStart=.*" "$service_file" ; then - sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" -else - echo "ExecStart=-$sulogin" >> "$service_file" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Require single user mode password lineinfile: create: true 
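Review bot: both the emergency.service and rescue.service blocks in these hunks edit the vendor unit files under /usr/lib/systemd/system in place with 'sed -i', so the next systemd package update replaces those files and silently undoes the remediation. A drop-in under /etc/systemd/system/emergency.service.d/ and rescue.service.d/ with an empty 'ExecStart=' to clear the list followed by the new 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell ...' line survives upgrades and is the form systemd's configuration model expects. Minor: the 'grep "^ExecStart=.*" "$service_file"' test runs without -q, so the matched line is echoed into the remediation output.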
@@ -45678,6 +45661,23 @@ fi - no_reboot_needed - require_singleuser_auth - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +service_file="/usr/lib/systemd/system/rescue.service" + +sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" + +if grep "^ExecStart=.*" "$service_file" ; then + sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" +else + echo "ExecStart=-$sulogin" >> "$service_file" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -45764,21 +45764,13 @@ session lock. The tmux package allows for a session lock to be implemented and configured. CCE-80644-8 + +package --add=tmux + [[packages]] name = "tmux" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "tmux" ; then - yum install -y "tmux" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_tmux @@ -45805,8 +45797,16 @@ class install_tmux { - no_reboot_needed - package_tmux_installed - -package --add=tmux + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "tmux" ; then + yum install -y "tmux" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -45835,24 +45835,6 @@ immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. CCE-82266-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then - cat >> /etc/profile.d/tmux.sh <<'EOF' -if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in sshd|login) exec tmux ;; esac -fi -EOF - chmod 0644 /etc/profile.d/tmux.sh -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -45926,6 +45908,24 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then + cat >> /etc/profile.d/tmux.sh <<'EOF' +if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in sshd|login) exec tmux ;; esac +fi +EOF + chmod 0644 /etc/profile.d/tmux.sh +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
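Review bot: the idempotency guard in the CCE-82266-8 block, grep -x '...' /etc/bashrc, inspects /etc/bashrc, but the block itself writes to /etc/profile.d/tmux.sh with '>>', so every run appends another copy of the snippet to tmux.sh; the CCE-90782-4 variant in the following hunk pair greps '/etc/bashrc /etc/profile.d/*.sh' and should be the model. Both rules also append to the same /etc/profile.d/tmux.sh, one with 'exec tmux' and one with plain 'tmux', so a profile that selects both ends up with two snippets in one file; they should either target distinct files or share a single guarded block.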
@@ -45955,24 +45955,6 @@ immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. CCE-90782-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -if ! grep -x ' case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then - cat >> /etc/profile.d/tmux.sh <<'EOF' -if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) tmux ;; esac -fi -EOF - chmod 0644 /etc/profile.d/tmux.sh -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -46051,6 +46033,24 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +if ! grep -x ' case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then + cat >> /etc/profile.d/tmux.sh <<'EOF' +if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in (sshd|login) tmux ;; esac +fi +EOF + chmod 0644 /etc/profile.d/tmux.sh +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -46078,22 +46078,6 @@ or equal to 900 in /etc/tmux.conf. CCE-82199-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -tmux_conf="/etc/tmux.conf" - -if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then - sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf" -else - echo "set -g lock-after-time 900" >> "$tmux_conf" -fi -chmod 0644 "$tmux_conf" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -46150,6 +46134,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +tmux_conf="/etc/tmux.conf" + +if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then + sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf" +else + echo "set -g lock-after-time 900" >> "$tmux_conf" +fi +chmod 0644 "$tmux_conf" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46184,22 +46184,6 @@ However, the session lock is implemented by an external command. The default configuration does not contain an effective session lock. CCE-80940-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -tmux_conf="/etc/tmux.conf" - -if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then - sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf" -else - echo "set -g lock-command vlock" >> "$tmux_conf" -fi -chmod 0644 "$tmux_conf" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -46262,6 +46246,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +tmux_conf="/etc/tmux.conf" + +if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then + sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf" +else + echo "set -g lock-command vlock" >> "$tmux_conf" +fi +chmod 0644 "$tmux_conf" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46288,20 +46288,6 @@ However, the session lock is implemented by an external command. The default configuration does not contain an effective session lock. CCE-86135-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -tmux_conf="/etc/tmux.conf" - -if ! grep -qP '^\s*bind\s+\w\s+lock-session' "$tmux_conf" ; then - echo "bind X lock-session" >> "$tmux_conf" -fi -chmod 0644 "$tmux_conf" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -46379,6 +46365,20 @@ fi - low_disruption - low_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +tmux_conf="/etc/tmux.conf" + +if ! grep -qP '^\s*bind\s+\w\s+lock-session' "$tmux_conf" ; then + echo "bind X lock-session" >> "$tmux_conf" +fi +chmod 0644 "$tmux_conf" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -46407,17 +46407,6 @@ automatic session locking. It should not be listed in prevents malicious program running as user from lowering security by disabling the screen lock. CCE-82361-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if grep -q 'tmux\s*$' /etc/shells ; then - sed -i '/tmux\s*$/d' /etc/shells -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig @@ -46432,6 +46421,17 @@ spec: mode: 0644 path: /etc/shells overwrite: true + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if grep -q 'tmux\s*$' /etc/shells ; then + sed -i '/tmux\s*$/d' /etc/shells +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46523,21 +46523,13 @@ providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. CCE-80846-9 + +package --add=opensc + [[packages]] name = "opensc" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "opensc" ; then - yum install -y "opensc" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_opensc @@ -46563,8 +46555,16 @@ class install_opensc { - no_reboot_needed - package_opensc_installed - -package --add=opensc + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "opensc" ; then + yum install -y "opensc" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -46587,21 +46587,13 @@ $ sudo yum install pcsc-lite The pcsc-lite package must be installed if it is to be available for multifactor authentication using smartcards. CCE-80993-9 + +package --add=pcsc-lite + [[packages]] name = "pcsc-lite" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "pcsc-lite" ; then - yum install -y "pcsc-lite" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_pcsc-lite @@ -46626,8 +46618,16 @@ class install_pcsc-lite { - no_reboot_needed - package_pcsc-lite_installed - -package --add=pcsc-lite + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "pcsc-lite" ; then + yum install -y "pcsc-lite" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46668,21 +46668,13 @@ as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. CCE-84029-8 + +package --add=openssl-pkcs11 + [[packages]] name = "openssl-pkcs11" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then - -if ! rpm -q --quiet "openssl-pkcs11" ; then - yum install -y "openssl-pkcs11" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_openssl-pkcs11 @@ -46711,8 +46703,16 @@ class install_openssl-pkcs11 { - medium_severity - no_reboot_needed - -package --add=openssl-pkcs11 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then + +if ! rpm -q --quiet "openssl-pkcs11" ; then + yum install -y "openssl-pkcs11" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -46754,18 +46754,6 @@ Access Card. [customizations.services] enabled = ["pcscd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'pcscd.service' -"$SYSTEMCTL_EXEC" start 'pcscd.service' -"$SYSTEMCTL_EXEC" enable 'pcscd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_pcscd @@ -46814,6 +46802,18 @@ class enable_pcscd { - medium_severity - no_reboot_needed - service_pcscd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'pcscd.service' +"$SYSTEMCTL_EXEC" start 'pcscd.service' +"$SYSTEMCTL_EXEC" enable 'pcscd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46918,22 +46918,6 @@ that provided by a username and password combination. Smart cards leverage PKI Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards. CCE-80766-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smartcard_drivers='' - - -OPENSC_TOOL="/usr/bin/opensc-tool" - -if [ -f "${OPENSC_TOOL}" ]; then - ${OPENSC_TOOL} -S app:default:card_drivers:$var_smartcard_drivers -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smartcard_drivers # promote to variable set_fact: var_smartcard_drivers: !!str 
@@ -46996,6 +46980,22 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smartcard_drivers='' + + +OPENSC_TOOL="/usr/bin/opensc-tool" + +if [ -f "${OPENSC_TOOL}" ]; then + ${OPENSC_TOOL} -S app:default:card_drivers:$var_smartcard_drivers +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -47097,22 +47097,6 @@ that provided by a username and password combination. Smart cards leverage PKI Forcing the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards. CCE-80821-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smartcard_drivers='' - - -OPENSC_TOOL="/usr/bin/opensc-tool" - -if [ -f "${OPENSC_TOOL}" ]; then - ${OPENSC_TOOL} -S app:default:force_card_driver:$var_smartcard_drivers -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smartcard_drivers # promote to variable set_fact: var_smartcard_drivers: !!str @@ -47175,6 +47159,22 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smartcard_drivers='' + + +OPENSC_TOOL="/usr/bin/opensc-tool" + +if [ -f "${OPENSC_TOOL}" ]; then + ${OPENSC_TOOL} -S app:default:force_card_driver:$var_smartcard_drivers +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -47458,38 +47458,6 @@ Disabling inactive accounts ensures that accounts which may not have been respon Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. CCE-80954-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_account_disable_post_pw_expiration='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd" -else - if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd" - fi - cce="CCE-80954-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd" - printf '%s\n' "$formatted_output" >> "/etc/default/useradd" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -47538,6 +47506,38 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_account_disable_post_pw_expiration='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd" +else + if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd" + fi + cce="CCE-80954-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd" + printf '%s\n' "$formatted_output" >> "/etc/default/useradd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -47925,22 +47925,6 @@ increases the risk of users writing down the password in a convenient location subject to physical compromise. CCE-80647-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_maximum_age_login_defs='' - - -grep -q ^PASS_MAX_DAYS /etc/login.defs && \ - sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ]; then - echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -47989,6 +47973,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_maximum_age_login_defs='' + + +grep -q ^PASS_MAX_DAYS /etc/login.defs && \ + sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ]; then + echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -48078,22 +48078,6 @@ Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. CCE-80648-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_minimum_age_login_defs='' - - -grep -q ^PASS_MIN_DAYS /etc/login.defs && \ - sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ]; then - echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -48138,6 +48122,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_minimum_age_login_defs='' + + +grep -q ^PASS_MIN_DAYS /etc/login.defs && \ + sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ]; then + echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -48240,23 +48240,6 @@ must be carefully weighed against usability problems, support costs, or counterp behavior that may result. CCE-80652-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_password_minlen_login_defs='' - - -grep -q ^PASS_MIN_LEN /etc/login.defs && \ -sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ] -then - echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -48302,6 +48285,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_password_minlen_login_defs='' + + +grep -q ^PASS_MIN_LEN /etc/login.defs && \ +sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ] +then + echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -48331,16 +48331,6 @@ not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. CCE-82473-0 - -var_accounts_maximum_age_login_defs='' - - -while IFS= read -r i; do - - chage -M $var_accounts_maximum_age_login_defs $i - -done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow) - - name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable set_fact: var_accounts_maximum_age_login_defs: !!str @@ -48385,6 +48375,16 @@ done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+ - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_maximum_age_login_defs='' + + +while IFS= read -r i; do + + chage -M $var_accounts_maximum_age_login_defs $i + +done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow) @@ -48414,16 +48414,6 @@ users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. CCE-82472-2 - -var_accounts_minimum_age_login_defs='' - - -while IFS= read -r i; do - - chage -m $var_accounts_minimum_age_login_defs $i - -done < <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow) - - name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable set_fact: var_accounts_minimum_age_login_defs: !!str 
@@ -48464,6 +48454,16 @@ done < <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+ - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_minimum_age_login_defs='' + + +while IFS= read -r i; do + + chage -m $var_accounts_minimum_age_login_defs $i + +done < <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow) @@ -48491,14 +48491,6 @@ This profile requirement is CCE-86914-9 - -var_accounts_password_warn_age_login_defs='' - - -while IFS= read -r i; do - chage --warndays $var_accounts_password_warn_age_login_defs $i -done < <(awk -v var="$var_accounts_password_warn_age_login_defs" -F: '(($6 < var || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) - - name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable set_fact: var_accounts_password_warn_age_login_defs: !!str @@ -48544,6 +48536,14 @@ done < <(awk -v var="$var_accounts_password_warn_age_login_defs" -F: '(( - low_disruption - medium_severity - no_reboot_needed + + +var_accounts_password_warn_age_login_defs='' + + +while IFS= read -r i; do + chage --warndays $var_accounts_password_warn_age_login_defs $i +done < <(awk -v var="$var_accounts_password_warn_age_login_defs" -F: '(($6 < var || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) @@ -48644,23 +48644,6 @@ The profile requirement is CCE-80671-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_password_warn_age_login_defs='' - - -grep -q ^PASS_WARN_AGE /etc/login.defs && \ -sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ] -then - echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -48706,6 +48689,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_password_warn_age_login_defs='' + + +grep -q ^PASS_WARN_AGE /etc/login.defs && \ +sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ] +then + echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -48798,14 +48798,6 @@ to be automatically disabled by running the following command: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies. CCE-86758-0 - -var_account_disable_post_pw_expiration='' - - -while IFS= read -r i; do - chage --inactive $var_account_disable_post_pw_expiration $i -done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) - - name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable set_fact: var_account_disable_post_pw_expiration: !!str @@ -48852,6 +48844,14 @@ done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 - medium_severity - no_reboot_needed - restrict_strategy + + +var_account_disable_post_pw_expiration='' + + +while IFS= read -r i; do + chage --inactive $var_account_disable_post_pw_expiration $i +done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) 
@@ -49026,73 +49026,6 @@ but requires more CPU resources to authenticate users. Using a higher number of rounds makes password cracking attacks more difficult. CCE-83403-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_unix_rounds='' - - - -if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -49384,6 +49317,73 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_unix_rounds='' + + + +if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" + else + sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/password-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -49410,72 +49410,6 @@ but requires more CPU resources to authenticate users. Using a higher number of rounds makes password cracking attacks more difficult. CCE-83386-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_unix_rounds='' - - -if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/system-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -49767,6 +49701,72 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_unix_rounds='' + + +if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" + else + sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/system-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -49987,43 +49987,25 @@ run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. CCE-80841-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature without-nullok - -authselect apply-changes -b -else - -if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then - sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" -fi - -if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then - sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" -fi - -if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then - sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" -fi - -if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then - sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" -fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + 
ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20p
am_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20o
ptional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A + mode: 0644 + path: /etc/pam.d/password-auth + overwrite: true + - contents: + source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam
_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20require
d%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A + mode: 0644 + path: /etc/pam.d/system-auth + overwrite: true - name: Prevent Login to Accounts With Empty Password - Check if system relies on authselect 
@@ -50153,25 +50135,43 @@ fi - no_empty_passwords - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
0%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20
%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A - mode: 0644 - path: /etc/pam.d/password-auth - overwrite: true - - contents: - source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
0%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20d
efault%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A - mode: 0644 - path: /etc/pam.d/system-auth - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
+exit 1 +fi +authselect enable-feature without-nullok + +authselect apply-changes -b +else + +if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then + sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" +fi + +if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then + sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" +fi + +if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then + sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" +fi + +if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then + sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" +fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -50206,20 +50206,6 @@ run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. CCE-85953-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) - -for user_with_empty_pass in "${users_with_empty_pass[@]}" -do - passwd -l $user_with_empty_pass -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Collect users with no password command: | awk -F: '!$2 {print $1}' /etc/shadow 
@@ -50257,6 +50243,20 @@ fi - no_empty_passwords_etc_shadow - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) + +for user_with_empty_pass in "${users_with_empty_pass[@]}" +do + passwd -l $user_with_empty_pass +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -50289,13 +50289,6 @@ entries from a network information service (NIS) should be directly inserted. CCE-83389-7 - -if grep -q '^\+' /etc/group; then -# backup old file to /etc/group- - cp /etc/group /etc/group- - sed -i '/^\+.*$/d' /etc/group -fi - - name: Ensure there are no legacy + NIS entries in /etc/group - Backup the Old /etc/group File ansible.builtin.copy: @@ -50325,6 +50318,13 @@ fi - no_legacy_plus_entries_etc_group - no_reboot_needed - restrict_strategy + + +if grep -q '^\+' /etc/group; then +# backup old file to /etc/group- + cp /etc/group /etc/group- + sed -i '/^\+.*$/d' /etc/group +fi @@ -50341,13 +50341,6 @@ entries from a network information service (NIS) should be directly inserted. CCE-82890-5 - -if grep -q '^\+' /etc/passwd; then -# backup old file to /etc/passwd- - cp /etc/passwd /etc/passwd- - sed -i '/^\+.*$/d' /etc/passwd -fi - - name: Ensure there are no legacy + NIS entries in /etc/passwd - Backup the Old /etc/passwd File ansible.builtin.copy: @@ -50377,6 +50370,13 @@ fi - no_legacy_plus_entries_etc_passwd - no_reboot_needed - restrict_strategy + + +if grep -q '^\+' /etc/passwd; then +# backup old file to /etc/passwd- + cp /etc/passwd /etc/passwd- + sed -i '/^\+.*$/d' /etc/passwd +fi 
@@ -50393,13 +50393,6 @@ entries from a network information service (NIS) should be directly inserted. CCE-84290-6 - -if grep -q '^\+' /etc/shadow; then -# backup old file to /etc/shadow- - cp /etc/shadow /etc/shadow- - sed -i '/^\+.*$/d' /etc/shadow -fi - - name: Ensure there are no legacy + NIS entries in /etc/shadow - Backup the Old /etc/shadow File ansible.builtin.copy: @@ -50429,6 +50422,13 @@ fi - no_legacy_plus_entries_etc_shadow - no_reboot_needed - restrict_strategy + + +if grep -q '^\+' /etc/shadow; then +# backup old file to /etc/shadow- + cp /etc/shadow /etc/shadow- + sed -i '/^\+.*$/d' /etc/shadow +fi @@ -50702,8 +50702,6 @@ guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. CCE-80649-7 - awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l - - name: Get all /etc/passwd file entries getent: database: passwd @@ -50746,6 +50744,8 @@ access to root privileges in an accountable manner. - low_disruption - no_reboot_needed - restrict_strategy + + awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l @@ -50786,23 +50786,6 @@ It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice. CCE-86071-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_pam_wheel_group_for_su='' - - -if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then - groupadd ${var_pam_wheel_group_for_su} -fi - -# group must be empty -gpasswd -M '' ${var_pam_wheel_group_for_su} - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -50854,6 +50837,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_pam_wheel_group_for_su='' + + +if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then + groupadd ${var_pam_wheel_group_for_su} +fi + +# group must be empty +gpasswd -M '' ${var_pam_wheel_group_for_su} + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -50963,14 +50963,20 @@ to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. CCE-80840-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -echo > /etc/securetty - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:, + mode: 0600 + path: /etc/securetty + overwrite: true - name: Direct root Logins Not Allowed copy: @@ -50991,20 +50997,14 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:, - mode: 0600 - path: /etc/securetty - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +echo > /etc/securetty + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51038,15 +51038,6 @@ and nfsnobody has an unlocked password, disable it with t Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system. CCE-86112-0 - -readarray -t systemaccounts < <(awk -F: \ - '($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \ - && $3 != nfsnobody) { print $1 }' /etc/passwd) - -for systemaccount in "${systemaccounts[@]}"; do - usermod -L "$systemaccount" -done - - name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd ansible.builtin.getent: database: passwd @@ -51098,6 +51089,15 @@ done - no_password_auth_for_systemaccounts - no_reboot_needed - restrict_strategy + + +readarray -t systemaccounts < <(awk -F: \ + '($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \ + && $3 != nfsnobody) { print $1 }' /etc/passwd) + +for systemaccount in "${systemaccounts[@]}"; do + usermod -L "$systemaccount" +done @@ -51196,15 +51196,6 @@ system to become inaccessible. Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. CCE-80843-6 - -readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != root \ - && $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \ - { print $1 }' /etc/passwd) - -for systemaccount in "${systemaccounts[@]}"; do - usermod -s /sbin/nologin "$systemaccount" -done - - name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local Users From /etc/passwd ansible.builtin.getent: @@ -51265,6 +51256,15 @@ done - no_reboot_needed - no_shelllogin_for_systemaccounts - restrict_strategy + + +readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != root \ + && $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \ + { print $1 }' /etc/passwd) + +for systemaccount in "${systemaccounts[@]}"; do + usermod -s /sbin/nologin "$systemaccount" +done 
@@ -51348,8 +51348,6 @@ ttyS1 helps ensure accountability for actions taken on the systems using the root account. CCE-80856-8 - sed -i '/ttyS/d' /etc/securetty - - name: Restrict Serial Port Root Logins lineinfile: dest: /etc/securetty @@ -51367,6 +51365,8 @@ using the root account. - no_reboot_needed - restrict_serial_port_logins - restrict_strategy + + sed -i '/ttyS/d' /etc/securetty @@ -51479,8 +51479,6 @@ vc/4 helps ensure accountability for actions taken on the system using the root account. CCE-80864-2 - sed -i '/^vc\//d' /etc/securetty - - name: Restrict Virtual Console Root Logins lineinfile: dest: /etc/securetty @@ -51499,6 +51497,8 @@ using the root account. - no_reboot_needed - restrict_strategy - securetty_root_login_console_only + + sed -i '/^vc\//d' /etc/securetty @@ -51524,16 +51524,6 @@ group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice. CCE-83318-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -# uncomment the option if commented - sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -51560,6 +51550,16 @@ fi - no_reboot_needed - restrict_strategy - use_pam_wheel_for_su + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +# uncomment the option if commented + sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51583,29 +51583,6 @@ It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice. CCE-86064-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_pam_wheel_group_for_su='' - - -PAM_CONF=/etc/pam.d/su - -pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) -if [ -z "$pamstr" ]; then - sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line - sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} -else - group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) - if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then - sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -51642,6 +51619,29 @@ fi - no_reboot_needed - restrict_strategy - use_pam_wheel_group_for_su + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_pam_wheel_group_for_su='' + + +PAM_CONF=/etc/pam.d/su + +pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) +if [ -z "$pamstr" ]; then + sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line + sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} +else + group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) + if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then + sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51721,37 +51721,6 @@ parameter in /etc/login.defs to yes CCE-83789-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -if [ -e "/etc/login.defs" ] ; then - - LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs" -else - touch "/etc/login.defs" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/login.defs" - -cp "/etc/login.defs" "/etc/login.defs.bak" -# Insert before the line matching the regex '^\s*CREATE_HOME'. -line_number="$(LC_ALL=C grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^\s*CREATE_HOME', insert at - # the end of the file. - printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" -else - head -n "$(( line_number - 1 ))" "/etc/login.defs.bak" > "/etc/login.defs" - printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" - tail -n "+$(( line_number ))" "/etc/login.defs.bak" >> "/etc/login.defs" -fi -# Clean up after ourselves. -rm "/etc/login.defs.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -51803,6 +51772,37 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +if [ -e "/etc/login.defs" ] ; then + + LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs" +else + touch "/etc/login.defs" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/login.defs" + +cp "/etc/login.defs" "/etc/login.defs.bak" +# Insert before the line matching the regex '^\s*CREATE_HOME'. +line_number="$(LC_ALL=C grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^\s*CREATE_HOME', insert at + # the end of the file. + printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" +else + head -n "$(( line_number - 1 ))" "/etc/login.defs.bak" > "/etc/login.defs" + printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" + tail -n "+$(( line_number ))" "/etc/login.defs.bak" >> "/etc/login.defs" +fi +# Clean up after ourselves. +rm "/etc/login.defs.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51843,38 +51843,6 @@ add or correct the FAIL_DELAY setting in /etc/ enter credentials helps to slow a single-threaded brute force attack. CCE-84037-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_fail_delay='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^FAIL_DELAY") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_fail_delay" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" -else - if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" - fi - cce="CCE-84037-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" - printf '%s\n' "$formatted_output" >> "/etc/login.defs" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -51913,6 +51881,38 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_fail_delay='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^FAIL_DELAY") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_fail_delay" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" +else + if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" + fi + cce="CCE-84037-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" + printf '%s\n' "$formatted_output" >> "/etc/login.defs" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51959,24 +51959,6 @@ problems caused by excessive logins. Automated login processes operating imprope maliciously may result in an exceptional number of simultaneous login sessions. CCE-80955-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_max_concurrent_login_sessions='' - - -if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then - sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf -elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then - sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf -else - echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -52065,6 +52047,24 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_accounts_max_concurrent_login_sessions='' + + +if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then + sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf +elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then + sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf +else + echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52087,27 +52087,6 @@ which reduces chances of attacks that are made possible by /tmp directories being world-writable. CCE-83732-8 - # Remediation is applicable only in certain platforms -if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then - -#!/bin/bash - -# shellcheck disable=SC2174 -mkdir -p --mode 000 /tmp/tmp-inst -chmod 000 /tmp/tmp-inst -chcon --reference=/tmp /tmp/tmp-inst - -if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then - if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then - sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf - fi - echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Create /tmp/tmp-inst directory file: path: /tmp/tmp-inst @@ -52142,6 +52121,27 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then + +#!/bin/bash + +# shellcheck disable=SC2174 +mkdir -p --mode 000 /tmp/tmp-inst +chmod 000 /tmp/tmp-inst +chcon --reference=/tmp /tmp/tmp-inst + +if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then + if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then + sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf + fi + echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52163,27 +52163,6 @@ which reduces chances of attacks that are made possible by /var/tmp directories being world-writable. CCE-83778-1 - # Remediation is applicable only in certain platforms -if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then - -#!/bin/bash - -# shellcheck disable=SC2174 -mkdir -p --mode 000 /var/tmp/tmp-inst -chmod 000 /var/tmp/tmp-inst -chcon --reference=/var/tmp /var/tmp/tmp-inst - -if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then - if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then - sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf - fi - echo "/var/tmp /var/tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Create /var/tmp/tmp-inst directory file: path: /var/tmp/tmp-inst @@ -52218,6 +52197,27 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then + +#!/bin/bash + +# shellcheck disable=SC2174 +mkdir -p --mode 000 /var/tmp/tmp-inst +chmod 000 /var/tmp/tmp-inst +chcon --reference=/var/tmp /var/tmp/tmp-inst + +if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then + if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then + sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf + fi + echo "/var/tmp /var/tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52292,35 +52292,6 @@ management session enabled on the console or console port that has been left unattended. CCE-80673-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_accounts_tmout='' - - -# if 0, no occurence of tmout found, if 1, occurence found -tmout_found=0 - - -for f in /etc/profile /etc/profile.d/*.sh; do - - if grep --silent '^[^#].*TMOUT' $f; then - sed -i -E "s/^(.*)TMOUT\s*=\s*(\w|\$)*(.*)$/declare -xr TMOUT=$var_accounts_tmout\3/g" $f - tmout_found=1 - fi -done - -if [ $tmout_found -eq 0 ]; then - echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh - echo "declare -xr TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh - echo "readonly TMOUT" >> /etc/profile.d/tmout.sh - echo "export TMOUT" >> /etc/profile.d/tmout.sh -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_accounts_tmout # promote to variable set_fact: var_accounts_tmout: !!str @@ -52371,6 +52342,35 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_accounts_tmout='' + + +# if 0, no occurence of tmout found, if 1, occurence found +tmout_found=0 + + +for f in /etc/profile /etc/profile.d/*.sh; do + + if grep --silent '^[^#].*TMOUT' $f; then + sed -i -E "s/^(.*)TMOUT\s*=\s*(\w|\$)*(.*)$/declare -xr TMOUT=$var_accounts_tmout\3/g" $f + tmout_found=1 + fi +done + +if [ $tmout_found -eq 0 ]; then + echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh + echo "declare -xr TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh + echo "readonly TMOUT" >> /etc/profile.d/tmout.sh + echo "export TMOUT" >> /etc/profile.d/tmout.sh +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52397,9 +52397,6 @@ of their respective initialization files. Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6"/.[^\.]?*") }' /etc/passwd - - name: Ensure interactive local users are the group-owners of their respective initialization files ansible.builtin.command: @@ -52412,6 +52409,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6"/.[^\.]?*") }' /etc/passwd @@ -52473,9 +52473,6 @@ their respective initialization files. Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd - - name: Ensure interactive local users are the owners of their respective initialization files ansible.builtin.command: @@ -52488,6 +52485,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd 
@@ -52535,14 +52535,6 @@ Therefore, this rule will report a finding for home directories like If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. CCE-84036-3 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - # This follows the same logic of evaluation of home directories as used in OVAL. - if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then - sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd; - fi -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52589,6 +52581,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + # This follows the same logic of evaluation of home directories as used in OVAL. + if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then + sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd; + fi +done @@ -52614,11 +52614,6 @@ upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. CCE-83424-2 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do - mkhomedir_helper $user 0077; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52663,6 +52658,11 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do + mkhomedir_helper $user 0077; +done 
@@ -52690,16 +52690,6 @@ of folders or files in their respective home directories. If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. CCE-86534-5 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - home_dir=$(getent passwd $user | cut -d: -f6) - group=$(getent passwd $user | cut -d: -f4) - # Only update the group-ownership when necessary. This will avoid changing the inode timestamp - # when the group is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find $home_dir -not -group $group -exec chgrp -f $group {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52762,6 +52752,16 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd $user | cut -d: -f6) + group=$(getent passwd $user | cut -d: -f4) + # Only update the group-ownership when necessary. This will avoid changing the inode timestamp + # when the group is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find $home_dir -not -group $group -exec chgrp -f $group {} \; +done 
@@ -52789,15 +52789,6 @@ folders or files in their respective home directories. If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise. - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - home_dir=$(getent passwd $user | cut -d: -f6) - # Only update the ownership when necessary. This will avoid changing the inode timestamp - # when the owner is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find $home_dir -not -user $user -exec chown -f $user {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52852,6 +52843,15 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd $user | cut -d: -f6) + # Only update the ownership when necessary. This will avoid changing the inode timestamp + # when the owner is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find $home_dir -not -user $user -exec chown -f $user {} \; +done 
@@ -52873,14 +52873,6 @@ Files that begin with a "." are excluded from this requirement.If a local interactive user files have excessive permissions, unintended users may be able to access or modify them. CCE-85888-6 - -for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do - # Only update the permissions when necessary. This will avoid changing the inode timestamp when - # the permission is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52944,6 +52936,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do + # Only update the permissions when necessary. This will avoid changing the inode timestamp when + # the permission is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; +done @@ -52964,12 +52964,6 @@ to an interactive user is not group or world accessible Note: While the complete removal of .netrc files is recommended, if any are required on the system, secure permissions must be applied. CCE-87369-5 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - home_dir=$(getent passwd "$user" | cut -d: -f6) - find "${home_dir}/.netrc" -exec chmod 0600 {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd 
@@ -53028,6 +53022,12 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd "$user" | cut -d: -f6) + find "${home_dir}/.netrc" -exec chmod 0600 {} \; +done @@ -53059,9 +53059,6 @@ not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. CCE-83434-1 - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -53124,6 +53121,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd @@ -53152,9 +53152,6 @@ their respective home directories. users could access or modify the user's files, and the users may not be able to access their own files. CCE-86131-0 - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -53212,6 +53209,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd 
@@ -53233,28 +53233,6 @@ following command: upon logon. Malicious modification of these files could compromise accounts upon logon. CCE-84043-9 - -var_user_initialization_files_regex='' - - -readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd) -readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd) -readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd) - -USERS_IGNORED_REGEX='nobody|nfsnobody' - -for (( i=0; i<"${#interactive_users[@]}"; i++ )); do - if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \ - [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then - - readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \ - -exec basename {} \; | grep -P "$var_user_initialization_files_regex") - for file in "${init_files[@]}"; do - chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file" - done - fi -done - - name: XCCDF Value var_user_initialization_files_regex # promote to variable set_fact: var_user_initialization_files_regex: !!str @@ -53314,6 +53292,28 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +var_user_initialization_files_regex='' + + +readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd) +readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd) +readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd) + +USERS_IGNORED_REGEX='nobody|nfsnobody' + +for (( i=0; i<"${#interactive_users[@]}"; i++ )); do + if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \ + [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then + + readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \ + -exec basename {} \; | grep -P "$var_user_initialization_files_regex") + for file in "${init_files[@]}"; do + chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file" + done + fi +done 
@@ -53337,14 +53337,6 @@ following command: Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. CCE-84038-9 - -for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do - # Only update the permissions when necessary. This will avoid changing the inode timestamp when - # the permission is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -53408,6 +53400,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do + # Only update the permissions when necessary. This will avoid changing the inode timestamp when + # the permission is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; +done @@ -53493,14 +53493,6 @@ to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs. CCE-84274-0 - -for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do - # Only update the permissions when necessary. This will avoid changing the inode timestamp when - # the permission is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd 
@@ -53572,6 +53564,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do + # Only update the permissions when necessary. This will avoid changing the inode timestamp when + # the permission is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; +done @@ -53783,26 +53783,6 @@ A misconfigured umask value could result in files with excessive permissions tha written to by unauthorized users. CCE-81036-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q bash; then - -var_accounts_user_umask='' - - - - - - -grep -q "^\s*umask" /etc/bashrc && \ - sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bashrc -if ! [ $? -eq 0 ]; then - echo "umask $var_accounts_user_umask" >> /etc/bashrc -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -53883,6 +53863,26 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q bash; then + +var_accounts_user_umask='' + + + + + + +grep -q "^\s*umask" /etc/bashrc && \ + sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bashrc +if ! [ $? -eq 0 ]; then + echo "umask $var_accounts_user_umask" >> /etc/bashrc +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -53928,16 +53928,6 @@ add or correct the umask setting in /etc/csh.c A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. CCE-81037-4 - -var_accounts_user_umask='' - - -grep -q "^\s*umask" /etc/csh.cshrc && \ - sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc -if ! [ $? -eq 0 ]; then - echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc -fi - - name: XCCDF Value var_accounts_user_umask # promote to variable set_fact: var_accounts_user_umask: !!str @@ -53999,6 +53989,16 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_user_umask='' + + +grep -q "^\s*umask" /etc/csh.cshrc && \ + sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc +if ! [ $? -eq 0 ]; then + echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc +fi 
@@ -54062,38 +54062,6 @@ A misconfigured umask value could result in files with excessive permissions tha written to by unauthorized users. CCE-82888-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_user_umask='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" -else - if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" - fi - cce="CCE-82888-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" - printf '%s\n' "$formatted_output" >> "/etc/login.defs" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -54174,6 +54142,38 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_user_umask='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" +else + if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" + fi + cce="CCE-82888-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" + printf '%s\n' "$formatted_output" >> "/etc/login.defs" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -54225,20 +54225,6 @@ considered during the check and properly remediated, if necessary. CCE-81035-8 - -var_accounts_user_umask='' - - -readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local') - -for file in "${profile_files[@]}" /etc/profile; do - grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file" -done - -if ! grep -qrE '^[^#]*umask' /etc/profile*; then - echo "umask $var_accounts_user_umask" >> /etc/profile -fi - - name: XCCDF Value var_accounts_user_umask # promote to variable set_fact: var_accounts_user_umask: !!str @@ -54326,6 +54312,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_user_umask='' + + +readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local') + +for file in "${profile_files[@]}" /etc/profile; do + grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file" +done + +if ! grep -qrE '^[^#]*umask' /etc/profile*; then + echo "umask $var_accounts_user_umask" >> /etc/profile +fi @@ -54351,15 +54351,6 @@ access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. CCE-84044-7 - -while IFS= read -r dir; do - while IFS= read -r -d '' file; do - if [ "$(basename $file)" != ".bash_history" ]; then - sed -i 's/^\(\s*umask\s*\)/#\1/g' "$file" - fi - done < <(find $dir -maxdepth 1 -type f -name ".*" -print0) -done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd) - - name: Ensure interactive local users are the owners of their respective initialization files ansible.builtin.shell: 
@@ -54380,6 +54371,15 @@ done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 - medium_severity - no_reboot_needed - restrict_strategy + + +while IFS= read -r dir; do + while IFS= read -r -d '' file; do + if [ "$(basename $file)" != ".bash_history" ]; then + sed -i 's/^\(\s*umask\s*\)/#\1/g' "$file" + fi + done < <(find $dir -maxdepth 1 -type f -name ".*" -print0) +done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd) @@ -54483,21 +54483,13 @@ $ sudo yum install audispd-plugins audit subsystem, audispd. These plugins can do things like relay events to remote machines or analyze events for suspicious behavior. CCE-82953-1 + +package --add=audispd-plugins + [[packages]] name = "audispd-plugins" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "audispd-plugins" ; then - yum install -y "audispd-plugins" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_audispd-plugins @@ -54522,8 +54514,16 @@ class install_audispd-plugins { - no_reboot_needed - package_audispd-plugins_installed - -package --add=audispd-plugins + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "audispd-plugins" ; then + yum install -y "audispd-plugins" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -54602,21 +54602,13 @@ package --add=audispd-plugins SV-230411r744000_rule The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. CCE-81043-2 + +package --add=audit + [[packages]] name = "audit" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "audit" ; then - yum install -y "audit" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_audit @@ -54650,8 +54642,16 @@ class install_audit { - no_reboot_needed - package_audit_installed - -package --add=audit + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "audit" ; then + yum install -y "audit" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -54867,17 +54867,17 @@ can be held accountable for their actions. [customizations.services] enabled = ["auditd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q audit; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'auditd.service' -"$SYSTEMCTL_EXEC" start 'auditd.service' -"$SYSTEMCTL_EXEC" enable 'auditd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: auditd.service + enabled: true include enable_auditd 
@@ -54959,17 +54959,17 @@ class enable_auditd { - no_reboot_needed - service_auditd_enabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: auditd.service - enabled: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q audit; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'auditd.service' +"$SYSTEMCTL_EXEC" start 'auditd.service' +"$SYSTEMCTL_EXEC" enable 'auditd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -55121,15 +55121,6 @@ ensures it is set for every process during boot. CCE-80825-3 [customizations.kernel] append = "audit=1" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -55176,6 +55167,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -55224,15 +55224,6 @@ defined by audit failure flag is taken. CCE-80943-4 [customizations.kernel] append = "audit_backlog_limit=8192" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -55265,6 +55256,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -55356,6 +55356,323 @@ to the same event is more efficient. See the following example: Auditing these events could serve as evidence of potential system compromise. CCE-80927-7 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit open tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for open for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( 
{item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules + set_fact: audit_file="/etc/audit/rules.d/modify.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - 
name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - 
reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for open for 64bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules + set_fact: audit_file="/etc/audit/rules.d/modify.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | 
difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present 
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) + - audit_arch == "b64" + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
@@ -55683,60 +56000,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + The audit system should collect write events to /etc/group file for all group and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80929-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -55781,7 +56140,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -55791,7 +56150,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -55801,14 +56160,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -55827,7 +56186,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -55837,7 +56196,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -55846,35 +56205,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -55919,7 +56277,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -55929,7 +56287,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -55939,14 +56297,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -55965,7 +56323,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -55975,7 +56333,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -55984,65 +56342,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group - The audit system should collect write events to /etc/group file for all group and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80929-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -56370,24 +56684,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/group + The audit system should collect write events to /etc/group file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80928-5 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -56396,29 +56753,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -56487,10 +56844,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -56533,29 +56890,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -56624,10 +56981,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -56671,62 +57028,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/group - The audit system should collect write events to /etc/group file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80928-5 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -57054,59 +57368,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ + CCE-80959-0 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit openat tasks +- name: Set architecture for audit open tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 32bit platform +- name: Perform remediation of Audit rules for open for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
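Review bot: in the `when:` of "Set architecture for audit open tasks" the new guard `not ( ansible_architecture == "aarch64" )` sits directly above a list that still includes `ansible_architecture == "aarch64"`. The result is correct (the guard wins, and `open` is not a syscall on aarch64, which only provides `openat`), but the contradiction invites a future "cleanup" that drops the guard; emit the 64-bit list without aarch64 for the `open` rules. Also, the rationale "Creation of users through direct edition of /etc/gshadow" is wrong for this file: /etc/gshadow holds group passwords and group administrators, so it should read "Creation or modification of groups through direct editing of /etc/gshadow", matching the "Creation of groups" wording used for /etc/group.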
@@ -57151,7 +57510,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57161,7 +57520,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57171,14 +57530,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -57197,7 +57556,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
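Review bot: the `line:` written when no matching rule exists ends in `-F key=modify` for /etc/gshadow, while the rule description just above documents `-F key=user-modify` for the same rule. The check regex `(-k\s+|-F\s+key=)\S+\s*$` accepts any key, so the scan passes either way, but an analyst filtering audit logs by the documented key (`ausearch -k user-modify`) will miss the events this remediation produces. Pick one key per rule: either change the description to `key=modify` or have the template emit the documented key.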
@@ -57207,7 +57566,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57216,34 +57575,35 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 64bit platform +- name: Perform remediation of Audit rules for open for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -57288,7 +57648,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57298,7 +57658,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57308,14 +57668,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -57334,7 +57694,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -57344,7 +57704,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -57353,65 +57713,22 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open syscall - /etc/gshadow - The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - - CCE-80959-0 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
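Review bot: the shell applicability test `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }` decides the architecture by grepping the kernel release string, which is only a proxy for what the Ansible side checks with `ansible_architecture`; a rebuilt kernel whose release string lacks the arch suffix would get an `open` rule that auditctl cannot resolve on aarch64. `uname -m` is the direct check; align the bash and Ansible fixes on it so both agree on when the `open` rules apply.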
@@ -57739,60 +58056,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80960-8 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -57837,7 +58196,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57847,7 +58206,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57857,14 +58216,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -57883,7 +58242,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -57893,7 +58252,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57902,35 +58261,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -57975,7 +58333,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57985,7 +58343,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57995,14 +58353,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -58021,7 +58379,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -58031,7 +58389,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -58040,65 +58398,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow - The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80960-8 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -58426,24 +58740,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80961-6 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -58452,29 +58809,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -58543,10 +58900,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -58589,29 +58946,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -58680,10 +59037,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -58727,62 +59084,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/gshadow - The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80961-6 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -59110,59 +59424,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ + CCE-80930-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit openat tasks +- name: Set architecture for audit open tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 32bit platform +- name: Perform remediation of Audit rules for open for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -59207,7 +59566,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -59217,7 +59576,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59227,14 +59586,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -59253,7 +59612,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -59263,7 +59622,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59272,34 +59631,35 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 64bit platform +- name: Perform remediation of Audit rules for open for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -59344,7 +59704,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -59354,7 +59714,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59364,14 +59724,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -59390,7 +59750,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -59400,7 +59760,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -59409,65 +59769,22 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open syscall - /etc/passwd - The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - - CCE-80930-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
@@ -59795,60 +60112,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80932-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -59893,7 +60252,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -59903,7 +60262,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59913,14 +60272,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -59939,7 +60298,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -59949,7 +60308,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59958,35 +60317,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -60031,7 +60389,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -60041,7 +60399,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -60051,14 +60409,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -60077,7 +60435,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -60087,7 +60445,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -60096,65 +60454,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd - The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80932-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -60482,24 +60796,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80931-9 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -60508,29 +60865,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -60599,10 +60956,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -60645,29 +61002,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -60736,10 +61093,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -60783,62 +61140,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/passwd - The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80931-9 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -61166,59 +61480,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ + CCE-80956-6 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit openat tasks +- name: Set architecture for audit open tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 32bit platform +- name: Perform remediation of Audit rules for open for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -61263,7 +61622,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -61273,7 +61632,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61283,14 +61642,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -61309,7 +61668,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -61319,7 +61678,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61328,34 +61687,35 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 64bit platform +- name: Perform remediation of Audit rules for open for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -61400,7 +61760,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -61410,7 +61770,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61420,14 +61780,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -61446,7 +61806,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -61456,7 +61816,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -61465,65 +61825,22 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open syscall - /etc/shadow - The audit system should collect write events to /etc/shadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - - CCE-80956-6 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
@@ -61851,60 +62168,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80957-4 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -61949,7 +62308,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -61959,7 +62318,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61969,14 +62328,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -61995,7 +62354,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -62005,7 +62364,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -62014,35 +62373,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -62087,7 +62445,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -62097,7 +62455,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -62107,14 +62465,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -62133,7 +62491,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -62143,7 +62501,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -62152,65 +62510,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow - The audit system should collect write events to /etc/shadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80957-4 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -62538,24 +62852,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80958-2 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -62564,29 +62921,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -62655,10 +63012,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -62701,29 +63058,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -62792,10 +63149,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -62839,62 +63196,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/shadow - The audit system should collect write events to /etc/shadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80958-2 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -63221,320 +63535,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit openat tasks - set_fact: - audit_arch: b64 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Perform remediation of Audit rules for openat for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: Check existence of openat in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ 
find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules - set_fact: audit_file="/etc/audit/rules.d/modify.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: 
Check existence of openat in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Perform remediation of Audit rules for openat for 64bit platform - block: - - - name: Declare 
list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: Check existence of openat in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules - set_fact: audit_file="/etc/audit/rules.d/modify.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F 
arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: Check existence of openat in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ 
audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy 
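Review bot: the counterpart of this deletion is not in the hunk: 320 lines of the Ansible remediation for CCE-80958-2 (audit_rules_etc_shadow_openat) are removed and only 6 added, whereas every other hunk in this patch is a reorder with a matching addition (CCE-80708-1, CCE-90783-2, CCE-86342-3), so confirm the playbook is re-added elsewhere and, more generally, emit the `<fix>` elements in a stable order so an automated publish does not churn ~130k lines per run. Two details in the removed playbook to keep in mind when it comes back: `Add the audit rule to {{ audit_file }}` creates the file with `mode: o-rwx`, which only clears the world bits and leaves owner/group to the umask, while the bash remediations in this patch use `chmod 0640`; and `Perform remediation of Audit rules for openat for 64bit platform` is gated on `audit_arch == "b64"`, a fact that `Set architecture for audit openat tasks` only defines for the five listed architectures, so on any other architecture that condition errors on an undefined variable instead of skipping.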
@@ -63688,35 +63688,20 @@ well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. CCE-80708-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Traverse all of: -# -# /etc/audit/audit.rules, (for auditctl case) -# /etc/audit/rules.d/*.rules (for augenrules case) -# -# files to check if '-e .*' setting is present in that '*.rules' file already. -# If found, delete such occurrence since auditctl(8) manual page instructs the -# '-e 2' rule should be placed as the last rule in the configuration -find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' - -# Append '-e 2' requirement at the end of both: -# * /etc/audit/audit.rules file (for auditctl case) -# * /etc/audit/rules.d/immutable.rules (for augenrules case) - -for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" -do - echo '' >> $AUDIT_FILE - echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE - echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE - echo '-e 2' >> $AUDIT_FILE - chmod o-rwx $AUDIT_FILE -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-e%202%0A + mode: 0600 + path: /etc/audit/rules.d/90-immutable.rules + overwrite: true - name: Gather the package facts package_facts: 
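Review bot: the MachineConfig that replaces the bash remediation here drops two guarantees the bash version documents. It writes `-e 2` into `/etc/audit/rules.d/90-immutable.rules` and relies on lexical ordering of rules.d to make it the last rule (the removed script's comment says `'-e 2' rule should be placed as the last rule in the configuration`), but nothing stops a `95-*.rules` or `99-*.rules` file from sorting after it, and there is no equivalent of the `find ... -exec sed -i '/-e[[:space:]]\+.*/d'` sweep, so a pre-existing `-e` line in another file is left in place. Separately from the swap, that sed pattern is unanchored and also deletes any comment or rule line that merely contains `-e ` followed by whitespace; `^[[:space:]]*-e[[:space:]]` would limit it to the enable flag.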
@@ -63819,20 +63804,35 @@ fi - reboot_required - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-e%202%0A - mode: 0600 - path: /etc/audit/rules.d/90-immutable.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Traverse all of: +# +# /etc/audit/audit.rules, (for auditctl case) +# /etc/audit/rules.d/*.rules (for augenrules case) +# +# files to check if '-e .*' setting is present in that '*.rules' file already. +# If found, delete such occurrence since auditctl(8) manual page instructs the +# '-e 2' rule should be placed as the last rule in the configuration +find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' + +# Append '-e 2' requirement at the end of both: +# * /etc/audit/audit.rules file (for auditctl case) +# * /etc/audit/rules.d/immutable.rules (for augenrules case) + +for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" +do + echo '' >> $AUDIT_FILE + echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE + echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE + echo '-e 2' >> $AUDIT_FILE + chmod o-rwx $AUDIT_FILE +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
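Review bot: this hunk is the mirror image of the previous one, the identical bash and MachineConfig `<fix>` blocks for CCE-80708-1 simply trade positions, so nothing changes for consumers; sorting the fixes deterministically (for example by fix system, then id) would stop the automated publish from rewriting both datastreams on every run. On the bash itself, `for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"` appends `-e 2` to both files unconditionally, including the one the comment marks `(for auditctl case)` even when augenrules is in use and regenerates it, whereas the CCE-90783-2 remediation in the next hunk first checks for `ExecStartPost=-/sbin/auditctl` in auditd.service to pick one loader; the two should use the same detection.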
@@ -63870,30 +63870,6 @@ immutable: If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. CCE-90783-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# in case auditctl is used -if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then - if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then - echo "--loginuid-immutable" >> /etc/audit/audit.rules - fi -else - immutable_found=0 - while IFS= read -r -d '' f; do - if grep -q '^\s*--loginuid-immutable\s*$' "$f"; then - immutable_found=1 - fi - done < <(find /etc/audit/rules.d -maxdepth 1 -name '*.rules' -print0) - if [ $immutable_found -eq 0 ]; then - echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -63978,6 +63954,30 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# in case auditctl is used +if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then + if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then + echo "--loginuid-immutable" >> /etc/audit/audit.rules + fi +else + immutable_found=0 + while IFS= read -r -d '' f; do + if grep -q '^\s*--loginuid-immutable\s*$' "$f"; then + immutable_found=1 + fi + done < <(find /etc/audit/rules.d -maxdepth 1 -name '*.rules' -print0) + if [ $immutable_found -eq 0 ]; then + echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
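Review bot: the appended `--loginuid-immutable` does not account for the `-e 2` line that the CCE-80708-1 remediation (previous hunks) places last in the same two files, `/etc/audit/audit.rules` and `/etc/audit/rules.d/immutable.rules`; `echo "--loginuid-immutable" >> ...` lands after `-e 2`, which that remediation's own comment says must be the last rule, so the outcome depends on which remediation ran first. Insert the line before any `-e` line (or have the `-e 2` remediation always re-append itself) rather than appending blindly. Also, detecting the loader with `grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service` reads only the packaged unit and misses an override in `/etc/systemd/system/auditd.service` or a drop-in; `systemctl cat auditd` shows the effective unit. Both hunks here are again a pure move of the same block from before to after the Ansible tasks.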
@@ -64120,146 +64120,21 @@ utility to read audit rules during daemon startup, add the following line to arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. CCE-80721-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/MAC-policy.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/MAC-policy.rules" - # If the MAC-policy.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" - fi -done + --- -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules + overwrite: true - name: Gather the package facts package_facts: 
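Review bot: the Ignition data URL in the added MachineConfig carries leaked template delimiters: `source: data:,{{ -w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A }}` would put the literal text `{{ -w /etc/selinux/ -p wa -k MAC-policy` and ` }}` into `/etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules` (and the unencoded spaces make the URL itself malformed), which augenrules/auditctl cannot parse. Compare the `-e 2` MachineConfig earlier in this patch, `source: data:,-e%202%0A`, which is rendered correctly; the fix is the unbraced `source: data:,-w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A`. The same broken content appears as removed lines in the next hunk, so the defect predates this publish and is merely being moved.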
@@ -64462,145 +64337,7 @@ fi - reboot_required - restrict_strategy - --- - -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules - overwrite: true - - - - - - - - - - Record Events that Modify the System's Mandatory Access Controls in usr/share - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d: --w /usr/share/selinux/ -p wa -k MAC-policy -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /usr/share/selinux/ -p wa -k MAC-policy - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.8 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - 
PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 4.1.3.14 - The system's mandatory access policy (SELinux) should not be -arbitrarily changed by anything other than administrator action. All changes to -MAC policy should be audited. - CCE-86342-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' @@ -64627,7 +64364,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -64635,7 +64372,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
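Review bot: the `-/usr/share/selinux/` to `+/etc/selinux/` substitutions beginning at `@@ -64627` are a diff-alignment artifact, not a path change: git matched the bash remediation of the `/usr/share/selinux/` rule (CCE-86342-3) against the near-identical one for `/etc/selinux/` (CCE-80721-4), so `@@ -64462,145 +64337,7 @@` removes the whole CCE-86342-3 rule with its title, reference list and identifier, and the later hunks at 64741 and 64925 add it back unchanged. Review the moved rule as a unit rather than the per-line substitutions; the only other content in the removed region is the MachineConfig whose data URL still contains `{{ ... }}`, which moves with it.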
@@ -64651,12 +64388,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -64675,7 +64412,7 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/share/selinux/" /etc/audit/rules.d/*.rules) +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" @@ -64704,7 +64441,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits 
@@ -64712,7 +64449,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) @@ -64728,12 +64465,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" fi done 
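Review bot: the rules.d detection `readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules)` is unanchored and lacks `--`, unlike the per-file check below it, `grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/"`; a commented-out `# -w /etc/selinux/ -p wa -k MAC-policy` in any rules.d file therefore counts as "rule already defined", that file is selected, the anchored check then fails, and the rule is appended to that file instead of to `MAC-policy.rules`. Anchoring the first grep with `^` makes the two checks agree. The point applies equally to the `/usr/share/selinux/` variant these hunks are aligned against; the `-` and `+` lines here are the same script with a different watched path, not a rewrite.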
@@ -64741,6 +64478,128 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Mandatory Access Controls in usr/share + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-w /usr/share/selinux/ -p wa -k MAC-policy +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /usr/share/selinux/ -p wa -k MAC-policy + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.8 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 4.1.3.14 + The system's mandatory access policy (SELinux) should not be +arbitrarily changed by anything other than administrator action. All changes to +MAC policy should be audited. 
+ CCE-86342-3 - name: Gather the package facts package_facts: manager: auto 
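Review bot: the title of the re-added rule reads `Record Events that Modify the System's Mandatory Access Controls in usr/share` while its description and rule line say `/usr/share/selinux/`; the missing leading slash should be fixed at the source (`in /usr/share`) so the rendered guide and the rule text agree. Otherwise this hunk restores the CCE-86342-3 rule that `@@ -64462` removed, with an identical reference list, so it is a move rather than a change.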
@@ -64925,6 +64784,147 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/share/selinux/" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/MAC-policy.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/MAC-policy.rules" + # If the MAC-policy.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
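Review bot: the two sed patterns in the /usr/share/selinux/ watch-rule fixup disagree on whitespace, so the extraction step can return an empty mask and the rewrite then clobbers whatever access bits the existing rule had. The extraction `current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")` has a literal space before `$sp\+`, so it only matches when at least two whitespace characters separate the path from `-p`, while the `sed -i` a few lines later uses `/usr/share/selinux/$sp\+-p$sp\+` and matches a single space. For the usual single-space form (`-w /usr/share/selinux/ -p r -k ...`) the extraction yields nothing, the loop builds `current_access_bits` up to just `wa`, and the `sed -i` replaces the existing `r` or `x` with `wa` instead of adding to it. Drop the literal space so both patterns read `/usr/share/selinux/$sp\+-p$sp\+`. A smaller inconsistency in the same block: the augenrules discovery `grep -HP "[\s]*-w[\s]+/usr/share/selinux/" /etc/audit/rules.d/*.rules` is not anchored with `^`, unlike the per-file check `grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/"`, so a commented-out rule selects that file for inspection and the new rule is appended there rather than to MAC-policy.rules; anchoring the discovery grep the same way keeps the two checks consistent.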
@@ -65085,334 +65085,6 @@ where classified information, Privacy Act information, and intellectual property trail should be created each time a filesystem is mounted to help identify and guard against information loss. CCE-80722-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="mount" - KEY="perm_mod" - SYSCALL_GROUPING="" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
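Review bot: this hunk deletes the whole bash remediation for CCE-80722-2 (the `-S mount` rule with `-F auid>=1000 -F auid!=unset` and `-F key=perm_mod`) and leaves only the Ansible `Gather the package facts` task as trailing context, and it needs confirming that this is a move rather than a drop. The next hunk (`@@ -65743,158 +65415,7 @@`) rewrites another rule's remediation variables to exactly these values (`SYSCALL="mount"`, `KEY="perm_mod"`, the same `AUID_FILTERS`), which is what a change in rule ordering inside the generated datastream looks like; if the bash fix really is gone, CCE-80722-2 would ship with only the Ansible remediation. A diff of this size over a generated artifact cannot be reviewed line by line, so the publish job should either emit rules in a stable order or compare the built datastream per rule id / CCE so that only genuine content changes show up.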
@@ -65743,158 +65415,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Network Environment - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification --w /etc/issue -p wa -k audit_rules_networkconfig_modification --w /etc/issue.net -p wa -k audit_rules_networkconfig_modification --w /etc/hosts -p wa -k audit_rules_networkconfig_modification --w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification --w /etc/issue -p wa -k audit_rules_networkconfig_modification --w /etc/issue.net -p wa -k audit_rules_networkconfig_modification --w /etc/hosts -p wa -k audit_rules_networkconfig_modification --w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 
- 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.5.5 - 10.3.4 - 4.1.3.5 - The network environment should not be modified by anything other -than administrator action. Any change to network parameters should be -audited. - CCE-80723-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -65905,10 +65426,11 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" - AUID_FILTERS="" - SYSCALL="sethostname setdomainname" - KEY="audit_rules_networkconfig_modification" - SYSCALL_GROUPING="sethostname setdomainname" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="mount" + KEY="perm_mod" + SYSCALL_GROUPING="" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
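Review bot: the `-`/`+` pair for `# Remediation is applicable only in certain platforms` at the top of this hunk shows no visible difference and is presumably whitespace-only; the substantive change is below it, where the remediation body switches rules: `AUID_FILTERS=""`, `SYSCALL="sethostname setdomainname"`, `KEY="audit_rules_networkconfig_modification"` and `SYSCALL_GROUPING="sethostname setdomainname"` become `AUID_FILTERS="-F auid>=1000 -F auid!=unset"`, `SYSCALL="mount"`, `KEY="perm_mod"` and an empty grouping, while the title, description, references and `CCE-80723-0` of "Record Events that Modify the System's Network Environment" are deleted above. Read together with the previous hunk this is consistent with the two rules swapping places in the generated file, but please confirm that CCE-80723-0, with its `-S sethostname,setdomainname` rule and the four `-w` watches on /etc/issue, /etc/issue.net, /etc/hosts and /etc/sysconfig/network, still appears in the new datastream, since the deleted text is the only definition of it in this region. Two details to keep straight in whichever version survives: the network rule as described carries no auid filter (`-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification`), whereas the mount rule restricts to `auid>=1000`, so the two must not be merged into one `-a` line by the grouping logic; and `perm_mod` is a misleading key for a `mount` syscall rule, because that key name is conventionally used for permission-modification syscalls and mixing mount events into it makes `ausearch -k perm_mod` triage harder. A key that names the rule, as `audit_rules_networkconfig_modification` does for the network rule, would be clearer.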
@@ -66217,541 +65739,161 @@ if [ "$skip" -ne 0 ]; then fi done -# Then perform the remediations for the watch rules -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. 
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! -e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" - then - # Rule is found => verify yet if 
existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. 
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! -e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done - else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Network Environment + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification +-w /etc/issue -p wa -k audit_rules_networkconfig_modification +-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification +-w /etc/hosts -p wa -k audit_rules_networkconfig_modification +-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification +-w /etc/issue -p wa -k audit_rules_networkconfig_modification +-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification +-w /etc/hosts -p wa -k audit_rules_networkconfig_modification 
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.5.5 + 10.3.4 + 4.1.3.5 + The network environment should not be modified by anything other +than administrator action. Any change to network parameters should be +audited. + CCE-80723-0 - name: Gather the package facts package_facts: manager: auto 
@@ -67842,163 +66984,330 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Attempts to Alter Process and Session Initiation Information - The audit system already collects process information for all -users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing such process information: --w /var/run/utmp -p wa -k session --w /var/log/btmp -p wa -k session --w /var/log/wtmp -p wa -k session -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for attempted manual -edits of files involved in storing such process information: --w /var/run/utmp -p wa -k session --w /var/log/btmp -p wa -k session --w /var/log/wtmp -p wa -k session - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - 0582 - 0584 - 05885 - 0586 - 0846 - 0957 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - 
A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.3 - 10.2.1.3 - SRG-APP-000505-CTR-001285 - 4.1.3.11 - Manual editing of these files may indicate nefarious activity, such -as an attacker attempting to remove evidence of an intrusion. - CCE-80742-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="" + SYSCALL="sethostname setdomainname" + KEY="audit_rules_networkconfig_modification" + SYSCALL_GROUPING="sethostname setdomainname" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +# Then perform the remediations for the watch rules # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: @@ -68023,7 +67332,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits 
@@ -68031,7 +67340,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) @@ -68047,12 +67356,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68070,8 +67379,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -68084,9 +67393,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/session.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/session.rules" - # If the session.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -68100,7 +67409,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68108,7 +67417,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68124,12 +67433,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68155,7 +67464,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68163,7 +67472,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68179,12 +67488,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68202,8 +67511,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -68216,9 +67525,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/session.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/session.rules" - # If the session.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -68232,7 +67541,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68240,7 +67549,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68256,12 +67565,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68287,7 +67596,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68295,7 +67604,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68311,12 +67620,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68334,8 +67643,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/wtmp" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -68348,9 +67657,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/session.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/session.rules" - # If the session.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -68364,7 +67673,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68372,7 +67681,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68388,18 +67697,321 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" + then + # 
Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. 
Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Attempts to Alter Process and Session Initiation Information + The audit system already collects process information for all +users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing such process information: +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for attempted manual +edits of files involved in storing such process information: +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 
5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 0582 + 0584 + 05885 + 0586 + 0846 + 0957 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.3 + 10.2.1.3 + SRG-APP-000505-CTR-001285 + 4.1.3.11 + Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. + CCE-80742-0 + --- + + +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-audit-session-events.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -68966,76 +68578,7 @@ fi - reboot_required - restrict_strategy - --- - - -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-audit-session-events.rules - overwrite: true - - - - - - - Ensure auditd Collects System Administrator Actions - /etc/sudoers - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: --w /etc/sudoers -p wa -k actions -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /etc/sudoers -p wa -k actions - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-002130 - CCI-002132 - CCI-002884 - SRG-OS-000004-GPOS-00004 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000304-GPOS-00121 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000470-GPOS-00214 - SRG-OS-000471-GPOS-00215 - SRG-OS-000239-GPOS-00089 - SRG-OS-000240-GPOS-00090 - SRG-OS-000241-GPOS-00091 - SRG-OS-000303-GPOS-00120 - SRG-OS-000466-GPOS-00210 - SRG-OS-000476-GPOS-00221 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000503-CTR-001275 - RHEL-08-030171 - SV-230409r627750_rule - The actions taken by system administrators should be audited to keep a record -of what was executed on the system, as well as, for accountability purposes. 
-Editing the sudoers file may be sign of an attacker trying to -establish persistent methods to a system, auditing the editing of the sudoers -files mitigates this risk. - CCE-90175-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' @@ -69062,7 +68605,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69070,7 +68613,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -69086,12 +68629,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -69109,8 +68652,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" @@ -69123,9 +68666,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/actions.rules" - # If the actions.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/session.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/session.rules" + # If the session.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" 
@@ -69139,7 +68682,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69147,7 +68690,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -69163,71 +68706,387 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" fi done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90175-1 - - DISA-STIG-RHEL-08-030171 - - audit_rules_sudoers - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy -- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d - 
when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-90175-1 - - DISA-STIG-RHEL-08-030171 - - audit_rules_sudoers - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') -- name: Search /etc/audit/rules.d for other rules with specified key actions - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)actions$ - patterns: '*.rules' - register: find_watch_key - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched - == 0 - tags: - - CCE-90175-1 - - DISA-STIG-RHEL-08-030171 - - audit_rules_sudoers - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) 
+ do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. 
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/session.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/session.rules" + # If the session.rules file doesn't exist yet, create it with correct permissions + if [ ! -e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! 
grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + 
# all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/wtmp" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/session.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/session.rules" + # If the session.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. 
Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + Ensure auditd Collects System Administrator Actions - /etc/sudoers + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/sudoers -p wa -k actions +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/sudoers -p wa -k actions + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-002130 + CCI-002132 + CCI-002884 + SRG-OS-000004-GPOS-00004 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000304-GPOS-00121 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000470-GPOS-00214 + SRG-OS-000471-GPOS-00215 + SRG-OS-000239-GPOS-00089 + SRG-OS-000240-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000303-GPOS-00120 + SRG-OS-000466-GPOS-00210 + SRG-OS-000476-GPOS-00221 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000503-CTR-001275 + RHEL-08-030171 + SV-230409r627750_rule + The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. +Editing the sudoers file may be sign of an attacker trying to +establish persistent methods to a system, auditing the editing of the sudoers +files mitigates this risk. 
+ CCE-90175-1 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90175-1 + - DISA-STIG-RHEL-08-030171 + - audit_rules_sudoers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90175-1 + - DISA-STIG-RHEL-08-030171 + - audit_rules_sudoers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key actions + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)actions$ + patterns: '*.rules' + register: find_watch_key + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CCE-90175-1 + - DISA-STIG-RHEL-08-030171 + - audit_rules_sudoers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule set_fact: 
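Review bot: in the btmp/wtmp watch-rule loops of this hunk the extraction regex disagrees with the propagation regex: `sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p"` has a literal space before `$sp\+`, so it only matches when two or more whitespace characters separate the path from `-p`, while the later `sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)..."` matches a single space. For the common single-space form the extraction yields an empty `current_access_bits`, the loop turns it into `wa`, and the in-place edit then overwrites whatever bits the existing rule had (an existing `-p rwa` becomes `-p wa`). Drop the literal space so both patterns agree; the same construct recurs in the wtmp copy below and in the `/etc/sudoers` and `/etc/sudoers.d/` remediations later in the patch. Minor: the comment "back into the /etc/audit/audit.rules file" is inaccurate when `$audit_rules_file` is a `/etc/audit/rules.d/*.rules` file, and `rulesd_audit_file=$(echo $match | cut -f1 -d ':')` leaves `$match` unquoted.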
@@ -69329,62 +69188,7 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: --w /etc/sudoers.d/ -p wa -k actions -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /etc/sudoers.d/ -p wa -k actions - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-002130 - CCI-002132 - CCI-002884 - SRG-OS-000004-GPOS-00004 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000304-GPOS-00121 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000470-GPOS-00214 - SRG-OS-000471-GPOS-00215 - SRG-OS-000239-GPOS-00089 - SRG-OS-000240-GPOS-00090 - SRG-OS-000241-GPOS-00091 - SRG-OS-000303-GPOS-00120 - SRG-OS-000466-GPOS-00210 - SRG-OS-000476-GPOS-00221 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000503-CTR-001275 - RHEL-08-030172 - SV-230410r627750_rule - The actions taken by system administrators should be audited to keep a record -of what was executed on the system, as well as, for accountability purposes. -Editing the sudoers file may be sign of an attacker trying to -establish persistent methods to a system, auditing the editing of the sudoers -files mitigates this risk. - CCE-89497-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -69411,7 +69215,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69419,7 +69223,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) @@ -69435,12 +69239,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness 
@@ -69459,7 +69263,7 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" @@ -69488,7 +69292,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69496,7 +69300,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
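Review bot: the new path pattern in `@@ -69411,7 +69215,7 @@`, `@@ -69459,7 +69263,7 @@` and `@@ -69488,7 +69292,7 @@` is not delimited: `grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers"` (and the `grep -HP "[\s]*-w[\s]+/etc/sudoers"` used to pick the rules.d file) also matches an existing `-w /etc/sudoers.d/ -p wa -k actions` line. Because both rules use the `actions` key and therefore share `/etc/audit/rules.d/actions.rules`, a host already remediated for `/etc/sudoers.d/` takes the "rule is found" branch, the two `sed` expressions for `/etc/sudoers` then match nothing, and the `/etc/sudoers` watch is never appended. Anchor the path with trailing whitespace, e.g. `^[\s]*-w[\s]+/etc/sudoers[\s]+`, as the Ansible check in the same rule already does (`^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+`).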
@@ -69512,12 +69316,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" fi done 
@@ -69525,6 +69329,61 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/sudoers.d/ -p wa -k actions +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/sudoers.d/ -p wa -k actions + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-002130 + CCI-002132 + CCI-002884 + SRG-OS-000004-GPOS-00004 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000304-GPOS-00121 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000470-GPOS-00214 + SRG-OS-000471-GPOS-00215 + SRG-OS-000239-GPOS-00089 + SRG-OS-000240-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000303-GPOS-00120 + SRG-OS-000466-GPOS-00210 + SRG-OS-000476-GPOS-00221 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000503-CTR-001275 + RHEL-08-030172 + SV-230410r627750_rule + The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. +Editing the sudoers file may be sign of an attacker trying to +establish persistent methods to a system, auditing the editing of the sudoers +files mitigates this risk. + CCE-89497-2 - name: Gather the package facts package_facts: manager: auto 
@@ -69677,6 +69536,147 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/actions.rules" + # If the actions.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -69717,6 +69717,128 @@ of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. CCE-90209-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Service facts + ansible.builtin.service_facts: null + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check the rules script being used + ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service + register: check_rules_scripts_result + changed_when: false + failed_when: false + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set suid_audit_rules fact + ansible.builtin.set_fact: + suid_audit_rules: + - rule: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions + ansible.builtin.lineinfile: + path: /etc/audit/rules.d/user_emulation.rules + line: '{{ item.rule }}' + regexp: '{{ item.regex }}' + create: true + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"augenrules" in check_rules_scripts_result.stdout' + register: augenrules_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Update Update /etc/audit/audit.rules to audit privileged functions + ansible.builtin.lineinfile: + path: /etc/audit/audit.rules + line: '{{ item.rule }}' + regexp: '{{ item.regex }}' + create: true + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"auditctl" in check_rules_scripts_result.stdout' + register: auditctl_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Restart Auditd + ansible.builtin.command: /usr/sbin/service auditd restart + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (augenrules_audit_rules_privilege_function_update_result.changed or 
auditctl_audit_rules_privilege_function_update_result.changed) + - ansible_facts.services["auditd.service"].state == "running" + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
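Review bot: in the `Set suid_audit_rules fact` task of this hunk, each `regex` does not match the `rule` it is paired with: the rule is written as `-S execve -C euid!=uid -F auid!=unset`, but the regex expects `-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve`. Since `lineinfile` uses `regexp` to find the line to replace, a pre-existing equivalent rule with a different key (which the `(?:-k[\s]+|-F[\s]+key=)[\S]+` alternative is meant to accept) is not recognized and a second rule is appended. Reorder the regex to follow the rule (`arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+`), as the regexes in the `@@ -70090,25 +70314,37 @@` hunk further down already do. Also the task name `Update Update /etc/audit/audit.rules to audit privileged functions` has a duplicated word.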
@@ -70044,12 +70166,98 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events When Privileged Executables Are Run + Verify the system generates an audit record when privileged functions are executed. + +If audit is using the "auditctl" tool to load the rules, run the following command: + +$ sudo grep execve /etc/audit/audit.rules + +If audit is using the "augenrules" tool to load the rules, run the following command: + +$ sudo grep -r execve /etc/audit/rules.d + + +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid +-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid + + +If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. +If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. + Note that these rules can be configured in a +number of ways while still achieving the desired effect. + CCI-001814 + CCI-001882 + CCI-001889 + CCI-001880 + CCI-001881 + CCI-001878 + CCI-001879 + CCI-001875 + CCI-001877 + CCI-001914 + CCI-002233 + CCI-002234 + CM-5(1) + AU-7(a) + AU-7(b) + AU-8(b) + AU-12(3) + AC-6(9) + 10.2.1.2 + SRG-OS-000326-GPOS-00126 + SRG-OS-000327-GPOS-00127 + SRG-APP-000343-CTR-000780 + SRG-APP-000381-CTR-000905 + RHEL-08-030000 + SV-230386r854037_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have +compromised information system accounts, is a serious and ongoing concern +and can have significant adverse impacts on organizations. Auditing the use +of privileged functions is one way to detect such misuse and identify the +risk from insider threats and the advanced persistent threat. 
+ + CCE-83556-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-audit-suid-privilege-function.rules + overwrite: true + + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity @@ -70062,8 +70270,16 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity 
@@ -70079,8 +70295,16 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity 
@@ -70090,25 +70314,37 @@ fi - name: Set suid_audit_rules fact ansible.builtin.set_fact: suid_audit_rules: - - rule: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - 
low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions +- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions ansible.builtin.lineinfile: - path: /etc/audit/rules.d/user_emulation.rules + path: /etc/audit/rules.d/privileged.rules line: '{{ item.rule }}' regexp: '{{ item.regex }}' create: true @@ -70120,8 +70356,16 @@ fi register: augenrules_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity @@ -70142,8 +70386,16 @@ fi register: auditctl_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity 
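Review bot: the `regex` values in the new `suid_audit_rules` fact pin the exact token order `-S execve -C uid!=euid -F euid=0`, so an equivalent rule already present on the host in a different field order, or written as `-C euid!=uid` (the operand order the replaced `user_emulation` rules used), is not matched by `lineinfile`'s `regexp` and a second copy is appended to `/etc/audit/rules.d/privileged.rules`, leaving auditd with duplicate rules. The rule's own note says these rules `can be configured in a number of ways while still achieving the desired effect`; either accept both operand orders (`-C (?:uid!=euid|euid!=uid)`, and likewise for gid) and let the `-C`/`-F` fields appear in either sequence, or document that only this canonical form is recognised and everything else is duplicated.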
@@ -70158,77 +70410,22 @@ fi - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) - ansible_facts.services["auditd.service"].state == "running" tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Record Events When Privileged Executables Are Run - Verify the system generates an audit record when privileged functions are executed. - -If audit is using the "auditctl" tool to load the rules, run the following command: - -$ sudo grep execve /etc/audit/audit.rules - -If audit is using the "augenrules" tool to load the rules, run the following command: - -$ sudo grep -r execve /etc/audit/rules.d - - --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid --a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid - - -If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. -If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. - Note that these rules can be configured in a -number of ways while still achieving the desired effect. 
- CCI-001814 - CCI-001882 - CCI-001889 - CCI-001880 - CCI-001881 - CCI-001878 - CCI-001879 - CCI-001875 - CCI-001877 - CCI-001914 - CCI-002233 - CCI-002234 - CM-5(1) - AU-7(a) - AU-7(b) - AU-8(b) - AU-12(3) - AC-6(9) - 10.2.1.2 - SRG-OS-000326-GPOS-00126 - SRG-OS-000327-GPOS-00127 - SRG-APP-000343-CTR-000780 - SRG-APP-000381-CTR-000905 - RHEL-08-030000 - SV-230386r854037_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have -compromised information system accounts, is a serious and ongoing concern -and can have significant adverse impacts on organizations. Auditing the use -of privileged functions is one way to detect such misuse and identify the -risk from insider threats and the advanced persistent threat. - - CCE-83556-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
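Review bot: this hunk removes the second copy of the `Record Events When Privileged Executables Are Run` header (the one the first hunk re-inserted further up), but the `CCE-90209-8` / `audit_rules_suid_auid_privilege_function` identifiers that the first hunk stripped from the Ansible tasks are not re-added anywhere in the visible diff, so after the reorder the `-C euid!=uid -F auid!=unset -k user_emulation` rules have lost the Ansible chain that carried them; confirm that rule still owns its own `Gather the package facts` through `Restart Auditd` tasks elsewhere in the datastream, otherwise the move silently drops one rule's remediation.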
@@ -70875,203 +71072,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Service facts - ansible.builtin.service_facts: null - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Check the rules script being used - ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service - register: check_rules_scripts_result - changed_when: false - failed_when: false - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set suid_audit_rules fact - ansible.builtin.set_fact: - suid_audit_rules: - - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid - regex: 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions - ansible.builtin.lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: '{{ item.rule }}' - regexp: '{{ item.regex }}' - create: true - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"auditd.service" in ansible_facts.services' - - '"augenrules" in check_rules_scripts_result.stdout' - register: augenrules_audit_rules_privilege_function_update_result - with_items: '{{ suid_audit_rules }}' - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - 
NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Update Update /etc/audit/audit.rules to audit privileged functions - ansible.builtin.lineinfile: - path: /etc/audit/audit.rules - line: '{{ item.rule }}' - regexp: '{{ item.regex }}' - create: true - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"auditd.service" in ansible_facts.services' - - '"auditctl" in check_rules_scripts_result.stdout' - register: auditctl_audit_rules_privilege_function_update_result - with_items: '{{ suid_audit_rules }}' - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Restart Auditd - ansible.builtin.command: /usr/sbin/service auditd restart - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) - - ansible_facts.services["auditd.service"].state == "running" - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - --- 
-apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-audit-suid-privilege-function.rules - overwrite: true 
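Review bot: the Ansible chain deleted here carries a task named `Update Update /etc/audit/audit.rules to audit privileged functions` (the word is doubled); the relocated copy in the earlier hunk shows only the `register: auditctl_audit_rules_privilege_function_update_result` line of that task, so its name is not visible there. Fix the doubled word in the template that generates this task name rather than in the rendered datastream, or the typo travels with every move of this block.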
@@ -71285,279 +71285,20 @@ utility to read audit rules during daemon startup, add the following line to The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. CCE-80743-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current 
permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/actions.rules" - # If the actions.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. 
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/actions.rules" - # If the actions.rules file doesn't exist yet, create it with correct permissions - if [ ! -e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true - name: Gather the package facts package_facts: 
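Review bot: the data URL in the added MachineConfig wraps the url-encoded rules in `{{ … }}` (`source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }}`); if the operator applying this MachineConfig does not strip those delimiters, the literal braces land in `75-audit-sysadmin-actions.rules` and `augenrules` rejects the line, so confirm they are template markers that get resolved and not residue. The file is also installed with `mode: 0600`, whereas the bash remediation that moves out of this position creates `/etc/audit/rules.d/actions.rules` with `chmod 0640`; using one mode for rules.d files would let the two remediations produce the same end state.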
@@ -71987,20 +71728,279 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + then + # Rule is found => verify yet 
if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/actions.rules" + # If the actions.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! 
grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. 
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/actions.rules" + # If the actions.rules file doesn't exist yet, create it with correct permissions + if [ ! -e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! 
grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -72074,29 +72074,6 @@ Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. CCE-80744-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audit_failure_mode='' - - -# Traverse all of: -# -# /etc/audit/audit.rules, (for auditctl case) -# /etc/audit/rules.d/*.rules (for augenrules case) -find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - -for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" -do - echo '' >> $AUDIT_FILE - echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> $AUDIT_FILE - echo "-f $var_audit_failure_mode" >> $AUDIT_FILE -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
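Review bot: the "rule already present" checks in the `/etc/sudoers` part of this hunk use `-w[\s]+/etc/sudoers` with nothing after the path, so they also match the `-w /etc/sudoers.d/ -p wa -k actions` line that the second half of the same remediation writes. On a rules.d file that already holds the sudoers.d watch but not the `/etc/sudoers` one, the first `grep -HP` reports the rule as defined, the per-file `grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers"` takes the found branch, neither `sed` touches the `.d/` line, and the `/etc/sudoers` watch is never appended. Terminate the path in both grep patterns with a whitespace class, e.g. `"^[\s]*-w[\s]+/etc/sudoers[\s]+"`, and escape the dot in the sudoers.d patterns (`/etc/sudoers\.d/`) so the two rules cannot be mistaken for each other.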
@@ -72189,6 +72166,29 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audit_failure_mode='' + + +# Traverse all of: +# +# /etc/audit/audit.rules, (for auditctl case) +# /etc/audit/rules.d/*.rules (for augenrules case) +find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + +for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" +do + echo '' >> $AUDIT_FILE + echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> $AUDIT_FILE + echo "-f $var_audit_failure_mode" >> $AUDIT_FILE +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
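Review bot: as this hunk reads, `var_audit_failure_mode=''` is an empty string, so the loop appends `-f ` with no mode value, which the audit rule loader rejects; if the datastream's value substitution was dropped when this diff was rendered that is a display artifact, but the rendered script must not be taken as runnable. Separately, the `-f` line is appended unconditionally to both `/etc/audit/audit.rules` and `/etc/audit/rules.d/immutable.rules`, whereas every other remediation in this patch selects the file by loader (`auditctl` vs `augenrules`); with augenrules the audit.rules copy is regenerated from rules.d and the appended line is lost, and with auditctl the immutable.rules copy is never loaded. Consider reusing the same files_to_inspect scheme here.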
@@ -73300,148 +73300,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80758-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/group" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
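Review bot: the 142 lines removed here reappear verbatim in the next hunk (`-148 +6` here against `-6 +148` there), so the change is a reordering of the bash fix relative to the Ansible `package_facts` task, not a content change. Reordering generated fix elements in an automated publish inflates the diff to the point where a genuine script edit would be undetectable in review; the generator should emit fixes in a stable order (for example sorted by fix system) so the published diff reflects only real changes.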
@@ -73667,6 +73525,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/group" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
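Review bot: the access-bit extraction in both halves of this hunk cannot match the rule the script itself writes. The pattern `s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p` has a literal space after `/etc/group` followed by `$sp\+`, so it requires at least two whitespace characters before `-p`, while the appended rule `-w /etc/group -p wa -k audit_rules_usergroup_modification` has one. `current_access_bits` therefore comes back empty, the loop builds `wa` from scratch, and the following `sed -i` (whose pattern has no stray space and does match) overwrites the existing mask: a rule with `-p rwa` is rewritten to `-p wa`, contradicting the comment "original + the required ones". Drop the literal space so the extraction reads `/etc/group$sp\+-p$sp\+`, matching the replacement pattern.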
@@ -73893,148 +73893,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80759-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -74260,6 +74118,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
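Review bot: the access-bit extraction cannot match a normally formatted rule, so a pre-existing watch with extra bits gets narrowed instead of extended. The extraction pattern in this hunk is `"s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p"`, which has a literal space after `/etc/gshadow` followed by `$sp\+`, i.e. it needs at least two whitespace characters before `-p`; the rewrite a few lines later uses `/etc/gshadow$sp\+-p` and matches a single space. For a typical `-w /etc/gshadow -p rwxa -k ...` line `current_access_bits` therefore comes back empty, the loop builds `wa` from nothing, and `sed -i` replaces `rwxa` with `wa`, silently dropping the `r` and `x` bits the administrator had configured. Removing the stray space (`/etc/gshadow$sp\+-p$sp\+`) makes both patterns agree and preserves the existing mask.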
@@ -74488,148 +74488,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80760-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
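Review bot: the block deleted here is not a content change; the same 146 lines reappear verbatim in the following hunk (`@@ -74855,6 +74713,148 @@`), after the Ansible task's `- restrict_strategy` tag instead of directly after `CCE-80760-2`. Net effect is only that the bash remediation for this rule now follows the Ansible remediation rather than preceding it. Please confirm the generator orders fix content deterministically and that this move is intended; an automated publish whose fix ordering flips between runs is what turns a no-op rebuild into the equal-sized 131662-line insertion/deletion pairs shown in the file summary, and it hides any real change in the noise.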
@@ -74855,6 +74713,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
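Review bot: the two presence checks in this hunk use different anchoring, so a commented-out rule steers the append to the wrong file. The `rules.d` scan is `grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules` with no `^`, so a line such as `# -w /etc/security/opasswd -p wa ...` puts that file into `files_to_inspect`; the per-file check `grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd"` is anchored, fails on the comment, and the rule is appended to that file rather than to `audit_rules_usergroup_modification.rules` as the comment above `key_rule_file` says it should be. Anchoring the first grep with `^` as well keeps both checks consistent. Minor, in the same loop: `rulesd_audit_file=$(echo $match | cut -f1 -d ':')` leaves `$match` unquoted and subject to word splitting and globbing; `rulesd_audit_file="${match%%:*}"` avoids both and the subshell.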
@@ -75086,148 +75086,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80761-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
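Review bot: the comments in the block being moved here no longer describe what the code does and will mislead the next reader. `# Propagate the updated rule's access bits (original + the required ones) back into the /etc/audit/audit.rules file for that rule` is duplicated into the augenrules loop, where `$audit_rules_file` is a file under `/etc/audit/rules.d/`, and `# Create a list of audit *.rules files that should be inspected ...` together with the whole scheme table is printed twice, once per tool, although the table already covers both tools. Either phrase the comment in terms of `$audit_rules_file` or keep the scheme table once above the two passes, so the generated script documents itself accurately.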
@@ -75453,6 +75311,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
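Review bot: the path match has no trailing boundary, so a watch on a different file can satisfy the presence check and the intended rule is never written. `grep -q -P -- "^[\s]*-w[\s]+/etc/passwd"` in this hunk also matches `-w /etc/passwd- -p wa -k ...` (the backup copy shadow-utils keeps next to `/etc/passwd`); the script then takes the "rule is found" branch, the `sed` extraction and rewrite both require whitespace immediately after `/etc/passwd` and match nothing, and the loop ends with no `/etc/passwd` watch added and no error. Terminating the path in both greps, e.g. `"^[\s]*-w[\s]+/etc/passwd[\s]"`, limits the match to the exact file; the same applies to the `readarray` scan of `rules.d` earlier in the hunk.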
@@ -75679,148 +75679,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80762-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -76047,58 +75905,11 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Attempts to perform maintenance activities - The Red Hat Enterprise Linux 8 operating system must generate audit records for -privileged activities, nonlocal maintenance, diagnostic sessions and -other system-level access. - -Verify the operating system audits activities performed during nonlocal -maintenance and diagnostic sessions. Run the following command: -$ sudo auditctl -l | grep sudo.log --w /var/log/sudo.log -p wa -k maintenance - BP28(R73) - CCI-000172 - CCI-002884 - Req-10.2.2 - Req-10.2.5.b - 10.2.1.4 - SRG-OS-000392-GPOS-00172 - SRG-OS-000471-GPOS-00215 - 4.1.3.3 - If events associated with nonlocal administrative access or diagnostic -sessions are not logged, a major tool for assessing and investigating -attacks would not be available. -This requirement addresses auditing-related issues associated with -maintenance tools used specifically for diagnostic and repair actions -on organizational information systems. -Nonlocal maintenance and diagnostic activities are those activities -conducted by individuals communicating through a network, either an -external network (e.g., the internet) or an internal network. Local -maintenance and diagnostic activities are those activities carried -out by individuals physically present at the information system or -information system component and not communicating across a network -connection. -This requirement applies to hardware/software diagnostic test -equipment or tools. This requirement does not cover hardware/software -components that may support information system maintenance, yet are a -part of the system, for example, the software implementing "ping," -"ls," "ipconfig," or the hardware and software implementing the -monitoring port of an Ethernet switch. - CCE-86432-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # @@ -76122,7 +75933,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -76130,7 +75941,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -76146,12 +75957,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -76169,8 +75980,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/sudo.log" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -76183,9 +75994,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -76199,7 +76010,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -76207,7 +76018,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -76223,12 +76034,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" fi done 
@@ -76236,6 +76047,52 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Attempts to perform maintenance activities + The Red Hat Enterprise Linux 8 operating system must generate audit records for +privileged activities, nonlocal maintenance, diagnostic sessions and +other system-level access. + +Verify the operating system audits activities performed during nonlocal +maintenance and diagnostic sessions. Run the following command: +$ sudo auditctl -l | grep sudo.log +-w /var/log/sudo.log -p wa -k maintenance + BP28(R73) + CCI-000172 + CCI-002884 + Req-10.2.2 + Req-10.2.5.b + 10.2.1.4 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + 4.1.3.3 + If events associated with nonlocal administrative access or diagnostic +sessions are not logged, a major tool for assessing and investigating +attacks would not be available. +This requirement addresses auditing-related issues associated with +maintenance tools used specifically for diagnostic and repair actions +on organizational information systems. +Nonlocal maintenance and diagnostic activities are those activities +conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. Local +maintenance and diagnostic activities are those activities carried +out by individuals physically present at the information system or +information system component and not communicating across a network +connection. +This requirement applies to hardware/software diagnostic test +equipment or tools. This requirement does not cover hardware/software +components that may support information system maintenance, yet are a +part of the system, for example, the software implementing "ping," +"ls," "ipconfig," or the hardware and software implementing the +monitoring port of an Ethernet switch. + CCE-86432-2 - name: Gather the package facts package_facts: manager: auto 
@@ -76404,6 +76261,149 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/sudo.log" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -76435,6 +76435,158 @@ utility to read audit rules during daemon startup, add the rule to Auditing these events could serve as evidence of potential system compromise.' CCE-80941-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80941-8 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.3.1 + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /var/log/audit + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key 
}}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/access-audit-trail.rules + set_fact: audit_file="/etc/audit/rules.d/access-audit-trail.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r + -F auid>=1000 -F auid!=unset -F key=access-audit-trail + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: 
missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r + -F auid>=1000 -F auid!=unset -F key=access-audit-trail + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80941-8 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.3.1 + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -76754,158 +76906,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80941-8 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-10.3.1 - - directory_access_var_log_audit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /var/log/audit - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path 
to /etc/audit/rules.d/access-audit-trail.rules - set_fact: audit_file="/etc/audit/rules.d/access-audit-trail.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r - -F auid>=1000 -F auid!=unset -F key=access-audit-trail - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the 
audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r - -F auid>=1000 -F auid!=unset -F key=access-audit-trail - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80941-8 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-10.3.1 - - directory_access_var_log_audit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -77027,27 +77027,6 @@ group account, change the group ownership of the audit directories to this speci Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. CCE-88225-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then - GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') -else - GROUP=root -fi -if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then - DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev) -else - DIR="/var/log/audit" -fi - - -find ${DIR} -type d -exec chgrp ${GROUP} {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77118,6 +77097,27 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then + GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') +else + GROUP=root +fi +if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then + DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev) +else + DIR="/var/log/audit" +fi + + +find ${DIR} -type d -exec chgrp ${GROUP} {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -77236,21 +77236,6 @@ To properly set the owner of /var/log/audit, run the comm Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. CCE-88226-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then - FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') - LOGPATH="$(dirname "$FILE")" - chown root $LOGPATH -else - chown root /var/log/audit -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77318,6 +77303,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then + FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') + LOGPATH="$(dirname "$FILE")" + chown root $LOGPATH +else + chown root /var/log/audit +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -77633,17 +77633,6 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -find /etc/audit/ -maxdepth 1 -type f ! -group 0 -regex '^audit(\.rules|d\.conf)$' -exec chgrp 0 {} \; - -find /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.rules$' -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77724,6 +77713,17 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +find /etc/audit/ -maxdepth 1 -type f ! -group 0 -regex '^audit(\.rules|d\.conf)$' -exec chgrp 0 {} \; + +find /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.rules$' -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -77750,17 +77750,6 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -find /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex '^audit(\.rules|d\.conf)$' -exec chown 0 {} \; - -find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.rules$' -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77841,6 +77830,17 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +find /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex '^audit(\.rules|d\.conf)$' -exec chown 0 {} \; + +find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.rules$' -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -78142,17 +78142,6 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*audit\(\.rules\|d\.conf\)$' -exec chmod u-xs,g-xws,o-xwrt {} \; - -find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*\.rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -78235,6 +78224,17 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*audit\(\.rules\|d\.conf\)$' -exec chmod u-xs,g-xws,o-xwrt {} \; + +find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*\.rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -78367,22 +78367,6 @@ By default, audit_log_file is "/var/log/audit/audit.log".SV-230396r902733_rule If users can write to audit logs, audit trails can be modified or destroyed. CCE-80819-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then - FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') -else - FILE="/var/log/audit/audit.log" -fi - - -chmod 0600 $FILE - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -78523,6 +78507,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then + FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') +else + FILE="/var/log/audit/audit.log" +fi + + +chmod 0600 $FILE + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
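Review bot: in the re-added CCE-80819-6 script at @@ -78523 the guard `grep -iw ^log_file` matches case-insensitively, but the extraction `awk -F "=" '/^log_file/ {print $2}'` is case-sensitive, so a `LOG_FILE = ...` line would pass the guard, leave FILE empty, and `chmod 0600 $FILE` would run with no operand and fail instead of falling back to `/var/log/audit/audit.log`. Either drop `-i` from the guard or match case-insensitively in awk as well, and quote `"$FILE"`. The same grep/awk mismatch appears in the log_file branches of the two rules above.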
@@ -78719,334 +78719,6 @@ can facilitate the identification of patterns of abuse among both authorized and unauthorized users. CCE-80685-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="chmod" - KEY="perm_mod" - SYSCALL_GROUPING="chmod fchmod fchmodat" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
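Review bot: this removal at @@ -78719 (334 old lines collapsing to 6) takes out the whole chmod remediation for CCE-80685-1, and its `+` counterpart is the hunk at @@ -79578 below, where git shows `SYSCALL="chown"` / `SYSCALL_GROUPING="chown fchown fchownat lchown"` turning into `SYSCALL="chmod"` / `SYSCALL_GROUPING="chmod fchmod fchmodat"`. That is an artefact of rule reordering (the chown, fchmod and fchmodat rules are each removed and re-added wholesale in the later hunks), not a change to any rule's syscall list, so the patch should not be reviewed line by line; verify instead by extracting each Rule element from the old and new datastream and comparing them per id. Within the moved script itself, two follow-ups: the rules file is created with `chmod 0640 "$file_to_inspect"` but later tightened with the unquoted `chmod o-rwx ${default_file}`, and the comments carry typos (`exsiting`, `than check`, `more fields then required`).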
@@ -79388,185 +79060,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - chown - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - - CCE-80686-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -79578,9 +79072,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="chown" + SYSCALL="chmod" KEY="perm_mod" - SYSCALL_GROUPING="chown fchown fchownat lchown" + SYSCALL_GROUPING="chmod fchmod fchmodat" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
@@ -79894,6 +79388,184 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chown + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + CCE-80686-9 - name: Gather the package facts package_facts: manager: auto 
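Review bot: the chown rule re-added at @@ -79894 is identical to the copy removed at @@ -79388 (same RHEL-08-030480, SV-230455r810459_rule and CCE-80686-9), so nothing needs re-checking there, but since the description is being re-emitted anyway: "Grouping these system calls with others as identifying earlier in this guide is more efficient" should read "as identified earlier in this guide". The same sentence recurs in the fchmod and fchmodat rule descriptions below.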
@@ -80239,184 +79911,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchmod - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030490 - 4.1.3.9 - SV-230456r810462_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80687-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -80427,9 +79923,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchmod" + SYSCALL="chown" KEY="perm_mod" - SYSCALL_GROUPING="chmod fchmod fchmodat" + SYSCALL_GROUPING="chown fchown fchownat lchown" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
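Review bot: in the `-`/`+` pair at @@ -80427 the platform check changes from `rpm --quiet -q audit; then` to `rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then` alongside `SYSCALL="fchmod"` becoming `SYSCALL="chown"`. Read in isolation this looks like the fchmod remediation newly excluding aarch64; it is actually the chown rule, which already carried that exclusion in the copy removed at @@ -79388 (the `if` line there is unchanged context), landing in the slot the fchmod rule occupied, while the fchmod rule text is re-added at @@ -80743. If this reordering is expected output of the publisher, the commit message should say so; otherwise a per-rule comparison is the quickest way to confirm no applicability check actually changed.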
@@ -80743,6 +80239,182 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmod + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030490 + 4.1.3.9 + SV-230456r810462_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80687-7 - name: Gather the package facts package_facts: manager: auto 
@@ -81081,183 +80753,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchmodat - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030490 - 4.1.3.9 - SV-230456r810462_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80688-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -81269,7 +80765,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchmodat" + SYSCALL="fchmod" KEY="perm_mod" SYSCALL_GROUPING="chmod fchmod fchmodat" 
@@ -81585,6 +81081,182 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmodat + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030490 + 4.1.3.9 + SV-230456r810462_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80688-5 - name: Gather the package facts package_facts: manager: auto 
@@ -81923,187 +81595,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchown - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80689-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -82115,9 +81607,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchown" + SYSCALL="fchmodat" KEY="perm_mod" - SYSCALL_GROUPING="chown fchown fchownat lchown" + SYSCALL_GROUPING="chmod fchmod fchmodat" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
@@ -82431,6 +81923,186 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchown + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80689-3 - name: Gather the package facts package_facts: manager: auto 
@@ -82773,184 +82445,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchownat - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80690-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -82962,7 +82457,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchownat" + SYSCALL="fchown" KEY="perm_mod" SYSCALL_GROUPING="chown fchown fchownat lchown" 
@@ -83278,6 +82773,183 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchownat + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80690-1 - name: Gather the package facts package_facts: manager: auto 
@@ -83620,197 +83292,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr - At a minimum, the audit system should collect file permission -changes for all users and root. - -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000466-GPOS-00210 - SRG-OS-000468-GPOS-00212 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000499-CTR-001255 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The changing of file permissions could indicate 
that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80691-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule 
@@ -83822,328 +83304,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fremovexattr" - KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e 
"/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! -e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - - - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid=0" - SYSCALL="fremovexattr" + SYSCALL="fchownat" KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + SYSCALL_GROUPING="chown fchown fchownat lchown" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
@@ -84457,6 +83620,196 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000466-GPOS-00210 + SRG-OS-000468-GPOS-00212 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000499-CTR-001255 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The changing of file permissions could indicate 
that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80691-9 - name: Gather the package facts package_facts: manager: auto 
@@ -85063,194 +84416,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fsetxattr - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000466-GPOS-00210 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The 
changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80692-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -85262,7 +84428,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fsetxattr" + SYSCALL="fremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -85581,7 +84747,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="fsetxattr" + SYSCALL="fremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
@@ -85897,132 +85063,319 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80692-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030200 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit fsetxattr tasks - set_fact: - audit_arch: b64 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" - tags: - - CCE-80692-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030200 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Perform remediation of Audit rules for fsetxattr for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - fsetxattr - syscall_grouping: - - fremovexattr - - lremovexattr - - removexattr - - fsetxattr - - lsetxattr - - setxattr - - - name: Check existence of fsetxattr in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - 
- name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k - |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 - -F auid!=unset -F key=perm_mod - create: true - mode: o-rwx - state: 
present - when: syscalls_found | length == 0 - + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000466-GPOS-00210 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The 
changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80692-7 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80692-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030200 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit fsetxattr tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80692-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030200 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for fsetxattr for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - fsetxattr + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr + + - name: Check existence of fsetxattr in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' 
+ register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules + set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k + |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + 
lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 + -F auid!=unset -F key=perm_mod + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls set_fact: syscalls: 
@@ -86503,186 +85856,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - lchown - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - - CCE-80693-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system 
@@ -86693,9 +85868,328 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="lchown" + SYSCALL="fsetxattr" KEY="perm_mod" - SYSCALL_GROUPING="chown fchown fchownat lchown" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions 
matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! -e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + + + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid=0" + SYSCALL="fsetxattr" + KEY="perm_mod" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
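Review bot: this hunk is a reorder, not a content change, and the swap of `SYSCALL="lchown"` / `SYSCALL_GROUPING="chown fchown fchownat lchown"` for the fsetxattr values is the only real difference in ~330 lines of otherwise identical remediation text; the lchown values reappear unchanged in a later hunk of this same patch. The build that emits the datastream should order rules deterministically (for example by rule id) so that an automated publish yields an empty diff when nothing changed, otherwise real changes to the audit rules are unreviewable inside this churn. A secondary point on the script body shown here: the `|| /bin/true` after `full_rule="..."` is dead, since a variable assignment cannot fail; it is only needed on the `other_string`/`auid_string` command substitutions where `[[ ... ]]` may return non-zero under `set -e`.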
@@ -87009,6 +86503,184 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lchown + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + CCE-80693-5 - name: Gather the package facts package_facts: manager: auto 
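Review bot: the description and rationale added for the lchown rule talk about "file permission changes" and "The changing of file permissions", but lchown changes file ownership, not the mode bits; the text is copied from the permission-oriented siblings and should say ownership (the `perm_mod` key is still appropriate, since ownership is part of DAC). The closing note also carries a typo, "as identifying earlier in this guide" should read "as identified earlier in this guide", and the phrase "add the following line" is accurate here (one rule per arch) but becomes wrong where two rules follow it in the sibling xattr rules. Finally the lchown rule lists `CCI-000126` while the lremovexattr rule re-added later in this patch does not; if both rules map to the same SRGs the CCI mapping should be the same, or the difference should be intentional and documented.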
@@ -87354,200 +87026,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr - At a minimum, the audit system should collect file permission -changes for all users and root. - -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000466-GPOS-00210 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - 
SV-230413r810463_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80694-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system 
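Review bot: the new applicability check `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }` added to the lchown bash remediation is right in intent, since aarch64 has no lchown syscall and a rule naming it will fail to load, but it detects the architecture by searching the kernel release string for "aarch64". That works only because RHEL kernel versions carry the arch as a suffix; a custom or rebuilt kernel with a plain version string would pass the check and the remediation would then write a rule the kernel cannot load. Prefer `uname -m` (or `/proc/sys/kernel/arch` where present) and compare the result exactly, and make the Ansible remediation and the OVAL applicability check use the same test so scan and remediation agree. The remaining `-` lines in this hunk only remove the lremovexattr rule that is re-added verbatim later in the patch.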
@@ -87558,328 +87038,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="lremovexattr" - KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e 
"/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! -e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - - - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid=0" - SYSCALL="lremovexattr" + SYSCALL="lchown" KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + SYSCALL_GROUPING="chown fchown fchownat lchown" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
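Review bot: two fragile spots in the rule-matching logic visible in this hunk are worth a fix before the next copy of this macro gets expanded. First, the candidate filter `-e "\#$OTHER_FILTERS#!d"` is built with `OTHER_FILTERS=""` for every rule in this patch, and an empty regex in GNU sed means "reuse the last regex", so it silently degrades to repeating the `^$ACTION_ARCH_FILTERS` match; harmless here, but it should be guarded with something like `[ -n "$OTHER_FILTERS" ]` rather than relying on that behaviour. Second, the grouping edit `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#"` uses the existing rule text as an unescaped regex with `#` as the delimiter, so any rule containing `#`, `.` or other metacharacters would match the wrong line or not at all; escaping the rule text (or matching on a fixed string with `grep -F` and editing by line number) would be safer. The `-`/`+` change of `SYSCALL` and `SYSCALL_GROUPING` back to the lchown values again confirms this hunk is the other half of the rule reorder.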
@@ -88193,6 +87354,198 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000466-GPOS-00210 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + 
SV-230413r810463_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80694-3 - name: Gather the package facts package_facts: manager: auto 
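Review bot: in the added lremovexattr description, each "add the following line" is followed by two rules (the auid>=1000 variant and the auid=0 variant), so it should read "add the following lines", and "Grouping these system calls with others as identifying earlier in this guide" should be "as identified earlier in this guide". The same wording recurs in the lsetxattr, removexattr and setxattr blocks later in this patch, so the fix belongs in the shared rule template rather than in each published block. Paragraph spacing is also inconsistent across the family: this block and the removexattr block separate the augenrules and auditctl paragraphs with blank lines, while lsetxattr and setxattr run them together.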
@@ -88799,194 +88152,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - lsetxattr - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000466-GPOS-00210 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The 
changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80695-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -88998,7 +88164,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="lsetxattr" + SYSCALL="lremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -89317,7 +88483,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="lsetxattr" + SYSCALL="lremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
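Review bot: the SYSCALL retarget from "lsetxattr" to "lremovexattr" at @@ -88998 (and its auid=0 twin at @@ -89317) is not a remediation change but the tail of a block move: the lremovexattr description is inserted at @@ -88193, the lsetxattr description is deleted at @@ -88799, and the fix script between them stays in place and is merely relabelled. The same one-slot shift repeats below for lsetxattr, removexattr and setxattr. Since only the `SYSCALL=` line distinguishes the four generated fix scripts, verify in the published datastream that each CCE is paired with the right syscall (CCE-80694-3 with lremovexattr, CCE-80695-0 with lsetxattr, CCE-80696-8 with removexattr, CCE-80697-6 with setxattr) instead of trusting the hunk boundaries, and regenerate this diff with move detection so that any real change is visible.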
@@ -89633,6 +88799,193 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000466-GPOS-00210 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The 
changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80695-0 - name: Gather the package facts package_facts: manager: auto 
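Review bot: the reference set of the re-added lsetxattr rule does not match its sibling lremovexattr block at @@ -88193 even though both map to the same STIG item (RHEL-08-030200, SV-230413r810463_rule): lsetxattr carries CCI-000126 and omits SRG-APP-000499-CTR-001255, lremovexattr does the reverse, and the setxattr block at @@ -92509 additionally drops SRG-OS-000463, SRG-OS-000468, SRG-OS-000474 and SRG-APP-000496 through SRG-APP-000502 except SRG-APP-000500. If the xattr rules are meant to inherit one mapping, reconcile the per-rule reference lists in the source before the next publish; otherwise record why the coverage differs, since downstream SRG mapping tables are generated from these lists.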
@@ -90239,198 +89592,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - removexattr - At a minimum, the audit system should collect file permission -changes for all users and root. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000466-GPOS-00210 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - 
SV-230413r810463_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80696-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -90442,7 +89604,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="removexattr" + SYSCALL="lsetxattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -90761,7 +89923,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="removexattr" + SYSCALL="lsetxattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
@@ -91077,6 +90239,197 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - removexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000466-GPOS-00210 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + 
SV-230413r810463_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80696-8 - name: Gather the package facts package_facts: manager: auto 
@@ -91683,186 +91036,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - setxattr - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000466-GPOS-00210 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80697-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -91874,7 +91048,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="setxattr" + SYSCALL="removexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -92193,7 +91367,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="setxattr" + SYSCALL="removexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
@@ -92509,6 +91683,185 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - setxattr + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000466-GPOS-00210 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80697-6 - name: Gather the package facts package_facts: manager: auto 
@@ -93115,215 +92468,183 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - umount - At a minimum, the audit system should collect file system umount -changes. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. - CCI-000130 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -ACTION_ARCH_FILTERS="-a always,exit -F arch=b32" -OTHER_FILTERS="" -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="umount" -KEY="perm_mod" -SYSCALL_GROUPING="" - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e 
"/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! -e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -for audit_file in "${files_to_inspect[@]}" +for ARCH in "${RULE_ARCHS[@]}" do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="setxattr" + KEY="perm_mod" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -unset syscall_a + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -93469,11 +92790,369 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi +done + + + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid=0" + SYSCALL="setxattr" + KEY="perm_mod" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different 
delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! -e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount + At a minimum, the audit system should collect file system umount +changes. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. 
Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + - name: Gather the package facts package_facts: manager: auto 
@@ -93617,67 +93296,18 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - umount2 - At a minimum, the audit system should collect file system umount2 -changes. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. - BP28(R73) - CCI-000130 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-90776-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="umount2" - KEY="perm_mod" - SYSCALL_GROUPING="" +ACTION_ARCH_FILTERS="-a always,exit -F arch=b32" +OTHER_FILTERS="" +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="umount" +KEY="perm_mod" +SYSCALL_GROUPING="" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -93836,7 +93466,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a +unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -93982,12 +93612,54 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi -done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount2 + At a minimum, the audit system should collect file system umount2 +changes. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + BP28(R73) + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-90776-6 - name: Gather the package facts package_facts: manager: auto 
@@ -94282,65 +93954,24 @@ fi - reboot_required - restrict_strategy - - - - - - - - - - Record Execution Attempts to Run ACL Privileged Commands - At a minimum, the audit system should collect the execution of -ACL privileged commands for all users and root. - - Record Any Attempts to Run chacl - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030570 - 4.1.3.17 - SV-230464r627750_rule - Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. -Audit records can be generated from various components within the -information system (e.g., module or policy filter). - CCE-89446-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then -ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/bin/chacl -F perm=x" -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="" -KEY="privileged" -SYSCALL_GROUPING="" -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -unset syscall_a +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="umount2" + KEY="perm_mod" + SYSCALL_GROUPING="" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -94499,7 +94130,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi -unset syscall_a + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -94645,11 +94276,60 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi +done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Execution Attempts to Run ACL Privileged Commands + At a minimum, the audit system should collect the execution of +ACL privileged commands for all users and root. + + Record Any Attempts to Run chacl + At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030570 + 4.1.3.17 + SV-230464r627750_rule + Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. +Audit records can be generated from various components within the +information system (e.g., module or policy filter). + CCE-89446-9 - name: Gather the package facts package_facts: manager: auto 
@@ -94794,52 +94474,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run setfacl - At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030330 - 4.1.3.16 - SV-230435r627750_rule - Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. -Audit records can be generated from various components within the -information system (e.g., module or policy filter). - CCE-88437-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/bin/setfacl -F perm=x" +OTHER_FILTERS="-F path=/usr/bin/chacl -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -95155,6 +94794,47 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run setfacl + At a minimum, the audit system should collect any execution attempt +of the setfacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030330 + 4.1.3.16 + SV-230435r627750_rule + Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. +Audit records can be generated from various components within the +information system (e.g., module or policy filter). + CCE-88437-9 - name: Gather the package facts package_facts: manager: auto 
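Review bot: the re-added setfacl block is identical to the one removed in the previous hunk (same CCI list, RHEL-08-030330, SV-230435r627750_rule, CCE-88437-9), so the net effect of the pair is only that chacl now precedes setfacl. auditd does not care about rule order, but anything rendered from this datastream will list the rules in the new order, and a reviewer has to read two long hunks per rule to establish that nothing else changed. If the publisher can detect content-preserving moves, emitting them as a single removal/re-add per rule, or stating "rule order only" in the publish log, would make these automated commits reviewable at a glance.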
@@ -95299,140 +94979,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Record Execution Attempts to Run SELinux Privileged Commands - At a minimum, the audit system should collect the execution of -SELinux privileged commands for all users and root. - - Record Any Attempts to Run chcon - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - 
SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030260 - 4.1.3.15 - SV-230419r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80698-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x" +OTHER_FILTERS="-F path=/usr/bin/setfacl -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
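Review bot: this hunk removes the `Record Execution Attempts to Run SELinux Privileged Commands` group text together with the chcon rule, while the other members of that group (restorecon, semanage, setfiles, setsebool, seunshare) are removed in separate later hunks. Extraction has stripped the XML tags, so the hunk cannot show where the group's closing element sits; verify in the applied file that the group re-opens before chcon at its new position and still encloses all six rules, otherwise the SELinux rules end up as siblings of the ACL group instead of children of their own. The `OTHER_FILTERS` flip from `-F path=/usr/bin/chcon` to `-F path=/usr/bin/setfacl` is the same move signature as in the ACL hunks and is consistent with the setfacl description now sitting in front of this fix script.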
@@ -95748,6 +95299,135 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Execution Attempts to Run SELinux Privileged Commands + At a minimum, the audit system should collect the execution of +SELinux privileged commands for all users and root. + + Record Any Attempts to Run chcon + At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 
+ SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030260 + 4.1.3.15 + SV-230419r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80698-4 - name: Gather the package facts package_facts: manager: auto 
@@ -95902,117 +95582,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run restorecon - At a minimum, the audit system should collect any execution attempt -of the restorecon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000392-GPOS-00172 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. 
-Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80699-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/restorecon -F perm=x" +OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -96328,6 +95902,112 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run restorecon + At a minimum, the audit system should collect any execution attempt +of the restorecon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000392-GPOS-00172 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80699-2 - name: Gather the package facts package_facts: manager: auto 
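Review bot: the restorecon rule, re-added here unchanged, carries only CCI-000172 and CCI-002884 and has no STIG identifier, whereas chcon, semanage, setfiles and setsebool in the same group also map CCI-000130, CCI-000135 and CCI-000169 and carry RHEL-08-030260, RHEL-08-030313, RHEL-08-030314 and RHEL-08-030316 respectively. If restorecon is deliberately outside the STIG selection that is fine, but since this publish touches every rule in the group anyway it is a good moment to confirm the thinner mapping is intended rather than a stale reference set; the remediation itself (`-F path=/usr/sbin/restorecon -F perm=x`, `KEY="privileged"`) matches the rule text.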
@@ -96480,138 +96160,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run semanage - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - 
SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - RHEL-08-030313 - SV-230429r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80700-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/restorecon -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -96927,6 +96480,133 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run semanage + At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + 
SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + RHEL-08-030313 + SV-230429r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80700-8 - name: Gather the package facts package_facts: manager: auto 
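Review bot: semanage is the only rule in this group whose references include NERC CIP entries (`CIP-004-6 R2.2.2`, `CIP-007-3 R5.1.1`, and so on) and `AC-2(4)`; the block is moved verbatim, so there is nothing to fix in this hunk, but if the CIP mapping is meant to cover the SELinux privileged-command set as a whole, then chcon, restorecon, setfiles, setsebool and seunshare lack it and should be aligned in a content change rather than in an automated publish. Also note the SRG list is not sorted (`SRG-OS-000471-GPOS-00215` precedes `SRG-OS-000463-GPOS-00207`); harmless for the XML, but sorted reference lists would make these moved blocks easier to diff against each other.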
@@ -97083,62 +96763,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run setfiles - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000169 - CCI-000172 - CCI-002884 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - RHEL-08-030314 - SV-230430r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. 
- CCE-82280-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -97454,6 +97083,57 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run setfiles + At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000169 + CCI-000172 + CCI-002884 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + RHEL-08-030314 + SV-230430r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-82280-9 - name: Gather the package facts package_facts: manager: auto 
@@ -97606,131 +97286,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run setsebool - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - RHEL-08-030316 - SV-230432r627750_rule - Misuse 
of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80701-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -98046,6 +97606,126 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run setsebool + At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + RHEL-08-030316 + 
SV-230432r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80701-6 - name: Gather the package facts package_facts: manager: auto 
@@ -98200,47 +97880,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run seunshare - At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80933-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/seunshare -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -98556,6 +98200,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run seunshare + At a minimum, the audit system should collect any execution attempt +of the seunshare command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80933-5 - name: Gather the package facts package_facts: manager: auto 
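Review bot: with seunshare re-added here, all six SELinux rules and both ACL rules have been removed and re-inserted, and in every hunk the remediation script was context whose only diff was the `OTHER_FILTERS` path; the relative order of the six SELinux rules (chcon, restorecon, semanage, setfiles, setsebool, seunshare) is unchanged. seunshare itself carries only CCI-000172, the NIST AU-2(d)/AU-12(c)/AC-6(9)/CM-6(a) mappings and FAU_GEN.1.1.c, with no SRG or STIG identifier, so it is not part of the STIG selection that the other rules in the group serve; if that is intended, nothing further is needed, but it is worth stating in the rule rather than leaving the reader to infer it from the missing identifiers.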
@@ -98706,180 +98386,17 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Record File Deletion Events by User - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete - - Ensure auditd Collects File Deletion Events by User - At a minimum the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete - This rule checks for multiple syscalls related to file deletion; -it was written with DISA STIG in mind. 
Other policies should use a -separate rule for each syscall that needs to be checked. For example: -audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkat - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000366 - CCI-000172 - CCI-002884 - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 4.1.14 - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - CCE-80702-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then -# Perform the remediation for the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="rmdir unlink unlinkat rename renameat" - KEY="delete" - SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a +ACTION_ARCH_FILTERS="-a always,exit" +OTHER_FILTERS="-F path=/usr/sbin/seunshare -F perm=x" +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="" +KEY="privileged" +SYSCALL_GROUPING="" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -99038,7 +98555,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a +unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -99184,34 +98701,51 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi -done else >&2 echo 'Remediation is not applicable, nothing was done' fi - + - + - - Ensure auditd Collects File Deletion Events by User - rename - At a minimum, the audit system should collect file deletion events + + + Record File Deletion Events by User + At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: --a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: --a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete + + Ensure auditd Collects File Deletion Events by User + At a minimum the audit system should collect file deletion events +for all users and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete + This rule checks for multiple syscalls related to file deletion; +it was written with DISA STIG in mind. Other policies should use a +separate rule for each syscall that needs to be checked. For example: +audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkat 1 11 12 @@ -99228,6 +98762,7 @@ appropriate for your system: 7 8 9 + 5.4.1.1 APO10.01 APO10.03 APO10.04 @@ -99256,27 +98791,14 @@ appropriate for your system: MEA01.05 MEA02.01 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 CCI-000366 + CCI-000172 CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 - 4.3.3.6.5 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 @@ -99303,7 +98825,6 @@ appropriate for your system: SR 6.2 SR 7.1 SR 7.6 - A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 @@ -99314,7 +98835,6 @@ appropriate for your system: A.13.2.1 A.14.1.3 A.14.2.7 - A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 
@@ -99332,39 +98852,21 @@ appropriate for your system: DE.CM-7 ID.SC-4 PR.AC-3 - PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule + 4.1.14 Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. - - CCE-80703-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + CCE-80702-4 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then -# First perform the remediation of the syscall rule +# Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") @@ -99373,9 +98875,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="rename" + SYSCALL="rmdir unlink unlinkat rename renameat" KEY="delete" - SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" + SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
@@ -99688,6 +99190,177 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rename + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 
A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + CCE-80703-2 - name: Gather the package facts package_facts: manager: auto 
@@ -100033,178 +99706,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - renameat - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - 
A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - CCE-80704-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -100215,7 +99718,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="renameat" + SYSCALL="rename" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -100530,6 +100033,176 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - renameat + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + 
A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + CCE-80704-0 - name: Gather the package facts package_facts: manager: auto 
@@ -100872,179 +100545,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - rmdir - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - A.15.2.1 
- A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.14 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - - CCE-80705-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -101055,7 +100557,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="rmdir" + SYSCALL="renameat" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -101370,6 +100872,177 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rmdir + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 
A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.14 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + CCE-80705-7 - name: Gather the package facts package_facts: manager: auto 
@@ -101715,178 +101388,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - unlink - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - 
A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - - CCE-80706-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -101898,7 +101400,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="unlink" + SYSCALL="rmdir" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -102213,6 +101715,177 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlink + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 
A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + CCE-80706-5 - name: Gather the package facts package_facts: manager: auto 
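Review bot: the re-added description for "Ensure auditd Collects File Deletion Events by User - unlink" tells the reader to add `-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete` for b32 or b64 with no mention that the rule's own bash fix (CCE-80706-5, in the hunk above) is skipped on aarch64, where `auditctl` has no `unlink` syscall to resolve. A one-line caveat in the description, or a `<warning>` element like other rules use, that on aarch64 only the `unlinkat` rule applies would stop an administrator hand-applying this line on that platform and getting a rule auditd rejects at load time. Minor: the rationale text "as well as, detecting malicious processes" has a stray comma; since this content is generated, the fix belongs in the upstream rule source rather than in the published datastream.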
@@ -102558,178 +102231,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - unlinkat - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - 
A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - CCE-80707-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -102740,7 +102243,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="unlinkat" + SYSCALL="unlink" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
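Review bot: the `@@ -102558,178 +102231,8 @@` hunk looks like the unlinkat remediation gaining the aarch64 exclusion and switching to `-S unlink`, but that is diff alignment, not a semantic change. The `-` side removes the whole unlinkat rule including `CCE-80707-3`, and the `+ # Remediation is applicable only in certain platforms` block that follows belongs to the unlink rule (CCE-80706-5) re-added in the previous hunk; the unlinkat rule with its unguarded `rpm --quiet -q audit; then` reappears intact in the next hunk. Net effect: the unlink and unlinkat rules swap order, the guards stay attached to the right syscalls. Two asks: confirm that this reordering comes from a deliberate change to the rule list upstream rather than from non-deterministic ordering in the build, because a nondeterministic order would regenerate this kind of 170-line move on every automated publish and bury real changes; and, as with the earlier hunk, check the CCE-to-syscall pairing with a per-`<Rule>` diff so the aarch64 guard is verified against the rule id rather than against where git happened to align the lines.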
@@ -103055,6 +102558,176 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlinkat + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + 
A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + CCE-80707-3 - name: Gather the package facts package_facts: manager: auto 
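Review bot: the description of the re-added unlinkat rule (CCE-80707-3) is inconsistent with what its remediation produces. The description instructs adding a stand-alone line `-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete`, while the fix script for this rule uses `SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"` and folds `unlinkat` into an existing `key=delete` rule when one is present, yielding a single grouped rule of the form `-S unlink -S unlinkat -S rename -S renameat -S rmdir`. If the OVAL check for `SV-230439r810465_rule` accepts only one of the two shapes, systems remediated by hand from the description and systems remediated by the script will not both pass. The description should state that the grouped rule is acceptable (and is what the STIG id RHEL-08-030361, shared by all three per-syscall rules, expects), or the three rules should be collapsed into one. Also noting that this 170-line reference list is byte-identical to the unlink rule's; the only differences between the two rule entries are the title, the `-S` argument and the CCE.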
@@ -103396,6 +103069,333 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="unlinkat" + KEY="delete" + SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
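Review bot: several problems in the 333-line bash fix added in the `@@ -103396,6 +103069,333 @@` hunk. Logic: the `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"` line interpolates the matched rule verbatim as both the address and the pattern; the text is never escaped, so any `#`, `.`, `*` or `[` in an existing rule's filters breaks the match or edits the wrong line. It happens to be safe here because `OTHER_FILTERS=""`, but the same macro is instantiated elsewhere with filters such as `-F exit=-EACCES`, so the interpolation should be escaped (or the rule located by line number from the earlier `readarray` pass). Correctness: `-e "s/((:?-S [[:alnum:],]+)+)//g"` reads like a mistyped `(?:` non-capturing group; in ERE `(:?-S ...)` means "optional literal colon then `-S`", which still works by accident but will mislead the next maintainer, so it should be `((-S [[:alnum:],]+)+)`. Dead code: `full_rule="..." || /bin/true` and the other `|| /bin/true` on `$( ... )` assignments never fire. Leaked template note: "# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead" is an author comment about the Jinja macro and should not ship in the datastream. Style: `read -a syscall_a <<< $SYSCALL` is unquoted, and the ~150-line macro body is pasted twice (augenrules and auditctl branches) and then repeated per syscall rule; a shared function emitted once per datastream would shrink this file considerably. Finally, the script edits `/etc/audit/audit.rules` unconditionally, but when augenrules is the loader that file is regenerated from `rules.d` on the next `augenrules --load`, so only the `rules.d/$KEY.rules` change persists; a comment saying so would avoid confusion when the direct edit disappears.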
@@ -105194,646 +105194,6 @@ to the same event is more efficient. See the following example: these events could serve as evidence of potential system compromise. CCE-80975-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="chmod" -KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EACCES" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EPERM" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
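Review bot: the grouping edit near the end of this hunk, `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"`, interpolates the existing rule text into a sed address and an `s` pattern without escaping anything, so a regex metacharacter in the matched rule or in `$OTHER_FILTERS` (the script's own comment says other_filters may include paths, and `*`, `[`, `^`, `$` and the `#` delimiter are all legal in a path filter) either fails to match and silently leaves the file unchanged, or rewrites a different line. The same unescaped `$OTHER_FILTERS` is used in the `\#$OTHER_FILTERS#!d` selectors further up. Escape `rule_to_edit`, `rule_syscalls_to_edit` and `OTHER_FILTERS` with something like `sed 's/[][\.*^$#]/\\&/g'` before building the expression, or do the grouping edit with a fixed-string tool. Two smaller points in the same block: the `extra_fields` expression `s/((:?-S [[:alnum:],]+)+)//g` looks like an attempted `(?:` non-capturing group, which ERE does not have; as written `:?` merely permits an optional literal colon before `-S`, so it should read `s/((-S [[:alnum:],]+)+)//g`; and `full_rule="..." || /bin/true` is dead code, since a plain assignment cannot fail. `chmod o-rwx ${default_file}` should also quote the variable, as every other path in the script does.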
@@ -106464,43 +105824,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - chown - The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80984-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -106508,9 +105832,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="chown" +SYSCALL="chmod" KEY="access" -SYSCALL_GROUPING="chown fchown fchownat lchown" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
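Review bot: this hunk does not change a rule; it swaps the `SYSCALL`/`SYSCALL_GROUPING` pair of one remediation for its neighbour's (`chown` to `chmod` here, and `creat` to `chown`, `fchmod` to `creat`, `fchmodat` to `fchmod`, `fchown` to `fchmodat` in the hunks below) while the displaced rule's title, description, references and CCE identifier are deleted here and re-inserted a few hundred lines further on. In other words the rules have been reordered in the generated datastream, and the ordering of rules in the build output is evidently not stable between runs. Sort the rule and profile content deterministically when the datastream is generated so that a regeneration with no content change yields an empty diff and real changes stay visible in review. Until that is fixed, anyone reviewing this file has to line up each `-SYSCALL="x"`/`+SYSCALL="y"` pair with the moved description to confirm that every remediation still matches the rule it now sits under.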
@@ -107140,6 +106464,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - chown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80984-8 - name: Gather the package facts package_facts: manager: auto 
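Review bot: the chown rule text re-added in this hunk is inconsistent with the remediation for the same rule in the hunk above. The description tells the reader to add `-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change`, while the script sets `KEY="access"` and therefore writes `-F key=access`; a user who follows the prose and a user who runs the remediation end up with different keys, and the two cannot be grouped into one rule afterwards. `unsuccesful` is also misspelled (`unsuccessful`), and the key name speaks of a permission change although the rule title is "Record Unsuccessful Ownership Changes to Files". Either change the description to `-F key=access`, matching the creat rule below and the grouping the remediation performs, or set `KEY` to the documented value; whichever is chosen, the fchown and fchmod/fchmodat descriptions in this diff carry the same mismatch and should be changed together.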
@@ -107754,179 +107114,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - creat - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80751-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -107934,9 +107122,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="creat" +SYSCALL="chown" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chown fchown fchownat lchown" for ARCH in "${RULE_ARCHS[@]}" do 
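Review bot: the platform guard kept on both sides of this hunk, `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }`, is needed because `creat` and `chown` are not system calls on aarch64 (the fchmod, fchmodat and fchown remediations in this diff correctly omit it), but it infers the architecture from the kernel release string, which contains `aarch64` only by packaging convention. On an aarch64 host whose kernel release string lacks that suffix the script would append `-S chown` to the rules file, which auditctl rejects with a syscall lookup error and, unless loading is configured to continue past errors, stops loading the remaining rules of that file. Test the architecture directly, e.g. `[ "$(uname -m)" != "aarch64" ]`; the script already calls `getconf LONG_BIT` two lines later to pick `RULE_ARCHS`, so `uname -m` is the natural companion check.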
@@ -108566,6 +107754,178 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - creat + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80751-1 - name: Gather the package facts package_facts: manager: auto 
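Review bot: the creat description re-added in this hunk states the same four rule lines twice, once for augenrules and once for auditctl, whereas the chown, fchmod, fchmodat and fchown descriptions in this diff state them once and say where to place them depending on the loader; pick one layout for the whole family. The closing sentence, "Grouping these system calls with others as identifying earlier in this guide is more efficient", should read "as identified", and unlike the sibling descriptions it does not show the grouped form that the remediation actually writes (`SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"` elsewhere in this diff). Add the grouped example, e.g. `-a always,exit -F arch=b32 -S creat,ftruncate,truncate,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access`, so the prose matches what the script produces on a remediated system.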
@@ -109220,52 +108580,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fchmod - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80977-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchmod" +SYSCALL="creat" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -109895,6 +109220,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fchmod + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80977-2 - name: Gather the package facts package_facts: manager: auto 
@@ -110520,42 +109880,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fchmodat - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80976-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -110563,7 +109888,7 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchmodat" +SYSCALL="fchmod" KEY="access" SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" 
@@ -111195,6 +110520,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fchmodat + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80976-4 - name: Gather the package facts package_facts: manager: auto 
@@ -111820,42 +111180,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - fchown - The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80986-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -111863,9 +111188,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchown" +SYSCALL="fchmodat" KEY="access" -SYSCALL_GROUPING="chown fchown fchownat lchown" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -112495,6 +111820,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - fchown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80986-3 - name: Gather the package facts package_facts: manager: auto 
@@ -113104,42 +112464,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - fchownat - The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80985-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -113147,7 +112472,7 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchownat" +SYSCALL="fchown" KEY="access" SYSCALL_GROUPING="chown fchown fchownat lchown" 
@@ -113779,6 +113104,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - fchownat + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80985-5 - name: Gather the package facts package_facts: manager: auto 
@@ -114388,42 +113748,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fremovexattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80978-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! 
-f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -114431,9 +113756,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fremovexattr" +SYSCALL="fchownat" KEY="access" -SYSCALL_GROUPING="" +SYSCALL_GROUPING="chown fchown fchownat lchown" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -115063,6 +114388,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fremovexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80978-0 - name: Gather the package facts package_facts: manager: auto 
@@ -115640,42 +115000,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fsetxattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80979-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -115683,9 +115008,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fsetxattr" +SYSCALL="fremovexattr" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -116315,6 +115640,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fsetxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80979-8 - name: Gather the package facts package_facts: manager: auto 
@@ -116940,181 +116300,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - ftruncate - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80752-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -117122,9 +116308,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="ftruncate" +SYSCALL="fsetxattr" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -117754,6 +116940,180 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - ftruncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80752-9 - name: Gather the package facts package_facts: manager: auto 
@@ -118403,57 +117763,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - lchown - The audit system should collect unsuccessful file ownership change -attempts for all users and root. - -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. - --a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80987-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="lchown" +SYSCALL="ftruncate" KEY="access" -SYSCALL_GROUPING="chown fchown fchownat lchown" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -119083,6 +118403,46 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - lchown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80987-1 - name: Gather the package facts package_facts: manager: auto 
@@ -119697,52 +119057,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - lremovexattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80980-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="lremovexattr" +SYSCALL="lchown" KEY="access" -SYSCALL_GROUPING="" +SYSCALL_GROUPING="chown fchown fchownat lchown" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -120372,6 +119697,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - lremovexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80980-6 - name: Gather the package facts package_facts: manager: auto 
@@ -120949,42 +120309,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - lsetxattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80981-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -120992,9 +120317,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="lsetxattr" +SYSCALL="lremovexattr" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="" for ARCH in "${RULE_ARCHS[@]}" do 
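Review bot: after the swap the lremovexattr body runs with `SYSCALL_GROUPING=""`, so the remediation can only ever append a standalone `-S lremovexattr` line and never folds it into an existing `-S removexattr,...` rule, unlike the lchown body (`chown fchown fchownat lchown`) and the lsetxattr body (`chmod fchmod fchmodat fsetxattr lsetxattr setxattr`) in this same patch; setting it to `removexattr lremovexattr fremovexattr` would let the three removal calls share one rule per arch and exit code, which is what the descriptions' "grouping is more efficient" note recommends. The lsetxattr description removed here is re-added byte-for-byte in the next hunk, so this pair is a pure reorder and should be checked only for the remediation variable swap.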
@@ -121624,6 +120949,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - lsetxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80981-4 - name: Gather the package facts package_facts: manager: auto 
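Review bot: this 41-line block is identical to the one deleted in the previous hunk, so the change is a move, not an edit; the automated publish turns a no-content change into a 130k-line diff for each datastream because rule order in the build output is not stable. Sorting rules deterministically (by id) in the build would make these publishes reviewable and make real changes to a rule visible. Same content issue as the lremovexattr description: `-F key=unsuccesful-perm-change` is misspelled and differs from the `KEY="access"` the remediation writes, and the grouping example shows only the `-EACCES` rule, so a reader following it may drop the `-EPERM` twin.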
@@ -122249,192 +121609,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - open - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80753-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="open" +SYSCALL="lsetxattr" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
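Review bot: the aarch64 guard is dropped from this `if` line as the body's `SYSCALL` changes from `open` to `lsetxattr`, which is right for lsetxattr, but it means the guard is tied to the body's position in the file rather than to the rule; confirm that the body that receives `SYSCALL="open"` further down picks the guard back up, otherwise the reorder silently changes which rules are skipped on aarch64. The `open` description removed here has the same defect that will be re-added in the next hunk: its auditctl section repeats the four augenrules lines verbatim, and its closing sentence reads "as identifying earlier in this guide" where "as identified earlier in this guide" is meant.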
@@ -123064,6 +122249,181 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - open + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80753-7 - name: Gather the package facts package_facts: manager: auto 
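Review bot: the added `open` description gives no applicability note for aarch64 even though the remediation for `open` in this patch is guarded with `! ( grep -q aarch64 /proc/sys/kernel/osrelease )`; the description should state the same limitation so that a reader on that architecture understands why the remediation reports "not applicable". Presentation is also inconsistent with the neighbouring open_by_handle_at description: here the auditctl block just repeats the four augenrules lines, there the auditctl block uses a grouped `-S open_by_handle_at,truncate,ftruncate` form. Given `SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"`, the grouped form is what remediation actually produces, so it is the better one to show in both. "as identifying earlier in this guide" should read "as identified earlier in this guide".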
@@ -123718,185 +123078,15 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - open_by_handle_at - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.10 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80755-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="open_by_handle_at" +SYSCALL="open" KEY="access" SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" 
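Review bot: in the removed open_by_handle_at description the augenrules lines (`-S open_by_handle_at` alone) and the auditctl lines (`-S open_by_handle_at,truncate,ftruncate`) differ, yet `augenrules` merely concatenates `/etc/audit/rules.d/*.rules` into `/etc/audit/audit.rules`, so the two variants must produce the same rules; the block is re-added unchanged below, so the inconsistency survives the move and should be fixed at the source. The guard added to this `if` line as the body becomes `SYSCALL="open"` restores what the lsetxattr swap removed, so the net aarch64 behaviour is unchanged; `SYSCALL_GROUPING` stays `creat ftruncate truncate open openat open_by_handle_at`, which is correct for `open`.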
@@ -124528,6 +123718,176 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - open_by_handle_at + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.10 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80755-2 - name: Gather the package facts package_facts: manager: auto 
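Review bot: the added open_by_handle_at description maps to the same STIG identifiers as the `open` rule (`RHEL-08-030420`, `SV-230449r810455_rule`) but to a different CIS reference (`4.1.10` here against `4.1.3.7` for `open`), which looks like cross-references taken from two different CIS benchmark revisions; both rules implement the same STIG requirement and should cite the same CIS section. The augenrules and auditctl rule lines in this block still disagree (`-S open_by_handle_at` versus `-S open_by_handle_at,truncate,ftruncate`) as noted on the removed copy above, and the hunk is otherwise a byte-identical move.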
@@ -125178,6 +124538,646 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="open_by_handle_at" +KEY="access" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EPERM" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
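Review bot: the grouping step at the end of each arch iteration, `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"`, interpolates the existing rule text into a sed address and pattern without escaping, so any regex metacharacter that reaches `$OTHER_FILTERS` or `$AUID_FILTERS` (a `.`, `*`, `[`, or a `#` colliding with the delimiter) would silently change which line gets edited; escape the variables before building the expression, or record the matching line number when `similar_rules` is collected and address by number. Two smaller points in the same block: `full_rule="..." || /bin/true` is a no-op, since a plain assignment cannot fail, and the comments still read "than check if there was any field left over" and "an exsiting rule" (then, existing). Finally, the second pass appends to `/etc/audit/audit.rules`, a file that `augenrules --load` regenerates from `rules.d`, so on a host that uses augenrules that appended line does not survive the next load; a comment saying the auditctl and augenrules passes are deliberately both run would help the next reader.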
@@ -125343,57 +125343,6 @@ to the same event is more efficient. See the following example: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. CCE-80965-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
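Review bot: the bash fix removed here from CCE-80965-7 reappears byte-for-byte in the `+125423` hunk that follows, after the Ansible fix's `restrict_strategy` tag, so this pair of hunks only reorders the rule's fix elements and changes no content; nothing in the hunk says why the order changed. If the generator now emits Ansible before bash on purpose, a one-line note in the build output would save reviewers from diffing the two 57-line blocks by hand to confirm they match.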
@@ -125474,6 +125423,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F 
auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
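Review bot: the applicability guard at the top of the re-added fix, `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then`, has no architecture check, yet the rules it writes use `-S open` and `-S creat` for both `arch=b32` and `arch=b64`; those syscalls do not exist on aarch64 (only `openat`, `open_by_handle_at` and the truncate calls do), so auditctl cannot parse those lines there and, without `-c`, stops loading at the first bad rule. The sibling fix for CCE-80968-1 in the `-126154` hunk below carries `&& { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }` for exactly this reason; the same guard, or a per-architecture split of the `open`/`creat` lines, should apply here and to CCE-80966-5.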
@@ -125639,57 +125639,6 @@ to the same event is more efficient. See the following example: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. CCE-80966-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
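Review bot: same reorder as for CCE-80965-7; the block removed here from CCE-80966-5 reappears unchanged in the `+125719` hunk that follows. Since this rule, CCE-80965-7 and CCE-80968-1 all write the identical `/etc/audit/rules.d/30-ospp-v42-remediation.rules` via `cat <<EOF >` (which truncates the file), the three fixes are only safe because they are exact copies of one snapshot; a comment in the heredoc header stating that, so a later edit to one copy is mirrored in the others, would prevent the three from drifting apart.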
@@ -125770,6 +125719,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F 
auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
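Review bot: the `key=` values written by this fix are misspelled throughout (`unsuccesful-create`, `unsuccesful-modification`, `unsuccesful-access`, one `s`); the header comment says the content is a verbatim 2019-03-11 snapshot of upstream `30-ospp-v42.rules`, so the spelling is inherited, but any search or alert that looks for `key=unsuccessful-*` will miss every event these rules produce. Either keep the upstream spelling and say so in the comment, or correct it consistently in the fix and in whatever check evaluates the key. The same header also has "retreived" for "retrieved".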
@@ -126154,57 +126154,6 @@ to the same event is more efficient. See the following example: these events could serve as evidence of potential system compromise. CCE-80968-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
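Review bot: The remediation script removed in this hunk is byte-identical to the block re-added at `@@ -126286,6 +126235,57 @@` (same platform guard, same heredoc into /etc/audit/rules.d/30-ospp-v42-remediation.rules, same rule lines), so the hunk reorders the fix elements of CCE-80968-1 rather than changing the remediation, and the commit message gives no reason for the reorder. If the generator does not emit fix elements in a stable order, every automated publish will produce this churn and bury real content changes in a 131k-line diff; the fix belongs in the build (deterministic element ordering), not in the committed datastream. One thing to record while the block is being re-added verbatim: the audit keys are spelled `unsuccesful-create`, `unsuccesful-modification` and `unsuccesful-access` (one "s"), matching the upstream 30-ospp-v42.rules snapshot; an analyst running `ausearch -k unsuccessful-access` gets nothing, so document the spelling rather than correcting it silently, because existing detection filters key on it.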
@@ -126286,6 +126235,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a 
always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate 
-F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
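Review bot: The platform guard `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }` deserves a comment stating why 64-bit ARM is excluded: the `-S open` and `-S creat` rules in this file cannot be loaded there because those syscalls do not exist in the arm64 syscall table, so without the guard auditctl would reject the rules file on those hosts. The guard also depends on the kernel release string containing the architecture, which holds for Red Hat kernels but is not a general property of `osrelease`; `uname -m` answers the question directly and would make the exclusion robust if this script is reused outside RHEL.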
@@ -126448,57 +126448,6 @@ to the same event is more efficient. See the following example: these events could serve as evidence of potential system compromise. CCE-80969-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
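Review bot: Same reordering as the CCE-80968-1 hunk above; the removed block reappears unchanged at `@@ -126580,6 +126529,57 @@`. Worth noting for both rules: CCE-80968-1 and CCE-80969-9 ship identical remediation scripts that each overwrite the same file, `/etc/audit/rules.d/30-ospp-v42-remediation.rules`, with `cat <<EOF >`. That is harmless today because the contents match, but if the two rules are ever edited independently the rule remediated last wins and the other silently loses its fix. Single-sourcing the heredoc from one template, or giving each rule its own file name, removes the hazard; at minimum each script should carry a comment saying the file is shared.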
@@ -126580,6 +126529,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a 
always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate 
-F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
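Review bot: The re-added script writes the rules file and stops: nothing runs `augenrules --load` or restarts auditd, so the rules are not in effect until the next reload, and the `no_reboot_needed` tag in the context above should not be read as "effective immediately"; either add the load step or state in the rule description that a service reload is required. It also creates the file with whatever mode the caller's umask yields, whereas the CCE-80754-5 script in the later hunk explicitly does `chmod 0640` on a newly created rules file and `chmod o-rwx` after appending; a `chmod 0640 /etc/audit/rules.d/30-ospp-v42-remediation.rules` after the heredoc would make the two remediations consistent.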
@@ -126974,646 +126974,6 @@ calls with others as identifying earlier in this guide is more efficient.Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. CCE-80754-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="openat" -KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EACCES" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EPERM" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
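Review bot: the grouping branch near the end of this macro runs `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"` with the existing rule text interpolated verbatim into a sed address and search pattern, so a `#`, `.`, `*` or `[` inside a matched rule alters the regex instead of being matched literally; escape regex metacharacters in both variables before use, or locate the line by its `-F key=` value instead of its full text. Related: `-e "\#$OTHER_FILTERS#!d"` becomes the empty regex `\##!d` whenever OTHER_FILTERS is unset, which sed interprets as "reuse the last regex"; it only works here because the preceding expression is `/^$ACTION_ARCH_FILTERS/`, so guard the empty case explicitly rather than relying on that. Style: `chmod o-rwx ${default_file}` is the one unquoted expansion in a block that writes `"$default_file"` everywhere else, and the comments carry the typos `exsiting`, `than check` and `more fields then required`.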
@@ -128263,882 +127623,37 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Creation Attempts to Files - openat O_CREAT - The audit system should collect unauthorized file accesses for -all users and root. The openat syscall can be used to create new files -when O_CREAT flag is specified. + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then -The following auidt rules will asure that unsuccessful attempts to create a -file via openat syscall are collected. +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="openat" +KEY="access" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. 
- --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000392-GPOS-00172 - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80962-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. - -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F 
arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80962-4 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_creat - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Add unsuccessful file operations audit rules - blockinfile: - path: /etc/audit/rules.d/30-ospp-v42-remediation.rules - create: true - block: |- - ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. - ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - - ## The purpose of these rules is to meet the requirements for Operating - ## System Protection Profile (OSPP)v4.2. These rules depends on having - ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- - ## Unsuccessful file creation (open with O_CREAT) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - ## Unsuccessful file modifications (open for write or truncate) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - ## Unsuccessful file access (any other opens) This has to go last. 
- -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80962-4 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_creat - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - - - - - - - - - Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE - The audit system should collect detailed unauthorized file accesses for -all users and root. The openat syscall can be used to modify files -if called for write operation of with O_TRUNC_WRITE flag. - -The following auidt rules will asure that unsuccessful attempts to modify a -file via openat syscall are collected. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. 
- --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - 
A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000392-GPOS-00172 - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80963-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80963-2 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_trunc_write - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Add unsuccessful file operations audit rules - blockinfile: - path: /etc/audit/rules.d/30-ospp-v42-remediation.rules - create: true - block: |- - ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. - ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - - ## The purpose of these rules is to meet the requirements for Operating - ## System Protection Profile (OSPP)v4.2. These rules depends on having - ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- - ## Unsuccessful file creation (open with O_CREAT) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - ## Unsuccessful file modifications (open for write or truncate) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - ## Unsuccessful file access (any other opens) This has to go last. 
- -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80963-2 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_trunc_write - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - - - - - - - - - Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly - The audit system should collect detailed unauthorized file -accesses for all users and root. -To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access -of files via openat syscall the audit rules collecting these events need to be in certain order. -The more specific rules need to come before the less specific rules. The reason for that is that more -specific rules cover a subset of events covered in the less specific rules, thus, they need to come -before to not be overshadowed by less specific rules, which match a bigger set of events. -Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. 
-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), check the order of -rules below in a file with suffix .rules in the directory -/etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, check the order of rules below in -/etc/audit/audit.rules file. - --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - 
APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000392-GPOS-00172 - The more specific rules cover a subset of events covered by the less specific rules. -By ordering them from more specific to less specific, it is assured that the less specific -rule will not catch events better recorded by the more specific rule. - CCE-80964-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. 
-## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. - -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S 
openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - - - - - - - - Record Unsuccessful Permission Changes to Files - removexattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. 
Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80982-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="removexattr" -KEY="access" -SYSCALL_GROUPING="" - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EACCES" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: 
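Review bot: the removals in this hunk look like a relocation rather than a real deletion, so the first thing to verify is that nothing changed in transit. The `audit_rules_unsuccessful_file_modification_openat_o_trunc_write` Ansible task (CCE-80963-2) and the openat ordering rule (CCE-80964-0) are dropped here, the same CCE-80963-2 block reappears verbatim as `+` lines in the following hunk, and the trailing `-read -a syscall_a <<< $SYSCALL` / `+read -a syscall_a <<< $SYSCALL` pair shows the diff tool resynchronising in the middle of the removexattr remediation. Diffing a canonicalised, rule-order-independent rendering of the two datastreams would confirm that the automated publish only reordered content. One inconsistency is worth carrying to wherever the removexattr content lands: its description and grouping example promise `-F key=unsuccesful-perm-change`, but the bash remediation sets `SYSCALL="removexattr"` with `KEY="access"`, so the rule it writes will not carry the key the text documents; either make the description match the generated key or set `KEY="unsuccesful-perm-change"`.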
@@ -129748,85 +128263,930 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT + The audit system should collect unauthorized file accesses for +all users and root. The openat syscall can be used to create new files +when O_CREAT flag is specified. + +The following auidt rules will asure that unsuccessful attempts to create a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ CCE-80962-4 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80982-2 + - CCE-80962-4 + - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_unsuccessful_file_modification_removexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_creat - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit removexattr tasks - set_fact: - audit_arch: b64 +- name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80982-2 + - CCE-80962-4 + - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_unsuccessful_file_modification_removexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_creat - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then -- name: Perform remediation of Audit rules for removexattr EACCES for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - removexattr - syscall_grouping: [] - - - name: Check existence of removexattr in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' +## Unsuccessful file modifications (open for write or 
truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 +## Unsuccessful file access (any other opens) This has to go last. 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF - - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + The audit system should collect detailed unauthorized file accesses for +all users and root. The openat syscall can be used to modify files +if called for write operation of with O_TRUNC_WRITE flag. + +The following auidt rules will asure that unsuccessful attempts to modify a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. 
+ +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + 
A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80963-2 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80963-2 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80963-2 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + The audit system should collect detailed unauthorized file +accesses for all users and root. +To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access +of files via openat syscall the audit rules collecting these events need to be in certain order. +The more specific rules need to come before the less specific rules. The reason for that is that more +specific rules cover a subset of events covered in the less specific rules, thus, they need to come +before to not be overshadowed by less specific rules, which match a bigger set of events. +Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), check the order of +rules below in a file with suffix .rules in the directory +/etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, check the order of rules below in +/etc/audit/audit.rules file. 
+ +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 
164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + The more specific rules cover a subset of events covered by the less specific rules. +By ordering them from more specific to less specific, it is assured that the less specific +rule will not catch events better recorded by the more specific rule. + CCE-80964-0 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Unsuccessful Permission Changes to Files - removexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. 
Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80982-2 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80982-2 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80982-2 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for removexattr EACCES for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - removexattr + syscall_grouping: [] + + - name: Check existence of removexattr in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + 
loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 
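Review bot: the description of "Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE" in this hunk refers to an "O_TRUNC_WRITE flag", which is not an open(2) flag; the filter the rules actually apply is `-F a2&01003`, the octal mask O_WRONLY (01) | O_RDWR (02) | O_TRUNC (01000), so the sentence should read "if called for a write operation or with the O_TRUNC flag". The same paragraph has "auidt rules will asure" (audit, assure) and the blockinfile/heredoc header has "retreived" (retrieved); all of this is rendered into the guide verbatim. Further down, the grouping example in the removexattr description lists chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr but leaves out removexattr itself (and lremovexattr/fremovexattr), so the example does not illustrate grouping for the syscall the rule is about; suggest `-S removexattr,lremovexattr,fremovexattr,setxattr,lsetxattr,fsetxattr` or similar.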
@@ -130325,172 +129685,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - rename - The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80973-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="rename" +SYSCALL="removexattr" KEY="access" -SYSCALL_GROUPING="rename renameat unlink unlinkat" +SYSCALL_GROUPING="" for ARCH in "${RULE_ARCHS[@]}" do 
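Review bot: the removexattr remediation in this hunk sets `KEY="access"` and `SYSCALL_GROUPING=""`, while the rule's description earlier in the patch shows `-F key=unsuccesful-perm-change` and states that grouping related syscalls is more efficient; the remediated rule will therefore carry a different key from the documented one and will not be grouped with lremovexattr/fremovexattr. The check regex `(-k\s+|-F\s+key=)\S+\s*$` accepts any key, so compliance still passes, but an operator following the description and searching the log by `unsuccesful-perm-change` will not find these events. Either pass the documented key through KEY or document that the key is implementation-defined.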
@@ -131120,6 +130325,161 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - rename + The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80973-1 - name: Gather the package facts package_facts: manager: auto 
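Review bot: in the re-added rename description, the rule lines use `key=unsuccessful-delete` but the grouping example at the end uses `key=unsuccesful-delete`, so a reader copying both ends up with two differently spelled keys for the same event class; pick the correctly spelled form for the whole rule. Minor wording in the same note: "placed independent of other system calls" should be "placed independently of other system calls". The block is otherwise byte-identical to the one removed in the previous hunk, so this is a pure reordering with no behavioural change.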
@@ -131752,171 +131112,15 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - renameat - -The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80974-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="renameat" +SYSCALL="rename" KEY="access" SYSCALL_GROUPING="rename renameat unlink unlinkat" 
@@ -132548,6 +131752,162 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - renameat + +The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80974-9 - name: Gather the package facts package_facts: manager: auto 
@@ -133175,42 +132535,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - setxattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80983-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -133218,9 +132543,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="setxattr" +SYSCALL="renameat" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="rename renameat unlink unlinkat" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -133850,6 +133175,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - setxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80983-0 - name: Gather the package facts package_facts: manager: auto 
@@ -134475,181 +133835,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - truncate - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80756-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -134657,9 +133843,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="truncate" +SYSCALL="setxattr" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -135289,6 +134475,180 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - truncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80756-0 - name: Gather the package facts package_facts: manager: auto 
@@ -135938,176 +135298,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - unlink - -The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80971-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="unlink" +SYSCALL="truncate" KEY="access" -SYSCALL_GROUPING="rename renameat unlink unlinkat" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -136737,6 +135938,165 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - unlink + +The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80971-5 - name: Gather the package facts package_facts: manager: auto 
@@ -137369,173 +136729,15 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - unlinkat - -The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80972-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="unlinkat" +SYSCALL="unlink" KEY="access" SYSCALL_GROUPING="rename renameat unlink unlinkat" 
@@ -138167,6 +137369,164 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - unlinkat + +The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80972-3 - name: Gather the package facts package_facts: manager: auto 
@@ -138794,180 +138154,24 @@ fi - reboot_required - restrict_strategy - - - - - - - - - - Record Information on Kernel Modules Loading and Unloading - To capture kernel module loading and unloading events, use following lines, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules - - -Place to add the lines depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the lines to file /etc/audit/audit.rules. - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - To capture kernel module loading and unloading events, use following lines, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules - - -The place to add the lines depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the lines to file /etc/audit/audit.rules. 
- 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.2.7 - 4.1.15 - The addition/removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80709-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system -# Note: 32-bit and 64-bit kernel syscall numbers not always line up => -# it's required on a 64-bit system to check also for the presence -# of 32-bit's equivalent of the corresponding rule. 
-# (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="unlinkat" +KEY="access" +SYSCALL_GROUPING="rename renameat unlink unlinkat" + for ARCH in "${RULE_ARCHS[@]}" do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - - SYSCALL="init_module finit_module delete_module" - KEY="modules" - SYSCALL_GROUPING="init_module finit_module delete_module" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
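Review bot: the `-` side of this hunk drops the comment explaining why `RULE_ARCHS` carries `b32` on a 64-bit host (32-bit and 64-bit syscall numbers do not line up, see `man 7 audit.rules`) while the `+` side keeps the `[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")` line that comment documented; the comment should travel with that line in every generated remediation, otherwise a reader who removes the b32 rule as redundant stops seeing 32-bit callers. Apart from that, this hunk is relocation: the 180 removed lines of the kernel-modules group are re-added unchanged at `@@ -139278,6 +138794,157 @@`, and only the `SYSCALL="unlinkat"` / `SYSCALL_GROUPING="rename renameat unlink unlinkat"` header for the unsuccessful-delete rule is new here. The description for that rule shows only `-F exit=-EACCES`, whereas the remediation later in this diff loops over both `-F exit=-EACCES` and `-F exit=-EPERM`; the description should show the EPERM line as well.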
@@ -139126,7 +138330,319 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e 
"\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ 
-z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EPERM" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
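Review bot: the comment table at the top of each expansion ("Tool used to load audit rules | auditctl ... | augenrules") implies the script detects which loader is in use, but nothing does: the first expansion unconditionally appends to `/etc/audit/audit.rules` (`files_to_inspect+=('/etc/audit/audit.rules' )`) and the second unconditionally edits `/etc/audit/rules.d/*.rules`, so on the default augenrules setup the line appended to `audit.rules` is overwritten the next time `augenrules --load` regenerates that file. Say so in the "Perform the remediation for both possible tools" comment instead of implying a choice is made. Since `KEY="access"`, the file created when no matching rule exists is `/etc/audit/rules.d/access.rules`, which nobody reading the description (key `unsuccesful-delete`) will expect; the `chmod 0640` on that new file versus `chmod o-rwx` on `audit.rules` is fine but could be one helper. Two typos in comments are worth fixing in the macro source so they stop being copied into every rule: "more fields then required" / "than check if there was any field left over" (then and than swapped) and "exsiting rule".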
@@ -139278,6 +138794,157 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Information on Kernel Modules Loading and Unloading + To capture kernel module loading and unloading events, use following lines, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules + + +Place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules. + + Ensure auditd Collects Information on Kernel Module Loading and Unloading + To capture kernel module loading and unloading events, use following lines, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules + + +The place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules. 
+ 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.2.7 + 4.1.15 + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80709-9 - name: Gather the package facts package_facts: manager: auto 
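Review bot: the group description's example rule `-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules` omits `finit_module`, while the rule description right after it (and the rule's remediation, `SYSCALL="init_module finit_module delete_module"` in the next hunk) includes it; kmod's modprobe and insmod load modules through `finit_module(2)` on current kernels, so a rule built from the group text would record almost no real module loads. Add `finit_module` to the group example, or drop the example from the group and point at the rule. While this text is being touched: "use following lines", "Place to add the lines depends on a way auditd daemon is configured" and "a file with suffix .rules" read awkwardly; "use the following lines", "Where to add the lines depends on how the auditd daemon is configured" and "a file whose name ends in .rules" would do.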
@@ -139620,36 +139287,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on Kernel Module Unloading - create_module - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: --a always,exit -F arch=ARCH -S create_module -F key=module-change - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. - CCI-000172 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - 4.1.3.19 - The removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - - CCE-88435-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system 
@@ -139661,15 +139300,16 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- for ARCH in "${RULE_ARCHS[@]}" do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="" - SYSCALL="create_module" - KEY="module-change" - SYSCALL_GROUPING="" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + + SYSCALL="init_module finit_module delete_module" + KEY="modules" + SYSCALL_GROUPING="init_module finit_module delete_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -139828,7 +139468,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
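Review bot: the second sub-hunk (`@@ -139828,7 +139468,7 @@`) changes only the indentation of `unset syscall_a`, and the same indentation-only delta shows up in several other hunks of this publish (`- unset syscall_a` / `+ unset syscall_a`, `- # Remediation is applicable` / `+ # Remediation is applicable`); the macro emits its first `unset` and its first comment at a different indent from the rest of the block, so normalising that in the template would take this noise out of every future diff. The rule swap in the first sub-hunk (create_module out, `init_module finit_module delete_module` with `AUID_FILTERS="-F auid>=1000 -F auid!=unset"` in) is relocation, matching the blocks added and removed elsewhere in this patch.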
@@ -139979,6 +139619,49 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Unloading - create_module + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +-a always,exit -F arch=ARCH -S create_module -F key=module-change + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + CCI-000172 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + 4.1.3.19 + The removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + + CCE-88435-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20create_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20create_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-create.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -140269,183 +139952,8 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20create_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20create_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-create.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Unloading - delete_module - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules - - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - SRG-APP-000495-CTR-001235 - SRG-APP-000504-CTR-001280 - RHEL-08-030390 - 4.1.3.19 - SV-230446r627750_rule - The removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80711-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -140459,12 +139967,11 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" - - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - - SYSCALL="delete_module" - KEY="modules" - SYSCALL_GROUPING="delete_module" + AUID_FILTERS="" + SYSCALL="create_module" + KEY="module-change" + SYSCALL_GROUPING="" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
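Review bot: the bash remediation for this rule guards on `! ( grep -q aarch64 /proc/sys/kernel/osrelease )`, but the MachineConfig for the same rule writes `-S create_module` for b32 and b64 unconditionally into `/etc/audit/rules.d/75-kernel-module-loading-create.rules`; `create_module(2)` has no syscall number on aarch64, `auditctl` rejects a syscall name it cannot resolve for the given arch, and `auditctl -R` stops at the first bad line unless `-c` is in effect, so on an arm64 node this file can take the rest of the rule set down with it. The MachineConfig needs the same platform restriction as the bash. Also, the title says "Kernel Module Unloading - create_module" and the rationale talks about "removal of kernel modules", but create_module was the pre-2.6 module-creation call, not an unload, and it is unimplemented on every kernel this content targets; if the rule is kept for benchmark alignment the text should at least not describe it as an unload. Minor: this rule uses `AUID_FILTERS=""` where its sibling init/finit/delete rules use `-F auid>=1000 -F auid!=unset`, and `-k module-change` in the MachineConfig versus `-F key=module-change` in the description is the same thing written two ways.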
@@ -140776,6 +140283,181 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules + + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + 
PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-APP-000495-CTR-001235 + SRG-APP-000504-CTR-001280 + RHEL-08-030390 + 4.1.3.19 + SV-230446r627750_rule + The removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80711-5 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules + overwrite: true - name: Gather the package facts package_facts: 
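Review bot: the MachineConfig for this rule writes `-a always,exit -F arch=b64 -S delete_module -k module-change` with no auid filter, while the description and the bash remediation (`KEY="modules"`, `AUID_FILTERS="-F auid>=1000 -F auid!=unset"`) produce `-S delete_module -F auid>=1000 -F auid!=unset -F key=modules`; the two remediations for one rule therefore yield rules with different keys and different scope, and `ausearch -k modules` on an OpenShift node misses exactly the events this rule exists to capture. Align the MachineConfig on `key=modules` and the auid filters, or state in the description that the OCP variant deliberately audits every caller, daemons included, under a different key. The file name `75-kernel-module-loading-delete.rules` is also a small misnomer for an unload rule.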
@@ -141099,182 +140781,7 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - --a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules - If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: - --a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 
164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - SRG-APP-000495-CTR-001235 - SRG-APP-000504-CTR-001280 - RHEL-08-030360 - 4.1.3.19 - SV-230438r810464_rule - The addition/removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80712-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -141292,9 +140799,9 @@ do AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="finit_module" + SYSCALL="delete_module" KEY="modules" - SYSCALL_GROUPING="init_module finit_module" + SYSCALL_GROUPING="delete_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
@@ -141606,6 +141113,181 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + +-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules + If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: + +-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + 
A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-APP-000495-CTR-001235 + SRG-APP-000504-CTR-001280 + RHEL-08-030360 + 4.1.3.19 + SV-230438r810464_rule + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80712-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -141937,182 +141619,7 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Loading - init_module - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules - - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - SRG-APP-000495-CTR-001235 - SRG-APP-000504-CTR-001280 - RHEL-08-030360 - 4.1.3.19 - SV-230438r810464_rule - The addition of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80713-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -142130,7 +141637,7 @@ do AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="init_module" + SYSCALL="finit_module" KEY="modules" SYSCALL_GROUPING="init_module finit_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -142444,6 +141951,181 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading - init_module + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules + + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + 
PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-APP-000495-CTR-001235 + SRG-APP-000504-CTR-001280 + RHEL-08-030360 + 4.1.3.19 + SV-230438r810464_rule + The addition of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80713-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-init.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -142775,48 +142457,8 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-init.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules -If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: --a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules - 4.1.3.19 - The addition/removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - - CCE-88748-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -142830,10 +142472,12 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="query_module" + + SYSCALL="init_module" KEY="modules" - SYSCALL_GROUPING="init_module query_module" + SYSCALL_GROUPING="init_module finit_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping @@ -143146,6 +142790,31 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module + If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules +If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: +-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules + 4.1.3.19 + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + + CCE-88748-9 - name: Gather the package facts package_facts: manager: auto 
@@ -143450,6 +143119,337 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +# Note: 32-bit and 64-bit kernel syscall numbers not always line up => +# it's required on a 64-bit system to check also for the presence +# of 32-bit's equivalent of the corresponding rule. +# (See `man 7 audit.rules` for details ) +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="query_module" + KEY="modules" + SYSCALL_GROUPING="init_module query_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -144175,151 +144175,6 @@ edits of files involved in storing logon events: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80718-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - - -var_accounts_passwords_pam_faillock_dir='' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - 
sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -144535,6 +144390,151 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +var_accounts_passwords_pam_faillock_dir='' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. 
Append it at the end of $audit_rules_file file + # with proper key + + echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
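Review bot: The watched path is empty as rendered here (`var_accounts_passwords_pam_faillock_dir=''`) and nothing in the script guards against that. With an empty value the anchored check `grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}"` matches any existing watch rule in the file, and the fallback `echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins"` appends `-w  -p wa -k logins`, which is not a watch on the intended directory. If the value is meant to be substituted from the datastream variable before execution, say so in a comment next to the assignment; either way a check right after it, such as `[ -n "$var_accounts_passwords_pam_faillock_dir" ] || { >&2 echo 'faillock dir not set'; exit 1; }`, turns a silent misfire into a visible failure.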
@@ -144699,149 +144699,6 @@ edits of files involved in storing logon events: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80719-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
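Review bot: Diff noise rather than a content change: the bash block removed here is re-added byte for byte in the next hunk of this file (`@@ -145050,6 +144907,149 @@`), and the `/var/log/tallylog` script further down is moved the same way. Nothing in the remediation logic differs between the two copies, so the 143-line churn per rule comes from the order in which the generator emits the bash and Ansible fixes inside each Rule. If that ordering is not meant to change between publishes it should be made deterministic, because this much movement makes a real edit to these scripts very hard to spot in an automated publish.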
@@ -145050,6 +144907,149 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
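Review bot: The access-bit extraction in `current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" ...)` has a stray literal space between the path and `$sp\+`, so it only matches a rule with at least two whitespace characters between `/var/log/lastlog` and `-p`. For the usual single-space form, e.g. `-w /var/log/lastlog -p rwa -k logins`, the extraction returns nothing, the loop builds `wa` from an empty mask, and the following `sed -i` (whose pattern has no such space and does match) rewrites the rule to `-p wa`, silently dropping the existing `r`. Remove the space so the two patterns agree (`-w$sp\+/var/log/lastlog$sp\+-p$sp\+`); the same mismatch is present in every copy of this script in the patch.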
@@ -145199,149 +145199,6 @@ edits of files involved in storing logon events: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80720-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -145542,6 +145399,149 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
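Review bot: The path match is not bounded after `/var/log/tallylog` in either grep, and the rules.d discovery `grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules` is additionally unanchored, which produces two wrong outcomes. A watch on a longer path sharing this prefix passes the anchored in-loop check, the `sed -ne` extraction then finds no `-p` after the exact path, `sed -i` matches nothing, and the `else` branch that would append the rule is never reached, so the tallylog watch is silently left missing. A file that mentions the path only in a commented-out line is selected by the unanchored discovery grep, fails the anchored in-loop check, and receives the appended rule instead of `/etc/audit/rules.d/logins.rules`. Using `^[\s]*-w[\s]+/var/log/tallylog(\s|$)` in both places fixes both; the unquoted `$(echo $match | cut -f1 -d ':')` would also mis-split a file name containing `:`, though that is unlikely under rules.d.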
@@ -145571,6 +145571,148 @@ form to /etc/audit/audit.rules: AU-12(c) SRG-OS-000477-GPOS-00222 Misuse of the init command may cause availability issues for the system. + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_init + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/init + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + 
set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ 
audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_init + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -145891,31 +146033,54 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts - package_facts: - manager: auto - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_init - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/init - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - poweroff + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-12(c) + SRG-OS-000477-GPOS-00222 + Misuse of the poweroff command may cause availability issues for the system. 
+ - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_poweroff + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/poweroff + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -145960,8 +146125,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -145970,8 +146135,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -145986,7 +146151,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -146005,7 +146170,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -146015,8 +146180,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -146026,36 +146191,13 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - NIST-800-53-AU-12(c) - - audit_privileged_commands_init + - audit_privileged_commands_poweroff - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - poweroff - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - AU-12(c) - SRG-OS-000477-GPOS-00222 - Misuse of the poweroff command may cause availability issues for the system. # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -146376,19 +146518,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - reboot + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-12(c) + SRG-OS-000477-GPOS-00222 + Misuse of the reboot command may cause availability issues for the system. + - name: Gather the package facts package_facts: manager: auto tags: - NIST-800-53-AU-12(c) - - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/poweroff +- name: Perform remediation of Audit rules for /usr/sbin/reboot block: - name: Declare list of syscalls @@ -146400,7 +146565,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -146445,7 +146610,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -146455,8 +146620,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -146471,7 +146636,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -146490,7 +146655,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -146500,8 +146665,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -146511,36 +146676,13 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - NIST-800-53-AU-12(c) - - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - reboot - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - AU-12(c) - SRG-OS-000477-GPOS-00222 - Misuse of the reboot command may cause availability issues for the system. # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -146860,148 +147002,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_reboot - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/reboot - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - 
when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S 
|,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_reboot - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -147026,6 +147026,148 @@ form to /etc/audit/audit.rules: AU-12(c) SRG-OS-000477-GPOS-00222 Misuse of the shutdown command may cause availability issues for the system. + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_shutdown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/shutdown + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to 
/etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in 
{{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_shutdown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -147345,148 +147487,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_shutdown - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/shutdown - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: 
audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ 
audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_shutdown - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -147677,6 +147677,174 @@ Privileged programs are subject to escalation-of-privilege attacks, which attemp their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80724-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set + List of Mount Points Which Permits Execution of Privileged Commands + ansible.builtin.set_fact: + privileged_mount_points: '{{(ansible_facts.mounts | rejectattr(''options'', ''search'', + ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'') | map(attribute=''mount'') + | list ) }}' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search + for Privileged Commands in Eligible Mount Points + ansible.builtin.shell: + cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null + register: result_privileged_commands_search + changed_when: false + failed_when: false + with_items: '{{ privileged_mount_points }}' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not 
in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set + List of Privileged Commands Found in Eligible Mount Points + ansible.builtin.set_fact: + privileged_commands: '{{( result_privileged_commands_search.results | map(attribute=''stdout_lines'') + | select() | list ) | sum(start=[]) }}' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged + Commands are Present in the System + block: + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure + Rules for All Privileged Commands in augenrules Format + ansible.builtin.lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset + -F key=privileged + regexp: ^.*path={{ item | regex_escape() }} .*$ + create: true + with_items: + - '{{ privileged_commands }}' + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure + Rules for All Privileged Commands in auditctl Format + ansible.builtin.lineinfile: + path: /etc/audit/audit.rules + line: -a 
always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset + -F key=privileged + regexp: ^.*path={{ item | regex_escape() }} .*$ + create: true + with_items: + - '{{ privileged_commands }}' + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Search + for Duplicated Rules in Other Files + ansible.builtin.find: + paths: /etc/audit/rules.d + recurse: false + contains: ^-a always,exit -F path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ privileged_commands }}' + register: result_augenrules_files + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure + Rules for Privileged Commands are Defined Only in One File + ansible.builtin.lineinfile: + path: '{{ item.1.path }}' + regexp: ^-a always,exit -F path={{ item.0.item }} .*$ + state: absent + with_subelements: + - '{{ result_augenrules_files.results }}' + - files + when: + - item.1.path != '/etc/audit/rules.d/privileged.rules' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - privileged_commands is defined + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
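Review bot: in the task "Search for Privileged Commands in Eligible Mount Points", `{{ item }}` is interpolated unquoted into `ansible.builtin.shell` as `find {{ item }} -xdev -perm /6000 -type f 2>/dev/null`; the items are mount points taken from `ansible_facts.mounts`, so a mount point containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being passed as one path. Quote it (`find {{ item | quote }} -xdev -perm /6000 -type f`) or switch to `ansible.builtin.command` with an `argv` list. In the same hunk, the duplicate-rule search `contains: ^-a always,exit -F path={{ item }} .*$` and the cleanup `regexp: ^-a always,exit -F path={{ item.0.item }} .*$` interpolate the path without `regex_escape()`, while the `lineinfile` task two steps earlier does escape it (`regexp: ^.*path={{ item | regex_escape() }} .*$`); apply `regex_escape()` in all three places so a path with regex metacharacters is matched literally and the three patterns agree on what counts as a duplicate.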
@@ -148004,174 +148172,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set - List of Mount Points Which Permits Execution of Privileged Commands - ansible.builtin.set_fact: - privileged_mount_points: '{{(ansible_facts.mounts | rejectattr(''options'', ''search'', - ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'') | map(attribute=''mount'') - | list ) }}' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search - for Privileged Commands in Eligible Mount Points - ansible.builtin.shell: - cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null - register: result_privileged_commands_search - changed_when: false - failed_when: false - with_items: '{{ privileged_mount_points }}' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - 
NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set - List of Privileged Commands Found in Eligible Mount Points - ansible.builtin.set_fact: - privileged_commands: '{{( result_privileged_commands_search.results | map(attribute=''stdout_lines'') - | select() | list ) | sum(start=[]) }}' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged - Commands are Present in the System - block: - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure - Rules for All Privileged Commands in augenrules Format - ansible.builtin.lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset - -F key=privileged - regexp: ^.*path={{ item | regex_escape() }} .*$ - create: true - with_items: - - '{{ privileged_commands }}' - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure - Rules for All Privileged Commands in auditctl Format - ansible.builtin.lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset - -F key=privileged - regexp: ^.*path={{ item | regex_escape() }} .*$ - create: 
true - with_items: - - '{{ privileged_commands }}' - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Search - for Duplicated Rules in Other Files - ansible.builtin.find: - paths: /etc/audit/rules.d - recurse: false - contains: ^-a always,exit -F path={{ item }} .*$ - patterns: '*.rules' - with_items: - - '{{ privileged_commands }}' - register: result_augenrules_files - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure - Rules for Privileged Commands are Defined Only in One File - ansible.builtin.lineinfile: - path: '{{ item.1.path }}' - regexp: ^-a always,exit -F path={{ item.0.item }} .*$ - state: absent - with_subelements: - - '{{ result_augenrules_files.results }}' - - files - when: - - item.1.path != '/etc/audit/rules.d/privileged.rules' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - privileged_commands is defined - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed 
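Review bot: this removal is the same Ansible block, tag list included, that the hunk at `@@ -147677,6 +147677,174 @@` adds (174 lines against 6 lines of context in both headers); the CCE-80724-8 remediation has only moved from after the bash remediation to before it, so nothing about the rule changed. An automated publish should not emit pure moves like this: sort a rule's remediation entries in a fixed order when generating the data stream, so that consecutive publishes differ only where content differs and the remaining hunks can actually be reviewed.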
@@ -148209,6 +148209,156 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80988-9 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80988-9 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/bin/at + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | 
last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ 
syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (?:-k + |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80988-9 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
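Review bot: the two "Add the audit rule to {{ audit_file }}" tasks set `line:` and `state: present` but no `regexp:`, so `lineinfile` suppresses only an exact duplicate of that line. Because `syscalls: []` and `syscall_grouping: []` are both empty for this path-based rule, `loop: '{{ (syscall_grouping + syscalls) | unique }}'` runs zero iterations, `find_command.results` is empty, `syscalls_found` is always empty and the "Replace the audit rule" task can never fire; an existing rule for /usr/bin/at written in the equivalent `-k privileged` form (the form the unused `contains` pattern `(-k\s+|-F\s+key=)\S+\s*$` was written to accept), or placed in another `*.rules` file, is therefore not detected and a second rule for the same path is appended. Give the add tasks a `regexp:` anchored on `-F path=/usr/bin/at -F perm=x` (the `audit_rules_privileged_commands` remediation earlier in this patch does this with `regexp: ^.*path={{ item | regex_escape() }} .*$`), and drop the syscall-grouping scaffolding that cannot execute for a path rule. Minor: the task name "Check existence of in /etc/audit/rules.d/" has an empty variable slot after "of".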
@@ -148529,23 +148679,153 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chage + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + 
SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030250 + SV-230418r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80725-5 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80988-9 + - CCE-80725-5 + - DISA-STIG-RHEL-08-030250 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_at + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/at +- name: Perform remediation of Audit rules for /usr/bin/chage block: - name: Declare list of syscalls @@ -148557,7 +148837,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -148602,8 +148882,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -148612,7 +148892,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -148628,7 +148908,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -148647,8 +148927,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (?:-k - |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -148657,7 +148937,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -148667,145 +148947,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80988-9 + - CCE-80725-5 + - DISA-STIG-RHEL-08-030250 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_at + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - chage - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 
- A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030250 - SV-230418r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80725-5 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
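Review bot: the `-`/`+` pairs in these hunks (`CCE-80988-9` to `CCE-80725-5`, `/usr/bin/at` to `/usr/bin/chage`, `audit_rules_privileged_commands_at` to `audit_rules_privileged_commands_chage`) are not edits to either rule; the diff aligned the `at` remediation against the `chage` one because the chage title, description, references and `CCE-80725-5` identifier moved from after the remediation content (removed at `@@ -148667,145 +148947,21 @@`) to before it (added at `@@ -148529,23 +148679,153 @@`), the same ordering churn as the first hunk of this file. Separately, the description presents the two locations as alternatives ("If the auditd daemon is configured to use the augenrules program ... (the default), add a line ... in the directory /etc/audit/rules.d" and "If ... configured to use the auditctl utility ..., add a line ... to /etc/audit/audit.rules"), but the remediation runs both blocks unconditionally: the second block sets `audit_file="/etc/audit/audit.rules"` with no check on how auditd loads rules. Under augenrules, audit.rules is regenerated from rules.d at daemon start, so that write is overwritten; under auditctl the rules.d write is inert. Either state in the description that both files are written, or gate the second block on the rule-loading mode.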
@@ -149126,26 +149282,149 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + 
SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030410 + SV-230448r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80726-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80725-5 - - DISA-STIG-RHEL-08-030250 + - CCE-80726-3 + - DISA-STIG-RHEL-08-030410 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/chage +- name: Perform remediation of Audit rules for /usr/bin/chsh block: - name: Declare list of syscalls @@ -149157,7 +149436,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -149202,7 +149481,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -149212,7 +149491,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -149228,7 +149507,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -149247,7 +149526,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -149257,7 +149536,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -149267,144 +149546,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80725-5 - - DISA-STIG-RHEL-08-030250 + - CCE-80726-3 + - DISA-STIG-RHEL-08-030410 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - chsh - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - 
A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030410 - SV-230448r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80726-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
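Review bot: the `find` pattern and the `lineinfile` replace pattern in the chsh hunks disagree on what a key looks like: `contains: ... (-k\s+|-F\s+key=)\S+\s*$` accepts any non-blank key, while `regexp: ... (?:-k |-F key=)\w+)` only matches `\w+`, so a key containing a hyphen, which auditd accepts, is found by the search but not matched by the replace; use the same character class (`\S+`) in both, or `\w+` in both with a comment that hyphenated keys are not handled. The same `\S+`/`\w+` pair appears in the at, chage and crontab remediations in this patch, so fix it in the generating template rather than in each rule. The remainder of this region (`@@ -149126,26 +149282,149 @@` adding the chsh title, description and references, `@@ -149267,144 +149546,21 @@` removing them) is again the content moved ahead of its remediation, not a change to the rule.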
@@ -149725,26 +149881,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - crontab + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030400 + SV-230447r627750_rule + Misuse of privileged functions, either intentionally or 
unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80727-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80726-3 - - DISA-STIG-RHEL-08-030410 + - CCE-80727-1 + - DISA-STIG-RHEL-08-030400 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/chsh +- name: Perform remediation of Audit rules for /usr/bin/crontab block: - name: Declare list of syscalls @@ -149756,7 +150025,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -149801,8 +150070,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -149811,7 +150080,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -149827,7 +150096,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -149846,7 +150115,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -149856,7 +150125,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -149866,135 +150135,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80726-3 - - DISA-STIG-RHEL-08-030410 + - CCE-80727-1 + - DISA-STIG-RHEL-08-030400 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - 
A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030400 - SV-230447r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80727-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
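Review bot: this publish is emitting ordering churn rather than content changes, and that should be fixed in the datastream build rather than committed. In the -149725/+149881 through -149866/+150135 hunks the crontab rule description and its Ansible tasks (CCE-80727-1, tags `DISA-STIG-RHEL-08-030400`, `audit_rules_privileged_commands_crontab`) are deleted from after the crontab bash remediation and re-inserted verbatim before it, so each rule's fix elements now render as description, Ansible, bash instead of description, bash, Ansible; the `-` and `+` copies of the title, references, rationale and remediation logic are identical. The visible hunks alone move several hundred lines without changing a single rule. Suggest sorting the per-rule fix elements deterministically (for example by fix `system` then `id`) before rendering the datastream, or normalising fix order before the publish diff, so a publish only touches lines whose content actually changed.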
@@ -150315,25 +150469,151 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + 
SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030370 + SV-230444r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80728-9 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80727-1 - - DISA-STIG-RHEL-08-030400 + - CCE-80728-9 + - DISA-STIG-RHEL-08-030370 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/crontab +- name: Perform remediation of Audit rules for /usr/bin/gpasswd block: - name: Declare list of syscalls @@ -150345,7 +150625,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -150390,7 +150670,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -150400,7 +150680,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -150416,7 +150696,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -150435,7 +150715,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -150445,7 +150725,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -150455,145 +150735,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80727-1 - - DISA-STIG-RHEL-08-030400 + - CCE-80728-9 + - DISA-STIG-RHEL-08-030370 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - 
A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030370 - SV-230444r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80728-9 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
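Review bot: the reference metadata of the three sibling `audit_rules_privileged_commands_*` rules in this region is inconsistent, and the reorder carries that forward unchanged. The gpasswd rule (RHEL-08-030370, CCE-80728-9) re-added at +150469 and the chsh rule (RHEL-08-030410, CCE-80726-3) above it both list CIP-004-6 R2.2.2/R2.2.3, CIP-007-3 R.1.3/R5/R5.1.1/R5.1.3/R5.2.1/R5.2.3 and NIST AC-2(4), and gpasswd additionally carries FAU_GEN.1.1.c and SRG-APP-000029-CTR-000085, whereas the crontab rule (RHEL-08-030400, CCE-80727-1) between them carries none of those even though its description, rationale and remediation are otherwise the same text; the crontab Ansible tags correspondingly lack `NIST-800-53-AC-2(4)`. If the omission is intentional it should be documented in the rule source; otherwise the crontab references should be aligned with its siblings.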
@@ -150913,162 +151069,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80728-9 - - DISA-STIG-RHEL-08-030370 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/bin/gpasswd - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: 
found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls 
| difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80728-9 - - DISA-STIG-RHEL-08-030370 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
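Review bot: the Ansible remediation removed at -150913 (and re-added unchanged earlier in the file) never detects an existing rule for a path-only watch. `syscalls` and `syscall_grouping` are both set to `[]`, so the `find` task whose `contains:` regex looks for `-F path=/usr/bin/gpasswd ... (-k\s+|-F\s+key=)\S+` loops over an empty list and is skipped, `syscalls_found` is therefore always empty, and the block always falls through to the `Add the audit rule` task. That `lineinfile` uses a literal `line:` match with no `regexp:`, so a pre-existing equivalent rule written with `-k privileged` (the form the skipped regex was written to accept) or living in any file other than `/etc/audit/rules.d/privileged.rules` is not recognised and a second rule is appended. Suggest running the existence check with a single sentinel loop item, or using a dedicated `lineinfile` with `regexp:` for the no-syscall case, so the check actually executes before the append.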
@@ -151123,147 +151123,6 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter). CCE-89455-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "x" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/modules.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/bin/kmod" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/modules.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/modules.rules" - # If the modules.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "x" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -151464,6 +151323,147 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "x" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/modules.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/bin/kmod" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/modules.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/modules.rules" + # If the modules.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "x" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
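Review bot: the `sed -ne` extraction of `current_access_bits` in the `if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod"` branch cannot match a rule written with a single space, because the pattern reads `/usr/bin/kmod $sp\+-p` (a literal space followed by `$sp\+`, i.e. at least two whitespace characters), while the later `sed -i` rewrite uses `/usr/bin/kmod$sp\+-p` and does match a single space. For an existing line such as `-w /usr/bin/kmod -p wa -k modules` the extraction returns an empty string, the loop over `$(echo "x" | grep -o .)` turns that into `x`, and the `sed -i` then overwrites `wa` with `x`, silently dropping the access bits that were already configured instead of merging them as the comments describe. Suggest removing the stray space so both expressions use `/usr/bin/kmod$sp\+-p$sp\+`. Two smaller points in the same hunk: `rulesd_audit_file=$(echo $match | cut -f1 -d ':')` should quote `"$match"`, and the `grep -HP "[\s]*-w[\s]+/usr/bin/kmod" /etc/audit/rules.d/*.rules` that selects files to inspect is unanchored, so a commented-out rule (`# -w /usr/bin/kmod ...`) would be taken as "rule already defined" and the real rule would then be appended to that file rather than to `modules.rules`; anchoring it with `^` as the later `grep -q -P` does would keep the two checks consistent.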
@@ -151514,6 +151514,158 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80989-7 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80989-7 + - DISA-STIG-RHEL-08-030300 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/bin/mount + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() 
| sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing 
syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80989-7 + - DISA-STIG-RHEL-08-030300 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
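Review bot: in the `Perform remediation of Audit rules for /usr/bin/mount` block, `syscalls` and `syscall_grouping` are both declared as `[]`, so `loop: '{{ (syscall_grouping + syscalls) | unique }}'` on the two `find` tasks has no items and the search never runs; `syscalls_found` is therefore always empty, the `Replace the audit rule in {{ audit_file }}` task (guarded by `syscalls_found | length > 0`) is unreachable, and the only live path is `Add the audit rule to {{ audit_file }}`. That task uses `lineinfile` with `line:` and `state: present` but no `regexp:`, so it only recognises an exact textual match: a host that already carries the equivalent rule in the `-k privileged` form (the form the unused `find` regexp `(-k\s+|-F\s+key=)\S+` was written to accept) gets a second, duplicate `-F key=privileged` rule appended to `/etc/audit/rules.d/privileged.rules` and to `/etc/audit/audit.rules`. Suggest either giving the `Add` task a `regexp:` that matches `-F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k |-F key=)\S+` so the existing line is replaced in place, or dropping the syscall-grouping machinery from this path-based template altogether, since none of it can execute with empty lists. Minor: the task names `Check existence of in /etc/audit/rules.d/` and `Check existence of in /etc/audit/audit.rules` are missing the subject between "of" and "in".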
@@ -151834,24 +151986,69 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-80991-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80989-7 - - DISA-STIG-RHEL-08-030300 + - CCE-80991-3 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/mount +- name: Perform remediation of Audit rules for /usr/bin/newgidmap block: - name: Declare list of syscalls @@ -151863,7 +152060,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -151908,8 +152105,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -151918,8 +152115,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -151934,7 +152131,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -151953,7 +152150,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -151963,8 +152160,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -151973,64 +152170,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80989-7 - - DISA-STIG-RHEL-08-030300 + - CCE-80991-3 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. 
- -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80991-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
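Review bot: the hunks in this region do not change content, they move it. The `@@ -151834,24 +151986,69 @@` hunk inserts the complete `Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap` rule (title, description, the CCI/CIP/NIST/FAU_GEN references, rationale and `CCE-80991-3`) ahead of the mount playbook, and the `@@ -151973,64 +152170,19 @@` hunk deletes the identical element a few hundred lines further down; the intervening hunks are the same one-token edits (`mount` to `newgidmap`, `CCE-80989-7` to `CCE-80991-3`, `DISA-STIG-RHEL-08-030300` dropped, `NIST-800-53-AC-2(4)` added) that fall out of git aligning two neighbouring, near-identical playbooks once the rule element between them has shifted. The same pattern repeats for newgrp and newuidmap in the following hunks. That makes every automated publish a six-figure-line diff that is impossible to review for real changes to the checks or remediations. Suggest making the datastream build emit rules and their remediations in a deterministic order (for example sorted by rule id) before publishing, so the published diff is empty when nothing has changed and shows only genuine edits otherwise.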
@@ -152351,24 +152503,151 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + 
SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030350 + SV-230437r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80729-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80991-3 + - CCE-80729-7 + - DISA-STIG-RHEL-08-030350 + - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgidmap + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/newgidmap +- name: Perform remediation of Audit rules for /usr/bin/newgrp block: - name: Declare list of syscalls @@ -152380,7 +152659,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -152425,8 +152704,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -152435,8 +152714,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -152451,7 +152730,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -152470,7 +152749,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -152480,8 +152759,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -152490,144 +152769,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80991-3 + - CCE-80729-7 + - DISA-STIG-RHEL-08-030350 + - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgidmap + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - newgrp - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000169 - CCI-000135 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - 
A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030350 - SV-230437r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80729-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -152948,26 +153104,69 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-80992-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80729-7 - - DISA-STIG-RHEL-08-030350 - - NIST-800-171-3.1.7 + - CCE-80992-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_newuidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/newgrp +- name: Perform remediation of Audit rules for /usr/bin/newuidmap block: - name: Declare list of syscalls @@ -152979,7 +153178,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -153024,8 +153223,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -153034,8 +153233,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -153050,7 +153249,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -153069,7 +153268,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -153079,8 +153278,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -153089,66 +153288,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80729-7 - - DISA-STIG-RHEL-08-030350 - - NIST-800-171-3.1.7 + - CCE-80992-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_newuidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. 
- -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80992-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -153468,158 +153620,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80992-1 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newuidmap - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/bin/newuidmap - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with 
syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: 
Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80992-1 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newuidmap - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -153738,6 +153738,162 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80730-5 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80730-5 + - DISA-STIG-RHEL-08-030340 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pam_timestamp_check + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/pam_timestamp_check + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most 
syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: 
syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80730-5 + - DISA-STIG-RHEL-08-030340 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pam_timestamp_check + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
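Review bot: In the pam_timestamp_check remediation added by the hunk at 153738, `syscalls: []` and `syscall_grouping: []` make `loop: '{{ (syscall_grouping + syscalls) | unique }}'` on both "Check existence" tasks iterate over nothing, so `find_command.results` is empty, `syscalls_found` is always empty, neither "Replace the audit rule" task can ever fire, and the "Add the audit rule" task always runs. That task's `lineinfile` carries no `regexp`, so it only recognises the exact rendered line `-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`; an equivalent rule already present with `-k privileged` (which the never-executed `contains` pattern `(-k\s+|-F\s+key=)\S+\s*$` was written to accept) is appended a second time to /etc/audit/rules.d/privileged.rules. For a path-only rule the syscall-grouping machinery is dead code: give the add task a `regexp` anchored on `-F path=/usr/sbin/pam_timestamp_check -F perm=x` so an existing rule is rewritten in place, and fill in the task name "Check existence of in /etc/audit/rules.d/", where the syscall placeholder renders empty.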
@@ -154058,25 +154214,151 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - passwd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + 
SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030290 + SV-230422r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80731-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80730-5 - - DISA-STIG-RHEL-08-030340 + - CCE-80731-3 + - DISA-STIG-RHEL-08-030290 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/pam_timestamp_check +- name: Perform remediation of Audit rules for /usr/bin/passwd block: - name: Declare list of syscalls @@ -154088,8 +154370,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -154134,8 +154415,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check - -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -154144,8 +154425,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -154160,8 +154441,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -154180,8 +154460,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -154190,8 +154470,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -154200,145 +154480,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80730-5 - - DISA-STIG-RHEL-08-030340 + - CCE-80731-3 + - DISA-STIG-RHEL-08-030290 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - 
A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030290 - SV-230422r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80731-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
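Review bot: The hunks at 154058 and 154200 are a move, not a content change: the passwd Rule body (title, description, the CCI/SRG references and CCE-80731-3) that is removed with `-` at 154200 is re-added unchanged with `+` at 154058, and the pam_timestamp_check Ansible fix removed at 154058 is the one re-added after its description at 153738; the same swap repeats for newuidmap (153468), postdrop (154659/154800) and postqueue (155249/155389). The only real difference is that the Ansible fix now precedes the bash fix inside every rule, where previously the bash fix came first. The publisher should serialise fix elements in a fixed order (or pin the generator that orders them) so the datastream diff shows only real changes; as committed, every rule churns and a genuine edit to one of these audit-rule remediations would be buried in the reorder noise.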
@@ -154659,26 +154815,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030311 + SV-230427r627750_rule + Misuse of privileged functions, either intentionally or 
unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80732-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80731-3 - - DISA-STIG-RHEL-08-030290 + - CCE-80732-1 + - DISA-STIG-RHEL-08-030311 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/passwd +- name: Perform remediation of Audit rules for /usr/sbin/postdrop block: - name: Declare list of syscalls @@ -154690,7 +154959,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -154735,8 +155004,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -154745,8 +155014,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -154761,7 +155030,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -154780,7 +155049,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -154790,8 +155059,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -154800,135 +155069,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80731-3 - - DISA-STIG-RHEL-08-030290 + - CCE-80732-1 + - DISA-STIG-RHEL-08-030311 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - postdrop - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 
- A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030311 - SV-230427r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80732-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -155249,25 +155403,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030312 + SV-230428r627750_rule + Misuse of privileged functions, either intentionally 
or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80733-9 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80732-1 - - DISA-STIG-RHEL-08-030311 + - CCE-80733-9 + - DISA-STIG-RHEL-08-030312 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/postdrop +- name: Perform remediation of Audit rules for /usr/sbin/postqueue block: - name: Declare list of syscalls @@ -155279,7 +155547,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -155324,7 +155592,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -155334,7 +155602,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -155350,7 +155618,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -155369,7 +155637,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -155379,7 +155647,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -155389,134 +155657,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80732-1 - - DISA-STIG-RHEL-08-030311 + - CCE-80733-9 + - DISA-STIG-RHEL-08-030312 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - postqueue - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - 
A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030312 - SV-230428r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80733-9 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
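Review bot: this hunk deletes the whole "Ensure auditd Collects Information on the Use of Privileged Commands - postqueue" rule (CCE-80733-9, RHEL-08-030312) that the preceding hunks re-create by rewriting the postdrop block in place, so the net change to the datastream is a relocation of the block, not a change to its content. A generator that emits rules in a stable order (for example sorted by rule id) would turn this into an empty diff and make real content changes reviewable instead of burying them in six-figure line counts; if the reorder is intentional, the commit message should say why.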
@@ -155837,25 +155991,123 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80734-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80733-9 - - DISA-STIG-RHEL-08-030312 + - CCE-80734-7 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_pt_chown - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/postqueue +- name: Perform remediation of Audit rules for /usr/libexec/pt_chown block: - name: Declare list of syscalls @@ -155867,7 +156119,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -155912,7 +156164,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -155922,8 +156174,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -155938,7 +156190,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -155957,7 +156209,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -155967,8 +156219,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -155977,119 +156229,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80733-9 - - DISA-STIG-RHEL-08-030312 + - CCE-80734-7 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_pt_chown - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000135 - CCI-000172 - CCI-002884 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000042-GPOS-00020 - 
SRG-OS-000392-GPOS-00172 - SRG-OS-000471-GPOS-00215 - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80734-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
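Review bot: the pt_chown play is gated only on `"audit" in ansible_facts.packages` and the virtualization type, never on whether `/usr/libexec/pt_chown` actually exists on the target, so a rule for a path that may not be present is written to `/etc/audit/rules.d/privileged.rules` regardless. Add a `stat` on the path and condition the block on `result.stat.exists` (or state in the rule description that the watch is intended to be loaded even when the binary is absent), and apply the same guard to the shell remediation, which likewise only checks `rpm --quiet -q audit`.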
@@ -156410,24 +156562,61 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Any Attempts to Run ssh-agent + At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030280 + SV-230421r627750_rule + Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. + +Audit records can be generated from various components within the +information system (e.g., module or policy filter). 
+ CCE-85944-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80734-7 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pt_chown + - CCE-85944-7 + - DISA-STIG-RHEL-08-030280 + - audit_rules_privileged_commands_ssh_agent - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/libexec/pt_chown +- name: Perform remediation of Audit rules for /usr/bin/ssh-agent block: - name: Declare list of syscalls @@ -156439,7 +156628,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -156484,7 +156673,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -156494,8 +156683,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
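Review bot: the key in the guidance and the key in the remediation disagree. The description for RHEL-08-030280 tells the reader to add `-k privileged-ssh-agent`, but the "Add the audit rule to {{ audit_file }}" task writes `-F key=privileged`, so a system configured exactly as the description says will not hold the line the remediation produces. Pick one key for both. Note also that the "Replace the audit rule" regexp ends in `(?:-k |-F key=)\w+`, which cannot match a hyphenated key such as `privileged-ssh-agent`, while the `find` task's `(-k\s+|-F\s+key=)\S+\s*$` accepts it; the two patterns should agree, and `\S+` is the safer choice.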
@@ -156510,7 +156699,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -156529,7 +156718,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -156539,8 +156728,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -156549,60 +156738,15 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80734-7 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pt_chown + - CCE-85944-7 + - DISA-STIG-RHEL-08-030280 + - audit_rules_privileged_commands_ssh_agent - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run ssh-agent - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030280 - SV-230421r627750_rule - Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. - -Audit records can be generated from various components within the -information system (e.g., module or policy filter). 
- CCE-85944-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -156922,150 +157066,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85944-7 - - DISA-STIG-RHEL-08-030280 - - audit_rules_privileged_commands_ssh_agent - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/bin/ssh-agent - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: 
audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ 
audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-85944-7 - - DISA-STIG-RHEL-08-030280 - - audit_rules_privileged_commands_ssh_agent - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -157183,6 +157183,162 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80735-4 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80735-4 + - DISA-STIG-RHEL-08-030320 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/libexec/openssh/ssh-keysign + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most 
syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: 
syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80735-4 + - DISA-STIG-RHEL-08-030320 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
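Review bot: the existence check in this block is a no-op. `syscalls` and `syscall_grouping` are both declared as `[]`, so `loop: '{{ (syscall_grouping + syscalls) | unique }}'` iterates over nothing, `find_command.results` is always empty, `syscalls_found` and `found_paths` are always empty, `audit_file` always falls back to `/etc/audit/rules.d/privileged.rules`, and the "Replace the audit rule" tasks can never run. Every invocation therefore goes straight to "Add the audit rule", which only de-duplicates on an exact line match, so an existing rule for `/usr/libexec/openssh/ssh-keysign` that uses a different key (for example `-k privileged`) is left in place and a second rule is appended next to it. For path-only rules, run the `find` once without the syscall loop (or loop over a one-element sentinel) so the match/replace branch is actually exercised.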
@@ -157503,25 +157659,144 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - su + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-0003 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + 
SRG-APP-000499-CTR-001255 + RHEL-08-030190 + SV-230412r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80736-2 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80735-4 - - DISA-STIG-RHEL-08-030320 + - CCE-80736-2 + - DISA-STIG-RHEL-08-030190 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/libexec/openssh/ssh-keysign +- name: Perform remediation of Audit rules for /usr/bin/su block: - name: Declare list of syscalls @@ -157533,8 +157808,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
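Review bot: the su rule's reference list added in the first hunk contains `SRG-OS-000064-GPOS-0003`, whose GPOS suffix has four digits while every other SRG-OS identifier in the same list (and in the other rules in this diff) has five; this looks like a truncated identifier and should be checked against the source SRG mapping before it is published. Same remark as for the other rules on the `(?:-k |-F key=)\w+` replace pattern versus the `\S+` find pattern in the second hunk: both should accept the same key syntax.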
@@ -157579,8 +157853,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign - -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -157589,8 +157863,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -157605,8 +157879,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -157625,8 +157898,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (?:-k + |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -157635,8 +157908,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -157645,139 +157918,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80735-4 - - DISA-STIG-RHEL-08-030320 + - CCE-80736-2 + - DISA-STIG-RHEL-08-030190 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - su - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 
- A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000064-GPOS-0003 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030190 - SV-230412r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80736-2 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -158098,25 +158252,144 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + BP28(R19) + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + 
RHEL-08-030550 + SV-230462r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80737-0 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80736-2 - - DISA-STIG-RHEL-08-030190 + - CCE-80737-0 + - DISA-STIG-RHEL-08-030550 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/su +- name: Perform remediation of Audit rules for /usr/bin/sudo block: - name: Declare list of syscalls @@ -158128,7 +158401,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -158173,8 +158446,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -158183,7 +158456,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -158199,7 +158472,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -158218,8 +158491,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (?:-k - |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -158228,7 +158501,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -158238,139 +158511,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80736-2 - - DISA-STIG-RHEL-08-030190 + - CCE-80737-0 + - DISA-STIG-RHEL-08-030550 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - sudo - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - BP28(R19) - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 
- A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030550 - SV-230462r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80737-0 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -158691,25 +158845,137 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + Misuse of privileged functions, either intentionally or unintentionally by 
+authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80738-8 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80737-0 - - DISA-STIG-RHEL-08-030550 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/sudo +- name: Perform remediation of Audit rules for /usr/bin/sudoedit block: - name: Declare list of syscalls @@ -158721,7 +158987,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -158766,8 +159032,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -158776,8 +159042,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -158792,7 +159058,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -158811,7 +159077,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -158821,8 +159087,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -158831,133 +159097,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80737-0 - - DISA-STIG-RHEL-08-030550 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - 
AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80738-8 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -159278,24 +159430,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - umount + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + RHEL-08-030301 + SV-230424r627750_rule + Misuse of privileged functions, either intentionally or 
unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80739-6 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80738-8 + - CCE-80739-6 + - DISA-STIG-RHEL-08-030301 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/sudoedit +- name: Perform remediation of Audit rules for /usr/bin/umount block: - name: Declare list of syscalls @@ -159307,7 +159574,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -159352,8 +159619,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -159362,8 +159629,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -159378,7 +159645,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -159397,7 +159664,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -159407,8 +159674,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -159417,133 +159684,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80738-8 + - CCE-80739-6 + - DISA-STIG-RHEL-08-030301 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - umount - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000169 - CCI-000135 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - 
AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - RHEL-08-030301 - SV-230424r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80739-6 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -159864,25 +160018,164 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + CIP-007-3 R6.5 + AC-2(4) + AU-2(d) + AU-3 + AU-3.1 + AU-12(a) + AU-12(c) + AU-12.1(ii) + AU-12.1(iv) + AC-6(9) + CM-6(a) + MA-4(1)(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + 
SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030317 + SV-230433r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80740-4 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80739-6 - - DISA-STIG-RHEL-08-030301 + - CCE-80740-4 + - DISA-STIG-RHEL-08-030317 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(ii) + - NIST-800-53-AU-12.1(iv) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 + - NIST-800-53-AU-3.1 - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - NIST-800-53-MA-4(1)(a) + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/umount +- name: Perform remediation of Audit rules for /usr/sbin/unix_chkpwd block: - name: Declare list of syscalls 
@@ -159894,7 +160187,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -159939,8 +160232,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -159949,8 +160242,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -159965,7 +160258,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -159984,7 +160277,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -159994,8 +160287,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -160004,152 +160297,27 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80739-6 - - DISA-STIG-RHEL-08-030301 + - CCE-80740-4 + - DISA-STIG-RHEL-08-030317 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(ii) + - NIST-800-53-AU-12.1(iv) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 + - NIST-800-53-AU-3.1 - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - NIST-800-53-MA-4(1)(a) + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 
- 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - CIP-007-3 R6.5 - AC-2(4) - AU-2(d) - AU-3 - AU-3.1 - AU-12(a) - AU-12(c) - AU-12.1(ii) - AU-12.1(iv) - AC-6(9) - CM-6(a) - MA-4(1)(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030317 - SV-230433r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80740-4 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -160470,32 +160638,65 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_update + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030310 + SV-230426r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-89480-8 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80740-4 - - DISA-STIG-RHEL-08-030317 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd + - CCE-89480-8 + - DISA-STIG-RHEL-08-030310 + - audit_rules_privileged_commands_unix_update - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/unix_chkpwd +- name: Perform remediation of Audit rules for /usr/sbin/unix_update block: - name: Declare list of syscalls @@ -160507,7 +160708,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -160552,7 +160753,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -160562,7 +160763,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -160578,7 +160779,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -160597,7 +160798,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -160607,7 +160808,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -160617,72 +160818,15 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80740-4 - - DISA-STIG-RHEL-08-030317 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd + - CCE-89480-8 + - DISA-STIG-RHEL-08-030310 + - audit_rules_privileged_commands_unix_update - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_update - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030310 - SV-230426r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external 
entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-89480-8 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -161003,20 +161147,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030315 + SV-230431r627750_rule + Misuse of privileged functions, either 
intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80741-2 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-89480-8 - - DISA-STIG-RHEL-08-030310 - - audit_rules_privileged_commands_unix_update + - CCE-80741-2 + - DISA-STIG-RHEL-08-030315 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/unix_update +- name: Perform remediation of Audit rules for /usr/sbin/userhelper block: - name: Declare list of syscalls @@ -161028,7 +161291,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -161073,7 +161336,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161083,7 +161346,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -161099,7 +161362,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -161118,7 +161381,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161128,7 +161391,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -161138,129 +161401,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-89480-8 - - DISA-STIG-RHEL-08-030310 - - audit_rules_privileged_commands_unix_update + - CCE-80741-2 + - DISA-STIG-RHEL-08-030315 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - userhelper - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - 
A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030315 - SV-230431r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80741-2 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -161581,25 +161735,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usermod + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030560 + 4.1.3.18 + SV-230463r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-86027-0 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80741-2 - - DISA-STIG-RHEL-08-030315 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - CCE-86027-0 + - DISA-STIG-RHEL-08-030560 + - audit_rules_privileged_commands_usermod - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/userhelper +- name: Perform remediation of Audit rules for /usr/sbin/usermod block: - name: Declare list of syscalls @@ -161611,7 +161807,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -161656,7 +161852,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161666,8 +161862,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -161682,7 +161878,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -161701,7 +161897,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161711,8 +161907,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -161721,67 +161917,15 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80741-2 - - DISA-STIG-RHEL-08-030315 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - CCE-86027-0 + - DISA-STIG-RHEL-08-030560 + - audit_rules_privileged_commands_usermod - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - usermod - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030560 - 4.1.3.18 - SV-230463r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. 
-Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-86027-0 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -162102,20 +162246,69 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-80990-5 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-86027-0 - - DISA-STIG-RHEL-08-030560 - - audit_rules_privileged_commands_usermod + - CCE-80990-5 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/usermod +- name: Perform remediation of Audit rules for /usr/sbin/usernetctl block: - name: Declare list of syscalls @@ -162127,7 +162320,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -162172,7 +162365,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -162182,8 +162375,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -162198,7 +162391,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -162217,7 +162410,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -162227,8 +162420,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -162237,60 +162430,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-86027-0 - - DISA-STIG-RHEL-08-030560 - - audit_rules_privileged_commands_usermod + - CCE-80990-5 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. 
- -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80990-5 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -162610,158 +162762,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80990-5 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_usernetctl - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/usernetctl - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file 
with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" 
- - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80990-5 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_usernetctl - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -162923,6 +162923,350 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. CCE-80745-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-adjtimex.rules + overwrite: true + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - 
settimeofday + - stime + + - name: Check existence of adjtimex in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules + set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S 
|,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - settimeofday + - stime + + - name: Check existence of adjtimex in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for 64bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - settimeofday + + - name: Check existence of adjtimex in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules + 
set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - settimeofday + - stime + + - name: Check existence of adjtimex in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ 
syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -163262,11 +163606,179 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Attempts to Alter Time Through clock_settime + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. 
See an example of multiple combined syscalls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + 10.6.3 + 4.1.3.4 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. 
+ CCE-80746-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-clock-settime.rules + overwrite: true + + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) @@ -163275,7 +163787,7 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity @@ -163291,7 +163803,7 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) 
@@ -163300,30 +163812,27 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for 32bit platform +- name: Perform remediation of Audit rules for clock_settime for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday - - stime + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/rules.d/ + - name: Check existence of clock_settime in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163353,8 +163862,8 @@ fi | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules + set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls @@ -163368,7 +163877,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -163377,7 +163886,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163386,17 +163896,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday - - stime + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/audit.rules + - name: Check existence of clock_settime in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163415,7 +163922,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -163424,7 +163931,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163433,7 +163941,7 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) 
@@ -163442,29 +163950,27 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for 64bit platform +- name: Perform remediation of Audit rules for clock_settime for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/rules.d/ + - name: Check existence of clock_settime in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163494,8 +164000,8 @@ fi | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules + set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls @@ -163509,7 +164015,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -163518,7 +164024,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163527,17 +164034,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday - - stime + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/audit.rules + - name: Check existence of clock_settime in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163556,7 +164060,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -163565,7 +164069,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163575,7 +164080,7 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) 
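Review bot: in the @@ -163575 hunk the only change is the tag `CCE-80745-3` to `CCE-80746-1` on an otherwise unchanged task, which together with the `syscalls` edits above shows that the clock_settime remediation has been moved into the slot previously occupied by the adjtimex remediation rather than edited in place. Please confirm the adjtimex Ansible remediation (with its `syscall_grouping` of `adjtimex`, `settimeofday`, `stime` on b32 and `adjtimex`, `settimeofday` on b64) is re-emitted elsewhere in the datastream; it is removed in these hunks and nothing in this diff adds it back.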
@@ -163584,181 +164089,13 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-adjtimex.rules - overwrite: true - - - - - - - - - - Record Attempts to Alter Time Through clock_settime - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport. -Multiple system calls can be defined on the same line to save space if -desired, but is not required. 
See an example of multiple combined syscalls: --a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-001487 - CCI-000169 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.4.2.b - 10.6.3 - 4.1.3.4 - Arbitrary changes to the system time can be used to obfuscate -nefarious activities in log files, as well as to confuse network services that -are highly dependent upon an accurate system time (such as sshd). All changes -to the system time should be audited. - CCE-80746-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
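Review bot: the adjtimex MachineConfig removed in this hunk (`path: /etc/audit/rules.d/75-syscall-adjtimex.rules`, rules keyed `-k audit_time_rules`) is not re-added anywhere in this diff, whereas the clock_settime MachineConfig is; confirm the OpenShift remediation for adjtimex survives the reorder or this publish silently drops it. Separately, the clock_settime description removed here says "Multiple system calls can be defined on the same line" and then shows `-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules`; because the clock_settime rule carries `-F a0=0x0`, folding clock_settime onto that line would apply the argument filter to adjtimex and settimeofday as well and narrow their auditing. Wherever this description is re-emitted, the example should say the a0 filter is why clock_settime keeps its own line, consistent with `syscall_grouping: []` in the playbook.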
@@ -164085,343 +164422,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set architecture for audit tasks - set_fact: - audit_arch: b64 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for clock_settime for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - clock_settime - syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( 
{item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules - set_fact: audit_file="/etc/audit/rules.d/time-change.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - clock_settime - 
syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for clock_settime for 64bit platform - block: - - - name: Declare list of syscalls - set_fact: - 
syscalls: - - clock_settime - syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules - set_fact: audit_file="/etc/audit/rules.d/time-change.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ 
syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - clock_settime - syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - 
'"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-clock-settime.rules - overwrite: true 
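Review bot: the Ansible tasks and the MachineConfig removed in this hunk are identical to the `+` lines of the @@ -163377 through @@ -163584 hunks, so this is a move rather than a content change; the point worth fixing is that the three remediations disagree on the permissions of the rule file. The MachineConfig writes `/etc/audit/rules.d/75-syscall-clock-settime.rules` with `mode: 0600`, the Ansible `lineinfile` uses `mode: o-rwx` (group access is whatever the umask produced), and the shell remediation in the @@ -164575 hunk runs `chmod 0640` on a newly created file. Settle on one mode (0640 matches the shell fix and the existing `o-rwx` intent) so a permissions check gives the same result regardless of which remediation was applied.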
@@ -164575,344 +164575,20 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. CCE-80747-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - # Create expected audit group and audit rule form for particular system call & architecture - if [ ${ARCH} = "b32" ] - then - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) - # so append it to the list of time group system calls to be audited - SYSCALL="adjtimex settimeofday stime" - SYSCALL_GROUPING="adjtimex settimeofday stime" - elif [ ${ARCH} = "b64" ] - then - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) - # therefore don't add it to the list of time group system calls to be audited - SYSCALL="adjtimex settimeofday" - SYSCALL_GROUPING="adjtimex settimeofday" - fi - OTHER_FILTERS="" - AUID_FILTERS="" - KEY="audit_time_rules" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a - unset syscall_grouping - unset syscall_string - unset syscall - unset file_to_edit - unset rule_to_edit - unset rule_syscalls_to_edit - unset other_string - unset auid_string - unset full_rule - - # Load macro arguments into arrays - read -a syscall_a <<< $SYSCALL - read -a syscall_grouping <<< $SYSCALL_GROUPING - - # Create a list of audit *.rules files that should be inspected for presence and correctness - # of a particular audit rule. 
The scheme is as follows: - # - # ----------------------------------------------------------------------------------------- - # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | - # ----------------------------------------------------------------------------------------- - # auditctl | Doesn't matter | /etc/audit/audit.rules | - # ----------------------------------------------------------------------------------------- - # augenrules | Yes | /etc/audit/rules.d/*.rules | - # augenrules | No | /etc/audit/rules.d/$key.rules | - # ----------------------------------------------------------------------------------------- - # - files_to_inspect=() - - # If audit tool is 'augenrules', then check if the audit rule is defined - # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection - # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection - default_file="/etc/audit/rules.d/$KEY.rules" - # As other_filters may include paths, lets use a different delimiter for it - # The "F" script expression tells sed to print the filenames where the expressions matched - readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) - # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet - if [ ${#files_to_inspect[@]} -eq "0" ] - then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi - fi - - # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead - skip=1 - - for audit_file in "${files_to_inspect[@]}" - do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - 
file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi - done - - if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi - fi - unset syscall_a - unset syscall_grouping - unset syscall_string - unset syscall - unset file_to_edit - unset rule_to_edit - unset rule_syscalls_to_edit - unset 
other_string - unset auid_string - unset full_rule - - # Load macro arguments into arrays - read -a syscall_a <<< $SYSCALL - read -a syscall_grouping <<< $SYSCALL_GROUPING - - # Create a list of audit *.rules files that should be inspected for presence and correctness - # of a particular audit rule. The scheme is as follows: - # - # ----------------------------------------------------------------------------------------- - # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | - # ----------------------------------------------------------------------------------------- - # auditctl | Doesn't matter | /etc/audit/audit.rules | - # ----------------------------------------------------------------------------------------- - # augenrules | Yes | /etc/audit/rules.d/*.rules | - # augenrules | No | /etc/audit/rules.d/$key.rules | - # ----------------------------------------------------------------------------------------- - # - files_to_inspect=() - - - # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' - # file to the list of files to be inspected - default_file="/etc/audit/audit.rules" - files_to_inspect+=('/etc/audit/audit.rules' ) - - # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead - skip=1 - - for audit_file in "${files_to_inspect[@]}" - do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi - done - - if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" 
-gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-settimeofday.rules + overwrite: true - name: Gather the package facts package_facts: 
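Review bot: the shell remediation removed here carries the field-stripping expression `s/((:?-S [[:alnum:],]+)+)//g`; in POSIX ERE `(:?` is a group starting with an optional literal colon, not the non-capturing `(?:` that was evidently intended, and it only works because the colon is optional. Since the script is generated from a shared macro (the same block appears twice in this hunk, once per audit tool) and is re-emitted after the settimeofday MachineConfig in the @@ -165244 hunk, fix the macro rather than this file; the same pass can correct the comments "more fields then required", "than check if there was any field left over" and "exsiting rule", and drop the no-op `|| /bin/true` appended to the plain `full_rule=` assignment.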
@@ -165244,181 +164920,8 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-settimeofday.rules - overwrite: true - - - - - - - - - - Record Attempts to Alter Time Through stime - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d for both 32 bit and 64 bit systems: --a always,exit -F arch=b32 -S stime -F key=audit_time_rules -Since the 64 bit version of the "stime" system call is not defined in the audit -lookup table, the corresponding "-F arch=b64" form of this rule is not expected -to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule -form itself is sufficient for both 32 bit and 64 bit systems). If the -auditd daemon is configured to use the auditctl utility to -read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file for both 32 bit and 64 bit systems: --a always,exit -F arch=b32 -S stime -F key=audit_time_rules -Since the 64 bit version of the "stime" system call is not defined in the audit -lookup table, the corresponding "-F arch=b64" form of this rule is not expected -to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule -form itself is sufficient for both 32 bit and 64 bit systems). The -k option -allows for the specification of a key in string form that can be used for -better reporting capability through ausearch and aureport. Multiple system -calls can be defined on the same line to save space if desired, but is not -required. 
See an example of multiple combined system calls: --a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-001487 - CCI-000169 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.4.2.b - 10.6.3 - 4.1.3.4 - Arbitrary changes to the system time can be used to obfuscate -nefarious activities in log files, as well as to confuse network services that -are highly dependent upon an accurate system time (such as sshd). All changes -to the system time should be audited. - - CCE-80748-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q s390x /proc/sys/kernel/osrelease ) ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") 
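Review bot: the last removed/added pair in this hunk reads as if the platform check lost its `aarch64`/`s390x` exclusion (the `-` line ends in `&& { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q s390x /proc/sys/kernel/osrelease ) ); }; then`, the `+` line in plain `rpm --quiet -q audit; then`), but the two lines belong to different rules: the excluding header is the start of the stime remediation, whose description block is removed just above it, and the plain header is the settimeofday remediation moved to the front of its fix list; the hunk at `@@ -165920` re-adds the stime header with the exclusion intact. The shared context `# Retrieve hardware architecture ... RULE_ARCHS=("b32" "b64")` is what lets diff pair them. A line in the publish message saying the change only reorders fix elements (MachineConfig, Ansible, bash) would stop readers from taking this as a change in which platforms settimeofday applies to.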
@@ -165755,6 +165258,179 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Attempts to Alter Time Through stime + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d for both 32 bit and 64 bit systems: +-a always,exit -F arch=b32 -S stime -F key=audit_time_rules +Since the 64 bit version of the "stime" system call is not defined in the audit +lookup table, the corresponding "-F arch=b64" form of this rule is not expected +to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule +form itself is sufficient for both 32 bit and 64 bit systems). If the +auditd daemon is configured to use the auditctl utility to +read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file for both 32 bit and 64 bit systems: +-a always,exit -F arch=b32 -S stime -F key=audit_time_rules +Since the 64 bit version of the "stime" system call is not defined in the audit +lookup table, the corresponding "-F arch=b64" form of this rule is not expected +to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule +form itself is sufficient for both 32 bit and 64 bit systems). The -k option +allows for the specification of a key in string form that can be used for +better reporting capability through ausearch and aureport. Multiple system +calls can be defined on the same line to save space if desired, but is not +required. 
See an example of multiple combined system calls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + 10.6.3 + 4.1.3.4 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. 
+ + CCE-80748-7 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-stime.rules + overwrite: true - name: Gather the package facts package_facts: 
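Review bot: the MachineConfig payload added at the end of this hunk contradicts the description re-added above it. The description says twice that the `-F arch=b64` form of the stime rule is not expected on 64-bit systems because stime is absent from the 64-bit audit lookup table, yet the URL-encoded `data:` source writes `-a always,exit -F arch=b64 -S stime -k audit_time_rules` ahead of the `arch=b32` line, and the bash remediation in the next hunk explicitly refuses to add stime for `b64` ("stime system call isn't known at 64-bit arch ... therefore don't add it"). A rule naming a syscall unknown for its arch is liable to be rejected when `75-syscall-stime.rules` is loaded, so drop the b64 line from the payload so the Kubernetes fix matches the bash fix.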
@@ -165920,90 +165596,414 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-stime.rules - overwrite: true - - - - - - - - - - Record Attempts to Alter the localtime File - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: --w /etc/localtime -p wa -k audit_time_rules -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /etc/localtime -p wa -k audit_time_rules -The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport and -should always be used. - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-001487 - CCI-000169 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! 
( grep -q s390x /proc/sys/kernel/osrelease ) ); }; then + +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + # Create expected audit group and audit rule form for particular system call & architecture + if [ ${ARCH} = "b32" ] + then + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) + # so append it to the list of time group system calls to be audited + SYSCALL="adjtimex settimeofday stime" + SYSCALL_GROUPING="adjtimex settimeofday stime" + elif [ ${ARCH} = "b64" ] + then + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) + # therefore don't add it to the list of time group system calls to be audited + SYSCALL="adjtimex settimeofday" + SYSCALL_GROUPING="adjtimex settimeofday" + fi + OTHER_FILTERS="" + AUID_FILTERS="" + KEY="audit_time_rules" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a + unset syscall_grouping + unset syscall_string + unset syscall + unset file_to_edit + unset rule_to_edit + unset rule_syscalls_to_edit + unset other_string + unset auid_string + unset full_rule + + # Load macro arguments into arrays + read -a syscall_a <<< $SYSCALL + read -a syscall_grouping <<< $SYSCALL_GROUPING + + # Create a list of audit *.rules files that should be inspected for presence and correctness + # of a particular audit rule. 
The scheme is as follows: + # + # ----------------------------------------------------------------------------------------- + # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | + # ----------------------------------------------------------------------------------------- + # auditctl | Doesn't matter | /etc/audit/audit.rules | + # ----------------------------------------------------------------------------------------- + # augenrules | Yes | /etc/audit/rules.d/*.rules | + # augenrules | No | /etc/audit/rules.d/$key.rules | + # ----------------------------------------------------------------------------------------- + # + files_to_inspect=() + + # If audit tool is 'augenrules', then check if the audit rule is defined + # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection + # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection + default_file="/etc/audit/rules.d/$KEY.rules" + # As other_filters may include paths, lets use a different delimiter for it + # The "F" script expression tells sed to print the filenames where the expressions matched + readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) + # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet + if [ ${#files_to_inspect[@]} -eq "0" ] + then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi + fi + + # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead + skip=1 + + for audit_file in "${files_to_inspect[@]}" + do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + 
file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi + done + + if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi + fi + unset syscall_a + unset syscall_grouping + unset syscall_string + unset syscall + unset file_to_edit + unset rule_to_edit + unset rule_syscalls_to_edit + unset 
other_string + unset auid_string + unset full_rule + + # Load macro arguments into arrays + read -a syscall_a <<< $SYSCALL + read -a syscall_grouping <<< $SYSCALL_GROUPING + + # Create a list of audit *.rules files that should be inspected for presence and correctness + # of a particular audit rule. The scheme is as follows: + # + # ----------------------------------------------------------------------------------------- + # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | + # ----------------------------------------------------------------------------------------- + # auditctl | Doesn't matter | /etc/audit/audit.rules | + # ----------------------------------------------------------------------------------------- + # augenrules | Yes | /etc/audit/rules.d/*.rules | + # augenrules | No | /etc/audit/rules.d/$key.rules | + # ----------------------------------------------------------------------------------------- + # + files_to_inspect=() + + + # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' + # file to the list of files to be inspected + default_file="/etc/audit/audit.rules" + files_to_inspect+=('/etc/audit/audit.rules' ) + + # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead + skip=1 + + for audit_file in "${files_to_inspect[@]}" + do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi + done + + if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" 
-gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Attempts to Alter the localtime File + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/localtime -p wa -k audit_time_rules +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/localtime -p wa -k audit_time_rules +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport and +should always be used. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-001487 + CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 
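Review bot: the sed filters in the added stime remediation interpolate shell variables unescaped, and with `OTHER_FILTERS=""` and `AUID_FILTERS=""` (both set in this hunk) the expressions `-e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d"` collapse to `\##!d` and `//!d`, which sed reads as "reuse the previous regex"; they only behave because `/^$ACTION_ARCH_FILTERS/!d` comes first, and the same holds for `s#$OTHER_FILTERS##` and `s/$AUID_FILTERS//` in the `extra_fields` computation. That dependence on `-e` ordering deserves a comment, since reordering the arguments would silently change which rules are selected. In the same `extra_fields` sed, `(:?-S [[:alnum:],]+)+` looks like a misspelled `(?:`; `sed -E` has no non-capturing groups, so `:?` merely allows an optional literal colon and the group should read `(-S [[:alnum:],]+)+`. Comment typos while here: "more fields then required", "than check if", "(4-rd argument)", "an exsiting rule".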
@@ -166083,146 +166083,20 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. CCE-80749-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/localtime" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_time_rules.rules" - # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules + overwrite: true - name: Gather the package facts package_facts: 
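Review bot: the MachineConfig added at the end of this hunk creates `/etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules` with `mode: 0600`, while the bash remediation removed above creates its key file with `chmod 0640` (and the stime remediation uses `chmod 0640` / `chmod o-rwx`). The two fix types should agree on the rules-file mode so a permissions check on `/etc/audit/rules.d` gives the same result whichever remediation was applied; pick one value and use it in both.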
@@ -166441,20 +166315,146 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule 
definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/localtime" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_time_rules.rules" + # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
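Review bot: the access-bits extraction in the re-added localtime script has a stray literal space: `s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p` needs a space followed by at least one more whitespace character after `/etc/localtime`, so for the normal single-space rule `-w /etc/localtime -p wa -k audit_time_rules` it matches nothing and `current_access_bits` starts empty. The loop then rebuilds it as `wa`, and the second sed (which has no literal space) overwrites whatever bits the existing rule carried, so an existing `-p rwa` watch silently loses its `r`. Changing the extraction pattern to `/etc/localtime$sp\+-p` to match the replacement pattern fixes it. Separately, the augenrules discovery `grep -HP "[\s]*-w[\s]+/etc/localtime"` lacks the `^` anchor the per-file check `^[\s]*-w[\s]+/etc/localtime` uses, so a commented-out `#-w /etc/localtime` line selects that file for inspection; harmless, but the two patterns should match.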
@@ -166707,42 +166707,6 @@ send audit records to. For example deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. CCE-80925-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audispd_remote_server='' - - -AUDITCONFIG=/etc/audit/audisp-remote.conf - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^remote_server") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_remote_server" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^remote_server\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80925-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
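Review bot: this hunk only deletes the bash fix for CCE-80925-1, and the hunk at +166742 re-adds the same lines byte for byte; the net change is that the bash fix now sits after the Ansible fix inside the rule. If the publisher does not emit fix elements in a deterministic order, every automated publish will produce this kind of churn and bury the real changes, so it would be better to sort the fix elements by a stable key in the build than to keep regenerating reordered output.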
@@ -166778,6 +166742,42 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audispd_remote_server='' + + +AUDITCONFIG=/etc/audit/audisp-remote.conf + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^remote_server") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_remote_server" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^remote_server\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80925-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
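Review bot: as rendered here `var_audispd_remote_server=''` is empty, and nothing in the script checks it, so unless the XCCDF value is substituted at tailoring time the `printf -v formatted_output "%s = %s"` line writes `remote_server = ` into /etc/audit/audisp-remote.conf and the plugin has no destination while the rule reports as remediated. A guard such as `[ -n "$var_audispd_remote_server" ] || { >&2 echo 'remote server not set'; exit 1; }` before the edit would make an unset variable fail loudly instead of silently producing an empty key.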
@@ -166845,38 +166845,6 @@ determined. SRG-OS-000479-GPOS-00224 Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audispd_disk_full_action='' - - -AUDITCONFIG=/etc/audit/audisp-remote.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_disk_full_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -166920,6 +166888,38 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audispd_disk_full_action='' + + +AUDITCONFIG=/etc/audit/audisp-remote.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_disk_full_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
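Review bot: when /etc/audit/audisp-remote.conf does not exist yet, the `grep -q ... "$AUDITCONFIG"` test prints "No such file or directory" to stderr and the else branch creates the file via `printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"`, which gives it the umask default mode (normally 0644) rather than the 0640 that the rules.d hunk above applies with `touch` followed by `chmod 0640`. Create the file explicitly with the intended mode (for example `install -m 0640 /dev/null "$AUDITCONFIG"` when it is missing) so a config that may later hold remote-transport settings is not world-readable.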
@@ -167010,38 +167010,6 @@ This profile configures the action to be SRG-OS-000479-GPOS-00224 Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audispd_network_failure_action='' - - -AUDITCONFIG=/etc/audit/audisp-remote.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^network_failure_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_network_failure_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^network_failure_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -167085,6 +167053,38 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audispd_network_failure_action='' + + +AUDITCONFIG=/etc/audit/audisp-remote.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^network_failure_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_network_failure_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^network_failure_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
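Review bot: the applicability gate is only `rpm --quiet -q audit`, but on RHEL 8 /etc/audit/audisp-remote.conf is shipped by audispd-plugins, not by audit. On a host without that package the else branch creates a stray audisp-remote.conf with `network_failure_action = ...` that nothing reads, the check then passes, and no remote off-loading actually happens. Gate the remediation on `rpm --quiet -q audispd-plugins` as well, or have the rule depend on the package being installed.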
@@ -167179,39 +167179,6 @@ records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. CCE-80677-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_syslog_active="yes" - -AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^active") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_syslog_active" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG" -else - if [[ -s "$AUDISP_SYSLOGCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_SYSLOGCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_SYSLOGCONFIG" - fi - cce="CCE-80677-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -167253,6 +167220,39 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_syslog_active="yes" + +AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^active") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_syslog_active" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG" +else + if [[ -s "$AUDISP_SYSLOGCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_SYSLOGCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_SYSLOGCONFIG" + fi + cce="CCE-80677-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
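Review bot: the script sets `active = yes` in /etc/audit/plugins.d/syslog.conf but never makes auditd re-read its plugin configuration, so the change is inert until the service is restarted; on RHEL `systemctl restart auditd` is refused by the unit and `service auditd restart` is the supported way. The rule is tagged `no_reboot_needed`, which is correct, but the fix should either perform the restart or the description should say it is required. Separately, enabling this plugin duplicates every audit record into the syslog stream, which under a full rule set is a significant volume for /var/log/messages and the journal, so rsyslog forwarding and rotation should be in place before this is applied fleet-wide.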
@@ -167355,11 +167355,74 @@ determined. Details regarding all possible values for ACTION ar Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. CCE-84046-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_error_action='' - + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_
dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84046-2 + - DISA-STIG-RHEL-08-030040 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - auditd_data_disk_error_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_auditd_disk_error_action # promote to variable + set_fact: + var_auditd_disk_error_action: !!str + tags: + - always + +- name: Configure auditd Disk Error Action on Disk Error + lineinfile: + dest: /etc/audit/auditd.conf + line: disk_error_action = {{ var_auditd_disk_error_action.split('|')[0] }} + regexp: ^\s*disk_error_action\s*=\s*.*$ + state: present + create: true + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-84046-2 + - DISA-STIG-RHEL-08-030040 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - auditd_data_disk_error_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_error_action='' + # # If disk_error_action present in /etc/audit/auditd.conf, change value 
@@ -167393,69 +167456,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84046-2 - - DISA-STIG-RHEL-08-030040 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_error_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy -- name: XCCDF Value var_auditd_disk_error_action # promote to variable - set_fact: - var_auditd_disk_error_action: !!str - tags: - - always - -- name: Configure auditd Disk Error Action on Disk Error - lineinfile: - dest: /etc/audit/auditd.conf - line: disk_error_action = {{ var_auditd_disk_error_action.split('|')[0] }} - regexp: ^\s*disk_error_action\s*=\s*.*$ - state: present - create: true - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-84046-2 - - DISA-STIG-RHEL-08-030040 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_error_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true 
@@ -167549,35 +167549,20 @@ determined. Details regarding all possible values for ACTION ar SRG-OS-000047-GPOS-00023 Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_error_action='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_error_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -167623,20 +167608,35 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_error_action='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_error_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
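Review bot: the bash fix re-added here writes `disk_error_action = $var_auditd_disk_error_action` without stripping a `|` alternative, whereas the CCE-84046-2 Ansible task uses `var_auditd_disk_error_action.split('|')[0]` and the disk_full_action bash at +167798 does `cut -d \| -f 1`. If the XCCDF value for this rule can carry alternatives of the form `a|b`, this script writes the literal `a|b` into /etc/audit/auditd.conf, which auditd will reject; apply the same first-alternative selection here so the bash and Ansible fixes produce the same file.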
@@ -167735,39 +167735,20 @@ determined. Details regarding all possible values for ACTION ar Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. CCE-84045-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_full_action='' - - -var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)" - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - cce="CCE-84045-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf" - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_
listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -167817,20 +167798,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_full_action='' + + +var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)" + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + cce="CCE-84045-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf" + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
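Review bot: `var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)"` leaves the expansion unquoted, so the value is subject to word splitting and globbing before it reaches `cut`, and `echo` will misinterpret a value that looks like an option. The shell already does this without a pipeline: `var_auditd_disk_full_action="${var_auditd_disk_full_action%%|*}"` takes everything before the first `|`, needs no quoting care, and keeps the behaviour identical for values without a `|`.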
@@ -167924,35 +167924,20 @@ determined. Details regarding all possible values for ACTION ar SRG-OS-000047-GPOS-00023 Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_full_action='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
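Review bot: the `MachineConfig` that takes the bash block's place writes all of `/etc/audit/auditd.conf` with `overwrite: true`, so applying it for this one rule (`disk_full_action`) also fixes every other key to the embedded values, including hard-coded ones such as `freq = 50`, `admin_space_left = 50` and `admin_space_left_action = syslog` that sibling rules in this same file treat as tunable variables. That is a different contract from the bash remediation it displaces, which edits only the `disk_full_action` line; either the rule text should say so, or the hard-coded keys should become `{{.var_...}}` placeholders like the others in the same URL.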
@@ -167998,20 +167983,35 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_full_action='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
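Review bot: this second `disk_full_action` script differs from the first one (previous hunk pair) in two places: it has no `cut -d \| -f 1` normalisation of `var_auditd_disk_full_action`, and no `# Per CCE ...` marker line before the appended setting. If the variable can carry `a|b` alternatives, this copy writes the raw `a|b` string into `auditd.conf`; generating both rules from one template would stop the two copies drifting apart.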
@@ -168122,40 +168122,6 @@ via email for those situations: Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. CCE-80678-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_action_mail_acct='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80678-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
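Review bot: no content change in this hunk: the `action_mail_acct` bash block removed between `CCE-80678-6` and the Ansible `package_facts` task reappears byte-for-byte after `restrict_strategy` in the next hunk, so this is a reordering of the rule's remediation blocks, and the same move repeats for every rule in this patch. Reviewing with an order-insensitive comparison (for example `git diff --color-moved`) would separate the moves from the few real changes, such as the `cut` line added to the first `disk_full_action` script.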
@@ -168206,6 +168172,40 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_action_mail_acct='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80678-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
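Review bot: style point on the re-added block: it reads the path through `AUDITCONFIG=/etc/audit/auditd.conf` while both `disk_full_action` scripts earlier in the patch repeat the literal `/etc/audit/auditd.conf` in every `grep`, `sed`, `tail` and `printf` call; the scripts are clearly produced from the same key-replacement template, so the variable form should be used throughout.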
@@ -168309,39 +168309,20 @@ determined. Details regarding all possible values for ACTION ar audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. CCE-80679-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_admin_space_left_action='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^admin_space_left_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_admin_space_left_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^admin_space_left_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80679-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_cl
ient_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
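Review bot: the `MachineConfig` added here hard-codes `admin_space_left_action = syslog` (and `admin_space_left = 50`) inside the data URL, while the bash block it replaces in this same rule (`CCE-80679-4`) writes `var_auditd_admin_space_left_action`; on OpenShift the profile's value for this rule is therefore ignored and the result is whatever the template bakes in. Use `{{.var_auditd_admin_space_left_action}}` the way `space_left_action` and `disk_full_action` already are in the same URL.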
@@ -168397,20 +168378,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_admin_space_left_action='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^admin_space_left_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_admin_space_left_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^admin_space_left_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80679-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
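Review bot: in the shared key-replacement template, `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` escapes only `/` before the value is used as a `sed` replacement, so a value containing `&` or `\` would be interpreted by `sed` (`&` expands to the matched text). For `admin_space_left_action` the values are fixed keywords, so it is harmless here, but the same template serves `action_mail_acct`; escaping `&` and `\` as well (`sed -e 's|[/&\\]|\\&|g'`) makes it safe for every caller.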
@@ -168501,20 +168501,6 @@ to cause the system to perform an action. SRG-OS-000343-GPOS-00134 Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_admin_space_left_percentage='' - - -grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ - sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \ - echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -168560,6 +168546,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_admin_space_left_percentage='' + + +grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ + sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \ + echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
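Review bot: the `admin_space_left` script moved by these two hunks does not follow the template the neighbouring rules use: the chain `grep -q ... && sed -i ... || echo ... >> /etc/audit/auditd.conf` appends a second line if `grep` matches but `sed` fails, it writes `admin_space_left = %` if `var_auditd_admin_space_left_percentage` were ever left empty, and it adds no `# Per CCE` marker. Switching it to the `stripped_key`/`formatted_output` pattern from the other hunks closes those gaps without changing the intended result.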
@@ -168657,42 +168657,20 @@ fully synchronized with the log files on the disk: log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. CCE-80680-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_flush='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# if flush is present, flush param edited to var_auditd_flush -# else flush param is defined by var_auditd_flush -# -# the freq param is only used for values 'incremental' and 'incremental_async' and will be -# commented out if flush != incremental or flush != incremental_async -# -# if flush == incremental or flush == incremental_async && freq param is not defined, it -# will be defined as the package-default value of 20 - -grep -q ^flush $AUDITCONFIG && \ - sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG -if ! [ $? -eq 0 ]; then - echo "flush = $var_auditd_flush" >> $AUDITCONFIG -fi - -if ! [ "$var_auditd_flush" == "incremental" ] && ! [ "$var_auditd_flush" == "incremental_async" ]; then - sed -i 's/^freq/##freq/g' $AUDITCONFIG -elif [ "$var_auditd_flush" == "incremental" ] || [ "$var_auditd_flush" == "incremental_async" ]; then - grep -q freq $AUDITCONFIG && \ - sed -i 's/^#\+freq/freq/g' $AUDITCONFIG - if ! [ $? 
-eq 0 ]; then - echo "freq = 20" >> $AUDITCONFIG - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
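Review bot: the `MachineConfig` that replaces the `flush` bash block writes `freq = 50` unconditionally, whereas the comments in the displaced block state that `freq` is only used for `flush = incremental` or `incremental_async`, is commented out otherwise, and falls back to the package default of 20. The two remediations for the same rule (`CCE-80680-2`) therefore leave different `freq` settings behind; pick one behaviour and state it in the rule text.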
@@ -168736,20 +168714,42 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_flush='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# if flush is present, flush param edited to var_auditd_flush +# else flush param is defined by var_auditd_flush +# +# the freq param is only used for values 'incremental' and 'incremental_async' and will be +# commented out if flush != incremental or flush != incremental_async +# +# if flush == incremental or flush == incremental_async && freq param is not defined, it +# will be defined as the package-default value of 20 + +grep -q ^flush $AUDITCONFIG && \ + sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG +if ! [ $? -eq 0 ]; then + echo "flush = $var_auditd_flush" >> $AUDITCONFIG +fi + +if ! [ "$var_auditd_flush" == "incremental" ] && ! [ "$var_auditd_flush" == "incremental_async" ]; then + sed -i 's/^freq/##freq/g' $AUDITCONFIG +elif [ "$var_auditd_flush" == "incremental" ] || [ "$var_auditd_flush" == "incremental_async" ]; then + grep -q freq $AUDITCONFIG && \ + sed -i 's/^#\+freq/freq/g' $AUDITCONFIG + if ! [ $? -eq 0 ]; then + echo "freq = 20" >> $AUDITCONFIG + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
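Review bot: `grep -q freq $AUDITCONFIG` in the re-added `flush` script is unanchored, so any line that merely contains the substring `freq` (a comment, for instance) satisfies it; the following `sed 's/^#\+freq/freq/g'` then changes nothing and the `freq = 20` fallback is never appended. Anchor it as the `flush` check is (`grep -q '^#*freq' "$AUDITCONFIG"`) and quote `$AUDITCONFIG` for consistency with the other scripts.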
@@ -168839,39 +168839,20 @@ support retention of even more audit data. log information over the period required. This is a function of the maximum log file size and the number of logs retained. CCE-80681-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_max_log_file='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^max_log_file\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80681-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
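Review bot: the `{{.var_auditd_max_log_file}}` placeholder and its siblings sit unencoded inside a percent-encoded `data:,` URL, so whatever expands them must run before Ignition parses the URL and must percent-encode the substituted values; a value containing a space, `%` or `#` would otherwise corrupt the written file. Nothing in the hunk says which stage performs the substitution, so a comment next to the template would help the next reader.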
@@ -168917,20 +168898,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_max_log_file='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^max_log_file\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80681-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
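Review bot: keep the `\>` word boundary in `grep -q -m 1 -i -e "^max_log_file\\>"` and in the matching `sed` expression: it is what stops this rule's replacement from also rewriting the `max_log_file_action` line that the next rule manages, so this script must not be simplified to a plain prefix match like the `^flush` check elsewhere in the patch.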
@@ -169030,39 +169030,20 @@ being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. CCE-80682-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_max_log_file_action='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80682-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169114,20 +169095,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_max_log_file_action='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80682-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169231,35 +169231,20 @@ minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_max_log_file_action='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atran
sport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169307,20 +169292,35 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_max_log_file_action='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169408,39 +169408,20 @@ Note that values less than 2 result in no log rotation. log information over the period required. This is a function of the maximum log file size and the number of logs retained. CCE-80683-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_num_logs='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^num_logs") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_num_logs" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80683-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169488,20 +169469,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_num_logs='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^num_logs") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_num_logs" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80683-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169594,19 +169594,20 @@ notify the user of an issue. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. CCE-83619-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_space_left='' - - -grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ - sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ - echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23
%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169658,20 +169659,19 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_space_left='' + + +grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ + sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ + echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169774,45 +169774,20 @@ also include suspend, single, and Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. CCE-80684-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_space_left_action='' - - -# -# If space_left_action present in /etc/audit/auditd.conf, change value -# to var_auditd_space_left_action, else -# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf -# - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_space_left_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80684-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%2
0%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169870,20 +169845,45 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_space_left_action='' + + +# +# If space_left_action present in /etc/audit/auditd.conf, change value +# to var_auditd_space_left_action, else +# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf +# + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_space_left_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80684-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169977,20 +169977,6 @@ notify the user of an issue. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. CCE-86055-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_space_left_percentage='' - - -grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ - sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \ - echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -170040,6 +170026,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_space_left_percentage='' + + +grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ + sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \ + echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170061,27 +170061,20 @@ in /etc/audit/auditd.conf. may happen after higher number of records, increasing the danger of audit loss. CCE-82258-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "freq = 50" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0
Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
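Review bot: This hunk is pure reordering noise and should be eliminated at build time rather than published: the bash fix for CCE-82258-5 (the `sed -i "/^\s*freq\s*=\s*/Id"` plus `printf '%s\n' "freq = 50"` block) and the OpenShift MachineConfig fix swap positions, and not a byte inside either block differs. The same swap repeats for every auditd.conf rule below, which is what turns an "Automated publish" with no content change into a 130k-line diff per datastream. Sorting a rule's fix elements by their system attribute (or by remediation type) in the build step would make the published files stable across runs and leave a diff that a reviewer can actually read when content does change.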
@@ -170137,20 +170130,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "freq = 50" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
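Review bot: In the re-added bash block the backup is taken after the damage is done, so it protects nothing: `sed -i "/^\s*freq\s*=\s*/Id"` has already rewritten the file before `cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"` runs, and `rm "/etc/audit/auditd.conf.bak"` then deletes it unconditionally, even when the `printf ... >>` in between fails on a full disk. Either move the `cp` above the `sed -i` and keep the `.bak` on the failure path, or drop the `cp`/`rm` pair entirely; as written it is dead code that reads as if a rollback existed.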
@@ -170174,27 +170174,20 @@ This is the default setting. If option local_events isn't set to yes only events from network will be aggregated. CCE-82233-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
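Review bot: The rule description covers only `local_events`, but the MachineConfig payload in this hunk (byte-identical to the one shipped for the freq, log_format, name_format and write_logs rules) replaces the whole of `/etc/audit/auditd.conf` with `overwrite: true`, and it mixes operator-resolved placeholders such as `%7B%7B.var_auditd_flush%7D%7D` (`{{.var_auditd_flush}}`) with hardcoded values: `freq = 50`, `priority_boost = 4`, `admin_space_left = 50`, `admin_space_left_action = syslog`, `use_libwrap = yes`, `name_format = hostname`. Selecting this single rule on OpenShift therefore pins every one of those keys, which a site that has tuned `admin_space_left` or `name_format` will not expect. Since Ignition cannot patch a file in place, the honest fix is to say so in the rule description (or in the OpenShift-specific notes) and to route the hardcoded keys through the same `var_auditd_*` variables the bash side already uses.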
@@ -170252,20 +170245,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170300,27 +170300,20 @@ in /etc/audit/auditd.conf. If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them. CCE-82201-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -170380,20 +170373,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170423,32 +170423,20 @@ in /etc/audit/auditd.conf. none, audit events from different computers may be hard to distinguish. CCE-82897-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_name_format='' - - -var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)" - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "name_format = $var_auditd_name_format" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
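Review bot: The removed bash block shows `var_auditd_name_format=''` with nothing between the quotes, and then expands it unquoted in `$(echo $var_auditd_name_format | cut -d \| -f 1)`. If the empty string is what the published datastream actually emits rather than an artefact of how the XCCDF value substitution is rendered here, the remediation first deletes any existing `name_format` line and then appends `name_format = ` with no value, which is a regression from leaving the file alone (the MachineConfig variant in the same hunk pins `name_format = hostname`). Quote the expansion (`"$var_auditd_name_format"`) and bail out with a message to stderr when it is empty, the way the platform check already does.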
@@ -170532,20 +170520,32 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_name_format='' + + +var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)" + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "name_format = $var_auditd_name_format" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -170569,28 +170569,6 @@ to one of the following values: syslog, single The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. CCE-85889-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
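Review bot: git has paired this removal (the bash fix for `overflow_action`, CCE-85889-4) with the wrong insertion: the matching `+` lines appear at `@@ -170647` as an in-place edit of the write_logs fix (`sed -i "/^\s*write_logs\s*=\s*/Id"` becomes `sed -i "/^\s*overflow_action\s*=\s*/Id"`), and the write_logs rule header is then moved below it. The net content is probably unchanged, but nothing in this diff demonstrates that, and a fix that was silently dropped or duplicated in the reshuffle would look exactly the same. Before merging an automated publish, compare the two revisions rule by rule (extract each Rule element with its fix children, sort the fixes, then diff) so a real loss would surface instead of hiding in a move.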
@@ -170647,30 +170625,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Write Audit Logs to the Disk - To configure Audit daemon to write Audit logs to the disk, set -write_logs to yes in /etc/audit/auditd.conf. -This is the default setting. - CM-6 - FAU_STG.1 - SRG-OS-000480-GPOS-00227 - If write_logs isn't set to yes, the Audit logs will -not be written to the disk. - CCE-82366-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then if [ -e "/etc/audit/auditd.conf" ] ; then - LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf" + LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf" else touch "/etc/audit/auditd.conf" fi 
@@ -170679,13 +170639,46 @@ sed -i -e '$a\' "/etc/audit/auditd.conf" cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" # Insert at the end of the file -printf '%s\n' "write_logs = yes" >> "/etc/audit/auditd.conf" +printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf" # Clean up after ourselves. rm "/etc/audit/auditd.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Write Audit Logs to the Disk + To configure Audit daemon to write Audit logs to the disk, set +write_logs to yes in /etc/audit/auditd.conf. +This is the default setting. + CM-6 + FAU_STG.1 + SRG-OS-000480-GPOS-00227 + If write_logs isn't set to yes, the Audit logs will +not be written to the disk. + CCE-82366-6 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%
0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -170741,20 +170734,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "write_logs = yes" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170808,25 +170808,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-APP-000507-CTR-001295 Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. CCE-82833-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules -## Unsuccessful file access (any other opens) This has to go last. --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules according to policy copy: 
@@ -170863,6 +170844,25 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
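Review bot: The re-added bash block leaves the rules file mode to the caller's umask: `cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules` creates the file with umask-derived permissions and `chmod o-rwx` only strips the other bits, so under a 022 umask the result is 0640 while the OpenShift variant of the sibling rules writes `mode: 0600`. Use `umask 077` before the heredoc or an explicit `chmod 0600` so both variants converge. The block also runs `augenrules --load` regardless of whether the heredoc write succeeded; chaining the write, the chmod and the load with `&&` (or `set -e` at the top of the fix) would stop a half-written file from being loaded.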
@@ -170901,23 +170901,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000461-GPOS-00205 Auditing of successful attempts to access a file helps in investigation of activities performed on the system. CCE-82834-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-success.rules -## Successful file access (any other opens) This has to go last. -## These next two are likely to result in a whole lot of events --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-success.rules according to policy 
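Review bot: The two remediation variants for CCE-82834-3 in this hunk disagree on what they audit. The bash block writes `-S open,openat,openat2,open_by_handle_at`, but the MachineConfig data URL encodes `-S%20open%2Copenat%2Copen_by_handle_at`, i.e. `open,openat,open_by_handle_at` with `openat2` missing, so on OpenShift a successful open made through `openat2` produces no `successful-access` event. Worse, the same data URL encodes the uid filter as `auid%26gt%3B%3D1000`, which URL-decodes to `auid&gt;=1000`, not `auid>=1000`; unless something un-escapes that entity before Ignition writes the file, auditctl will reject the line and the whole rules file fails to load, silently disabling the control. The bash block has the literal `-F auid>=1000`. Generate the data URL from the same rule text as the bash fix, and URL-encode before the XML serializer escapes the element (the `%26gt%3B` is the signature of escaping in the other order).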
@@ -170955,20 +170952,23 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-success.rules +## Successful file access (any other opens) This has to go last. +## These next two are likely to result in a whole lot of events +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171005,32 +171005,20 @@ Load new Audit rules into kernel by running: SRG-OS-000475-GPOS-00220 Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure. CCE-82827-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules -## First rule - delete all --D - -## Increase the buffers to survive stress events. -## Make this bigger for busy systems --b 8192 - -## This determine how long to wait in burst of events ---backlog_wait_time 60000 - -## Set failure mode to syslog --f 1 - -EOF - -chmod o-rwx /etc/audit/rules.d/10-base-config.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20First%20rule%20-%20delete%20all%0A-D%0A%0A%23%23%20Increase%20the%20buffers%20to%20survive%20stress%20events.%0A%23%23%20Make%20this%20bigger%20for%20busy%20systems%0A-b%208192%0A%0A%23%23%20This%20determine%20how%20long%20to%20wait%20in%20burst%20of%20events%0A--backlog_wait_time%2060000%0A%0A%23%23%20Set%20failure%20mode%20to%20syslog%0A-f%201%0A + mode: 0600 + path: /etc/audit/rules.d/10-base-config.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/10-base-config.rules according to policy copy: 
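Review bot: Both variants of this hunk start `10-base-config.rules` with `-D`, and the rule's safety rests on augenrules concatenating `/etc/audit/rules.d/*.rules` in alphabetical order so that this file is read before every `30-ospp-v42-*.rules` file; if any future rule file were numbered below 10 (or unnumbered), the `-D` here would wipe it on load. It is worth a comment in the rules file itself, next to `## First rule - delete all`, and a check in the test for the rule, since the sibling access-success and access-failed files carry the mirror-image comment "This has to go last" and depend on the same ordering. `-f 1` does match the "failure mode to syslog" comment, and `-b 8192` with `--backlog_wait_time 60000` is consistent between the bash heredoc and the URL-encoded MachineConfig payload, so the content itself is fine.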
@@ -171076,20 +171064,32 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20First%20rule%20-%20delete%20all%0A-D%0A%0A%23%23%20Increase%20the%20buffers%20to%20survive%20stress%20events.%0A%23%23%20Make%20this%20bigger%20for%20busy%20systems%0A-b%208192%0A%0A%23%23%20This%20determine%20how%20long%20to%20wait%20in%20burst%20of%20events%0A--backlog_wait_time%2060000%0A%0A%23%23%20Set%20failure%20mode%20to%20syslog%0A-f%201%0A - mode: 0600 - path: /etc/audit/rules.d/10-base-config.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules +## First rule - delete all +-D + +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 + +## This determine how long to wait in burst of events +--backlog_wait_time 60000 + +## Set failure mode to syslog +-f 1 + +EOF + +chmod o-rwx /etc/audit/rules.d/10-base-config.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171137,33 +171137,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-APP-000507-CTR-001295 Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. CCE-82374-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset 
-F key=unsuccessful-create -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules according to policy copy: 
@@ -171208,6 +171181,33 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171243,27 +171243,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000461-GPOS-00205 Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. CCE-82829-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-success.rules -## Successful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-success.rules according to policy copy: 
@@ -171302,6 +171281,27 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-success.rules +## Successful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171336,24 +171336,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000468-GPOS-00212 Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. CCE-82835-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules -## Unsuccessful file delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules according to policy 
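Review bot: the MachineConfig `data:` source for 30-ospp-v42-4-delete-failed.rules encodes the login UID filter as `auid%26gt%3B%3D1000`, which decodes to `auid&gt;=1000` rather than the `auid>=1000` that the bash heredoc in the same hunk writes literally. All four rules in this source carry the entity, so on an OpenShift node the file would not express the intended `auid>=1000` filter. Suggest `auid%3E%3D1000`, matching the encoding used by the modify-failed MachineConfig source in this patch.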
@@ -171392,20 +171388,24 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules +## Unsuccessful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171438,22 +171438,21 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000468-GPOS-00212 Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. CCE-82836-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules -## Successful file delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules - -augenrules --load + --- -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%23%20Successful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete }} + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules according to policy 
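Review bot: the delete-success MachineConfig source reads `data:,{{ %23%23%20Successful... }}`, with literal `{{ ` and ` }}` template braces and their surrounding spaces inside the data URL; no other MachineConfig source in this patch has them, so this looks like an unrendered template artifact that would end up in the written rules file. Suggest dropping the braces so the value has the plain `data:,%23%23%20Successful%20file%20delete...` form used by the other rules. The same `auid%26gt%3B%3D1000` (decodes to `auid&gt;=1000`) encoding issue flagged on the delete-failed rule applies to both rules in this source as well.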
@@ -171490,21 +171489,22 @@ fi - no_reboot_needed - restrict_strategy - --- + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%23%20Successful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete }} - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules - overwrite: true +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules +## Successful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171542,22 +171542,20 @@ Load new Audit rules into kernel by running: If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. CCE-82828-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules -## Make the loginuid immutable. This prevents tampering with the auid. ---loginuid-immutable - -EOF - -chmod o-rwx /etc/audit/rules.d/11-loginuid.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable%0A%0A + mode: 0600 + path: /etc/audit/rules.d/11-loginuid.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/11-loginuid.rules according to policy copy: @@ -171595,20 +171593,22 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable%0A%0A - mode: 0600 - path: /etc/audit/rules.d/11-loginuid.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules +## Make the loginuid immutable. This prevents tampering with the auid. +--loginuid-immutable + +EOF + +chmod o-rwx /etc/audit/rules.d/11-loginuid.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171656,32 +171656,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-APP-000507-CTR-001295 Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. CCE-82830-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 
-F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM
%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules according to policy 
@@ -171728,20 +171716,32 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always
%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F 
exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171777,26 +171777,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000461-GPOS-00205 Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. CCE-82832-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules -## Successful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules according to policy 
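Review bot: the modify-success MachineConfig source encodes the flag masks as `a2%26amp%3B01003` and `a1%26amp%3B01003`, which decode to `a2&amp;01003` / `a1&amp;01003`, and the UID filter as `auid%26gt%3B%3D1000` (`auid&gt;=1000`). The modify-failed MachineConfig source in the preceding hunks uses `a2%2601003` and `auid%3E%3D1000`, which decode to the intended `a2&01003` and `auid>=1000` that the bash heredoc in this hunk writes. The success variant should use that same encoding so both remediations install identical rules.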
@@ -171837,20 +171831,26 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules +## Successful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171880,25 +171880,20 @@ Load new Audit rules into kernel by running: SRG-OS-000475-GPOS-00220 Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. CCE-82838-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules -## These rules watch for kernel module insertion. By monitoring -## the syscall, we do not need any watches on programs. --a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b32 -S delete_module -F key=module-unload --a always,exit -F arch=b64 -S delete_module -F key=module-unload -EOF - -chmod o-rwx /etc/audit/rules.d/43-module-load.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A + mode: 0600 + path: /etc/audit/rules.d/43-module-load.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/43-module-load.rules according to policy copy: 
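Review bot: this hunk and the next only swap the order of the two fix elements for CCE-82838-4 (the shell script removed here is re-added verbatim in the following hunk, and the MachineConfig added here is removed there), so the published guidance is unchanged while the diff grows by dozens of lines; together with the 131662-line churn per datastream file in this automated publish, that points to the build emitting fix elements in non-deterministic order. Sort the fix elements by system and id, or otherwise make the build output deterministic, so that automated publishes only produce a diff when rule content actually changes and real changes remain reviewable.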
@@ -171937,20 +171932,25 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A - mode: 0600 - path: /etc/audit/rules.d/43-module-load.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules +## These rules watch for kernel module insertion. By monitoring +## the syscall, we do not need any watches on programs. +-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b32 -S delete_module -F key=module-unload +-a always,exit -F arch=b64 -S delete_module -F key=module-unload +EOF + +chmod o-rwx /etc/audit/rules.d/43-module-load.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
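Review bot: the shell remediation ignores the result of `augenrules --load`, so if the running rule set has been locked with `-e 2`, or auditd on the target loads rules with `auditctl -R` rather than augenrules, the module-load rules are written to /etc/audit/rules.d but never become active, while the surrounding metadata still states `no_reboot_needed`. Check `auditctl -s` for an enabled value of 2 before loading and fail the remediation, or at least warn on stderr, when `augenrules --load` returns non-zero; the container guard on `/.dockerenv` and `/run/.containerenv` at the top is fine as is.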
@@ -172068,103 +172068,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000304-GPOS-00121 Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. CCE-82373-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42.rules -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## the following rule files copied to /etc/audit/rules.d: -## -## 10-base-config.rules, 11-loginuid.rules, -## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, -## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, -## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, -## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, -## 30-ospp-v42-5-perm-change-failed.rules, -## 30-ospp-v42-5-perm-change-success.rules, -## 30-ospp-v42-6-owner-change-failed.rules, -## 30-ospp-v42-6-owner-change-success.rules -## -## original copies may be found in /usr/share/audit/sample-rules/ - - -## User add delete modify. This is covered by pam. 
However, someone could -## open a file and directly create or modify a user, so we'll watch passwd and -## shadow for writes --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - -## User enable and disable. This is entirely handled by pam. - -## Group add delete modify. This is covered by pam. However, someone could -## open a file and directly create or modify a user, so we'll watch group and -## gshadow for writes --a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify --a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify - - -## Use of special rights for config changes. This would be use of setuid -## programs that relate to user accts. This is not all setuid apps because -## requirements are only for ones that affect system configuration. 
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes - -## Privilege escalation via su or sudo. This is entirely handled by pam. - -## Watch for configuration changes to privilege escalation. 
--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes --a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes - -## Audit log access --a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -## Attempts to Alter Process and Session Initiation Information --a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session - -## Attempts to modify MAC controls --a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy - -## Software updates. This is entirely handled by rpm. - -## System start and shutdown. This is entirely handled by systemd - -## Kernel Module loading. This is handled in 43-module-load.rules - -## Application invocation. The requirements list an optional requirement -## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to -## state results from that policy. This would be handled entirely by -## that daemon. 
- -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20alway
s%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20chan
ges.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%
2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20i
ntended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A%0A + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42.rules according to policy copy: 
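Review bot: in the rule content (the same bytes as the shell variant in the next hunk, here percent-encoded) the `-F path=/etc/passwd -F perm=wa` and `-F path=/etc/shadow -F perm=wa` watches are placed under the "Group add delete modify ... watch group and gshadow" comment and overlap the eight `-S open`/`openat,open_by_handle_at ... -F path=/etc/passwd|/etc/shadow` syscall rules directly above them, all under the same key `user-modify`. Either drop the two passwd/shadow watch lines or move them under the user-modify comment and document why both forms are kept; also, the header states that this file depends on 10-base-config.rules and 11-loginuid.rules being present, yet this MachineConfig writes only 30-ospp-v42.rules, so that dependency belongs in the rule description rather than only inside the rule file.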
@@ -172281,20 +172198,103 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpassw
d%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%2
0to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset
%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20b
e%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A%0A - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42.rules +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## the following rule files copied to /etc/audit/rules.d: +## +## 10-base-config.rules, 11-loginuid.rules, +## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, +## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, +## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, +## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, +## 30-ospp-v42-5-perm-change-failed.rules, +## 30-ospp-v42-5-perm-change-success.rules, +## 30-ospp-v42-6-owner-change-failed.rules, +## 30-ospp-v42-6-owner-change-success.rules +## +## original copies may be found in /usr/share/audit/sample-rules/ + + +## User add delete modify. This is covered by pam. 
However, someone could +## open a file and directly create or modify a user, so we'll watch passwd and +## shadow for writes +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + +## User enable and disable. This is entirely handled by pam. + +## Group add delete modify. This is covered by pam. However, someone could +## open a file and directly create or modify a user, so we'll watch group and +## gshadow for writes +-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify +-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify + + +## Use of special rights for config changes. This would be use of setuid +## programs that relate to user accts. This is not all setuid apps because +## requirements are only for ones that affect system configuration. 
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + +## Privilege escalation via su or sudo. This is entirely handled by pam. + +## Watch for configuration changes to privilege escalation. 
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes +-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes + +## Audit log access +-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail +## Attempts to Alter Process and Session Initiation Information +-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session + +## Attempts to modify MAC controls +-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy + +## Software updates. This is entirely handled by rpm. + +## System start and shutdown. This is entirely handled by systemd + +## Kernel Module loading. This is handled in 43-module-load.rules + +## Application invocation. The requirements list an optional requirement +## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to +## state results from that policy. This would be handled entirely by +## that daemon. + +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
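Review bot: the shell variant creates the rules file under the caller's umask (`cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42.rules`) and only afterwards runs `chmod o-rwx`, which leaves a short window with default permissions and ends with a group-readable file, while the MachineConfig for the same rule earlier in this patch sets `mode: 0600`. Set `umask 077` before the heredoc, or create the file with `install -m 0600 /dev/null` first, and use `chmod 0600` so both remediation flavours converge on one mode; the same applies to the other `chmod o-rwx` remediations in this patch.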
@@ -172329,25 +172329,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. CCE-82384-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules -## Unsuccessful ownership change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules according to policy copy: 
@@ -172384,6 +172365,25 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules +## Unsuccessful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -172416,23 +172416,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. CCE-82385-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules -## Successful ownership change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules according to policy copy: @@ -172467,6 +172450,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules +## Successful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -172501,25 +172501,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. CCE-82837-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules -## Unsuccessful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules according to policy copy: 
@@ -172556,6 +172537,25 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules +## Unsuccessful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -172588,23 +172588,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. CCE-82383-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules -## Successful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules according to policy copy: 
@@ -172639,6 +172622,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules +## Successful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -172797,21 +172797,6 @@ also required to change the runtime configuration, run: or other services, weakening system security. CCE-86006-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common; then - -if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then - sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub" -else - echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -fi - -grubby --update-kernel=ALL --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -172851,6 +172836,21 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common; then + +if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then + sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub" +else + echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' +fi + +grubby --update-kernel=ALL --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -172877,15 +172877,6 @@ Run the following command to update command line for already installed kernels:< CCE-83920-9 [customizations.kernel] append = "iommu=force" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=iommu=force --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -172912,6 +172903,15 @@ fi - reboot_required - restrict_strategy - unknown_severity + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=iommu=force --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -172946,15 +172946,6 @@ slow because there is not yet enough entropy in the system.CCE-83314-5 [customizations.kernel] append = "random.trust_cpu=on" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=random.trust_cpu=on --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
@@ -172981,6 +172972,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=random.trust_cpu=on --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173017,19 +173017,6 @@ location that is cached in the L1 Data Cache. CCE-88123-5 [customizations.kernel] append = "l1tf=" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_l1tf_options='' - - - -grubby --update-kernel=ALL --args=l1tf=$var_l1tf_options --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173061,6 +173048,19 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_l1tf_options='' + + + +grubby --update-kernel=ALL --args=l1tf=$var_l1tf_options --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173093,15 +173093,6 @@ trying to exploit a vulnerability such as Rowhammer. CCE-87098-0 [customizations.kernel] append = "mce=0" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=mce=0 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
@@ -173128,6 +173119,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=mce=0 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173154,15 +173154,6 @@ Run the following command to update command line for already installed kernels: manipulation of data in the user space. CCE-87345-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --remove-args=nosmap --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -173188,6 +173179,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --remove-args=nosmap --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173214,15 +173214,6 @@ Run the following command to update command line for already installed kernels: the kernel to unintentionally execute code in less privileged memory space. CCE-85989-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --remove-args=nosmep --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -173248,6 +173239,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --remove-args=nosmep --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173282,15 +173282,6 @@ randomization (KASLR). CCE-82194-2 [customizations.kernel] append = "pti=on" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173321,6 +173312,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173360,19 +173360,6 @@ from the hardware number generators available in the system helps fill up the en CCE-89567-2 [customizations.kernel] append = "rng_core.default_quality=" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_rng_core_default_quality='' - - - -grubby --update-kernel=ALL --args=rng_core.default_quality=$var_rng_core_default_quality --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
@@ -173405,6 +173392,19 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_rng_core_default_quality='' + + + +grubby --update-kernel=ALL --args=rng_core.default_quality=$var_rng_core_default_quality --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173440,15 +173440,6 @@ Overall, this reduces the kernel attack surface area by isolating slabs from eac CCE-86777-0 [customizations.kernel] append = "slab_nomerge=yes" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=slab_nomerge=yes --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173475,6 +173466,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=slab_nomerge=yes --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173514,19 +173514,6 @@ for example inside the sandboxed code. CCE-89234-9 [customizations.kernel] append = "spec_store_bypass_disable=" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_spec_store_bypass_disable_options='' - - - -grubby --update-kernel=ALL --args=spec_store_bypass_disable=$var_spec_store_bypass_disable_options --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
@@ -173559,6 +173546,19 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_spec_store_bypass_disable_options='' + + + +grubby --update-kernel=ALL --args=spec_store_bypass_disable=$var_spec_store_bypass_disable_options --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173594,15 +173594,6 @@ access to. CCE-89345-3 [customizations.kernel] append = "spectre_v2=on" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=spectre_v2=on --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173629,6 +173620,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=spectre_v2=on --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173660,15 +173660,6 @@ Run the following command to update command line for already installed kernels: on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --remove-args=systemd.debug-shell --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -173692,6 +173683,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --remove-args=systemd.debug-shell --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173724,15 +173724,6 @@ of the return instruction pointer. CCE-80946-7 [customizations.kernel] append = "vsyscall=none" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173763,6 +173754,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173847,15 +173847,6 @@ To properly set the group owner of /boot/grub2/grub.cfg, file should not have any access privileges anyway. CCE-80800-6 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -173920,6 +173911,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174000,15 +174000,6 @@ file should not have any access privileges anyway. Non-root users who read the b may be able to identify weaknesses in security upon boot and be able to exploit them. CCE-86009-8 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/grub2/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -174073,6 +174064,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/grub2/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174152,15 +174152,6 @@ To properly set the owner of /boot/grub2/grub.cfg, run th Only root should be able to modify important boot parameters. CCE-80805-5 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -174225,6 +174216,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174304,15 +174304,6 @@ the boot parameters may be able to identify weaknesses in security upon boot and exploit them. CCE-86015-5 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/grub2/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -174377,6 +174368,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/grub2/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174452,15 +174452,6 @@ To properly set the permissions of /boot/grub2/grub.cfg, parameters. CCE-80814-7 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-xs,g-xwrs,o-xwrt /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -174519,6 +174510,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-xs,g-xwrs,o-xwrt /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174594,15 +174594,6 @@ To properly set the permissions of /boot/grub2/user.cfg, parameters. CCE-86024-7 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-xs,g-xwrs,o-xwrt /boot/grub2/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -174661,6 +174652,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-xs,g-xwrs,o-xwrt /boot/grub2/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175017,15 +175017,6 @@ To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg CCE-85915-7 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/efi/EFI/redhat/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -175087,6 +175078,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/efi/EFI/redhat/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175154,15 +175154,6 @@ file should not have any access privileges anyway. Non-root users who read the b may be able to identify weaknesses in security upon boot and be able to exploit them. CCE-86012-2 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/efi/EFI/redhat/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -175224,6 +175215,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/efi/EFI/redhat/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175290,15 +175290,6 @@ To properly set the owner of /boot/efi/EFI/redhat/grub.cfgOnly root should be able to modify important boot parameters. CCE-85913-2 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/efi/EFI/redhat/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -175360,6 +175351,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/efi/EFI/redhat/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175427,15 +175427,6 @@ the boot parameters may be able to identify weaknesses in security upon boot and exploit them. CCE-86021-3 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/efi/EFI/redhat/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -175497,6 +175488,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/efi/EFI/redhat/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175560,15 +175560,6 @@ To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg CCE-85912-4 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -175624,6 +175615,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175687,15 +175687,6 @@ To properly set the permissions of /boot/efi/EFI/redhat/user.cfg CCE-86028-8 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -175751,6 +175742,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -176039,24 +176039,6 @@ this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. CCE-83321-0 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="audit=1" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "audit=1" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain audit=1 block: @@ -176116,6 +176098,24 @@ fi - medium_severity - reboot_required - zipl_audit_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="audit=1" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "audit=1" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -176139,24 +176139,6 @@ are stored in this queue. If the queue is overrun during boot process, the acti defined by audit failure flag is taken. CCE-83341-8 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="audit_backlog_limit=8192" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "audit_backlog_limit=8192" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?audit_backlog_limit=8192(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 audit_backlog_limit=8192/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain audit_backlog_limit=8192 block: @@ -176216,6 +176198,24 @@ fi - medium_severity - reboot_required - zipl_audit_backlog_limit_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "audit_backlog_limit=8192" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?audit_backlog_limit=8192(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 audit_backlog_limit=8192/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -176251,15 +176251,6 @@ Run zipl command to generate an updated /boot/ boot correct kernel and options. CCE-83486-1 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -/usr/sbin/zipl - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure zIPL bootmap is up to date block: @@ -176289,6 +176280,15 @@ fi - medium_severity - no_reboot_needed - zipl_bootmap_is_up_to_date + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +/usr/sbin/zipl + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176324,24 +176324,6 @@ This prevents many types of use-after-free vulnerabilities at little performance Also prevents leak of data and detection of corrupted memory. CCE-83351-7 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="page_poison=1" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "page_poison=1" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?page_poison=1(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 page_poison=1/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain page_poison=1 block: 
@@ -176401,6 +176383,24 @@ fi - medium_severity - reboot_required - zipl_page_poison_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="page_poison=1" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "page_poison=1" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?page_poison=1(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 page_poison=1/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176423,24 +176423,6 @@ This prevents many types of use-after-free vulnerabilities at little performance Also prevents leak of data and detection of corrupted memory. CCE-83371-5 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="slub_debug=P" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "slub_debug=P" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?slub_debug=P(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 slub_debug=P/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain slub_debug=P block: 
@@ -176500,6 +176482,24 @@ fi - medium_severity - reboot_required - zipl_slub_debug_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="slub_debug=P" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "slub_debug=P" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?slub_debug=P(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 slub_debug=P/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176531,21 +176531,6 @@ that systemd.debug-shell=1 is not present in / on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --remove-args="systemd.debug-shell" - -# Ensure new kernels and boot entries retain the boot option -if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then - sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain systemd.debug-shell block: 
@@ -176590,6 +176575,21 @@ fi - medium_severity - reboot_required - zipl_systemd_debug-shell_argument_absent + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --remove-args="systemd.debug-shell" + +# Ensure new kernels and boot entries retain the boot option +if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then + sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176610,24 +176610,6 @@ add vsyscall=none to /etc/kernel/cmdline CCE-83381-4 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="vsyscall=none" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "vsyscall=none" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?vsyscall=none(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 vsyscall=none/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain vsyscall=none block: 
@@ -176687,6 +176669,24 @@ fi - medium_severity - reboot_required - zipl_vsyscall_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="vsyscall=none" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "vsyscall=none" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?vsyscall=none(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 vsyscall=none/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -178331,21 +178331,13 @@ $ sudo yum install rsyslog-gnutls The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. CCE-82859-0 + +package --add=rsyslog-gnutls + [[packages]] name = "rsyslog-gnutls" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "rsyslog-gnutls" ; then - yum install -y "rsyslog-gnutls" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rsyslog-gnutls @@ -178370,8 +178362,16 @@ class install_rsyslog-gnutls { - no_reboot_needed - package_rsyslog-gnutls_installed - -package --add=rsyslog-gnutls + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "rsyslog-gnutls" ; then + yum install -y "rsyslog-gnutls" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -178427,21 +178427,13 @@ package --add=rsyslog-gnutls The rsyslog package provides the rsyslog daemon, which provides system logging services. CCE-80847-7 + +package --add=rsyslog + [[packages]] name = "rsyslog" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "rsyslog" ; then - yum install -y "rsyslog" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rsyslog @@ -178467,8 +178459,16 @@ class install_rsyslog { - no_reboot_needed - package_rsyslog_installed - -package --add=rsyslog + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "rsyslog" ; then + yum install -y "rsyslog" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -178566,18 +178566,6 @@ logging services, which are essential to system administration. [customizations.services] enabled = ["rsyslog"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'rsyslog.service' -"$SYSTEMCTL_EXEC" start 'rsyslog.service' -"$SYSTEMCTL_EXEC" enable 'rsyslog.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_rsyslog @@ -178615,6 +178603,18 @@ class enable_rsyslog { - medium_severity - no_reboot_needed - service_rsyslog_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'rsyslog.service' +"$SYSTEMCTL_EXEC" start 'rsyslog.service' +"$SYSTEMCTL_EXEC" enable 'rsyslog.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -178643,38 +178643,6 @@ created files. It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. CCE-88321-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -readarray -t targets < <(grep -H '^\s*$FileCreateMode' /etc/rsyslog.conf /etc/rsyslog.d/*) - -# if $FileCreateMode set in multiple places -if [ ${#targets[@]} -gt 1 ]; then - # delete all and create new entry with expected value - sed -i '/^\s*$FileCreateMode/d' /etc/rsyslog.conf /etc/rsyslog.d/* - echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf -# if $FileCreateMode set in only one place -elif [ "${#targets[@]}" -eq 1 ]; then - filename=$(echo "${targets[0]}" | cut -d':' -f1) - value=$(echo "${targets[0]}" | cut -d' ' -f2) - #convert to decimal and bitwise or operation - result=$((8#$value | 416)) - # if more permissive than expected, then set it to 0640 - if [ $result -ne 416 ]; then - # if value is wrong remove it - sed -i '/^\s*$FileCreateMode/d' $filename - echo '$FileCreateMode 0640' > $filename - fi -else - echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf -fi - -systemctl restart rsyslog.service - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure rsyslog Default File Permissions Configured - Search for $FileCreateMode Parameter in rsyslog Main Config File ansible.builtin.find: 
@@ -178783,6 +178751,38 @@ fi - medium_severity - no_reboot_needed - rsyslog_filecreatemode + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +readarray -t targets < <(grep -H '^\s*$FileCreateMode' /etc/rsyslog.conf /etc/rsyslog.d/*) + +# if $FileCreateMode set in multiple places +if [ ${#targets[@]} -gt 1 ]; then + # delete all and create new entry with expected value + sed -i '/^\s*$FileCreateMode/d' /etc/rsyslog.conf /etc/rsyslog.d/* + echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf +# if $FileCreateMode set in only one place +elif [ "${#targets[@]}" -eq 1 ]; then + filename=$(echo "${targets[0]}" | cut -d':' -f1) + value=$(echo "${targets[0]}" | cut -d' ' -f2) + #convert to decimal and bitwise or operation + result=$((8#$value | 416)) + # if more permissive than expected, then set it to 0640 + if [ $result -ne 416 ]; then + # if value is wrong remove it + sed -i '/^\s*$FileCreateMode/d' $filename + echo '$FileCreateMode 0640' > $filename + fi +else + echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf +fi + +systemctl restart rsyslog.service + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -178951,30 +178951,6 @@ When using rsyslogd to off-load logs the remote system mu configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. CCE-86339-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2> /dev/null - -if [ -e "/etc/rsyslog.d/stream_driver_auth.conf" ] ; then - - LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode /Id" "/etc/rsyslog.d/stream_driver_auth.conf" -else - touch "/etc/rsyslog.d/stream_driver_auth.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/rsyslog.d/stream_driver_auth.conf" - -cp "/etc/rsyslog.d/stream_driver_auth.conf" "/etc/rsyslog.d/stream_driver_auth.conf.bak" -# Insert at the end of the file -printf '%s\n' "\$ActionSendStreamDriverAuthMode x509/name" >> "/etc/rsyslog.d/stream_driver_auth.conf" -# Clean up after ourselves. -rm "/etc/rsyslog.d/stream_driver_auth.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Rsyslog Authenticates Off-Loaded Audit Records block: 
@@ -179026,6 +179002,30 @@ fi - medium_severity - no_reboot_needed - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2> /dev/null + +if [ -e "/etc/rsyslog.d/stream_driver_auth.conf" ] ; then + + LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode /Id" "/etc/rsyslog.d/stream_driver_auth.conf" +else + touch "/etc/rsyslog.d/stream_driver_auth.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/rsyslog.d/stream_driver_auth.conf" + +cp "/etc/rsyslog.d/stream_driver_auth.conf" "/etc/rsyslog.d/stream_driver_auth.conf.bak" +# Insert at the end of the file +printf '%s\n' "\$ActionSendStreamDriverAuthMode x509/name" >> "/etc/rsyslog.d/stream_driver_auth.conf" +# Clean up after ourselves. +rm "/etc/rsyslog.d/stream_driver_auth.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -179053,28 +179053,6 @@ When using rsyslogd to off-load logs off a encrpytion sys configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. CCE-86098-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then - - LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode /Id" "/etc/rsyslog.d/encrypt.conf" -else - touch "/etc/rsyslog.d/encrypt.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" - -cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" -# Insert at the end of the file -printf '%s\n' "\$ActionSendStreamDriverMode 1" >> "/etc/rsyslog.d/encrypt.conf" -# Clean up after ourselves. -rm "/etc/rsyslog.d/encrypt.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records block: @@ -179126,6 +179104,28 @@ fi - medium_severity - no_reboot_needed - rsyslog_encrypt_offload_actionsendstreamdrivermode + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then + + LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode /Id" "/etc/rsyslog.d/encrypt.conf" +else + touch "/etc/rsyslog.d/encrypt.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" + +cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" +# Insert at the end of the file +printf '%s\n' "\$ActionSendStreamDriverMode 1" >> "/etc/rsyslog.d/encrypt.conf" +# Clean up after ourselves. +rm "/etc/rsyslog.d/encrypt.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -179153,28 +179153,6 @@ When using rsyslogd to off-load logs off an encryption sy configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. CCE-85992-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then - - LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf" -else - touch "/etc/rsyslog.d/encrypt.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" - -cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" -# Insert at the end of the file -printf '%s\n' "\$DefaultNetstreamDriver gtls" >> "/etc/rsyslog.d/encrypt.conf" -# Clean up after ourselves. -rm "/etc/rsyslog.d/encrypt.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records block: @@ -179226,6 +179204,28 @@ fi - medium_severity - no_reboot_needed - rsyslog_encrypt_offload_defaultnetstreamdriver + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then + + LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf" +else + touch "/etc/rsyslog.d/encrypt.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" + +cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" +# Insert at the end of the file +printf '%s\n' "\$DefaultNetstreamDriver gtls" >> "/etc/rsyslog.d/encrypt.conf" +# Clean up after ourselves. +rm "/etc/rsyslog.d/encrypt.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -179310,109 +179310,6 @@ correct this: configuration, user authentication, and other such information. Log files should be protected from unauthorized access. CCE-80860-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# List of log file paths to be inspected for correct permissions -# * Primarily inspect log file paths listed in /etc/rsyslog.conf -RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" -# * And also the log file paths listed after rsyslog's $IncludeConfig directive -# (store the result into array for the case there's shell glob used as value of IncludeConfig) -readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) -readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) -readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) -readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) - -# Declare an array to hold the final list of different log file paths -declare -a LOG_FILE_PATHS - -# Array to hold all rsyslog config entries -RSYSLOG_CONFIGS=() -RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") - -# Get full list of files to be checked -# RSYSLOG_CONFIGS may contain globs such as -# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule -# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. -RSYSLOG_CONFIG_FILES=() -for ENTRY in "${RSYSLOG_CONFIGS[@]}" -do - # If directory, rsyslog will search for config files in recursively. - # However, files in hidden sub-directories or hidden files will be ignored. 
- if [ -d "${ENTRY}" ] - then - readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) - RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") - elif [ -f "${ENTRY}" ] - then - RSYSLOG_CONFIG_FILES+=("${ENTRY}") - else - echo "Invalid include object: ${ENTRY}" - fi -done - -# Browse each file selected above as containing paths of log files -# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) -for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" -do - # From each of these files extract just particular log file path(s), thus: - # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, - # * Ignore empty lines, - # * Strip quotes and closing brackets from paths. - # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files - # * From the remaining valid rows select only fields constituting a log file path - # Text file column is understood to represent a log file path if and only if all of the - # following are met: - # * it contains at least one slash '/' character, - # * it is preceded by space - # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters - # Search log file for path(s) only in case it exists! 
- if [[ -f "${LOG_FILE}" ]] - then - NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") - LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") - FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") - CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") - MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") - # Since above sed command might return more than one item (delimited by newline), split - # the particular matches entries into new array specific for this log file - readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" - # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with - # items from newly created array for this log file - LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") - # Delete the temporary array - unset ARRAY_FOR_LOG_FILE - fi -done - -# Check for RainerScript action log format which might be also multiline so grep regex is a bit -# curly: -# extract possibly multiline action omfile expressions -# extract File="logfile" expression -# match only "logfile" expression -for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" -do - ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") - OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") - LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") -done - -# Ensure the correct attribute if file exists -FILE_CMD="chgrp" -for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" -do - # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing - if [ -z "$LOG_FILE_PATH" ] - then - continue - fi - $FILE_CMD "root" "$LOG_FILE_PATH" -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile 
configuration facts ansible.builtin.set_fact: @@ -179609,97 +179506,7 @@ fi - no_reboot_needed - rsyslog_files_groupownership - - - - - - - - - Ensure Log Files Are Owned By Appropriate User - The owner of all log files written by -rsyslog should be - -root. - -These log files are determined by the second part of each Rule line in -/etc/rsyslog.conf and typically all appear in /var/log. -For each log file LOGFILE referenced in /etc/rsyslog.conf, -run the following command to inspect the file's owner: -$ ls -l LOGFILE -If the owner is not - -root, - -run the following command to -correct this: - -$ sudo chown root LOGFILE - BP28(R46) - BP28(R5) - 12 - 13 - 14 - 15 - 16 - 18 - 3 - 5 - APO01.06 - DSS05.04 - DSS05.07 - DSS06.02 - CCI-001314 - 4.3.3.7.3 - SR 2.1 - SR 5.2 - 0988 - 1405 - A.10.1.1 - A.11.1.4 - A.11.1.5 - A.11.2.1 - A.13.1.1 - A.13.1.3 - A.13.2.1 - A.13.2.3 - A.13.2.4 - A.14.1.2 - A.14.1.3 - A.6.1.2 - A.7.1.1 - A.7.1.2 - A.7.3.1 - A.8.2.2 - A.8.2.3 - A.9.1.1 - A.9.1.2 - A.9.2.3 - A.9.4.1 - A.9.4.4 - A.9.4.5 - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-6(a) - AC-6(1) - PR.AC-4 - PR.DS-5 - Req-10.5.1 - Req-10.5.2 - 10.3.2 - The log files generated by rsyslog contain valuable information regarding system -configuration, user authentication, and other such information. Log files should be -protected from unauthorized access. - CCE-80861-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then # List of log file paths to be inspected for correct permissions @@ -179787,7 +179594,7 @@ do done # Ensure the correct attribute if file exists -FILE_CMD="chown" +FILE_CMD="chgrp" for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" do # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing 
@@ -179802,6 +179609,96 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure Log Files Are Owned By Appropriate User + The owner of all log files written by +rsyslog should be + +root. + +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +For each log file LOGFILE referenced in /etc/rsyslog.conf, +run the following command to inspect the file's owner: +$ ls -l LOGFILE +If the owner is not + +root, + +run the following command to +correct this: + +$ sudo chown root LOGFILE + BP28(R46) + BP28(R5) + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + CCI-001314 + 4.3.3.7.3 + SR 2.1 + SR 5.2 + 0988 + 1405 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-10.5.1 + Req-10.5.2 + 10.3.2 + The log files generated by rsyslog contain valuable information regarding system +configuration, user authentication, and other such information. Log files should be +protected from unauthorized access. + CCE-80861-8 - name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts ansible.builtin.set_fact: 
@@ -179998,49 +179895,7 @@ fi - no_reboot_needed - rsyslog_files_ownership - - - - - - - - - Ensure System Log Files Have Correct Permissions - The file permissions for all log files written by rsyslog should -be set to 640, or more restrictive. These log files are determined by the -second part of each Rule line in /etc/rsyslog.conf and typically -all appear in /var/log. For each log file LOGFILE -referenced in /etc/rsyslog.conf, run the following command to -inspect the file's permissions: -$ ls -l LOGFILE -If the permissions are not 640 or more restrictive, run the following -command to correct this: -$ sudo chmod 640 LOGFILE" - BP28(R36) - CCI-001314 - 0988 - 1405 - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-6(a) - AC-6(1) - Req-10.5.1 - Req-10.5.2 - 10.3.1 - 4.2.3 - Log files can contain valuable information regarding system -configuration. If the system log files are not protected unauthorized -users could change the logged data, eliminating their forensic value. - CCE-80862-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then # List of log file paths to be inspected for correct permissions @@ -180128,7 +179983,7 @@ do done # Ensure the correct attribute if file exists -FILE_CMD="chmod" +FILE_CMD="chown" for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" do # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing 
@@ -180136,13 +179991,55 @@ do then continue fi - $FILE_CMD "0640" "$LOG_FILE_PATH" + $FILE_CMD "root" "$LOG_FILE_PATH" done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure System Log Files Have Correct Permissions + The file permissions for all log files written by rsyslog should +be set to 640, or more restrictive. These log files are determined by the +second part of each Rule line in /etc/rsyslog.conf and typically +all appear in /var/log. For each log file LOGFILE +referenced in /etc/rsyslog.conf, run the following command to +inspect the file's permissions: +$ ls -l LOGFILE +If the permissions are not 640 or more restrictive, run the following +command to correct this: +$ sudo chmod 640 LOGFILE" + BP28(R36) + CCI-001314 + 0988 + 1405 + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-6(a) + AC-6(1) + Req-10.5.1 + Req-10.5.2 + 10.3.1 + 4.2.3 + Log files can contain valuable information regarding system +configuration. If the system log files are not protected unauthorized +users could change the logged data, eliminating their forensic value. + CCE-80862-6 - name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts ansible.builtin.set_fact: 
@@ -180338,6 +180235,109 @@ fi - medium_severity - no_reboot_needed - rsyslog_files_permissions + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# List of log file paths to be inspected for correct permissions +# * Primarily inspect log file paths listed in /etc/rsyslog.conf +RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" +# * And also the log file paths listed after rsyslog's $IncludeConfig directive +# (store the result into array for the case there's shell glob used as value of IncludeConfig) +readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) +readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) +readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) + +# Declare an array to hold the final list of different log file paths +declare -a LOG_FILE_PATHS + +# Array to hold all rsyslog config entries +RSYSLOG_CONFIGS=() +RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + +# Get full list of files to be checked +# RSYSLOG_CONFIGS may contain globs such as +# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule +# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. +RSYSLOG_CONFIG_FILES=() +for ENTRY in "${RSYSLOG_CONFIGS[@]}" +do + # If directory, rsyslog will search for config files in recursively. + # However, files in hidden sub-directories or hidden files will be ignored. 
+ if [ -d "${ENTRY}" ] + then + readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) + RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") + elif [ -f "${ENTRY}" ] + then + RSYSLOG_CONFIG_FILES+=("${ENTRY}") + else + echo "Invalid include object: ${ENTRY}" + fi +done + +# Browse each file selected above as containing paths of log files +# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) +for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" +do + # From each of these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + # * Ignore empty lines, + # * Strip quotes and closing brackets from paths. + # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files + # * From the remaining valid rows select only fields constituting a log file path + # Text file column is understood to represent a log file path if and only if all of the + # following are met: + # * it contains at least one slash '/' character, + # * it is preceded by space + # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters + # Search log file for path(s) only in case it exists! 
+ if [[ -f "${LOG_FILE}" ]] + then + NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") + LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") + FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") + CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") + MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") + # Since above sed command might return more than one item (delimited by newline), split + # the particular matches entries into new array specific for this log file + readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" + # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with + # items from newly created array for this log file + LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") + # Delete the temporary array + unset ARRAY_FOR_LOG_FILE + fi +done + +# Check for RainerScript action log format which might be also multiline so grep regex is a bit +# curly: +# extract possibly multiline action omfile expressions +# extract File="logfile" expression +# match only "logfile" expression +for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" +do + ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") + OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") + LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") +done + +# Ensure the correct attribute if file exists +FILE_CMD="chmod" +for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" +do + # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing + if [ -z "$LOG_FILE_PATH" ] + then + continue + fi + $FILE_CMD "0640" "$LOG_FILE_PATH" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -180387,37 +180387,6 @@ associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. CCE-83426-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' ) - -if [[ ! -f /etc/rsyslog.conf ]]; then - # Something is not right, create the file - touch /etc/rsyslog.conf -fi - -APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf) - -# Loop through the remote methods associative array -for K in "${!REMOTE_METHODS[@]}" -do - # Check to see if selector/value exists - if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then - # Make sure we have a line to insert after, otherwise append to end - if [[ ! -z ${APPEND_LINE} ]]; then - # Add selector to file - sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf - else - echo "${K} /var/log/secure" >> /etc/rsyslog.conf - fi - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Ensure remote access methods are monitored in Rsyslog: Set facts' set_fact: conf_files: 
@@ -180537,6 +180506,37 @@ fi - medium_severity - no_reboot_needed - rsyslog_remote_access_monitoring + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' ) + +if [[ ! -f /etc/rsyslog.conf ]]; then + # Something is not right, create the file + touch /etc/rsyslog.conf +fi + +APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf) + +# Loop through the remote methods associative array +for K in "${!REMOTE_METHODS[@]}" +do + # Check to see if selector/value exists + if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then + # Make sure we have a line to insert after, otherwise append to end + if [[ ! -z ${APPEND_LINE} ]]; then + # Add selector to file + sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf + else + echo "${K} /var/log/secure" >> /etc/rsyslog.conf + fi + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -180564,21 +180564,13 @@ from remote hosts, thus enabling centralised log management.Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. + +package --add=systemd-journal-remote + [[packages]] name = "systemd-journal-remote" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "systemd-journal-remote" ; then - yum install -y "systemd-journal-remote" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_systemd-journal-remote 
@@ -180601,8 +180593,16 @@ class install_systemd-journal-remote { - no_reboot_needed - package_systemd-journal-remote_installed - -package --add=systemd-journal-remote + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "systemd-journal-remote" ; then + yum install -y "systemd-journal-remote" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -180628,18 +180628,6 @@ The systemd-journald service can be enabled with the foll [customizations.services] enabled = ["systemd-journald"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'systemd-journald.service' -"$SYSTEMCTL_EXEC" start 'systemd-journald.service' -"$SYSTEMCTL_EXEC" enable 'systemd-journald.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_systemd-journald @@ -180675,6 +180663,18 @@ class enable_systemd-journald { - medium_severity - no_reboot_needed - service_systemd-journald_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'systemd-journald.service' +"$SYSTEMCTL_EXEC" start 'systemd-journald.service' +"$SYSTEMCTL_EXEC" enable 'systemd-journald.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -180689,37 +180689,6 @@ class enable_systemd-journald { 4.2.2.3 Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full. CCE-85930-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/systemd/journald.conf" ] ; then - - LC_ALL=C sed -i "/^\s*Compress\s*=\s*/d" "/etc/systemd/journald.conf" -else - touch "/etc/systemd/journald.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/systemd/journald.conf" - -cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" -# Insert before the line matching the regex '^#\s*Compress'. -line_number="$(LC_ALL=C grep -n "^#\s*Compress" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^#\s*Compress', insert at - # the end of the file. - printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" -else - head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" - printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" - tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" -fi -# Clean up after ourselves. -rm "/etc/systemd/journald.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Setting unquoted shell-style assignment of 'Compress' to 'yes' in '/etc/systemd/journald.conf' block: 
@@ -180760,26 +180729,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure journald is configured to send logs to rsyslog - Data from journald may be stored in volatile memory or persisted locally. -Utilities exist to accept remote export of journald logs. - 4.2.1.3 - Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. - CCE-85995-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then if [ -e "/etc/systemd/journald.conf" ] ; then - LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf" + LC_ALL=C sed -i "/^\s*Compress\s*=\s*/d" "/etc/systemd/journald.conf" else touch "/etc/systemd/journald.conf" fi 
@@ -180787,15 +180742,15 @@ fi sed -i -e '$a\' "/etc/systemd/journald.conf" cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" -# Insert before the line matching the regex '^#\s*ForwardToSyslog'. -line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" +# Insert before the line matching the regex '^#\s*Compress'. +line_number="$(LC_ALL=C grep -n "^#\s*Compress" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then - # There was no match of '^#\s*ForwardToSyslog', insert at + # There was no match of '^#\s*Compress', insert at # the end of the file. - printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" + printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" - printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" + printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi # Clean up after ourselves. @@ -180805,6 +180760,20 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure journald is configured to send logs to rsyslog + Data from journald may be stored in volatile memory or persisted locally. +Utilities exist to accept remote export of journald logs. + 4.2.1.3 + Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. + CCE-85995-9 - name: Setting unquoted shell-style assignment of 'ForwardToSyslog' to 'yes' in '/etc/systemd/journald.conf' block: 
@@ -180845,26 +180814,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure journald is configured to write log files to persistent disk - The journald system may store log files in volatile memory or locally on disk. -If the logs are only stored in volatile memory they will we lost upon reboot. - 4.2.2.4 - Log files contain valuable data and need to be persistent to aid in possible investigations. - CCE-86045-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then if [ -e "/etc/systemd/journald.conf" ] ; then - LC_ALL=C sed -i "/^\s*Storage\s*=\s*/d" "/etc/systemd/journald.conf" + LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf" else touch "/etc/systemd/journald.conf" fi 
@@ -180872,15 +180827,15 @@ fi sed -i -e '$a\' "/etc/systemd/journald.conf" cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" -# Insert before the line matching the regex '^#\s*Storage'. -line_number="$(LC_ALL=C grep -n "^#\s*Storage" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" +# Insert before the line matching the regex '^#\s*ForwardToSyslog'. +line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then - # There was no match of '^#\s*Storage', insert at + # There was no match of '^#\s*ForwardToSyslog', insert at # the end of the file. - printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" + printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" - printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" + printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi # Clean up after ourselves. @@ -180890,6 +180845,20 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure journald is configured to write log files to persistent disk + The journald system may store log files in volatile memory or locally on disk. +If the logs are only stored in volatile memory they will we lost upon reboot. + 4.2.2.4 + Log files contain valuable data and need to be persistent to aid in possible investigations. + CCE-86045-2 - name: Setting unquoted shell-style assignment of 'Storage' to 'persistent' in '/etc/systemd/journald.conf' block: 
@@ -180929,6 +180898,37 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/systemd/journald.conf" ] ; then + + LC_ALL=C sed -i "/^\s*Storage\s*=\s*/d" "/etc/systemd/journald.conf" +else + touch "/etc/systemd/journald.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/systemd/journald.conf" + +cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" +# Insert before the line matching the regex '^#\s*Storage'. +line_number="$(LC_ALL=C grep -n "^#\s*Storage" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^#\s*Storage', insert at + # the end of the file. + printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" +else + head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" + printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" + tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" +fi +# Clean up after ourselves. +rm "/etc/systemd/journald.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -180951,21 +180951,6 @@ NOTE: If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary. CCE-87605-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SOCKET_NAME="systemd-journal-remote.socket" -SYSTEMCTL_EXEC='/usr/bin/systemctl' - -if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then - "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" - "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present in the System ansible.builtin.command: @@ -181000,6 +180985,21 @@ fi - medium_severity - no_reboot_needed - socket_systemd-journal-remote_disabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SOCKET_NAME="systemd-journal-remote.socket" +SYSTEMCTL_EXEC='/usr/bin/systemctl' + +if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then + "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" + "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -181074,21 +181074,13 @@ used. 4.3 The logrotate package provides the logrotate services. CCE-86154-2 + +package --add=logrotate + [[packages]] name = "logrotate" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "logrotate" ; then - yum install -y "logrotate" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_logrotate 
@@ -181115,8 +181107,16 @@ class install_logrotate { - no_reboot_needed - package_logrotate_installed - -package --add=logrotate + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "logrotate" ; then + yum install -y "logrotate" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181173,30 +181173,20 @@ that they fill up the /var/log partition. Valuable logging information could be if the /var/log partition becomes full. CCE-80794-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q logrotate; }; then - -LOGROTATE_CONF_FILE="/etc/logrotate.conf" - -CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" - - -# daily rotation is configured -grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE - -# remove any line configuring weekly, monthly or yearly rotation -sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE - - -# configure cron.daily if not already -if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then - echo '#!/bin/sh' > $CRON_DAILY_LOGROTATE_FILE - echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. }} + mode: 0644 + path: /etc/logrotate.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -181281,20 +181271,30 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. }} - mode: 0644 - path: /etc/logrotate.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q logrotate; }; then + +LOGROTATE_CONF_FILE="/etc/logrotate.conf" + +CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" + + +# daily rotation is configured +grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE + +# remove any line configuring weekly, monthly or yearly rotation +sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE + + +# configure cron.daily if not already +if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then + echo '#!/bin/sh' > $CRON_DAILY_LOGROTATE_FILE + echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181349,17 +181349,6 @@ that they fill up the /var/log partition. Valuable logging information could be if the /var/log partition becomes full. CCE-86157-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && rpm --quiet -q logrotate ); }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" start 'logrotate.timer' -"$SYSTEMCTL_EXEC" enable 'logrotate.timer' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -181404,6 +181393,17 @@ fi - medium_severity - no_reboot_needed - timer_logrotate_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && rpm --quiet -q logrotate ); }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" start 'logrotate.timer' +"$SYSTEMCTL_EXEC" enable 'logrotate.timer' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181464,21 +181464,13 @@ $ sudo yum install syslog-ng-core PR.PT-1 The syslog-ng-core package provides the syslog-ng daemon, which provides system logging services. + +package --add=syslog-ng + [[packages]] name = "syslog-ng" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "syslog-ng" ; then - yum install -y "syslog-ng" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_syslog-ng @@ -181502,8 +181494,16 @@ class install_syslog-ng { - no_reboot_needed - package_syslogng_installed - -package --add=syslog-ng + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "syslog-ng" ; then + yum install -y "syslog-ng" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -181596,18 +181596,6 @@ logging services, which are essential to system administration. [customizations.services] enabled = ["syslog-ng"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'syslog-ng.service' -"$SYSTEMCTL_EXEC" start 'syslog-ng.service' -"$SYSTEMCTL_EXEC" enable 'syslog-ng.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_syslog-ng @@ -181643,6 +181631,18 @@ class enable_syslog-ng { - medium_severity - no_reboot_needed - service_syslogng_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'syslog-ng.service' +"$SYSTEMCTL_EXEC" start 'syslog-ng.service' +"$SYSTEMCTL_EXEC" enable 'syslog-ng.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181886,38 +181886,6 @@ input(type="imudp" port="514") messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. CCE-84275-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))' -rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$' - -readarray -t legacy_targets < <(grep -l -E -r "${legacy_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) -readarray -t rainer_targets < <(grep -l -E -r "${rainer_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) - -config_changed=false -if [ ${#legacy_targets[@]} -gt 0 ]; then - for target in "${legacy_targets[@]}"; do - sed -E -i "/$legacy_regex/ s/^/# /" "$target" - done - config_changed=true -fi - -if [ ${#rainer_targets[@]} -gt 0 ]; then - for target in "${rainer_targets[@]}"; do - sed -E -i "/$rainer_regex/ s/^/# /" "$target" - done - config_changed=true -fi - -if $config_changed; then - systemctl restart rsyslog.service -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server - Define Rsyslog Config Lines Regex in Legacy Syntax ansible.builtin.set_fact: 
@@ -182135,6 +182103,38 @@ fi - medium_severity - no_reboot_needed - rsyslog_nolisten + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))' +rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$' + +readarray -t legacy_targets < <(grep -l -E -r "${legacy_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) +readarray -t rainer_targets < <(grep -l -E -r "${rainer_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) + +config_changed=false +if [ ${#legacy_targets[@]} -gt 0 ]; then + for target in "${legacy_targets[@]}"; do + sed -E -i "/$legacy_regex/ s/^/# /" "$target" + done + config_changed=true +fi + +if [ ${#rainer_targets[@]} -gt 0 ]; then + for target in "${rainer_targets[@]}"; do + sed -E -i "/$rainer_regex/ s/^/# /" "$target" + done + config_changed=true +fi + +if $config_changed; then + systemctl restart rsyslog.service +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -182282,6 +182282,32 @@ system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. CCE-80863-4 + - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable + set_fact: + rsyslog_remote_loghost_address: !!str + tags: + - always + +- name: Set rsyslog remote loghost + lineinfile: + dest: /etc/rsyslog.conf + regexp: ^\*\.\* + line: '*.* @@{{ rsyslog_remote_loghost_address }}' + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80863-4 + - DISA-STIG-RHEL-08-030690 + - NIST-800-53-AU-4(1) + - NIST-800-53-AU-9(2) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - rsyslog_remote_loghost + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -182313,32 +182339,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable - set_fact: - rsyslog_remote_loghost_address: !!str - tags: - - always - -- name: Set rsyslog remote loghost - lineinfile: - dest: /etc/rsyslog.conf - regexp: ^\*\.\* - line: '*.* @@{{ rsyslog_remote_loghost_address }}' - create: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80863-4 - - DISA-STIG-RHEL-08-030690 - - NIST-800-53-AU-4(1) - - NIST-800-53-AU-9(2) - - NIST-800-53-CM-6(a) - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - rsyslog_remote_loghost 
@@ -182371,36 +182371,6 @@ Replace the <remote system> in the above command wi For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted. CCE-82457-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -rsyslog_remote_loghost_address='' - -params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") -values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on") -params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") -values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on") - -files_containing_omfwd=("$(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)") -if [ -n "${files_containing_omfwd[*]}" ]; then - for file in "${files_containing_omfwd[@]}"; do - for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do - sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file" - done - for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do - if ! 
grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then - sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file" - fi - done - done -else - echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")" >> /etc/rsyslog.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable set_fact: rsyslog_remote_loghost_address: !!str 
@@ -182607,6 +182577,36 @@ fi - medium_severity - no_reboot_needed - rsyslog_remote_tls + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +rsyslog_remote_loghost_address='' + +params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") +values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on") +params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") +values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on") + +files_containing_omfwd=("$(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)") +if [ -n "${files_containing_omfwd[*]}" ]; then + for file in "${files_containing_omfwd[@]}"; do + for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do + sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file" + done + for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do + if ! grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then + sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file" + fi + done + done +else + echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")" >> /etc/rsyslog.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -182874,15 +182874,6 @@ untrusted access, prevent system availability, and/or can lead to a compromise o attack. CCE-82179-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q polkit; then - -printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -182931,6 +182922,15 @@ fi - network_nmcli_permissions - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q polkit; then + +printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183054,17 +183054,6 @@ tools must be documented with the Information Systems Security Manager (ISSM) an to only authorized personnel. CCE-82283-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do - ip link set dev $interface multicast off promisc off -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure System is Not Acting as a Network Sniffer - Gather network interfaces ansible.builtin.command: cmd: ip link show 
@@ -183108,6 +183097,17 @@ fi - network_sniffer_disabled - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do + ip link set dev $interface multicast off promisc off +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183148,37 +183148,6 @@ the firewall has to be reloaded. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. CCE-86506-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then - -if [ -e "/etc/firewalld/firewalld.conf" ] ; then - - LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf" -else - touch "/etc/firewalld/firewalld.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/firewalld/firewalld.conf" - -cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak" -# Insert before the line matching the regex '^#\s*FirewallBackend'. -line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^#\s*FirewallBackend', insert at - # the end of the file. - printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" -else - head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf" - printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" - tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf" -fi -# Clean up after ourselves. -rm "/etc/firewalld/firewalld.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -183237,6 +183206,37 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then + +if [ -e "/etc/firewalld/firewalld.conf" ] ; then + + LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf" +else + touch "/etc/firewalld/firewalld.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/firewalld/firewalld.conf" + +cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak" +# Insert before the line matching the regex '^#\s*FirewallBackend'. +line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^#\s*FirewallBackend', insert at + # the end of the file. + printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" +else + head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf" + printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" + tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf" +fi +# Clean up after ourselves. +rm "/etc/firewalld/firewalld.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -183348,21 +183348,13 @@ Remote access is access to DoD nonpublic information systems by an authorized us Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." CCE-82998-6 + +package --add=firewalld + [[packages]] name = "firewalld" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "firewalld" ; then - yum install -y "firewalld" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_firewalld @@ -183388,8 +183380,16 @@ class install_firewalld { - no_reboot_needed - package_firewalld_installed - -package --add=firewalld + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "firewalld" ; then + yum install -y "firewalld" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183451,18 +183451,6 @@ prevents connections from unknown hosts and protocols. [customizations.services] enabled = ["firewalld"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'firewalld.service' -"$SYSTEMCTL_EXEC" start 'firewalld.service' -"$SYSTEMCTL_EXEC" enable 'firewalld.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_firewalld 
@@ -183529,6 +183517,18 @@ class enable_firewalld { - medium_severity - no_reboot_needed - service_firewalld_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'firewalld.service' +"$SYSTEMCTL_EXEC" start 'firewalld.service' +"$SYSTEMCTL_EXEC" enable 'firewalld.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183870,15 +183870,13 @@ $ sudo yum install libreswan to initiate a secure VPN connection protects information when it is transmitted over a wide area network. CCE-80845-1 + +package --add=libreswan + [[packages]] name = "libreswan" version = "*" - - -if ! rpm -q --quiet "libreswan" ; then - yum install -y "libreswan" -fi include install_libreswan @@ -183903,8 +183901,10 @@ class install_libreswan { - no_reboot_needed - package_libreswan_installed - -package --add=libreswan + +if ! rpm -q --quiet "libreswan" ; then + yum install -y "libreswan" +fi @@ -184041,21 +184041,13 @@ These services load the iptables rules during the system startup and also allow the iptables rules during runtime. CCE-85982-7 + +package --add=iptables-services + [[packages]] name = "iptables-services" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q iptables; then - -if ! rpm -q --quiet "iptables-services" ; then - yum install -y "iptables-services" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_iptables-services 
@@ -184093,8 +184085,16 @@ class install_iptables-services { - no_reboot_needed - package_iptables-services_installed - -package --add=iptables-services + # Remediation is applicable only in certain platforms +if rpm --quiet -q iptables; then + +if ! rpm -q --quiet "iptables-services" ; then + yum install -y "iptables-services" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -184117,21 +184117,13 @@ code. iptables allows system operators to set up firewall masquerading, etc. CCE-82982-0 + +package --add=iptables + [[packages]] name = "iptables" version = "*" - - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] ); then - -if ! rpm -q --quiet "iptables" ; then - yum install -y "iptables" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_iptables @@ -184158,8 +184150,16 @@ class install_iptables { - no_reboot_needed - package_iptables_installed - -package --add=iptables + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] ); then + +if ! rpm -q --quiet "iptables" ; then + yum install -y "iptables" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -184182,24 +184182,8 @@ during runtime. Those iptables services conflicts with firewalld so they should firewalld is used. CCE-86679-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q iptables; then - -# CAUTION: This remediation script will remove iptables-services -# from the system, and may remove any packages -# that depend on iptables-services. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "iptables-services" ; then - - yum remove -y "iptables-services" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=iptables-services include remove_iptables-services 
@@ -184235,8 +184219,24 @@ class remove_iptables-services { - no_reboot_needed - package_iptables-services_removed - -package --remove=iptables-services + # Remediation is applicable only in certain platforms +if rpm --quiet -q iptables; then + +# CAUTION: This remediation script will remove iptables-services +# from the system, and may remove any packages +# that depend on iptables-services. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "iptables-services" ; then + + yum remove -y "iptables-services" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -184415,18 +184415,6 @@ capability for IPv6 and ICMPv6. [customizations.services] enabled = ["ip6tables"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'ip6tables.service' -"$SYSTEMCTL_EXEC" start 'ip6tables.service' -"$SYSTEMCTL_EXEC" enable 'ip6tables.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_ip6tables @@ -184466,6 +184454,18 @@ class enable_ip6tables { - medium_severity - no_reboot_needed - service_ip6tables_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ip6tables.service' +"$SYSTEMCTL_EXEC" start 'ip6tables.service' +"$SYSTEMCTL_EXEC" enable 'ip6tables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -184617,18 +184617,6 @@ capability for IPv4 and ICMP. [customizations.services] enabled = ["iptables"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'iptables.service' -"$SYSTEMCTL_EXEC" start 'iptables.service' -"$SYSTEMCTL_EXEC" enable 'iptables.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_iptables @@ -184668,6 +184656,18 @@ class enable_iptables { - medium_severity - no_reboot_needed - service_iptables_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'iptables.service' +"$SYSTEMCTL_EXEC" start 'iptables.service' +"$SYSTEMCTL_EXEC" enable 'iptables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -185136,15 +185136,6 @@ the vulnerability to exploitation. CCE-82887-1 [customizations.kernel] append = "ipv6.disable=1" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common; then - -grubby --update-kernel=ALL --args=ipv6.disable=1 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -185173,6 +185164,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common; then + +grubby --update-kernel=ALL --args=ipv6.disable=1 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -185262,39 +185262,6 @@ depend on it), while disabling support for the IPv6 protocol. CCE-82872-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack -echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf - -# Since according to: https://access.redhat.com/solutions/72733 -# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from -# loading, instruct also sysctl configuration to disable IPv6 according to: -# https://access.redhat.com/solutions/8709#rhel6disable - -declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") - -for setting in "${IPV6_SETTINGS[@]}" -do - # Set runtime =1 for setting - /sbin/sysctl -q -n -w "$setting=1" - - # If setting is present in /etc/sysctl.conf, change value to "1" - # else, add "$setting = 1" to /etc/sysctl.conf - if grep -q ^"$setting" /etc/sysctl.conf ; then - sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf - else - echo "" >> /etc/sysctl.conf - echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf - echo "$setting = 1" >> /etc/sysctl.conf - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable IPv6 Networking kernel module lineinfile: create: true 
@@ -185335,6 +185302,39 @@ fi - medium_disruption - medium_severity - reboot_required + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack +echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf + +# Since according to: https://access.redhat.com/solutions/72733 +# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from +# loading, instruct also sysctl configuration to disable IPv6 according to: +# https://access.redhat.com/solutions/8709#rhel6disable + +declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") + +for setting in "${IPV6_SETTINGS[@]}" +do + # Set runtime =1 for setting + /sbin/sysctl -q -n -w "$setting=1" + + # If setting is present in /etc/sysctl.conf, change value to "1" + # else, add "$setting = 1" to /etc/sysctl.conf + if grep -q ^"$setting" /etc/sysctl.conf ; then + sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf + else + echo "" >> /etc/sysctl.conf + echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf + echo "$setting = 1" >> /etc/sysctl.conf + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -185523,66 +185523,6 @@ functionality require the IPv6 stack loaded to work. the vulnerability to exploitation. CCE-85904-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.disable_ipv6" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv6.conf.all.disable_ipv6 -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1" - -# -# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1" -# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.disable_ipv6") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-85904-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -185648,6 +185588,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_disable_ipv6 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.disable_ipv6" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv6.conf.all.disable_ipv6 +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1" + +# +# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1" +# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.disable_ipv6") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-85904-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -185737,66 +185737,6 @@ functionality require the IPv6 stack loaded to work. the vulnerability to exploitation. CCE-86004-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.disable_ipv6" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv6.conf.default.disable_ipv6 -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6="1" - -# -# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to "1" -# else, add "net.ipv6.conf.default.disable_ipv6 = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.disable_ipv6") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-86004-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -185862,6 +185802,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_disable_ipv6 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.disable_ipv6" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv6.conf.default.disable_ipv6 +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6="1" + +# +# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to "1" +# else, add "net.ipv6.conf.default.disable_ipv6 = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.disable_ipv6") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-86004-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -186165,67 +186165,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit router advertisement message could result in a man-in-the-middle attack. CCE-81006-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_accept_ra_value='' - - -# -# Set runtime for net.ipv6.conf.all.accept_ra -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value" - -# -# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81006-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.all.accept_ra%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
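Review bot: this `@@ -186165,67 +186165,20 @@` hunk and the paired `@@ -186300,49 +186253,18 @@` hunk below only swap the order of the two fixes for CCE-81006-9: here the bash remediation is removed and the Ignition `MachineConfig` for `/etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf` is inserted after `CCE-81006-9`, while the next hunk removes that same `MachineConfig` and re-adds the identical bash script. No remediation content changes, so this part of the datastream diff is ordering churn that would hide a real change in the same publish; emitting fix elements in a fixed order (for example sorted by fix system) would shrink the automated publish diff to actual changes.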
@@ -186300,49 +186253,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_ra - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.all.accept_ra%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf - overwrite: true - - - - - - - - - - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_defrtr = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84272-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra_defrtr" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
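Review bot: the added line `matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq )` has no boundary after the key, so when the accept_ra remediation scans `/etc/sysctl.d/*.conf` it also matches `net.ipv6.conf.all.accept_ra_defrtr`, `accept_ra_pinfo` and `accept_ra_rtr_pref` entries (the keys of the rules that follow) and comments them out. The `/etc/sysctl.conf` lookup later in the same script uses `\\>` for exactly this reason (the comment says `'setting2' won't match`), so the `grep -P` pattern should get the same treatment, e.g. `net\.ipv6\.conf\.all\.accept_ra\b`; the unescaped dots in the key match any character as well.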
@@ -186354,37 +186276,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_accept_ra_defrtr_value='' +sysctl_net_ipv6_conf_all_accept_ra_value='' # -# Set runtime for net.ipv6.conf.all.accept_ra_defrtr +# Set runtime for net.ipv6.conf.all.accept_ra # -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_defrtr="$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value" # -# If net.ipv6.conf.all.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra_defrtr = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_defrtr") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84272-4" + cce="CCE-81006-9" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -186393,6 +186315,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_defrtr = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84272-4 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -186452,34 +186390,18 @@ fi - sysctl_net_ipv6_conf_all_accept_ra_defrtr - unknown_severity - - - - - - - - - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_pinfo = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84280-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra_pinfo" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_ra_defrtr" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -186491,37 +186413,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_accept_ra_pinfo_value='' +sysctl_net_ipv6_conf_all_accept_ra_defrtr_value='' # -# Set runtime for net.ipv6.conf.all.accept_ra_pinfo +# Set runtime for net.ipv6.conf.all.accept_ra_defrtr # -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_pinfo="$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_defrtr="$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" # -# If net.ipv6.conf.all.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra_pinfo = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_defrtr = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_pinfo") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_defrtr") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84280-7" + cce="CCE-84272-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -186530,6 +186452,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_pinfo = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84280-7 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -186589,34 +186527,18 @@ fi - sysctl_net_ipv6_conf_all_accept_ra_pinfo - unknown_severity - - - - - - - - - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_rtr_pref = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84288-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra_rtr_pref" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_ra_pinfo" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -186628,37 +186550,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value='' +sysctl_net_ipv6_conf_all_accept_ra_pinfo_value='' # -# Set runtime for net.ipv6.conf.all.accept_ra_rtr_pref +# Set runtime for net.ipv6.conf.all.accept_ra_pinfo # -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_pinfo="$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" # -# If net.ipv6.conf.all.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_pinfo = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_rtr_pref") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_pinfo") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84288-0" + cce="CCE-84280-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -186667,6 +186589,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_rtr_pref = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84288-0 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -186725,6 +186663,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_ra_rtr_pref - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.accept_ra_rtr_pref" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value='' + + +# +# Set runtime for net.ipv6.conf.all.accept_ra_rtr_pref +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" + +# +# If net.ipv6.conf.all.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_rtr_pref") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84288-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
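Review bot: as rendered in this `@@ -186725,6 +186663,68 @@` hunk the script sets `sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value=''` and then runs `/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value"` and appends `net.ipv6.conf.all.accept_ra_rtr_pref = ` with nothing after the equals sign to `/etc/sysctl.conf`. If the value is filled in by the datastream's value substitution when the fix is exported this is fine, but as plain text the runtime call fails and the config file is left with a key and no value; the same applies to every other `*_value=''` assignment in this patch. A guard such as `[ -n "$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" ] || exit 1` before the sysctl call would make that failure explicit instead of silent.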
@@ -186818,67 +186818,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit ICMP redirect message could result in a man-in-the-middle attack. CCE-81009-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_accept_redirects_value='' - - -# -# Set runtime for net.ipv6.conf.all.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value" - -# -# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81009-3" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
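Review bot: the `MachineConfig` added in this `@@ -186818,67 +186818,20 @@` hunk hard-codes the setting as `source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A` (which decodes to `net.ipv6.conf.all.accept_redirects=0` plus a newline) in `/etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf`, whereas the bash fix for the same CCE-81009-3 takes its value from `sysctl_net_ipv6_conf_all_accept_redirects_value` and writes to `/etc/sysctl.conf`. Two fixes for one rule that differ in both value source and target file will diverge if the value is ever tailored to anything other than 0; either documenting that the Ignition fix is pinned to 0 or deriving its data URL from the same variable would keep them consistent.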
@@ -186960,20 +186913,67 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_accept_redirects_value='' + + +# +# Set runtime for net.ipv6.conf.all.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value" + +# +# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81009-3" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
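Review bot: `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do` in this `@@ -186960,20 +186913,67 @@` hunk runs without `nullglob`, so a directory with no `.conf` files hands the literal glob to `grep -P ... $f`, which prints a "No such file or directory" error on every run; `$f` is also unquoted in both the grep and `sed -i "s/^${escaped_entry}$/# &/g" $f`. `shopt -s nullglob` (or a `[ -f "$f" ] || continue` guard) plus `"$f"` would remove the spurious errors and make the loop robust. Separately, `escaped_entry` escapes only `/`, so a user line containing other BRE metacharacters such as `[` or `\` would not be commented out as the comment promises.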
@@ -187071,67 +187071,20 @@ Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81013-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_accept_source_route_value='' - - -# -# Set runtime for net.ipv6.conf.all.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value" - -# -# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81013-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -187207,49 +187160,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf - overwrite: true - - - - - - - - - - - Configure Auto Configuration on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.autoconf=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.autoconf = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84266-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.autoconf.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.autoconf" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -187261,37 +187183,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_autoconf_value='' +sysctl_net_ipv6_conf_all_accept_source_route_value='' # -# Set runtime for net.ipv6.conf.all.autoconf +# Set runtime for net.ipv6.conf.all.accept_source_route # -/sbin/sysctl -q -n -w net.ipv6.conf.all.autoconf="$sysctl_net_ipv6_conf_all_autoconf_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value" # -# If net.ipv6.conf.all.autoconf present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.autoconf = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.autoconf") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_autoconf_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.autoconf\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84266-6" + cce="CCE-81013-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -187300,6 +187222,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.autoconf=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.autoconf = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84266-6 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187357,6 +187295,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_autoconf - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.autoconf.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.autoconf" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_autoconf_value='' + + +# +# Set runtime for net.ipv6.conf.all.autoconf +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.autoconf="$sysctl_net_ipv6_conf_all_autoconf_value" + +# +# If net.ipv6.conf.all.autoconf present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.autoconf = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.autoconf") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_autoconf_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.autoconf\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84266-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -187469,68 +187469,6 @@ interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. CCE-82863-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_forwarding_value='' - - -# -# Set runtime for net.ipv6.conf.all.forwarding -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value" - -# -# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-82863-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187607,34 +187545,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_forwarding - - - - - - - - - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.max_addresses = 1 - BP28(R22) - The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. - - CCE-84259-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.max_addresses.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.max_addresses" matches to preserve user data + # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -187646,37 +187568,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_max_addresses_value='' +sysctl_net_ipv6_conf_all_forwarding_value='' # -# Set runtime for net.ipv6.conf.all.max_addresses +# Set runtime for net.ipv6.conf.all.forwarding # -/sbin/sysctl -q -n -w net.ipv6.conf.all.max_addresses="$sysctl_net_ipv6_conf_all_max_addresses_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value" # -# If net.ipv6.conf.all.max_addresses present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.max_addresses = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.max_addresses") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_max_addresses_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.max_addresses\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84259-1" + cce="CCE-82863-2" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -187685,6 +187607,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.max_addresses = 1 + BP28(R22) + The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. + + CCE-84259-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187744,34 +187682,18 @@ fi - sysctl_net_ipv6_conf_all_max_addresses - unknown_severity - - - - - - - - - - Configure Denying Router Solicitations on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.router_solicitations = 0 - BP28(R22) - To prevent discovery of the system by other systems, router solicitation requests should be denied. - - CCE-84109-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.router_solicitations.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.max_addresses.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.router_solicitations" matches to preserve user data + # comment out "net.ipv6.conf.all.max_addresses" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -187783,37 +187705,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_router_solicitations_value='' +sysctl_net_ipv6_conf_all_max_addresses_value='' # -# Set runtime for net.ipv6.conf.all.router_solicitations +# Set runtime for net.ipv6.conf.all.max_addresses # -/sbin/sysctl -q -n -w net.ipv6.conf.all.router_solicitations="$sysctl_net_ipv6_conf_all_router_solicitations_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.max_addresses="$sysctl_net_ipv6_conf_all_max_addresses_value" # -# If net.ipv6.conf.all.router_solicitations present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.router_solicitations = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.max_addresses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.max_addresses = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.router_solicitations") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.max_addresses") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_router_solicitations_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_max_addresses_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.router_solicitations\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.max_addresses\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84109-8" + cce="CCE-84259-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -187822,6 +187744,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.router_solicitations = 0 + BP28(R22) + To prevent discovery of the system by other systems, router solicitation requests should be denied. + + CCE-84109-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187880,6 +187818,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_router_solicitations - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.router_solicitations.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.router_solicitations" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_router_solicitations_value='' + + +# +# Set runtime for net.ipv6.conf.all.router_solicitations +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.router_solicitations="$sysctl_net_ipv6_conf_all_router_solicitations_value" + +# +# If net.ipv6.conf.all.router_solicitations present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.router_solicitations = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.router_solicitations") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_router_solicitations_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.router_solicitations\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84109-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -187969,67 +187969,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit router advertisement message could result in a man-in-the-middle attack. CCE-81007-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_default_accept_ra_value='' - - -# -# Set runtime for net.ipv6.conf.default.accept_ra -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value" - -# -# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81007-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_ra%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -188105,49 +188058,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_accept_ra - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.default.accept_ra%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf - overwrite: true - - - - - - - - - - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_defrtr = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84268-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra_defrtr" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -188159,37 +188081,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_accept_ra_defrtr_value='' +sysctl_net_ipv6_conf_default_accept_ra_value='' # -# Set runtime for net.ipv6.conf.default.accept_ra_defrtr +# Set runtime for net.ipv6.conf.default.accept_ra # -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_defrtr="$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value" # -# If net.ipv6.conf.default.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra_defrtr = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_defrtr") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84268-2" + cce="CCE-81007-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -188198,6 +188120,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_defrtr = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84268-2 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -188257,34 +188195,18 @@ fi - sysctl_net_ipv6_conf_default_accept_ra_defrtr - unknown_severity - - - - - - - - - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_pinfo = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84051-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra_pinfo" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_ra_defrtr" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -188296,37 +188218,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_accept_ra_pinfo_value='' +sysctl_net_ipv6_conf_default_accept_ra_defrtr_value='' # -# Set runtime for net.ipv6.conf.default.accept_ra_pinfo +# Set runtime for net.ipv6.conf.default.accept_ra_defrtr # -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_pinfo="$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_defrtr="$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" # -# If net.ipv6.conf.default.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra_pinfo = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_defrtr = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_pinfo") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_defrtr") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84051-2" + cce="CCE-84268-2" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -188335,6 +188257,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_pinfo = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84051-2 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -188394,34 +188332,18 @@ fi - sysctl_net_ipv6_conf_default_accept_ra_pinfo - unknown_severity - - - - - - - - - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_rtr_pref = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84291-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra_rtr_pref" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_ra_pinfo" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -188433,37 +188355,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value='' +sysctl_net_ipv6_conf_default_accept_ra_pinfo_value='' # -# Set runtime for net.ipv6.conf.default.accept_ra_rtr_pref +# Set runtime for net.ipv6.conf.default.accept_ra_pinfo # -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_pinfo="$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" # -# If net.ipv6.conf.default.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_pinfo = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_rtr_pref") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_pinfo") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84291-4" + cce="CCE-84051-2" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -188472,6 +188394,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_rtr_pref = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84291-4 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -188531,32 +188469,94 @@ fi - sysctl_net_ipv6_conf_default_accept_ra_rtr_pref - unknown_severity - - - - - - - - - - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 - BP28(R22) - 11 - 14 - 3 - 9 - BAI10.01 - BAI10.02 - BAI10.03 - BAI10.05 - DSS05.02 - DSS05.05 - DSS06.06 - 3.1.20 - CCI-000366 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$' $f | uniq ) + if ! 
test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.accept_ra_rtr_pref" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value='' + + +# +# Set runtime for net.ipv6.conf.default.accept_ra_rtr_pref +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" + +# +# If net.ipv6.conf.default.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_rtr_pref") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84291-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 + BP28(R22) + 11 + 14 + 3 + 9 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + 3.1.20 + CCI-000366 CCI-001551 4.3.3.5.1 4.3.3.5.2 
@@ -188621,67 +188621,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit ICMP redirect message could result in a man-in-the-middle attack. CCE-81010-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_default_accept_redirects_value='' - - -# -# Set runtime for net.ipv6.conf.default.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value" - -# -# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81010-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -188757,20 +188710,67 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_default_accept_redirects_value='' + + +# +# Set runtime for net.ipv6.conf.default.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value" + +# +# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81010-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -188872,67 +188872,20 @@ Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81015-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_default_accept_source_route_value='' - - -# -# Set runtime for net.ipv6.conf.default.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value" - -# -# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81015-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -189020,49 +188973,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf - overwrite: true - - - - - - - - - - - Configure Auto Configuration on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.autoconf = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84264-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.autoconf.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.autoconf" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -189074,37 +188996,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_autoconf_value='' +sysctl_net_ipv6_conf_default_accept_source_route_value='' # -# Set runtime for net.ipv6.conf.default.autoconf +# Set runtime for net.ipv6.conf.default.accept_source_route # -/sbin/sysctl -q -n -w net.ipv6.conf.default.autoconf="$sysctl_net_ipv6_conf_default_autoconf_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value" # -# If net.ipv6.conf.default.autoconf present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.autoconf = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.autoconf") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_autoconf_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.autoconf\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84264-1" + cce="CCE-81015-0" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -189113,6 +189035,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.autoconf = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84264-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -189172,34 +189110,18 @@ fi - sysctl_net_ipv6_conf_default_autoconf - unknown_severity - - - - - - - - - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.max_addresses = 1 - BP28(R22) - The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. - - CCE-84257-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.max_addresses.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.autoconf.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.max_addresses" matches to preserve user data + # comment out "net.ipv6.conf.default.autoconf" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -189211,37 +189133,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_max_addresses_value='' +sysctl_net_ipv6_conf_default_autoconf_value='' # -# Set runtime for net.ipv6.conf.default.max_addresses +# Set runtime for net.ipv6.conf.default.autoconf # -/sbin/sysctl -q -n -w net.ipv6.conf.default.max_addresses="$sysctl_net_ipv6_conf_default_max_addresses_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.autoconf="$sysctl_net_ipv6_conf_default_autoconf_value" # -# If net.ipv6.conf.default.max_addresses present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.max_addresses = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.autoconf present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.autoconf = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.max_addresses") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.autoconf") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_max_addresses_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_autoconf_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.max_addresses\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.autoconf\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84257-5" + cce="CCE-84264-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -189250,6 +189172,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.max_addresses = 1 + BP28(R22) + The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. + + CCE-84257-5 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -189309,34 +189247,18 @@ fi - sysctl_net_ipv6_conf_default_max_addresses - unknown_severity - - - - - - - - - - Configure Denying Router Solicitations on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.router_solicitations = 0 - BP28(R22) - To prevent discovery of the system by other systems, router solicitation requests should be denied. - - CCE-83477-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.router_solicitations.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.max_addresses.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.router_solicitations" matches to preserve user data + # comment out "net.ipv6.conf.default.max_addresses" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -189348,37 +189270,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_router_solicitations_value='' +sysctl_net_ipv6_conf_default_max_addresses_value='' # -# Set runtime for net.ipv6.conf.default.router_solicitations +# Set runtime for net.ipv6.conf.default.max_addresses # -/sbin/sysctl -q -n -w net.ipv6.conf.default.router_solicitations="$sysctl_net_ipv6_conf_default_router_solicitations_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.max_addresses="$sysctl_net_ipv6_conf_default_max_addresses_value" # -# If net.ipv6.conf.default.router_solicitations present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.router_solicitations = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.max_addresses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.max_addresses = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.router_solicitations") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.max_addresses") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_router_solicitations_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_max_addresses_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.router_solicitations\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.max_addresses\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83477-0" + cce="CCE-84257-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -189387,6 +189309,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.router_solicitations = 0 + BP28(R22) + To prevent discovery of the system by other systems, router solicitation requests should be denied. + + CCE-83477-0 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -189445,6 +189383,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_router_solicitations - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.router_solicitations.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.router_solicitations" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_default_router_solicitations_value='' + + +# +# Set runtime for net.ipv6.conf.default.router_solicitations +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.router_solicitations="$sysctl_net_ipv6_conf_default_router_solicitations_value" + +# +# If net.ipv6.conf.default.router_solicitations present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.router_solicitations = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.router_solicitations") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_router_solicitations_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.router_solicitations\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-83477-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -189692,6 +189692,60 @@ received from outside whose source is the 127.0.0.0/8 address block. In combination with suitable routing, this can be used to direct packets between two local interfaces over the wire and have them accepted properly. CCE-88789-3 + - name: List /etc/sysctl.d/*.conf files + find: + paths: + - /etc/sysctl.d/ + - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ + contains: ^[\s]*net.ipv4.conf.all.accept_local.*$ + patterns: '*.conf' + file_type: any + register: find_sysctl_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-88789-3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_local + +- name: Comment out any occurrences of net.ipv4.conf.all.accept_local from config + files + replace: + path: '{{ item.path }}' + regexp: ^[\s]*net.ipv4.conf.all.accept_local + replace: '#net.ipv4.conf.all.accept_local' + loop: '{{ find_sysctl_d.files }}' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-88789-3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_local + +- name: Ensure sysctl net.ipv4.conf.all.accept_local is set to 0 + sysctl: + name: net.ipv4.conf.all.accept_local + value: '0' + sysctl_file: /etc/sysctl.conf + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-88789-3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_local + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
@@ -189751,60 +189805,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: List /etc/sysctl.d/*.conf files - find: - paths: - - /etc/sysctl.d/ - - /run/sysctl.d/ - - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.accept_local.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-88789-3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_local - -- name: Comment out any occurrences of net.ipv4.conf.all.accept_local from config - files - replace: - path: '{{ item.path }}' - regexp: ^[\s]*net.ipv4.conf.all.accept_local - replace: '#net.ipv4.conf.all.accept_local' - loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-88789-3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_local - -- name: Ensure sysctl net.ipv4.conf.all.accept_local is set to 0 - sysctl: - name: net.ipv4.conf.all.accept_local - value: '0' - sysctl_file: /etc/sysctl.conf - state: present - reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-88789-3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_local 
@@ -189923,67 +189923,20 @@ message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required." CCE-80917-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_accept_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.all.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value" - -# -# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80917-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -190065,20 +190018,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_accept_redirects_value='' + + +# +# Set runtime for net.ipv4.conf.all.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value" + +# +# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80917-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -190250,67 +190250,20 @@ forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81011-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_accept_source_route_value='' - - -# -# Set runtime for net.ipv4.conf.all.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value" - -# -# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81011-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -190392,51 +190345,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf - overwrite: true - - - - - - - - - - - Configure ARP filtering for All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_filter= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_filter = - This behaviour may cause problems to system on a high availability or load balancing configuration. - BP28(R12) - Prevents the Linux Kernel from handling the ARP table globally. -By default, the kernel may respond to an ARP request from a certain interface with information -from another interface. - CCE-88555-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.arp_filter" matches to preserve user data + # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190448,37 +190368,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_arp_filter_value='' +sysctl_net_ipv4_conf_all_accept_source_route_value='' # -# Set runtime for net.ipv4.conf.all.arp_filter +# Set runtime for net.ipv4.conf.all.accept_source_route # -/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter="$sysctl_net_ipv4_conf_all_arp_filter_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value" # -# If net.ipv4.conf.all.arp_filter present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.arp_filter = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_filter") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_filter_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_filter\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88555-8" + cce="CCE-81011-9" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -190487,6 +190407,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure ARP filtering for All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_filter= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_filter = + This behaviour may cause problems to system on a high availability or load balancing configuration. + BP28(R12) + Prevents the Linux Kernel from handling the ARP table globally. +By default, the kernel may respond to an ARP request from a certain interface with information +from another interface. + CCE-88555-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190545,34 +190483,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_arp_filter - - - - - - - - - - Configure Response Mode of ARP Requests for All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_ignore= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_ignore = - The ARP response mode may impact behaviour of workloads and firewalls on the system. - BP28(R12) - Avoids ARP Flux on system that have more than one interface on the same subnet. - CCE-88889-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.arp_ignore" matches to preserve user data + # comment out "net.ipv4.conf.all.arp_filter" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190584,37 +190506,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_arp_ignore_value='' +sysctl_net_ipv4_conf_all_arp_filter_value='' # -# Set runtime for net.ipv4.conf.all.arp_ignore +# Set runtime for net.ipv4.conf.all.arp_filter # -/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore="$sysctl_net_ipv4_conf_all_arp_ignore_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter="$sysctl_net_ipv4_conf_all_arp_filter_value" # -# If net.ipv4.conf.all.arp_ignore present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.arp_ignore = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.arp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.arp_filter = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_ignore") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_filter") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_ignore_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_filter_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_ignore\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_filter\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_ignore\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88889-1" + cce="CCE-88555-8" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -190623,6 +190545,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Response Mode of ARP Requests for All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_ignore= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_ignore = + The ARP response mode may impact behaviour of workloads and firewalls on the system. + BP28(R12) + Avoids ARP Flux on system that have more than one interface on the same subnet. + CCE-88889-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190681,34 +190619,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_arp_ignore - - - - - - - - - - Drop Gratuitious ARP frames on All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.drop_gratuitous_arp = 1 - This can cause problems if ARP proxies are used in the network. - BP28(R12) - Drop Gratuitous ARP frames to prevent ARP poisoning. - CCE-88001-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.drop_gratuitous_arp from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.drop_gratuitous_arp" matches to preserve user data + # comment out "net.ipv4.conf.all.arp_ignore" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190720,35 +190642,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" +sysctl_net_ipv4_conf_all_arp_ignore_value='' + # -# Set runtime for net.ipv4.conf.all.drop_gratuitous_arp +# Set runtime for net.ipv4.conf.all.arp_ignore # -/sbin/sysctl -q -n -w net.ipv4.conf.all.drop_gratuitous_arp="1" +/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore="$sysctl_net_ipv4_conf_all_arp_ignore_value" # -# If net.ipv4.conf.all.drop_gratuitous_arp present in /etc/sysctl.conf, change value to "1" -# else, add "net.ipv4.conf.all.drop_gratuitous_arp = 1" to /etc/sysctl.conf +# If net.ipv4.conf.all.arp_ignore present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.arp_ignore = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.drop_gratuitous_arp") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_ignore") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_ignore_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.drop_gratuitous_arp\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_ignore\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.drop_gratuitous_arp\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_ignore\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88001-3" + cce="CCE-88889-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -190757,6 +190681,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Drop Gratuitious ARP frames on All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.drop_gratuitous_arp = 1 + This can cause problems if ARP proxies are used in the network. + BP28(R12) + Drop Gratuitous ARP frames to prevent ARP poisoning. + CCE-88001-3 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190811,44 +190751,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_drop_gratuitous_arp - - - - - - - - - Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.forwarding=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.forwarding = 0 - There might be cases when certain applications can systematically override this option. -One such case is Libvirt; a toolkit for managing of virtualization platforms. -By default, Libvirt requires IP forwarding to be enabled to facilitate -network communication between the virtualization host and guest -machines. It enables IP forwarding after every reboot. - CCI-000366 - CM-6(b) - SRG-OS-000480-GPOS-00227 - RHEL-08-040259 - SV-250317r858808_rule - IP forwarding permits the kernel to forward packets from one network -interface to another. The ability to forward packets between two networks is -only appropriate for systems acting as routers. - - CCE-86220-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.forwarding from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.drop_gratuitous_arp from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.forwarding.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.forwarding" matches to preserve user data + # comment out "net.ipv4.conf.all.drop_gratuitous_arp" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190860,37 +190774,35 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_forwarding_value='' - # -# Set runtime for net.ipv4.conf.all.forwarding +# Set runtime for net.ipv4.conf.all.drop_gratuitous_arp # -/sbin/sysctl -q -n -w net.ipv4.conf.all.forwarding="$sysctl_net_ipv4_conf_all_forwarding_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.drop_gratuitous_arp="1" # -# If net.ipv4.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.forwarding = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.drop_gratuitous_arp present in /etc/sysctl.conf, change value to "1" +# else, add "net.ipv4.conf.all.drop_gratuitous_arp = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.forwarding") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.drop_gratuitous_arp") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_forwarding_value" +printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.drop_gratuitous_arp\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.drop_gratuitous_arp\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-86220-1" + cce="CCE-88001-3" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -190899,6 +190811,32 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.forwarding=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.forwarding = 0 + There might be cases when certain applications can systematically override this option. +One such case is Libvirt; a toolkit for managing of virtualization platforms. +By default, Libvirt requires IP forwarding to be enabled to facilitate +network communication between the virtualization host and guest +machines. It enables IP forwarding after every reboot. + CCI-000366 + CM-6(b) + SRG-OS-000480-GPOS-00227 + RHEL-08-040259 + SV-250317r858808_rule + IP forwarding permits the kernel to forward packets from one network +interface to another. The ability to forward packets between two networks is +only appropriate for systems acting as routers. + + CCE-86220-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190962,6 +190900,68 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.forwarding from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.forwarding.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.forwarding" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_forwarding_value='' + + +# +# Set runtime for net.ipv4.conf.all.forwarding +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.forwarding="$sysctl_net_ipv4_conf_all_forwarding_value" + +# +# If net.ipv4.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.forwarding = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.forwarding") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_forwarding_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-86220-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -191089,67 +191089,20 @@ as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. CCE-81018-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.log_martians" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_log_martians_value='' - - -# -# Set runtime for net.ipv4.conf.all.log_martians -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value" - -# -# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.log_martians") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_log_martians_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.log_martians\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81018-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.log_martians%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -191222,50 +191175,18 @@ fi - sysctl_net_ipv4_conf_all_log_martians - unknown_severity - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.log_martians%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf - overwrite: true - - - - - - - - - - - Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.route_localnet=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.route_localnet = 0 - BP28(R12) - Refuse the routing of packets whose source or destination address is the local loopback. -This prohibits the use of network 127/8 for local routing purposes. -Enabling route_localnet can expose applications listening on localhost to external traffic. - CCE-88023-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.route_localnet" matches to preserve user data + # comment out "net.ipv4.conf.all.log_martians" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -191277,35 +191198,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" +sysctl_net_ipv4_conf_all_log_martians_value='' + # -# Set runtime for net.ipv4.conf.all.route_localnet +# Set runtime for net.ipv4.conf.all.log_martians # -/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet="0" +/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value" # -# If net.ipv4.conf.all.route_localnet present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.conf.all.route_localnet = 0" to /etc/sysctl.conf +# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.route_localnet") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.log_martians") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_log_martians_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.route_localnet\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.log_martians\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.route_localnet\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88023-7" + cce="CCE-81018-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -191314,6 +191237,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.route_localnet=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.route_localnet = 0 + BP28(R12) + Refuse the routing of packets whose source or destination address is the local loopback. +This prohibits the use of network 127/8 for local routing purposes. +Enabling route_localnet can expose applications listening on localhost to external traffic. + CCE-88023-7 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -191367,6 +191307,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_route_localnet + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.route_localnet" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.conf.all.route_localnet +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet="0" + +# +# If net.ipv4.conf.all.route_localnet present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.all.route_localnet = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.route_localnet") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.route_localnet\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.route_localnet\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-88023-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -191474,67 +191474,20 @@ received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. CCE-81021-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_rp_filter_value='' - - -# -# Set runtime for net.ipv4.conf.all.rp_filter -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value" - -# -# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81021-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.rp_filter%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -191618,20 +191571,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_rp_filter - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.rp_filter%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_rp_filter_value='' + + +# +# Set runtime for net.ipv4.conf.all.rp_filter +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value" + +# +# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81021-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -191793,67 +191793,20 @@ To make sure that the setting is persistent, add the following line to a file in default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81016-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_secure_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.all.secure_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value" - -# -# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81016-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -191935,49 +191888,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_secure_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf - overwrite: true - - - - - - - - - - - Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.shared_media= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.shared_media = - BP28(R12) - This setting should be aligned with net.ipv4.conf.all.secure_redirects because it overrides it. -If shared_media is enabled for an interface secure_redirects will be enabled too. - CCE-88333-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.shared_media" matches to preserve user data + # comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -191989,37 +191911,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_shared_media_value='' +sysctl_net_ipv4_conf_all_secure_redirects_value='' # -# Set runtime for net.ipv4.conf.all.shared_media +# Set runtime for net.ipv4.conf.all.secure_redirects # -/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media="$sysctl_net_ipv4_conf_all_shared_media_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value" # -# If net.ipv4.conf.all.shared_media present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.shared_media = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.shared_media") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_shared_media_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.shared_media\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88333-0" + cce="CCE-81016-8" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -192028,6 +191950,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.shared_media= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.shared_media = + BP28(R12) + This setting should be aligned with net.ipv4.conf.all.secure_redirects because it overrides it. +If shared_media is enabled for an interface secure_redirects will be enabled too. + CCE-88333-0 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -192086,6 +192024,68 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_shared_media + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.shared_media" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_shared_media_value='' + + +# +# Set runtime for net.ipv4.conf.all.shared_media +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media="$sysctl_net_ipv4_conf_all_shared_media_value" + +# +# If net.ipv4.conf.all.shared_media present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.shared_media = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.shared_media") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_shared_media_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.shared_media\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-88333-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -192254,67 +192254,20 @@ message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. CCE-80919-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_accept_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.default.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value" - -# -# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80919-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
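Review bot: the bash remediation for CCE-80919-4 that this hunk deletes is not actually changed; the identical script (same loop, same `SYSCONFIG_FILE="/etc/sysctl.conf"`, same `cce="CCE-80919-4"`) is re-added in the next hunk after the Ansible tags, and the MachineConfig block added here is the one deleted there. This is a reorder of the rule's `<fix>` children, not a content change, and the same swap repeats for every rule in this patch. For an automated publish the build should emit fixes in a stable order (for example sorted by fix system) so the datastream diff only shows real edits; as generated, a reviewer cannot distinguish a moved remediation from a modified one without comparing the two blocks line by line.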
@@ -192402,20 +192355,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_accept_redirects_value='' + + +# +# Set runtime for net.ipv4.conf.default.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value" + +# +# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80919-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
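Review bot: in the re-added bash fix the value assignment reads `sysctl_net_ipv4_conf_default_accept_redirects_value=''`, and the same empty string appears in every other bash fix in this patch. If that is only the rendering dropping an XCCDF value substitution it is harmless, but if the shipped script really carries an empty string then `/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=""` is rejected as a malformed setting and the line appended to /etc/sysctl.conf becomes `net.ipv4.conf.default.accept_redirects = ` with no value, so the remediation would report success (the `-q` hides the error) while persisting nothing usable. Confirm the substitution survives in the published datastream; the MachineConfig fix in the previous hunk, by contrast, hardcodes `%3D0`.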
@@ -192588,67 +192588,20 @@ uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. CCE-80920-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_accept_source_route_value='' - - -# -# Set runtime for net.ipv4.conf.default.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value" - -# -# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80920-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -192730,20 +192683,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_accept_source_route_value='' + + +# +# Set runtime for net.ipv4.conf.default.accept_source_route +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value" + +# +# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80920-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
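Review bot: the comment-out loop `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf` passes `$f` unquoted to both grep and sed and never checks that the file exists. Without nullglob, a directory with no matching file leaves the literal pattern in `$f`, so `grep -P ... $f` prints a "No such file or directory" error to stderr for every rule that runs this loop; `[ -f "$f" ] || continue` at the top of the loop body and quoting `"$f"` would make the remediation quiet on a clean host. The loop also skips /usr/lib/sysctl.d, where packages ship their own drop-ins; that is probably acceptable because the value is persisted in /etc/sysctl.conf, which `sysctl --system` reads last, but it should be a deliberate choice rather than an omission.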
@@ -192871,67 +192871,20 @@ as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. CCE-81020-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_log_martians_value='' - - -# -# Set runtime for net.ipv4.conf.default.log_martians -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value" - -# -# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81020-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.log_martians%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -193004,20 +192957,67 @@ fi - sysctl_net_ipv4_conf_default_log_martians - unknown_severity - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.log_martians%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_log_martians_value='' + + +# +# Set runtime for net.ipv4.conf.default.log_martians +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value" + +# +# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81020-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
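Review bot: the Ansible tags for this rule still carry `unknown_severity`, while the other rules in this patch carry `medium_severity` (see the shared_media tags further down). The reorder did not cause this, but it surfaces here: a rule that ships with no severity cannot be triaged in scan results. Assign a severity in the rule source so the generated tag is meaningful; the stated rationale (logging spoofed, source-routed and redirected packets so that hostile activity can be detected) supports the same medium level as its siblings.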
@@ -193121,67 +193121,20 @@ received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. CCE-81022-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_rp_filter_value='' - - -# -# Set runtime for net.ipv4.conf.default.rp_filter -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value" - -# -# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81022-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.rp_filter%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
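Review bot: the MachineConfig fix added in this hunk hardcodes `net.ipv4.conf.default.rp_filter%3D1`, whereas the bash fix removed here (and re-added in the next hunk) takes its value from `$sysctl_net_ipv4_conf_default_rp_filter_value`. The two fix systems therefore disagree as soon as a profile tailors the variable, and for rp_filter that matters: the description itself warns that this filtering should not be used on systems which are routers for complicated networks, which is exactly the case where an operator would tailor the value. Either derive the MachineConfig content from the same variable or state in the rule that the OpenShift fix is fixed at 1.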
@@ -193257,20 +193210,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_rp_filter - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.rp_filter%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_rp_filter_value='' + + +# +# Set runtime for net.ipv4.conf.default.rp_filter +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value" + +# +# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value" + +# If the key exists, change it. 
Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81022-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -193434,67 +193434,20 @@ To make sure that the setting is persistent, add the following line to a file in default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81017-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_secure_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.default.secure_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value" - -# -# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81017-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -193570,49 +193523,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf - overwrite: true - - - - - - - - - - - Configure Sending and Accepting Shared Media Redirects by Default - To set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.shared_media= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.shared_media = - BP28(R12) - This setting should be aligned with net.ipv4.conf.default.secure_redirects because it overrides it. -If shared_media is enabled for an interface secure_redirects will be enabled too. - CCE-88444-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.shared_media" matches to preserve user data + # comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -193624,37 +193546,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_default_shared_media_value='' +sysctl_net_ipv4_conf_default_secure_redirects_value='' # -# Set runtime for net.ipv4.conf.default.shared_media +# Set runtime for net.ipv4.conf.default.secure_redirects # -/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value" +/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value" # -# If net.ipv4.conf.default.shared_media present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.shared_media = value" to /etc/sysctl.conf +# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.shared_media") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_shared_media_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.shared_media\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88444-5" + cce="CCE-81017-6" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -193663,6 +193585,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Sending and Accepting Shared Media Redirects by Default + To set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.shared_media= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.shared_media = + BP28(R12) + This setting should be aligned with net.ipv4.conf.default.secure_redirects because it overrides it. +If shared_media is enabled for an interface secure_redirects will be enabled too. + CCE-88444-5 - name: List /etc/sysctl.d/*.conf files find: paths: 
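Review bot: this hunk interleaves two unrelated changes, the secure_redirects bash fix being rewritten key by key (shared_media to secure_redirects, CCE-88444-5 to CCE-81017-6) and the shared_media rule header moving down past it, so the context lines in the middle belong to two different rules. That is the diff algorithm reacting to reordered elements and is another reason to fix the output order. On the moved shared_media description itself: it first says the setting "overrides" net.ipv4.conf.default.secure_redirects and then that "If shared_media is enabled for an interface secure_redirects will be enabled too", which reads in the opposite direction. The point a reader needs is that with shared_media enabled the secure_redirects check is not applied, so the secure_redirects value of 0 written by the MachineConfig for CCE-81017-6 above is only effective when shared_media is also 0; the description should say so and give the expected value instead of leaving `net.ipv4.conf.default.shared_media=` blank.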
@@ -193721,6 +193659,68 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_shared_media + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.shared_media" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_shared_media_value='' + + +# +# Set runtime for net.ipv4.conf.default.shared_media +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value" + +# +# If net.ipv4.conf.default.shared_media present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.shared_media = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.shared_media") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_shared_media_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.shared_media\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-88444-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -193889,67 +193889,20 @@ and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. CCE-80922-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='' - - -# -# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts -# -/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" - -# -# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80922-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -194034,20 +193987,67 @@ fi - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='' + + +# +# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts +# +/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" + +# +# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80922-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -194161,67 +194161,20 @@ To make sure that the setting is persistent, add the following line to a file in Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. CCE-81023-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='' - - -# -# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses -# -/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" - -# -# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81023-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -194300,50 +194253,18 @@ fi - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf - overwrite: true - - - - - - - - - - - Set Kernel Parameter to Increase Local Port Range - To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 32768 65535 - BP28(R22) - This setting defines the local port range that is used by TCP and UDP to -choose the local port. The first number is the first, the second the last -local port number. - CCE-84277-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_local_port_range.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.ip_local_port_range" matches to preserve user data + # comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -194355,35 +194276,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" +sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='' + # -# Set runtime for net.ipv4.ip_local_port_range +# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses # -/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535" +/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" # -# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to "32768 65535" -# else, add "net.ipv4.ip_local_port_range = 32768 65535" to /etc/sysctl.conf +# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_local_port_range") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "32768 65535" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_local_port_range\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_local_port_range\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84277-3" + cce="CCE-81023-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -194392,6 +194315,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Set Kernel Parameter to Increase Local Port Range + To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 32768 65535 + BP28(R22) + This setting defines the local port range that is used by TCP and UDP to +choose the local port. The first number is the first, the second the last +local port number. + CCE-84277-3 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -194445,56 +194385,18 @@ fi - reboot_required - sysctl_net_ipv4_ip_local_port_range - - - - - - - - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments - Make sure that the system is configured to limit the maximal rate for sending -duplicate acknowledgments in response to incoming TCP packets that are for -an existing connection but that are invalid due to any of these reasons: - -(a) out-of-window sequence number, (b) out-of-window acknowledgment number, -or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure -This measure protects against or limits effects of DoS attacks against the system. -Set the system to implement rate-limiting measures by adding the following line to -/etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory -(or modify the line to have the required value): -net.ipv4.tcp_invalid_ratelimit = -Issue the following command to make the changes take effect: -# sysctl --system - CCI-002385 - CIP-007-3 R4 - CIP-007-3 R4.1 - CIP-007-3 R4.2 - CIP-007-3 R5.1 - SC-5 - SRG-OS-000420-GPOS-00186 - Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When -this occurs, the organization either cannot accomplish its mission or must -operate at degraded capacity. - -This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or -malicious middlebox or man-in-the-middle can rewrite TCP header fields in -manner that causes each endpoint to think that the other is sending invalid -TCP segments, thus causing each side to send an unterminating stream of -duplicate acknowledgments for invalid segments. - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.tcp_invalid_ratelimit from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_invalid_ratelimit.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_local_port_range.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.tcp_invalid_ratelimit" matches to preserve user data + # comment out "net.ipv4.ip_local_port_range" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -194506,36 +194408,36 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_tcp_invalid_ratelimit_value='' - # -# Set runtime for net.ipv4.tcp_invalid_ratelimit +# Set runtime for net.ipv4.ip_local_port_range # -/sbin/sysctl -q -n -w net.ipv4.tcp_invalid_ratelimit="$sysctl_net_ipv4_tcp_invalid_ratelimit_value" +/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535" # -# If net.ipv4.tcp_invalid_ratelimit present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.tcp_invalid_ratelimit = value" to /etc/sysctl.conf +# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to "32768 65535" +# else, add "net.ipv4.ip_local_port_range = 32768 65535" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_invalid_ratelimit") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_local_port_range") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_invalid_ratelimit_value" +printf -v formatted_output "%s = %s" "$stripped_key" "32768 65535" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_invalid_ratelimit\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_local_port_range\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_invalid_ratelimit\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_local_port_range\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi + cce="CCE-84277-3" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -194543,6 +194445,44 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + Make sure that the system is configured to limit the maximal rate for sending +duplicate acknowledgments in response to incoming TCP packets that are for +an existing connection but that are invalid due to any of these reasons: + +(a) out-of-window sequence number, (b) out-of-window acknowledgment number, +or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure +This measure protects against or limits effects of DoS attacks against the system. +Set the system to implement rate-limiting measures by adding the following line to +/etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory +(or modify the line to have the required value): +net.ipv4.tcp_invalid_ratelimit = +Issue the following command to make the changes take effect: +# sysctl --system + CCI-002385 + CIP-007-3 R4 + CIP-007-3 R4.1 + CIP-007-3 R4.2 + CIP-007-3 R5.1 + SC-5 + SRG-OS-000420-GPOS-00186 + Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When +this occurs, the organization either cannot accomplish its mission or must +operate at degraded capacity. + +This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or +malicious middlebox or man-in-the-middle can rewrite TCP header fields in +manner that causes each endpoint to think that the other is sending invalid +TCP segments, thus causing each side to send an unterminating stream of +duplicate acknowledgments for invalid segments. - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -194602,35 +194542,18 @@ fi - reboot_required - sysctl_net_ipv4_tcp_invalid_ratelimit - - - - - - - - - - Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - To set the runtime status of the net.ipv4.tcp_rfc1337 kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_rfc1337=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_rfc1337 = 1 - BP28(R22) - Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is -received in TIME_WAIT state, we close the socket immediately without waiting -for the end of the TIME_WAIT period. - CCE-84270-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.tcp_invalid_ratelimit from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_rfc1337.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_invalid_ratelimit.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.tcp_rfc1337" matches to preserve user data + # comment out "net.ipv4.tcp_invalid_ratelimit" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -194642,38 +194565,36 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_tcp_rfc1337_value='' +sysctl_net_ipv4_tcp_invalid_ratelimit_value='' # -# Set runtime for net.ipv4.tcp_rfc1337 +# Set runtime for net.ipv4.tcp_invalid_ratelimit # -/sbin/sysctl -q -n -w net.ipv4.tcp_rfc1337="$sysctl_net_ipv4_tcp_rfc1337_value" +/sbin/sysctl -q -n -w net.ipv4.tcp_invalid_ratelimit="$sysctl_net_ipv4_tcp_invalid_ratelimit_value" # -# If net.ipv4.tcp_rfc1337 present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.tcp_rfc1337 = value" to /etc/sysctl.conf +# If net.ipv4.tcp_invalid_ratelimit present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.tcp_invalid_ratelimit = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_rfc1337") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_invalid_ratelimit") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_rfc1337_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_invalid_ratelimit_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_rfc1337\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_invalid_ratelimit\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_rfc1337\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_invalid_ratelimit\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84270-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -194681,6 +194602,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces + To set the runtime status of the net.ipv4.tcp_rfc1337 kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_rfc1337=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_rfc1337 = 1 + BP28(R22) + Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is +received in TIME_WAIT state, we close the socket immediately without waiting +for the end of the TIME_WAIT period. + CCE-84270-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -194739,50 +194677,112 @@ fi - reboot_required - sysctl_net_ipv4_tcp_rfc1337 - - - - - - - - - - Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 - BP28(R22) - 1 - 12 - 13 - 14 - 15 - 16 - 18 - 2 - 4 - 6 - 7 - 8 - 9 - 5.10.1.1 - APO01.06 - APO13.01 - BAI04.04 - DSS01.03 - DSS01.05 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.07 - DSS06.02 - 3.1.20 - CCI-000366 - CCI-001095 - 4.2.3.4 - 4.3.3.4 - 4.4.3.3 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_rfc1337.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.tcp_rfc1337" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_tcp_rfc1337_value='' + + +# +# Set runtime for net.ipv4.tcp_rfc1337 +# +/sbin/sysctl -q -n -w net.ipv4.tcp_rfc1337="$sysctl_net_ipv4_tcp_rfc1337_value" + +# +# If net.ipv4.tcp_rfc1337 present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.tcp_rfc1337 = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_rfc1337") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_rfc1337_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_rfc1337\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_rfc1337\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84270-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces + To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 + BP28(R22) + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 4 + 6 + 7 + 8 + 9 + 5.10.1.1 + APO01.06 + APO13.01 + BAI04.04 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + 3.1.20 + CCI-000366 + CCI-001095 + 4.2.3.4 + 4.3.3.4 + 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 
@@ -194850,67 +194850,20 @@ verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. CCE-80923-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.tcp_syncookies" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_tcp_syncookies_value='' - - -# -# Set runtime for net.ipv4.tcp_syncookies -# -/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value" - -# -# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80923-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.tcp_syncookies%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -195000,20 +194953,67 @@ fi - reboot_required - sysctl_net_ipv4_tcp_syncookies - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.tcp_syncookies%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.tcp_syncookies" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_tcp_syncookies_value='' + + +# +# Set runtime for net.ipv4.tcp_syncookies +# +/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value" + +# +# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80923-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -195191,65 +195191,20 @@ from the system's route table possibly revealing portions of the network topolog The ability to send ICMP redirects is only appropriate for systems acting as routers. CCE-80918-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv4.conf.all.send_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0" - -# -# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80918-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.send_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -195332,20 +195287,65 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_send_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.send_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.conf.all.send_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0" + +# +# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80918-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -195515,65 +195515,20 @@ from the system's route table possibly revealing portions of the network topolog The ability to send ICMP redirects is only appropriate for systems acting as routers. CCE-80921-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv4.conf.default.send_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0" - -# -# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80921-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.send_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -195656,20 +195611,65 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_send_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.send_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.conf.default.send_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0" + +# +# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80921-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -195806,66 +195806,6 @@ not required, system network information may be unnecessarily transmitted across the network. CCE-81024-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.ip_forward" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv4.ip_forward -# -/sbin/sysctl -q -n -w net.ipv4.ip_forward="0" - -# -# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81024-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -195945,6 +195885,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_ip_forward + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.ip_forward" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.ip_forward +# +/sbin/sysctl -q -n -w net.ipv4.ip_forward="0" + +# +# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81024-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -196153,21 +196153,13 @@ originating from within a corporate network to include malicious mobile code and configured software on a host. CCE-86376-1 + +package --add=nftables + [[packages]] name = "nftables" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "nftables" ; then - yum install -y "nftables" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_nftables @@ -196192,8 +196184,16 @@ class install_nftables { - no_reboot_needed - package_nftables_installed - -package --add=nftables + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "nftables" ; then + yum install -y "nftables" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196218,18 +196218,6 @@ the nftables service [customizations.services] enabled = ["nftables"] - - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q nftables ); then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'nftables.service' -"$SYSTEMCTL_EXEC" start 'nftables.service' -"$SYSTEMCTL_EXEC" enable 'nftables.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_nftables @@ -196277,6 +196265,18 @@ class enable_nftables { - medium_severity - no_reboot_needed - service_nftables_enabled + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q nftables ); then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'nftables.service' +"$SYSTEMCTL_EXEC" start 'nftables.service' +"$SYSTEMCTL_EXEC" enable 'nftables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196301,26 +196301,20 @@ is actually one of the backends for firewalld management [customizations.services] disabled = ["nftables"] - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q firewalld && rpm --quiet -q nftables ); then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'nftables.service' -"$SYSTEMCTL_EXEC" disable 'nftables.service' -"$SYSTEMCTL_EXEC" mask 'nftables.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files nftables.socket; then - "$SYSTEMCTL_EXEC" stop 'nftables.socket' - "$SYSTEMCTL_EXEC" mask 'nftables.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'nftables.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nftables.service + enabled: false + mask: true + - name: nftables.socket + enabled: false + mask: true include disable_nftables 
@@ -196414,20 +196408,26 @@ class disable_nftables { - no_reboot_needed - service_nftables_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: nftables.service - enabled: false - mask: true - - name: nftables.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q firewalld && rpm --quiet -q nftables ); then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nftables.service' +"$SYSTEMCTL_EXEC" disable 'nftables.service' +"$SYSTEMCTL_EXEC" mask 'nftables.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files nftables.socket; then + "$SYSTEMCTL_EXEC" stop 'nftables.socket' + "$SYSTEMCTL_EXEC" mask 'nftables.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'nftables.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -196447,27 +196447,6 @@ network traffic. Note: adding rules to a running nftables can cause loss of connectivity to the system. CCE-86162-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q nftables; then - -#Set nftables family name -var_nftables_family='' - - -#Set nftables table name -var_nftables_table='' - - -IS_TABLE=$(nft list tables) -if [ -z "$IS_TABLE" ] -then - nft create table "$var_nftables_family" "$var_nftables_table" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -196517,6 +196496,27 @@ fi - no_reboot_needed - restrict_strategy - set_nftables_table + + # Remediation is applicable only in certain platforms +if rpm --quiet -q nftables; then + +#Set nftables family name +var_nftables_family='' + + +#Set nftables table name +var_nftables_table='' + + +IS_TABLE=$(nft list tables) +if [ -z "$IS_TABLE" ] +then + nft create table "$var_nftables_family" "$var_nftables_table" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -196561,18 +196561,6 @@ The ufw service can be enabled with the following command [customizations.services] enabled = ["ufw"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q ufw ); }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'ufw.service' -"$SYSTEMCTL_EXEC" start 'ufw.service' -"$SYSTEMCTL_EXEC" enable 'ufw.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_ufw @@ -196620,6 +196608,18 @@ class enable_ufw { - medium_severity - no_reboot_needed - service_ufw_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q ufw ); }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ufw.service' +"$SYSTEMCTL_EXEC" start 'ufw.service' +"$SYSTEMCTL_EXEC" enable 'ufw.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196663,24 +196663,20 @@ add the following line to file /etc/modprobe.d/atm.conf: Disabling ATM protects the system against exploitation of any flaws in its implementation. CCE-82028-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then - - sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf - echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then - echo "blacklist atm" >> /etc/modprobe.d/atm.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20atm%20/bin/true%0Ablacklist%20atm%0A + mode: 0644 + path: /etc/modprobe.d/atm.conf + overwrite: true - name: Ensure kernel module 'atm' is disabled lineinfile: 
@@ -196718,20 +196714,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20atm%20/bin/true%0Ablacklist%20atm%0A - mode: 0644 - path: /etc/modprobe.d/atm.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then + + sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf + echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then + echo "blacklist atm" >> /etc/modprobe.d/atm.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196764,24 +196764,20 @@ add the following line to file /etc/modprobe.d/can.conf: Disabling CAN protects the system against exploitation of any flaws in its implementation. CCE-82059-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then - - sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf - echo "install can /bin/true" >> /etc/modprobe.d/can.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then - echo "blacklist can" >> /etc/modprobe.d/can.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20can%20/bin/true%0Ablacklist%20can%0A + mode: 0644 + path: /etc/modprobe.d/can.conf + overwrite: true - name: Ensure kernel module 'can' is disabled lineinfile: 
@@ -196819,20 +196815,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20can%20/bin/true%0Ablacklist%20can%0A - mode: 0644 - path: /etc/modprobe.d/can.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then + + sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf + echo "install can /bin/true" >> /etc/modprobe.d/can.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then + echo "blacklist can" >> /etc/modprobe.d/can.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196932,24 +196932,20 @@ add the following line to file /etc/modprobe.d/dccp.conf: Disabling DCCP protects the system against exploitation of any flaws in its implementation. CCE-80833-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then - - sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf - echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then - echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A + mode: 0644 + path: /etc/modprobe.d/dccp.conf + overwrite: true - name: Ensure kernel module 'dccp' is disabled lineinfile: 
@@ -196997,20 +196993,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A - mode: 0644 - path: /etc/modprobe.d/dccp.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then + + sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf + echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then + echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197040,24 +197040,20 @@ add the following line to file /etc/modprobe.d/firewire-core.confDisabling FireWire protects the system against exploitation of any flaws in its implementation. CCE-82005-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then - - sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf - echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then - echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20firewire-core%20/bin/true%0Ablacklist%20firewire-core%0A + mode: 0644 + path: /etc/modprobe.d/firewire-core.conf + overwrite: true - name: Ensure kernel module 'firewire-core' is disabled lineinfile: 
@@ -197095,20 +197091,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20firewire-core%20/bin/true%0Ablacklist%20firewire-core%0A - mode: 0644 - path: /etc/modprobe.d/firewire-core.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then + + sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf + echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then + echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197200,24 +197200,20 @@ add the following line to file /etc/modprobe.d/rds.conf: Disabling RDS protects the system against exploitation of any flaws in its implementation. CCE-82870-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then - - sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf - echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist rds$" /etc/modprobe.d/rds.conf ; then - echo "blacklist rds" >> /etc/modprobe.d/rds.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20rds%20/bin/true%0Ablacklist%20rds%0A + mode: 0644 + path: /etc/modprobe.d/rds.conf + overwrite: true - name: Ensure kernel module 'rds' is disabled lineinfile: 
@@ -197257,20 +197253,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20rds%20/bin/true%0Ablacklist%20rds%0A - mode: 0644 - path: /etc/modprobe.d/rds.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then + + sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf + echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist rds$" /etc/modprobe.d/rds.conf ; then + echo "blacklist rds" >> /etc/modprobe.d/rds.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197374,24 +197374,20 @@ add the following line to file /etc/modprobe.d/sctp.conf: Disabling SCTP protects the system against exploitation of any flaws in its implementation. CCE-80834-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then - - sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf - echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then - echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A + mode: 0644 + path: /etc/modprobe.d/sctp.conf + overwrite: true - name: Ensure kernel module 'sctp' is disabled lineinfile: 
@@ -197441,20 +197437,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A - mode: 0644 - path: /etc/modprobe.d/sctp.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then + + sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf + echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then + echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197555,24 +197555,20 @@ the tipc kernel module will be loaded.Disabling TIPC protects the system against exploitation of any flaws in its implementation. CCE-82297-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then - - sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf - echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then - echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20tipc%20/bin/true%0Ablacklist%20tipc%0A + mode: 0644 + path: /etc/modprobe.d/tipc.conf + overwrite: true - name: Ensure kernel module 'tipc' is disabled lineinfile: 
@@ -197614,20 +197610,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20tipc%20/bin/true%0Ablacklist%20tipc%0A - mode: 0644 - path: /etc/modprobe.d/tipc.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then + + sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf + echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then + echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197771,26 +197771,20 @@ utility of Bluetooth connectivity and its limited range. [customizations.services] disabled = ["bluetooth"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'bluetooth.service' -"$SYSTEMCTL_EXEC" disable 'bluetooth.service' -"$SYSTEMCTL_EXEC" mask 'bluetooth.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files bluetooth.socket; then - "$SYSTEMCTL_EXEC" stop 'bluetooth.socket' - "$SYSTEMCTL_EXEC" mask 'bluetooth.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: bluetooth.service + enabled: false + mask: true + - name: bluetooth.socket + enabled: false + mask: true include disable_bluetooth 
@@ -197880,20 +197874,26 @@ class disable_bluetooth { - no_reboot_needed - service_bluetooth_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: bluetooth.service - enabled: false - mask: true - - name: bluetooth.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'bluetooth.service' +"$SYSTEMCTL_EXEC" disable 'bluetooth.service' +"$SYSTEMCTL_EXEC" mask 'bluetooth.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files bluetooth.socket; then + "$SYSTEMCTL_EXEC" stop 'bluetooth.socket' + "$SYSTEMCTL_EXEC" mask 'bluetooth.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
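Review bot: the two bluetooth remediations are not equivalent on hosts without a socket unit: the bash block masks `bluetooth.socket` only `if "$SYSTEMCTL_EXEC" -q list-unit-files bluetooth.socket`, whereas the MachineConfig declares `- name: bluetooth.socket` with `mask: true` unconditionally. Masking a unit that does not exist is harmless, but the divergence should be deliberate; either add the socket unit unconditionally in bash too or note in the MachineConfig why it differs.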
@@ -198018,24 +198018,20 @@ from loading the kernel module provides an additional safeguard against its activation. CCE-80832-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then - - sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf - echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then - echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20bluetooth%20/bin/true%0Ablacklist%20bluetooth%0A + mode: 0644 + path: /etc/modprobe.d/bluetooth.conf + overwrite: true - name: Ensure kernel module 'bluetooth' is disabled lineinfile: 
@@ -198087,20 +198083,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20bluetooth%20/bin/true%0Ablacklist%20bluetooth%0A - mode: 0644 - path: /etc/modprobe.d/bluetooth.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then + + sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf + echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then + echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198130,24 +198130,20 @@ add the following line to file /etc/modprobe.d/cfg80211.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install cfg80211" /etc/modprobe.d/cfg80211.conf ; then - - sed -i 's#^install cfg80211.*#install cfg80211 /bin/true#g' /etc/modprobe.d/cfg80211.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cfg80211.conf - echo "install cfg80211 /bin/true" >> /etc/modprobe.d/cfg80211.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist cfg80211$" /etc/modprobe.d/cfg80211.conf ; then - echo "blacklist cfg80211" >> /etc/modprobe.d/cfg80211.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20cfg80211%20/bin/true%0Ablacklist%20cfg80211%0A + mode: 0644 + path: /etc/modprobe.d/cfg80211.conf + overwrite: true - name: Ensure kernel module 'cfg80211' is disabled lineinfile: 
@@ -198193,20 +198189,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20cfg80211%20/bin/true%0Ablacklist%20cfg80211%0A - mode: 0644 - path: /etc/modprobe.d/cfg80211.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install cfg80211" /etc/modprobe.d/cfg80211.conf ; then + + sed -i 's#^install cfg80211.*#install cfg80211 /bin/true#g' /etc/modprobe.d/cfg80211.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cfg80211.conf + echo "install cfg80211 /bin/true" >> /etc/modprobe.d/cfg80211.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist cfg80211$" /etc/modprobe.d/cfg80211.conf ; then + echo "blacklist cfg80211" >> /etc/modprobe.d/cfg80211.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198236,24 +198236,20 @@ add the following line to file /etc/modprobe.d/iwlmvm.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install iwlmvm" /etc/modprobe.d/iwlmvm.conf ; then - - sed -i 's#^install iwlmvm.*#install iwlmvm /bin/true#g' /etc/modprobe.d/iwlmvm.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlmvm.conf - echo "install iwlmvm /bin/true" >> /etc/modprobe.d/iwlmvm.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist iwlmvm$" /etc/modprobe.d/iwlmvm.conf ; then - echo "blacklist iwlmvm" >> /etc/modprobe.d/iwlmvm.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20iwlmvm%20/bin/true%0Ablacklist%20iwlmvm%0A + mode: 0644 + path: /etc/modprobe.d/iwlmvm.conf + overwrite: true - name: Ensure kernel module 'iwlmvm' is disabled lineinfile: 
@@ -198299,20 +198295,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20iwlmvm%20/bin/true%0Ablacklist%20iwlmvm%0A - mode: 0644 - path: /etc/modprobe.d/iwlmvm.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install iwlmvm" /etc/modprobe.d/iwlmvm.conf ; then + + sed -i 's#^install iwlmvm.*#install iwlmvm /bin/true#g' /etc/modprobe.d/iwlmvm.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlmvm.conf + echo "install iwlmvm /bin/true" >> /etc/modprobe.d/iwlmvm.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist iwlmvm$" /etc/modprobe.d/iwlmvm.conf ; then + echo "blacklist iwlmvm" >> /etc/modprobe.d/iwlmvm.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198342,24 +198342,20 @@ add the following line to file /etc/modprobe.d/iwlwifi.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install iwlwifi" /etc/modprobe.d/iwlwifi.conf ; then - - sed -i 's#^install iwlwifi.*#install iwlwifi /bin/true#g' /etc/modprobe.d/iwlwifi.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlwifi.conf - echo "install iwlwifi /bin/true" >> /etc/modprobe.d/iwlwifi.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist iwlwifi$" /etc/modprobe.d/iwlwifi.conf ; then - echo "blacklist iwlwifi" >> /etc/modprobe.d/iwlwifi.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20iwlwifi%20/bin/true%0Ablacklist%20iwlwifi%0A + mode: 0644 + path: /etc/modprobe.d/iwlwifi.conf + overwrite: true - name: Ensure kernel module 'iwlwifi' is disabled lineinfile: 
@@ -198405,20 +198401,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20iwlwifi%20/bin/true%0Ablacklist%20iwlwifi%0A - mode: 0644 - path: /etc/modprobe.d/iwlwifi.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install iwlwifi" /etc/modprobe.d/iwlwifi.conf ; then + + sed -i 's#^install iwlwifi.*#install iwlwifi /bin/true#g' /etc/modprobe.d/iwlwifi.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlwifi.conf + echo "install iwlwifi /bin/true" >> /etc/modprobe.d/iwlwifi.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist iwlwifi$" /etc/modprobe.d/iwlwifi.conf ; then + echo "blacklist iwlwifi" >> /etc/modprobe.d/iwlwifi.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198448,24 +198448,20 @@ add the following line to file /etc/modprobe.d/mac80211.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install mac80211" /etc/modprobe.d/mac80211.conf ; then - - sed -i 's#^install mac80211.*#install mac80211 /bin/true#g' /etc/modprobe.d/mac80211.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/mac80211.conf - echo "install mac80211 /bin/true" >> /etc/modprobe.d/mac80211.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist mac80211$" /etc/modprobe.d/mac80211.conf ; then - echo "blacklist mac80211" >> /etc/modprobe.d/mac80211.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20mac80211%20/bin/true%0Ablacklist%20mac80211%0A + mode: 0644 + path: /etc/modprobe.d/mac80211.conf + overwrite: true - name: Ensure kernel module 'mac80211' is disabled lineinfile: 
@@ -198511,20 +198507,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20mac80211%20/bin/true%0Ablacklist%20mac80211%0A - mode: 0644 - path: /etc/modprobe.d/mac80211.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install mac80211" /etc/modprobe.d/mac80211.conf ; then + + sed -i 's#^install mac80211.*#install mac80211 /bin/true#g' /etc/modprobe.d/mac80211.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/mac80211.conf + echo "install mac80211 /bin/true" >> /etc/modprobe.d/mac80211.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist mac80211$" /etc/modprobe.d/mac80211.conf ; then + echo "blacklist mac80211" >> /etc/modprobe.d/mac80211.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -198766,13 +198766,6 @@ serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. CCE-83501-7 - -if ! rpm -q --quiet "NetworkManager" ; then - yum install -y "NetworkManager" -fi - -nmcli radio all off - - name: Gather the package facts package_facts: manager: auto @@ -198844,6 +198837,13 @@ nmcli radio all off - no_reboot_needed - unknown_strategy - wireless_disable_interfaces + + +if ! rpm -q --quiet "NetworkManager" ; then + yum install -y "NetworkManager" +fi + +nmcli radio all off 
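Review bot: `nmcli radio all off` in the moved wireless_disable_interfaces block switches off WWAN as well as Wi-Fi; if the rule is meant to cover Wi-Fi only, `nmcli radio wifi off` is the narrower command, otherwise the rationale text should say both. Unlike the modprobe remediations above, this block also has no `/.dockerenv` / `/run/.containerenv` guard, so it will run `yum install -y "NetworkManager"` inside a container build; confirm that is intended.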
@@ -198942,16 +198942,6 @@ Following this, the files should be deleted or assigned to root user. CCE-83375-6 - -# At least under containerized env /proc can have files w/o possilibity to -# modify even as root. And touching /proc is not good idea anyways. -find / -path /proc -prune -o \ - -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \ - -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \ - -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \ - -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \ - -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \; - - name: Ensure All World-Writable Directories Are Owned by root User - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: @@ -199121,6 +199111,16 @@ find / -path /proc -prune -o \ - medium_severity - no_reboot_needed - restrict_strategy + + +# At least under containerized env /proc can have files w/o possilibity to +# modify even as root. And touching /proc is not good idea anyways. +find / -path /proc -prune -o \ + -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \ + -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \ + -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \ + -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \ + -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \; 
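Review bot: typo in the comment of the re-added world-writable-directories block: `possilibity` should be `possibility`, and `touching /proc is not good idea` should read `not a good idea`; since the text is only being moved, fix it in the source template rather than the generated file. Style: `-exec chown root {} \;` forks one chown per directory, while `-exec chown root {} +` batches them and makes a difference on large filesystems.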
@@ -199212,11 +199212,6 @@ repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access. CCE-80783-4 - df --local -P | awk '{if (NR!=1) print $6}' \ -| xargs -I '$6' find '$6' -xdev -type d \ -\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ --exec chmod a+t {} + - - name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: @@ -199413,6 +199408,11 @@ for directories requiring global read/write access. - medium_severity - no_reboot_needed - restrict_strategy + + df --local -P | awk '{if (NR!=1) print $6}' \ +| xargs -I '$6' find '$6' -xdev -type d \ +\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ +-exec chmod a+t {} + @@ -199567,13 +199567,6 @@ the audit log. Misconfigured audits may also make it more difficult to establish correlate, and investigate the events relating to an incident or identify those responsible for one. CCE-85871-2 - - - - - -chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf - - name: Test for existence /etc/audit/auditd.conf stat: path: /etc/audit/auditd.conf @@ -199604,6 +199597,13 @@ chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf @@ -199629,13 +199629,6 @@ the audit log. Misconfigured audits may also make it more difficult to establish correlate, and investigate the events relating to an incident or identify those responsible for one. CCE-85875-3 - - - - - -find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; - - name: Find /etc/audit/rules.d/ file(s) command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*rules$" 
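Review bot: the bash remediation for CCE-85871-2 runs `chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf` unconditionally, whereas the Ansible side first does `- name: Test for existence /etc/audit/auditd.conf` with `stat:`; when the file is absent the bash path fails with a non-zero exit instead of skipping. Guard it with `[ -f /etc/audit/auditd.conf ] &&` (the rules.d block already avoids this by using `find ... -exec chmod`). In the sticky-bit block, `xargs -I '$6'` is correct but the placeholder reads like an awk field reference; `{}` would be clearer.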
@@ -199671,6 +199664,13 @@ find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; 
@@ -200226,65 +200226,20 @@ based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). CCE-81027-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "fs.protected_hardlinks" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for fs.protected_hardlinks -# -/sbin/sysctl -q -n -w fs.protected_hardlinks="1" - -# -# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1" -# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81027-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,fs.protected_hardlinks%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -200348,70 +200303,18 @@ fi - reboot_required - sysctl_fs_protected_hardlinks - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,fs.protected_hardlinks%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf - overwrite: true - - - - - - - - - - Enable Kernel Parameter to Enforce DAC on Symlinks - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 - BP28(R23) - CCI-002165 - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-6(a) - AC-6(1) - SRG-OS-000312-GPOS-00122 - SRG-OS-000312-GPOS-00123 - SRG-OS-000324-GPOS-00125 - RHEL-08-010373 - SV-230267r858751_rule - By enabling this kernel parameter, symbolic links are permitted to be followed -only when outside a sticky world-writable directory, or when the UID of the -link and follower match, or when the directory owner matches the symlink's owner. -Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system -accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of -open() or creat(). - - CCE-81030-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files +# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "fs.protected_symlinks" matches to preserve user data + # comment out "fs.protected_hardlinks" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi @@ -200425,18 +200328,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for fs.protected_symlinks +# Set runtime for fs.protected_hardlinks # -/sbin/sysctl -q -n -w fs.protected_symlinks="1" +/sbin/sysctl -q -n -w fs.protected_hardlinks="1" # -# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1" -# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf +# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1" +# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -200444,14 +200347,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-81030-9" + cce="CCE-81027-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -200459,6 +200362,58 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 + BP28(R23) + CCI-002165 + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-6(a) + AC-6(1) + SRG-OS-000312-GPOS-00122 + SRG-OS-000312-GPOS-00123 + SRG-OS-000324-GPOS-00125 + RHEL-08-010373 + SV-230267r858751_rule + By enabling this kernel parameter, symbolic links are permitted to be followed +only when outside a sticky world-writable directory, or when the UID of the +link and follower match, or when the directory owner matches the symlink's owner. +Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system +accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of +open() or creat(). + + CCE-81030-9 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,fs.protected_symlinks%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -200522,20 +200477,65 @@ fi - reboot_required - sysctl_fs_protected_symlinks - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,fs.protected_symlinks%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "fs.protected_symlinks" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for fs.protected_symlinks +# +/sbin/sysctl -q -n -w fs.protected_symlinks="1" + +# +# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1" +# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81030-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -200565,8 +200565,6 @@ passwords, and should never be enabled. it contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-83475-4 - chgrp 0 /etc/group- - - name: Test for existence /etc/group- stat: path: /etc/group- @@ -200599,6 +200597,8 @@ Protection of this file is important for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/group- @@ -200619,8 +200619,6 @@ Protection of this file is important for system security. The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security. CCE-83535-5 - chgrp 0 /etc/gshadow- - - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -200653,6 +200651,8 @@ it contains group password hashes. Protection of this file is critical for syste - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/gshadow- 
@@ -200674,8 +200674,6 @@ it contains group password hashes. Protection of this file is critical for syste it contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-83324-4 - chgrp 0 /etc/passwd- - - name: Test for existence /etc/passwd- stat: path: /etc/passwd- @@ -200708,6 +200706,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/passwd- @@ -200727,8 +200727,6 @@ Protection of this file is critical for system security. it contains the list of local system accounts and password hashes. Protection of this file is critical for system security. CCE-83415-0 - chgrp 0 /etc/shadow- - - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -200759,6 +200757,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/shadow- @@ -200829,8 +200829,6 @@ Protection of this file is critical for system security. The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-80796-6 - chgrp 0 /etc/group - - name: Test for existence /etc/group stat: path: /etc/group @@ -200867,6 +200865,8 @@ on the system. Protection of this file is important for system security. + chgrp 0 /etc/group @@ -200934,8 +200934,6 @@ on the system. Protection of this file is important for system security.The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. CCE-80797-4 - chgrp 0 /etc/gshadow - - name: Test for existence /etc/gshadow stat: path: /etc/gshadow @@ -200966,6 +200964,8 @@ is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/gshadow 
@@ -201036,8 +201036,6 @@ is critical for system security. The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-80798-2 - chgrp 0 /etc/passwd - - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -201074,6 +201072,8 @@ the system. Protection of this file is critical for system security. + chgrp 0 /etc/passwd @@ -201144,8 +201144,6 @@ the system. Protection of this file is critical for system security.The /etc/shadow file stores password hashes. Protection of this file is critical for system security. CCE-80799-0 - chgrp 0 /etc/shadow - - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -201182,6 +201180,8 @@ critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/shadow @@ -201203,8 +201203,6 @@ critical for system security. it contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-83473-9 - chown 0 /etc/group- - - name: Test for existence /etc/group- stat: path: /etc/group- @@ -201237,6 +201235,8 @@ Protection of this file is important for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/group- @@ -201257,8 +201257,6 @@ Protection of this file is important for system security. The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security. CCE-83533-0 - chown 0 /etc/gshadow- - - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -201291,6 +201289,8 @@ it contains group password hashes. Protection of this file is critical for syste - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/gshadow- 
@@ -201312,8 +201312,6 @@ it contains group password hashes. Protection of this file is critical for syste it contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-83326-9 - chown 0 /etc/passwd- - - name: Test for existence /etc/passwd- stat: path: /etc/passwd- @@ -201346,6 +201344,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/passwd- @@ -201367,8 +201367,6 @@ Protection of this file is critical for system security. it contains the list of local system accounts and password hashes. Protection of this file is critical for system security. CCE-83413-5 - chown 0 /etc/shadow- - - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -201401,6 +201399,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/shadow- @@ -201472,8 +201472,6 @@ Protection of this file is critical for system security. The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-80801-4 - chown 0 /etc/group - - name: Test for existence /etc/group stat: path: /etc/group @@ -201510,6 +201508,8 @@ on the system. Protection of this file is important for system security. + chown 0 /etc/group @@ -201579,8 +201579,6 @@ on the system. Protection of this file is important for system security.The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. CCE-80802-2 - chown 0 /etc/gshadow - - name: Test for existence /etc/gshadow stat: path: /etc/gshadow @@ -201611,6 +201609,8 @@ is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/gshadow 
@@ -201682,8 +201682,6 @@ is critical for system security. The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-80803-0 - chown 0 /etc/passwd - - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -201720,6 +201718,8 @@ the system. Protection of this file is critical for system security. + chown 0 /etc/passwd @@ -201795,8 +201795,6 @@ critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. CCE-80804-8 - chown 0 /etc/shadow - - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -201833,6 +201831,8 @@ which could weaken the system security posture. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/shadow @@ -201856,13 +201856,6 @@ To properly set the permissions of /etc/group-, run the c it contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-83483-8 - - - - - -chmod u-xs,g-xws,o-xwt /etc/group- - - name: Test for existence /etc/group- stat: path: /etc/group- @@ -201895,6 +201888,13 @@ chmod u-xs,g-xws,o-xwt /etc/group- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/group- @@ -201915,13 +201915,6 @@ To properly set the permissions of /etc/gshadow-, run the The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security. CCE-83573-6 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow- - - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -201950,6 +201943,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow- 
@@ -201973,13 +201973,6 @@ To properly set the permissions of /etc/passwd-, run the it contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-83332-7 - - - - - -chmod u-xs,g-xws,o-xwt /etc/passwd- - - name: Test for existence /etc/passwd- stat: path: /etc/passwd- @@ -202012,6 +202005,13 @@ chmod u-xs,g-xws,o-xwt /etc/passwd- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/passwd- @@ -202035,13 +202035,6 @@ To properly set the permissions of /etc/shadow-, run the it contains the list of local system accounts and password hashes. Protection of this file is critical for system security. CCE-83417-6 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow- - - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -202074,6 +202067,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow- @@ -202148,13 +202148,6 @@ To properly set the permissions of /etc/passwd, run the c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-80810-5 - - - - - -chmod u-xs,g-xws,o-xwt /etc/group - - name: Test for existence /etc/group stat: path: /etc/group @@ -202191,6 +202184,13 @@ chmod u-xs,g-xws,o-xwt /etc/group - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/group @@ -202262,13 +202262,6 @@ To properly set the permissions of /etc/gshadow, run the The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. CCE-80811-3 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow - - name: Test for existence /etc/gshadow stat: path: /etc/gshadow 
@@ -202299,6 +202292,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow @@ -202375,13 +202375,6 @@ world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. CCE-80812-1 - - - - - -chmod u-xs,g-xws,o-xwt /etc/passwd - - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -202418,6 +202411,13 @@ chmod u-xs,g-xws,o-xwt /etc/passwd - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/passwd @@ -202495,13 +202495,6 @@ critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. CCE-80813-9 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow - - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -202538,6 +202531,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow @@ -202564,8 +202564,6 @@ personnel. messages in the system and should only be accessed by authorized personnel. CCE-83659-3 - find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \; - - name: Ensure group owner on /var/log/ file: path: /var/log/ @@ -202580,6 +202578,8 @@ personnel. - low_disruption - medium_severity - no_reboot_needed + + find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \; @@ -202598,8 +202598,6 @@ personnel. The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. CCE-83660-1 - chgrp 0 /var/log/messages - - name: Test for existence /var/log/messages stat: path: /var/log/messages @@ -202628,6 +202626,8 @@ the system and should only be accessed by authorized personnel. + chgrp 0 /var/log/messages 
@@ -202643,8 +202643,6 @@ the system and should only be accessed by authorized personnel.SRG-OS-000206-GPOS-00084 The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. - chgrp 4 /var/log/syslog - - name: Test for existence /var/log/syslog stat: path: /var/log/syslog @@ -202669,6 +202667,8 @@ the system and should only be accessed by authorized personnel. + chgrp 4 /var/log/syslog @@ -202689,8 +202689,6 @@ the system and should only be accessed by authorized personnel. CCE-83661-9 - find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \; - - name: Ensure owner on directory /var/log/ file: path: /var/log/ @@ -202705,6 +202703,8 @@ personnel. - low_disruption - medium_severity - no_reboot_needed + + find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \; @@ -202723,8 +202723,6 @@ personnel. The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. CCE-83662-7 - chown 0 /var/log/messages - - name: Test for existence /var/log/messages stat: path: /var/log/messages @@ -202753,6 +202751,8 @@ the system and should only be accessed by authorized personnel. + chown 0 /var/log/messages @@ -202768,8 +202768,6 @@ the system and should only be accessed by authorized personnel.SRG-OS-000206-GPOS-00084 The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. - chown 104 /var/log/syslog - - name: Test for existence /var/log/syslog stat: path: /var/log/syslog @@ -202794,6 +202792,8 @@ the system and should only be accessed by authorized personnel. + chown 104 /var/log/syslog 
@@ -202816,13 +202816,6 @@ To properly set the permissions of /var/log, run the comm messages in the system and should only be accessed by authorized personnel. CCE-83663-5 - - - - - -find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - - name: Find /var/log/ file(s) command: 'find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d ' register: files_found @@ -202855,6 +202848,13 @@ find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws, - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; @@ -202875,13 +202875,6 @@ To properly set the permissions of /var/log/messages, run The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. CCE-83665-0 - - - - - -chmod u-xs,g-xws,o-xwrt /var/log/messages - - name: Test for existence /var/log/messages stat: path: /var/log/messages @@ -202910,6 +202903,13 @@ chmod u-xs,g-xws,o-xwrt /var/log/messages - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwrt /var/log/messages @@ -202927,13 +202927,6 @@ To properly set the permissions of /var/log/syslog, run t SRG-OS-000206-GPOS-00084 The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. - - - - - -chmod u-xs,g-xws,o-xwrt /var/log/syslog - - name: Test for existence /var/log/syslog stat: path: /var/log/syslog @@ -202958,6 +202951,13 @@ chmod u-xs,g-xws,o-xwrt /var/log/syslog - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwrt /var/log/syslog 
@@ -203001,11 +203001,6 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. CCE-85894-4 - find -H /lib/ -type d -exec chgrp 0 {} \; -find -H /lib64/ -type d -exec chgrp 0 {} \; -find -H /usr/lib/ -type d -exec chgrp 0 {} \; -find -H /usr/lib64/ -type d -exec chgrp 0 {} \; - - name: Ensure group owner on /lib/ recursively file: path: /lib/ @@ -203077,6 +203072,11 @@ find -H /usr/lib64/ -type d -exec chgrp 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + find -H /lib/ -type d -exec chgrp 0 {} \; +find -H /lib64/ -type d -exec chgrp 0 {} \; +find -H /usr/lib/ -type d -exec chgrp 0 {} \; +find -H /usr/lib64/ -type d -exec chgrp 0 {} \; @@ -203103,13 +203103,6 @@ following command: System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. - find -H /bin/ -type d -exec chown 0 {} \; -find -H /sbin/ -type d -exec chown 0 {} \; -find -H /usr/bin/ -type d -exec chown 0 {} \; -find -H /usr/sbin/ -type d -exec chown 0 {} \; -find -H /usr/local/bin/ -type d -exec chown 0 {} \; -find -H /usr/local/sbin/ -type d -exec chown 0 {} \; - - name: Ensure owner on directory /bin/ recursively file: path: /bin/ @@ -203193,6 +203186,13 @@ find -H /usr/local/sbin/ -type d -exec chown 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + find -H /bin/ -type d -exec chown 0 {} \; +find -H /sbin/ -type d -exec chown 0 {} \; +find -H /usr/bin/ -type d -exec chown 0 {} \; +find -H /usr/sbin/ -type d -exec chown 0 {} \; +find -H /usr/local/bin/ -type d -exec chown 0 {} \; +find -H /usr/local/sbin/ -type d -exec chown 0 {} \; 
@@ -203228,11 +203228,6 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. CCE-89021-0 - find -H /lib/ -type d -exec chown 0 {} \; -find -H /lib64/ -type d -exec chown 0 {} \; -find -H /usr/lib/ -type d -exec chown 0 {} \; -find -H /usr/lib64/ -type d -exec chown 0 {} \; - - name: Ensure owner on directory /lib/ recursively file: path: /lib/ @@ -203304,6 +203299,11 @@ find -H /usr/lib64/ -type d -exec chown 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + find -H /lib/ -type d -exec chown 0 {} \; +find -H /lib64/ -type d -exec chown 0 {} \; +find -H /usr/lib/ -type d -exec chown 0 {} \; +find -H /usr/lib64/ -type d -exec chown 0 {} \; @@ -203331,23 +203331,6 @@ following command: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. - - - - - -find -H /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - - name: Find /bin/ file(s) recursively command: 'find -H /bin/ -perm /u+s,g+ws,o+wt -type d ' register: files_found 
@@ -203521,6 +203504,23 @@ find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; @@ -203563,19 +203563,6 @@ privileged programs which execute with escalated privileges. Only qualified and individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. CCE-88692-9 - - - - - -find -H /lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - -find -H /lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - -find -H /usr/lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - -find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - - name: Find /lib/ file(s) recursively command: 'find -H /lib/ -perm /g+w,o+w -type d ' register: files_found @@ -203731,6 +203718,19 @@ find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; + +find -H /lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; + +find -H /usr/lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; + +find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; 
@@ -203772,14 +203772,6 @@ will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. CCE-86455-3 - chgrp 0 /sbin/auditctl -chgrp 0 /sbin/aureport -chgrp 0 /sbin/ausearch -chgrp 0 /sbin/autrace -chgrp 0 /sbin/auditd -chgrp 0 /sbin/audispd -chgrp 0 /sbin/augenrules - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -203968,6 +203960,14 @@ chgrp 0 /sbin/augenrules - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /sbin/auditctl +chgrp 0 /sbin/aureport +chgrp 0 /sbin/ausearch +chgrp 0 /sbin/autrace +chgrp 0 /sbin/auditd +chgrp 0 /sbin/audispd +chgrp 0 /sbin/augenrules @@ -204009,12 +204009,6 @@ escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. CCE-86519-6 - -for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -do - find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \; -done - - name: Retrieve the system command files and set their group ownership to root command: find -L {{ item }} ! -group root -type f -exec chgrp root '{}' \; with_items: @@ -204038,6 +204032,12 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin +do + find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \; +done 
@@ -204079,14 +204079,6 @@ will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. CCE-86453-8 - chown 0 /sbin/auditctl -chown 0 /sbin/aureport -chown 0 /sbin/ausearch -chown 0 /sbin/autrace -chown 0 /sbin/auditd -chown 0 /sbin/audispd -chown 0 /sbin/augenrules - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -204275,6 +204267,14 @@ chown 0 /sbin/augenrules - low_disruption - medium_severity - no_reboot_needed + + chown 0 /sbin/auditctl +chown 0 /sbin/aureport +chown 0 /sbin/ausearch +chown 0 /sbin/autrace +chown 0 /sbin/auditd +chown 0 /sbin/audispd +chown 0 /sbin/augenrules @@ -204359,15 +204359,6 @@ following command: and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. CCE-80806-3 - find /bin/ \ -/usr/bin/ \ -/usr/local/bin/ \ -/sbin/ \ -/usr/sbin/ \ -/usr/local/sbin/ \ -/usr/libexec \ -\! -user root -execdir chown root {} \; - - name: Read list of system executables without root ownership command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \! -user root @@ -204408,6 +204399,15 @@ execution of these programs cannot be co-opted. - medium_severity - no_reboot_needed - restrict_strategy + + find /bin/ \ +/usr/bin/ \ +/usr/local/bin/ \ +/sbin/ \ +/usr/sbin/ \ +/usr/local/sbin/ \ +/usr/libexec \ +\! -user root -execdir chown root {} \; 
@@ -204493,15 +204493,6 @@ ownership with the following command: space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. CCE-80807-1 - -find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - -find /lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - -find /usr/lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - -find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - - name: Find /lib/ file(s) matching ^.*$ recursively command: find -H /lib/ -type f ! -uid 0 -regex "^.*$" register: files_found @@ -204665,6 +204656,15 @@ find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + +find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; + +find /lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; + +find /usr/lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; + +find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; @@ -204706,25 +204706,6 @@ will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. CCE-86447-0 - - - - - -chmod u-s,g-ws,o-wt /sbin/auditctl - -chmod u-s,g-ws,o-wt /sbin/aureport - -chmod u-s,g-ws,o-wt /sbin/ausearch - -chmod u-s,g-ws,o-wt /sbin/autrace - -chmod u-s,g-ws,o-wt /sbin/auditd - -chmod u-s,g-ws,o-wt /sbin/audispd - -chmod u-s,g-ws,o-wt /sbin/augenrules - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl 
@@ -204913,6 +204894,25 @@ chmod u-s,g-ws,o-wt /sbin/augenrules - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-s,g-ws,o-wt /sbin/auditctl + +chmod u-s,g-ws,o-wt /sbin/aureport + +chmod u-s,g-ws,o-wt /sbin/ausearch + +chmod u-s,g-ws,o-wt /sbin/autrace + +chmod u-s,g-ws,o-wt /sbin/auditd + +chmod u-s,g-ws,o-wt /sbin/audispd + +chmod u-s,g-ws,o-wt /sbin/augenrules @@ -204997,11 +204997,6 @@ following command: and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. CCE-80809-7 - DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" -for dirPath in $DIRS; do - find "$dirPath" -perm /022 -exec chmod go-w '{}' \; -done - - name: Read list of world and group writable system executables ansible.builtin.command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f @@ -205043,6 +205038,11 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" +for dirPath in $DIRS; do + find "$dirPath" -perm /022 -exec chmod go-w '{}' \; +done @@ -205128,19 +205128,6 @@ its permission with the following command: space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. CCE-80815-4 - - - - - -find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - -find -H /lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - -find -H /usr/lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - -find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - - name: Find /lib/ file(s) recursively command: find -H /lib/ -perm /g+w,o+w -type f -regex "^.*$" register: files_found 
@@ -205304,6 +205291,19 @@ find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w { - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; + +find -H /lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; + +find -H /usr/lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; + +find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; @@ -205342,15 +205342,6 @@ also include privileged programs which execute with escalated privileges. Only q and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. CCE-86523-8 - -find /lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - -find /lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - -find /usr/lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - -find /usr/lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - - name: Find /lib/ file(s) matching ^.*$ recursively command: find -H /lib/ -type f ! -group 0 -regex "^.*$" register: files_found @@ -205498,6 +205489,15 @@ find /usr/lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - medium_severity - no_reboot_needed - root_permissions_syslibrary_files + + +find /lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; + +find /lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; + +find /usr/lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; + +find /usr/lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; 
@@ -205627,26 +205627,17 @@ unknown devices, thereby facilitating malicious activity. [customizations.services] disabled = ["autofs"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'autofs.service' -"$SYSTEMCTL_EXEC" disable 'autofs.service' -"$SYSTEMCTL_EXEC" mask 'autofs.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then - "$SYSTEMCTL_EXEC" stop 'autofs.socket' - "$SYSTEMCTL_EXEC" mask 'autofs.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - enabled: false + name: autofs.service include disable_autofs 
@@ -205736,17 +205727,26 @@ class disable_autofs { - no_reboot_needed - service_autofs_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - enabled: false - name: autofs.service + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'autofs.service' +"$SYSTEMCTL_EXEC" disable 'autofs.service' +"$SYSTEMCTL_EXEC" mask 'autofs.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then + "$SYSTEMCTL_EXEC" stop 'autofs.socket' + "$SYSTEMCTL_EXEC" mask 'autofs.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -205964,24 +205964,20 @@ decompress the image. of the server. CCE-81031-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then - - sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf - echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then - echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20cramfs%20/bin/true%0Ablacklist%20cramfs%0A + mode: 0644 + path: /etc/modprobe.d/cramfs.conf + overwrite: true - name: Ensure kernel module 'cramfs' is disabled lineinfile: 
@@ -206025,20 +206021,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20cramfs%20/bin/true%0Ablacklist%20cramfs%0A - mode: 0644 - path: /etc/modprobe.d/cramfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then + + sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf + echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then + echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206130,24 +206130,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then - - sed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf - echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist freevxfs$" /etc/modprobe.d/freevxfs.conf ; then - echo "blacklist freevxfs" >> /etc/modprobe.d/freevxfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20freevxfs%20/bin/true%0Ablacklist%20freevxfs%0A + mode: 0644 + path: /etc/modprobe.d/freevxfs.conf + overwrite: true - name: Ensure kernel module 'freevxfs' is disabled lineinfile: 
@@ -206187,20 +206183,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20freevxfs%20/bin/true%0Ablacklist%20freevxfs%0A - mode: 0644 - path: /etc/modprobe.d/freevxfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then + + sed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf + echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist freevxfs$" /etc/modprobe.d/freevxfs.conf ; then + echo "blacklist freevxfs" >> /etc/modprobe.d/freevxfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206289,24 +206289,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then - - sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf - echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist hfs$" /etc/modprobe.d/hfs.conf ; then - echo "blacklist hfs" >> /etc/modprobe.d/hfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20hfs%20/bin/true%0Ablacklist%20hfs%0A + mode: 0644 + path: /etc/modprobe.d/hfs.conf + overwrite: true - name: Ensure kernel module 'hfs' is disabled lineinfile: 
@@ -206346,20 +206342,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20hfs%20/bin/true%0Ablacklist%20hfs%0A - mode: 0644 - path: /etc/modprobe.d/hfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then + + sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf + echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist hfs$" /etc/modprobe.d/hfs.conf ; then + echo "blacklist hfs" >> /etc/modprobe.d/hfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206448,24 +206448,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then - - sed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf - echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist hfsplus$" /etc/modprobe.d/hfsplus.conf ; then - echo "blacklist hfsplus" >> /etc/modprobe.d/hfsplus.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20hfsplus%20/bin/true%0Ablacklist%20hfsplus%0A + mode: 0644 + path: /etc/modprobe.d/hfsplus.conf + overwrite: true - name: Ensure kernel module 'hfsplus' is disabled lineinfile: 
@@ -206505,20 +206501,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20hfsplus%20/bin/true%0Ablacklist%20hfsplus%0A - mode: 0644 - path: /etc/modprobe.d/hfsplus.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then + + sed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf + echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist hfsplus$" /etc/modprobe.d/hfsplus.conf ; then + echo "blacklist hfsplus" >> /etc/modprobe.d/hfsplus.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206607,24 +206607,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then - - sed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf - echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist jffs2$" /etc/modprobe.d/jffs2.conf ; then - echo "blacklist jffs2" >> /etc/modprobe.d/jffs2.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20jffs2%20/bin/true%0Ablacklist%20jffs2%0A + mode: 0644 + path: /etc/modprobe.d/jffs2.conf + overwrite: true - name: Ensure kernel module 'jffs2' is disabled lineinfile: 
@@ -206664,20 +206660,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20jffs2%20/bin/true%0Ablacklist%20jffs2%0A - mode: 0644 - path: /etc/modprobe.d/jffs2.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then + + sed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf + echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist jffs2$" /etc/modprobe.d/jffs2.conf ; then + echo "blacklist jffs2" >> /etc/modprobe.d/jffs2.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206773,24 +206773,20 @@ to first decompress the image. surface of the system. CCE-83498-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then - - sed -i 's#^install squashfs.*#install squashfs /bin/true#g' /etc/modprobe.d/squashfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf - echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist squashfs$" /etc/modprobe.d/squashfs.conf ; then - echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20squashfs%20/bin/true%0Ablacklist%20squashfs%0A + mode: 0644 + path: /etc/modprobe.d/squashfs.conf + overwrite: true - name: Ensure kernel module 'squashfs' is disabled lineinfile: 
@@ -206832,20 +206828,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20squashfs%20/bin/true%0Ablacklist%20squashfs%0A - mode: 0644 - path: /etc/modprobe.d/squashfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then + + sed -i 's#^install squashfs.*#install squashfs /bin/true#g' /etc/modprobe.d/squashfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf + echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist squashfs$" /etc/modprobe.d/squashfs.conf ; then + echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206942,24 +206942,20 @@ writing DVDs and newer optical disc formats. attack surface of the system. CCE-82729-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then - - sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf - echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist udf$" /etc/modprobe.d/udf.conf ; then - echo "blacklist udf" >> /etc/modprobe.d/udf.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20udf%20/bin/true%0Ablacklist%20udf%0A + mode: 0644 + path: /etc/modprobe.d/udf.conf + overwrite: true - name: Ensure kernel module 'udf' is disabled lineinfile: 
@@ -207001,20 +206997,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20udf%20/bin/true%0Ablacklist%20udf%0A - mode: 0644 - path: /etc/modprobe.d/udf.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then + + sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf + echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist udf$" /etc/modprobe.d/udf.conf ; then + echo "blacklist udf" >> /etc/modprobe.d/udf.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -207121,24 +207121,20 @@ module, but will not prevent an administrator (or another program) from using th malicious software. CCE-80835-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then - - sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf - echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then - echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A + mode: 0644 + path: /etc/modprobe.d/usb-storage.conf + overwrite: true - name: Ensure kernel module 'usb-storage' is disabled lineinfile: 
@@ -207186,20 +207182,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A - mode: 0644 - path: /etc/modprobe.d/usb-storage.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then + + sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf + echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then + echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -207298,24 +207298,20 @@ all of which are supported by the vfat kernel module. CCE-82170-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install vfat" /etc/modprobe.d/vfat.conf ; then - - sed -i 's#^install vfat.*#install vfat /bin/true#g' /etc/modprobe.d/vfat.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/vfat.conf - echo "install vfat /bin/true" >> /etc/modprobe.d/vfat.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist vfat$" /etc/modprobe.d/vfat.conf ; then - echo "blacklist vfat" >> /etc/modprobe.d/vfat.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20vfat%20/bin/true%0Ablacklist%20vfat%0A + mode: 0644 + path: /etc/modprobe.d/vfat.conf + overwrite: true - name: Ensure kernel module 'vfat' is disabled lineinfile: 
@@ -207357,20 +207353,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20vfat%20/bin/true%0Ablacklist%20vfat%0A - mode: 0644 - path: /etc/modprobe.d/vfat.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install vfat" /etc/modprobe.d/vfat.conf ; then + + sed -i 's#^install vfat.*#install vfat /bin/true#g' /etc/modprobe.d/vfat.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/vfat.conf + echo "install vfat /bin/true" >> /etc/modprobe.d/vfat.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist vfat$" /etc/modprobe.d/vfat.conf ; then + echo "blacklist vfat" >> /etc/modprobe.d/vfat.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -207424,54 +207424,6 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from boot partitions. CCE-86038-7 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot/efi")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot/efi' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot/efi in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot/efi)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /boot/efi defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/boot/efi"; then - if mountpoint -q "/boot/efi"; then - mount -o remount --target "/boot/efi" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint' command: findmnt --fstab '/boot/efi' register: device_name 
@@ -207590,51 +207542,26 @@ fi - mount_option_boot_efi_nosuid - no_reboot_needed - - - - - - - - - Add noauto Option to /boot - The noauto mount option is used to prevent automatic mounting of th -/boot partition. -Add the noauto option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot. - Although contents of the /boot partition should not be needed -during normal system operation, they might need to be accessible during -system maintenance and upgrades. Make sure that applying this rule will -not break upgrade or maintenance processes affecting the system. - BP28(R12) - The /boot partition contains the kernel and the bootloader. Access -to the partition after the boot process finishes should not be needed. Files -contained within this partition can be analysed and gained information can -be used for exploit creation. - - CCE-83345-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then function perform_remediation { - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot/efi")" grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + || { echo "The mount point '/boot/efi' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot/efi in /etc/fstab" >&2; return 1; } - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot/efi)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noauto)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
@@ -207642,17 +207569,17 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /boot defaults,${previous_mount_opts}noauto 0 0" >> /etc/fstab + echo " /boot/efi defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noauto"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noauto|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi - if mkdir -p "/boot"; then - if mountpoint -q "/boot"; then - mount -o remount --target "/boot" + if mkdir -p "/boot/efi"; then + if mountpoint -q "/boot/efi"; then + mount -o remount --target "/boot/efi" fi fi } 
@@ -207662,6 +207589,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add noauto Option to /boot + The noauto mount option is used to prevent automatic mounting of th +/boot partition. +Add the noauto option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + Although contents of the /boot partition should not be needed +during normal system operation, they might need to be accessible during +system maintenance and upgrades. Make sure that applying this rule will +not break upgrade or maintenance processes affecting the system. + BP28(R12) + The /boot partition contains the kernel and the bootloader. Access +to the partition after the boot process finishes should not be needed. Files +contained within this partition can be analysed and gained information can +be used for exploit creation. + + CCE-83345-9 + +part /boot --mountoptions="noauto" - name: 'Add noauto Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
@@ -207759,50 +207714,7 @@ fi - mount_option_boot_noauto - no_reboot_needed - -part /boot --mountoptions="noauto" - - - - - - - - - - Add nodev Option to /boot - The nodev mount option can be used to prevent device files from -being created in /boot. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot. - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-7(a) - CM-7(b) - CM-6(a) - AC-6 - AC-6(1) - MP-7 - PR.IP-1 - PR.PT-2 - PR.PT-3 - SRG-OS-000368-GPOS-00154 - The only legitimate location for device files is the /dev directory -located on the root partition. The only exception to this is chroot jails. - - CCE-82941-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then function perform_remediation { @@ -207821,7 +207733,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|noauto)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
@@ -207829,11 +207741,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /boot defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + echo " /boot defaults,${previous_mount_opts}noauto 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noauto"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noauto|" /etc/fstab fi @@ -207849,6 +207761,49 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nodev Option to /boot + The nodev mount option can be used to prevent device files from +being created in /boot. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + CCE-82941-6 + +part /boot --mountoptions="nodev" - name: 'Add nodev Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
@@ -207976,8 +207931,53 @@ fi - mount_option_boot_nodev - no_reboot_needed - -part /boot --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /boot defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/boot"; then + if mountpoint -q "/boot"; then + mount -o remount --target "/boot" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -207999,53 +207999,8 @@ binaries should be executed from this partition after the booting process finishes. CCE-83316-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /boot defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/boot"; then - if mountpoint -q "/boot"; then - mount -o remount --target "/boot" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /boot --mountoptions="noexec" - name: 'Add noexec Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
@@ -208143,8 +208098,53 @@ fi - mount_option_boot_noexec - no_reboot_needed - -part /boot --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /boot defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/boot"; then + if mountpoint -q "/boot"; then + mount -o remount --target "/boot" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -208189,53 +208189,8 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from boot partitions. CCE-81033-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /boot defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/boot"; then - if mountpoint -q "/boot"; then - mount -o remount --target "/boot" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /boot --mountoptions="nosuid" - name: 'Add nosuid Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
@@ -208368,8 +208323,53 @@ fi - mount_option_boot_nosuid - no_reboot_needed - -part /boot --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /boot defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/boot"; then + if mountpoint -q "/boot"; then + mount -o remount --target "/boot" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -208485,48 +208485,6 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-80837-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="tmpfs" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/dev/shm"; then - if mountpoint -q "/dev/shm"; then - mount -o remount --target "/dev/shm" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name 
@@ -208657,6 +208615,48 @@ fi - medium_severity - mount_option_dev_shm_nodev - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="tmpfs" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/dev/shm"; then + if mountpoint -q "/dev/shm"; then + mount -o remount --target "/dev/shm" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -208773,48 +208773,6 @@ Add the noexec option to the fourth column of such as /dev/shm can expose the system to potential compromise. CCE-80838-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="tmpfs" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/dev/shm"; then - if mountpoint -q "/dev/shm"; then - mount -o remount --target "/dev/shm" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name 
@@ -208946,6 +208904,48 @@ fi - medium_severity - mount_option_dev_shm_noexec - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="tmpfs" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/dev/shm"; then + if mountpoint -q "/dev/shm"; then + mount -o remount --target "/dev/shm" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -209061,48 +209061,6 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from temporary storage partitions. CCE-80839-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="tmpfs" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/dev/shm"; then - if mountpoint -q "/dev/shm"; then - mount -o remount --target "/dev/shm" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name 
@@ -209235,69 +209193,38 @@ fi - mount_option_dev_shm_nosuid - no_reboot_needed - - - - - - - - - Add grpquota Option to /home - The grpquota mount option allows for the filesystem to have disk quotas configured. -Add the grpquota option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - The quota options for XFS file systems can only be activated when mounting the partition. -It is not possible to enable them by remounting an already mounted partition. Therefore, -if the desired options were not defined before mounting the partition, dismount and mount -it again to apply the quota options. - CM-6(b) - 1.1.7.5 - To ensure the availability of disk space on /home, it is important to limit the impact a -single user or group can cause for other users (or the wider system) by intentionally or -accidentally filling up the partition. Quotas can also be applied to inodes for filesystems -where inode exhaustion is a concern. - - CCE-86039-5 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then function perform_remediation { - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! 
grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" + fs_type="tmpfs" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab + echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "grpquota"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi - if mkdir -p "/home"; then - if mountpoint -q "/home"; then - mount -o remount --target "/home" + if mkdir -p "/dev/shm"; then + if mountpoint -q "/dev/shm"; then + mount -o remount --target "/dev/shm" fi fi } 
@@ -209307,6 +209234,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add grpquota Option to /home + The grpquota mount option allows for the filesystem to have disk quotas configured. +Add the grpquota option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + The quota options for XFS file systems can only be activated when mounting the partition. +It is not possible to enable them by remounting an already mounted partition. Therefore, +if the desired options were not defined before mounting the partition, dismount and mount +it again to apply the quota options. + CM-6(b) + 1.1.7.5 + To ensure the availability of disk space on /home, it is important to limit the impact a +single user or group can cause for other users (or the wider system) by intentionally or +accidentally filling up the partition. Quotas can also be applied to inodes for filesystems +where inode exhaustion is a concern. + + CCE-86039-5 + +part /home --mountoptions="grpquota" - name: 'Add grpquota Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
@@ -209414,34 +209369,7 @@ fi - mount_option_home_grpquota - no_reboot_needed - -part /home --mountoptions="grpquota" - - - - - - - - - - Add nodev Option to /home - The nodev mount option can be used to prevent device files from -being created in /home. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - BP28(R12) - SRG-OS-000368-GPOS-00154 - 1.1.7.2 - The only legitimate location for device files is the /dev directory -located on the root partition. The only exception to this is chroot jails. - - CCE-81048-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then function perform_remediation { @@ -209460,7 +209388,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
@@ -209468,11 +209396,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + echo " /home defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "grpquota"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab fi @@ -209488,6 +209416,33 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nodev Option to /home + The nodev mount option can be used to prevent device files from +being created in /home. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + BP28(R12) + SRG-OS-000368-GPOS-00154 + 1.1.7.2 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + CCE-81048-1 + +part /home --mountoptions="nodev" - name: 'Add nodev Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
@@ -209590,36 +209545,8 @@ fi - no_reboot_needed - unknown_severity - -part /home --mountoptions="nodev" - - - - - - - - - - Add noexec Option to /home - The noexec mount option can be used to prevent binaries from being -executed out of /home. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - BP28(R12) - CCI-000366 - CM-6(b) - SRG-OS-000480-GPOS-00227 - RHEL-08-010590 - SV-230302r627750_rule - The /home directory contains data of individual users. Binaries in -this directory should not be considered as trusted and users should not be -able to execute them. - - CCE-83328-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then function perform_remediation { @@ -209637,7 +209564,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
@@ -209645,11 +209572,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + echo " /home defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi @@ -209665,6 +209592,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add noexec Option to /home + The noexec mount option can be used to prevent binaries from being +executed out of /home. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + BP28(R12) + CCI-000366 + CM-6(b) + SRG-OS-000480-GPOS-00227 + RHEL-08-010590 + SV-230302r627750_rule + The /home directory contains data of individual users. Binaries in +this directory should not be considered as trusted and users should not be +able to execute them. + + CCE-83328-5 + +part /home --mountoptions="noexec" - name: 'Add noexec Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
@@ -209772,8 +209727,53 @@ fi - mount_option_home_noexec - no_reboot_needed - -part /home --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /home defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/home"; then + if mountpoint -q "/home"; then + mount -o remount --target "/home" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -209891,53 +209891,8 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from user home directory partitions. CCE-81050-7 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /home defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/home"; then - if mountpoint -q "/home"; then - mount -o remount --target "/home" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /home --mountoptions="nosuid" - name: 'Add nosuid Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' @@ -210075,35 +210030,7 @@ fi - mount_option_home_nosuid - no_reboot_needed - -part /home --mountoptions="nosuid" - - - - - - - - - - Add usrquota Option to /home - The usrquota mount option allows for the filesystem to have disk quotas configured. -Add the usrquota option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - The quota options for XFS file systems can only be activated when mounting the partition. -It is not possible to enable them by remounting an already mounted partition. Therefore, -if the desired options were not defined before mounting the partition, dismount and mount -it again to apply the quota options. - CM-6(b) - 1.1.7.4 - To ensure the availability of disk space on /home, it is important to limit the impact a -single user or group can cause for other users (or the wider system) by intentionally or -accidentally filling up the partition. Quotas can also be applied to inodes for filesystems -where inode exhaustion is a concern. - - CCE-86035-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then function perform_remediation { 
@@ -210122,7 +210049,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|usrquota)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -210130,11 +210057,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}usrquota 0 0" >> /etc/fstab + echo " /home defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "usrquota"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,usrquota|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi 
@@ -210150,6 +210077,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add usrquota Option to /home + The usrquota mount option allows for the filesystem to have disk quotas configured. +Add the usrquota option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + The quota options for XFS file systems can only be activated when mounting the partition. +It is not possible to enable them by remounting an already mounted partition. Therefore, +if the desired options were not defined before mounting the partition, dismount and mount +it again to apply the quota options. + CM-6(b) + 1.1.7.4 + To ensure the availability of disk space on /home, it is important to limit the impact a +single user or group can cause for other users (or the wider system) by intentionally or +accidentally filling up the partition. Quotas can also be applied to inodes for filesystems +where inode exhaustion is a concern. + + CCE-86035-3 + +part /home --mountoptions="usrquota" - name: 'Add usrquota Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
@@ -210257,8 +210212,53 @@ fi - mount_option_home_usrquota - no_reboot_needed - -part /home --mountoptions="usrquota" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|usrquota)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /home defaults,${previous_mount_opts}usrquota 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "usrquota"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,usrquota|" /etc/fstab + fi + + + if mkdir -p "/home"; then + if mountpoint -q "/home"; then + mount -o remount --target "/home" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -210369,6 +210369,35 @@ The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems. CCE-82069-6 + - name: Ensure non-root local partitions are mounted with nodev option + mount: + path: '{{ item.mount }}' + src: '{{ item.device }}' + opts: '{{ item.options }},nodev' + state: mounted + fstype: '{{ item.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - item.mount is match('/\w') + - item.options is not search('nodev') + with_items: + - '{{ ansible_facts.mounts }}' + tags: + - CCE-82069-6 + - DISA-STIG-RHEL-08-010580 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_nodev_nonroot_local_partitions + - no_reboot_needed + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
@@ -210419,35 +210448,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Ensure non-root local partitions are mounted with nodev option - mount: - path: '{{ item.mount }}' - src: '{{ item.device }}' - opts: '{{ item.options }},nodev' - state: mounted - fstype: '{{ item.fstype }}' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - item.mount is match('/\w') - - item.options is not search('nodev') - with_items: - - '{{ ansible_facts.mounts }}' - tags: - - CCE-82069-6 - - DISA-STIG-RHEL-08-010580 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_nodev_nonroot_local_partitions - - no_reboot_needed @@ -210585,26 +210585,6 @@ not advised to set nodev on partitions which contain thei filesystems. CCE-82742-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_removable_partition='' - - -device_regex="^\s*$var_removable_partition\s\+" -mount_option="nodev" - -if grep -q $device_regex /etc/fstab ; then - previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') - sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab -else - echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str 
@@ -210633,6 +210613,26 @@ fi - medium_severity - mount_option_nodev_removable_partitions - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_removable_partition='' + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="nodev" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -210769,26 +210769,6 @@ Add the noexec option to the fourth column of the system to potential compromise. CCE-82746-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_removable_partition='' - - -device_regex="^\s*$var_removable_partition\s\+" -mount_option="noexec" - -if grep -q $device_regex /etc/fstab ; then - previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') - sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab -else - echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str 
@@ -210817,6 +210797,26 @@ fi - medium_severity - mount_option_noexec_removable_partitions - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_removable_partition='' + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="noexec" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -210979,26 +210979,6 @@ users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. CCE-82744-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_removable_partition='' - - -device_regex="^\s*$var_removable_partition\s\+" -mount_option="nosuid" - -if grep -q $device_regex /etc/fstab ; then - previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') - sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab -else - echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str 
@@ -211027,6 +211007,26 @@ fi - medium_severity - mount_option_nosuid_removable_partitions - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_removable_partition='' + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="nosuid" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -211050,53 +211050,8 @@ Add the nosuid option to the fourth column of not be able to execute SUID or SGID binaries from this directory. CCE-83319-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/opt")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/opt' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /opt in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /opt)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /opt defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/opt"; then - if mountpoint -q "/opt"; then - mount -o remount --target "/opt" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /opt --mountoptions="nosuid" - name: 'Add nosuid Option to /opt: Check information associated to mountpoint' command: findmnt --fstab '/opt' 
@@ -211199,8 +211154,53 @@ fi - mount_option_opt_nosuid - no_reboot_needed - -part /opt --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/opt")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/opt' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /opt in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /opt)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /opt defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/opt"; then + if mountpoint -q "/opt"; then + mount -o remount --target "/opt" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -211236,51 +211236,6 @@ related to their own processes in a system. Otherwise, sensitive information fro other users could be seem. CCE-85882-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - var_mount_option_proc_hidepid='' - - mountoption="hidepid=$var_mount_option_proc_hidepid" - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /proc)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|$mountoption)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="proc" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "$mountoption"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$mountoption|" /etc/fstab - fi - - - if mkdir -p "/proc"; then - if mountpoint -q "/proc"; then - mount -o remount --target "/proc" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mount_option_proc_hidepid # promote to variable set_fact: var_mount_option_proc_hidepid: !!str 
@@ -211383,66 +211338,41 @@ fi - mount_option_proc_hidepid - no_reboot_needed - - - - - - - - - - Add nosuid Option to /srv - The nosuid mount option can be used to prevent -execution of setuid programs in /srv. The SUID and SGID permissions -should not be required in this directory. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/srv. - BP28(R12) - The presence of SUID and SGID executables should be tightly controlled. The -/srv directory contains files served by various network services such as FTP. Users should -not be able to execute SUID or SGID binaries from this directory. - - CCE-83322-8 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/srv" > /dev/null || findmnt --fstab "/srv" > /dev/null ); then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then function perform_remediation { - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/srv")" - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/srv' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /srv in /etc/fstab" >&2; return 1; } - + var_mount_option_proc_hidepid='' - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /srv)" + mountoption="hidepid=$var_mount_option_proc_hidepid" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /proc)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! 
grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|$mountoption)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" + fs_type="proc" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /srv defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "$mountoption"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$mountoption|" /etc/fstab fi - if mkdir -p "/srv"; then - if mountpoint -q "/srv"; then - mount -o remount --target "/srv" + if mkdir -p "/proc"; then + if mountpoint -q "/proc"; then + mount -o remount --target "/proc" fi fi } 
@@ -211452,6 +211382,31 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Add nosuid Option to /srv + The nosuid mount option can be used to prevent +execution of setuid programs in /srv. The SUID and SGID permissions +should not be required in this directory. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/srv. + BP28(R12) + The presence of SUID and SGID executables should be tightly controlled. The +/srv directory contains files served by various network services such as FTP. Users should +not be able to execute SUID or SGID binaries from this directory. + + CCE-83322-8 + +part /srv --mountoptions="nosuid" - name: 'Add nosuid Option to /srv: Check information associated to mountpoint' command: findmnt --fstab '/srv' 
@@ -211554,8 +211509,53 @@ fi - mount_option_srv_nosuid - no_reboot_needed - -part /srv --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/srv" > /dev/null || findmnt --fstab "/srv" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/srv")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/srv' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /srv in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /srv)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /srv defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/srv"; then + if mountpoint -q "/srv"; then + mount -o remount --target "/srv" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -211672,53 +211672,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82623-0 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/tmp"; then - if mountpoint -q "/tmp"; then - mount -o remount --target "/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /tmp --mountoptions="nodev" - name: 'Add nodev Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' 
@@ -211855,8 +211810,53 @@ fi - mount_option_tmp_nodev - no_reboot_needed - -part /tmp --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/tmp"; then + if mountpoint -q "/tmp"; then + mount -o remount --target "/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
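Review bot: the `if ! grep -q "$mount_point_match_regexp" /etc/fstab; then` branch of the re-added `perform_remediation` is unreachable. A few lines earlier the function already does `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }`, so by the time the fallback that reads /etc/mtab and appends a fresh fstab line is evaluated, the mount point is known to be in fstab. The iso9660 handling inside that branch is doubly dead, because `fs_type=""` is hard-coded immediately before `if [ "$fs_type" == "iso9660" ]`. Either drop the early guard so the mtab fallback can do its job for a mounted /tmp that has no fstab line (a case the `findmnt --kernel` half of the outer guard explicitly admits), or drop the fallback together with the duplicated `mount_point_match_regexp=` assignment above it; carrying some twenty lines that can never execute into every mount-option rule makes each of these hunks harder to review.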
@@ -211973,53 +211973,8 @@ such as /tmp should never be necessary in normal operatio can expose the system to potential compromise. CCE-82139-7 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/tmp"; then - if mountpoint -q "/tmp"; then - mount -o remount --target "/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /tmp --mountoptions="noexec" - name: 'Add noexec Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' 
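Review bot: the kickstart fix that takes the bash block's place in this hunk, `part /tmp --mountoptions="noexec"`, carries no size, filesystem type, device or `--onpart`, so it is not a complete partition definition and only makes sense merged into the `part /tmp` line of an existing kickstart. Nothing in the hunk says so. A one-line statement next to the fix (or in the rule description that precedes it) that this fragment supplies the mount option for an already-defined /tmp partition would stop it being pasted into a kickstart as is.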
@@ -212157,8 +212112,53 @@ fi - mount_option_tmp_noexec - no_reboot_needed - -part /tmp --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/tmp"; then + if mountpoint -q "/tmp"; then + mount -o remount --target "/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -212275,53 +212275,8 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from temporary storage partitions. CCE-82140-5 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/tmp"; then - if mountpoint -q "/tmp"; then - mount -o remount --target "/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /tmp --mountoptions="nosuid" - name: 'Add nosuid Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' 
@@ -212459,8 +212414,53 @@ fi - mount_option_tmp_nosuid - no_reboot_needed - -part /tmp --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/tmp"; then + if mountpoint -q "/tmp"; then + mount -o remount --target "/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
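Review bot: in the `elif` branch of the re-added function, `previous_mount_opts` is read straight out of /etc/fstab and interpolated unescaped into `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab`. An options field containing `|` (the substitution delimiter) breaks the sed expression outright, and one containing regex metacharacters such as `*`, `[` or `$` can stop the pattern from matching. In the non-matching case sed exits 0, no line is changed and `perform_remediation` returns success, so the rule reports remediated while /etc/fstab still lacks nosuid. Escaping the value before use, or rewriting the fourth field with awk on the line the mount-point regex already locates, closes that hole; at minimum a post-check such as `grep -q "$mount_point_match_regexp.*nosuid" /etc/fstab || return 1` would surface it.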
@@ -212506,53 +212506,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82080-3 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log/audit defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var/log/audit"; then - if mountpoint -q "/var/log/audit"; then - mount -o remount --target "/var/log/audit" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log/audit --mountoptions="nodev" - name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' 
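Review bot: this hunk pair is a pure move: the bash remediation (45 lines by the hunk counts, 53 old lines down to 8) is deleted here and re-added verbatim after the `no_reboot_needed` element in the next hunk, while the single `part /var/log/audit --mountoptions="nodev"` line travels the other way. Nothing in the rule changes. If the publisher writes `fix` elements in whatever order the build happens to produce, every publish will churn thousands of datastream lines like these; sorting the fixes by their system identifier, or preserving the order of the previous publish, before serialising would make this diff empty.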
@@ -212693,8 +212648,53 @@ fi - mount_option_var_log_audit_nodev - no_reboot_needed - -part /var/log/audit --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log/audit defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/var/log/audit"; then + if mountpoint -q "/var/log/audit"; then + mount -o remount --target "/var/log/audit" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -212738,53 +212738,8 @@ such as /var/log/audit should never be necessary in norma can expose the system to potential compromise. CCE-82975-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log/audit defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/var/log/audit"; then - if mountpoint -q "/var/log/audit"; then - mount -o remount --target "/var/log/audit" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log/audit --mountoptions="noexec" - name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' 
@@ -212925,8 +212880,53 @@ fi - mount_option_var_log_audit_noexec - no_reboot_needed - -part /var/log/audit --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log/audit defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/var/log/audit"; then + if mountpoint -q "/var/log/audit"; then + mount -o remount --target "/var/log/audit" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -212971,53 +212971,8 @@ should not be able to execute SUID or SGID binaries from partitions designated for audit log files. CCE-82921-8 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log/audit defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/var/log/audit"; then - if mountpoint -q "/var/log/audit"; then - mount -o remount --target "/var/log/audit" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log/audit --mountoptions="nosuid" - name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' 
@@ -213158,8 +213113,53 @@ fi - mount_option_var_log_audit_nosuid - no_reboot_needed - -part /var/log/audit --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log/audit defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var/log/audit"; then + if mountpoint -q "/var/log/audit"; then + mount -o remount --target "/var/log/audit" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
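Review bot: the remount at the end of the re-added block, `if mountpoint -q "/var/log/audit"; then mount -o remount --target "/var/log/audit"; fi`, only runs when the path is currently a mount point. When /var/log/audit has an fstab entry but is not mounted, the script edits /etc/fstab and stops, so nosuid takes effect only at the next mount, which contradicts the `no_reboot_needed` tag visible in the context lines just above this block. Either mount the path in that case (`mount "/var/log/audit"` reads the freshly edited fstab entry) or state in the rule that the tag assumes the filesystem is already mounted.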
@@ -213205,53 +213205,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82077-9 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var/log"; then - if mountpoint -q "/var/log"; then - mount -o remount --target "/var/log" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log --mountoptions="nodev" - name: 'Add nodev Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' 
@@ -213390,8 +213345,53 @@ fi - mount_option_var_log_nodev - no_reboot_needed - -part /var/log --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/var/log"; then + if mountpoint -q "/var/log"; then + mount -o remount --target "/var/log" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
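Review bot: the presence test `grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"` in the re-added block looks for the string anywhere on the fstab line rather than in the options field, so a device path, label or trailing comment containing `nodev` makes the script skip the edit and report success. Testing the fourth field, for example `awk -v mp=/var/log '$1 !~ /^#/ && $2 == mp && $4 ~ /(^|,)nodev(,|$)/' /etc/fstab`, checks exactly the field the later `awk '{print $4}'` reads and avoids the false positive.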
@@ -213436,53 +213436,8 @@ such as /var/log should never be necessary in normal oper can expose the system to potential compromise. CCE-82008-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/var/log"; then - if mountpoint -q "/var/log"; then - mount -o remount --target "/var/log" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log --mountoptions="noexec" - name: 'Add noexec Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' 
@@ -213622,8 +213577,53 @@ fi - mount_option_var_log_noexec - no_reboot_needed - -part /var/log --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/var/log"; then + if mountpoint -q "/var/log"; then + mount -o remount --target "/var/log" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
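Review bot: Inside `perform_remediation` the `if ! grep -q "$mount_point_match_regexp" /etc/fstab` branch, which reads the running options from `/etc/mtab` and appends a new fstab line, is unreachable: a few lines earlier the function has already done `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }`, so by the time the `if` runs the mount point is guaranteed to be in fstab. The iso9660 `blocksize=` to `block=` fix-up inside that branch is dead twice over, because `fs_type=""` is hard-coded immediately before `if [ "$fs_type" == "iso9660" ]`. Either delete the branch or make it live by dropping the early return and filling `fs_type` from `findmnt -no FSTYPE "/var/log"`; a comment that a variable exists "to satisfy shellcheck SC2050" is a sign the logic was lost, not a justification for keeping it.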
@@ -213669,53 +213669,8 @@ should not be able to execute SUID or SGID binaries from partitions designated for log files. CCE-82065-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/var/log"; then - if mountpoint -q "/var/log"; then - mount -o remount --target "/var/log" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log --mountoptions="nosuid" - name: 'Add nosuid Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' 
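Review bot: `mount_point_match_regexp`, built as `^[[:space:]]*[^#].*[[:space:]]/var/log[[:space:]]`, is meant to skip commented fstab lines but does not exclude an indented comment: `[[:space:]]*` may match nothing, `[^#]` then consumes the leading blank, and `.*` swallows the `#`, so a line such as `  # old: /dev/vg/log /var/log xfs defaults 0 0` passes the `grep -q` gate. If both a live entry and such a comment match, `previous_mount_opts=$(grep ... | awk '{print $4}')` becomes two lines and the subsequent `sed -i` quietly matches nothing, leaving the rule unremediated with exit status 0. Use `^[[:space:]]*[^#[:space:]]` as the prefix, or take the options from `findmnt --fstab -no OPTIONS /var/log`, which already handles comments and whitespace.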
@@ -213855,8 +213810,53 @@ fi - mount_option_var_log_nosuid - no_reboot_needed - -part /var/log --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var/log"; then + if mountpoint -q "/var/log"; then + mount -o remount --target "/var/log" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
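Review bot: `mount_point_match_regexp` is assigned twice with identical values a few lines apart in `perform_remediation`, once with `"/var/log"` quoted and once bare. The second assignment is template residue; remove it so the two cannot drift apart the next time the template changes, and so a reader does not look for a reason they differ.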
@@ -213899,53 +213899,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82062-1 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var"; then - if mountpoint -q "/var"; then - mount -o remount --target "/var" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var --mountoptions="nodev" - name: 'Add nodev Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' 
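Review bot: The exit status of `mount -o remount --target "/var"` at the end of `perform_remediation` is never checked, and `perform_remediation` is the last statement of the block, so a failed remount (busy mount, or an fstab line the preceding `sed -i` left malformed) still reports the remediation as successful; the rule is tagged `no_reboot_needed` on the strength of that remount. The companion Ansible check a few lines below (`command: findmnt --fstab '/var'`) only parses fstab, so a host where the remount failed would pass the check while still running without `nodev`. Test the remount's exit status and either fail the remediation or report that a reboot is required, and consider verifying with `findmnt --kernel -no OPTIONS /var` after the remount.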
@@ -214077,8 +214032,53 @@ fi - mount_option_var_nodev - no_reboot_needed - -part /var --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/var"; then + if mountpoint -q "/var"; then + mount -o remount --target "/var" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
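Review bot: In the `elif` branch, `previous_mount_opts` (the raw fourth fstab column) is interpolated unescaped into a sed BRE that uses `|` as its delimiter: `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab`. An option string containing `|`, `\` or an unmatched `[` turns into pattern syntax and makes sed abort or mismatch, and because `.*` is greedy the option is appended after the last occurrence of that text on the line rather than after the options column. Rewriting the column with awk, e.g. `awk '$1 !~ /^#/ && $2 == "/var" { $4 = $4 ",nodev" } 1'`, avoids both the escaping problem and the greedy match and keeps the substring test `grep -q "nodev"` from having to stand in for "is this option present in column four".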
@@ -214100,53 +214100,8 @@ Add the noexec option to the fourth column of mails and caches. No binaries should be executed from this directory. CCE-83330-1 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/var"; then - if mountpoint -q "/var"; then - mount -o remount --target "/var" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var --mountoptions="noexec" - name: 'Add noexec Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' @@ -214249,30 +214204,7 @@ fi - mount_option_var_noexec - no_reboot_needed - -part /var --mountoptions="noexec" - - - - - - - - - - Add nosuid Option to /var - The nosuid mount option can be used to prevent -execution of setuid programs in /var. The SUID and SGID permissions -should not be required for this directory. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var. - BP28(R12) - 1.1.3.4 - The presence of SUID and SGID executables should be tightly controlled. - - CCE-83383-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then function perform_remediation { 
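Review bot: The hunks at `@@ -214100` and `@@ -214249` are a reordering artifact, not a change to either rule: the noexec bash script of CCE-83330-1 is removed from above its `part /var --mountoptions="noexec"` snippet and re-added below it, and the diff algorithm then pairs the nosuid script of the next rule (`Add nosuid Option to /var`, CCE-83383-0, whose header is removed in this hunk and re-added in the next) against the re-added noexec one, producing the misleading `-nosuid`/`+noexec` swaps that follow. When rule headers migrate across hunk boundaries like this, a real change to any one remediation becomes invisible in review; the publisher should emit the fix elements of each rule in a stable order, or at minimum the patch should be generated with `--diff-algorithm=patience` so the moved blocks line up with themselves.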
@@ -214291,7 +214223,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -214299,11 +214231,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /var defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + echo " /var defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi 
@@ -214319,6 +214251,29 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nosuid Option to /var + The nosuid mount option can be used to prevent +execution of setuid programs in /var. The SUID and SGID permissions +should not be required for this directory. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var. + BP28(R12) + 1.1.3.4 + The presence of SUID and SGID executables should be tightly controlled. + + CCE-83383-0 + +part /var --mountoptions="nosuid" - name: 'Add nosuid Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' 
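Review bot: `part /var --mountoptions="nosuid"` restored here, together with `part /var --mountoptions="nodev"` and `part /var --mountoptions="noexec"` from the sibling rules, gives three `part` directives for the same mount point. pykickstart flags a repeated mount point in `part` as a duplicate definition, so these snippets cannot be concatenated into one kickstart as they stand; whoever assembles the profile has to merge them into a single `part /var --mountoptions="nodev,noexec,nosuid"` line. Unlike the bash fix, the kickstart fix carries no idempotency check, so the rule text should state the merge requirement rather than leave it to be discovered at install time.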
@@ -214421,8 +214376,53 @@ fi - mount_option_var_nosuid - no_reboot_needed - -part /var --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var"; then + if mountpoint -q "/var"; then + mount -o remount --target "/var" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -214556,53 +214556,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82068-8 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var/tmp"; then - if mountpoint -q "/var/tmp"; then - mount -o remount --target "/var/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/tmp --mountoptions="nodev" - name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' @@ -214711,35 +214666,7 @@ fi - mount_option_var_tmp_nodev - no_reboot_needed - -part /var/tmp --mountoptions="nodev" - - - - - - - - - - Add noexec Option to /var/tmp - The noexec mount option can be used to prevent binaries -from being executed out of /var/tmp. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp. - BP28(R12) - CCI-001764 - SRG-OS-000368-GPOS-00154 - RHEL-08-040134 - 1.1.4.2 - SV-230522r854063_rule - Allowing users to execute binaries from world-writable directories -such as /var/tmp should never be necessary in normal operation and -can expose the system to potential compromise. - - CCE-82151-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then function perform_remediation { 
@@ -214758,7 +214685,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -214766,11 +214693,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /var/tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + echo " /var/tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi 
@@ -214786,6 +214713,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add noexec Option to /var/tmp + The noexec mount option can be used to prevent binaries +from being executed out of /var/tmp. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/tmp. + BP28(R12) + CCI-001764 + SRG-OS-000368-GPOS-00154 + RHEL-08-040134 + 1.1.4.2 + SV-230522r854063_rule + Allowing users to execute binaries from world-writable directories +such as /var/tmp should never be necessary in normal operation and +can expose the system to potential compromise. + + CCE-82151-2 + +part /var/tmp --mountoptions="noexec" - name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' @@ -214895,35 +214850,7 @@ fi - mount_option_var_tmp_noexec - no_reboot_needed - -part /var/tmp --mountoptions="noexec" - - - - - - - - - - Add nosuid Option to /var/tmp - The nosuid mount option can be used to prevent -execution of setuid programs in /var/tmp. The SUID and SGID permissions -should not be required in these world-writable directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp. - BP28(R12) - CCI-001764 - SRG-OS-000368-GPOS-00154 - RHEL-08-040133 - 1.1.4.3 - SV-230521r854062_rule - The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from temporary storage partitions. - - CCE-82154-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then function perform_remediation { 
@@ -214942,7 +214869,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -214950,11 +214877,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /var/tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + echo " /var/tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi 
@@ -214970,6 +214897,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nosuid Option to /var/tmp + The nosuid mount option can be used to prevent +execution of setuid programs in /var/tmp. The SUID and SGID permissions +should not be required in these world-writable directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/tmp. + BP28(R12) + CCI-001764 + SRG-OS-000368-GPOS-00154 + RHEL-08-040133 + 1.1.4.3 + SV-230521r854062_rule + The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from temporary storage partitions. + + CCE-82154-6 + +part /var/tmp --mountoptions="nosuid" - name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' 
@@ -215079,8 +215034,53 @@ fi - mount_option_var_tmp_nosuid - no_reboot_needed - -part /var/tmp --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var/tmp"; then + if mountpoint -q "/var/tmp"; then + mount -o remount --target "/var/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -215128,24 +215128,20 @@ or compromised programs. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. CCE-86960-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then - - sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf - echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then - echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20uvcvideo%20/bin/true%0Ablacklist%20uvcvideo%0A + mode: 0644 + path: /etc/modprobe.d/uvcvideo.conf + overwrite: true - name: Ensure kernel module 'uvcvideo' is disabled lineinfile: 
@@ -215185,20 +215181,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20uvcvideo%20/bin/true%0Ablacklist%20uvcvideo%0A - mode: 0644 - path: /etc/modprobe.d/uvcvideo.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then + + sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf + echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then + echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
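Review bot: The restored bash block writes `install uvcvideo /bin/true`, which makes `modprobe uvcvideo` exit 0 and print nothing, so an operator (or a driver that depends on the module) cannot tell that the module was blocked rather than loaded; `install uvcvideo /bin/false` blocks equally well and surfaces the refusal, and the `blacklist uvcvideo` line already covers automatic loading by alias. Note also that neither this block nor the MachineConfig it is swapped with unloads an already loaded module, which is why `reboot_required` is the right tag for this rule; a best-effort `rmmod uvcvideo` after the file edit would let the remediation take effect without the reboot where the device is not in use.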
@@ -215223,65 +215223,20 @@ terminates an application. The memory image could contain sensitive data and is only for developers trying to debug problems. CCE-82215-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for kernel.core_pattern -# -/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false" - -# -# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false" -# else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "|/bin/false" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-82215-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
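Review bot: The comment-out loop in the kernel.core_pattern bash, `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do`, uses `$f` unquoted in both the `grep -P` and the `sed -i`, so an unmatched glob (an empty /run/sysctl.d is the normal case) makes grep complain about a literal `*.conf` path on stderr, and a filename containing whitespace is split. A `[ -f "$f" ] || continue` guard plus quoting `"$f"` fixes both; the same loop is copied into every sysctl rule in this diff, so it is worth fixing in the shared template rather than per rule.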
@@ -215345,54 +215300,18 @@ fi - reboot_required - sysctl_kernel_core_pattern - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf - overwrite: true - - - - - - - - - - Configure file name of core dumps - To set the runtime status of the kernel.core_uses_pid kernel parameter, run the following command: $ sudo sysctl -w kernel.core_uses_pid=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_uses_pid = 0 - FMT_SMF_EXT.1 - The default coredump filename is core. By setting -core_uses_pid to 1, the coredump filename becomes -core.PID. If core_pattern does not include -%p (default does not) and core_uses_pid is set, then -.PID will be appended to the filename. -When combined with kernel.core_pattern = "" configuration, it -is ensured that no core dumps are generated and also no confusing error -messages are printed by a shell. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.core_uses_pid from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_uses_pid.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.core_uses_pid" matches to preserve user data + # comment out "kernel.core_pattern" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
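Review bot: The directory list in this hunk's loop (/etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d) omits /usr/lib/sysctl.d, which is where systemd ships its own kernel.core_pattern (50-coredump.conf) when systemd-coredump is present. The remediation still wins at boot only because /etc/sysctl.conf is applied last via the /etc/sysctl.d/99-sysctl.conf symlink, so the `|/bin/false` written here overrides the vendor drop-in; that ordering assumption should be stated in a comment, because a vendor drop-in that sorts after 99 would silently take precedence and neither the check nor the remediation would notice.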
@@ -215406,32 +215325,34 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.core_uses_pid +# Set runtime for kernel.core_pattern # -/sbin/sysctl -q -n -w kernel.core_uses_pid="0" +/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false" # -# If kernel.core_uses_pid present in /etc/sysctl.conf, change value to "0" -# else, add "kernel.core_uses_pid = 0" to /etc/sysctl.conf +# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false" +# else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_uses_pid") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "|/bin/false" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_uses_pid\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_uses_pid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi + cce="CCE-82215-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -215439,6 +215360,27 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Configure file name of core dumps + To set the runtime status of the kernel.core_uses_pid kernel parameter, run the following command: $ sudo sysctl -w kernel.core_uses_pid=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_uses_pid = 0 + FMT_SMF_EXT.1 + The default coredump filename is core. By setting +core_uses_pid to 1, the coredump filename becomes +core.PID. If core_pattern does not include +%p (default does not) and core_uses_pid is set, then +.PID will be appended to the filename. +When combined with kernel.core_pattern = "" configuration, it +is ensured that no core dumps are generated and also no confusing error +messages are printed by a shell. + - name: List /etc/sysctl.d/*.conf files find: paths: 
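Review bot: The rationale re-added in this hunk for core_uses_pid still says `When combined with kernel.core_pattern = "" configuration, it is ensured that no core dumps are generated`, but the sibling rule in this same diff enforces `kernel.core_pattern = |/bin/false`, not an empty string; update the text to the value the profile actually sets. The preceding sentences also describe what happens when core_uses_pid is 1, while the rule sets it to 0; saying directly that 0 keeps the dump name as plain `core` would read more clearly.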
@@ -215489,51 +215431,18 @@ fi - reboot_required - sysctl_kernel_core_uses_pid - - - - - - - - - Restrict Access to Kernel Message Buffer - To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 - BP28(R23) - 3.1.5 - CCI-001090 - CCI-001314 - 164.308(a)(1)(ii)(D) - 164.308(a)(3) - 164.308(a)(4) - 164.310(b) - 164.310(c) - 164.312(a) - 164.312(e) - SI-11(a) - SI-11(b) - SRG-OS-000132-GPOS-00067 - SRG-OS-000138-GPOS-00069 - SRG-APP-000243-CTR-000600 - RHEL-08-010375 - SV-230269r858756_rule - Unprivileged access to the kernel syslog can expose sensitive kernel -address information. - - CCE-80913-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.core_uses_pid from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_uses_pid.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.dmesg_restrict" matches to preserve user data + # comment out "kernel.core_uses_pid" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
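Review bot: The description in this hunk tells the administrator to `add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1`, yet the bash remediation that follows starts by commenting out every kernel.dmesg_restrict line in /etc/sysctl.d/*.conf (`# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files`) before writing the value elsewhere. An operator who follows the guide text and then runs the remediation has their own drop-in disabled; either the description should point at the file the remediation writes, or the remediation should leave a correct drop-in alone.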
@@ -215547,40 +215456,86 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.dmesg_restrict +# Set runtime for kernel.core_uses_pid # -/sbin/sysctl -q -n -w kernel.dmesg_restrict="1" +/sbin/sysctl -q -n -w kernel.core_uses_pid="0" # -# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf +# If kernel.core_uses_pid present in /etc/sysctl.conf, change value to "0" +# else, add "kernel.core_uses_pid = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_uses_pid") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" +printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_uses_pid\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_uses_pid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-80913-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Restrict Access to Kernel Message Buffer + To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 + BP28(R23) + 3.1.5 + CCI-001090 + CCI-001314 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + SI-11(a) + SI-11(b) + SRG-OS-000132-GPOS-00067 + SRG-OS-000138-GPOS-00069 + SRG-APP-000243-CTR-000600 + RHEL-08-010375 + SV-230269r858756_rule + Unprivileged access to the kernel syslog can expose sensitive kernel +address information. + + CCE-80913-7 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.dmesg_restrict%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
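Review bot: The MachineConfig added in this hunk encodes the setting as `kernel.dmesg_restrict%3D1%0A` (no spaces around `=`), whereas the kernel.core_pattern MachineConfig earlier in this diff uses `kernel.core_pattern%20%3D%20%7C/bin/false%0A` (` = `). Both forms are accepted by sysctl, but the generated drop-ins should follow one format, ideally the `key = value` form the rule descriptions show, so that a reader comparing the file on disk against the guide sees the same text.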
@@ -215647,55 +215602,18 @@ fi - reboot_required - sysctl_kernel_dmesg_restrict - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.dmesg_restrict%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf - overwrite: true - - - - - - - - - - Disable Kernel Image Loading - To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 - CCI-001749 - CM-6 - SRG-OS-000480-GPOS-00227 - SRG-OS-000366-GPOS-00153 - RHEL-08-010372 - SV-230266r877463_rule - Disabling kexec_load allows greater control of the kernel memory. -It makes it impossible to load another kernel image after it has been disabled. - - - CCE-80952-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.kexec_load_disabled" matches to preserve user data + # comment out "kernel.dmesg_restrict" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -215709,18 +215627,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.kexec_load_disabled +# Set runtime for kernel.dmesg_restrict # -/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1" +/sbin/sysctl -q -n -w kernel.dmesg_restrict="1" # -# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf +# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -215728,14 +215646,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-80952-5" + cce="CCE-80913-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -215743,6 +215661,43 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disable Kernel Image Loading + To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 + CCI-001749 + CM-6 + SRG-OS-000480-GPOS-00227 + SRG-OS-000366-GPOS-00153 + RHEL-08-010372 + SV-230266r877463_rule + Disabling kexec_load allows greater control of the kernel memory. +It makes it impossible to load another kernel image after it has been disabled. + + + CCE-80952-5 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.kexec_load_disabled%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
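Review bot: The rationale added back in this hunk, `It makes it impossible to load another kernel image after it has been disabled.`, should also warn that kdump relies on loading a crash kernel through kexec; once kernel.kexec_load_disabled=1 is applied by systemd-sysctl early in boot, kdump can no longer load its crash kernel unless that happens first. Operators enabling this rule on systems that depend on kdump need that caveat in the guide, not just the `reboot_required` tag.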
@@ -215803,20 +215758,65 @@ fi - reboot_required - sysctl_kernel_kexec_load_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.kexec_load_disabled%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "kernel.kexec_load_disabled" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for kernel.kexec_load_disabled +# +/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1" + +# +# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80952-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
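Review bot: The runtime write in the re-added bash, `/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1"`, is one-way: the kernel refuses to set this toggle back to 0 until the next boot. That makes this remediation different from every other sysctl fix in the diff, which can be reverted by re-running sysctl with the old value; a comment above the `sysctl -w` line stating that the change cannot be undone without a reboot would save someone from applying it on a host where kexec is still needed.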
@@ -215909,66 +215909,6 @@ would have allowed the system to continue operating will now result in a panic.< panicking the system will impede them from continuing. CCE-87666-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.panic_on_oops" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for kernel.panic_on_oops -# -/sbin/sysctl -q -n -w kernel.panic_on_oops="1" - -# -# If kernel.panic_on_oops present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.panic_on_oops = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.panic_on_oops") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.panic_on_oops\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.panic_on_oops\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-87666-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
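Review bot: The removed block sets `kernel.panic_on_oops="1"` on its own, and with the kernel default of kernel.panic=0 a panic leaves the machine hung rather than rebooting. The rationale's point that `panicking the system will impede them from continuing` is fine for a security argument, but an unattended server that halts indefinitely is an availability problem; the rule text should say whether it expects kernel.panic to be set to a reboot timeout alongside this setting.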
@@ -216022,35 +215962,18 @@ fi - reboot_required - sysctl_kernel_panic_on_oops - - - - - - - - - Limit CPU consumption of the Perf system - To set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_cpu_time_max_percent = 1 - BP28(R23) - The kernel.perf_cpu_time_max_percent configures a treshold of -maximum percentile of CPU that can be used by Perf system. Restricting usage -of Perf system decreases risk of potential availability problems. - - CCE-83373-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_cpu_time_max_percent.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.perf_cpu_time_max_percent" matches to preserve user data + # comment out "kernel.panic_on_oops" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216064,18 +215987,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.perf_cpu_time_max_percent +# Set runtime for kernel.panic_on_oops # -/sbin/sysctl -q -n -w kernel.perf_cpu_time_max_percent="1" +/sbin/sysctl -q -n -w kernel.panic_on_oops="1" # -# If kernel.perf_cpu_time_max_percent present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.perf_cpu_time_max_percent = 1" to /etc/sysctl.conf +# If kernel.panic_on_oops present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.panic_on_oops = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_cpu_time_max_percent") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.panic_on_oops") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -216083,14 +216006,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_cpu_time_max_percent\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.panic_on_oops\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_cpu_time_max_percent\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.panic_on_oops\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83373-1" + cce="CCE-87666-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -216099,6 +216022,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Limit CPU consumption of the Perf system + To set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_cpu_time_max_percent = 1 + BP28(R23) + The kernel.perf_cpu_time_max_percent configures a treshold of +maximum percentile of CPU that can be used by Perf system. Restricting usage +of Perf system decreases risk of potential availability problems. + + CCE-83373-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
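Review bot: In the rule text added by the @@ -216099 hunk, `configures a treshold of maximum percentile of CPU` has a typo and the wrong term: it should read "configures a threshold for the maximum percentage of CPU time the perf subsystem may consume". Since this text is regenerated from the rule source on every publish, the fix belongs in the rule's description, not in the datastream.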
@@ -216153,36 +216093,18 @@ fi - reboot_required - sysctl_kernel_perf_cpu_time_max_percent - - - - - - - - - Limit sampling frequency of the Perf system - To set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_max_sample_rate = 1 - BP28(R23) - The kernel.perf_event_max_sample_rate parameter configures maximum -frequency of collecting of samples for the Perf system. It is expressed in -samples per second. Restricting usage of Perf system decreases risk -of potential availability problems. - - CCE-83368-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_max_sample_rate.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_cpu_time_max_percent.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.perf_event_max_sample_rate" matches to preserve user data + # comment out "kernel.perf_cpu_time_max_percent" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216196,18 +216118,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.perf_event_max_sample_rate +# Set runtime for kernel.perf_cpu_time_max_percent # -/sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1" +/sbin/sysctl -q -n -w kernel.perf_cpu_time_max_percent="1" # -# If kernel.perf_event_max_sample_rate present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.perf_event_max_sample_rate = 1" to /etc/sysctl.conf +# If kernel.perf_cpu_time_max_percent present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.perf_cpu_time_max_percent = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_max_sample_rate") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_cpu_time_max_percent") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -216215,14 +216137,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_max_sample_rate\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_cpu_time_max_percent\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_max_sample_rate\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_cpu_time_max_percent\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83368-1" + cce="CCE-83373-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -216231,6 +216153,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Limit sampling frequency of the Perf system + To set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_max_sample_rate = 1 + BP28(R23) + The kernel.perf_event_max_sample_rate parameter configures maximum +frequency of collecting of samples for the Perf system. It is expressed in +samples per second. Restricting usage of Perf system decreases risk +of potential availability problems. + + CCE-83368-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
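Review bot: The rationale added by the @@ -216231 hunk does not say what `kernel.perf_event_max_sample_rate = 1` does in practice: at one sample per second perf-based profiling is effectively unusable, and the kernel already lowers this rate automatically whenever sampling exceeds perf_cpu_time_max_percent. If the intent (per BP28 R23) is to disable sampling on hardened hosts, state that plainly so that operators do not read it as a mild tuning.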
@@ -216285,41 +216225,18 @@ fi - reboot_required - sysctl_kernel_perf_event_max_sample_rate - - - - - - - - - Disallow kernel profiling by unprivileged users - To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 - BP28(R23) - CCI-001090 - AC-6 - FMT_SMF_EXT.1 - SRG-OS-000132-GPOS-00067 - SRG-OS-000138-GPOS-00069 - SRG-APP-000243-CTR-000600 - RHEL-08-010376 - SV-230270r858758_rule - Kernel profiling can reveal sensitive information about kernel behaviour. - - CCE-81054-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_max_sample_rate.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.perf_event_paranoid" matches to preserve user data + # comment out "kernel.perf_event_max_sample_rate" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216333,33 +216250,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.perf_event_paranoid +# Set runtime for kernel.perf_event_max_sample_rate # -/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2" +/sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1" # -# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2" -# else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf +# If kernel.perf_event_max_sample_rate present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.perf_event_max_sample_rate = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_paranoid") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_max_sample_rate") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "2" +printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_paranoid\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_max_sample_rate\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_max_sample_rate\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-81054-9" + cce="CCE-83368-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -216367,6 +216284,44 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disallow kernel profiling by unprivileged users + To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 + BP28(R23) + CCI-001090 + AC-6 + FMT_SMF_EXT.1 + SRG-OS-000132-GPOS-00067 + SRG-OS-000138-GPOS-00069 + SRG-APP-000243-CTR-000600 + RHEL-08-010376 + SV-230270r858758_rule + Kernel profiling can reveal sensitive information about kernel behaviour. + + CCE-81054-9 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.perf_event_paranoid%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
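Review bot: the MachineConfig fragment added for kernel.perf_event_paranoid in `@@ -216367,6 +216284,44 @@` has no `metadata.name` and no `machineconfiguration.openshift.io/role` label, so `oc apply` rejects it as written; if the consumer (the Compliance Operator) injects those fields, the rule text should say so, otherwise add them. The encoded content `source: data:,kernel.perf_event_paranoid%3D2%0A` is correct, but the two fixes for this rule disagree on where the setting lands: the fragment writes `/etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf` while the bash fix writes /etc/sysctl.conf and comments out any /etc/sysctl.d entry for the key, so the two paths are not interchangeable on the same host. A sentence in the description noting which fix applies to which platform would avoid the surprise.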
@@ -216427,51 +216382,18 @@ fi - reboot_required - sysctl_kernel_perf_event_paranoid - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.perf_event_paranoid%3D2%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf - overwrite: true - - - - - - - - - - Configure maximum number of process identifiers - To set the runtime status of the kernel.pid_max kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.pid_max = 65536 - BP28(R23) - The kernel.pid_max parameter configures upper limit on process -identifiers (PID). If this number is not high enough, it might happen that -forking of new processes is not possible, because all available PIDs are -exhausted. Increasing this number enhances availability. - - CCE-83366-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.pid_max" matches to preserve user data + # comment out "kernel.perf_event_paranoid" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216485,33 +216407,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.pid_max +# Set runtime for kernel.perf_event_paranoid # -/sbin/sysctl -q -n -w kernel.pid_max="65536" +/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2" # -# If kernel.pid_max present in /etc/sysctl.conf, change value to "65536" -# else, add "kernel.pid_max = 65536" to /etc/sysctl.conf +# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2" +# else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.pid_max") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_paranoid") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "65536" +printf -v formatted_output "%s = %s" "$stripped_key" "2" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.pid_max\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_paranoid\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.pid_max\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83366-5" + cce="CCE-81054-9" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
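Review bot: in the persistence step of this hunk, `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` escapes only `/` before the value is used as the replacement in `sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi"`, so an `&` or `\` in a value would be interpreted by sed. The values in this series are numeric, so nothing breaks today, but the template is shared and a string-valued sysctl would be mangled; escape `&` and `\` as well, or write the line with awk or printf instead of a sed substitution. Also, the `grep -i` and the `gi` flags make the match case-insensitive while sysctl keys are case-sensitive paths under /proc/sys: a line such as `Kernel.Perf_Event_Paranoid = 0` is not this key as far as `sysctl --system` is concerned, yet the step silently rewrites it.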
@@ -216520,6 +216442,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Configure maximum number of process identifiers + To set the runtime status of the kernel.pid_max kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.pid_max = 65536 + BP28(R23) + The kernel.pid_max parameter configures upper limit on process +identifiers (PID). If this number is not high enough, it might happen that +forking of new processes is not possible, because all available PIDs are +exhausted. Increasing this number enhances availability. + + CCE-83366-5 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -216573,36 +216513,18 @@ fi - reboot_required - sysctl_kernel_pid_max - - - - - - - - - Disallow magic SysRq key - To set the runtime status of the kernel.sysrq kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.sysrq = 0 - BP28(R23) - The Magic SysRq key allows sending certain commands directly to the running -kernel. It can dump various system and process information, potentially -revealing sensitive information. It can also reboot or shutdown the machine, -disturbing its availability. - - CCE-83355-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.sysrq" matches to preserve user data + # comment out "kernel.pid_max" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216616,33 +216538,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.sysrq +# Set runtime for kernel.pid_max # -/sbin/sysctl -q -n -w kernel.sysrq="0" +/sbin/sysctl -q -n -w kernel.pid_max="65536" # -# If kernel.sysrq present in /etc/sysctl.conf, change value to "0" -# else, add "kernel.sysrq = 0" to /etc/sysctl.conf +# If kernel.pid_max present in /etc/sysctl.conf, change value to "65536" +# else, add "kernel.pid_max = 65536" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.sysrq") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.pid_max") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "65536" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.sysrq\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.pid_max\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.sysrq\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.pid_max\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83355-8" + cce="CCE-83366-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
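Review bot: the pid_max branch of this hunk, `/sbin/sysctl -q -n -w kernel.pid_max="65536"` followed by `sed -i ... "s/^kernel.pid_max\\>.*/$escaped_formatted_output/gi"`, overwrites whatever value is already configured instead of enforcing a floor, so a host that an administrator deliberately set to 4194304 (the 64-bit maximum, common on large container hosts) is lowered to 65536 by remediation, which is exactly the availability regression the rule's rationale warns about. Since the intent is a minimum, read the current value first and only raise it, or document that the remediation sets exactly 65536 and that larger site values must be handled by excluding the rule. The "exactly this value" semantics is fine for the other rules in this series because their targets are the most restrictive setting.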
@@ -216651,6 +216573,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disallow magic SysRq key + To set the runtime status of the kernel.sysrq kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.sysrq = 0 + BP28(R23) + The Magic SysRq key allows sending certain commands directly to the running +kernel. It can dump various system and process information, potentially +revealing sensitive information. It can also reboot or shutdown the machine, +disturbing its availability. + + CCE-83355-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
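Review bot: the rationale added for kernel.sysrq in this hunk should state two things a reader acting on it needs. First, the sysctl governs only keyboard and serial console invocation; writes to /proc/sysrq-trigger by root work regardless of the value, so `kernel.sysrq = 0` does not stop a privileged process from dumping memory or rebooting the machine. Second, 0 is all-or-nothing while the value is a bitmask, so sites that rely on the emergency sync, remount read-only and reboot sequence can keep only those bits (176) instead of disabling the facility outright. Mentioning the shipped default (16, which permits only the sync command) would also make the delta from default clear.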
@@ -216704,42 +216644,18 @@ fi - reboot_required - sysctl_kernel_sysrq - - - - - - - - - Disable Access to Network bpf() Syscall From Unprivileged Processes - To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 - BP28(R9) - CCI-000366 - AC-6 - SC-7(10) - FMT_SMF_EXT.1 - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - RHEL-08-040281 - SV-230545r858822_rule - Loading and accessing the packet filters programs and maps using the bpf() -syscall has the potential of revealing sensitive information about the kernel state. - - CCE-82974-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data + # comment out "kernel.sysrq" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216753,33 +216669,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.unprivileged_bpf_disabled +# Set runtime for kernel.sysrq # -/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1" +/sbin/sysctl -q -n -w kernel.sysrq="0" # -# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf +# If kernel.sysrq present in /etc/sysctl.conf, change value to "0" +# else, add "kernel.sysrq = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.sysrq") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" +printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.sysrq\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.sysrq\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-82974-7" + cce="CCE-83355-8" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -216787,6 +216703,45 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 + BP28(R9) + CCI-000366 + AC-6 + SC-7(10) + FMT_SMF_EXT.1 + SRG-OS-000132-GPOS-00067 + SRG-OS-000480-GPOS-00227 + RHEL-08-040281 + SV-230545r858822_rule + Loading and accessing the packet filters programs and maps using the bpf() +syscall has the potential of revealing sensitive information about the kernel state. + + CCE-82974-7 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.unprivileged_bpf_disabled%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
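Review bot: the rule text added in this hunk should document that writing 1 to kernel.unprivileged_bpf_disabled is one-way: once set, the kernel refuses to clear it until reboot, so a mis-targeted remediation cannot be undone on a running system (kernels that implement the value 2 provide the same restriction in a reversible form). The title `Disable Access to Network bpf() Syscall From Unprivileged Processes` is also misleading, since bpf() is not a networking call and this sysctl gates every unprivileged use of it (tracing, cgroup and socket filter programs alike); drop "Network". The MachineConfig content `source: data:,kernel.unprivileged_bpf_disabled%3D1%0A` is consistent with the bash fix.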
@@ -216851,58 +216806,18 @@ fi - reboot_required - sysctl_kernel_unprivileged_bpf_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.unprivileged_bpf_disabled%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf - overwrite: true - - - - - - - - - - Restrict usage of ptrace to descendant processes - To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 - BP28(R25) - CCI-000366 - SC-7(10) - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - RHEL-08-040282 - SV-230546r858824_rule - Unrestricted usage of ptrace allows compromised binaries to run ptrace -on another processes of the user. Like this, the attacker can steal -sensitive information from the target processes (e.g. SSH sessions, web browser, ...) -without any additional assistance from the user (i.e. without resorting to phishing). - - - CCE-80953-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.yama.ptrace_scope" matches to preserve user data + # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi @@ -216916,18 +216831,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.yama.ptrace_scope +# Set runtime for kernel.unprivileged_bpf_disabled # -/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1" +/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1" # -# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf +# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -216935,14 +216850,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-80953-3" + cce="CCE-82974-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -216950,6 +216865,46 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Restrict usage of ptrace to descendant processes + To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 + BP28(R25) + CCI-000366 + SC-7(10) + SRG-OS-000132-GPOS-00067 + SRG-OS-000480-GPOS-00227 + RHEL-08-040282 + SV-230546r858824_rule + Unrestricted usage of ptrace allows compromised binaries to run ptrace +on another processes of the user. Like this, the attacker can steal +sensitive information from the target processes (e.g. SSH sessions, web browser, ...) +without any additional assistance from the user (i.e. without resorting to phishing). + + + CCE-80953-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.yama.ptrace_scope%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
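Review bot: the rationale added here, "allows compromised binaries to run ptrace on another processes of the user", should read "on other processes of the same user", and it should spell out what scope 1 still permits so operators do not assume ptrace is gone: with Yama at 1 a process may attach to its descendants, to any process that named it via prctl(PR_SET_PTRACER, ...), and to anything if it holds CAP_SYS_PTRACE, so `gdb -p` and `strace -p` against an unrelated process of the same uid stop working while a parent can still trace its children. That is the behavioural change administrators notice first, and one line in the description avoids the support question. The MachineConfig path `/etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf` follows the naming used by the other rules.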
@@ -217010,57 +216965,18 @@ fi - reboot_required - sysctl_kernel_yama_ptrace_scope - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.yama.ptrace_scope%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf - overwrite: true - - - - - - - - - - Harden the operation of the BPF just-in-time compiler - To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 - BP28(R12) - CCI-000366 - CM-6 - SC-7(10) - FMT_SMF_EXT.1 - SRG-OS-000480-GPOS-00227 - RHEL-08-040286 - SV-244554r858832_rule - When hardened, the extended Berkeley Packet Filter just-in-time compiler -will randomize any kernel addresses in the BPF programs and maps, -and will not expose the JIT addresses in /proc/kallsyms. - - CCE-82934-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.core.bpf_jit_harden" matches to preserve user data + # comment out "kernel.yama.ptrace_scope" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -217074,33 +216990,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for net.core.bpf_jit_harden +# Set runtime for kernel.yama.ptrace_scope # -/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2" +/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1" # -# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2" -# else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf +# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "2" +printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-82934-1" + cce="CCE-80953-3" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -217108,6 +217024,45 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Harden the operation of the BPF just-in-time compiler + To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 + BP28(R12) + CCI-000366 + CM-6 + SC-7(10) + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + RHEL-08-040286 + SV-244554r858832_rule + When hardened, the extended Berkeley Packet Filter just-in-time compiler +will randomize any kernel addresses in the BPF programs and maps, +and will not expose the JIT addresses in /proc/kallsyms. + + CCE-82934-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.core.bpf_jit_harden%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
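Review bot: the rationale added in this hunk, "will randomize any kernel addresses in the BPF programs and maps", does not describe what the sysctl does: JIT hardening is constant blinding, which rewrites the immediate operands of a BPF program with random values (plus an xor to recover them at run time) so that attacker-chosen constants cannot be used for JIT spraying, and it has no effect on maps. The second half, that JIT images are no longer exported through /proc/kallsyms, is right, since bpf_jit_kallsyms is disabled whenever hardening is on. Please also state the 1 versus 2 distinction: 1 blinds only programs loaded by unprivileged users, while 2 (the value set here) blinds every program at some cost to all BPF users, which is the trade-off the reader is being asked to accept.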
@@ -217171,68 +217126,18 @@ fi - reboot_required - sysctl_net_core_bpf_jit_harden - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.core.bpf_jit_harden%3D2%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf - overwrite: true - - - - - - - - - - Disable the use of user namespaces - To set the runtime status of the user.max_user_namespaces kernel parameter, -run the following command: -$ sudo sysctl -w user.max_user_namespaces=0 - -To make sure that the setting is persistent, -add the following line to a file in the directory /etc/sysctl.d: -user.max_user_namespaces = 0 -When containers are deployed on the machine, the value should be set -to large non-zero value. - This configuration baseline was created to deploy the base operating system for general purpose -workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, -it is expected that user.max_user_namespaces will be enabled. - CCI-000366 - SC-39 - CM-6(a) - FMT_SMF_EXT.1 - SRG-OS-000480-GPOS-00227 - RHEL-08-040284 - SV-230548r858828_rule - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. -These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. -They increase the risk to the platform by providing additional attack vectors. -User namespaces are used primarily for Linux containers. The value 0 -disallows the use of user namespaces. - - CCE-82211-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "user.max_user_namespaces" matches to preserve user data + # comment out "net.core.bpf_jit_harden" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -217246,33 +217151,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for user.max_user_namespaces +# Set runtime for net.core.bpf_jit_harden # -/sbin/sysctl -q -n -w user.max_user_namespaces="0" +/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2" # -# If user.max_user_namespaces present in /etc/sysctl.conf, change value to "0" -# else, add "user.max_user_namespaces = 0" to /etc/sysctl.conf +# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2" +# else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^user.max_user_namespaces") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "2" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^user.max_user_namespaces\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^user.max_user_namespaces\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-82211-4" + cce="CCE-82934-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -217280,6 +217185,56 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disable the use of user namespaces + To set the runtime status of the user.max_user_namespaces kernel parameter, +run the following command: +$ sudo sysctl -w user.max_user_namespaces=0 + +To make sure that the setting is persistent, +add the following line to a file in the directory /etc/sysctl.d: +user.max_user_namespaces = 0 +When containers are deployed on the machine, the value should be set +to large non-zero value. + This configuration baseline was created to deploy the base operating system for general purpose +workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, +it is expected that user.max_user_namespaces will be enabled. + CCI-000366 + SC-39 + CM-6(a) + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + RHEL-08-040284 + SV-230548r858828_rule + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. +These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. +They increase the risk to the platform by providing additional attack vectors. +User namespaces are used primarily for Linux containers. The value 0 +disallows the use of user namespaces. + + CCE-82211-4 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,user.max_user_namespaces%20%3D%200%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -217343,51 +217298,18 @@ fi - reboot_required - sysctl_user_max_user_namespaces - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,user.max_user_namespaces%20%3D%200%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf - overwrite: true - - - - - - - - - - Prevent applications from mapping low portion of virtual memory - To set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: vm.mmap_min_addr = 65536 - BP28(R23) - The vm.mmap_min_addr parameter specifies the minimum virtual -address that a process is allowed to mmap. Allowing a process to mmap low -portion of virtual memory can have security implications such as such as -heightened risk of kernel null pointer dereference defects. - - CCE-83363-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of vm.mmap_min_addr from /etc/sysctl.d/*.conf files +# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*vm.mmap_min_addr.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "vm.mmap_min_addr" matches to preserve user data + # comment out "user.max_user_namespaces" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -217401,33 +217323,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for vm.mmap_min_addr +# Set runtime for user.max_user_namespaces # -/sbin/sysctl -q -n -w vm.mmap_min_addr="65536" +/sbin/sysctl -q -n -w user.max_user_namespaces="0" # -# If vm.mmap_min_addr present in /etc/sysctl.conf, change value to "65536" -# else, add "vm.mmap_min_addr = 65536" to /etc/sysctl.conf +# If user.max_user_namespaces present in /etc/sysctl.conf, change value to "0" +# else, add "user.max_user_namespaces = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^vm.mmap_min_addr") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^user.max_user_namespaces") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "65536" +printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^vm.mmap_min_addr\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^user.max_user_namespaces\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^vm.mmap_min_addr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^user.max_user_namespaces\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83363-2" + cce="CCE-82211-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -217436,6 +217358,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Prevent applications from mapping low portion of virtual memory + To set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: vm.mmap_min_addr = 65536 + BP28(R23) + The vm.mmap_min_addr parameter specifies the minimum virtual +address that a process is allowed to mmap. Allowing a process to mmap low +portion of virtual memory can have security implications such as such as +heightened risk of kernel null pointer dereference defects. + + CCE-83363-2 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -217488,6 +217428,66 @@ fi - medium_severity - reboot_required - sysctl_vm_mmap_min_addr + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of vm.mmap_min_addr from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*vm.mmap_min_addr.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "vm.mmap_min_addr" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for vm.mmap_min_addr +# +/sbin/sysctl -q -n -w vm.mmap_min_addr="65536" + +# +# If vm.mmap_min_addr present in /etc/sysctl.conf, change value to "65536" +# else, add "vm.mmap_min_addr = 65536" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^vm.mmap_min_addr") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "65536" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^vm.mmap_min_addr\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^vm.mmap_min_addr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-83363-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -217532,21 +217532,6 @@ terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. CCE-82881-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SOCKET_NAME="systemd-coredump.socket" -SYSTEMCTL_EXEC='/usr/bin/systemctl' - -if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then - "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" - "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable acquiring, saving, and processing core dumps - Collect systemd Socket Units Present in the System ansible.builtin.command: 
@@ -217585,6 +217570,21 @@ fi - medium_severity - no_reboot_needed - service_systemd-coredump_disabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SOCKET_NAME="systemd-coredump.socket" +SYSTEMCTL_EXEC='/usr/bin/systemctl' + +if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then + "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" + "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217623,27 +217623,20 @@ debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. CCE-82251-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q systemd; then - -if [ -e "/etc/systemd/coredump.conf" ] ; then - - LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf" -else - touch "/etc/systemd/coredump.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/systemd/coredump.conf" - -cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" -# Insert at the end of the file -printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf" -# Clean up after ourselves. -rm "/etc/systemd/coredump.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A + mode: 0644 + path: /etc/systemd/coredump.conf + overwrite: true - 
name: Gather the package facts package_facts: @@ -217703,20 +217696,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A - mode: 0644 - path: /etc/systemd/coredump.conf - overwrite: true + # Remediation is applicable only in certain platforms +if rpm --quiet -q systemd; then + +if [ -e "/etc/systemd/coredump.conf" ] ; then + + LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf" +else + touch "/etc/systemd/coredump.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/systemd/coredump.conf" + +cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" +# Insert at the end of the file +printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf" +# Clean up after ourselves. +rm "/etc/systemd/coredump.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217750,27 +217750,20 @@ debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. CCE-82252-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q systemd; then - -if [ -e "/etc/systemd/coredump.conf" ] ; then - - LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf" -else - touch "/etc/systemd/coredump.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/systemd/coredump.conf" - -cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" -# Insert at the end of the file -printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf" -# Clean up after ourselves. -rm "/etc/systemd/coredump.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A + mode: 0644 + path: /etc/systemd/coredump.conf + overwrite: true - name: 
Gather the package facts package_facts: @@ -217830,20 +217823,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A - mode: 0644 - path: /etc/systemd/coredump.conf - overwrite: true + # Remediation is applicable only in certain platforms +if rpm --quiet -q systemd; then + +if [ -e "/etc/systemd/coredump.conf" ] ; then + + LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf" +else + touch "/etc/systemd/coredump.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/systemd/coredump.conf" + +cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" +# Insert at the end of the file +printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf" +# Clean up after ourselves. +rm "/etc/systemd/coredump.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217891,24 +217891,20 @@ terminates an application. The memory image could contain sensitive data and is only for developers trying to debug problems. CCE-81038-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -SECURITY_LIMITS_FILE="/etc/security/limits.conf" - -if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then - sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE -else - echo "* hard core 0" >> $SECURITY_LIMITS_FILE -fi - -if ls /etc/security/limits.d/*.conf > /dev/null; then - sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200 + mode: 0644 + path: /etc/security/limits.d/75-disable_users_coredumps.conf + overwrite: true - name: Gather the package facts package_facts: @@ -217946,20 +217942,24 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200 - mode: 0644 - path: /etc/security/limits.d/75-disable_users_coredumps.conf - overwrite: true + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +SECURITY_LIMITS_FILE="/etc/security/limits.conf" + +if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then + sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE +else + echo "* hard core 0" >> $SECURITY_LIMITS_FILE +fi + +if ls /etc/security/limits.d/*.conf > /dev/null; then + sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217991,66 +217991,6 @@ setuid program to write a core file decreases the risk of unauthorized access of such data. CCE-80912-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "fs.suid_dumpable" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for fs.suid_dumpable -# -/sbin/sysctl -q -n -w fs.suid_dumpable="0" - -# -# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" -# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80912-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -218112,6 +218052,66 @@ fi - medium_severity - reboot_required - sysctl_fs_suid_dumpable + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "fs.suid_dumpable" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for fs.suid_dumpable +# +/sbin/sysctl -q -n -w fs.suid_dumpable="0" + +# +# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" +# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80912-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -218272,15 +218272,6 @@ prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. CCE-80914-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -grubby --update-kernel=ALL --remove-args=noexec --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Update grub defaults and the bootloader menu command: /sbin/grubby --update-kernel=ALL --remove-args="noexec" when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] @@ -218295,6 +218286,15 @@ fi - reboot_required - restrict_strategy - sysctl_kernel_exec_shield + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +grubby --update-kernel=ALL --remove-args=noexec --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -218349,67 +218349,20 @@ be compromised. This option disallow any program without the CAP_SYSLOG capabili to get the addresses of kernel pointers by replacing them with 0. CCE-80915-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.kptr_restrict" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_kernel_kptr_restrict_value='' - - -# -# Set runtime for kernel.kptr_restrict -# -/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value" - -# -# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value -# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80915-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.kptr_restrict%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -218484,30 +218437,77 @@ fi - reboot_required - sysctl_kernel_kptr_restrict - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.kptr_restrict%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf - overwrite: true - - - - - - - - - - Enable Randomized Layout of Virtual Address Space + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "kernel.kptr_restrict" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_kernel_kptr_restrict_value='' + + +# +# Set runtime for kernel.kptr_restrict +# +/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value" + +# +# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value +# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80915-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Enable Randomized Layout of Virtual Address Space To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 BP28(R23) 
@@ -218563,65 +218563,20 @@ existing code in order to re-purpose it using return oriented programming (ROP) techniques. CCE-80916-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.randomize_va_space" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for kernel.randomize_va_space -# -/sbin/sysctl -q -n -w kernel.randomize_va_space="2" - -# -# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2" -# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "2" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80916-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.randomize_va_space%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -218697,20 +218652,65 @@ fi - reboot_required - sysctl_kernel_randomize_va_space - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.randomize_va_space%3D2%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "kernel.randomize_va_space" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for kernel.randomize_va_space +# +/sbin/sysctl -q -n -w kernel.randomize_va_space="2" + +# +# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2" +# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "2" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80916-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -218868,15 +218868,6 @@ Also prevents leak of data and detection of corrupted memory.CCE-80944-2 [customizations.kernel] append = "page_poison=1" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -218907,6 +218898,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -218942,19 +218942,6 @@ Also prevents leak of data and detection of corrupted memory.CCE-80945-9 [customizations.kernel] append = "slub_debug=" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -var_slub_debug_options='' - - - -grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -218991,6 +218978,19 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +var_slub_debug_options='' + + + +grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219061,21 +219061,13 @@ with enhanced security functionality designed to add mandatory access controls t The libselinux package contains the core library of the Security-enhanced Linux system. CCE-82877-2 + +package --add=libselinux + [[packages]] name = "libselinux" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "libselinux" ; then - yum install -y "libselinux" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_libselinux @@ -219100,8 +219092,16 @@ class install_libselinux { - no_reboot_needed - package_libselinux_installed - -package --add=libselinux + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "libselinux" ; then + yum install -y "libselinux" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219119,21 +219119,13 @@ $ sudo yum install policycoreutils-python-utilsThis package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. CCE-82724-6 + +package --add=policycoreutils-python-utils + [[packages]] name = "policycoreutils-python-utils" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "policycoreutils-python-utils" ; then - yum install -y "policycoreutils-python-utils" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_policycoreutils-python-utils @@ -219157,8 +219149,16 @@ class install_policycoreutils-python-utils { - no_reboot_needed - package_policycoreutils-python-utils_installed - -package --add=policycoreutils-python-utils + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "policycoreutils-python-utils" ; then + yum install -y "policycoreutils-python-utils" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219190,21 +219190,13 @@ basic operation of an SELinux-enabled system. These utilities include setfiles to label filesystems, newrole to switch roles, and so on. CCE-82976-2 + +package --add=policycoreutils + [[packages]] name = "policycoreutils" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "policycoreutils" ; then - yum install -y "policycoreutils" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_policycoreutils 
@@ -219229,8 +219221,16 @@ class install_policycoreutils { - no_reboot_needed - package_policycoreutils_installed - -package --add=policycoreutils + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "policycoreutils" ; then + yum install -y "policycoreutils" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219251,24 +219251,8 @@ $ sudo yum erase mcstrans Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. CCE-82756-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove mcstrans -# from the system, and may remove any packages -# that depend on mcstrans. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "mcstrans" ; then - - yum remove -y "mcstrans" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=mcstrans include remove_mcstrans @@ -219292,8 +219276,24 @@ class remove_mcstrans { - no_reboot_needed - package_mcstrans_removed - -package --remove=mcstrans + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove mcstrans +# from the system, and may remove any packages +# that depend on mcstrans. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "mcstrans" ; then + + yum remove -y "mcstrans" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219310,24 +219310,8 @@ $ sudo yum erase setroubleshoot-plugins The SETroubleshoot service is an unnecessary daemon to have running on a server. CCE-84250-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove setroubleshoot-plugins -# from the system, and may remove any packages -# that depend on setroubleshoot-plugins. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "setroubleshoot-plugins" ; then - - yum remove -y "setroubleshoot-plugins" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=setroubleshoot-plugins include remove_setroubleshoot-plugins @@ -219351,8 +219335,24 @@ class remove_setroubleshoot-plugins { - no_reboot_needed - package_setroubleshoot-plugins_removed - -package --remove=setroubleshoot-plugins + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot-plugins +# from the system, and may remove any packages +# that depend on setroubleshoot-plugins. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "setroubleshoot-plugins" ; then + + yum remove -y "setroubleshoot-plugins" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219373,24 +219373,8 @@ $ sudo yum erase setroubleshoot-server The SETroubleshoot service is an unnecessary daemon to have running on a server. CCE-83490-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove setroubleshoot-server -# from the system, and may remove any packages -# that depend on setroubleshoot-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "setroubleshoot-server" ; then - - yum remove -y "setroubleshoot-server" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=setroubleshoot-server include remove_setroubleshoot-server @@ -219414,8 +219398,24 @@ class remove_setroubleshoot-server { - no_reboot_needed - package_setroubleshoot-server_removed - -package --remove=setroubleshoot-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot-server +# from the system, and may remove any packages +# that depend on setroubleshoot-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "setroubleshoot-server" ; then + + yum remove -y "setroubleshoot-server" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219438,24 +219438,8 @@ $ sudo yum erase setroubleshoot have running on a server, especially if X Windows is removed or disabled. CCE-82755-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove setroubleshoot -# from the system, and may remove any packages -# that depend on setroubleshoot. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "setroubleshoot" ; then - - yum remove -y "setroubleshoot" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=setroubleshoot include remove_setroubleshoot @@ -219479,8 +219463,24 @@ class remove_setroubleshoot { - no_reboot_needed - package_setroubleshoot_removed - -package --remove=setroubleshoot + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot +# from the system, and may remove any packages +# that depend on setroubleshoot. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "setroubleshoot" ; then + + yum remove -y "setroubleshoot" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219831,16 +219831,6 @@ it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. CCE-80827-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* -sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -219994,6 +219984,16 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* +sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -220363,31 +220363,6 @@ before setting it to "enforcing", which is strongly recommended. CCE-86151-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/selinux/config" ] ; then - - LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" -else - touch "/etc/selinux/config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/selinux/config" - -cp "/etc/selinux/config" "/etc/selinux/config.bak" -# Insert at the end of the file -printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config" -# Clean up after ourselves. -rm "/etc/selinux/config.bak" - -fixfiles onboot -fixfiles -f relabel - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure SELinux is Not Disabled block: 
@@ -220425,6 +220400,31 @@ fi - reboot_required - restrict_strategy - selinux_not_disabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/selinux/config" ] ; then + + LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/selinux/config" + +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config" +# Clean up after ourselves. +rm "/etc/selinux/config.bak" + +fixfiles onboot +fixfiles -f relabel + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -220623,31 +220623,6 @@ temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to . CCE-80868-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinux_policy_name='' - - -if [ -e "/etc/selinux/config" ] ; then - - LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config" -else - touch "/etc/selinux/config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/selinux/config" - -cp "/etc/selinux/config" "/etc/selinux/config.bak" -# Insert at the end of the file -printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config" -# Clean up after ourselves. -rm "/etc/selinux/config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinux_policy_name # promote to variable set_fact: var_selinux_policy_name: !!str 
@@ -220699,6 +220674,31 @@ fi - reboot_required - restrict_strategy - selinux_policytype + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinux_policy_name='' + + +if [ -e "/etc/selinux/config" ] ; then + + LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/selinux/config" + +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config" +# Clean up after ourselves. +rm "/etc/selinux/config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -220890,34 +220890,6 @@ potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. CCE-80869-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinux_state='' - - -if [ -e "/etc/selinux/config" ] ; then - - LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" -else - touch "/etc/selinux/config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/selinux/config" - -cp "/etc/selinux/config" "/etc/selinux/config.bak" -# Insert at the end of the file -printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config" -# Clean up after ourselves. -rm "/etc/selinux/config.bak" - -fixfiles onboot -fixfiles -f relabel - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinux_state # promote to variable set_fact: var_selinux_state: !!str 
@@ -220968,6 +220940,34 @@ fi - no_reboot_needed - restrict_strategy - selinux_state + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinux_state='' + + +if [ -e "/etc/selinux/config" ] ; then + + LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/selinux/config" + +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config" +# Clean up after ourselves. +rm "/etc/selinux/config.bak" + +fixfiles onboot +fixfiles -f relabel + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -223689,18 +223689,6 @@ To disable the abrt_anon_write SELinux boolean, run the f $ sudo setsebool -P abrt_anon_write off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_abrt_anon_write='' - - -setsebool -P abrt_anon_write $var_abrt_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_abrt_anon_write # promote to variable set_fact: var_abrt_anon_write: !!str @@ -223739,6 +223727,18 @@ fi - medium_severity - no_reboot_needed - sebool_abrt_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_abrt_anon_write='' + + +setsebool -P abrt_anon_write $var_abrt_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -223757,18 +223757,6 @@ To disable the abrt_handle_event SELinux boolean, run the $ sudo setsebool -P abrt_handle_event off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_abrt_handle_event='' - - -setsebool -P abrt_handle_event $var_abrt_handle_event - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_abrt_handle_event # promote to variable set_fact: var_abrt_handle_event: !!str @@ -223807,6 +223795,18 @@ fi - medium_severity - no_reboot_needed - sebool_abrt_handle_event + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_abrt_handle_event='' + + +setsebool -P abrt_handle_event $var_abrt_handle_event + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -223826,18 +223826,6 @@ To disable the abrt_upload_watch_anon_write SELinux boole $ sudo setsebool -P abrt_upload_watch_anon_write off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_abrt_upload_watch_anon_write='' - - -setsebool -P abrt_upload_watch_anon_write $var_abrt_upload_watch_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_abrt_upload_watch_anon_write # promote to variable set_fact: var_abrt_upload_watch_anon_write: !!str 
@@ -223876,6 +223864,18 @@ fi - medium_severity - no_reboot_needed - sebool_abrt_upload_watch_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_abrt_upload_watch_anon_write='' + + +setsebool -P abrt_upload_watch_anon_write $var_abrt_upload_watch_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -223895,18 +223895,6 @@ To enable the antivirus_can_scan_system SELinux boolean, $ sudo setsebool -P antivirus_can_scan_system on 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_antivirus_can_scan_system='' - - -setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_antivirus_can_scan_system # promote to variable set_fact: var_antivirus_can_scan_system: !!str @@ -223945,6 +223933,18 @@ fi - medium_severity - no_reboot_needed - sebool_antivirus_can_scan_system + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_antivirus_can_scan_system='' + + +setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -223963,18 +223963,6 @@ To disable the antivirus_use_jit SELinux boolean, run the $ sudo setsebool -P antivirus_use_jit off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_antivirus_use_jit='' - - -setsebool -P antivirus_use_jit $var_antivirus_use_jit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_antivirus_use_jit # promote to variable set_fact: var_antivirus_use_jit: !!str @@ -224013,6 +224001,18 @@ fi - medium_severity - no_reboot_needed - sebool_antivirus_use_jit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_antivirus_use_jit='' + + +setsebool -P antivirus_use_jit $var_antivirus_use_jit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224038,18 +224038,6 @@ To enable the auditadm_exec_content SELinux boolean, run 0957 CCE-84297-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_auditadm_exec_content='' - - -setsebool -P auditadm_exec_content $var_auditadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_auditadm_exec_content # promote to variable set_fact: var_auditadm_exec_content: !!str @@ -224090,6 +224078,18 @@ fi - medium_severity - no_reboot_needed - sebool_auditadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_auditadm_exec_content='' + + +setsebool -P auditadm_exec_content $var_auditadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224123,18 +224123,6 @@ To disable the authlogin_nsswitch_use_ldap SELinux boolea 1561 CCE-84296-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_authlogin_nsswitch_use_ldap='' - - -setsebool -P authlogin_nsswitch_use_ldap $var_authlogin_nsswitch_use_ldap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_authlogin_nsswitch_use_ldap # promote to variable set_fact: var_authlogin_nsswitch_use_ldap: !!str @@ -224175,6 +224163,18 @@ fi - medium_severity - no_reboot_needed - sebool_authlogin_nsswitch_use_ldap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_authlogin_nsswitch_use_ldap='' + + +setsebool -P authlogin_nsswitch_use_ldap $var_authlogin_nsswitch_use_ldap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224208,18 +224208,6 @@ To disable the authlogin_radius SELinux boolean, run the 1561 CCE-84294-8 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_authlogin_radius='' - - -setsebool -P authlogin_radius $var_authlogin_radius - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_authlogin_radius # promote to variable set_fact: var_authlogin_radius: !!str 
@@ -224260,6 +224248,18 @@ fi - medium_severity - no_reboot_needed - sebool_authlogin_radius + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_authlogin_radius='' + + +setsebool -P authlogin_radius $var_authlogin_radius + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224278,18 +224278,6 @@ To disable the authlogin_yubikey SELinux boolean, run the $ sudo setsebool -P authlogin_yubikey off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_authlogin_yubikey='' - - -setsebool -P authlogin_yubikey $var_authlogin_yubikey - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_authlogin_yubikey # promote to variable set_fact: var_authlogin_yubikey: !!str @@ -224328,6 +224316,18 @@ fi - medium_severity - no_reboot_needed - sebool_authlogin_yubikey + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_authlogin_yubikey='' + + +setsebool -P authlogin_yubikey $var_authlogin_yubikey + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224346,18 +224346,6 @@ To disable the awstats_purge_apache_log_files SELinux boo $ sudo setsebool -P awstats_purge_apache_log_files off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_awstats_purge_apache_log_files='' - - -setsebool -P awstats_purge_apache_log_files $var_awstats_purge_apache_log_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_awstats_purge_apache_log_files # promote to variable set_fact: var_awstats_purge_apache_log_files: !!str @@ -224396,6 +224384,18 @@ fi - medium_severity - no_reboot_needed - sebool_awstats_purge_apache_log_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_awstats_purge_apache_log_files='' + + +setsebool -P awstats_purge_apache_log_files $var_awstats_purge_apache_log_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224416,18 +224416,6 @@ To disable the boinc_execmem SELinux boolean, run the fol 3.7.2 CCE-83304-6 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_boinc_execmem='' - - -setsebool -P boinc_execmem $var_boinc_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_boinc_execmem # promote to variable set_fact: var_boinc_execmem: !!str 
@@ -224468,6 +224456,18 @@ fi - medium_severity - no_reboot_needed - sebool_boinc_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_boinc_execmem='' + + +setsebool -P boinc_execmem $var_boinc_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224485,18 +224485,6 @@ If this setting is enabled, it should be disabled. To disable the cdrecord_read_content SELinux boolean, run the following command: $ sudo setsebool -P cdrecord_read_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cdrecord_read_content='' - - -setsebool -P cdrecord_read_content $var_cdrecord_read_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cdrecord_read_content # promote to variable set_fact: var_cdrecord_read_content: !!str @@ -224533,6 +224521,18 @@ fi - medium_severity - no_reboot_needed - sebool_cdrecord_read_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cdrecord_read_content='' + + +setsebool -P cdrecord_read_content $var_cdrecord_read_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224550,18 +224550,6 @@ If this setting is enabled, it should be disabled. To disable the cluster_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P cluster_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cluster_can_network_connect='' - - -setsebool -P cluster_can_network_connect $var_cluster_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cluster_can_network_connect # promote to variable set_fact: var_cluster_can_network_connect: !!str @@ -224598,6 +224586,18 @@ fi - medium_severity - no_reboot_needed - sebool_cluster_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cluster_can_network_connect='' + + +setsebool -P cluster_can_network_connect $var_cluster_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224615,18 +224615,6 @@ If this setting is enabled, it should be disabled. To disable the cluster_manage_all_files SELinux boolean, run the following command: $ sudo setsebool -P cluster_manage_all_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cluster_manage_all_files='' - - -setsebool -P cluster_manage_all_files $var_cluster_manage_all_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cluster_manage_all_files # promote to variable set_fact: var_cluster_manage_all_files: !!str 
@@ -224663,6 +224651,18 @@ fi - medium_severity - no_reboot_needed - sebool_cluster_manage_all_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cluster_manage_all_files='' + + +setsebool -P cluster_manage_all_files $var_cluster_manage_all_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224682,18 +224682,6 @@ To disable the cluster_use_execmem SELinux boolean, run t BP28(R67) CCE-83305-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cluster_use_execmem='' - - -setsebool -P cluster_use_execmem $var_cluster_use_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cluster_use_execmem # promote to variable set_fact: var_cluster_use_execmem: !!str @@ -224732,6 +224720,18 @@ fi - medium_severity - no_reboot_needed - sebool_cluster_use_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cluster_use_execmem='' + + +setsebool -P cluster_use_execmem $var_cluster_use_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224749,18 +224749,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_anon_write SELinux boolean, run the following command: $ sudo setsebool -P cobbler_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_anon_write='' - - -setsebool -P cobbler_anon_write $var_cobbler_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_anon_write # promote to variable set_fact: var_cobbler_anon_write: !!str @@ -224797,6 +224785,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_anon_write='' + + +setsebool -P cobbler_anon_write $var_cobbler_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224814,18 +224814,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P cobbler_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_can_network_connect='' - - -setsebool -P cobbler_can_network_connect $var_cobbler_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_can_network_connect # promote to variable set_fact: var_cobbler_can_network_connect: !!str 
@@ -224862,6 +224850,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_can_network_connect='' + + +setsebool -P cobbler_can_network_connect $var_cobbler_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224879,18 +224879,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P cobbler_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_use_cifs='' - - -setsebool -P cobbler_use_cifs $var_cobbler_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_use_cifs # promote to variable set_fact: var_cobbler_use_cifs: !!str @@ -224927,6 +224915,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_use_cifs='' + + +setsebool -P cobbler_use_cifs $var_cobbler_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224944,18 +224944,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P cobbler_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_use_nfs='' - - -setsebool -P cobbler_use_nfs $var_cobbler_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_use_nfs # promote to variable set_fact: var_cobbler_use_nfs: !!str @@ -224992,6 +224980,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_use_nfs='' + + +setsebool -P cobbler_use_nfs $var_cobbler_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225009,18 +225009,6 @@ If this setting is enabled, it should be disabled. To disable the collectd_tcp_network_connect SELinux boolean, run the following command: $ sudo setsebool -P collectd_tcp_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_collectd_tcp_network_connect='' - - -setsebool -P collectd_tcp_network_connect $var_collectd_tcp_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_collectd_tcp_network_connect # promote to variable set_fact: var_collectd_tcp_network_connect: !!str 
@@ -225057,6 +225045,18 @@ fi - medium_severity - no_reboot_needed - sebool_collectd_tcp_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_collectd_tcp_network_connect='' + + +setsebool -P collectd_tcp_network_connect $var_collectd_tcp_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225074,18 +225074,6 @@ If this setting is enabled, it should be disabled. To disable the condor_tcp_network_connect SELinux boolean, run the following command: $ sudo setsebool -P condor_tcp_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_condor_tcp_network_connect='' - - -setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_condor_tcp_network_connect # promote to variable set_fact: var_condor_tcp_network_connect: !!str @@ -225122,6 +225110,18 @@ fi - medium_severity - no_reboot_needed - sebool_condor_tcp_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_condor_tcp_network_connect='' + + +setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225139,18 +225139,6 @@ If this setting is enabled, it should be disabled. To disable the conman_can_network SELinux boolean, run the following command: $ sudo setsebool -P conman_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_conman_can_network='' - - -setsebool -P conman_can_network $var_conman_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_conman_can_network # promote to variable set_fact: var_conman_can_network: !!str @@ -225187,6 +225175,18 @@ fi - medium_severity - no_reboot_needed - sebool_conman_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_conman_can_network='' + + +setsebool -P conman_can_network $var_conman_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225204,18 +225204,6 @@ If this setting is enabled, it should be disabled. To disable the container_connect_any SELinux boolean, run the following command: $ sudo setsebool -P container_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_container_connect_any='' - - -setsebool -P container_connect_any $var_container_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_container_connect_any # promote to variable set_fact: var_container_connect_any: !!str 
@@ -225252,6 +225240,18 @@ fi - medium_severity - no_reboot_needed - sebool_container_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_container_connect_any='' + + +setsebool -P container_connect_any $var_container_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225269,18 +225269,6 @@ If this setting is enabled, it should be disabled. To disable the cron_can_relabel SELinux boolean, run the following command: $ sudo setsebool -P cron_can_relabel off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cron_can_relabel='' - - -setsebool -P cron_can_relabel $var_cron_can_relabel - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cron_can_relabel # promote to variable set_fact: var_cron_can_relabel: !!str @@ -225317,6 +225305,18 @@ fi - medium_severity - no_reboot_needed - sebool_cron_can_relabel + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cron_can_relabel='' + + +setsebool -P cron_can_relabel $var_cron_can_relabel + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225334,18 +225334,6 @@ If this setting is enabled, it should be disabled. To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command: $ sudo setsebool -P cron_system_cronjob_use_shares off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cron_system_cronjob_use_shares='' - - -setsebool -P cron_system_cronjob_use_shares $var_cron_system_cronjob_use_shares - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cron_system_cronjob_use_shares # promote to variable set_fact: var_cron_system_cronjob_use_shares: !!str @@ -225382,6 +225370,18 @@ fi - medium_severity - no_reboot_needed - sebool_cron_system_cronjob_use_shares + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cron_system_cronjob_use_shares='' + + +setsebool -P cron_system_cronjob_use_shares $var_cron_system_cronjob_use_shares + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225400,18 +225400,6 @@ associated user domain(s) instead of the general cronjob domain. To enable the cron_userdomain_transition SELinux boolean, run the following command: $ sudo setsebool -P cron_userdomain_transition on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cron_userdomain_transition='' - - -setsebool -P cron_userdomain_transition $var_cron_userdomain_transition - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cron_userdomain_transition # promote to variable set_fact: var_cron_userdomain_transition: !!str 
@@ -225448,6 +225436,18 @@ fi - medium_severity - no_reboot_needed - sebool_cron_userdomain_transition + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cron_userdomain_transition='' + + +setsebool -P cron_userdomain_transition $var_cron_userdomain_transition + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225467,18 +225467,6 @@ To disable the cups_execmem SELinux boolean, run the foll BP28(R67) CCE-83306-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cups_execmem='' - - -setsebool -P cups_execmem $var_cups_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cups_execmem # promote to variable set_fact: var_cups_execmem: !!str @@ -225517,6 +225505,18 @@ fi - medium_severity - no_reboot_needed - sebool_cups_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cups_execmem='' + + +setsebool -P cups_execmem $var_cups_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225534,18 +225534,6 @@ If this setting is enabled, it should be disabled. To disable the cvs_read_shadow SELinux boolean, run the following command: $ sudo setsebool -P cvs_read_shadow off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cvs_read_shadow='' - - -setsebool -P cvs_read_shadow $var_cvs_read_shadow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cvs_read_shadow # promote to variable set_fact: var_cvs_read_shadow: !!str @@ -225582,6 +225570,18 @@ fi - medium_severity - no_reboot_needed - sebool_cvs_read_shadow + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cvs_read_shadow='' + + +setsebool -P cvs_read_shadow $var_cvs_read_shadow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225599,18 +225599,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_dump_core SELinux boolean, run the following command: $ sudo setsebool -P daemons_dump_core off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_dump_core='' - - -setsebool -P daemons_dump_core $var_daemons_dump_core - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_dump_core # promote to variable set_fact: var_daemons_dump_core: !!str 
@@ -225647,6 +225635,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_dump_core + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_dump_core='' + + +setsebool -P daemons_dump_core $var_daemons_dump_core + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225664,18 +225664,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_enable_cluster_mode SELinux boolean, run the following command: $ sudo setsebool -P daemons_enable_cluster_mode off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_enable_cluster_mode='' - - -setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_enable_cluster_mode # promote to variable set_fact: var_daemons_enable_cluster_mode: !!str @@ -225712,6 +225700,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_enable_cluster_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_enable_cluster_mode='' + + +setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225729,18 +225729,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command: $ sudo setsebool -P daemons_use_tcp_wrapper off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_use_tcp_wrapper='' - - -setsebool -P daemons_use_tcp_wrapper $var_daemons_use_tcp_wrapper - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_use_tcp_wrapper # promote to variable set_fact: var_daemons_use_tcp_wrapper: !!str @@ -225777,6 +225765,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_use_tcp_wrapper + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_use_tcp_wrapper='' + + +setsebool -P daemons_use_tcp_wrapper $var_daemons_use_tcp_wrapper + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225794,18 +225794,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_use_tty SELinux boolean, run the following command: $ sudo setsebool -P daemons_use_tty off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_use_tty='' - - -setsebool -P daemons_use_tty $var_daemons_use_tty - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_use_tty # promote to variable set_fact: var_daemons_use_tty: !!str 
@@ -225842,6 +225830,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_use_tty + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_use_tty='' + + +setsebool -P daemons_use_tty $var_daemons_use_tty + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225859,18 +225859,6 @@ If this setting is disabled, it should be enabled. To enable the dbadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P dbadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dbadm_exec_content='' - - -setsebool -P dbadm_exec_content $var_dbadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dbadm_exec_content # promote to variable set_fact: var_dbadm_exec_content: !!str @@ -225907,6 +225895,18 @@ fi - medium_severity - no_reboot_needed - sebool_dbadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dbadm_exec_content='' + + +setsebool -P dbadm_exec_content $var_dbadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225924,18 +225924,6 @@ If this setting is enabled, it should be disabled. To disable the dbadm_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P dbadm_manage_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dbadm_manage_user_files='' - - -setsebool -P dbadm_manage_user_files $var_dbadm_manage_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dbadm_manage_user_files # promote to variable set_fact: var_dbadm_manage_user_files: !!str @@ -225972,6 +225960,18 @@ fi - medium_severity - no_reboot_needed - sebool_dbadm_manage_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dbadm_manage_user_files='' + + +setsebool -P dbadm_manage_user_files $var_dbadm_manage_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225989,18 +225989,6 @@ If this setting is enabled, it should be disabled. To disable the dbadm_read_user_files SELinux boolean, run the following command: $ sudo setsebool -P dbadm_read_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dbadm_read_user_files='' - - -setsebool -P dbadm_read_user_files $var_dbadm_read_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dbadm_read_user_files # promote to variable set_fact: var_dbadm_read_user_files: !!str 
@@ -226037,6 +226025,18 @@ fi - medium_severity - no_reboot_needed - sebool_dbadm_read_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dbadm_read_user_files='' + + +setsebool -P dbadm_read_user_files $var_dbadm_read_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226077,18 +226077,6 @@ If this setting is enabled, it should be disabled. To disable the deny_ptrace SELinux boolean, run the following command: $ sudo setsebool -P deny_ptrace off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_deny_ptrace='' - - -setsebool -P deny_ptrace $var_deny_ptrace - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_deny_ptrace # promote to variable set_fact: var_deny_ptrace: !!str @@ -226125,6 +226113,18 @@ fi - medium_severity - no_reboot_needed - sebool_deny_ptrace + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_deny_ptrace='' + + +setsebool -P deny_ptrace $var_deny_ptrace + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226142,18 +226142,6 @@ If this setting is enabled, it should be disabled. To disable the dhcpc_exec_iptables SELinux boolean, run the following command: $ sudo setsebool -P dhcpc_exec_iptables off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dhcpc_exec_iptables='' - - -setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dhcpc_exec_iptables # promote to variable set_fact: var_dhcpc_exec_iptables: !!str @@ -226190,6 +226178,18 @@ fi - medium_severity - no_reboot_needed - sebool_dhcpc_exec_iptables + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dhcpc_exec_iptables='' + + +setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226207,18 +226207,6 @@ If this setting is enabled, it should be disabled. To disable the dhcpd_use_ldap SELinux boolean, run the following command: $ sudo setsebool -P dhcpd_use_ldap off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dhcpd_use_ldap='' - - -setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dhcpd_use_ldap # promote to variable set_fact: var_dhcpd_use_ldap: !!str 
@@ -226255,6 +226243,18 @@ fi - medium_severity - no_reboot_needed - sebool_dhcpd_use_ldap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dhcpd_use_ldap='' + + +setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226272,18 +226272,6 @@ If this setting is disabled, it should be enabled. To enable the domain_fd_use SELinux boolean, run the following command: $ sudo setsebool -P domain_fd_use on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_domain_fd_use='' - - -setsebool -P domain_fd_use $var_domain_fd_use - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_domain_fd_use # promote to variable set_fact: var_domain_fd_use: !!str @@ -226320,6 +226308,18 @@ fi - medium_severity - no_reboot_needed - sebool_domain_fd_use + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_domain_fd_use='' + + +setsebool -P domain_fd_use $var_domain_fd_use + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226337,18 +226337,6 @@ If this setting is enabled, it should be disabled. To disable the domain_kernel_load_modules SELinux boolean, run the following command: $ sudo setsebool -P domain_kernel_load_modules off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_domain_kernel_load_modules='' - - -setsebool -P domain_kernel_load_modules $var_domain_kernel_load_modules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_domain_kernel_load_modules # promote to variable set_fact: var_domain_kernel_load_modules: !!str @@ -226385,6 +226373,18 @@ fi - medium_severity - no_reboot_needed - sebool_domain_kernel_load_modules + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_domain_kernel_load_modules='' + + +setsebool -P domain_kernel_load_modules $var_domain_kernel_load_modules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226402,18 +226402,6 @@ This setting should be disabled as it uses audit input to generate entropy. To disable the entropyd_use_audio SELinux boolean, run the following command: $ sudo setsebool -P entropyd_use_audio off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_entropyd_use_audio='' - - -setsebool -P entropyd_use_audio $var_entropyd_use_audio - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_entropyd_use_audio # promote to variable set_fact: var_entropyd_use_audio: !!str 
@@ -226450,6 +226438,18 @@ fi - medium_severity - no_reboot_needed - sebool_entropyd_use_audio + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_entropyd_use_audio='' + + +setsebool -P entropyd_use_audio $var_entropyd_use_audio + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226467,18 +226467,6 @@ If this setting is enabled, it should be disabled. To disable the exim_can_connect_db SELinux boolean, run the following command: $ sudo setsebool -P exim_can_connect_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_exim_can_connect_db='' - - -setsebool -P exim_can_connect_db $var_exim_can_connect_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_exim_can_connect_db # promote to variable set_fact: var_exim_can_connect_db: !!str @@ -226515,6 +226503,18 @@ fi - medium_severity - no_reboot_needed - sebool_exim_can_connect_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_exim_can_connect_db='' + + +setsebool -P exim_can_connect_db $var_exim_can_connect_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226532,18 +226532,6 @@ If this setting is enabled, it should be disabled. To disable the exim_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P exim_manage_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_exim_manage_user_files='' - - -setsebool -P exim_manage_user_files $var_exim_manage_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_exim_manage_user_files # promote to variable set_fact: var_exim_manage_user_files: !!str @@ -226580,6 +226568,18 @@ fi - medium_severity - no_reboot_needed - sebool_exim_manage_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_exim_manage_user_files='' + + +setsebool -P exim_manage_user_files $var_exim_manage_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226597,18 +226597,6 @@ If this setting is enabled, it should be disabled. To disable the exim_read_user_files SELinux boolean, run the following command: $ sudo setsebool -P exim_read_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_exim_read_user_files='' - - -setsebool -P exim_read_user_files $var_exim_read_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_exim_read_user_files # promote to variable set_fact: var_exim_read_user_files: !!str 
@@ -226645,6 +226633,18 @@ fi - medium_severity - no_reboot_needed - sebool_exim_read_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_exim_read_user_files='' + + +setsebool -P exim_read_user_files $var_exim_read_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226662,18 +226662,6 @@ If this setting is enabled, it should be disabled. To disable the fcron_crond SELinux boolean, run the following command: $ sudo setsebool -P fcron_crond off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fcron_crond='' - - -setsebool -P fcron_crond $var_fcron_crond - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fcron_crond # promote to variable set_fact: var_fcron_crond: !!str @@ -226710,6 +226698,18 @@ fi - medium_severity - no_reboot_needed - sebool_fcron_crond + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fcron_crond='' + + +setsebool -P fcron_crond $var_fcron_crond + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226727,18 +226727,6 @@ If this setting is enabled, it should be disabled. To disable the fenced_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P fenced_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fenced_can_network_connect='' - - -setsebool -P fenced_can_network_connect $var_fenced_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fenced_can_network_connect # promote to variable set_fact: var_fenced_can_network_connect: !!str @@ -226775,6 +226763,18 @@ fi - medium_severity - no_reboot_needed - sebool_fenced_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fenced_can_network_connect='' + + +setsebool -P fenced_can_network_connect $var_fenced_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226792,18 +226792,6 @@ If this setting is enabled, it should be disabled. To disable the fenced_can_ssh SELinux boolean, run the following command: $ sudo setsebool -P fenced_can_ssh off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fenced_can_ssh='' - - -setsebool -P fenced_can_ssh $var_fenced_can_ssh - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fenced_can_ssh # promote to variable set_fact: var_fenced_can_ssh: !!str 
@@ -226840,6 +226828,18 @@ fi - medium_severity - no_reboot_needed - sebool_fenced_can_ssh + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fenced_can_ssh='' + + +setsebool -P fenced_can_ssh $var_fenced_can_ssh + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226895,18 +226895,6 @@ To enable the fips_mode SELinux boolean, run the followin SC-12 PR.DS-5 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fips_mode='' - - -setsebool -P fips_mode $var_fips_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fips_mode # promote to variable set_fact: var_fips_mode: !!str @@ -226957,6 +226945,18 @@ fi - medium_severity - no_reboot_needed - sebool_fips_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fips_mode='' + + +setsebool -P fips_mode $var_fips_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226974,18 +226974,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P ftpd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_anon_write='' - - -setsebool -P ftpd_anon_write $var_ftpd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_anon_write # promote to variable set_fact: var_ftpd_anon_write: !!str 
@@ -227022,6 +227010,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_anon_write='' + + +setsebool -P ftpd_anon_write $var_ftpd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227039,18 +227039,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_connect_all_unreserved SELinux boolean, run the following command: $ sudo setsebool -P ftpd_connect_all_unreserved off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_connect_all_unreserved='' - - -setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_connect_all_unreserved # promote to variable set_fact: var_ftpd_connect_all_unreserved: !!str @@ -227087,6 +227075,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_connect_all_unreserved + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_connect_all_unreserved='' + + +setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227104,18 +227104,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_connect_db SELinux boolean, run the following command: $ sudo setsebool -P ftpd_connect_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_connect_db='' - - -setsebool -P ftpd_connect_db $var_ftpd_connect_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_connect_db # promote to variable set_fact: var_ftpd_connect_db: !!str @@ -227152,6 +227140,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_connect_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_connect_db='' + + +setsebool -P ftpd_connect_db $var_ftpd_connect_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227169,18 +227169,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_full_access SELinux boolean, run the following command: $ sudo setsebool -P ftpd_full_access off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_full_access='' - - -setsebool -P ftpd_full_access $var_ftpd_full_access - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_full_access # promote to variable set_fact: var_ftpd_full_access: !!str 
@@ -227217,6 +227205,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_full_access + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_full_access='' + + +setsebool -P ftpd_full_access $var_ftpd_full_access + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227234,18 +227234,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_cifs='' - - -setsebool -P ftpd_use_cifs $var_ftpd_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_cifs # promote to variable set_fact: var_ftpd_use_cifs: !!str @@ -227282,6 +227270,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_cifs='' + + +setsebool -P ftpd_use_cifs $var_ftpd_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227299,18 +227299,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_fusefs='' - - -setsebool -P ftpd_use_fusefs $var_ftpd_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_fusefs # promote to variable set_fact: var_ftpd_use_fusefs: !!str @@ -227347,6 +227335,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_fusefs='' + + +setsebool -P ftpd_use_fusefs $var_ftpd_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227364,18 +227364,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_nfs='' - - -setsebool -P ftpd_use_nfs $var_ftpd_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_nfs # promote to variable set_fact: var_ftpd_use_nfs: !!str 
@@ -227412,6 +227400,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_nfs='' + + +setsebool -P ftpd_use_nfs $var_ftpd_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227429,18 +227429,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_passive_mode SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_passive_mode off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_passive_mode='' - - -setsebool -P ftpd_use_passive_mode $var_ftpd_use_passive_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_passive_mode # promote to variable set_fact: var_ftpd_use_passive_mode: !!str @@ -227477,6 +227465,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_passive_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_passive_mode='' + + +setsebool -P ftpd_use_passive_mode $var_ftpd_use_passive_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227494,18 +227494,6 @@ If this setting is enabled, it should be disabled. To disable the git_cgi_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P git_cgi_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_cgi_enable_homedirs='' - - -setsebool -P git_cgi_enable_homedirs $var_git_cgi_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_cgi_enable_homedirs # promote to variable set_fact: var_git_cgi_enable_homedirs: !!str @@ -227542,6 +227530,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_cgi_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_cgi_enable_homedirs='' + + +setsebool -P git_cgi_enable_homedirs $var_git_cgi_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227559,18 +227559,6 @@ If this setting is enabled, it should be disabled. To disable the git_cgi_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P git_cgi_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_cgi_use_cifs='' - - -setsebool -P git_cgi_use_cifs $var_git_cgi_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_cgi_use_cifs # promote to variable set_fact: var_git_cgi_use_cifs: !!str 
@@ -227607,6 +227595,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_cgi_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_cgi_use_cifs='' + + +setsebool -P git_cgi_use_cifs $var_git_cgi_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227624,18 +227624,6 @@ If this setting is enabled, it should be disabled. To disable the git_cgi_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P git_cgi_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_cgi_use_nfs='' - - -setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_cgi_use_nfs # promote to variable set_fact: var_git_cgi_use_nfs: !!str @@ -227672,6 +227660,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_cgi_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_cgi_use_nfs='' + + +setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227689,18 +227689,6 @@ If this setting is enabled, it should be disabled. To disable the git_session_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P git_session_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_session_bind_all_unreserved_ports='' - - -setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_session_bind_all_unreserved_ports # promote to variable set_fact: var_git_session_bind_all_unreserved_ports: !!str @@ -227737,6 +227725,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_session_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_session_bind_all_unreserved_ports='' + + +setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227754,18 +227754,6 @@ If this setting is enabled, it should be disabled. To disable the git_session_users SELinux boolean, run the following command: $ sudo setsebool -P git_session_users off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_session_users='' - - -setsebool -P git_session_users $var_git_session_users - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_session_users # promote to variable set_fact: var_git_session_users: !!str 
@@ -227802,6 +227790,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_session_users + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_session_users='' + + +setsebool -P git_session_users $var_git_session_users + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227819,18 +227819,6 @@ If this setting is enabled, it should be disabled. To disable the git_system_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P git_system_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_system_enable_homedirs='' - - -setsebool -P git_system_enable_homedirs $var_git_system_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_system_enable_homedirs # promote to variable set_fact: var_git_system_enable_homedirs: !!str @@ -227867,6 +227855,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_system_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_system_enable_homedirs='' + + +setsebool -P git_system_enable_homedirs $var_git_system_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227884,18 +227884,6 @@ If this setting is enabled, it should be disabled. To disable the git_system_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P git_system_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_system_use_cifs='' - - -setsebool -P git_system_use_cifs $var_git_system_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_system_use_cifs # promote to variable set_fact: var_git_system_use_cifs: !!str @@ -227932,6 +227920,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_system_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_system_use_cifs='' + + +setsebool -P git_system_use_cifs $var_git_system_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227949,18 +227949,6 @@ If this setting is enabled, it should be disabled. To disable the git_system_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P git_system_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_system_use_nfs='' - - -setsebool -P git_system_use_nfs $var_git_system_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_system_use_nfs # promote to variable set_fact: var_git_system_use_nfs: !!str 
@@ -227997,6 +227985,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_system_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_system_use_nfs='' + + +setsebool -P git_system_use_nfs $var_git_system_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228014,18 +228014,6 @@ If this setting is enabled, it should be disabled. To disable the gitosis_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P gitosis_can_sendmail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gitosis_can_sendmail='' - - -setsebool -P gitosis_can_sendmail $var_gitosis_can_sendmail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gitosis_can_sendmail # promote to variable set_fact: var_gitosis_can_sendmail: !!str @@ -228062,6 +228050,18 @@ fi - medium_severity - no_reboot_needed - sebool_gitosis_can_sendmail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gitosis_can_sendmail='' + + +setsebool -P gitosis_can_sendmail $var_gitosis_can_sendmail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228079,18 +228079,6 @@ If this setting is enabled, it should be disabled. To disable the glance_api_can_network SELinux boolean, run the following command: $ sudo setsebool -P glance_api_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_glance_api_can_network='' - - -setsebool -P glance_api_can_network $var_glance_api_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_glance_api_can_network # promote to variable set_fact: var_glance_api_can_network: !!str @@ -228127,6 +228115,18 @@ fi - medium_severity - no_reboot_needed - sebool_glance_api_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_glance_api_can_network='' + + +setsebool -P glance_api_can_network $var_glance_api_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228146,18 +228146,6 @@ To disable the glance_use_execmem SELinux boolean, run th BP28(R67) CCE-83308-7 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_glance_use_execmem='' - - -setsebool -P glance_use_execmem $var_glance_use_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_glance_use_execmem # promote to variable set_fact: var_glance_use_execmem: !!str 
@@ -228196,6 +228184,18 @@ fi - medium_severity - no_reboot_needed - sebool_glance_use_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_glance_use_execmem='' + + +setsebool -P glance_use_execmem $var_glance_use_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228213,18 +228213,6 @@ If this setting is enabled, it should be disabled. To disable the glance_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P glance_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_glance_use_fusefs='' - - -setsebool -P glance_use_fusefs $var_glance_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_glance_use_fusefs # promote to variable set_fact: var_glance_use_fusefs: !!str @@ -228261,6 +228249,18 @@ fi - medium_severity - no_reboot_needed - sebool_glance_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_glance_use_fusefs='' + + +setsebool -P glance_use_fusefs $var_glance_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228278,18 +228278,6 @@ If this setting is enabled, it should be disabled. To disable the global_ssp SELinux boolean, run the following command: $ sudo setsebool -P global_ssp off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_global_ssp='' - - -setsebool -P global_ssp $var_global_ssp - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_global_ssp # promote to variable set_fact: var_global_ssp: !!str @@ -228326,6 +228314,18 @@ fi - medium_severity - no_reboot_needed - sebool_global_ssp + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_global_ssp='' + + +setsebool -P global_ssp $var_global_ssp + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228343,18 +228343,6 @@ If this setting is enabled, it should be disabled. To disable the gluster_anon_write SELinux boolean, run the following command: $ sudo setsebool -P gluster_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gluster_anon_write='' - - -setsebool -P gluster_anon_write $var_gluster_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gluster_anon_write # promote to variable set_fact: var_gluster_anon_write: !!str 
@@ -228391,6 +228379,18 @@ fi - medium_severity - no_reboot_needed - sebool_gluster_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gluster_anon_write='' + + +setsebool -P gluster_anon_write $var_gluster_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228408,18 +228408,6 @@ If this setting is enabled, it should be disabled. To disable the gluster_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P gluster_export_all_ro off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gluster_export_all_ro='' - - -setsebool -P gluster_export_all_ro $var_gluster_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gluster_export_all_ro # promote to variable set_fact: var_gluster_export_all_ro: !!str @@ -228456,6 +228444,18 @@ fi - medium_severity - no_reboot_needed - sebool_gluster_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gluster_export_all_ro='' + + +setsebool -P gluster_export_all_ro $var_gluster_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228474,18 +228474,6 @@ disable it. To disable the gluster_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P gluster_export_all_rw off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gluster_export_all_rw='' - - -setsebool -P gluster_export_all_rw $var_gluster_export_all_rw - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gluster_export_all_rw # promote to variable set_fact: var_gluster_export_all_rw: !!str @@ -228522,6 +228510,18 @@ fi - medium_severity - no_reboot_needed - sebool_gluster_export_all_rw + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gluster_export_all_rw='' + + +setsebool -P gluster_export_all_rw $var_gluster_export_all_rw + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228539,18 +228539,6 @@ If this setting is enabled, it should be disabled. To disable the gpg_web_anon_write SELinux boolean, run the following command: $ sudo setsebool -P gpg_web_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gpg_web_anon_write='' - - -setsebool -P gpg_web_anon_write $var_gpg_web_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gpg_web_anon_write # promote to variable set_fact: var_gpg_web_anon_write: !!str 
@@ -228587,6 +228575,18 @@ fi - medium_severity - no_reboot_needed - sebool_gpg_web_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gpg_web_anon_write='' + + +setsebool -P gpg_web_anon_write $var_gpg_web_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228606,18 +228606,6 @@ be enabled. To enable the gssd_read_tmp SELinux boolean, run the following command: $ sudo setsebool -P gssd_read_tmp on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gssd_read_tmp='' - - -setsebool -P gssd_read_tmp $var_gssd_read_tmp - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gssd_read_tmp # promote to variable set_fact: var_gssd_read_tmp: !!str @@ -228654,6 +228642,18 @@ fi - medium_severity - no_reboot_needed - sebool_gssd_read_tmp + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gssd_read_tmp='' + + +setsebool -P gssd_read_tmp $var_gssd_read_tmp + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228671,18 +228671,6 @@ This setting should be disabled as no guest accounts should be used. To disable the guest_exec_content SELinux boolean, run the following command: $ sudo setsebool -P guest_exec_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_guest_exec_content='' - - -setsebool -P guest_exec_content $var_guest_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_guest_exec_content # promote to variable set_fact: var_guest_exec_content: !!str @@ -228719,6 +228707,18 @@ fi - medium_severity - no_reboot_needed - sebool_guest_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_guest_exec_content='' + + +setsebool -P guest_exec_content $var_guest_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228736,18 +228736,6 @@ If this setting is enabled, it should be disabled. To disable the haproxy_connect_any SELinux boolean, run the following command: $ sudo setsebool -P haproxy_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_haproxy_connect_any='' - - -setsebool -P haproxy_connect_any $var_haproxy_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_haproxy_connect_any # promote to variable set_fact: var_haproxy_connect_any: !!str 
@@ -228784,6 +228772,18 @@ fi - medium_severity - no_reboot_needed - sebool_haproxy_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_haproxy_connect_any='' + + +setsebool -P haproxy_connect_any $var_haproxy_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228801,18 +228801,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P httpd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_anon_write='' - - -setsebool -P httpd_anon_write $var_httpd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_anon_write # promote to variable set_fact: var_httpd_anon_write: !!str @@ -228849,6 +228837,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_anon_write='' + + +setsebool -P httpd_anon_write $var_httpd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228867,18 +228867,6 @@ or some similary scripting language. To disable the httpd_builtin_scripting SELinux boolean, run the following command: $ sudo setsebool -P httpd_builtin_scripting off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_builtin_scripting='' - - -setsebool -P httpd_builtin_scripting $var_httpd_builtin_scripting - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_builtin_scripting # promote to variable set_fact: var_httpd_builtin_scripting: !!str @@ -228915,6 +228903,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_builtin_scripting + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_builtin_scripting='' + + +setsebool -P httpd_builtin_scripting $var_httpd_builtin_scripting + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228932,18 +228932,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_check_spam SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_check_spam off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_check_spam='' - - -setsebool -P httpd_can_check_spam $var_httpd_can_check_spam - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_check_spam # promote to variable set_fact: var_httpd_can_check_spam: !!str 
@@ -228980,6 +228968,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_check_spam + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_check_spam='' + + +setsebool -P httpd_can_check_spam $var_httpd_can_check_spam + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228997,18 +228997,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ftp SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_ftp off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_ftp='' - - -setsebool -P httpd_can_connect_ftp $var_httpd_can_connect_ftp - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_ftp # promote to variable set_fact: var_httpd_can_connect_ftp: !!str @@ -229045,6 +229033,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_ftp + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_ftp='' + + +setsebool -P httpd_can_connect_ftp $var_httpd_can_connect_ftp + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229062,18 +229062,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ldap SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_ldap off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_ldap='' - - -setsebool -P httpd_can_connect_ldap $var_httpd_can_connect_ldap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_ldap # promote to variable set_fact: var_httpd_can_connect_ldap: !!str @@ -229110,6 +229098,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_ldap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_ldap='' + + +setsebool -P httpd_can_connect_ldap $var_httpd_can_connect_ldap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229127,18 +229127,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_mythtv SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_mythtv off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_mythtv='' - - -setsebool -P httpd_can_connect_mythtv $var_httpd_can_connect_mythtv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_mythtv # promote to variable set_fact: var_httpd_can_connect_mythtv: !!str 
@@ -229175,6 +229163,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_mythtv + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_mythtv='' + + +setsebool -P httpd_can_connect_mythtv $var_httpd_can_connect_mythtv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229192,18 +229192,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_zabbix SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_zabbix off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_zabbix='' - - -setsebool -P httpd_can_connect_zabbix $var_httpd_can_connect_zabbix - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_zabbix # promote to variable set_fact: var_httpd_can_connect_zabbix: !!str @@ -229240,6 +229228,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_zabbix + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_zabbix='' + + +setsebool -P httpd_can_connect_zabbix $var_httpd_can_connect_zabbix + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229257,18 +229257,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_connect='' - - -setsebool -P httpd_can_network_connect $var_httpd_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_connect # promote to variable set_fact: var_httpd_can_network_connect: !!str @@ -229305,6 +229293,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_connect='' + + +setsebool -P httpd_can_network_connect $var_httpd_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229322,18 +229322,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_connect_cobbler off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_connect_cobbler='' - - -setsebool -P httpd_can_network_connect_cobbler $var_httpd_can_network_connect_cobbler - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_connect_cobbler # promote to variable set_fact: var_httpd_can_network_connect_cobbler: !!str 
@@ -229370,6 +229358,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_connect_cobbler + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_connect_cobbler='' + + +setsebool -P httpd_can_network_connect_cobbler $var_httpd_can_network_connect_cobbler + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229387,18 +229387,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_db SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_connect_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_connect_db='' - - -setsebool -P httpd_can_network_connect_db $var_httpd_can_network_connect_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_connect_db # promote to variable set_fact: var_httpd_can_network_connect_db: !!str @@ -229435,6 +229423,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_connect_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_connect_db='' + + +setsebool -P httpd_can_network_connect_db $var_httpd_can_network_connect_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229452,18 +229452,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_memcache SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_memcache off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_memcache='' - - -setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_memcache # promote to variable set_fact: var_httpd_can_network_memcache: !!str @@ -229500,6 +229488,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_memcache + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_memcache='' + + +setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229517,18 +229517,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_relay SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_relay off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_relay='' - - -setsebool -P httpd_can_network_relay $var_httpd_can_network_relay - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_relay # promote to variable set_fact: var_httpd_can_network_relay: !!str 
@@ -229565,6 +229553,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_relay + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_relay='' + + +setsebool -P httpd_can_network_relay $var_httpd_can_network_relay + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229582,18 +229582,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_sendmail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_sendmail='' - - -setsebool -P httpd_can_sendmail $var_httpd_can_sendmail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_sendmail # promote to variable set_fact: var_httpd_can_sendmail: !!str @@ -229630,6 +229618,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_sendmail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_sendmail='' + + +setsebool -P httpd_can_sendmail $var_httpd_can_sendmail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229647,18 +229647,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_dbus_avahi SELinux boolean, run the following command: $ sudo setsebool -P httpd_dbus_avahi off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_dbus_avahi='' - - -setsebool -P httpd_dbus_avahi $var_httpd_dbus_avahi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_dbus_avahi # promote to variable set_fact: var_httpd_dbus_avahi: !!str @@ -229695,6 +229683,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_dbus_avahi + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_dbus_avahi='' + + +setsebool -P httpd_dbus_avahi $var_httpd_dbus_avahi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229712,18 +229712,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_dbus_sssd SELinux boolean, run the following command: $ sudo setsebool -P httpd_dbus_sssd off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_dbus_sssd='' - - -setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_dbus_sssd # promote to variable set_fact: var_httpd_dbus_sssd: !!str 
@@ -229760,6 +229748,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_dbus_sssd + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_dbus_sssd='' + + +setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229777,18 +229777,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command: $ sudo setsebool -P httpd_dontaudit_search_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_dontaudit_search_dirs='' - - -setsebool -P httpd_dontaudit_search_dirs $var_httpd_dontaudit_search_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_dontaudit_search_dirs # promote to variable set_fact: var_httpd_dontaudit_search_dirs: !!str @@ -229825,6 +229813,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_dontaudit_search_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_dontaudit_search_dirs='' + + +setsebool -P httpd_dontaudit_search_dirs $var_httpd_dontaudit_search_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229843,18 +229843,6 @@ scripting. To disable the httpd_enable_cgi SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_cgi off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_enable_cgi='' - - -setsebool -P httpd_enable_cgi $var_httpd_enable_cgi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_enable_cgi # promote to variable set_fact: var_httpd_enable_cgi: !!str @@ -229891,6 +229879,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_enable_cgi + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_enable_cgi='' + + +setsebool -P httpd_enable_cgi $var_httpd_enable_cgi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229908,18 +229908,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_enable_ftp_server SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_ftp_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_enable_ftp_server='' - - -setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_enable_ftp_server # promote to variable set_fact: var_httpd_enable_ftp_server: !!str 
@@ -229956,6 +229944,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_enable_ftp_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_enable_ftp_server='' + + +setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229973,18 +229973,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_enable_homedirs='' - - -setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_enable_homedirs # promote to variable set_fact: var_httpd_enable_homedirs: !!str @@ -230021,6 +230009,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_enable_homedirs='' + + +setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230040,18 +230040,6 @@ To disable the httpd_execmem SELinux boolean, run the fol BP28(R67) CCE-83309-5 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_execmem='' - - -setsebool -P httpd_execmem $var_httpd_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_execmem # promote to variable set_fact: var_httpd_execmem: !!str @@ -230090,6 +230078,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_execmem='' + + +setsebool -P httpd_execmem $var_httpd_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230107,18 +230107,6 @@ If this setting is disabled, it should be enabled. To enable the httpd_graceful_shutdown SELinux boolean, run the following command: $ sudo setsebool -P httpd_graceful_shutdown on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_graceful_shutdown='' - - -setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_graceful_shutdown # promote to variable set_fact: var_httpd_graceful_shutdown: !!str 
@@ -230155,6 +230143,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_graceful_shutdown + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_graceful_shutdown='' + + +setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230172,18 +230172,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_manage_ipa SELinux boolean, run the following command: $ sudo setsebool -P httpd_manage_ipa off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_manage_ipa='' - - -setsebool -P httpd_manage_ipa $var_httpd_manage_ipa - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_manage_ipa # promote to variable set_fact: var_httpd_manage_ipa: !!str @@ -230220,6 +230208,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_manage_ipa + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_manage_ipa='' + + +setsebool -P httpd_manage_ipa $var_httpd_manage_ipa + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230237,18 +230237,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command: $ sudo setsebool -P httpd_mod_auth_ntlm_winbind off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_mod_auth_ntlm_winbind='' - - -setsebool -P httpd_mod_auth_ntlm_winbind $var_httpd_mod_auth_ntlm_winbind - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_mod_auth_ntlm_winbind # promote to variable set_fact: var_httpd_mod_auth_ntlm_winbind: !!str @@ -230285,6 +230273,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_mod_auth_ntlm_winbind + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_mod_auth_ntlm_winbind='' + + +setsebool -P httpd_mod_auth_ntlm_winbind $var_httpd_mod_auth_ntlm_winbind + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230302,18 +230302,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_pam SELinux boolean, run the following command: $ sudo setsebool -P httpd_mod_auth_pam off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_mod_auth_pam='' - - -setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_mod_auth_pam # promote to variable set_fact: var_httpd_mod_auth_pam: !!str 
@@ -230350,6 +230338,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_mod_auth_pam + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_mod_auth_pam='' + + +setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230367,18 +230367,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_read_user_content SELinux boolean, run the following command: $ sudo setsebool -P httpd_read_user_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_read_user_content='' - - -setsebool -P httpd_read_user_content $var_httpd_read_user_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_read_user_content # promote to variable set_fact: var_httpd_read_user_content: !!str @@ -230415,6 +230403,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_read_user_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_read_user_content='' + + +setsebool -P httpd_read_user_content $var_httpd_read_user_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230432,18 +230432,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_run_ipa SELinux boolean, run the following command: $ sudo setsebool -P httpd_run_ipa off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_run_ipa='' - - -setsebool -P httpd_run_ipa $var_httpd_run_ipa - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_run_ipa # promote to variable set_fact: var_httpd_run_ipa: !!str @@ -230480,6 +230468,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_run_ipa + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_run_ipa='' + + +setsebool -P httpd_run_ipa $var_httpd_run_ipa + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230497,18 +230497,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_run_preupgrade SELinux boolean, run the following command: $ sudo setsebool -P httpd_run_preupgrade off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_run_preupgrade='' - - -setsebool -P httpd_run_preupgrade $var_httpd_run_preupgrade - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_run_preupgrade # promote to variable set_fact: var_httpd_run_preupgrade: !!str 
@@ -230545,6 +230533,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_run_preupgrade + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_run_preupgrade='' + + +setsebool -P httpd_run_preupgrade $var_httpd_run_preupgrade + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230562,18 +230562,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_run_stickshift SELinux boolean, run the following command: $ sudo setsebool -P httpd_run_stickshift off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_run_stickshift='' - - -setsebool -P httpd_run_stickshift $var_httpd_run_stickshift - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_run_stickshift # promote to variable set_fact: var_httpd_run_stickshift: !!str @@ -230610,6 +230598,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_run_stickshift + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_run_stickshift='' + + +setsebool -P httpd_run_stickshift $var_httpd_run_stickshift + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230627,18 +230627,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_serve_cobbler_files SELinux boolean, run the following command: $ sudo setsebool -P httpd_serve_cobbler_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_serve_cobbler_files='' - - -setsebool -P httpd_serve_cobbler_files $var_httpd_serve_cobbler_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_serve_cobbler_files # promote to variable set_fact: var_httpd_serve_cobbler_files: !!str @@ -230675,6 +230663,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_serve_cobbler_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_serve_cobbler_files='' + + +setsebool -P httpd_serve_cobbler_files $var_httpd_serve_cobbler_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230692,18 +230692,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_setrlimit SELinux boolean, run the following command: $ sudo setsebool -P httpd_setrlimit off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_setrlimit='' - - -setsebool -P httpd_setrlimit $var_httpd_setrlimit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_setrlimit # promote to variable set_fact: var_httpd_setrlimit: !!str 
@@ -230740,6 +230728,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_setrlimit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_setrlimit='' + + +setsebool -P httpd_setrlimit $var_httpd_setrlimit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230757,18 +230757,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_ssi_exec SELinux boolean, run the following command: $ sudo setsebool -P httpd_ssi_exec off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_ssi_exec='' - - -setsebool -P httpd_ssi_exec $var_httpd_ssi_exec - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_ssi_exec # promote to variable set_fact: var_httpd_ssi_exec: !!str @@ -230805,6 +230793,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_ssi_exec + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_ssi_exec='' + + +setsebool -P httpd_ssi_exec $var_httpd_ssi_exec + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230822,18 +230822,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_sys_script_anon_write SELinux boolean, run the following command: $ sudo setsebool -P httpd_sys_script_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_sys_script_anon_write='' - - -setsebool -P httpd_sys_script_anon_write $var_httpd_sys_script_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_sys_script_anon_write # promote to variable set_fact: var_httpd_sys_script_anon_write: !!str @@ -230870,6 +230858,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_sys_script_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_sys_script_anon_write='' + + +setsebool -P httpd_sys_script_anon_write $var_httpd_sys_script_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230887,18 +230887,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_tmp_exec SELinux boolean, run the following command: $ sudo setsebool -P httpd_tmp_exec off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_tmp_exec='' - - -setsebool -P httpd_tmp_exec $var_httpd_tmp_exec - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_tmp_exec # promote to variable set_fact: var_httpd_tmp_exec: !!str 
@@ -230935,6 +230923,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_tmp_exec + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_tmp_exec='' + + +setsebool -P httpd_tmp_exec $var_httpd_tmp_exec + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230952,18 +230952,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_tty_comm SELinux boolean, run the following command: $ sudo setsebool -P httpd_tty_comm off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_tty_comm='' - - -setsebool -P httpd_tty_comm $var_httpd_tty_comm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_tty_comm # promote to variable set_fact: var_httpd_tty_comm: !!str @@ -231000,6 +230988,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_tty_comm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_tty_comm='' + + +setsebool -P httpd_tty_comm $var_httpd_tty_comm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231017,18 +231017,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_unified SELinux boolean, run the following command: $ sudo setsebool -P httpd_unified off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_unified='' - - -setsebool -P httpd_unified $var_httpd_unified - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_unified # promote to variable set_fact: var_httpd_unified: !!str @@ -231065,6 +231053,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_unified + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_unified='' + + +setsebool -P httpd_unified $var_httpd_unified + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231082,18 +231082,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_cifs='' - - -setsebool -P httpd_use_cifs $var_httpd_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_cifs # promote to variable set_fact: var_httpd_use_cifs: !!str 
@@ -231130,6 +231118,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_cifs='' + + +setsebool -P httpd_use_cifs $var_httpd_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231147,18 +231147,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_fusefs='' - - -setsebool -P httpd_use_fusefs $var_httpd_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_fusefs # promote to variable set_fact: var_httpd_use_fusefs: !!str @@ -231195,6 +231183,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_fusefs='' + + +setsebool -P httpd_use_fusefs $var_httpd_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231212,18 +231212,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_gpg SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_gpg off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_gpg='' - - -setsebool -P httpd_use_gpg $var_httpd_use_gpg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_gpg # promote to variable set_fact: var_httpd_use_gpg: !!str @@ -231260,6 +231248,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_gpg + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_gpg='' + + +setsebool -P httpd_use_gpg $var_httpd_use_gpg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231277,18 +231277,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_nfs='' - - -setsebool -P httpd_use_nfs $var_httpd_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_nfs # promote to variable set_fact: var_httpd_use_nfs: !!str 
@@ -231325,6 +231313,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_nfs='' + + +setsebool -P httpd_use_nfs $var_httpd_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231342,18 +231342,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_openstack SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_openstack off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_openstack='' - - -setsebool -P httpd_use_openstack $var_httpd_use_openstack - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_openstack # promote to variable set_fact: var_httpd_use_openstack: !!str @@ -231390,6 +231378,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_openstack + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_openstack='' + + +setsebool -P httpd_use_openstack $var_httpd_use_openstack + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231407,18 +231407,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_sasl SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_sasl off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_sasl='' - - -setsebool -P httpd_use_sasl $var_httpd_use_sasl - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_sasl # promote to variable set_fact: var_httpd_use_sasl: !!str @@ -231455,6 +231443,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_sasl + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_sasl='' + + +setsebool -P httpd_use_sasl $var_httpd_use_sasl + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231472,18 +231472,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_verify_dns SELinux boolean, run the following command: $ sudo setsebool -P httpd_verify_dns off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_verify_dns='' - - -setsebool -P httpd_verify_dns $var_httpd_verify_dns - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_verify_dns # promote to variable set_fact: var_httpd_verify_dns: !!str 
@@ -231520,6 +231508,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_verify_dns + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_verify_dns='' + + +setsebool -P httpd_verify_dns $var_httpd_verify_dns + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231537,18 +231537,6 @@ If this setting is enabled, it should be disabled. To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command: $ sudo setsebool -P icecast_use_any_tcp_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_icecast_use_any_tcp_ports='' - - -setsebool -P icecast_use_any_tcp_ports $var_icecast_use_any_tcp_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_icecast_use_any_tcp_ports # promote to variable set_fact: var_icecast_use_any_tcp_ports: !!str @@ -231585,6 +231573,18 @@ fi - medium_severity - no_reboot_needed - sebool_icecast_use_any_tcp_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_icecast_use_any_tcp_ports='' + + +setsebool -P icecast_use_any_tcp_ports $var_icecast_use_any_tcp_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231602,18 +231602,6 @@ If this setting is enabled, it should be disabled. To disable the irc_use_any_tcp_ports SELinux boolean, run the following command: $ sudo setsebool -P irc_use_any_tcp_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_irc_use_any_tcp_ports='' - - -setsebool -P irc_use_any_tcp_ports $var_irc_use_any_tcp_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_irc_use_any_tcp_ports # promote to variable set_fact: var_irc_use_any_tcp_ports: !!str @@ -231650,6 +231638,18 @@ fi - medium_severity - no_reboot_needed - sebool_irc_use_any_tcp_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_irc_use_any_tcp_ports='' + + +setsebool -P irc_use_any_tcp_ports $var_irc_use_any_tcp_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231667,18 +231667,6 @@ If this setting is enabled, it should be disabled. To disable the irssi_use_full_network SELinux boolean, run the following command: $ sudo setsebool -P irssi_use_full_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_irssi_use_full_network='' - - -setsebool -P irssi_use_full_network $var_irssi_use_full_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_irssi_use_full_network # promote to variable set_fact: var_irssi_use_full_network: !!str 
@@ -231715,6 +231703,18 @@ fi - medium_severity - no_reboot_needed - sebool_irssi_use_full_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_irssi_use_full_network='' + + +setsebool -P irssi_use_full_network $var_irssi_use_full_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231732,18 +231732,6 @@ If this setting is enabled, it should be disabled. To disable the kdumpgui_run_bootloader SELinux boolean, run the following command: $ sudo setsebool -P kdumpgui_run_bootloader off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_kdumpgui_run_bootloader='' - - -setsebool -P kdumpgui_run_bootloader $var_kdumpgui_run_bootloader - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_kdumpgui_run_bootloader # promote to variable set_fact: var_kdumpgui_run_bootloader: !!str @@ -231780,6 +231768,18 @@ fi - medium_severity - no_reboot_needed - sebool_kdumpgui_run_bootloader + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_kdumpgui_run_bootloader='' + + +setsebool -P kdumpgui_run_bootloader $var_kdumpgui_run_bootloader + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231802,18 +231802,6 @@ To enable the kerberos_enabled SELinux boolean, run the f 1402 CCE-84293-0 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_kerberos_enabled='' - - -setsebool -P kerberos_enabled $var_kerberos_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_kerberos_enabled # promote to variable set_fact: var_kerberos_enabled: !!str @@ -231852,6 +231840,18 @@ fi - medium_severity - no_reboot_needed - sebool_kerberos_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_kerberos_enabled='' + + +setsebool -P kerberos_enabled $var_kerberos_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231869,18 +231869,6 @@ If this setting is enabled, it should be disabled. To disable the ksmtuned_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P ksmtuned_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ksmtuned_use_cifs='' - - -setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ksmtuned_use_cifs # promote to variable set_fact: var_ksmtuned_use_cifs: !!str 
@@ -231917,6 +231905,18 @@ fi - medium_severity - no_reboot_needed - sebool_ksmtuned_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ksmtuned_use_cifs='' + + +setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231934,18 +231934,6 @@ If this setting is enabled, it should be disabled. To disable the ksmtuned_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P ksmtuned_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ksmtuned_use_nfs='' - - -setsebool -P ksmtuned_use_nfs $var_ksmtuned_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ksmtuned_use_nfs # promote to variable set_fact: var_ksmtuned_use_nfs: !!str @@ -231982,6 +231970,18 @@ fi - medium_severity - no_reboot_needed - sebool_ksmtuned_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ksmtuned_use_nfs='' + + +setsebool -P ksmtuned_use_nfs $var_ksmtuned_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231999,18 +231999,6 @@ If this setting is disabled, it should be enabled. To enable the logadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P logadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logadm_exec_content='' - - -setsebool -P logadm_exec_content $var_logadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logadm_exec_content # promote to variable set_fact: var_logadm_exec_content: !!str @@ -232047,6 +232035,18 @@ fi - medium_severity - no_reboot_needed - sebool_logadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logadm_exec_content='' + + +setsebool -P logadm_exec_content $var_logadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232064,18 +232064,6 @@ If this setting is enabled, it should be disabled. To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_can_sendmail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logging_syslogd_can_sendmail='' - - -setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logging_syslogd_can_sendmail # promote to variable set_fact: var_logging_syslogd_can_sendmail: !!str 
@@ -232112,6 +232100,18 @@ fi - medium_severity - no_reboot_needed - sebool_logging_syslogd_can_sendmail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logging_syslogd_can_sendmail='' + + +setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232129,18 +232129,6 @@ If this setting is enabled, it should be disabled. To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_run_nagios_plugins off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logging_syslogd_run_nagios_plugins='' - - -setsebool -P logging_syslogd_run_nagios_plugins $var_logging_syslogd_run_nagios_plugins - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logging_syslogd_run_nagios_plugins # promote to variable set_fact: var_logging_syslogd_run_nagios_plugins: !!str @@ -232177,6 +232165,18 @@ fi - medium_severity - no_reboot_needed - sebool_logging_syslogd_run_nagios_plugins + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logging_syslogd_run_nagios_plugins='' + + +setsebool -P logging_syslogd_run_nagios_plugins $var_logging_syslogd_run_nagios_plugins + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232195,18 +232195,6 @@ the ability to read/write to terminal. To enable the logging_syslogd_use_tty SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_use_tty on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logging_syslogd_use_tty='' - - -setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logging_syslogd_use_tty # promote to variable set_fact: var_logging_syslogd_use_tty: !!str @@ -232243,6 +232231,18 @@ fi - medium_severity - no_reboot_needed - sebool_logging_syslogd_use_tty + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logging_syslogd_use_tty='' + + +setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232261,18 +232261,6 @@ If this setting is disabled, it should be enabled as it allows login from To enable the login_console_enabled SELinux boolean, run the following command: $ sudo setsebool -P login_console_enabled on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_login_console_enabled='' - - -setsebool -P login_console_enabled $var_login_console_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_login_console_enabled # promote to variable set_fact: var_login_console_enabled: !!str 
@@ -232309,6 +232297,18 @@ fi - medium_severity - no_reboot_needed - sebool_login_console_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_login_console_enabled='' + + +setsebool -P login_console_enabled $var_login_console_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232326,18 +232326,6 @@ If this setting is enabled, it should be disabled. To disable the logrotate_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P logrotate_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logrotate_use_nfs='' - - -setsebool -P logrotate_use_nfs $var_logrotate_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logrotate_use_nfs # promote to variable set_fact: var_logrotate_use_nfs: !!str @@ -232374,6 +232362,18 @@ fi - medium_severity - no_reboot_needed - sebool_logrotate_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logrotate_use_nfs='' + + +setsebool -P logrotate_use_nfs $var_logrotate_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232391,18 +232391,6 @@ If this setting is enabled, it should be disabled. To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command: $ sudo setsebool -P logwatch_can_network_connect_mail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logwatch_can_network_connect_mail='' - - -setsebool -P logwatch_can_network_connect_mail $var_logwatch_can_network_connect_mail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logwatch_can_network_connect_mail # promote to variable set_fact: var_logwatch_can_network_connect_mail: !!str @@ -232439,6 +232427,18 @@ fi - medium_severity - no_reboot_needed - sebool_logwatch_can_network_connect_mail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logwatch_can_network_connect_mail='' + + +setsebool -P logwatch_can_network_connect_mail $var_logwatch_can_network_connect_mail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232456,18 +232456,6 @@ If this setting is enabled, it should be disabled. To disable the lsmd_plugin_connect_any SELinux boolean, run the following command: $ sudo setsebool -P lsmd_plugin_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_lsmd_plugin_connect_any='' - - -setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_lsmd_plugin_connect_any # promote to variable set_fact: var_lsmd_plugin_connect_any: !!str 
@@ -232504,6 +232492,18 @@ fi - medium_severity - no_reboot_needed - sebool_lsmd_plugin_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_lsmd_plugin_connect_any='' + + +setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232521,18 +232521,6 @@ If this setting is enabled, it should be disabled. To disable the mailman_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P mailman_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mailman_use_fusefs='' - - -setsebool -P mailman_use_fusefs $var_mailman_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mailman_use_fusefs # promote to variable set_fact: var_mailman_use_fusefs: !!str @@ -232569,6 +232557,18 @@ fi - medium_severity - no_reboot_needed - sebool_mailman_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mailman_use_fusefs='' + + +setsebool -P mailman_use_fusefs $var_mailman_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232586,18 +232586,6 @@ If this setting is enabled, it should be disabled. To disable the mcelog_client SELinux boolean, run the following command: $ sudo setsebool -P mcelog_client off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_client='' - - -setsebool -P mcelog_client $var_mcelog_client - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_client # promote to variable set_fact: var_mcelog_client: !!str @@ -232634,6 +232622,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_client + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_client='' + + +setsebool -P mcelog_client $var_mcelog_client + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232651,18 +232651,6 @@ If this setting is disabled, it should be enabled. To enable the mcelog_exec_scripts SELinux boolean, run the following command: $ sudo setsebool -P mcelog_exec_scripts on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_exec_scripts='' - - -setsebool -P mcelog_exec_scripts $var_mcelog_exec_scripts - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_exec_scripts # promote to variable set_fact: var_mcelog_exec_scripts: !!str 
@@ -232699,6 +232687,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_exec_scripts + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_exec_scripts='' + + +setsebool -P mcelog_exec_scripts $var_mcelog_exec_scripts + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232716,18 +232716,6 @@ If this setting is enabled, it should be disabled. To disable the mcelog_foreground SELinux boolean, run the following command: $ sudo setsebool -P mcelog_foreground off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_foreground='' - - -setsebool -P mcelog_foreground $var_mcelog_foreground - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_foreground # promote to variable set_fact: var_mcelog_foreground: !!str @@ -232764,6 +232752,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_foreground + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_foreground='' + + +setsebool -P mcelog_foreground $var_mcelog_foreground + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232781,18 +232781,6 @@ If this setting is enabled, it should be disabled. To disable the mcelog_server SELinux boolean, run the following command: $ sudo setsebool -P mcelog_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_server='' - - -setsebool -P mcelog_server $var_mcelog_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_server # promote to variable set_fact: var_mcelog_server: !!str @@ -232829,6 +232817,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_server='' + + +setsebool -P mcelog_server $var_mcelog_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232846,18 +232846,6 @@ If this setting is enabled, it should be disabled. To disable the minidlna_read_generic_user_content SELinux boolean, run the following command: $ sudo setsebool -P minidlna_read_generic_user_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_minidlna_read_generic_user_content='' - - -setsebool -P minidlna_read_generic_user_content $var_minidlna_read_generic_user_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_minidlna_read_generic_user_content # promote to variable set_fact: var_minidlna_read_generic_user_content: !!str 
@@ -232894,6 +232882,18 @@ fi - medium_severity - no_reboot_needed - sebool_minidlna_read_generic_user_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_minidlna_read_generic_user_content='' + + +setsebool -P minidlna_read_generic_user_content $var_minidlna_read_generic_user_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232911,18 +232911,6 @@ If this setting is enabled, it should be disabled. To disable the mmap_low_allowed SELinux boolean, run the following command: $ sudo setsebool -P mmap_low_allowed off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mmap_low_allowed='' - - -setsebool -P mmap_low_allowed $var_mmap_low_allowed - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mmap_low_allowed # promote to variable set_fact: var_mmap_low_allowed: !!str @@ -232959,6 +232947,18 @@ fi - medium_severity - no_reboot_needed - sebool_mmap_low_allowed + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mmap_low_allowed='' + + +setsebool -P mmap_low_allowed $var_mmap_low_allowed + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232976,18 +232976,6 @@ If this setting is enabled, it should be disabled. To disable the mock_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P mock_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mock_enable_homedirs='' - - -setsebool -P mock_enable_homedirs $var_mock_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mock_enable_homedirs # promote to variable set_fact: var_mock_enable_homedirs: !!str @@ -233024,6 +233012,18 @@ fi - medium_severity - no_reboot_needed - sebool_mock_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mock_enable_homedirs='' + + +setsebool -P mock_enable_homedirs $var_mock_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233042,18 +233042,6 @@ or directory to be mounted. To enable the mount_anyfile SELinux boolean, run the following command: $ sudo setsebool -P mount_anyfile on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mount_anyfile='' - - -setsebool -P mount_anyfile $var_mount_anyfile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mount_anyfile # promote to variable set_fact: var_mount_anyfile: !!str 
@@ -233090,6 +233078,18 @@ fi - medium_severity - no_reboot_needed - sebool_mount_anyfile + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mount_anyfile='' + + +setsebool -P mount_anyfile $var_mount_anyfile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233107,18 +233107,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_bind_unreserved_ports='' - - -setsebool -P mozilla_plugin_bind_unreserved_ports $var_mozilla_plugin_bind_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_bind_unreserved_ports # promote to variable set_fact: var_mozilla_plugin_bind_unreserved_ports: !!str @@ -233155,6 +233143,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_bind_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_bind_unreserved_ports='' + + +setsebool -P mozilla_plugin_bind_unreserved_ports $var_mozilla_plugin_bind_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233172,18 +233172,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_can_network_connect='' - - -setsebool -P mozilla_plugin_can_network_connect $var_mozilla_plugin_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_can_network_connect # promote to variable set_fact: var_mozilla_plugin_can_network_connect: !!str @@ -233220,6 +233208,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_can_network_connect='' + + +setsebool -P mozilla_plugin_can_network_connect $var_mozilla_plugin_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233237,18 +233237,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_bluejeans off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_use_bluejeans='' - - -setsebool -P mozilla_plugin_use_bluejeans $var_mozilla_plugin_use_bluejeans - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_use_bluejeans # promote to variable set_fact: var_mozilla_plugin_use_bluejeans: !!str 
@@ -233285,6 +233273,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_use_bluejeans + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_use_bluejeans='' + + +setsebool -P mozilla_plugin_use_bluejeans $var_mozilla_plugin_use_bluejeans + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233302,18 +233302,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_gps SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_gps off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_use_gps='' - - -setsebool -P mozilla_plugin_use_gps $var_mozilla_plugin_use_gps - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_use_gps # promote to variable set_fact: var_mozilla_plugin_use_gps: !!str @@ -233350,6 +233338,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_use_gps + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_use_gps='' + + +setsebool -P mozilla_plugin_use_gps $var_mozilla_plugin_use_gps + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233367,18 +233367,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_spice SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_spice off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_use_spice='' - - -setsebool -P mozilla_plugin_use_spice $var_mozilla_plugin_use_spice - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_use_spice # promote to variable set_fact: var_mozilla_plugin_use_spice: !!str @@ -233415,6 +233403,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_use_spice + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_use_spice='' + + +setsebool -P mozilla_plugin_use_spice $var_mozilla_plugin_use_spice + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233432,18 +233432,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_read_content SELinux boolean, run the following command: $ sudo setsebool -P mozilla_read_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_read_content='' - - -setsebool -P mozilla_read_content $var_mozilla_read_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_read_content # promote to variable set_fact: var_mozilla_read_content: !!str 
@@ -233480,6 +233468,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_read_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_read_content='' + + +setsebool -P mozilla_read_content $var_mozilla_read_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233497,18 +233497,6 @@ If this setting is enabled, it should be disabled. To disable the mpd_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P mpd_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mpd_enable_homedirs='' - - -setsebool -P mpd_enable_homedirs $var_mpd_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mpd_enable_homedirs # promote to variable set_fact: var_mpd_enable_homedirs: !!str @@ -233545,6 +233533,18 @@ fi - medium_severity - no_reboot_needed - sebool_mpd_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mpd_enable_homedirs='' + + +setsebool -P mpd_enable_homedirs $var_mpd_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233562,18 +233562,6 @@ If this setting is enabled, it should be disabled. To disable the mpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P mpd_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mpd_use_cifs='' - - -setsebool -P mpd_use_cifs $var_mpd_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mpd_use_cifs # promote to variable set_fact: var_mpd_use_cifs: !!str @@ -233610,6 +233598,18 @@ fi - medium_severity - no_reboot_needed - sebool_mpd_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mpd_use_cifs='' + + +setsebool -P mpd_use_cifs $var_mpd_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233627,18 +233627,6 @@ If this setting is enabled, it should be disabled. To disable the mpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P mpd_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mpd_use_nfs='' - - -setsebool -P mpd_use_nfs $var_mpd_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mpd_use_nfs # promote to variable set_fact: var_mpd_use_nfs: !!str @@ -233675,6 +233663,18 @@ fi - medium_severity - no_reboot_needed - sebool_mpd_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mpd_use_nfs='' + + +setsebool -P mpd_use_nfs $var_mpd_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233692,18 +233692,6 @@ If this setting is enabled, it should be disabled. To disable the mplayer_execstack SELinux boolean, run the following command: $ sudo setsebool -P mplayer_execstack off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mplayer_execstack='' - - -setsebool -P mplayer_execstack $var_mplayer_execstack - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mplayer_execstack # promote to variable set_fact: var_mplayer_execstack: !!str @@ -233740,6 +233728,18 @@ fi - medium_severity - no_reboot_needed - sebool_mplayer_execstack + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mplayer_execstack='' + + +setsebool -P mplayer_execstack $var_mplayer_execstack + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233757,18 +233757,6 @@ If this setting is enabled, it should be disabled. To disable the mysql_connect_any SELinux boolean, run the following command: $ sudo setsebool -P mysql_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mysql_connect_any='' - - -setsebool -P mysql_connect_any $var_mysql_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mysql_connect_any # promote to variable set_fact: var_mysql_connect_any: !!str 
@@ -233805,6 +233793,18 @@ fi - medium_severity - no_reboot_needed - sebool_mysql_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mysql_connect_any='' + + +setsebool -P mysql_connect_any $var_mysql_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233822,18 +233822,6 @@ If this setting is enabled, it should be disabled. To disable the nagios_run_pnp4nagios SELinux boolean, run the following command: $ sudo setsebool -P nagios_run_pnp4nagios off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nagios_run_pnp4nagios='' - - -setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nagios_run_pnp4nagios # promote to variable set_fact: var_nagios_run_pnp4nagios: !!str @@ -233870,6 +233858,18 @@ fi - medium_severity - no_reboot_needed - sebool_nagios_run_pnp4nagios + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nagios_run_pnp4nagios='' + + +setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233887,18 +233887,6 @@ If this setting is enabled, it should be disabled. To disable the nagios_run_sudo SELinux boolean, run the following command: $ sudo setsebool -P nagios_run_sudo off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nagios_run_sudo='' - - -setsebool -P nagios_run_sudo $var_nagios_run_sudo - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nagios_run_sudo # promote to variable set_fact: var_nagios_run_sudo: !!str @@ -233935,6 +233923,18 @@ fi - medium_severity - no_reboot_needed - sebool_nagios_run_sudo + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nagios_run_sudo='' + + +setsebool -P nagios_run_sudo $var_nagios_run_sudo + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233952,18 +233952,6 @@ If this setting is enabled, it should be disabled. To disable the named_tcp_bind_http_port SELinux boolean, run the following command: $ sudo setsebool -P named_tcp_bind_http_port off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_named_tcp_bind_http_port='' - - -setsebool -P named_tcp_bind_http_port $var_named_tcp_bind_http_port - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_named_tcp_bind_http_port # promote to variable set_fact: var_named_tcp_bind_http_port: !!str 
@@ -234000,6 +233988,18 @@ fi - medium_severity - no_reboot_needed - sebool_named_tcp_bind_http_port + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_named_tcp_bind_http_port='' + + +setsebool -P named_tcp_bind_http_port $var_named_tcp_bind_http_port + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234017,18 +234017,6 @@ If this setting is enabled, it should be disabled. To disable the named_write_master_zones SELinux boolean, run the following command: $ sudo setsebool -P named_write_master_zones off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_named_write_master_zones='' - - -setsebool -P named_write_master_zones $var_named_write_master_zones - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_named_write_master_zones # promote to variable set_fact: var_named_write_master_zones: !!str @@ -234065,6 +234053,18 @@ fi - medium_severity - no_reboot_needed - sebool_named_write_master_zones + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_named_write_master_zones='' + + +setsebool -P named_write_master_zones $var_named_write_master_zones + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234082,18 +234082,6 @@ If this setting is enabled, it should be disabled. To disable the neutron_can_network SELinux boolean, run the following command: $ sudo setsebool -P neutron_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_neutron_can_network='' - - -setsebool -P neutron_can_network $var_neutron_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_neutron_can_network # promote to variable set_fact: var_neutron_can_network: !!str @@ -234130,6 +234118,18 @@ fi - medium_severity - no_reboot_needed - sebool_neutron_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_neutron_can_network='' + + +setsebool -P neutron_can_network $var_neutron_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234148,18 +234148,6 @@ export read-only mounts. To enable the nfs_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P nfs_export_all_ro on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nfs_export_all_ro='' - - -setsebool -P nfs_export_all_ro $var_nfs_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nfs_export_all_ro # promote to variable set_fact: var_nfs_export_all_ro: !!str 
@@ -234196,6 +234184,18 @@ fi - medium_severity - no_reboot_needed - sebool_nfs_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nfs_export_all_ro='' + + +setsebool -P nfs_export_all_ro $var_nfs_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234214,18 +234214,6 @@ export read/write mounts. To enable the nfs_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P nfs_export_all_rw on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nfs_export_all_rw='' - - -setsebool -P nfs_export_all_rw $var_nfs_export_all_rw - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nfs_export_all_rw # promote to variable set_fact: var_nfs_export_all_rw: !!str @@ -234262,6 +234250,18 @@ fi - medium_severity - no_reboot_needed - sebool_nfs_export_all_rw + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nfs_export_all_rw='' + + +setsebool -P nfs_export_all_rw $var_nfs_export_all_rw + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234279,18 +234279,6 @@ If this setting is enabled, it should be disabled. To disable the nfsd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P nfsd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nfsd_anon_write='' - - -setsebool -P nfsd_anon_write $var_nfsd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nfsd_anon_write # promote to variable set_fact: var_nfsd_anon_write: !!str @@ -234327,6 +234315,18 @@ fi - medium_severity - no_reboot_needed - sebool_nfsd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nfsd_anon_write='' + + +setsebool -P nfsd_anon_write $var_nfsd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234344,18 +234344,6 @@ If this setting is enabled, it should be disabled. To disable the nis_enabled SELinux boolean, run the following command: $ sudo setsebool -P nis_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nis_enabled='' - - -setsebool -P nis_enabled $var_nis_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nis_enabled # promote to variable set_fact: var_nis_enabled: !!str 
@@ -234392,6 +234380,18 @@ fi - medium_severity - no_reboot_needed - sebool_nis_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nis_enabled='' + + +setsebool -P nis_enabled $var_nis_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234410,18 +234410,6 @@ to use shared memory. To enable the nscd_use_shm SELinux boolean, run the following command: $ sudo setsebool -P nscd_use_shm on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nscd_use_shm='' - - -setsebool -P nscd_use_shm $var_nscd_use_shm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nscd_use_shm # promote to variable set_fact: var_nscd_use_shm: !!str @@ -234458,6 +234446,18 @@ fi - medium_severity - no_reboot_needed - sebool_nscd_use_shm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nscd_use_shm='' + + +setsebool -P nscd_use_shm $var_nscd_use_shm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234475,18 +234475,6 @@ If this setting is enabled, it should be disabled. To disable the openshift_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P openshift_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openshift_use_nfs='' - - -setsebool -P openshift_use_nfs $var_openshift_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openshift_use_nfs # promote to variable set_fact: var_openshift_use_nfs: !!str @@ -234523,6 +234511,18 @@ fi - medium_severity - no_reboot_needed - sebool_openshift_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openshift_use_nfs='' + + +setsebool -P openshift_use_nfs $var_openshift_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234540,18 +234540,6 @@ This setting should be disabled. To disable the openvpn_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P openvpn_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openvpn_can_network_connect='' - - -setsebool -P openvpn_can_network_connect $var_openvpn_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openvpn_can_network_connect # promote to variable set_fact: var_openvpn_can_network_connect: !!str 
@@ -234588,6 +234576,18 @@ fi - medium_severity - no_reboot_needed - sebool_openvpn_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openvpn_can_network_connect='' + + +setsebool -P openvpn_can_network_connect $var_openvpn_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234605,18 +234605,6 @@ This setting should be disabled. To disable the openvpn_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P openvpn_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openvpn_enable_homedirs='' - - -setsebool -P openvpn_enable_homedirs $var_openvpn_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openvpn_enable_homedirs # promote to variable set_fact: var_openvpn_enable_homedirs: !!str @@ -234653,6 +234641,18 @@ fi - medium_severity - no_reboot_needed - sebool_openvpn_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openvpn_enable_homedirs='' + + +setsebool -P openvpn_enable_homedirs $var_openvpn_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234670,18 +234670,6 @@ If this setting is enabled, it should be disabled. To disable the openvpn_run_unconfined SELinux boolean, run the following command: $ sudo setsebool -P openvpn_run_unconfined off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openvpn_run_unconfined='' - - -setsebool -P openvpn_run_unconfined $var_openvpn_run_unconfined - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openvpn_run_unconfined # promote to variable set_fact: var_openvpn_run_unconfined: !!str @@ -234718,6 +234706,18 @@ fi - medium_severity - no_reboot_needed - sebool_openvpn_run_unconfined + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openvpn_run_unconfined='' + + +setsebool -P openvpn_run_unconfined $var_openvpn_run_unconfined + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234735,18 +234735,6 @@ If this setting is enabled, it should be disabled. To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P pcp_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pcp_bind_all_unreserved_ports='' - - -setsebool -P pcp_bind_all_unreserved_ports $var_pcp_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pcp_bind_all_unreserved_ports # promote to variable set_fact: var_pcp_bind_all_unreserved_ports: !!str 
@@ -234783,6 +234771,18 @@ fi - medium_severity - no_reboot_needed - sebool_pcp_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pcp_bind_all_unreserved_ports='' + + +setsebool -P pcp_bind_all_unreserved_ports $var_pcp_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234800,18 +234800,6 @@ If this setting is enabled, it should be disabled. To disable the pcp_read_generic_logs SELinux boolean, run the following command: $ sudo setsebool -P pcp_read_generic_logs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pcp_read_generic_logs='' - - -setsebool -P pcp_read_generic_logs $var_pcp_read_generic_logs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pcp_read_generic_logs # promote to variable set_fact: var_pcp_read_generic_logs: !!str @@ -234848,6 +234836,18 @@ fi - medium_severity - no_reboot_needed - sebool_pcp_read_generic_logs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pcp_read_generic_logs='' + + +setsebool -P pcp_read_generic_logs $var_pcp_read_generic_logs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234865,18 +234865,6 @@ If this setting is enabled, it should be disabled. To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P piranha_lvs_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_piranha_lvs_can_network_connect='' - - -setsebool -P piranha_lvs_can_network_connect $var_piranha_lvs_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_piranha_lvs_can_network_connect # promote to variable set_fact: var_piranha_lvs_can_network_connect: !!str @@ -234913,6 +234901,18 @@ fi - medium_severity - no_reboot_needed - sebool_piranha_lvs_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_piranha_lvs_can_network_connect='' + + +setsebool -P piranha_lvs_can_network_connect $var_piranha_lvs_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234930,18 +234930,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_connect_all_unreserved SELinux boolean, run the following command: $ sudo setsebool -P polipo_connect_all_unreserved off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_connect_all_unreserved='' - - -setsebool -P polipo_connect_all_unreserved $var_polipo_connect_all_unreserved - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_connect_all_unreserved # promote to variable set_fact: var_polipo_connect_all_unreserved: !!str 
@@ -234978,6 +234966,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_connect_all_unreserved + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_connect_all_unreserved='' + + +setsebool -P polipo_connect_all_unreserved $var_polipo_connect_all_unreserved + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234995,18 +234995,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P polipo_session_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_session_bind_all_unreserved_ports='' - - -setsebool -P polipo_session_bind_all_unreserved_ports $var_polipo_session_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_session_bind_all_unreserved_ports # promote to variable set_fact: var_polipo_session_bind_all_unreserved_ports: !!str @@ -235043,6 +235031,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_session_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_session_bind_all_unreserved_ports='' + + +setsebool -P polipo_session_bind_all_unreserved_ports $var_polipo_session_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235060,18 +235060,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_session_users SELinux boolean, run the following command: $ sudo setsebool -P polipo_session_users off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_session_users='' - - -setsebool -P polipo_session_users $var_polipo_session_users - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_session_users # promote to variable set_fact: var_polipo_session_users: !!str @@ -235108,6 +235096,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_session_users + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_session_users='' + + +setsebool -P polipo_session_users $var_polipo_session_users + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235125,18 +235125,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P polipo_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_use_cifs='' - - -setsebool -P polipo_use_cifs $var_polipo_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_use_cifs # promote to variable set_fact: var_polipo_use_cifs: !!str 
@@ -235173,6 +235161,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_use_cifs='' + + +setsebool -P polipo_use_cifs $var_polipo_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235190,18 +235190,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P polipo_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_use_nfs='' - - -setsebool -P polipo_use_nfs $var_polipo_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_use_nfs # promote to variable set_fact: var_polipo_use_nfs: !!str @@ -235238,6 +235226,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_use_nfs='' + + +setsebool -P polipo_use_nfs $var_polipo_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235257,18 +235257,6 @@ To set the polyinstantiation_enabled SELinux boolean, run BP28(R39) CCE-84230-2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polyinstantiation_enabled='' - - -setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polyinstantiation_enabled # promote to variable set_fact: var_polyinstantiation_enabled: !!str @@ -235307,6 +235295,18 @@ fi - medium_severity - no_reboot_needed - sebool_polyinstantiation_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polyinstantiation_enabled='' + + +setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235325,18 +235325,6 @@ to the mail spool directories. To enable the postfix_local_write_mail_spool SELinux boolean, run the following command: $ sudo setsebool -P postfix_local_write_mail_spool on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postfix_local_write_mail_spool='' - - -setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postfix_local_write_mail_spool # promote to variable set_fact: var_postfix_local_write_mail_spool: !!str 
@@ -235373,6 +235361,18 @@ fi - medium_severity - no_reboot_needed - sebool_postfix_local_write_mail_spool + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postfix_local_write_mail_spool='' + + +setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235390,18 +235390,6 @@ If this setting is enabled, it should be disabled. To disable the postgresql_can_rsync SELinux boolean, run the following command: $ sudo setsebool -P postgresql_can_rsync off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_can_rsync='' - - -setsebool -P postgresql_can_rsync $var_postgresql_can_rsync - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_can_rsync # promote to variable set_fact: var_postgresql_can_rsync: !!str @@ -235438,6 +235426,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_can_rsync + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_can_rsync='' + + +setsebool -P postgresql_can_rsync $var_postgresql_can_rsync + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235455,18 +235455,6 @@ If this setting is enabled, it should be disabled. To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_transmit_client_label off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_selinux_transmit_client_label='' - - -setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_selinux_transmit_client_label # promote to variable set_fact: var_postgresql_selinux_transmit_client_label: !!str @@ -235503,6 +235491,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_selinux_transmit_client_label + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_selinux_transmit_client_label='' + + +setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235521,18 +235521,6 @@ execute Data Manipulation Language (DML) statements. To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_unconfined_dbadm on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_selinux_unconfined_dbadm='' - - -setsebool -P postgresql_selinux_unconfined_dbadm $var_postgresql_selinux_unconfined_dbadm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_selinux_unconfined_dbadm # promote to variable set_fact: var_postgresql_selinux_unconfined_dbadm: !!str @@ -235569,6 +235557,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_selinux_unconfined_dbadm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_selinux_unconfined_dbadm='' + + +setsebool -P postgresql_selinux_unconfined_dbadm $var_postgresql_selinux_unconfined_dbadm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235587,18 +235587,6 @@ execute Data Definition Language (DDL) statements. To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_users_ddl on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_selinux_users_ddl='' - - -setsebool -P postgresql_selinux_users_ddl $var_postgresql_selinux_users_ddl - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_selinux_users_ddl # promote to variable set_fact: var_postgresql_selinux_users_ddl: !!str 
@@ -235635,6 +235623,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_selinux_users_ddl + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_selinux_users_ddl='' + + +setsebool -P postgresql_selinux_users_ddl $var_postgresql_selinux_users_ddl + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235652,18 +235652,6 @@ If this setting is enabled, it should be disabled. To disable the pppd_can_insmod SELinux boolean, run the following command: $ sudo setsebool -P pppd_can_insmod off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pppd_can_insmod='' - - -setsebool -P pppd_can_insmod $var_pppd_can_insmod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pppd_can_insmod # promote to variable set_fact: var_pppd_can_insmod: !!str @@ -235700,6 +235688,18 @@ fi - medium_severity - no_reboot_needed - sebool_pppd_can_insmod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pppd_can_insmod='' + + +setsebool -P pppd_can_insmod $var_pppd_can_insmod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235717,18 +235717,6 @@ If this setting is enabled, it should be disabled. To disable the pppd_for_user SELinux boolean, run the following command: $ sudo setsebool -P pppd_for_user off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pppd_for_user='' - - -setsebool -P pppd_for_user $var_pppd_for_user - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pppd_for_user # promote to variable set_fact: var_pppd_for_user: !!str @@ -235765,6 +235753,18 @@ fi - medium_severity - no_reboot_needed - sebool_pppd_for_user + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pppd_for_user='' + + +setsebool -P pppd_for_user $var_pppd_for_user + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235782,18 +235782,6 @@ This setting should be disabled. To disable the privoxy_connect_any SELinux boolean, run the following command: $ sudo setsebool -P privoxy_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_privoxy_connect_any='' - - -setsebool -P privoxy_connect_any $var_privoxy_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_privoxy_connect_any # promote to variable set_fact: var_privoxy_connect_any: !!str 
@@ -235830,6 +235818,18 @@ fi - medium_severity - no_reboot_needed - sebool_privoxy_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_privoxy_connect_any='' + + +setsebool -P privoxy_connect_any $var_privoxy_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235847,18 +235847,6 @@ If this setting is enabled, it should be disabled. To disable the prosody_bind_http_port SELinux boolean, run the following command: $ sudo setsebool -P prosody_bind_http_port off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_prosody_bind_http_port='' - - -setsebool -P prosody_bind_http_port $var_prosody_bind_http_port - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_prosody_bind_http_port # promote to variable set_fact: var_prosody_bind_http_port: !!str @@ -235895,6 +235883,18 @@ fi - medium_severity - no_reboot_needed - sebool_prosody_bind_http_port + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_prosody_bind_http_port='' + + +setsebool -P prosody_bind_http_port $var_prosody_bind_http_port + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235912,18 +235912,6 @@ If this setting is enabled, it should be disabled. To disable the puppetagent_manage_all_files SELinux boolean, run the following command: $ sudo setsebool -P puppetagent_manage_all_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_puppetagent_manage_all_files='' - - -setsebool -P puppetagent_manage_all_files $var_puppetagent_manage_all_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_puppetagent_manage_all_files # promote to variable set_fact: var_puppetagent_manage_all_files: !!str @@ -235960,6 +235948,18 @@ fi - medium_severity - no_reboot_needed - sebool_puppetagent_manage_all_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_puppetagent_manage_all_files='' + + +setsebool -P puppetagent_manage_all_files $var_puppetagent_manage_all_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235977,18 +235977,6 @@ If this setting is enabled, it should be disabled. To disable the puppetmaster_use_db SELinux boolean, run the following command: $ sudo setsebool -P puppetmaster_use_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_puppetmaster_use_db='' - - -setsebool -P puppetmaster_use_db $var_puppetmaster_use_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_puppetmaster_use_db # promote to variable set_fact: var_puppetmaster_use_db: !!str 
@@ -236025,6 +236013,18 @@ fi - medium_severity - no_reboot_needed - sebool_puppetmaster_use_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_puppetmaster_use_db='' + + +setsebool -P puppetmaster_use_db $var_puppetmaster_use_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236042,18 +236042,6 @@ If this setting is enabled, it should be disabled. To disable the racoon_read_shadow SELinux boolean, run the following command: $ sudo setsebool -P racoon_read_shadow off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_racoon_read_shadow='' - - -setsebool -P racoon_read_shadow $var_racoon_read_shadow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_racoon_read_shadow # promote to variable set_fact: var_racoon_read_shadow: !!str @@ -236090,6 +236078,18 @@ fi - medium_severity - no_reboot_needed - sebool_racoon_read_shadow + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_racoon_read_shadow='' + + +setsebool -P racoon_read_shadow $var_racoon_read_shadow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236107,18 +236107,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_anon_write SELinux boolean, run the following command: $ sudo setsebool -P rsync_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_anon_write='' - - -setsebool -P rsync_anon_write $var_rsync_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_anon_write # promote to variable set_fact: var_rsync_anon_write: !!str @@ -236155,6 +236143,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_anon_write='' + + +setsebool -P rsync_anon_write $var_rsync_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236172,18 +236172,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_client SELinux boolean, run the following command: $ sudo setsebool -P rsync_client off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_client='' - - -setsebool -P rsync_client $var_rsync_client - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_client # promote to variable set_fact: var_rsync_client: !!str 
@@ -236220,6 +236208,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_client + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_client='' + + +setsebool -P rsync_client $var_rsync_client + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236237,18 +236237,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P rsync_export_all_ro off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_export_all_ro='' - - -setsebool -P rsync_export_all_ro $var_rsync_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_export_all_ro # promote to variable set_fact: var_rsync_export_all_ro: !!str @@ -236285,6 +236273,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_export_all_ro='' + + +setsebool -P rsync_export_all_ro $var_rsync_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236302,18 +236302,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_full_access SELinux boolean, run the following command: $ sudo setsebool -P rsync_full_access off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_full_access='' - - -setsebool -P rsync_full_access $var_rsync_full_access - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_full_access # promote to variable set_fact: var_rsync_full_access: !!str @@ -236350,6 +236338,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_full_access + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_full_access='' + + +setsebool -P rsync_full_access $var_rsync_full_access + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236367,18 +236367,6 @@ If this setting is enabled, it should be disabled. To disable the samba_create_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P samba_create_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_create_home_dirs='' - - -setsebool -P samba_create_home_dirs $var_samba_create_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_create_home_dirs # promote to variable set_fact: var_samba_create_home_dirs: !!str 
@@ -236415,6 +236403,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_create_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_create_home_dirs='' + + +setsebool -P samba_create_home_dirs $var_samba_create_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236432,18 +236432,6 @@ If this setting is enabled, it should be disabled. To disable the samba_domain_controller SELinux boolean, run the following command: $ sudo setsebool -P samba_domain_controller off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_domain_controller='' - - -setsebool -P samba_domain_controller $var_samba_domain_controller - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_domain_controller # promote to variable set_fact: var_samba_domain_controller: !!str @@ -236480,6 +236468,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_domain_controller + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_domain_controller='' + + +setsebool -P samba_domain_controller $var_samba_domain_controller + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236497,18 +236497,6 @@ If this setting is enabled, it should be disabled. To disable the samba_enable_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P samba_enable_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_enable_home_dirs='' - - -setsebool -P samba_enable_home_dirs $var_samba_enable_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_enable_home_dirs # promote to variable set_fact: var_samba_enable_home_dirs: !!str @@ -236545,6 +236533,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_enable_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_enable_home_dirs='' + + +setsebool -P samba_enable_home_dirs $var_samba_enable_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236562,18 +236562,6 @@ If this setting is enabled, it should be disabled. To disable the samba_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_ro off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_export_all_ro='' - - -setsebool -P samba_export_all_ro $var_samba_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_export_all_ro # promote to variable set_fact: var_samba_export_all_ro: !!str 
@@ -236610,6 +236598,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_export_all_ro='' + + +setsebool -P samba_export_all_ro $var_samba_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236627,18 +236627,6 @@ If this setting is enabled, it should be disabled. To disable the samba_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_rw off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_export_all_rw='' - - -setsebool -P samba_export_all_rw $var_samba_export_all_rw - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_export_all_rw # promote to variable set_fact: var_samba_export_all_rw: !!str @@ -236675,6 +236663,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_export_all_rw + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_export_all_rw='' + + +setsebool -P samba_export_all_rw $var_samba_export_all_rw + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236692,18 +236692,6 @@ If this setting is enabled, it should be disabled. To disable the samba_load_libgfapi SELinux boolean, run the following command: $ sudo setsebool -P samba_load_libgfapi off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_load_libgfapi='' - - -setsebool -P samba_load_libgfapi $var_samba_load_libgfapi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_load_libgfapi # promote to variable set_fact: var_samba_load_libgfapi: !!str @@ -236740,6 +236728,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_load_libgfapi + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_load_libgfapi='' + + +setsebool -P samba_load_libgfapi $var_samba_load_libgfapi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236757,18 +236757,6 @@ If this setting is enabled, it should be disabled. To disable the samba_portmapper SELinux boolean, run the following command: $ sudo setsebool -P samba_portmapper off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_portmapper='' - - -setsebool -P samba_portmapper $var_samba_portmapper - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_portmapper # promote to variable set_fact: var_samba_portmapper: !!str 
@@ -236805,6 +236793,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_portmapper + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_portmapper='' + + +setsebool -P samba_portmapper $var_samba_portmapper + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236822,18 +236822,6 @@ If this setting is enabled, it should be disabled. To disable the samba_run_unconfined SELinux boolean, run the following command: $ sudo setsebool -P samba_run_unconfined off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_run_unconfined='' - - -setsebool -P samba_run_unconfined $var_samba_run_unconfined - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_run_unconfined # promote to variable set_fact: var_samba_run_unconfined: !!str @@ -236870,6 +236858,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_run_unconfined + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_run_unconfined='' + + +setsebool -P samba_run_unconfined $var_samba_run_unconfined + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236887,18 +236887,6 @@ If this setting is enabled, it should be disabled. To disable the samba_share_fusefs SELinux boolean, run the following command: $ sudo setsebool -P samba_share_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_share_fusefs='' - - -setsebool -P samba_share_fusefs $var_samba_share_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_share_fusefs # promote to variable set_fact: var_samba_share_fusefs: !!str @@ -236935,6 +236923,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_share_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_share_fusefs='' + + +setsebool -P samba_share_fusefs $var_samba_share_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236952,18 +236952,6 @@ If this setting is enabled, it should be disabled. To disable the samba_share_nfs SELinux boolean, run the following command: $ sudo setsebool -P samba_share_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_share_nfs='' - - -setsebool -P samba_share_nfs $var_samba_share_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_share_nfs # promote to variable set_fact: var_samba_share_nfs: !!str 
@@ -237000,6 +236988,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_share_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_share_nfs='' + + +setsebool -P samba_share_nfs $var_samba_share_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237017,18 +237017,6 @@ If this setting is enabled, it should be disabled. To disable the sanlock_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sanlock_use_fusefs='' - - -setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sanlock_use_fusefs # promote to variable set_fact: var_sanlock_use_fusefs: !!str @@ -237065,6 +237053,18 @@ fi - medium_severity - no_reboot_needed - sebool_sanlock_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sanlock_use_fusefs='' + + +setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237082,18 +237082,6 @@ If this setting is enabled, it should be disabled. To disable the sanlock_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sanlock_use_nfs='' - - -setsebool -P sanlock_use_nfs $var_sanlock_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sanlock_use_nfs # promote to variable set_fact: var_sanlock_use_nfs: !!str @@ -237130,6 +237118,18 @@ fi - medium_severity - no_reboot_needed - sebool_sanlock_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sanlock_use_nfs='' + + +setsebool -P sanlock_use_nfs $var_sanlock_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237147,18 +237147,6 @@ If this setting is enabled, it should be disabled. To disable the sanlock_use_samba SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_samba off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sanlock_use_samba='' - - -setsebool -P sanlock_use_samba $var_sanlock_use_samba - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sanlock_use_samba # promote to variable set_fact: var_sanlock_use_samba: !!str 
@@ -237195,6 +237183,18 @@ fi - medium_severity - no_reboot_needed - sebool_sanlock_use_samba + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sanlock_use_samba='' + + +setsebool -P sanlock_use_samba $var_sanlock_use_samba + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237212,18 +237212,6 @@ If this setting is enabled, it should be disabled. To disable the saslauthd_read_shadow SELinux boolean, run the following command: $ sudo setsebool -P saslauthd_read_shadow off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_saslauthd_read_shadow='' - - -setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_saslauthd_read_shadow # promote to variable set_fact: var_saslauthd_read_shadow: !!str @@ -237260,6 +237248,18 @@ fi - medium_severity - no_reboot_needed - sebool_saslauthd_read_shadow + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_saslauthd_read_shadow='' + + +setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237277,18 +237277,6 @@ If this setting is disabled, it should be enabled. To enable the secadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P secadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secadm_exec_content='' - - -setsebool -P secadm_exec_content $var_secadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secadm_exec_content # promote to variable set_fact: var_secadm_exec_content: !!str @@ -237325,6 +237313,18 @@ fi - medium_severity - no_reboot_needed - sebool_secadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secadm_exec_content='' + + +setsebool -P secadm_exec_content $var_secadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237342,18 +237342,6 @@ If this setting is enabled, it should be disabled. To disable the secure_mode SELinux boolean, run the following command: $ sudo setsebool -P secure_mode off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secure_mode='' - - -setsebool -P secure_mode $var_secure_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secure_mode # promote to variable set_fact: var_secure_mode: !!str 
@@ -237390,6 +237378,18 @@ fi - medium_severity - no_reboot_needed - sebool_secure_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secure_mode='' + + +setsebool -P secure_mode $var_secure_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237409,18 +237409,6 @@ To set the secure_mode_insmod SELinux boolean, run the fo BP28(R67) CCE-83310-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secure_mode_insmod='' - - -setsebool -P secure_mode_insmod $var_secure_mode_insmod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secure_mode_insmod # promote to variable set_fact: var_secure_mode_insmod: !!str @@ -237459,6 +237447,18 @@ fi - medium_severity - no_reboot_needed - sebool_secure_mode_insmod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secure_mode_insmod='' + + +setsebool -P secure_mode_insmod $var_secure_mode_insmod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237476,18 +237476,6 @@ If this setting is enabled, it should be disabled. To disable the secure_mode_policyload SELinux boolean, run the following command: $ sudo setsebool -P secure_mode_policyload off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secure_mode_policyload='' - - -setsebool -P secure_mode_policyload $var_secure_mode_policyload - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secure_mode_policyload # promote to variable set_fact: var_secure_mode_policyload: !!str @@ -237524,6 +237512,18 @@ fi - medium_severity - no_reboot_needed - sebool_secure_mode_policyload + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secure_mode_policyload='' + + +setsebool -P secure_mode_policyload $var_secure_mode_policyload + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237542,18 +237542,6 @@ Otherwise, enable it. To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_direct_dri_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_direct_dri_enabled='' - - -setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_direct_dri_enabled # promote to variable set_fact: var_selinuxuser_direct_dri_enabled: !!str 
@@ -237590,6 +237578,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_direct_dri_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_direct_dri_enabled='' + + +setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237617,18 +237617,6 @@ To disable the selinuxuser_execheap SELinux boolean, run 164.312(e) Disabling code execution from the heap blocks buffer overflow attacks. CCE-80949-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_execheap='' - - -setsebool -P selinuxuser_execheap $var_selinuxuser_execheap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_execheap # promote to variable set_fact: var_selinuxuser_execheap: !!str @@ -237667,6 +237655,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_execheap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_execheap='' + + +setsebool -P selinuxuser_execheap $var_selinuxuser_execheap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237692,18 +237692,6 @@ To enable the selinuxuser_execmod SELinux boolean, run th 164.312(e) CCE-80950-9 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_execmod='' - - -setsebool -P selinuxuser_execmod $var_selinuxuser_execmod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_execmod # promote to variable set_fact: var_selinuxuser_execmod: !!str @@ -237742,6 +237730,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_execmod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_execmod='' + + +setsebool -P selinuxuser_execmod $var_selinuxuser_execmod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237769,18 +237769,6 @@ To disable the selinuxuser_execstack SELinux boolean, run 164.312(e) Disabling code execution from the stack blocks buffer overflow attacks. CCE-80951-7 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_execstack='' - - -setsebool -P selinuxuser_execstack $var_selinuxuser_execstack - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_execstack # promote to variable set_fact: var_selinuxuser_execstack: !!str 
@@ -237819,6 +237807,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_execstack + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_execstack='' + + +setsebool -P selinuxuser_execstack $var_selinuxuser_execstack + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237836,18 +237836,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_mysql_connect_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_mysql_connect_enabled='' - - -setsebool -P selinuxuser_mysql_connect_enabled $var_selinuxuser_mysql_connect_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_mysql_connect_enabled # promote to variable set_fact: var_selinuxuser_mysql_connect_enabled: !!str @@ -237884,6 +237872,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_mysql_connect_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_mysql_connect_enabled='' + + +setsebool -P selinuxuser_mysql_connect_enabled $var_selinuxuser_mysql_connect_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237902,18 +237902,6 @@ to use ping and traceroute which is helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_ping on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_ping='' - - -setsebool -P selinuxuser_ping $var_selinuxuser_ping - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_ping # promote to variable set_fact: var_selinuxuser_ping: !!str @@ -237950,6 +237938,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_ping + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_ping='' + + +setsebool -P selinuxuser_ping $var_selinuxuser_ping + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237967,18 +237967,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_postgresql_connect_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_postgresql_connect_enabled='' - - -setsebool -P selinuxuser_postgresql_connect_enabled $var_selinuxuser_postgresql_connect_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_postgresql_connect_enabled # promote to variable set_fact: var_selinuxuser_postgresql_connect_enabled: !!str 
@@ -238015,6 +238003,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_postgresql_connect_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_postgresql_connect_enabled='' + + +setsebool -P selinuxuser_postgresql_connect_enabled $var_selinuxuser_postgresql_connect_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238033,18 +238033,6 @@ on filesystems that do not have extended attributes e.g. FAT, CDROM, FLOPPY, etc To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_rw_noexattrfile off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_rw_noexattrfile='' - - -setsebool -P selinuxuser_rw_noexattrfile $var_selinuxuser_rw_noexattrfile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_rw_noexattrfile # promote to variable set_fact: var_selinuxuser_rw_noexattrfile: !!str @@ -238081,6 +238069,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_rw_noexattrfile + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_rw_noexattrfile='' + + +setsebool -P selinuxuser_rw_noexattrfile $var_selinuxuser_rw_noexattrfile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238098,18 +238098,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_share_music SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_share_music off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_share_music='' - - -setsebool -P selinuxuser_share_music $var_selinuxuser_share_music - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_share_music # promote to variable set_fact: var_selinuxuser_share_music: !!str @@ -238146,6 +238134,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_share_music + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_share_music='' + + +setsebool -P selinuxuser_share_music $var_selinuxuser_share_music + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238163,18 +238163,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_tcp_server SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_tcp_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_tcp_server='' - - -setsebool -P selinuxuser_tcp_server $var_selinuxuser_tcp_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_tcp_server # promote to variable set_fact: var_selinuxuser_tcp_server: !!str 
@@ -238211,6 +238199,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_tcp_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_tcp_server='' + + +setsebool -P selinuxuser_tcp_server $var_selinuxuser_tcp_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238228,18 +238228,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_udp_server SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_udp_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_udp_server='' - - -setsebool -P selinuxuser_udp_server $var_selinuxuser_udp_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_udp_server # promote to variable set_fact: var_selinuxuser_udp_server: !!str @@ -238276,6 +238264,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_udp_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_udp_server='' + + +setsebool -P selinuxuser_udp_server $var_selinuxuser_udp_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238293,18 +238293,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_use_ssh_chroot off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_use_ssh_chroot='' - - -setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_use_ssh_chroot # promote to variable set_fact: var_selinuxuser_use_ssh_chroot: !!str @@ -238341,6 +238329,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_use_ssh_chroot + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_use_ssh_chroot='' + + +setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238358,18 +238358,6 @@ If this setting is enabled, it should be disabled. To disable the sge_domain_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P sge_domain_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sge_domain_can_network_connect='' - - -setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sge_domain_can_network_connect # promote to variable set_fact: var_sge_domain_can_network_connect: !!str 
@@ -238406,6 +238394,18 @@ fi - medium_severity - no_reboot_needed - sebool_sge_domain_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sge_domain_can_network_connect='' + + +setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238423,18 +238423,6 @@ If this setting is enabled, it should be disabled. To disable the sge_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P sge_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sge_use_nfs='' - - -setsebool -P sge_use_nfs $var_sge_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sge_use_nfs # promote to variable set_fact: var_sge_use_nfs: !!str @@ -238471,6 +238459,18 @@ fi - medium_severity - no_reboot_needed - sebool_sge_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sge_use_nfs='' + + +setsebool -P sge_use_nfs $var_sge_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238488,18 +238488,6 @@ If this setting is enabled, it should be disabled. To disable the smartmon_3ware SELinux boolean, run the following command: $ sudo setsebool -P smartmon_3ware off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smartmon_3ware='' - - -setsebool -P smartmon_3ware $var_smartmon_3ware - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smartmon_3ware # promote to variable set_fact: var_smartmon_3ware: !!str @@ -238536,6 +238524,18 @@ fi - medium_severity - no_reboot_needed - sebool_smartmon_3ware + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smartmon_3ware='' + + +setsebool -P smartmon_3ware $var_smartmon_3ware + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238553,18 +238553,6 @@ If this setting is enabled, it should be disabled. To disable the smbd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P smbd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smbd_anon_write='' - - -setsebool -P smbd_anon_write $var_smbd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smbd_anon_write # promote to variable set_fact: var_smbd_anon_write: !!str 
@@ -238601,6 +238589,18 @@ fi - medium_severity - no_reboot_needed - sebool_smbd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smbd_anon_write='' + + +setsebool -P smbd_anon_write $var_smbd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238618,18 +238618,6 @@ If this setting is enabled, it should be disabled. To disable the spamassassin_can_network SELinux boolean, run the following command: $ sudo setsebool -P spamassassin_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_spamassassin_can_network='' - - -setsebool -P spamassassin_can_network $var_spamassassin_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_spamassassin_can_network # promote to variable set_fact: var_spamassassin_can_network: !!str @@ -238666,6 +238654,18 @@ fi - medium_severity - no_reboot_needed - sebool_spamassassin_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_spamassassin_can_network='' + + +setsebool -P spamassassin_can_network $var_spamassassin_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238683,18 +238683,6 @@ If this setting is disabled, it should be enabled. To enable the spamd_enable_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P spamd_enable_home_dirs on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_spamd_enable_home_dirs='' - - -setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_spamd_enable_home_dirs # promote to variable set_fact: var_spamd_enable_home_dirs: !!str @@ -238731,6 +238719,18 @@ fi - medium_severity - no_reboot_needed - sebool_spamd_enable_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_spamd_enable_home_dirs='' + + +setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238749,18 +238749,6 @@ ports. To disable the squid_connect_any SELinux boolean, run the following command: $ sudo setsebool -P squid_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_squid_connect_any='' - - -setsebool -P squid_connect_any $var_squid_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_squid_connect_any # promote to variable set_fact: var_squid_connect_any: !!str 
@@ -238797,6 +238785,18 @@ fi - medium_severity - no_reboot_needed - sebool_squid_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_squid_connect_any='' + + +setsebool -P squid_connect_any $var_squid_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238814,18 +238814,6 @@ If this setting is enabled, it should be disabled. To disable the squid_use_tproxy SELinux boolean, run the following command: $ sudo setsebool -P squid_use_tproxy off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_squid_use_tproxy='' - - -setsebool -P squid_use_tproxy $var_squid_use_tproxy - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_squid_use_tproxy # promote to variable set_fact: var_squid_use_tproxy: !!str @@ -238862,6 +238850,18 @@ fi - medium_severity - no_reboot_needed - sebool_squid_use_tproxy + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_squid_use_tproxy='' + + +setsebool -P squid_use_tproxy $var_squid_use_tproxy + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238879,18 +238879,6 @@ If this setting is enabled, it should be disabled. To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command: $ sudo setsebool -P ssh_chroot_rw_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_chroot_rw_homedirs='' - - -setsebool -P ssh_chroot_rw_homedirs $var_ssh_chroot_rw_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_chroot_rw_homedirs # promote to variable set_fact: var_ssh_chroot_rw_homedirs: !!str @@ -238927,6 +238915,18 @@ fi - medium_severity - no_reboot_needed - sebool_ssh_chroot_rw_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_chroot_rw_homedirs='' + + +setsebool -P ssh_chroot_rw_homedirs $var_ssh_chroot_rw_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238944,18 +238944,6 @@ If this setting is enabled, it should be disabled. To disable the ssh_keysign SELinux boolean, run the following command: $ sudo setsebool -P ssh_keysign off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_keysign='' - - -setsebool -P ssh_keysign $var_ssh_keysign - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_keysign # promote to variable set_fact: var_ssh_keysign: !!str 
@@ -238992,6 +238980,18 @@ fi - medium_severity - no_reboot_needed - sebool_ssh_keysign + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_keysign='' + + +setsebool -P ssh_keysign $var_ssh_keysign + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239023,18 +239023,6 @@ authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. CCE-83311-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_sysadm_login='' - - -setsebool -P ssh_sysadm_login $var_ssh_sysadm_login - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_sysadm_login # promote to variable set_fact: var_ssh_sysadm_login: !!str @@ -239073,6 +239061,18 @@ fi - medium_severity - no_reboot_needed - sebool_ssh_sysadm_login + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_sysadm_login='' + + +setsebool -P ssh_sysadm_login $var_ssh_sysadm_login + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239090,18 +239090,6 @@ If this setting is disabled, it should be enabled. To enable the staff_exec_content SELinux boolean, run the following command: $ sudo setsebool -P staff_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_staff_exec_content='' - - -setsebool -P staff_exec_content $var_staff_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_staff_exec_content # promote to variable set_fact: var_staff_exec_content: !!str @@ -239138,6 +239126,18 @@ fi - medium_severity - no_reboot_needed - sebool_staff_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_staff_exec_content='' + + +setsebool -P staff_exec_content $var_staff_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239155,18 +239155,6 @@ If this setting is enabled, it should be disabled. To disable the staff_use_svirt SELinux boolean, run the following command: $ sudo setsebool -P staff_use_svirt off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_staff_use_svirt='' - - -setsebool -P staff_use_svirt $var_staff_use_svirt - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_staff_use_svirt # promote to variable set_fact: var_staff_use_svirt: !!str 
@@ -239203,6 +239191,18 @@ fi - medium_severity - no_reboot_needed - sebool_staff_use_svirt + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_staff_use_svirt='' + + +setsebool -P staff_use_svirt $var_staff_use_svirt + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239220,18 +239220,6 @@ If this setting is enabled, it should be disabled. To disable the swift_can_network SELinux boolean, run the following command: $ sudo setsebool -P swift_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_swift_can_network='' - - -setsebool -P swift_can_network $var_swift_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_swift_can_network # promote to variable set_fact: var_swift_can_network: !!str @@ -239268,6 +239256,18 @@ fi - medium_severity - no_reboot_needed - sebool_swift_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_swift_can_network='' + + +setsebool -P swift_can_network $var_swift_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239285,18 +239285,6 @@ If this setting is disabled, it should be enabled. To enable the sysadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P sysadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sysadm_exec_content='' - - -setsebool -P sysadm_exec_content $var_sysadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sysadm_exec_content # promote to variable set_fact: var_sysadm_exec_content: !!str @@ -239333,6 +239321,18 @@ fi - medium_severity - no_reboot_needed - sebool_sysadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sysadm_exec_content='' + + +setsebool -P sysadm_exec_content $var_sysadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239350,18 +239350,6 @@ If this setting is enabled, it should be disabled. To disable the telepathy_connect_all_ports SELinux boolean, run the following command: $ sudo setsebool -P telepathy_connect_all_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_telepathy_connect_all_ports='' - - -setsebool -P telepathy_connect_all_ports $var_telepathy_connect_all_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_telepathy_connect_all_ports # promote to variable set_fact: var_telepathy_connect_all_ports: !!str 
@@ -239398,6 +239386,18 @@ fi - medium_severity - no_reboot_needed - sebool_telepathy_connect_all_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_telepathy_connect_all_ports='' + + +setsebool -P telepathy_connect_all_ports $var_telepathy_connect_all_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239416,18 +239416,6 @@ ports. To disable the telepathy_tcp_connect_generic_network_ports SELinux boolean, run the following command: $ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_telepathy_tcp_connect_generic_network_ports='' - - -setsebool -P telepathy_tcp_connect_generic_network_ports $var_telepathy_tcp_connect_generic_network_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_telepathy_tcp_connect_generic_network_ports # promote to variable set_fact: var_telepathy_tcp_connect_generic_network_ports: !!str @@ -239464,6 +239452,18 @@ fi - medium_severity - no_reboot_needed - sebool_telepathy_tcp_connect_generic_network_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_telepathy_tcp_connect_generic_network_ports='' + + +setsebool -P telepathy_tcp_connect_generic_network_ports $var_telepathy_tcp_connect_generic_network_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239481,18 +239481,6 @@ If this setting is enabled, it should be disabled. To disable the tftp_anon_write SELinux boolean, run the following command: $ sudo setsebool -P tftp_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tftp_anon_write='' - - -setsebool -P tftp_anon_write $var_tftp_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tftp_anon_write # promote to variable set_fact: var_tftp_anon_write: !!str @@ -239529,6 +239517,18 @@ fi - medium_severity - no_reboot_needed - sebool_tftp_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tftp_anon_write='' + + +setsebool -P tftp_anon_write $var_tftp_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239546,18 +239546,6 @@ If this setting is enabled, it should be disabled. To disable the tftp_home_dir SELinux boolean, run the following command: $ sudo setsebool -P tftp_home_dir off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tftp_home_dir='' - - -setsebool -P tftp_home_dir $var_tftp_home_dir - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tftp_home_dir # promote to variable set_fact: var_tftp_home_dir: !!str 
@@ -239594,6 +239582,18 @@ fi - medium_severity - no_reboot_needed - sebool_tftp_home_dir + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tftp_home_dir='' + + +setsebool -P tftp_home_dir $var_tftp_home_dir + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239611,18 +239611,6 @@ If this setting is enabled, it should be disabled. To disable the tmpreaper_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P tmpreaper_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tmpreaper_use_nfs='' - - -setsebool -P tmpreaper_use_nfs $var_tmpreaper_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tmpreaper_use_nfs # promote to variable set_fact: var_tmpreaper_use_nfs: !!str @@ -239659,6 +239647,18 @@ fi - medium_severity - no_reboot_needed - sebool_tmpreaper_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tmpreaper_use_nfs='' + + +setsebool -P tmpreaper_use_nfs $var_tmpreaper_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239676,18 +239676,6 @@ If this setting is enabled, it should be disabled. To disable the tmpreaper_use_samba SELinux boolean, run the following command: $ sudo setsebool -P tmpreaper_use_samba off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tmpreaper_use_samba='' - - -setsebool -P tmpreaper_use_samba $var_tmpreaper_use_samba - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tmpreaper_use_samba # promote to variable set_fact: var_tmpreaper_use_samba: !!str @@ -239724,6 +239712,18 @@ fi - medium_severity - no_reboot_needed - sebool_tmpreaper_use_samba + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tmpreaper_use_samba='' + + +setsebool -P tmpreaper_use_samba $var_tmpreaper_use_samba + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239741,18 +239741,6 @@ If this setting is enabled, it should be disabled. To disable the tor_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P tor_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tor_bind_all_unreserved_ports='' - - -setsebool -P tor_bind_all_unreserved_ports $var_tor_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tor_bind_all_unreserved_ports # promote to variable set_fact: var_tor_bind_all_unreserved_ports: !!str 
@@ -239789,6 +239777,18 @@ fi - medium_severity - no_reboot_needed - sebool_tor_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tor_bind_all_unreserved_ports='' + + +setsebool -P tor_bind_all_unreserved_ports $var_tor_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239806,18 +239806,6 @@ If this setting is enabled, it should be disabled. To disable the tor_can_network_relay SELinux boolean, run the following command: $ sudo setsebool -P tor_can_network_relay off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tor_can_network_relay='' - - -setsebool -P tor_can_network_relay $var_tor_can_network_relay - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tor_can_network_relay # promote to variable set_fact: var_tor_can_network_relay: !!str @@ -239854,6 +239842,18 @@ fi - medium_severity - no_reboot_needed - sebool_tor_can_network_relay + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tor_can_network_relay='' + + +setsebool -P tor_can_network_relay $var_tor_can_network_relay + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239871,18 +239871,6 @@ If this setting is disabled, it should be enabled. To enable the unconfined_chrome_sandbox_transition SELinux boolean, run the following command: $ sudo setsebool -P unconfined_chrome_sandbox_transition on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unconfined_chrome_sandbox_transition='' - - -setsebool -P unconfined_chrome_sandbox_transition $var_unconfined_chrome_sandbox_transition - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unconfined_chrome_sandbox_transition # promote to variable set_fact: var_unconfined_chrome_sandbox_transition: !!str @@ -239919,6 +239907,18 @@ fi - medium_severity - no_reboot_needed - sebool_unconfined_chrome_sandbox_transition + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unconfined_chrome_sandbox_transition='' + + +setsebool -P unconfined_chrome_sandbox_transition $var_unconfined_chrome_sandbox_transition + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239936,18 +239936,6 @@ If this setting is disabled, it should be enabled. To enable the unconfined_login SELinux boolean, run the following command: $ sudo setsebool -P unconfined_login on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unconfined_login='' - - -setsebool -P unconfined_login $var_unconfined_login - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unconfined_login # promote to variable set_fact: var_unconfined_login: !!str 
@@ -239984,6 +239972,18 @@ fi - medium_severity - no_reboot_needed - sebool_unconfined_login + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unconfined_login='' + + +setsebool -P unconfined_login $var_unconfined_login + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240001,18 +240001,6 @@ If this setting is disabled, it should be enabled. To enable the unconfined_mozilla_plugin_transition SELinux boolean, run the following command: $ sudo setsebool -P unconfined_mozilla_plugin_transition on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unconfined_mozilla_plugin_transition='' - - -setsebool -P unconfined_mozilla_plugin_transition $var_unconfined_mozilla_plugin_transition - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unconfined_mozilla_plugin_transition # promote to variable set_fact: var_unconfined_mozilla_plugin_transition: !!str @@ -240049,6 +240037,18 @@ fi - medium_severity - no_reboot_needed - sebool_unconfined_mozilla_plugin_transition + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unconfined_mozilla_plugin_transition='' + + +setsebool -P unconfined_mozilla_plugin_transition $var_unconfined_mozilla_plugin_transition + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240066,18 +240066,6 @@ If this setting is enabled, it should be disabled. To disable the unprivuser_use_svirt SELinux boolean, run the following command: $ sudo setsebool -P unprivuser_use_svirt off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unprivuser_use_svirt='' - - -setsebool -P unprivuser_use_svirt $var_unprivuser_use_svirt - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unprivuser_use_svirt # promote to variable set_fact: var_unprivuser_use_svirt: !!str @@ -240114,6 +240102,18 @@ fi - medium_severity - no_reboot_needed - sebool_unprivuser_use_svirt + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unprivuser_use_svirt='' + + +setsebool -P unprivuser_use_svirt $var_unprivuser_use_svirt + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240131,18 +240131,6 @@ If this setting is enabled, it should be disabled. To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_ecryptfs_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_ecryptfs_home_dirs='' - - -setsebool -P use_ecryptfs_home_dirs $var_use_ecryptfs_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_ecryptfs_home_dirs # promote to variable set_fact: var_use_ecryptfs_home_dirs: !!str 
@@ -240179,6 +240167,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_ecryptfs_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_ecryptfs_home_dirs='' + + +setsebool -P use_ecryptfs_home_dirs $var_use_ecryptfs_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240196,18 +240196,6 @@ If this setting is enabled, it should be disabled. To disable the use_fusefs_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_fusefs_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_fusefs_home_dirs='' - - -setsebool -P use_fusefs_home_dirs $var_use_fusefs_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_fusefs_home_dirs # promote to variable set_fact: var_use_fusefs_home_dirs: !!str @@ -240244,6 +240232,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_fusefs_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_fusefs_home_dirs='' + + +setsebool -P use_fusefs_home_dirs $var_use_fusefs_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240261,18 +240261,6 @@ If this setting is enabled, it should be disabled. To disable the use_lpd_server SELinux boolean, run the following command: $ sudo setsebool -P use_lpd_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_lpd_server='' - - -setsebool -P use_lpd_server $var_use_lpd_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_lpd_server # promote to variable set_fact: var_use_lpd_server: !!str @@ -240309,6 +240297,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_lpd_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_lpd_server='' + + +setsebool -P use_lpd_server $var_use_lpd_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240326,18 +240326,6 @@ If this setting is enabled, it should be disabled. To disable the use_nfs_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_nfs_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_nfs_home_dirs='' - - -setsebool -P use_nfs_home_dirs $var_use_nfs_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_nfs_home_dirs # promote to variable set_fact: var_use_nfs_home_dirs: !!str 
@@ -240374,6 +240362,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_nfs_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_nfs_home_dirs='' + + +setsebool -P use_nfs_home_dirs $var_use_nfs_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240391,18 +240391,6 @@ If this setting is enabled, it should be disabled. To disable the use_samba_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_samba_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_samba_home_dirs='' - - -setsebool -P use_samba_home_dirs $var_use_samba_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_samba_home_dirs # promote to variable set_fact: var_use_samba_home_dirs: !!str @@ -240439,6 +240427,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_samba_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_samba_home_dirs='' + + +setsebool -P use_samba_home_dirs $var_use_samba_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240456,18 +240456,6 @@ If this setting is disabled, it should be enabled. To enable the user_exec_content SELinux boolean, run the following command: $ sudo setsebool -P user_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_user_exec_content='' - - -setsebool -P user_exec_content $var_user_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_user_exec_content # promote to variable set_fact: var_user_exec_content: !!str @@ -240504,6 +240492,18 @@ fi - medium_severity - no_reboot_needed - sebool_user_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_user_exec_content='' + + +setsebool -P user_exec_content $var_user_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240521,18 +240521,6 @@ If this setting is enabled, it should be disabled. To disable the varnishd_connect_any SELinux boolean, run the following command: $ sudo setsebool -P varnishd_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_varnishd_connect_any='' - - -setsebool -P varnishd_connect_any $var_varnishd_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_varnishd_connect_any # promote to variable set_fact: var_varnishd_connect_any: !!str 
@@ -240569,6 +240557,18 @@ fi - medium_severity - no_reboot_needed - sebool_varnishd_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_varnishd_connect_any='' + + +setsebool -P varnishd_connect_any $var_varnishd_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240586,18 +240586,6 @@ If this setting is enabled, it should be disabled. To disable the virt_read_qemu_ga_data SELinux boolean, run the following command: $ sudo setsebool -P virt_read_qemu_ga_data off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_read_qemu_ga_data='' - - -setsebool -P virt_read_qemu_ga_data $var_virt_read_qemu_ga_data - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_read_qemu_ga_data # promote to variable set_fact: var_virt_read_qemu_ga_data: !!str @@ -240634,6 +240622,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_read_qemu_ga_data + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_read_qemu_ga_data='' + + +setsebool -P virt_read_qemu_ga_data $var_virt_read_qemu_ga_data + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240651,18 +240651,6 @@ If this setting is enabled, it should be disabled. To disable the virt_rw_qemu_ga_data SELinux boolean, run the following command: $ sudo setsebool -P virt_rw_qemu_ga_data off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_rw_qemu_ga_data='' - - -setsebool -P virt_rw_qemu_ga_data $var_virt_rw_qemu_ga_data - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_rw_qemu_ga_data # promote to variable set_fact: var_virt_rw_qemu_ga_data: !!str @@ -240699,6 +240687,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_rw_qemu_ga_data + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_rw_qemu_ga_data='' + + +setsebool -P virt_rw_qemu_ga_data $var_virt_rw_qemu_ga_data + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240716,18 +240716,6 @@ This setting is disabled as containers should not run with privileges. To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_all_caps off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_all_caps='' - - -setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_all_caps # promote to variable set_fact: var_virt_sandbox_use_all_caps: !!str 
@@ -240764,6 +240752,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_all_caps + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_all_caps='' + + +setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240782,18 +240782,6 @@ to send audit messages. To enable the virt_sandbox_use_audit SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_audit on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_audit='' - - -setsebool -P virt_sandbox_use_audit $var_virt_sandbox_use_audit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_audit # promote to variable set_fact: var_virt_sandbox_use_audit: !!str @@ -240830,6 +240818,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_audit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_audit='' + + +setsebool -P virt_sandbox_use_audit $var_virt_sandbox_use_audit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240847,18 +240847,6 @@ If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_mknod SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_mknod off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_mknod='' - - -setsebool -P virt_sandbox_use_mknod $var_virt_sandbox_use_mknod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_mknod # promote to variable set_fact: var_virt_sandbox_use_mknod: !!str @@ -240895,6 +240883,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_mknod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_mknod='' + + +setsebool -P virt_sandbox_use_mknod $var_virt_sandbox_use_mknod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240912,18 +240912,6 @@ If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_netlink SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_netlink off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_netlink='' - - -setsebool -P virt_sandbox_use_netlink $var_virt_sandbox_use_netlink - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_netlink # promote to variable set_fact: var_virt_sandbox_use_netlink: !!str 
@@ -240960,6 +240948,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_netlink + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_netlink='' + + +setsebool -P virt_sandbox_use_netlink $var_virt_sandbox_use_netlink + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240977,18 +240977,6 @@ If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_sys_admin SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_sys_admin off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_sys_admin='' - - -setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_sys_admin # promote to variable set_fact: var_virt_sandbox_use_sys_admin: !!str @@ -241025,6 +241013,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_sys_admin + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_sys_admin='' + + +setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241042,18 +241042,6 @@ If this setting is enabled, it should be disabled. To disable the virt_transition_userdomain SELinux boolean, run the following command: $ sudo setsebool -P virt_transition_userdomain off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_transition_userdomain='' - - -setsebool -P virt_transition_userdomain $var_virt_transition_userdomain - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_transition_userdomain # promote to variable set_fact: var_virt_transition_userdomain: !!str @@ -241090,6 +241078,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_transition_userdomain + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_transition_userdomain='' + + +setsebool -P virt_transition_userdomain $var_virt_transition_userdomain + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241107,18 +241107,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_comm SELinux boolean, run the following command: $ sudo setsebool -P virt_use_comm off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_comm='' - - -setsebool -P virt_use_comm $var_virt_use_comm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_comm # promote to variable set_fact: var_virt_use_comm: !!str 
@@ -241155,6 +241143,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_comm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_comm='' + + +setsebool -P virt_use_comm $var_virt_use_comm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241174,18 +241174,6 @@ To disable the virt_use_execmem SELinux boolean, run the BP28(R67) CCE-83312-9 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_execmem='' - - -setsebool -P virt_use_execmem $var_virt_use_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_execmem # promote to variable set_fact: var_virt_use_execmem: !!str @@ -241224,6 +241212,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_execmem='' + + +setsebool -P virt_use_execmem $var_virt_use_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241241,18 +241241,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P virt_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_fusefs='' - - -setsebool -P virt_use_fusefs $var_virt_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_fusefs # promote to variable set_fact: var_virt_use_fusefs: !!str 
@@ -241289,6 +241277,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_fusefs='' + + +setsebool -P virt_use_fusefs $var_virt_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241306,18 +241306,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P virt_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_nfs='' - - -setsebool -P virt_use_nfs $var_virt_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_nfs # promote to variable set_fact: var_virt_use_nfs: !!str @@ -241354,6 +241342,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_nfs='' + + +setsebool -P virt_use_nfs $var_virt_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241371,18 +241371,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_rawip SELinux boolean, run the following command: $ sudo setsebool -P virt_use_rawip off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_rawip='' - - -setsebool -P virt_use_rawip $var_virt_use_rawip - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_rawip # promote to variable set_fact: var_virt_use_rawip: !!str @@ -241419,6 +241407,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_rawip + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_rawip='' + + +setsebool -P virt_use_rawip $var_virt_use_rawip + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241436,18 +241436,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_samba SELinux boolean, run the following command: $ sudo setsebool -P virt_use_samba off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_samba='' - - -setsebool -P virt_use_samba $var_virt_use_samba - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_samba # promote to variable set_fact: var_virt_use_samba: !!str 
@@ -241484,6 +241472,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_samba + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_samba='' + + +setsebool -P virt_use_samba $var_virt_use_samba + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241501,18 +241501,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_sanlock SELinux boolean, run the following command: $ sudo setsebool -P virt_use_sanlock off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_sanlock='' - - -setsebool -P virt_use_sanlock $var_virt_use_sanlock - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_sanlock # promote to variable set_fact: var_virt_use_sanlock: !!str @@ -241549,6 +241537,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_sanlock + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_sanlock='' + + +setsebool -P virt_use_sanlock $var_virt_use_sanlock + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241566,18 +241566,6 @@ This setting should be disabled. To disable the virt_use_usb SELinux boolean, run the following command: $ sudo setsebool -P virt_use_usb off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_usb='' - - -setsebool -P virt_use_usb $var_virt_use_usb - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_usb # promote to variable set_fact: var_virt_use_usb: !!str @@ -241614,6 +241602,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_usb + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_usb='' + + +setsebool -P virt_use_usb $var_virt_use_usb + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241631,18 +241631,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_xserver SELinux boolean, run the following command: $ sudo setsebool -P virt_use_xserver off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_xserver='' - - -setsebool -P virt_use_xserver $var_virt_use_xserver - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_xserver # promote to variable set_fact: var_virt_use_xserver: !!str 
@@ -241679,6 +241667,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_xserver + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_xserver='' + + +setsebool -P virt_use_xserver $var_virt_use_xserver + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241696,18 +241696,6 @@ If this setting is enabled, it should be disabled. To disable the webadm_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P webadm_manage_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_webadm_manage_user_files='' - - -setsebool -P webadm_manage_user_files $var_webadm_manage_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_webadm_manage_user_files # promote to variable set_fact: var_webadm_manage_user_files: !!str @@ -241744,6 +241732,18 @@ fi - medium_severity - no_reboot_needed - sebool_webadm_manage_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_webadm_manage_user_files='' + + +setsebool -P webadm_manage_user_files $var_webadm_manage_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241761,18 +241761,6 @@ If this setting is enabled, it should be disabled. To disable the webadm_read_user_files SELinux boolean, run the following command: $ sudo setsebool -P webadm_read_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_webadm_read_user_files='' - - -setsebool -P webadm_read_user_files $var_webadm_read_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_webadm_read_user_files # promote to variable set_fact: var_webadm_read_user_files: !!str @@ -241809,6 +241797,18 @@ fi - medium_severity - no_reboot_needed - sebool_webadm_read_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_webadm_read_user_files='' + + +setsebool -P webadm_read_user_files $var_webadm_read_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241826,18 +241826,6 @@ If this setting is enabled, it should be disabled. To disable the wine_mmap_zero_ignore SELinux boolean, run the following command: $ sudo setsebool -P wine_mmap_zero_ignore off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_wine_mmap_zero_ignore='' - - -setsebool -P wine_mmap_zero_ignore $var_wine_mmap_zero_ignore - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_wine_mmap_zero_ignore # promote to variable set_fact: var_wine_mmap_zero_ignore: !!str 
@@ -241874,6 +241862,18 @@ fi - medium_severity - no_reboot_needed - sebool_wine_mmap_zero_ignore + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_wine_mmap_zero_ignore='' + + +setsebool -P wine_mmap_zero_ignore $var_wine_mmap_zero_ignore + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241891,18 +241891,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command: $ sudo setsebool -P xdm_bind_vnc_tcp_port off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_bind_vnc_tcp_port='' - - -setsebool -P xdm_bind_vnc_tcp_port $var_xdm_bind_vnc_tcp_port - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_bind_vnc_tcp_port # promote to variable set_fact: var_xdm_bind_vnc_tcp_port: !!str @@ -241939,6 +241927,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_bind_vnc_tcp_port + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_bind_vnc_tcp_port='' + + +setsebool -P xdm_bind_vnc_tcp_port $var_xdm_bind_vnc_tcp_port + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241956,18 +241956,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_exec_bootloader SELinux boolean, run the following command: $ sudo setsebool -P xdm_exec_bootloader off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_exec_bootloader='' - - -setsebool -P xdm_exec_bootloader $var_xdm_exec_bootloader - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_exec_bootloader # promote to variable set_fact: var_xdm_exec_bootloader: !!str @@ -242004,6 +241992,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_exec_bootloader + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_exec_bootloader='' + + +setsebool -P xdm_exec_bootloader $var_xdm_exec_bootloader + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242021,18 +242021,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_sysadm_login SELinux boolean, run the following command: $ sudo setsebool -P xdm_sysadm_login off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_sysadm_login='' - - -setsebool -P xdm_sysadm_login $var_xdm_sysadm_login - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_sysadm_login # promote to variable set_fact: var_xdm_sysadm_login: !!str 
@@ -242069,6 +242057,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_sysadm_login + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_sysadm_login='' + + +setsebool -P xdm_sysadm_login $var_xdm_sysadm_login + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242086,18 +242086,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_write_home SELinux boolean, run the following command: $ sudo setsebool -P xdm_write_home off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_write_home='' - - -setsebool -P xdm_write_home $var_xdm_write_home - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_write_home # promote to variable set_fact: var_xdm_write_home: !!str @@ -242134,6 +242122,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_write_home + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_write_home='' + + +setsebool -P xdm_write_home $var_xdm_write_home + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242151,18 +242151,6 @@ If this setting is enabled, it should be disabled. To disable the xen_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P xen_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xen_use_nfs='' - - -setsebool -P xen_use_nfs $var_xen_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xen_use_nfs # promote to variable set_fact: var_xen_use_nfs: !!str @@ -242199,6 +242187,18 @@ fi - medium_severity - no_reboot_needed - sebool_xen_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xen_use_nfs='' + + +setsebool -P xen_use_nfs $var_xen_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242216,18 +242216,6 @@ If this setting is disabled, it should be enabled. To enable the xend_run_blktap SELinux boolean, run the following command: $ sudo setsebool -P xend_run_blktap on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xend_run_blktap='' - - -setsebool -P xend_run_blktap $var_xend_run_blktap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xend_run_blktap # promote to variable set_fact: var_xend_run_blktap: !!str 
@@ -242264,6 +242252,18 @@ fi - medium_severity - no_reboot_needed - sebool_xend_run_blktap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xend_run_blktap='' + + +setsebool -P xend_run_blktap $var_xend_run_blktap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242281,18 +242281,6 @@ If this setting is disabled, it should be enabled. To enable the xend_run_qemu SELinux boolean, run the following command: $ sudo setsebool -P xend_run_qemu on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xend_run_qemu='' - - -setsebool -P xend_run_qemu $var_xend_run_qemu - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xend_run_qemu # promote to variable set_fact: var_xend_run_qemu: !!str @@ -242329,6 +242317,18 @@ fi - medium_severity - no_reboot_needed - sebool_xend_run_qemu + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xend_run_qemu='' + + +setsebool -P xend_run_qemu $var_xend_run_qemu + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242347,18 +242347,6 @@ This setting should be disabled as guest users should not be able to configure To disable the xguest_connect_network SELinux boolean, run the following command: $ sudo setsebool -P xguest_connect_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_connect_network='' - - -setsebool -P xguest_connect_network $var_xguest_connect_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_connect_network # promote to variable set_fact: var_xguest_connect_network: !!str @@ -242395,6 +242383,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_connect_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_connect_network='' + + +setsebool -P xguest_connect_network $var_xguest_connect_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242413,18 +242413,6 @@ executables. To disable the xguest_exec_content SELinux boolean, run the following command: $ sudo setsebool -P xguest_exec_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_exec_content='' - - -setsebool -P xguest_exec_content $var_xguest_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_exec_content # promote to variable set_fact: var_xguest_exec_content: !!str 
@@ -242461,6 +242449,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_exec_content='' + + +setsebool -P xguest_exec_content $var_xguest_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242479,18 +242479,6 @@ any media. To disable the xguest_mount_media SELinux boolean, run the following command: $ sudo setsebool -P xguest_mount_media off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_mount_media='' - - -setsebool -P xguest_mount_media $var_xguest_mount_media - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_mount_media # promote to variable set_fact: var_xguest_mount_media: !!str @@ -242527,6 +242515,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_mount_media + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_mount_media='' + + +setsebool -P xguest_mount_media $var_xguest_mount_media + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242545,18 +242545,6 @@ or use bluetooth. To disable the xguest_use_bluetooth SELinux boolean, run the following command: $ sudo setsebool -P xguest_use_bluetooth off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_use_bluetooth='' - - -setsebool -P xguest_use_bluetooth $var_xguest_use_bluetooth - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_use_bluetooth # promote to variable set_fact: var_xguest_use_bluetooth: !!str @@ -242593,6 +242581,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_use_bluetooth + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_use_bluetooth='' + + +setsebool -P xguest_use_bluetooth $var_xguest_use_bluetooth + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242610,18 +242610,6 @@ If this setting is enabled, it should be disabled. To disable the xserver_clients_write_xshm SELinux boolean, run the following command: $ sudo setsebool -P xserver_clients_write_xshm off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xserver_clients_write_xshm='' - - -setsebool -P xserver_clients_write_xshm $var_xserver_clients_write_xshm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xserver_clients_write_xshm # promote to variable set_fact: var_xserver_clients_write_xshm: !!str 
@@ -242658,6 +242646,18 @@ fi - medium_severity - no_reboot_needed - sebool_xserver_clients_write_xshm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xserver_clients_write_xshm='' + + +setsebool -P xserver_clients_write_xshm $var_xserver_clients_write_xshm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242677,18 +242677,6 @@ To disable the xserver_execmem SELinux boolean, run the f BP28(R67) CCE-83313-7 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xserver_execmem='' - - -setsebool -P xserver_execmem $var_xserver_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xserver_execmem # promote to variable set_fact: var_xserver_execmem: !!str @@ -242727,6 +242715,18 @@ fi - medium_severity - no_reboot_needed - sebool_xserver_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xserver_execmem='' + + +setsebool -P xserver_execmem $var_xserver_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242744,18 +242744,6 @@ If this setting is enabled, it should be disabled. To disable the xserver_object_manager SELinux boolean, run the following command: $ sudo setsebool -P xserver_object_manager off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xserver_object_manager='' - - -setsebool -P xserver_object_manager $var_xserver_object_manager - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xserver_object_manager # promote to variable set_fact: var_xserver_object_manager: !!str @@ -242792,6 +242780,18 @@ fi - medium_severity - no_reboot_needed - sebool_xserver_object_manager + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xserver_object_manager='' + + +setsebool -P xserver_object_manager $var_xserver_object_manager + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242809,18 +242809,6 @@ If this setting is enabled, it should be disabled. To disable the zabbix_can_network SELinux boolean, run the following command: $ sudo setsebool -P zabbix_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zabbix_can_network='' - - -setsebool -P zabbix_can_network $var_zabbix_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zabbix_can_network # promote to variable set_fact: var_zabbix_can_network: !!str 
@@ -242857,6 +242845,18 @@ fi - medium_severity - no_reboot_needed - sebool_zabbix_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zabbix_can_network='' + + +setsebool -P zabbix_can_network $var_zabbix_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242874,18 +242874,6 @@ If this setting is enabled, it should be disabled. To disable the zarafa_setrlimit SELinux boolean, run the following command: $ sudo setsebool -P zarafa_setrlimit off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zarafa_setrlimit='' - - -setsebool -P zarafa_setrlimit $var_zarafa_setrlimit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zarafa_setrlimit # promote to variable set_fact: var_zarafa_setrlimit: !!str @@ -242922,6 +242910,18 @@ fi - medium_severity - no_reboot_needed - sebool_zarafa_setrlimit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zarafa_setrlimit='' + + +setsebool -P zarafa_setrlimit $var_zarafa_setrlimit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242939,18 +242939,6 @@ If this setting is enabled, it should be disabled. To disable the zebra_write_config SELinux boolean, run the following command: $ sudo setsebool -P zebra_write_config off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zebra_write_config='' - - -setsebool -P zebra_write_config $var_zebra_write_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zebra_write_config # promote to variable set_fact: var_zebra_write_config: !!str @@ -242987,6 +242975,18 @@ fi - medium_severity - no_reboot_needed - sebool_zebra_write_config + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zebra_write_config='' + + +setsebool -P zebra_write_config $var_zebra_write_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -243004,18 +243004,6 @@ If this setting is enabled, it should be disabled. To disable the zoneminder_anon_write SELinux boolean, run the following command: $ sudo setsebool -P zoneminder_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zoneminder_anon_write='' - - -setsebool -P zoneminder_anon_write $var_zoneminder_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zoneminder_anon_write # promote to variable set_fact: var_zoneminder_anon_write: !!str 
@@ -243052,6 +243040,18 @@ fi - medium_severity - no_reboot_needed - sebool_zoneminder_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zoneminder_anon_write='' + + +setsebool -P zoneminder_anon_write $var_zoneminder_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -243069,18 +243069,6 @@ If this setting is enabled, it should be disabled. To disable the zoneminder_run_sudo SELinux boolean, run the following command: $ sudo setsebool -P zoneminder_run_sudo off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zoneminder_run_sudo='' - - -setsebool -P zoneminder_run_sudo $var_zoneminder_run_sudo - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zoneminder_run_sudo # promote to variable set_fact: var_zoneminder_run_sudo: !!str @@ -243117,6 +243105,18 @@ fi - medium_severity - no_reboot_needed - sebool_zoneminder_run_sudo + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zoneminder_run_sudo='' + + +setsebool -P zoneminder_run_sudo $var_zoneminder_run_sudo + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -243646,18 +243646,8 @@ the avahi-autoipd and avahi packages can be uninstalled. system functionality. It is recommended to remove this package to reduce the potential attack surface. CCE-86515-4 - -# CAUTION: This remediation script will remove avahi-autoipd -# from the system, and may remove any packages -# that depend on avahi-autoipd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "avahi-autoipd" ; then - - yum remove -y "avahi-autoipd" - -fi + +package --remove=avahi-autoipd include remove_avahi-autoipd @@ -243683,8 +243673,18 @@ class remove_avahi-autoipd { - no_reboot_needed - package_avahi-autoipd_removed - -package --remove=avahi-autoipd + +# CAUTION: This remediation script will remove avahi-autoipd +# from the system, and may remove any packages +# that depend on avahi-autoipd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "avahi-autoipd" ; then + + yum remove -y "avahi-autoipd" + +fi @@ -243771,18 +243771,8 @@ the avahi-autoipd and avahi packages can be uninstalled. system functionality. It is recommended to remove this package to reduce the potential attack surface. CCE-86512-1 - -# CAUTION: This remediation script will remove avahi -# from the system, and may remove any packages -# that depend on avahi. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "avahi" ; then - - yum remove -y "avahi" - -fi + +package --remove=avahi include remove_avahi @@ -243808,8 +243798,18 @@ class remove_avahi { - no_reboot_needed - package_avahi_removed - -package --remove=avahi + +# CAUTION: This remediation script will remove avahi +# from the system, and may remove any packages +# that depend on avahi. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "avahi" ; then + + yum remove -y "avahi" + +fi 
@@ -243902,26 +243902,20 @@ can be trusted. [customizations.services] disabled = ["avahi-daemon"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service' -"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service' -"$SYSTEMCTL_EXEC" mask 'avahi-daemon.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files avahi-daemon.socket; then - "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket' - "$SYSTEMCTL_EXEC" mask 'avahi-daemon.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: avahi-daemon.service + enabled: false + mask: true + - name: avahi-daemon.socket + enabled: false + mask: true include disable_avahi-daemon 
@@ -244005,20 +243999,26 @@ class disable_avahi-daemon { - no_reboot_needed - service_avahi-daemon_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: avahi-daemon.service - enabled: false - mask: true - - name: avahi-daemon.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service' +"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service' +"$SYSTEMCTL_EXEC" mask 'avahi-daemon.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files avahi-daemon.socket; then + "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket' + "$SYSTEMCTL_EXEC" mask 'avahi-daemon.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -244168,15 +244168,13 @@ view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records. CCE-82404-5 + +package --add=psacct + [[packages]] name = "psacct" version = "*" - - -if ! rpm -q --quiet "psacct" ; then - yum install -y "psacct" -fi include install_psacct @@ -244201,8 +244199,10 @@ class install_psacct { - no_reboot_needed - package_psacct_installed - -package --add=psacct + +if ! rpm -q --quiet "psacct" ; then + yum install -y "psacct" +fi 
@@ -244229,18 +244229,8 @@ $ sudo yum erase abrt vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. CCE-80948-3 - -# CAUTION: This remediation script will remove abrt -# from the system, and may remove any packages -# that depend on abrt. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt" ; then - - yum remove -y "abrt" - -fi + +package --remove=abrt include remove_abrt @@ -244264,8 +244254,18 @@ class remove_abrt { - no_reboot_needed - package_abrt_removed - -package --remove=abrt + +# CAUTION: This remediation script will remove abrt +# from the system, and may remove any packages +# that depend on abrt. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt" ; then + + yum remove -y "abrt" + +fi @@ -244409,18 +244409,6 @@ records. [customizations.services] enabled = ["psacct"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'psacct.service' -"$SYSTEMCTL_EXEC" start 'psacct.service' -"$SYSTEMCTL_EXEC" enable 'psacct.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_psacct @@ -244457,6 +244445,18 @@ class enable_psacct { - low_severity - no_reboot_needed - service_psacct_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'psacct.service' +"$SYSTEMCTL_EXEC" start 'psacct.service' +"$SYSTEMCTL_EXEC" enable 'psacct.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -244573,26 +244573,20 @@ information from within a process's address space or registers. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'abrtd.service' -"$SYSTEMCTL_EXEC" disable 'abrtd.service' -"$SYSTEMCTL_EXEC" mask 'abrtd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files abrtd.socket; then - "$SYSTEMCTL_EXEC" stop 'abrtd.socket' - "$SYSTEMCTL_EXEC" mask 'abrtd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'abrtd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: abrtd.service + enabled: false + mask: true + - name: abrtd.socket + enabled: false + mask: true include disable_abrtd 
@@ -244670,20 +244664,26 @@ class disable_abrtd { - no_reboot_needed - service_abrtd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: abrtd.service - enabled: false - mask: true - - name: abrtd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'abrtd.service' +"$SYSTEMCTL_EXEC" disable 'abrtd.service' +"$SYSTEMCTL_EXEC" mask 'abrtd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files abrtd.socket; then + "$SYSTEMCTL_EXEC" stop 'abrtd.socket' + "$SYSTEMCTL_EXEC" mask 'abrtd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'abrtd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -244777,26 +244777,20 @@ it is appropriate. [customizations.services] disabled = ["acpid"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'acpid.service' -"$SYSTEMCTL_EXEC" disable 'acpid.service' -"$SYSTEMCTL_EXEC" mask 'acpid.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files acpid.socket; then - "$SYSTEMCTL_EXEC" stop 'acpid.socket' - "$SYSTEMCTL_EXEC" mask 'acpid.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'acpid.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: acpid.service + enabled: false + mask: true + - name: acpid.socket + enabled: false + mask: true include disable_acpid 
@@ -244877,20 +244871,26 @@ class disable_acpid { - no_reboot_needed - service_acpid_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: acpid.service - enabled: false - mask: true - - name: acpid.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'acpid.service' +"$SYSTEMCTL_EXEC" disable 'acpid.service' +"$SYSTEMCTL_EXEC" mask 'acpid.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files acpid.socket; then + "$SYSTEMCTL_EXEC" stop 'acpid.socket' + "$SYSTEMCTL_EXEC" mask 'acpid.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'acpid.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -244983,6 +244983,100 @@ for many other use cases. [customizations.services] disabled = ["certmonger"] + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: certmonger.service + enabled: false + mask: true + - name: certmonger.socket + enabled: false + mask: true + + include disable_certmonger + +class disable_certmonger { + service {'certmonger': + enable => false, + ensure => 'stopped', + } +} + + - name: Block Disable service certmonger + block: + + - name: Disable service certmonger + block: + + - name: Disable service certmonger + systemd: + name: certmonger.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + + - name: Intentionally ignored previous 'Disable service certmonger' failure, service + was already disabled + meta: noop + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82452-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_certmonger_disabled + +- name: Unit Socket Exists - certmonger.socket + command: systemctl -q list-unit-files certmonger.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82452-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_certmonger_disabled + +- name: Disable socket certmonger + systemd: + name: certmonger.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - socket_file_exists.stdout_lines is 
search("certmonger.socket",multiline=True) + tags: + - CCE-82452-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_certmonger_disabled # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
@@ -245004,100 +245098,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - include disable_certmonger - -class disable_certmonger { - service {'certmonger': - enable => false, - ensure => 'stopped', - } -} - - - name: Block Disable service certmonger - block: - - - name: Disable service certmonger - block: - - - name: Disable service certmonger - systemd: - name: certmonger.service - enabled: 'no' - state: stopped - masked: 'yes' - rescue: - - - name: Intentionally ignored previous 'Disable service certmonger' failure, service - was already disabled - meta: noop - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82452-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_certmonger_disabled - -- name: Unit Socket Exists - certmonger.socket - command: systemctl -q list-unit-files certmonger.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82452-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_certmonger_disabled - -- name: Disable socket certmonger - systemd: - name: certmonger.socket - enabled: 'no' - state: stopped - masked: 'yes' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - socket_file_exists.stdout_lines is search("certmonger.socket",multiline=True) - tags: - - CCE-82452-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_certmonger_disabled - - 
apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: certmonger.service - enabled: false - mask: true - - name: certmonger.socket - enabled: false - mask: true @@ -245119,26 +245119,20 @@ The cockpit service can be disabled with the following co [customizations.services] disabled = ["cockpit"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'cockpit.service' -"$SYSTEMCTL_EXEC" disable 'cockpit.service' -"$SYSTEMCTL_EXEC" mask 'cockpit.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files cockpit.socket; then - "$SYSTEMCTL_EXEC" stop 'cockpit.socket' - "$SYSTEMCTL_EXEC" mask 'cockpit.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'cockpit.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: cockpit.service + enabled: false + mask: true + - name: cockpit.socket + enabled: false + mask: true include disable_cockpit 
@@ -245207,20 +245201,26 @@ class disable_cockpit { - no_reboot_needed - service_cockpit_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: cockpit.service - enabled: false - mask: true - - name: cockpit.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'cockpit.service' +"$SYSTEMCTL_EXEC" disable 'cockpit.service' +"$SYSTEMCTL_EXEC" mask 'cockpit.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files cockpit.socket; then + "$SYSTEMCTL_EXEC" stop 'cockpit.socket' + "$SYSTEMCTL_EXEC" mask 'cockpit.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'cockpit.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -245313,26 +245313,20 @@ highly desirable or necessary. [customizations.services] disabled = ["cpupower"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'cpupower.service' -"$SYSTEMCTL_EXEC" disable 'cpupower.service' -"$SYSTEMCTL_EXEC" mask 'cpupower.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files cpupower.socket; then - "$SYSTEMCTL_EXEC" stop 'cpupower.socket' - "$SYSTEMCTL_EXEC" mask 'cpupower.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'cpupower.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: cpupower.service + enabled: false + mask: true + - name: cpupower.socket + enabled: false + mask: true include disable_cpupower 
@@ -245413,20 +245407,26 @@ class disable_cpupower { - no_reboot_needed - service_cpupower_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: cpupower.service - enabled: false - mask: true - - name: cpupower.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'cpupower.service' +"$SYSTEMCTL_EXEC" disable 'cpupower.service' +"$SYSTEMCTL_EXEC" mask 'cpupower.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files cpupower.socket; then + "$SYSTEMCTL_EXEC" stop 'cpupower.socket' + "$SYSTEMCTL_EXEC" mask 'cpupower.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'cpupower.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
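Review bot: the socket guard in the bash fix, `if "$SYSTEMCTL_EXEC" -q list-unit-files cpupower.socket; then`, trusts the exit status of list-unit-files alone, whereas the Ansible variant of the same rule (see the ntpdate and rhnsd tasks below) treats rc 0 and 1 as both acceptable and only acts when `stdout_lines is search("<unit>.socket")`. The two remediations therefore do not agree on when a socket unit exists, and on a systemd where an empty listing still exits 0 the bash path will try to `stop` and `mask` a socket unit that is not installed. Aligning the bash guard with the Ansible check, for example `systemctl list-unit-files --no-legend cpupower.socket | grep -q '^cpupower\.socket'`, would make the behaviour identical across fix types.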
@@ -245554,30 +245554,27 @@ on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. CCE-80878-2 + +kdump --disable + [customizations.services] disabled = ["kdump"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'kdump.service' -"$SYSTEMCTL_EXEC" disable 'kdump.service' -"$SYSTEMCTL_EXEC" mask 'kdump.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files kdump.socket; then - "$SYSTEMCTL_EXEC" stop 'kdump.socket' - "$SYSTEMCTL_EXEC" mask 'kdump.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: kdump.service + enabled: false + mask: true + - name: kdump.socket + enabled: false + mask: true include disable_kdump 
@@ -245661,23 +245658,26 @@ class disable_kdump { - no_reboot_needed - service_kdump_disabled - -kdump --disable - - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: kdump.service - enabled: false - mask: true - - name: kdump.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'kdump.service' +"$SYSTEMCTL_EXEC" disable 'kdump.service' +"$SYSTEMCTL_EXEC" mask 'kdump.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files kdump.socket; then + "$SYSTEMCTL_EXEC" stop 'kdump.socket' + "$SYSTEMCTL_EXEC" mask 'kdump.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -245768,26 +245768,20 @@ there is no need to run this service. [customizations.services] disabled = ["mdmonitor"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'mdmonitor.service' -"$SYSTEMCTL_EXEC" disable 'mdmonitor.service' -"$SYSTEMCTL_EXEC" mask 'mdmonitor.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files mdmonitor.socket; then - "$SYSTEMCTL_EXEC" stop 'mdmonitor.socket' - "$SYSTEMCTL_EXEC" mask 'mdmonitor.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'mdmonitor.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: mdmonitor.service + enabled: false + mask: true + - name: mdmonitor.socket + enabled: false + mask: true include disable_mdmonitor 
@@ -245868,20 +245862,26 @@ class disable_mdmonitor { - no_reboot_needed - service_mdmonitor_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: mdmonitor.service - enabled: false - mask: true - - name: mdmonitor.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'mdmonitor.service' +"$SYSTEMCTL_EXEC" disable 'mdmonitor.service' +"$SYSTEMCTL_EXEC" mask 'mdmonitor.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files mdmonitor.socket; then + "$SYSTEMCTL_EXEC" stop 'mdmonitor.socket' + "$SYSTEMCTL_EXEC" mask 'mdmonitor.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'mdmonitor.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
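Review bot: the bash fix runs `stop`, `disable` and `mask` on mdmonitor.service without checking their exit status and the script has no `set -e`; only `reset-failed` is deliberately tolerated with `|| true`. `systemctl mask` refuses to overwrite a real unit file in /etc/systemd/system, so on a host that carries a local mdmonitor.service override the mask step fails, the script still exits 0, and the remediation is reported as applied while the unit remains startable. The mask step should propagate its failure (or the script should fail fast) so that a partial remediation is not reported as success.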
@@ -245998,26 +245998,20 @@ kernel panics, which is not common. [customizations.services] disabled = ["netconsole"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'netconsole.service' -"$SYSTEMCTL_EXEC" disable 'netconsole.service' -"$SYSTEMCTL_EXEC" mask 'netconsole.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files netconsole.socket; then - "$SYSTEMCTL_EXEC" stop 'netconsole.socket' - "$SYSTEMCTL_EXEC" mask 'netconsole.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'netconsole.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: netconsole.service + enabled: false + mask: true + - name: netconsole.socket + enabled: false + mask: true include disable_netconsole 
@@ -246098,20 +246092,26 @@ class disable_netconsole { - no_reboot_needed - service_netconsole_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: netconsole.service - enabled: false - mask: true - - name: netconsole.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'netconsole.service' +"$SYSTEMCTL_EXEC" disable 'netconsole.service' +"$SYSTEMCTL_EXEC" mask 'netconsole.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files netconsole.socket; then + "$SYSTEMCTL_EXEC" stop 'netconsole.socket' + "$SYSTEMCTL_EXEC" mask 'netconsole.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'netconsole.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -246230,6 +246230,100 @@ available in the ntpd program and should be considered deprecated. [customizations.services] disabled = ["ntpdate"] + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ntpdate.service + enabled: false + mask: true + - name: ntpdate.socket + enabled: false + mask: true + + include disable_ntpdate + +class disable_ntpdate { + service {'ntpdate': + enable => false, + ensure => 'stopped', + } +} + + - name: Block Disable service ntpdate + block: + + - name: Disable service ntpdate + block: + + - name: Disable service ntpdate + systemd: + name: ntpdate.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + + - name: Intentionally ignored previous 'Disable service ntpdate' failure, service + was already disabled + meta: noop + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80879-0 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_ntpdate_disabled + +- name: Unit Socket Exists - ntpdate.socket + command: systemctl -q list-unit-files ntpdate.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80879-0 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_ntpdate_disabled + +- name: Disable socket ntpdate + systemd: + name: ntpdate.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - socket_file_exists.stdout_lines is 
search("ntpdate.socket",multiline=True) + tags: + - CCE-80879-0 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_ntpdate_disabled # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
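Review bot: the platform gates of the two remediations in this hunk are not equivalent. The Ansible tasks skip when `ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]` is false, i.e. on five container types, while the trailing bash context `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` only recognises Docker and Podman marker files. Inside an LXC, OpenVZ or systemd-nspawn container the bash fix will therefore run and call systemctl where the Ansible fix would have stepped aside. Consider gating the bash fix on `systemd-detect-virt --container` (or the same list of runtimes) so both implementations apply to the same set of hosts.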
@@ -246251,100 +246345,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - include disable_ntpdate - -class disable_ntpdate { - service {'ntpdate': - enable => false, - ensure => 'stopped', - } -} - - - name: Block Disable service ntpdate - block: - - - name: Disable service ntpdate - block: - - - name: Disable service ntpdate - systemd: - name: ntpdate.service - enabled: 'no' - state: stopped - masked: 'yes' - rescue: - - - name: Intentionally ignored previous 'Disable service ntpdate' failure, service - was already disabled - meta: noop - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80879-0 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_ntpdate_disabled - -- name: Unit Socket Exists - ntpdate.socket - command: systemctl -q list-unit-files ntpdate.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80879-0 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_ntpdate_disabled - -- name: Disable socket ntpdate - systemd: - name: ntpdate.socket - enabled: 'no' - state: stopped - masked: 'yes' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - socket_file_exists.stdout_lines is search("ntpdate.socket",multiline=True) - tags: - - CCE-80879-0 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_ntpdate_disabled - - apiVersion: machineconfiguration.openshift.io/v1 
-kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ntpdate.service - enabled: false - mask: true - - name: ntpdate.socket - enabled: false - mask: true @@ -246440,26 +246440,20 @@ been a source of privilege escalation security issues. [customizations.services] disabled = ["oddjobd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'oddjobd.service' -"$SYSTEMCTL_EXEC" disable 'oddjobd.service' -"$SYSTEMCTL_EXEC" mask 'oddjobd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files oddjobd.socket; then - "$SYSTEMCTL_EXEC" stop 'oddjobd.socket' - "$SYSTEMCTL_EXEC" mask 'oddjobd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: oddjobd.service + enabled: false + mask: true + - name: oddjobd.socket + enabled: false + mask: true include disable_oddjobd 
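Review bot: the `rescue:` branch in the Ansible block for ntpdate swallows every failure of the `Disable service ntpdate` systemd task with `meta: noop` and a message that asserts the "service was already disabled". Any other error from the systemd module, such as a unit that fails to load, a D-Bus connection failure or a permission problem, is indistinguishable from the unit-not-found case and the rule is reported as remediated. Narrowing the ignore condition to the module's own not-found error (for example a `failed_when` that only tolerates a `msg` containing "Could not find the requested service") would keep the idempotent behaviour for absent units while still surfacing real failures.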
@@ -246540,20 +246534,26 @@ class disable_oddjobd { - no_reboot_needed - service_oddjobd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: oddjobd.service - enabled: false - mask: true - - name: oddjobd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'oddjobd.service' +"$SYSTEMCTL_EXEC" disable 'oddjobd.service' +"$SYSTEMCTL_EXEC" mask 'oddjobd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files oddjobd.socket; then + "$SYSTEMCTL_EXEC" stop 'oddjobd.socket' + "$SYSTEMCTL_EXEC" mask 'oddjobd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -246669,26 +246669,20 @@ disabled if not needed. [customizations.services] disabled = ["portreserve"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'portreserve.service' -"$SYSTEMCTL_EXEC" disable 'portreserve.service' -"$SYSTEMCTL_EXEC" mask 'portreserve.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files portreserve.socket; then - "$SYSTEMCTL_EXEC" stop 'portreserve.socket' - "$SYSTEMCTL_EXEC" mask 'portreserve.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'portreserve.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: portreserve.service + enabled: false + mask: true + - name: portreserve.socket + enabled: false + mask: true include disable_portreserve 
@@ -246769,20 +246763,26 @@ class disable_portreserve { - no_reboot_needed - service_portreserve_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: portreserve.service - enabled: false - mask: true - - name: portreserve.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'portreserve.service' +"$SYSTEMCTL_EXEC" disable 'portreserve.service' +"$SYSTEMCTL_EXEC" mask 'portreserve.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files portreserve.socket; then + "$SYSTEMCTL_EXEC" stop 'portreserve.socket' + "$SYSTEMCTL_EXEC" mask 'portreserve.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'portreserve.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -246902,26 +246902,20 @@ service is not needed and should be disabled or removed. [customizations.services] disabled = ["qpidd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'qpidd.service' -"$SYSTEMCTL_EXEC" disable 'qpidd.service' -"$SYSTEMCTL_EXEC" mask 'qpidd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files qpidd.socket; then - "$SYSTEMCTL_EXEC" stop 'qpidd.socket' - "$SYSTEMCTL_EXEC" mask 'qpidd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: qpidd.service + enabled: false + mask: true + - name: qpidd.socket + enabled: false + mask: true include disable_qpidd 
@@ -247002,20 +246996,26 @@ class disable_qpidd { - no_reboot_needed - service_qpidd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: qpidd.service - enabled: false - mask: true - - name: qpidd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'qpidd.service' +"$SYSTEMCTL_EXEC" disable 'qpidd.service' +"$SYSTEMCTL_EXEC" mask 'qpidd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files qpidd.socket; then + "$SYSTEMCTL_EXEC" stop 'qpidd.socket' + "$SYSTEMCTL_EXEC" mask 'qpidd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -247112,26 +247112,20 @@ service. [customizations.services] disabled = ["quota_nld"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'quota_nld.service' -"$SYSTEMCTL_EXEC" disable 'quota_nld.service' -"$SYSTEMCTL_EXEC" mask 'quota_nld.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files quota_nld.socket; then - "$SYSTEMCTL_EXEC" stop 'quota_nld.socket' - "$SYSTEMCTL_EXEC" mask 'quota_nld.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: quota_nld.service + enabled: false + mask: true + - name: quota_nld.socket + enabled: false + mask: true include disable_quota_nld 
@@ -247212,20 +247206,26 @@ class disable_quota_nld { - no_reboot_needed - service_quota_nld_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: quota_nld.service - enabled: false - mask: true - - name: quota_nld.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'quota_nld.service' +"$SYSTEMCTL_EXEC" disable 'quota_nld.service' +"$SYSTEMCTL_EXEC" mask 'quota_nld.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files quota_nld.socket; then + "$SYSTEMCTL_EXEC" stop 'quota_nld.socket' + "$SYSTEMCTL_EXEC" mask 'quota_nld.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -247386,26 +247386,20 @@ dynamic network configuration information. [customizations.services] disabled = ["rdisc"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rdisc.service' -"$SYSTEMCTL_EXEC" disable 'rdisc.service' -"$SYSTEMCTL_EXEC" mask 'rdisc.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rdisc.socket; then - "$SYSTEMCTL_EXEC" stop 'rdisc.socket' - "$SYSTEMCTL_EXEC" mask 'rdisc.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rdisc.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rdisc.service + enabled: false + mask: true + - name: rdisc.socket + enabled: false + mask: true include disable_rdisc 
@@ -247489,20 +247483,26 @@ class disable_rdisc { - no_reboot_needed - service_rdisc_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rdisc.service - enabled: false - mask: true - - name: rdisc.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rdisc.service' +"$SYSTEMCTL_EXEC" disable 'rdisc.service' +"$SYSTEMCTL_EXEC" mask 'rdisc.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rdisc.socket; then + "$SYSTEMCTL_EXEC" stop 'rdisc.socket' + "$SYSTEMCTL_EXEC" mask 'rdisc.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rdisc.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -247621,6 +247621,100 @@ desirable for some environments. However, if the system is being managed by RHN [customizations.services] disabled = ["rhnsd"] + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rhnsd.service + enabled: false + mask: true + - name: rhnsd.socket + enabled: false + mask: true + + include disable_rhnsd + +class disable_rhnsd { + service {'rhnsd': + enable => false, + ensure => 'stopped', + } +} + + - name: Block Disable service rhnsd + block: + + - name: Disable service rhnsd + block: + + - name: Disable service rhnsd + systemd: + name: rhnsd.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + + - name: Intentionally ignored previous 'Disable service rhnsd' failure, service + was already disabled + meta: noop + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82405-2 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rhnsd_disabled + +- name: Unit Socket Exists - rhnsd.socket + command: systemctl -q list-unit-files rhnsd.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82405-2 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rhnsd_disabled + +- name: Disable socket rhnsd + systemd: + name: rhnsd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - socket_file_exists.stdout_lines is search("rhnsd.socket",multiline=True) + 
tags: + - CCE-82405-2 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rhnsd_disabled # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
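Review bot: the Puppet fix added in this hunk, `service {'rhnsd': enable => false, ensure => 'stopped', }`, stops and disables rhnsd but does not mask it, whereas the MachineConfig (`mask: true` for rhnsd.service and rhnsd.socket), the Ansible tasks (`masked: 'yes'`) and the bash script (`mask 'rhnsd.service'`) all mask both units. A Puppet-remediated host can still have rhnsd started through socket activation or a dependency and will not match the state the other fixes produce. Puppet's systemd service provider accepts `enable => 'mask'`, so the Puppet fix could be brought in line with the other three.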
@@ -247642,100 +247736,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - include disable_rhnsd - -class disable_rhnsd { - service {'rhnsd': - enable => false, - ensure => 'stopped', - } -} - - - name: Block Disable service rhnsd - block: - - - name: Disable service rhnsd - block: - - - name: Disable service rhnsd - systemd: - name: rhnsd.service - enabled: 'no' - state: stopped - masked: 'yes' - rescue: - - - name: Intentionally ignored previous 'Disable service rhnsd' failure, service - was already disabled - meta: noop - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82405-2 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rhnsd_disabled - -- name: Unit Socket Exists - rhnsd.socket - command: systemctl -q list-unit-files rhnsd.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82405-2 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rhnsd_disabled - -- name: Disable socket rhnsd - systemd: - name: rhnsd.socket - enabled: 'no' - state: stopped - masked: 'yes' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - socket_file_exists.stdout_lines is search("rhnsd.socket",multiline=True) - tags: - - CCE-82405-2 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rhnsd_disabled - - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - 
config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rhnsd.service - enabled: false - mask: true - - name: rhnsd.socket - enabled: false - mask: true @@ -247830,26 +247830,20 @@ unnecessary and can be disabled. [customizations.services] disabled = ["rhsmcertd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service' -"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service' -"$SYSTEMCTL_EXEC" mask 'rhsmcertd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rhsmcertd.socket; then - "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket' - "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rhsmcertd.service + enabled: false + mask: true + - name: rhsmcertd.socket + enabled: false + mask: true include disable_rhsmcertd 
@@ -247930,20 +247924,26 @@ class disable_rhsmcertd { - no_reboot_needed - service_rhsmcertd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rhsmcertd.service - enabled: false - mask: true - - name: rhsmcertd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service' +"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service' +"$SYSTEMCTL_EXEC" mask 'rhsmcertd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rhsmcertd.socket; then + "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket' + "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -248062,26 +248062,20 @@ consulted, it is not necessary and should be disabled. [customizations.services] disabled = ["saslauthd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'saslauthd.service' -"$SYSTEMCTL_EXEC" disable 'saslauthd.service' -"$SYSTEMCTL_EXEC" mask 'saslauthd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files saslauthd.socket; then - "$SYSTEMCTL_EXEC" stop 'saslauthd.socket' - "$SYSTEMCTL_EXEC" mask 'saslauthd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'saslauthd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: saslauthd.service + enabled: false + mask: true + - name: saslauthd.socket + enabled: false + mask: true include disable_saslauthd 
@@ -248162,20 +248156,26 @@ class disable_saslauthd { - no_reboot_needed - service_saslauthd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: saslauthd.service - enabled: false - mask: true - - name: saslauthd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'saslauthd.service' +"$SYSTEMCTL_EXEC" disable 'saslauthd.service' +"$SYSTEMCTL_EXEC" mask 'saslauthd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files saslauthd.socket; then + "$SYSTEMCTL_EXEC" stop 'saslauthd.socket' + "$SYSTEMCTL_EXEC" mask 'saslauthd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'saslauthd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -248270,26 +248270,20 @@ this service should be disabled. [customizations.services] disabled = ["sysstat"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'sysstat.service' -"$SYSTEMCTL_EXEC" disable 'sysstat.service' -"$SYSTEMCTL_EXEC" mask 'sysstat.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files sysstat.socket; then - "$SYSTEMCTL_EXEC" stop 'sysstat.socket' - "$SYSTEMCTL_EXEC" mask 'sysstat.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'sysstat.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: sysstat.service + enabled: false + mask: true + - name: sysstat.socket + enabled: false + mask: true include disable_sysstat 
@@ -248370,20 +248364,26 @@ class disable_sysstat { - no_reboot_needed - service_sysstat_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: sysstat.service - enabled: false - mask: true - - name: sysstat.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'sysstat.service' +"$SYSTEMCTL_EXEC" disable 'sysstat.service' +"$SYSTEMCTL_EXEC" mask 'sysstat.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files sysstat.socket; then + "$SYSTEMCTL_EXEC" stop 'sysstat.socket' + "$SYSTEMCTL_EXEC" mask 'sysstat.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'sysstat.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248477,21 +248477,13 @@ configured defensively. PR.IP-1 PR.PT-3 The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only. + +package --add=cron + [[packages]] name = "cron" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "cron" ; then - yum install -y "cron" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_cron 
@@ -248515,8 +248507,16 @@ class install_cron { - no_reboot_needed - package_cron_installed - -package --add=cron + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "cron" ; then + yum install -y "cron" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248610,18 +248610,6 @@ enabling the cron daemon is essential. [customizations.services] enabled = ["cron"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'cron.service' -"$SYSTEMCTL_EXEC" start 'cron.service' -"$SYSTEMCTL_EXEC" enable 'cron.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_cron @@ -248657,6 +248645,18 @@ class enable_cron { - medium_severity - no_reboot_needed - service_cron_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'cron.service' +"$SYSTEMCTL_EXEC" start 'cron.service' +"$SYSTEMCTL_EXEC" enable 'cron.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248751,18 +248751,6 @@ enabling the cron daemon is essential. [customizations.services] enabled = ["crond"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'crond.service' -"$SYSTEMCTL_EXEC" start 'crond.service' -"$SYSTEMCTL_EXEC" enable 'crond.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_crond 
@@ -248798,6 +248786,18 @@ class enable_crond { - medium_severity - no_reboot_needed - service_crond_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'crond.service' +"$SYSTEMCTL_EXEC" start 'crond.service' +"$SYSTEMCTL_EXEC" enable 'crond.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248894,26 +248894,20 @@ accountability. Furthermore, the need to schedule tasks with at - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'atd.service' -"$SYSTEMCTL_EXEC" disable 'atd.service' -"$SYSTEMCTL_EXEC" mask 'atd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files atd.socket; then - "$SYSTEMCTL_EXEC" stop 'atd.socket' - "$SYSTEMCTL_EXEC" mask 'atd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'atd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: atd.service + enabled: false + mask: true + - name: atd.socket + enabled: false + mask: true include disable_atd 
@@ -248994,20 +248988,26 @@ class disable_atd { - no_reboot_needed - service_atd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: atd.service - enabled: false - mask: true - - name: atd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'atd.service' +"$SYSTEMCTL_EXEC" disable 'atd.service' +"$SYSTEMCTL_EXEC" mask 'atd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files atd.socket; then + "$SYSTEMCTL_EXEC" stop 'atd.socket' + "$SYSTEMCTL_EXEC" mask 'atd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'atd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249153,15 +249153,6 @@ To properly set the group owner of /etc/cron.d, run the c can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82268-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.d/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.d/ file: path: /etc/cron.d/ 
@@ -249179,6 +249170,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.d/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249241,15 +249241,6 @@ To properly set the group owner of /etc/cron.daily, run t can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82234-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.daily/ file: path: /etc/cron.daily/ @@ -249267,6 +249258,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249329,15 +249329,6 @@ To properly set the group owner of /etc/cron.hourly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82227-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.hourly/ file: path: /etc/cron.hourly/ 
@@ -249355,6 +249346,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249417,15 +249417,6 @@ To properly set the group owner of /etc/cron.monthly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82256-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.monthly/ file: path: /etc/cron.monthly/ @@ -249443,6 +249434,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249505,15 +249505,6 @@ To properly set the group owner of /etc/cron.weekly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82244-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.weekly/ file: path: /etc/cron.weekly/ 
@@ -249531,6 +249522,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249593,15 +249593,6 @@ To properly set the group owner of /etc/crontab, run the can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82223-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/crontab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/crontab stat: path: /etc/crontab @@ -249637,6 +249628,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/crontab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249699,15 +249699,6 @@ To properly set the owner of /etc/cron.d, run the command can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82272-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.d/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.d/ file: path: /etc/cron.d/ 
@@ -249725,6 +249716,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.d/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249787,15 +249787,6 @@ To properly set the owner of /etc/cron.daily, run the com can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82237-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.daily/ file: path: /etc/cron.daily/ @@ -249813,6 +249804,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249875,15 +249875,6 @@ To properly set the owner of /etc/cron.hourly, run the co can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82209-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.hourly/ file: path: /etc/cron.hourly/ 
@@ -249901,6 +249892,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249963,15 +249963,6 @@ To properly set the owner of /etc/cron.monthly, run the c can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82260-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.monthly/ file: path: /etc/cron.monthly/ @@ -249989,6 +249980,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250051,15 +250051,6 @@ To properly set the owner of /etc/cron.weekly, run the co can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82247-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.weekly/ file: path: /etc/cron.weekly/ 
@@ -250077,6 +250068,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250139,15 +250139,6 @@ To properly set the owner of /etc/crontab, run the comman can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82224-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /etc/crontab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/crontab stat: path: /etc/crontab @@ -250183,6 +250174,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /etc/crontab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250245,15 +250245,6 @@ To properly set the permissions of /etc/cron.d, run the c can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82277-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/cron.d/ file(s) command: 'find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found 
@@ -250292,6 +250283,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250354,15 +250354,6 @@ To properly set the permissions of /etc/cron.daily, run t can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82240-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/cron.daily/ file(s) command: 'find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found 
@@ -250402,128 +250393,27 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Verify Permissions on cron.hourly - -To properly set the permissions of /etc/cron.hourly, run the command: -$ sudo chmod 0700 /etc/cron.hourly - 12 - 13 - 14 - 15 - 16 - 18 - 3 - 5 - APO01.06 - DSS05.04 - DSS05.07 - DSS06.02 - 4.3.3.7.3 - SR 2.1 - SR 5.2 - A.10.1.1 - A.11.1.4 - A.11.1.5 - A.11.2.1 - A.13.1.1 - A.13.1.3 - A.13.2.1 - A.13.2.3 - A.13.2.4 - A.14.1.2 - A.14.1.3 - A.6.1.2 - A.7.1.1 - A.7.1.2 - A.7.3.1 - A.8.2.2 - A.8.2.3 - A.9.1.1 - A.9.1.2 - A.9.2.3 - A.9.4.1 - A.9.4.4 - A.9.4.5 - CM-6(a) - AC-6(1) - PR.AC-4 - PR.DS-5 - 2.2.6 - SRG-OS-000480-GPOS-00227 - 5.1.3 - Service configuration files enable or disable features of their respective services that if configured incorrectly -can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the -correct access rights to prevent unauthorized changes. - CCE-82230-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; +find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Find /etc/cron.hourly/ file(s) - command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type - d ' - register: files_found - changed_when: false - failed_when: false - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82230-4 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_hourly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Set permissions for /etc/cron.hourly/ file(s) - file: - path: '{{ item }}' - mode: u-s,g-xwrs,o-xwrt - state: directory - with_items: - - '{{ files_found.stdout_lines }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82230-4 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_hourly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - + - + - - Verify Permissions on cron.monthly + + Verify Permissions on cron.hourly -To properly set the permissions of /etc/cron.monthly, run the command: -$ sudo chmod 0700 /etc/cron.monthly +To properly set the permissions of /etc/cron.hourly, run the command: +$ sudo chmod 0700 /etc/cron.hourly 12 13 14 
@@ -250568,20 +250458,121 @@ To properly set the permissions of /etc/cron.monthly, run PR.DS-5 2.2.6 SRG-OS-000480-GPOS-00227 - 5.1.6 + 5.1.3 Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. - CCE-82263-5 - # Remediation is applicable only in certain platforms + CCE-82230-4 + - name: Find /etc/cron.hourly/ file(s) + command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type + d ' + register: files_found + changed_when: false + failed_when: false + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82230-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Set permissions for /etc/cron.hourly/ file(s) + file: + path: '{{ item }}' + mode: u-s,g-xwrs,o-xwrt + state: directory + with_items: + - '{{ files_found.stdout_lines }}' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82230-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; +find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Verify Permissions on cron.monthly + +To properly set the permissions of /etc/cron.monthly, run the command: +$ sudo chmod 0700 /etc/cron.monthly + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + 4.3.3.7.3 + SR 2.1 + SR 5.2 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + 2.2.6 + SRG-OS-000480-GPOS-00227 + 5.1.6 + Service configuration files enable or disable features of their respective services that if configured incorrectly +can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the +correct access rights to prevent unauthorized changes. + CCE-82263-5 - name: Find /etc/cron.monthly/ file(s) command: 'find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' @@ -250621,6 +250612,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -250683,15 +250683,6 @@ To properly set the permissions of /etc/cron.weekly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82253-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/cron.weekly/ file(s) command: 'find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' @@ -250731,6 +250722,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250793,15 +250793,6 @@ To properly set the permissions of /etc/crontab, run the can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82206-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/crontab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/crontab stat: path: /etc/crontab @@ -250837,6 +250828,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/crontab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -250872,21 +250872,6 @@ Use /etc/at.allow instead. Access to at should be restricted. It is easier to manage an allow list than a deny list. CCE-86945-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -#!/bin/bash - - - - if [[ -f /etc/at.deny ]]; then - rm /etc/at.deny - fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Remove /etc/at.deny file: path: /etc/at.deny @@ -250901,6 +250886,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +#!/bin/bash + + + + if [[ -f /etc/at.deny ]]; then + rm /etc/at.deny + fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250918,21 +250918,6 @@ Use /etc/cron.allow instead. Access to cron should be restricted. It is easier to manage an allow list than a deny list. CCE-86849-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -#!/bin/bash - - - - if [[ -f /etc/cron.deny ]]; then - rm /etc/cron.deny - fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Remove /etc/cron.deny file: path: /etc/cron.deny @@ -250947,6 +250932,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +#!/bin/bash + + + + if [[ -f /etc/cron.deny ]]; then + rm /etc/cron.deny + fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -250966,15 +250966,6 @@ To properly set the group owner of /etc/at.allow, run the If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-87102-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/at.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/at.allow stat: path: /etc/at.allow @@ -251006,6 +250997,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/at.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -251069,15 +251069,6 @@ To properly set the group owner of /etc/cron.allow, run t If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86829-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/cron.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow @@ -251113,6 +251104,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/cron.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -251175,15 +251175,6 @@ To properly set the owner of /etc/cron.allow, run the com If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86843-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /etc/cron.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow @@ -251217,6 +251208,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /etc/cron.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -251238,15 +251238,6 @@ To properly set the permissions of /etc/at.allow, run the If the permissions of the at.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86903-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/at.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/at.allow stat: path: /etc/at.allow @@ -251278,6 +251269,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/at.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -251300,15 +251300,6 @@ To properly set the permissions of /etc/cron.allow, run t If the permissions of the cron.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86876-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/cron.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow @@ -251340,6 +251331,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/cron.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -251451,18 +251451,8 @@ confidentiality in network exchange, usage as uncontrolled communication channel telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made. - -# CAUTION: This remediation script will remove inetutils-telnetd -# from the system, and may remove any packages -# that depend on inetutils-telnetd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "inetutils-telnetd" ; then - - yum remove -y "inetutils-telnetd" - -fi + +package --remove=inetutils-telnetd include remove_inetutils-telnetd 
@@ -251487,8 +251477,18 @@ class remove_inetutils-telnetd { - no_reboot_needed - package_inetutils-telnetd_removed - -package --remove=inetutils-telnetd + +# CAUTION: This remediation script will remove inetutils-telnetd +# from the system, and may remove any packages +# that depend on inetutils-telnetd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "inetutils-telnetd" ; then + + yum remove -y "inetutils-telnetd" + +fi @@ -251499,18 +251499,8 @@ package --remove=inetutils-telnetd The support for Yellowpages should not be installed unless it is required. NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used. - -# CAUTION: This remediation script will remove nis -# from the system, and may remove any packages -# that depend on nis. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "nis" ; then - - yum remove -y "nis" - -fi + +package --remove=nis include remove_nis @@ -251532,8 +251522,18 @@ class remove_nis { - no_reboot_needed - package_nis_removed - -package --remove=nis + +# CAUTION: This remediation script will remove nis +# from the system, and may remove any packages +# that depend on nis. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "nis" ; then + + yum remove -y "nis" + +fi 
@@ -251543,18 +251543,8 @@ package --remove=nis Uninstall the ntpdate package ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled. ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP. - -# CAUTION: This remediation script will remove ntpdate -# from the system, and may remove any packages -# that depend on ntpdate. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "ntpdate" ; then - - yum remove -y "ntpdate" - -fi + +package --remove=ntpdate include remove_ntpdate @@ -251576,8 +251566,18 @@ class remove_ntpdate { - no_reboot_needed - package_ntpdate_removed - -package --remove=ntpdate + +# CAUTION: This remediation script will remove ntpdate +# from the system, and may remove any packages +# that depend on ntpdate. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "ntpdate" ; then + + yum remove -y "ntpdate" + +fi @@ -251679,18 +251679,8 @@ package --remove=ntpdate PR.PT-4 telnet, even with ssl support, should not be installed. When remote shell is required, up-to-date ssh daemon can be used. - -# CAUTION: This remediation script will remove telnetd-ssl -# from the system, and may remove any packages -# that depend on telnetd-ssl. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnetd-ssl" ; then - - yum remove -y "telnetd-ssl" - -fi + +package --remove=telnetd-ssl include remove_telnetd-ssl 
@@ -251715,8 +251705,18 @@ class remove_telnetd-ssl { - no_reboot_needed - package_telnetd-ssl_removed - -package --remove=telnetd-ssl + +# CAUTION: This remediation script will remove telnetd-ssl +# from the system, and may remove any packages +# that depend on telnetd-ssl. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnetd-ssl" ; then + + yum remove -y "telnetd-ssl" + +fi @@ -251821,18 +251821,8 @@ package --remove=telnetd-ssl any data transmission between client and server. Any confidential data can be listened and no integrity checking is made.' CCE-83302-0 - -# CAUTION: This remediation script will remove telnetd -# from the system, and may remove any packages -# that depend on telnetd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnetd" ; then - - yum remove -y "telnetd" - -fi + +package --remove=telnetd include remove_telnetd @@ -251858,8 +251848,18 @@ class remove_telnetd { - no_reboot_needed - package_telnetd_removed - -package --remove=telnetd + +# CAUTION: This remediation script will remove telnetd +# from the system, and may remove any packages +# that depend on telnetd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnetd" ; then + + yum remove -y "telnetd" + +fi @@ -252535,18 +252535,8 @@ $ sudo yum erase dhcp-server Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. CCE-83385-5 - -# CAUTION: This remediation script will remove dhcp-server -# from the system, and may remove any packages -# that depend on dhcp-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "dhcp-server" ; then - - yum remove -y "dhcp-server" - -fi + +package --remove=dhcp-server include remove_dhcp-server 
@@ -252573,8 +252563,18 @@ class remove_dhcp-server { - no_reboot_needed - package_dhcp_removed - -package --remove=dhcp-server + +# CAUTION: This remediation script will remove dhcp-server +# from the system, and may remove any packages +# that depend on dhcp-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "dhcp-server" ; then + + yum remove -y "dhcp-server" + +fi @@ -252668,26 +252668,20 @@ DHCP server if there is one. [customizations.services] disabled = ["dhcpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'dhcpd.service' -"$SYSTEMCTL_EXEC" disable 'dhcpd.service' -"$SYSTEMCTL_EXEC" mask 'dhcpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files dhcpd.socket; then - "$SYSTEMCTL_EXEC" stop 'dhcpd.socket' - "$SYSTEMCTL_EXEC" mask 'dhcpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: dhcpd.service + enabled: false + mask: true + - name: dhcpd.socket + enabled: false + mask: true include disable_dhcpd 
@@ -252768,20 +252762,26 @@ class disable_dhcpd { - no_reboot_needed - service_dhcpd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: dhcpd.service - enabled: false - mask: true - - name: dhcpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'dhcpd.service' +"$SYSTEMCTL_EXEC" disable 'dhcpd.service' +"$SYSTEMCTL_EXEC" mask 'dhcpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files dhcpd.socket; then + "$SYSTEMCTL_EXEC" stop 'dhcpd.socket' + "$SYSTEMCTL_EXEC" mask 'dhcpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -252884,18 +252884,8 @@ $ sudo yum erase bind If there is no need to make DNS server software available, removing it provides a safeguard against its activation. CCE-82408-6 - -# CAUTION: This remediation script will remove bind -# from the system, and may remove any packages -# that depend on bind. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "bind" ; then - - yum remove -y "bind" - -fi + +package --remove=bind include remove_bind 
@@ -252921,8 +252911,18 @@ class remove_bind { - no_reboot_needed - package_bind_removed - -package --remove=bind + +# CAUTION: This remediation script will remove bind +# from the system, and may remove any packages +# that depend on bind. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "bind" ; then + + yum remove -y "bind" + +fi @@ -253013,26 +253013,20 @@ implementation flaws and should be disabled if possible. [customizations.services] disabled = ["named"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'named.service' -"$SYSTEMCTL_EXEC" disable 'named.service' -"$SYSTEMCTL_EXEC" mask 'named.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files named.socket; then - "$SYSTEMCTL_EXEC" stop 'named.socket' - "$SYSTEMCTL_EXEC" mask 'named.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'named.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: named.service + enabled: false + mask: true + - name: named.socket + enabled: false + mask: true include disable_named 
@@ -253113,20 +253107,26 @@ class disable_named { - no_reboot_needed - service_named_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: named.service - enabled: false - mask: true - - name: named.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'named.service' +"$SYSTEMCTL_EXEC" disable 'named.service' +"$SYSTEMCTL_EXEC" mask 'named.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files named.socket; then + "$SYSTEMCTL_EXEC" stop 'named.socket' + "$SYSTEMCTL_EXEC" mask 'named.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'named.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -253428,21 +253428,13 @@ $ sudo yum install fapolicyd fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. CCE-82191-8 + +package --add=fapolicyd + [[packages]] name = "fapolicyd" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "fapolicyd" ; then - yum install -y "fapolicyd" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_fapolicyd 
@@ -253469,8 +253461,16 @@ class install_fapolicyd { - no_reboot_needed - package_fapolicyd_installed - -package --add=fapolicyd + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "fapolicyd" ; then + yum install -y "fapolicyd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -253501,18 +253501,6 @@ implements application whitelisting to decide file access rights. [customizations.services] enabled = ["fapolicyd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service' -"$SYSTEMCTL_EXEC" start 'fapolicyd.service' -"$SYSTEMCTL_EXEC" enable 'fapolicyd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_fapolicyd @@ -253550,6 +253538,18 @@ class enable_fapolicyd { - medium_severity - no_reboot_needed - service_fapolicyd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service' +"$SYSTEMCTL_EXEC" start 'fapolicyd.service' +"$SYSTEMCTL_EXEC" enable 'fapolicyd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -253577,38 +253577,6 @@ Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. CCE-86478-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF -# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854) -deny perm=any all : all -EOF - -chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules -chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules - -if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf" -else - touch "/etc/fapolicyd/fapolicyd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/fapolicyd/fapolicyd.conf" - -cp "/etc/fapolicyd/fapolicyd.conf" "/etc/fapolicyd/fapolicyd.conf.bak" -# Insert at the end of the file -printf '%s\n' "permissive = 0" >> "/etc/fapolicyd/fapolicyd.conf" -# Clean up after ourselves. -rm "/etc/fapolicyd/fapolicyd.conf.bak" - -systemctl restart fapolicyd - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. - Ensure a Final Rule Denying Everything 
@@ -253679,6 +253647,38 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF +# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854) +deny perm=any all : all +EOF + +chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules +chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules + +if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf" +else + touch "/etc/fapolicyd/fapolicyd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/fapolicyd/fapolicyd.conf" + +cp "/etc/fapolicyd/fapolicyd.conf" "/etc/fapolicyd/fapolicyd.conf.bak" +# Insert at the end of the file +printf '%s\n' "permissive = 0" >> "/etc/fapolicyd/fapolicyd.conf" +# Clean up after ourselves. +rm "/etc/fapolicyd/fapolicyd.conf.bak" + +systemctl restart fapolicyd + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -253803,18 +253803,8 @@ possible. Removing the vsftpd package decreases the risk of its accidental activation. CCE-82414-4 - -# CAUTION: This remediation script will remove vsftpd -# from the system, and may remove any packages -# that depend on vsftpd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "vsftpd" ; then - - yum remove -y "vsftpd" - -fi + +package --remove=vsftpd include remove_vsftpd @@ -253845,8 +253835,18 @@ class remove_vsftpd { - no_reboot_needed - package_vsftpd_removed - -package --remove=vsftpd + +# CAUTION: This remediation script will remove vsftpd +# from the system, and may remove any packages +# that depend on vsftpd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "vsftpd" ; then + + yum remove -y "vsftpd" + +fi 
@@ -253939,26 +253939,20 @@ a risk of compromising sensitive information. [customizations.services] disabled = ["vsftpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'vsftpd.service' -"$SYSTEMCTL_EXEC" disable 'vsftpd.service' -"$SYSTEMCTL_EXEC" mask 'vsftpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files vsftpd.socket; then - "$SYSTEMCTL_EXEC" stop 'vsftpd.socket' - "$SYSTEMCTL_EXEC" mask 'vsftpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: vsftpd.service + enabled: false + mask: true + - name: vsftpd.socket + enabled: false + mask: true include disable_vsftpd 
@@ -254039,20 +254033,26 @@ class disable_vsftpd { - no_reboot_needed - service_vsftpd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: vsftpd.service - enabled: false - mask: true - - name: vsftpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'vsftpd.service' +"$SYSTEMCTL_EXEC" disable 'vsftpd.service' +"$SYSTEMCTL_EXEC" mask 'vsftpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files vsftpd.socket; then + "$SYSTEMCTL_EXEC" stop 'vsftpd.socket' + "$SYSTEMCTL_EXEC" mask 'vsftpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -254347,15 +254347,13 @@ $ sudo yum install vsftpd Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended. CCE-82411-0 + +package --add=vsftpd + [[packages]] name = "vsftpd" version = "*" - - -if ! rpm -q --quiet "vsftpd" ; then - yum install -y "vsftpd" -fi include install_vsftpd @@ -254379,8 +254377,10 @@ class install_vsftpd { - no_reboot_needed - package_vsftpd_installed - -package --add=vsftpd + +if ! rpm -q --quiet "vsftpd" ; then + yum install -y "vsftpd" +fi 
@@ -254482,18 +254482,8 @@ $ sudo yum erase httpd If there is no need to make the web server software available, removing it provides a safeguard against its activation. CCE-85970-2 - -# CAUTION: This remediation script will remove httpd -# from the system, and may remove any packages -# that depend on httpd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "httpd" ; then - - yum remove -y "httpd" - -fi + +package --remove=httpd include remove_httpd @@ -254519,8 +254509,18 @@ class remove_httpd { - package_httpd_removed - unknown_severity - -package --remove=httpd + +# CAUTION: This remediation script will remove httpd +# from the system, and may remove any packages +# that depend on httpd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "httpd" ; then + + yum remove -y "httpd" + +fi 
@@ -254609,26 +254609,20 @@ of attack, and should be disabled if not needed. [customizations.services] disabled = ["httpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'httpd.service' -"$SYSTEMCTL_EXEC" disable 'httpd.service' -"$SYSTEMCTL_EXEC" mask 'httpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files httpd.socket; then - "$SYSTEMCTL_EXEC" stop 'httpd.socket' - "$SYSTEMCTL_EXEC" mask 'httpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'httpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: httpd.service + enabled: false + mask: true + - name: httpd.socket + enabled: false + mask: true include disable_httpd 
@@ -254709,20 +254703,26 @@ class disable_httpd { - service_httpd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: httpd.service - enabled: false - mask: true - - name: httpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'httpd.service' +"$SYSTEMCTL_EXEC" disable 'httpd.service' +"$SYSTEMCTL_EXEC" mask 'httpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files httpd.socket; then + "$SYSTEMCTL_EXEC" stop 'httpd.socket' + "$SYSTEMCTL_EXEC" mask 'httpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'httpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -254808,18 +254808,8 @@ $ sudo yum erase nginx If there is no need to make the web server software available, removing it provides a safeguard against its activation. CCE-88034-4 - -# CAUTION: This remediation script will remove nginx -# from the system, and may remove any packages -# that depend on nginx. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "nginx" ; then - - yum remove -y "nginx" - -fi + +package --remove=nginx include remove_nginx 
@@ -254845,8 +254835,18 @@ class remove_nginx { - package_nginx_removed - unknown_severity - -package --remove=nginx + +# CAUTION: This remediation script will remove nginx +# from the system, and may remove any packages +# that depend on nginx. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "nginx" ; then + + yum remove -y "nginx" + +fi @@ -255373,13 +255373,6 @@ these files. PR.PT-3 Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files. - - - - - -find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; - - name: Find /etc/httpd/conf.d/ file(s) command: find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*$" @@ -255417,6 +255410,13 @@ find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex - low_disruption - no_reboot_needed - unknown_severity + + + + + + +find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; @@ -255498,13 +255498,6 @@ find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex PR.PT-3 Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files. - - - - - -find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; - - name: Find /etc/httpd/conf/ file(s) command: find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*$" 
@@ -255542,6 +255535,13 @@ find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^ - low_disruption - no_reboot_needed - unknown_severity + + + + + + +find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; @@ -256648,18 +256648,8 @@ $ sudo yum erase cyrus-imapd If there is no need to make the cyrus-imapd software available, removing it provides a safeguard against its activation. CCE-88119-3 - -# CAUTION: This remediation script will remove cyrus-imapd -# from the system, and may remove any packages -# that depend on cyrus-imapd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "cyrus-imapd" ; then - - yum remove -y "cyrus-imapd" - -fi + +package --remove=cyrus-imapd include remove_cyrus-imapd @@ -256682,8 +256672,18 @@ class remove_cyrus-imapd { - package_cyrus-imapd_removed - unknown_severity - -package --remove=cyrus-imapd + +# CAUTION: This remediation script will remove cyrus-imapd +# from the system, and may remove any packages +# that depend on cyrus-imapd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "cyrus-imapd" ; then + + yum remove -y "cyrus-imapd" + +fi @@ -256707,18 +256707,8 @@ $ sudo yum erase dovecot If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. CCE-85976-9 - -# CAUTION: This remediation script will remove dovecot -# from the system, and may remove any packages -# that depend on dovecot. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "dovecot" ; then - - yum remove -y "dovecot" - -fi + +package --remove=dovecot include remove_dovecot 
@@ -256741,8 +256731,18 @@ class remove_dovecot { - package_dovecot_removed - unknown_severity - -package --remove=dovecot + +# CAUTION: This remediation script will remove dovecot +# from the system, and may remove any packages +# that depend on dovecot. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "dovecot" ; then + + yum remove -y "dovecot" + +fi @@ -256764,26 +256764,20 @@ avenue of attack, and should be disabled if not needed. [customizations.services] disabled = ["dovecot"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'dovecot.service' -"$SYSTEMCTL_EXEC" disable 'dovecot.service' -"$SYSTEMCTL_EXEC" mask 'dovecot.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files dovecot.socket; then - "$SYSTEMCTL_EXEC" stop 'dovecot.socket' - "$SYSTEMCTL_EXEC" mask 'dovecot.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'dovecot.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: dovecot.service + enabled: false + mask: true + - name: dovecot.socket + enabled: false + mask: true include disable_dovecot 
@@ -256855,20 +256849,26 @@ class disable_dovecot { - service_dovecot_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: dovecot.service - enabled: false - mask: true - - name: dovecot.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'dovecot.service' +"$SYSTEMCTL_EXEC" disable 'dovecot.service' +"$SYSTEMCTL_EXEC" mask 'dovecot.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files dovecot.socket; then + "$SYSTEMCTL_EXEC" stop 'dovecot.socket' + "$SYSTEMCTL_EXEC" mask 'dovecot.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'dovecot.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -256909,24 +256909,8 @@ surface of the system. While this software is clearly essential on an KDC server, it is not necessary on typical desktop or workstation systems. CCE-85887-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove krb5-server -# from the system, and may remove any packages -# that depend on krb5-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "krb5-server" ; then - - yum remove -y "krb5-server" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=krb5-server include remove_krb5-server 
@@ -256953,8 +256937,24 @@ class remove_krb5-server { - no_reboot_needed - package_krb5-server_removed - -package --remove=krb5-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove krb5-server +# from the system, and may remove any packages +# that depend on krb5-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "krb5-server" ; then + + yum remove -y "krb5-server" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -256980,15 +256980,6 @@ remove the Kerberos keytab files, especially The key derivation function (KDF) in Kerberos is not FIPS compatible. CCE-82175-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -rm -f /etc/*.keytab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find keytab files find: paths: /etc/ @@ -257020,6 +257011,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +rm -f /etc/*.keytab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257059,18 +257059,8 @@ $ sudo yum erase openldap-clients 2.3.5 If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface. CCE-82885-5 - -# CAUTION: This remediation script will remove openldap-clients -# from the system, and may remove any packages -# that depend on openldap-clients. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "openldap-clients" ; then - - yum remove -y "openldap-clients" - -fi + +package --remove=openldap-clients include remove_openldap-clients 
@@ -257093,8 +257083,18 @@ class remove_openldap-clients { - no_reboot_needed - package_openldap-clients_removed - -package --remove=openldap-clients + +# CAUTION: This remediation script will remove openldap-clients +# from the system, and may remove any packages +# that depend on openldap-clients. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "openldap-clients" ; then + + yum remove -y "openldap-clients" + +fi @@ -257561,18 +257561,8 @@ intended for use as an LDAP Server it should be removed. surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. CCE-82415-1 - -# CAUTION: This remediation script will remove openldap-servers -# from the system, and may remove any packages -# that depend on openldap-servers. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "openldap-servers" ; then - - yum remove -y "openldap-servers" - -fi + +package --remove=openldap-servers include remove_openldap-servers @@ -257598,8 +257588,18 @@ class remove_openldap-servers { - no_reboot_needed - package_openldap-servers_removed - -package --remove=openldap-servers + +# CAUTION: This remediation script will remove openldap-servers +# from the system, and may remove any packages +# that depend on openldap-servers. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "openldap-servers" ; then + + yum remove -y "openldap-servers" + +fi 
@@ -257619,26 +257619,20 @@ disabled to reduce the potential attack surface. [customizations.services] disabled = ["slapd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'slapd.service' -"$SYSTEMCTL_EXEC" disable 'slapd.service' -"$SYSTEMCTL_EXEC" mask 'slapd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files slapd.socket; then - "$SYSTEMCTL_EXEC" stop 'slapd.socket' - "$SYSTEMCTL_EXEC" mask 'slapd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'slapd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: slapd.service + enabled: false + mask: true + - name: slapd.socket + enabled: false + mask: true include disable_slapd 
@@ -257710,20 +257704,26 @@ class disable_slapd { - no_reboot_needed - service_slapd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: slapd.service - enabled: false - mask: true - - name: slapd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'slapd.service' +"$SYSTEMCTL_EXEC" disable 'slapd.service' +"$SYSTEMCTL_EXEC" mask 'slapd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files slapd.socket; then + "$SYSTEMCTL_EXEC" stop 'slapd.socket' + "$SYSTEMCTL_EXEC" mask 'slapd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'slapd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257799,21 +257799,13 @@ $ sudo yum install mailx Emails can be used to notify designated personnel about important system events such as failures or warnings. CCE-87036-0 + +package --add=mailx + [[packages]] name = "mailx" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "mailx" ; then - yum install -y "mailx" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_mailx 
@@ -257839,8 +257831,16 @@ class install_mailx { - no_reboot_needed - package_mailx_installed - -package --add=mailx + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "mailx" ; then + yum install -y "mailx" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257861,21 +257861,13 @@ $ sudo yum install postfix Emails can be used to notify designated personnel about important system events such as failures or warnings. CCE-85983-5 + +package --add=postfix + [[packages]] name = "postfix" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "postfix" ; then - yum install -y "postfix" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_postfix @@ -257900,8 +257892,16 @@ class install_postfix { - no_reboot_needed - package_postfix_installed - -package --add=postfix + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "postfix" ; then + yum install -y "postfix" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257994,24 +257994,8 @@ $ sudo yum erase sendmail its design prevents it from being effectively contained by SELinux. Postfix should be used instead. CCE-81039-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove sendmail -# from the system, and may remove any packages -# that depend on sendmail. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "sendmail" ; then - - yum remove -y "sendmail" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=sendmail include remove_sendmail 
@@ -258039,8 +258023,24 @@ class remove_sendmail { - no_reboot_needed - package_sendmail_removed - -package --remove=sendmail + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove sendmail +# from the system, and may remove any packages +# that depend on sendmail. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "sendmail" ; then + + yum remove -y "sendmail" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -258063,18 +258063,6 @@ notification tasks. [customizations.services] enabled = ["postfix"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'postfix.service' -"$SYSTEMCTL_EXEC" start 'postfix.service' -"$SYSTEMCTL_EXEC" enable 'postfix.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_postfix @@ -258108,6 +258096,18 @@ class enable_postfix { - no_reboot_needed - service_postfix_enabled - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'postfix.service' +"$SYSTEMCTL_EXEC" start 'postfix.service' +"$SYSTEMCTL_EXEC" enable 'postfix.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -258176,42 +258176,6 @@ $ sudo newaliases notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address. CCE-82381-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postfix_root_mail_alias='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^root") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s: %s" "$stripped_key" "$var_postfix_root_mail_alias" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^root\\>" "/etc/aliases"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^root\\>.*/$escaped_formatted_output/gi" "/etc/aliases" -else - if [[ -s "/etc/aliases" ]] && [[ -n "$(tail -c 1 -- "/etc/aliases" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/aliases" - fi - cce="CCE-82381-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/aliases" >> "/etc/aliases" - printf '%s\n' "$formatted_output" >> "/etc/aliases" -fi - -if [ -f /usr/bin/newaliases ]; then - newaliases -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postfix_root_mail_alias # promote to variable set_fact: var_postfix_root_mail_alias: !!str 
@@ -258266,6 +258230,42 @@ fi - medium_severity - no_reboot_needed - postfix_client_configure_mail_alias + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postfix_root_mail_alias='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^root") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s: %s" "$stripped_key" "$var_postfix_root_mail_alias" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^root\\>" "/etc/aliases"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^root\\>.*/$escaped_formatted_output/gi" "/etc/aliases" +else + if [[ -s "/etc/aliases" ]] && [[ -n "$(tail -c 1 -- "/etc/aliases" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/aliases" + fi + cce="CCE-82381-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/aliases" >> "/etc/aliases" + printf '%s\n' "$formatted_output" >> "/etc/aliases" +fi + +if [ -f /usr/bin/newaliases ]; then + newaliases +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -258296,32 +258296,6 @@ affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. CCE-89063-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/aliases" ] ; then - - LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases" -else - touch "/etc/aliases" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/aliases" - -cp "/etc/aliases" "/etc/aliases.bak" -# Insert at the end of the file -printf '%s\n' "postmaster: root" >> "/etc/aliases" -# Clean up after ourselves. -rm "/etc/aliases.bak" - -if [ -f /usr/bin/newaliases ]; then - newaliases -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Configure System to Forward All Mail From Postmaster to The Root Account block: @@ -258397,6 +258371,32 @@ fi - medium_severity - no_reboot_needed - postfix_client_configure_mail_alias_postmaster + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/aliases" ] ; then + + LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases" +else + touch "/etc/aliases" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/aliases" + +cp "/etc/aliases" "/etc/aliases.bak" +# Insert at the end of the file +printf '%s\n' "postmaster: root" >> "/etc/aliases" +# Clean up after ourselves. +rm "/etc/aliases.bak" + +if [ -f /usr/bin/newaliases ]; then + newaliases +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -258500,33 +258500,6 @@ may help prevent spam or viruses from being delivered. and not from the network, which protects it from network attack. CCE-82174-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q postfix; }; then - -var_postfix_inet_interfaces='' - - -if [ -e "/etc/postfix/main.cf" ] ; then - - LC_ALL=C sed -i "/^\s*inet_interfaces\s\+=\s\+/Id" "/etc/postfix/main.cf" -else - touch "/etc/postfix/main.cf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/postfix/main.cf" - -cp "/etc/postfix/main.cf" "/etc/postfix/main.cf.bak" -# Insert at the end of the file -printf '%s\n' "inet_interfaces=$var_postfix_inet_interfaces" >> "/etc/postfix/main.cf" -# Clean up after ourselves. -rm "/etc/postfix/main.cf.bak" - -systemctl restart postfix - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postfix_inet_interfaces # promote to variable set_fact: var_postfix_inet_interfaces: !!str @@ -258576,6 +258549,33 @@ fi - no_reboot_needed - postfix_network_listening_disabled - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q postfix; }; then + +var_postfix_inet_interfaces='' + + +if [ -e "/etc/postfix/main.cf" ] ; then + + LC_ALL=C sed -i "/^\s*inet_interfaces\s\+=\s\+/Id" "/etc/postfix/main.cf" +else + touch "/etc/postfix/main.cf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/postfix/main.cf" + +cp "/etc/postfix/main.cf" "/etc/postfix/main.cf.bak" +# Insert at the end of the file +printf '%s\n' "inet_interfaces=$var_postfix_inet_interfaces" >> "/etc/postfix/main.cf" +# Clean up after ourselves. +rm "/etc/postfix/main.cf.bak" + +systemctl restart postfix + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -258717,19 +258717,6 @@ to the local network with the following command: host as a mail relay for the purpose of sending spam or other unauthorized activity. CCE-84054-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then - -if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then - echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf -else - sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -258783,6 +258770,19 @@ fi - no_reboot_needed - postfix_prevent_unrestricted_relay - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then + +if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then + echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf +else + sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -258881,18 +258881,8 @@ daemon on a remote host for information about the Network File System (NFS) serv remote host. For example, showmount can display the clients which are mounted on that host. CCE-82932-5 - -# CAUTION: This remediation script will remove nfs-utils -# from the system, and may remove any packages -# that depend on nfs-utils. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "nfs-utils" ; then - - yum remove -y "nfs-utils" - -fi + +package --remove=nfs-utils include remove_nfs-utils 
@@ -258915,8 +258905,18 @@ class remove_nfs-utils { - no_reboot_needed - package_nfs-utils_removed - -package --remove=nfs-utils + +# CAUTION: This remediation script will remove nfs-utils +# from the system, and may remove any packages +# that depend on nfs-utils. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "nfs-utils" ; then + + yum remove -y "nfs-utils" + +fi @@ -258955,26 +258955,20 @@ The netfs service can be disabled with the following comm [customizations.services] disabled = ["netfs"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'netfs.service' -"$SYSTEMCTL_EXEC" disable 'netfs.service' -"$SYSTEMCTL_EXEC" mask 'netfs.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files netfs.socket; then - "$SYSTEMCTL_EXEC" stop 'netfs.socket' - "$SYSTEMCTL_EXEC" mask 'netfs.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: netfs.service + enabled: false + mask: true + - name: netfs.socket + enabled: false + mask: true include disable_netfs 
@@ -259043,20 +259037,26 @@ class disable_netfs { - service_netfs_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: netfs.service - enabled: false - mask: true - - name: netfs.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'netfs.service' +"$SYSTEMCTL_EXEC" disable 'netfs.service' +"$SYSTEMCTL_EXEC" mask 'netfs.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files netfs.socket; then + "$SYSTEMCTL_EXEC" stop 'netfs.socket' + "$SYSTEMCTL_EXEC" mask 'netfs.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -259086,24 +259086,8 @@ $ sudo yum erase rpcbind If the system does not require rpc based services, it is recommended that rpcbind be disabled to reduce the attack surface. CCE-86645-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove rpcbind -# from the system, and may remove any packages -# that depend on rpcbind. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rpcbind" ; then - - yum remove -y "rpcbind" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=rpcbind include remove_rpcbind 
@@ -259127,8 +259111,24 @@ class remove_rpcbind { - no_reboot_needed - package_rpcbind_removed - -package --remove=rpcbind + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove rpcbind +# from the system, and may remove any packages +# that depend on rpcbind. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rpcbind" ; then + + yum remove -y "rpcbind" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -259151,26 +259151,20 @@ The nfslock service can be disabled with the following co [customizations.services] disabled = ["nfslock"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'nfslock.service' -"$SYSTEMCTL_EXEC" disable 'nfslock.service' -"$SYSTEMCTL_EXEC" mask 'nfslock.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files nfslock.socket; then - "$SYSTEMCTL_EXEC" stop 'nfslock.socket' - "$SYSTEMCTL_EXEC" mask 'nfslock.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nfslock.service + enabled: false + mask: true + - name: nfslock.socket + enabled: false + mask: true include disable_nfslock 
@@ -259239,20 +259233,26 @@ class disable_nfslock { - service_nfslock_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: nfslock.service - enabled: false - mask: true - - name: nfslock.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nfslock.service' +"$SYSTEMCTL_EXEC" disable 'nfslock.service' +"$SYSTEMCTL_EXEC" mask 'nfslock.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files nfslock.socket; then + "$SYSTEMCTL_EXEC" stop 'nfslock.socket' + "$SYSTEMCTL_EXEC" mask 'nfslock.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259278,26 +259278,20 @@ rpcbind be disabled to reduce the attack surface. [customizations.services] disabled = ["rpcbind"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcbind.service' -"$SYSTEMCTL_EXEC" disable 'rpcbind.service' -"$SYSTEMCTL_EXEC" mask 'rpcbind.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcbind.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcbind.socket' - "$SYSTEMCTL_EXEC" mask 'rpcbind.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcbind.service + enabled: false + mask: true + - name: rpcbind.socket + enabled: false + mask: true include disable_rpcbind 
@@ -259372,20 +259366,26 @@ class disable_rpcbind { - no_reboot_needed - service_rpcbind_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcbind.service - enabled: false - mask: true - - name: rpcbind.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcbind.service' +"$SYSTEMCTL_EXEC" disable 'rpcbind.service' +"$SYSTEMCTL_EXEC" mask 'rpcbind.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcbind.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcbind.socket' + "$SYSTEMCTL_EXEC" mask 'rpcbind.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259405,26 +259405,20 @@ The rpcgssd service can be disabled with the following co [customizations.services] disabled = ["rpcgssd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcgssd.service' -"$SYSTEMCTL_EXEC" disable 'rpcgssd.service' -"$SYSTEMCTL_EXEC" mask 'rpcgssd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcgssd.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcgssd.socket' - "$SYSTEMCTL_EXEC" mask 'rpcgssd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcgssd.service + enabled: false + mask: true + - name: rpcgssd.socket + enabled: false + mask: true include disable_rpcgssd 
@@ -259493,20 +259487,26 @@ class disable_rpcgssd { - service_rpcgssd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcgssd.service - enabled: false - mask: true - - name: rpcgssd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcgssd.service' +"$SYSTEMCTL_EXEC" disable 'rpcgssd.service' +"$SYSTEMCTL_EXEC" mask 'rpcgssd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcgssd.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcgssd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcgssd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259525,26 +259525,20 @@ The rpcidmapd service can be disabled with the following [customizations.services] disabled = ["rpcidmapd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service' -"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service' -"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcidmapd.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket' - "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcidmapd.service + enabled: false + mask: true + - name: rpcidmapd.socket + enabled: false + mask: true include disable_rpcidmapd 
@@ -259613,20 +259607,26 @@ class disable_rpcidmapd { - service_rpcidmapd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcidmapd.service - enabled: false - mask: true - - name: rpcidmapd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service' +"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service' +"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcidmapd.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259809,26 +259809,20 @@ The nfs-server service can be disabled with the following [customizations.services] disabled = ["nfs-server"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'nfs-server.service' -"$SYSTEMCTL_EXEC" disable 'nfs-server.service' -"$SYSTEMCTL_EXEC" mask 'nfs-server.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files nfs-server.socket; then - "$SYSTEMCTL_EXEC" stop 'nfs-server.socket' - "$SYSTEMCTL_EXEC" mask 'nfs-server.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'nfs-server.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nfs-server.service + enabled: false + mask: true + - name: nfs-server.socket + enabled: false + mask: true include disable_nfs-server 
@@ -259909,20 +259903,26 @@ class disable_nfs-server { - service_nfs_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: nfs-server.service - enabled: false - mask: true - - name: nfs-server.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nfs-server.service' +"$SYSTEMCTL_EXEC" disable 'nfs-server.service' +"$SYSTEMCTL_EXEC" mask 'nfs-server.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files nfs-server.socket; then + "$SYSTEMCTL_EXEC" stop 'nfs-server.socket' + "$SYSTEMCTL_EXEC" mask 'nfs-server.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'nfs-server.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259946,26 +259946,20 @@ The rpcsvcgssd service can be disabled with the following [customizations.services] disabled = ["rpcsvcgssd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service' -"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service' -"$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcsvcgssd.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket' - "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcsvcgssd.service + enabled: false + mask: true + - name: rpcsvcgssd.socket + enabled: false + mask: true include disable_rpcsvcgssd 
@@ -260034,20 +260028,26 @@ class disable_rpcsvcgssd { - service_rpcsvcgssd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcsvcgssd.service - enabled: false - mask: true - - name: rpcsvcgssd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service' +"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service' +"$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcsvcgssd.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -260149,40 +260149,6 @@ any NFS mounts. requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|sec=krb5:krb5i:krb5p)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}sec=krb5:krb5i:krb5p 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "sec=krb5:krb5i:krb5p"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,sec=krb5:krb5i:krb5p|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have sec=krb5:krb5i:krb5p command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -P register: points_register 
@@ -260230,6 +260196,40 @@ fi - medium_severity - mount_option_krb_sec_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|sec=krb5:krb5i:krb5p)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}sec=krb5:krb5i:krb5p 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "sec=krb5:krb5i:krb5p"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,sec=krb5:krb5i:krb5p|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
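Review bot: in the re-added bash remediation, `vfstype_points` is filled by grepping /etc/fstab, so the `if ! grep -q "$mount_point_match_regexp" /etc/fstab` branch that falls back to /etc/mtab can never be taken, and `fs_type="nfs4"` is a constant, so the iso9660 `blocksize=`/`block=` rewrite is dead code as well (the comment concedes it exists only to satisfy shellcheck SC2050). In the `elif` branch, the test `grep -q "sec=krb5:krb5i:krb5p"` does not recognise an existing `sec=` option with a different value such as `sec=sys`, so the `sed -i` appends a second `sec=` to the options field instead of replacing the first. Suggest matching `sec=` on the fourth field and substituting its value, and dropping the unreachable mtab and iso9660 branches or keeping them only in the shared template expanded for the filesystem types that need them.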
@@ -260326,40 +260326,6 @@ any NFS mounts. Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. CCE-84052-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have nodev command: findmnt --fstab --types nfs,nfs4 -O nonodev -n -P register: points_register 
@@ -260401,6 +260367,40 @@ fi - medium_severity - mount_option_nodev_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
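Review bot: in the re-added nodev remediation (and identically in the noexec and nosuid hunks that follow), the presence test `grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"` is a substring match over the whole fstab line, so a device or mount point path that merely contains the string (for example `/srv/nodev_share`) is reported as already remediated and the option is never added; the `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|"` also embeds the current options string unescaped in its pattern. Suggest testing the fourth field only, e.g. `awk '$4 ~ /(^|,)nodev(,|$)/'`, and escaping `previous_mount_opts` before using it in the `s|...|...|` expression.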
@@ -260466,40 +260466,6 @@ for mounting any file system not containing approved binary files as they may be files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. CCE-84050-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have noexec command: findmnt --fstab --types nfs,nfs4 -O nonoexec -n -P register: points_register 
@@ -260545,6 +260511,40 @@ fi - medium_severity - mount_option_noexec_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -260607,40 +260607,6 @@ any NFS mounts. NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. CCE-84053-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have nosuid command: findmnt --fstab --types nfs,nfs4 -O nonosuid -n -P register: points_register 
@@ -260684,6 +260650,40 @@ fi - medium_severity - mount_option_nosuid_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -260882,21 +260882,6 @@ requests from the remote user. The userid and groupid could mistakenly or malici incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. CCE-80924-4 - -nfs_exports=() -readarray -t nfs_exports < <(grep -E "^/.*[[:space:]]+ .*\(.*\)[[:space:]]*$" /etc/exports | awk '{print $2}') - -for nfs_export in "${nfs_exports[@]}" -do - correct_export="" - if [ "$(grep -c "sec=" <<<"$nfs_export")" -eq 0 ]; then - correct_export="$(echo $nfs_export|sed -e 's/).*$/,sec=krb5\:krb5i\:krb5p)/')" - else - correct_export="$(echo $nfs_export|sed -e 's/sec=[^\,\)]*/sec=krb5\:krb5i\:krb5p/')" - fi - sed -i "s|$nfs_export|$correct_export|g" /etc/exports -done - - name: Drop any security clause for every export replace: path: /etc/exports @@ -260938,6 +260923,21 @@ done - medium_severity - no_reboot_needed - use_kerberos_security_all_exports + + +nfs_exports=() +readarray -t nfs_exports < <(grep -E "^/.*[[:space:]]+ .*\(.*\)[[:space:]]*$" /etc/exports | awk '{print $2}') + +for nfs_export in "${nfs_exports[@]}" +do + correct_export="" + if [ "$(grep -c "sec=" <<<"$nfs_export")" -eq 0 ]; then + correct_export="$(echo $nfs_export|sed -e 's/).*$/,sec=krb5\:krb5i\:krb5p)/')" + else + correct_export="$(echo $nfs_export|sed -e 's/sec=[^\,\)]*/sec=krb5\:krb5i\:krb5p/')" + fi + sed -i "s|$nfs_export|$correct_export|g" /etc/exports +done @@ -261104,21 +261104,13 @@ Kerberos and also ensures log files have consistent time records across the ente which aids in forensic investigations. CCE-82874-9 + +package --add=chrony + [[packages]] name = "chrony" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "chrony" ; then - yum install -y "chrony" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_chrony 
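Review bot: in the `use_kerberos_security_all_exports` bash remediation moved in this region, the line filter `grep -E "^/.*[[:space:]]+ .*\(.*\)[[:space:]]*$"` requires at least two whitespace characters between the export path and the client spec (`[[:space:]]+` followed by a literal space), so an export written as `/srv/nfs host(rw)` with a single separator is skipped entirely, and `awk '{print $2}'` only ever fixes the first client spec on a line that lists several. The `sed -i "s|$nfs_export|$correct_export|g" /etc/exports` also uses the raw client spec as a sed pattern and `echo $nfs_export` leaves it unquoted, so `.` and `*` in a spec such as `10.0.0.*(rw)` act as regex and glob metacharacters. Suggest iterating over every field after the path with the separator matched as `[[:space:]]+` alone, quoting the variables, and escaping them before they reach sed.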
@@ -261144,8 +261136,16 @@ class install_chrony { - no_reboot_needed - package_chrony_installed - -package --add=chrony + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "chrony" ; then + yum install -y "chrony" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -261191,21 +261191,13 @@ package --add=chrony PR.PT-1 Req-10.4 Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906. + +package --add=ntp + [[packages]] name = "ntp" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "ntp" ; then - yum install -y "ntp" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_ntp @@ -261230,8 +261222,16 @@ class install_ntp { - no_reboot_needed - package_ntp_installed - -package --add=ntp + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "ntp" ; then + yum install -y "ntp" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -261262,18 +261262,6 @@ synchronization is working properly. [customizations.services] enabled = ["chronyd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'chronyd.service' -"$SYSTEMCTL_EXEC" start 'chronyd.service' -"$SYSTEMCTL_EXEC" enable 'chronyd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_chronyd 
@@ -261322,6 +261310,18 @@ class enable_chronyd { - medium_severity - no_reboot_needed - service_chronyd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'chronyd.service' +"$SYSTEMCTL_EXEC" start 'chronyd.service' +"$SYSTEMCTL_EXEC" enable 'chronyd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261407,47 +261407,6 @@ The chronyd and ntpd NTP daemons o functionality of ntpdate, which is now deprecated. CCE-80874-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if rpm --quiet -q "chrony" ; then - if ! /usr/sbin/pidof ntpd ; then - /usr/bin/systemctl enable "chronyd" - /usr/bin/systemctl start "chronyd" - # The service may not be running because it has been started and failed, - # so let's reset the state so OVAL checks pass. - # Service should be 'inactive', not 'failed' after reboot though. - if /usr/bin/systemctl --failed | grep -q "chronyd"; then - /usr/bin/systemctl reset-failed "chronyd" - fi - fi -elif rpm --quiet -q "ntp" ; then - /usr/bin/systemctl enable "ntpd" - /usr/bin/systemctl start "ntpd" - # The service may not be running because it has been started and failed, - # so let's reset the state so OVAL checks pass. - # Service should be 'inactive', not 'failed' after reboot though. - if /usr/bin/systemctl --failed | grep -q "ntpd"; then - /usr/bin/systemctl reset-failed "ntpd" - fi -else - if ! rpm -q --quiet "chrony" ; then - yum install -y "chrony" - fi - /usr/bin/systemctl enable "chronyd" - /usr/bin/systemctl start "chronyd" - # The service may not be running because it has been started and failed, - # so let's reset the state so OVAL checks pass. - # Service should be 'inactive', not 'failed' after reboot though. - if /usr/bin/systemctl --failed | grep -q "chronyd"; then - /usr/bin/systemctl reset-failed "chronyd" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -261532,6 +261491,47 @@ fi - medium_severity - no_reboot_needed - service_chronyd_or_ntpd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if rpm --quiet -q "chrony" ; then + if ! /usr/sbin/pidof ntpd ; then + /usr/bin/systemctl enable "chronyd" + /usr/bin/systemctl start "chronyd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + if /usr/bin/systemctl --failed | grep -q "chronyd"; then + /usr/bin/systemctl reset-failed "chronyd" + fi + fi +elif rpm --quiet -q "ntp" ; then + /usr/bin/systemctl enable "ntpd" + /usr/bin/systemctl start "ntpd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + if /usr/bin/systemctl --failed | grep -q "ntpd"; then + /usr/bin/systemctl reset-failed "ntpd" + fi +else + if ! rpm -q --quiet "chrony" ; then + yum install -y "chrony" + fi + /usr/bin/systemctl enable "chronyd" + /usr/bin/systemctl start "chronyd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + if /usr/bin/systemctl --failed | grep -q "chronyd"; then + /usr/bin/systemctl reset-failed "chronyd" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
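Review bot: in the re-added `service_chronyd_or_ntpd_enabled` remediation, the chrony branch is gated on `if ! /usr/sbin/pidof ntpd`, so on a host where ntpd happens to be running but is not enabled, neither chronyd nor ntpd is enabled and the system fails the check after the next reboot. Unlike the `enable_chronyd` and `enable_ntpd` remediations in the earlier hunks, none of the three branches runs `systemctl unmask` before `enable`, so a masked `chronyd.service` makes the enable step fail while the script carries on regardless. Suggest deciding on `systemctl is-enabled ntpd` rather than a live pid, and unmasking before enabling in each branch.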
@@ -261593,18 +261593,6 @@ deprecated. [customizations.services] enabled = ["ntpd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'ntpd.service' -"$SYSTEMCTL_EXEC" start 'ntpd.service' -"$SYSTEMCTL_EXEC" enable 'ntpd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_ntpd @@ -261661,6 +261649,18 @@ class enable_ntpd { - medium_severity - no_reboot_needed - service_ntpd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ntpd.service' +"$SYSTEMCTL_EXEC" start 'ntpd.service' +"$SYSTEMCTL_EXEC" enable 'ntpd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261687,34 +261687,30 @@ Operating systems are capable of providing a wide variety of functions and servi To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. CCE-82988-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^port") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^port\\>" "/etc/chrony.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^port\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" -else - if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" - fi - cce="CCE-82988-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" - printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20st
ratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: Disable chrony daemon from acting as server block: 
@@ -261757,30 +261753,34 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logge
d.%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^port") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^port\\>" "/etc/chrony.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^port\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" +else + if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" + fi + cce="CCE-82988-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" + printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261805,34 +261805,30 @@ for management connections made by chronyc. daemon diminishes the attack surface. CCE-82840-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^cmdport\\>" "/etc/chrony.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^cmdport\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" -else - if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" - fi - cce="CCE-82840-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" - printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: Disable network management of chrony daemon block: 
@@ -261874,30 +261870,34 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logge
d.%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^cmdport\\>" "/etc/chrony.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^cmdport\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" +else + if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" + fi + cce="CCE-82840-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" + printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261962,44 +261962,30 @@ Synchronizing internal information system clocks provides uniformity of time sta Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). CCE-84059-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then - -var_time_service_set_maxpoll='' - - - - -pof="/usr/sbin/pidof" - - -CONFIG_FILES="/etc/ntp.conf" -$pof ntpd || { - CHRONY_NAME=/etc/chrony.conf - CHRONY_PATH=${CHRONY_NAME%%.*} - CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf') -} - -# get list of ntp files - -for config_file in $CONFIG_FILES; do - # Set maxpoll values to var_time_service_set_maxpoll - sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file" -done - - - - -for config_file in $CONFIG_FILES; do - # Add maxpoll to server, pool or peer entries without maxpoll - grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do - sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file" - done -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: Gather the package facts package_facts: 
@@ -262194,30 +262180,44 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logge
d.%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then + +var_time_service_set_maxpoll='' + + + + +pof="/usr/sbin/pidof" + + +CONFIG_FILES="/etc/ntp.conf" +$pof ntpd || { + CHRONY_NAME=/etc/chrony.conf + CHRONY_PATH=${CHRONY_NAME%%.*} + CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf') +} + +# get list of ntp files + +for config_file in $CONFIG_FILES; do + # Set maxpoll values to var_time_service_set_maxpoll + sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file" +done + + + + +for config_file in $CONFIG_FILES; do + # Add maxpoll to server, pool or peer entries without maxpoll + grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do + sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file" + done +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262290,28 +262290,30 @@ unavailable. This is typical for a system acting as an NTP server for other systems. CCE-80764-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_multiple_time_servers='' - - -config_file="/etc/ntp.conf" -/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" - -if ! [ "$(grep -c '^server' "$config_file")" -gt 1 ] ; then - if ! grep -q '#[[:space:]]*server' "$config_file" ; then - for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do - printf '\nserver %s' "$server" >> "$config_file" - done - else - sed -i 's/#[ \t]*server/server/g' "$config_file" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Ser
ve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: XCCDF Value var_multiple_time_servers # promote to variable set_fact: 
@@ -262407,30 +262409,28 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.
%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_multiple_time_servers='' + + +config_file="/etc/ntp.conf" +/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" + +if ! [ "$(grep -c '^server' "$config_file")" -gt 1 ] ; then + if ! grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262502,29 +262502,6 @@ data. logs from multiple sources or correlate computer events with real time events. CCE-80765-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ( rpm --quiet -q chrony || rpm --quiet -q ntp ) ); }; then - -var_multiple_time_servers='' - - -config_file="/etc/ntp.conf" -/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" - -if ! grep -q ^server "$config_file" ; then - if ! grep -q '#[[:space:]]*server' "$config_file" ; then - for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do - printf '\nserver %s' "$server" >> "$config_file" - done - else - sed -i 's/#[ \t]*server/server/g' "$config_file" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig @@ -262549,6 +262526,29 @@ spec: mode: 420 overwrite: true path: /etc/chrony.d/ntp-server.conf + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ( rpm --quiet -q chrony || rpm --quiet -q ntp ) ); }; then + +var_multiple_time_servers='' + + +config_file="/etc/ntp.conf" +/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" + +if ! grep -q ^server "$config_file" ; then + if ! grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
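Review bot: the applicability test on the `if` line of this remediation (both the removed and the re-added copy) repeats the container checks: `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` appears once outside and once again inside the braced group, so the condition reads as `A && B && { ( A && B && ( rpm ... ) ); }`. The @@ -261962 hunk covers the same platform set and expresses it once as `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }`; the generator should de-duplicate nested platform expressions so both rules produce the same guard.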
@@ -262575,27 +262575,6 @@ This recommendation only applies if chrony is in use on the system. CCE-82879-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then - -if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then - # trying to solve cases where the parameter after OPTIONS - #may or may not be enclosed in quotes - sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/' /etc/sysconfig/chronyd -fi - -if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then - # trying to solve cases where the parameter after OPTIONS - #may or may not be enclosed in quotes - sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd -else - echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -262646,6 +262625,27 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + +if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then + # trying to solve cases where the parameter after OPTIONS + #may or may not be enclosed in quotes + sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/' /etc/sysconfig/chronyd +fi + +if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then + # trying to solve cases where the parameter after OPTIONS + #may or may not be enclosed in quotes + sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd +else + echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
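Review bot: the first `if grep -q 'OPTIONS=.*'` block in this remediation is dead weight: it strips `-u <user>` and rewrites the line with an empty insertion (`\1\2`), and the second block immediately repeats the same strip before inserting ` -u chrony`, so the first block can be dropped without changing the result. Separately, `[\s]*` in the `-E` expressions is a bracket expression, where `\s` is not a whitespace class but a literal backslash or `s`; if leading whitespace before `OPTIONS=` is meant to be tolerated, `[[:space:]]*` is the portable form. Again pre-existing, since the hunk pair only moves the script after the Ansible fix.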
@@ -262699,28 +262699,6 @@ Multiple servers may be configured. synchronization is working properly. CCE-82873-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then - -var_multiple_time_servers='' - - -config_file="/etc/chrony.conf" - -if ! grep -q '^[[:space:]]*\(server\|pool\)[[:space:]]\+[[:graph:]]\+' "$config_file" ; then - if ! grep -q '#[[:space:]]*server' "$config_file" ; then - for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do - printf '\nserver %s' "$server" >> "$config_file" - done - else - sed -i 's/#[ \t]*server/server/g' "$config_file" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -262787,6 +262765,28 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + +var_multiple_time_servers='' + + +config_file="/etc/chrony.conf" + +if ! grep -q '^[[:space:]]*\(server\|pool\)[[:space:]]\+[[:graph:]]\+' "$config_file" ; then + if ! grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262929,18 +262929,8 @@ $ sudo yum erase rsync-daemon The rsyncd service presents a security risk as it uses unencrypted protocols for communication. CCE-86335-7 - -# CAUTION: This remediation script will remove rsync-daemon -# from the system, and may remove any packages -# that depend on rsync-daemon. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rsync-daemon" ; then - - yum remove -y "rsync-daemon" - -fi + +package --remove=rsync-daemon include remove_rsync-daemon @@ -262963,8 +262953,18 @@ class remove_rsync-daemon { - no_reboot_needed - package_rsync_removed - -package --remove=rsync-daemon + +# CAUTION: This remediation script will remove rsync-daemon +# from the system, and may remove any packages +# that depend on rsync-daemon. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rsync-daemon" ; then + + yum remove -y "rsync-daemon" + +fi 
@@ -262988,26 +262988,20 @@ communication. [customizations.services] disabled = ["rsyncd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rsyncd.service' -"$SYSTEMCTL_EXEC" disable 'rsyncd.service' -"$SYSTEMCTL_EXEC" mask 'rsyncd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rsyncd.socket; then - "$SYSTEMCTL_EXEC" stop 'rsyncd.socket' - "$SYSTEMCTL_EXEC" mask 'rsyncd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rsyncd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rsyncd.service + enabled: false + mask: true + - name: rsyncd.socket + enabled: false + mask: true include disable_rsyncd 
@@ -263082,20 +263076,26 @@ class disable_rsyncd { - no_reboot_needed - service_rsyncd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rsyncd.service - enabled: false - mask: true - - name: rsyncd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rsyncd.service' +"$SYSTEMCTL_EXEC" disable 'rsyncd.service' +"$SYSTEMCTL_EXEC" mask 'rsyncd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rsyncd.socket; then + "$SYSTEMCTL_EXEC" stop 'rsyncd.socket' + "$SYSTEMCTL_EXEC" mask 'rsyncd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rsyncd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -263220,24 +263220,8 @@ $ sudo yum erase xinetd Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. CCE-80850-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove xinetd -# from the system, and may remove any packages -# that depend on xinetd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "xinetd" ; then - - yum remove -y "xinetd" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=xinetd include remove_xinetd 
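Review bot: the xinetd removal script (@@ -263265) is wrapped in the `/.dockerenv` / `/run/.containerenv` platform guard, but the rsync-daemon removal in the same series (@@ -262963) runs `yum remove -y` unconditionally, as do the ypbind, ypserv, rsh-server, rsh, talk, telnet and tftp removal scripts that follow. These are package removals of the same kind, so the guard should be applied uniformly (or its absence documented per rule) so that a package-removal fix behaves the same inside and outside a container image build.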
@@ -263265,8 +263249,24 @@ class remove_xinetd { - no_reboot_needed - package_xinetd_removed - -package --remove=xinetd + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove xinetd +# from the system, and may remove any packages +# that depend on xinetd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "xinetd" ; then + + yum remove -y "xinetd" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -263389,26 +263389,20 @@ attacks against xinetd itself. [customizations.services] disabled = ["xinetd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'xinetd.service' -"$SYSTEMCTL_EXEC" disable 'xinetd.service' -"$SYSTEMCTL_EXEC" mask 'xinetd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files xinetd.socket; then - "$SYSTEMCTL_EXEC" stop 'xinetd.socket' - "$SYSTEMCTL_EXEC" mask 'xinetd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'xinetd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: xinetd.service + enabled: false + mask: true + - name: xinetd.socket + enabled: false + mask: true include disable_xinetd 
@@ -263492,20 +263486,26 @@ class disable_xinetd { - no_reboot_needed - service_xinetd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: xinetd.service - enabled: false - mask: true - - name: xinetd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'xinetd.service' +"$SYSTEMCTL_EXEC" disable 'xinetd.service' +"$SYSTEMCTL_EXEC" mask 'xinetd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files xinetd.socket; then + "$SYSTEMCTL_EXEC" stop 'xinetd.socket' + "$SYSTEMCTL_EXEC" mask 'xinetd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'xinetd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -263544,18 +263544,8 @@ NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed. CCE-82181-9 - -# CAUTION: This remediation script will remove ypbind -# from the system, and may remove any packages -# that depend on ypbind. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "ypbind" ; then - - yum remove -y "ypbind" - -fi + +package --remove=ypbind include remove_ypbind 
@@ -263579,8 +263569,18 @@ class remove_ypbind { - package_ypbind_removed - unknown_severity - -package --remove=ypbind + +# CAUTION: This remediation script will remove ypbind +# from the system, and may remove any packages +# that depend on ypbind. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "ypbind" ; then + + yum remove -y "ypbind" + +fi @@ -263704,18 +263704,8 @@ remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. CCE-82432-6 - -# CAUTION: This remediation script will remove ypserv -# from the system, and may remove any packages -# that depend on ypserv. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "ypserv" ; then - - yum remove -y "ypserv" - -fi + +package --remove=ypserv include remove_ypserv @@ -263744,8 +263734,18 @@ class remove_ypserv { - no_reboot_needed - package_ypserv_removed - -package --remove=ypserv + +# CAUTION: This remediation script will remove ypserv +# from the system, and may remove any packages +# that depend on ypserv. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "ypserv" ; then + + yum remove -y "ypserv" + +fi 
@@ -263868,26 +263868,20 @@ unless in use. [customizations.services] disabled = ["ypbind"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'ypbind.service' -"$SYSTEMCTL_EXEC" disable 'ypbind.service' -"$SYSTEMCTL_EXEC" mask 'ypbind.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files ypbind.socket; then - "$SYSTEMCTL_EXEC" stop 'ypbind.socket' - "$SYSTEMCTL_EXEC" mask 'ypbind.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'ypbind.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ypbind.service + enabled: false + mask: true + - name: ypbind.socket + enabled: false + mask: true include disable_ypbind 
@@ -263971,20 +263965,26 @@ class disable_ypbind { - no_reboot_needed - service_ypbind_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ypbind.service - enabled: false - mask: true - - name: ypbind.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'ypbind.service' +"$SYSTEMCTL_EXEC" disable 'ypbind.service' +"$SYSTEMCTL_EXEC" mask 'ypbind.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files ypbind.socket; then + "$SYSTEMCTL_EXEC" stop 'ypbind.socket' + "$SYSTEMCTL_EXEC" mask 'ypbind.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'ypbind.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -264009,26 +264009,20 @@ unless in use. [customizations.services] disabled = ["ypserv"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'ypserv.service' -"$SYSTEMCTL_EXEC" disable 'ypserv.service' -"$SYSTEMCTL_EXEC" mask 'ypserv.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files ypserv.socket; then - "$SYSTEMCTL_EXEC" stop 'ypserv.socket' - "$SYSTEMCTL_EXEC" mask 'ypserv.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'ypserv.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ypserv.service + enabled: false + mask: true + - name: ypserv.socket + enabled: false + mask: true include disable_ypserv 
@@ -264100,20 +264094,26 @@ class disable_ypserv { - no_reboot_needed - service_ypserv_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ypserv.service - enabled: false - mask: true - - name: ypserv.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'ypserv.service' +"$SYSTEMCTL_EXEC" disable 'ypserv.service' +"$SYSTEMCTL_EXEC" mask 'ypserv.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files ypserv.socket; then + "$SYSTEMCTL_EXEC" stop 'ypserv.socket' + "$SYSTEMCTL_EXEC" mask 'ypserv.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'ypserv.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -264243,18 +264243,8 @@ could be compromised. The rsh-server package provides sev network services. Removing it decreases the risk of those services' accidental (or intentional) activation. CCE-82184-3 - -# CAUTION: This remediation script will remove rsh-server -# from the system, and may remove any packages -# that depend on rsh-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rsh-server" ; then - - yum remove -y "rsh-server" - -fi + +package --remove=rsh-server include remove_rsh-server 
@@ -264283,8 +264273,18 @@ class remove_rsh-server { - no_reboot_needed - package_rsh-server_removed - -package --remove=rsh-server + +# CAUTION: This remediation script will remove rsh-server +# from the system, and may remove any packages +# that depend on rsh-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rsh-server" ; then + + yum remove -y "rsh-server" + +fi @@ -264324,18 +264324,8 @@ their credentials. Note that removing the rsh package rem the clients for rsh,rcp, and rlogin. CCE-82183-5 - -# CAUTION: This remediation script will remove rsh -# from the system, and may remove any packages -# that depend on rsh. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rsh" ; then - - yum remove -y "rsh" - -fi + +package --remove=rsh include remove_rsh @@ -264360,8 +264350,18 @@ class remove_rsh { - package_rsh_removed - unknown_severity - -package --remove=rsh + +# CAUTION: This remediation script will remove rsh +# from the system, and may remove any packages +# that depend on rsh. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rsh" ; then + + yum remove -y "rsh" + +fi 
@@ -264489,26 +264489,20 @@ stolen by eavesdroppers on the network. [customizations.services] disabled = ["rexec"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rexec.service' -"$SYSTEMCTL_EXEC" disable 'rexec.service' -"$SYSTEMCTL_EXEC" mask 'rexec.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rexec.socket; then - "$SYSTEMCTL_EXEC" stop 'rexec.socket' - "$SYSTEMCTL_EXEC" mask 'rexec.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rexec.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rexec.service + enabled: false + mask: true + - name: rexec.socket + enabled: false + mask: true include disable_rexec 
@@ -264598,20 +264592,26 @@ class disable_rexec { - no_reboot_needed - service_rexec_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rexec.service - enabled: false - mask: true - - name: rexec.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rexec.service' +"$SYSTEMCTL_EXEC" disable 'rexec.service' +"$SYSTEMCTL_EXEC" mask 'rexec.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rexec.socket; then + "$SYSTEMCTL_EXEC" stop 'rexec.socket' + "$SYSTEMCTL_EXEC" mask 'rexec.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rexec.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -264761,26 +264761,20 @@ stolen by eavesdroppers on the network. [customizations.services] disabled = ["rlogin"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rlogin.service' -"$SYSTEMCTL_EXEC" disable 'rlogin.service' -"$SYSTEMCTL_EXEC" mask 'rlogin.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then - "$SYSTEMCTL_EXEC" stop 'rlogin.socket' - "$SYSTEMCTL_EXEC" mask 'rlogin.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rlogin.service + enabled: false + mask: true + - name: rlogin.socket + enabled: false + mask: true include disable_rlogin 
@@ -264870,20 +264864,26 @@ class disable_rlogin { - no_reboot_needed - service_rlogin_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rlogin.service - enabled: false - mask: true - - name: rlogin.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rlogin.service' +"$SYSTEMCTL_EXEC" disable 'rlogin.service' +"$SYSTEMCTL_EXEC" mask 'rlogin.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then + "$SYSTEMCTL_EXEC" stop 'rlogin.socket' + "$SYSTEMCTL_EXEC" mask 'rlogin.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -265034,26 +265034,20 @@ stolen by eavesdroppers on the network. [customizations.services] disabled = ["rsh"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rsh.service' -"$SYSTEMCTL_EXEC" disable 'rsh.service' -"$SYSTEMCTL_EXEC" mask 'rsh.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rsh.socket; then - "$SYSTEMCTL_EXEC" stop 'rsh.socket' - "$SYSTEMCTL_EXEC" mask 'rsh.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rsh.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rsh.service + enabled: false + mask: true + - name: rsh.socket + enabled: false + mask: true include disable_rsh 
@@ -265143,20 +265137,26 @@ class disable_rsh { - no_reboot_needed - service_rsh_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rsh.service - enabled: false - mask: true - - name: rsh.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rsh.service' +"$SYSTEMCTL_EXEC" disable 'rsh.service' +"$SYSTEMCTL_EXEC" mask 'rsh.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rsh.socket; then + "$SYSTEMCTL_EXEC" stop 'rsh.socket' + "$SYSTEMCTL_EXEC" mask 'rsh.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rsh.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -265179,16 +265179,6 @@ Host-based authentication is not sufficient for preventing unauthorized access t as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. CCE-84055-3 - -# Identify local mounts -MOUNT_LIST=$(df --local | awk '{ print $6 }') - -# Find file on each listed mount point -for cur_mount in ${MOUNT_LIST} -do - find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \; -done - - name: Remove Host-Based Authentication Files - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: 
@@ -265357,6 +265347,16 @@ done - no_host_based_files - no_reboot_needed - restrict_strategy + + +# Identify local mounts +MOUNT_LIST=$(df --local | awk '{ print $6 }') + +# Find file on each listed mount point +for cur_mount in ${MOUNT_LIST} +do + find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \; +done @@ -265477,17 +265477,6 @@ through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. CCE-80842-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q rsh-server; then - -find /root -xdev -type f -name ".rhosts" -exec rm -f {} \; -find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \; -rm -f /etc/hosts.equiv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -265563,6 +265552,17 @@ fi - no_reboot_needed - no_rsh_trust_files - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q rsh-server; then + +find /root -xdev -type f -name ".rhosts" -exec rm -f {} \; +find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \; +rm -f /etc/hosts.equiv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -265588,16 +265588,6 @@ sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. CCE-84056-1 - -# Identify local mounts -MOUNT_LIST=$(df --local | awk '{ print $6 }') - -# Find file on each listed mount point -for cur_mount in ${MOUNT_LIST} -do - find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \; -done - - name: Remove User Host-Based Authentication Files - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: 
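Review bot: the .rhosts removal at @@ -265563 only searches `/root` and `/home` to `-maxdepth 2`, so a user whose home directory lives elsewhere or deeper than one level under /home keeps their `.rhosts`, and the whole script is skipped by the `rpm --quiet -q rsh-server` guard, so once the rsh-server removal fix earlier in this series has run, this fix no longer removes the trust files it is named for. Iterating over home directories taken from `getent passwd` instead of a fixed /home depth, and either dropping the package guard or ordering the fixes so this one runs first, would make the result independent of remediation order.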
@@ -265766,6 +265756,16 @@ done - no_reboot_needed - no_user_host_based_files - restrict_strategy + + +# Identify local mounts +MOUNT_LIST=$(df --local | awk '{ print $6 }') + +# Find file on each listed mount point +for cur_mount in ${MOUNT_LIST} +do + find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \; +done @@ -265794,18 +265794,8 @@ across systems through a terminal session. for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services. CCE-82180-1 - -# CAUTION: This remediation script will remove talk-server -# from the system, and may remove any packages -# that depend on talk-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "talk-server" ; then - - yum remove -y "talk-server" - -fi + +package --remove=talk-server include remove_talk-server @@ -265829,8 +265819,18 @@ class remove_talk-server { - no_reboot_needed - package_talk-server_removed - -package --remove=talk-server + +# CAUTION: This remediation script will remove talk-server +# from the system, and may remove any packages +# that depend on talk-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "talk-server" ; then + + yum remove -y "talk-server" + +fi @@ -265861,18 +265861,8 @@ $ sudo yum erase talk for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of talk client program. CCE-80848-5 - -# CAUTION: This remediation script will remove talk -# from the system, and may remove any packages -# that depend on talk. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "talk" ; then - - yum remove -y "talk" - -fi + +package --remove=talk include remove_talk 
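Review bot: in the shosts.equiv script (@@ -265357) and the otherwise identical .shosts script (@@ -265766), `df --local | awk '{ print $6 }'` includes the header row, whose sixth field is the word `Mounted`, so the first loop iteration runs `find Mounted -xdev ...` and fails with "No such file or directory" on every run; mount points containing spaces are also split into separate words, and `${cur_mount}` is unquoted in the `find`. `df --local --output=target | tail -n +2` yields one clean path per line, and quoting `"${cur_mount}"` (or reading the list with `while IFS= read -r`) keeps each path intact.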
@@ -265896,8 +265886,18 @@ class remove_talk { - no_reboot_needed - package_talk_removed - -package --remove=talk + +# CAUTION: This remediation script will remove talk +# from the system, and may remove any packages +# that depend on talk. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "talk" ; then + + yum remove -y "talk" + +fi @@ -266036,18 +266036,8 @@ privileged user password could be compromised. Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation. CCE-82182-7 - -# CAUTION: This remediation script will remove telnet-server -# from the system, and may remove any packages -# that depend on telnet-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnet-server" ; then - - yum remove -y "telnet-server" - -fi + +package --remove=telnet-server include remove_telnet-server @@ -266076,8 +266066,18 @@ class remove_telnet-server { - no_reboot_needed - package_telnet-server_removed - -package --remove=telnet-server + +# CAUTION: This remediation script will remove telnet-server +# from the system, and may remove any packages +# that depend on telnet-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnet-server" ; then + + yum remove -y "telnet-server" + +fi @@ -266111,18 +266111,8 @@ of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8. CCE-80849-3 - -# CAUTION: This remediation script will remove telnet -# from the system, and may remove any packages -# that depend on telnet. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnet" ; then - - yum remove -y "telnet" - -fi + +package --remove=telnet include remove_telnet 
@@ -266147,8 +266137,18 @@ class remove_telnet { - no_reboot_needed - package_telnet_removed - -package --remove=telnet + +# CAUTION: This remediation script will remove telnet +# from the system, and may remove any packages +# that depend on telnet. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnet" ; then + + yum remove -y "telnet" + +fi @@ -266297,26 +266297,20 @@ man-in-the-middle attacks. [customizations.services] disabled = ["telnet"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'telnet.service' -"$SYSTEMCTL_EXEC" disable 'telnet.service' -"$SYSTEMCTL_EXEC" mask 'telnet.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files telnet.socket; then - "$SYSTEMCTL_EXEC" stop 'telnet.socket' - "$SYSTEMCTL_EXEC" mask 'telnet.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'telnet.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: telnet.service + enabled: false + mask: true + - name: telnet.socket + enabled: false + mask: true include disable_telnet 
@@ -266406,20 +266400,26 @@ class disable_telnet { - no_reboot_needed - service_telnet_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: telnet.service - enabled: false - mask: true - - name: telnet.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'telnet.service' +"$SYSTEMCTL_EXEC" disable 'telnet.service' +"$SYSTEMCTL_EXEC" mask 'telnet.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files telnet.socket; then + "$SYSTEMCTL_EXEC" stop 'telnet.socket' + "$SYSTEMCTL_EXEC" mask 'telnet.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'telnet.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -266556,18 +266556,8 @@ configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established. CCE-82436-7 - -# CAUTION: This remediation script will remove tftp-server -# from the system, and may remove any packages -# that depend on tftp-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tftp-server" ; then - - yum remove -y "tftp-server" - -fi + +package --remove=tftp-server include remove_tftp-server 
@@ -266595,8 +266585,18 @@ class remove_tftp-server { - no_reboot_needed - package_tftp-server_removed - -package --remove=tftp-server + +# CAUTION: This remediation script will remove tftp-server +# from the system, and may remove any packages +# that depend on tftp-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "tftp-server" ; then + + yum remove -y "tftp-server" + +fi @@ -266618,18 +266618,8 @@ TFTP does not support authentication and can be easily hacked. The package for TFTP (such as a boot server). In that case, use extreme caution when configuring the services. CCE-83590-0 - -# CAUTION: This remediation script will remove tftp -# from the system, and may remove any packages -# that depend on tftp. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tftp" ; then - - yum remove -y "tftp" - -fi + +package --remove=tftp include remove_tftp @@ -266653,8 +266643,18 @@ class remove_tftp { - no_reboot_needed - package_tftp_removed - -package --remove=tftp + +# CAUTION: This remediation script will remove tftp +# from the system, and may remove any packages +# that depend on tftp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "tftp" ; then + + yum remove -y "tftp" + +fi 
@@ -266768,26 +266768,20 @@ as a TFTP server, which does not provide encryption or authentication. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'tftp.service' -"$SYSTEMCTL_EXEC" disable 'tftp.service' -"$SYSTEMCTL_EXEC" mask 'tftp.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files tftp.socket; then - "$SYSTEMCTL_EXEC" stop 'tftp.socket' - "$SYSTEMCTL_EXEC" mask 'tftp.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'tftp.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: tftp.service + enabled: false + mask: true + - name: tftp.socket + enabled: false + mask: true include disable_tftp 
@@ -266868,20 +266862,26 @@ class disable_tftp { - no_reboot_needed - service_tftp_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: tftp.service - enabled: false - mask: true - - name: tftp.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'tftp.service' +"$SYSTEMCTL_EXEC" disable 'tftp.service' +"$SYSTEMCTL_EXEC" mask 'tftp.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files tftp.socket; then + "$SYSTEMCTL_EXEC" stop 'tftp.socket' + "$SYSTEMCTL_EXEC" mask 'tftp.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'tftp.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267025,22 +267025,6 @@ given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. CCE-82434-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q tftp-server; then - -var_tftpd_secure_directory='' - - -if grep -q 'server_args' /etc/xinetd.d/tftp; then - sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp -else - echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -267126,6 +267110,22 @@ fi - medium_severity - no_reboot_needed - tftpd_uses_secure_mode + + # Remediation is applicable only in certain platforms +if rpm --quiet -q tftp-server; then + +var_tftpd_secure_directory='' + + +if grep -q 'server_args' /etc/xinetd.d/tftp; then + sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp +else + echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267224,18 +267224,8 @@ $ sudo yum erase cups If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. CCE-86299-5 - -# CAUTION: This remediation script will remove cups -# from the system, and may remove any packages -# that depend on cups. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "cups" ; then - - yum remove -y "cups" - -fi + +package --remove=cups include remove_cups @@ -267261,8 +267251,18 @@ class remove_cups { - package_cups_removed - unknown_severity - -package --remove=cups + +# CAUTION: This remediation script will remove cups +# from the system, and may remove any packages +# that depend on cups. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "cups" ; then + + yum remove -y "cups" + +fi 
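Review bot: the `server_args` rewrite in the added tftpd_uses_secure_mode block relies on a non-greedy `.*?`, which sed's ERE does not provide; GNU sed treats `.*?` as greedy, so the first group swallows any existing `-s <dir>` argument, the optional second group matches nothing, and the substitution appends a second `-s $var_tftpd_secure_directory` after the old one instead of replacing it. Match the existing option explicitly, for example `s/(-s[[:blank:]]+)[[:graph:]]+/\1$var_tftpd_secure_directory/` when `grep -q -- '-s' /etc/xinetd.d/tftp` succeeds, and append only otherwise. The same block also runs with `var_tftpd_secure_directory=''`, which writes `server_args = -s ` into /etc/xinetd.d/tftp; add `[ -n "$var_tftpd_secure_directory" ] || exit 1` before the edit.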
@@ -267351,26 +267351,20 @@ The cups service can be disabled with the following comma [customizations.services] disabled = ["cups"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'cups.service' -"$SYSTEMCTL_EXEC" disable 'cups.service' -"$SYSTEMCTL_EXEC" mask 'cups.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files cups.socket; then - "$SYSTEMCTL_EXEC" stop 'cups.socket' - "$SYSTEMCTL_EXEC" mask 'cups.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'cups.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: cups.service + enabled: false + mask: true + - name: cups.socket + enabled: false + mask: true include disable_cups 
@@ -267451,20 +267445,26 @@ class disable_cups { - service_cups_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: cups.service - enabled: false - mask: true - - name: cups.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'cups.service' +"$SYSTEMCTL_EXEC" disable 'cups.service' +"$SYSTEMCTL_EXEC" mask 'cups.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files cups.socket; then + "$SYSTEMCTL_EXEC" stop 'cups.socket' + "$SYSTEMCTL_EXEC" mask 'cups.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'cups.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267679,18 +267679,8 @@ and removed. If there is no need to make the proxy server software available, removing it provides a safeguard against its activation. CCE-82189-2 - -# CAUTION: This remediation script will remove squid -# from the system, and may remove any packages -# that depend on squid. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "squid" ; then - - yum remove -y "squid" - -fi + +package --remove=squid include remove_squid 
@@ -267713,8 +267703,18 @@ class remove_squid { - package_squid_removed - unknown_severity - -package --remove=squid + +# CAUTION: This remediation script will remove squid +# from the system, and may remove any packages +# that depend on squid. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "squid" ; then + + yum remove -y "squid" + +fi @@ -267736,26 +267736,20 @@ of attack, and should be removed if not needed. [customizations.services] disabled = ["squid"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'squid.service' -"$SYSTEMCTL_EXEC" disable 'squid.service' -"$SYSTEMCTL_EXEC" mask 'squid.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files squid.socket; then - "$SYSTEMCTL_EXEC" stop 'squid.socket' - "$SYSTEMCTL_EXEC" mask 'squid.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'squid.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: squid.service + enabled: false + mask: true + - name: squid.socket + enabled: false + mask: true include disable_squid 
@@ -267827,20 +267821,26 @@ class disable_squid { - service_squid_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: squid.service - enabled: false - mask: true - - name: squid.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'squid.service' +"$SYSTEMCTL_EXEC" disable 'squid.service' +"$SYSTEMCTL_EXEC" mask 'squid.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files squid.socket; then + "$SYSTEMCTL_EXEC" stop 'squid.socket' + "$SYSTEMCTL_EXEC" mask 'squid.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'squid.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267872,18 +267872,8 @@ intended for use as a RADIUS Server it should be removed. CCE-82752-7 - -# CAUTION: This remediation script will remove freeradius -# from the system, and may remove any packages -# that depend on freeradius. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "freeradius" ; then - - yum remove -y "freeradius" - -fi + +package --remove=freeradius include remove_freeradius 
@@ -267906,8 +267896,18 @@ class remove_freeradius { - no_reboot_needed - package_freeradius_removed - -package --remove=freeradius + +# CAUTION: This remediation script will remove freeradius +# from the system, and may remove any packages +# that depend on freeradius. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "freeradius" ; then + + yum remove -y "freeradius" + +fi @@ -267942,18 +267942,6 @@ feeds random data from hardware device to kernel random device. [customizations.services] enabled = ["rngd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'rngd.service' -"$SYSTEMCTL_EXEC" start 'rngd.service' -"$SYSTEMCTL_EXEC" enable 'rngd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_rngd @@ -267992,6 +267980,18 @@ class enable_rngd { - low_severity - no_reboot_needed - service_rngd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'rngd.service' +"$SYSTEMCTL_EXEC" start 'rngd.service' +"$SYSTEMCTL_EXEC" enable 'rngd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
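Review bot: the platform gate in the moved enable_rngd block only documents itself through `printf "%s\n%s" "$real" "$expected" | sort -VC`, which succeeds when `$real` sorts at or before `expected="8.3"`, so the remediation runs only on RHEL 8.3 and earlier and prints 'Remediation is not applicable' on later releases. If that upper bound is intended, say so in the comment above the `if` (the bash carries none of the CPE wording that explains it); if a lower bound was meant, the two `printf` arguments are in the wrong order.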
@@ -268050,18 +268050,8 @@ information may be unnecessarily transmitted across the network. If there is no need to make the router software available, removing it provides a safeguard against its activation. CCE-82187-6 - -# CAUTION: This remediation script will remove quagga -# from the system, and may remove any packages -# that depend on quagga. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "quagga" ; then - - yum remove -y "quagga" - -fi + +package --remove=quagga include remove_quagga @@ -268087,8 +268077,18 @@ class remove_quagga { - no_reboot_needed - package_quagga_removed - -package --remove=quagga + +# CAUTION: This remediation script will remove quagga +# from the system, and may remove any packages +# that depend on quagga. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "quagga" ; then + + yum remove -y "quagga" + +fi 
@@ -268142,26 +268142,20 @@ the network. [customizations.services] disabled = ["zebra"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'zebra.service' -"$SYSTEMCTL_EXEC" disable 'zebra.service' -"$SYSTEMCTL_EXEC" mask 'zebra.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files zebra.socket; then - "$SYSTEMCTL_EXEC" stop 'zebra.socket' - "$SYSTEMCTL_EXEC" mask 'zebra.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'zebra.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: zebra.service + enabled: false + mask: true + - name: zebra.socket + enabled: false + mask: true include disable_zebra 
@@ -268242,20 +268236,26 @@ class disable_zebra { - no_reboot_needed - service_zebra_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: zebra.service - enabled: false - mask: true - - name: zebra.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'zebra.service' +"$SYSTEMCTL_EXEC" disable 'zebra.service' +"$SYSTEMCTL_EXEC" mask 'zebra.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files zebra.socket; then + "$SYSTEMCTL_EXEC" stop 'zebra.socket' + "$SYSTEMCTL_EXEC" mask 'zebra.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'zebra.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -268295,15 +268295,13 @@ The samba-common package can be installed with the follow $ sudo yum install samba-common If the samba-common package is not installed, samba cannot be configured. + +package --add=samba-common + [[packages]] name = "samba-common" version = "*" - - -if ! rpm -q --quiet "samba-common" ; then - yum install -y "samba-common" -fi include install_samba-common @@ -268325,8 +268323,10 @@ class install_samba-common { - no_reboot_needed - package_samba-common_installed - -package --add=samba-common + +if ! rpm -q --quiet "samba-common" ; then + yum install -y "samba-common" +fi 
@@ -268367,20 +268367,6 @@ only communicate with servers that support packet signing.Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. - ###################################################################### -#By Luke "Brisk-OH" Brisk -#luke.brisk@boeing.com or luke.brisk@gmail.com -###################################################################### - -CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf ) - -if [ "$CLIENTSIGNING" -eq 0 ]; then - # Add to global section - sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf -else - sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/ client signing = mandatory/g' /etc/samba/smb.conf -fi - - name: Check if /etc/samba/smb.conf exists stat: path: /etc/samba/smb.conf @@ -268408,6 +268394,20 @@ fi - no_reboot_needed - require_smb_client_signing - unknown_severity + + ###################################################################### +#By Luke "Brisk-OH" Brisk +#luke.brisk@boeing.com or luke.brisk@gmail.com +###################################################################### + +CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf ) + +if [ "$CLIENTSIGNING" -eq 0 ]; then + # Add to global section + sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf +else + sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/ client signing = mandatory/g' /etc/samba/smb.conf +fi 
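Review bot: the require_smb_client_signing script counts `grep -ic 'client signing'` matches across the whole file, so a commented-out `# client signing = no` in smb.conf makes `CLIENTSIGNING` non-zero and the else branch's `sed` then rewrites only that comment, leaving no effective setting in `[global]`; the else branch also matches only the literal value `no`, so any other non-mandatory value is left untouched. Count uncommented lines only (`grep -Ec '^[[:blank:]]*client[[:blank:]]+signing'`) and replace whatever value follows `=` rather than just `no`. The personal e-mail addresses in the banner are also out of place in a published remediation; attribution belongs in the source repository, not the shipped script.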
@@ -268493,18 +268493,8 @@ sharing functionality. If there is no need to make the Samba software available, removing it provides a safeguard against its activation. CCE-85978-5 - -# CAUTION: This remediation script will remove samba -# from the system, and may remove any packages -# that depend on samba. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "samba" ; then - - yum remove -y "samba" - -fi + +package --remove=samba include remove_samba @@ -268527,8 +268517,18 @@ class remove_samba { - package_samba_removed - unknown_severity - -package --remove=samba + +# CAUTION: This remediation script will remove samba +# from the system, and may remove any packages +# that depend on samba. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "samba" ; then + + yum remove -y "samba" + +fi 
@@ -268551,26 +268551,20 @@ should be disabled if not needed. [customizations.services] disabled = ["smb"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'smb.service' -"$SYSTEMCTL_EXEC" disable 'smb.service' -"$SYSTEMCTL_EXEC" mask 'smb.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files smb.socket; then - "$SYSTEMCTL_EXEC" stop 'smb.socket' - "$SYSTEMCTL_EXEC" mask 'smb.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'smb.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: smb.service + enabled: false + mask: true + - name: smb.socket + enabled: false + mask: true include disable_smb 
@@ -268642,20 +268636,26 @@ class disable_smb { - no_reboot_needed - service_smb_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: smb.service - enabled: false - mask: true - - name: smb.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'smb.service' +"$SYSTEMCTL_EXEC" disable 'smb.service' +"$SYSTEMCTL_EXEC" mask 'smb.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files smb.socket; then + "$SYSTEMCTL_EXEC" stop 'smb.socket' + "$SYSTEMCTL_EXEC" mask 'smb.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'smb.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -268692,18 +268692,8 @@ $ sudo yum erase net-snmp removing the package provides a safeguard against its activation. CCE-85980-1 - -# CAUTION: This remediation script will remove net-snmp -# from the system, and may remove any packages -# that depend on net-snmp. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "net-snmp" ; then - - yum remove -y "net-snmp" - -fi + +package --remove=net-snmp include remove_net-snmp @@ -268727,8 +268717,18 @@ class remove_net-snmp { - package_net-snmp_removed - unknown_severity - -package --remove=net-snmp + +# CAUTION: This remediation script will remove net-snmp +# from the system, and may remove any packages +# that depend on net-snmp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "net-snmp" ; then + + yum remove -y "net-snmp" + +fi 
@@ -268751,26 +268751,20 @@ should be disabled if not needed. [customizations.services] disabled = ["snmpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'snmpd.service' -"$SYSTEMCTL_EXEC" disable 'snmpd.service' -"$SYSTEMCTL_EXEC" mask 'snmpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files snmpd.socket; then - "$SYSTEMCTL_EXEC" stop 'snmpd.socket' - "$SYSTEMCTL_EXEC" mask 'snmpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'snmpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: snmpd.service + enabled: false + mask: true + - name: snmpd.socket + enabled: false + mask: true include disable_snmpd 
@@ -268842,20 +268836,26 @@ class disable_snmpd { - no_reboot_needed - service_snmpd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: snmpd.service - enabled: false - mask: true - - name: snmpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'snmpd.service' +"$SYSTEMCTL_EXEC" disable 'snmpd.service' +"$SYSTEMCTL_EXEC" mask 'snmpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files snmpd.socket; then + "$SYSTEMCTL_EXEC" stop 'snmpd.socket' + "$SYSTEMCTL_EXEC" mask 'snmpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'snmpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -268973,27 +268973,6 @@ default authenticators, then anyone can gather data about the system and the net and use the information to potentially compromise the integrity of the system and network(s). - # Remediation is applicable only in certain platforms -if rpm --quiet -q net-snmp; then - -var_snmpd_ro_string='' -var_snmpd_rw_string='' - - -# remediate read-only community string -if grep -q 'public' /etc/snmp/snmpd.conf; then - sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf -fi - -# remediate read-write community string -if grep -q 'private' /etc/snmp/snmpd.conf; then - sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -269063,6 +269042,27 @@ fi - medium_disruption - no_reboot_needed - snmpd_not_default_password + + # Remediation is applicable only in certain platforms +if rpm --quiet -q net-snmp; then + +var_snmpd_ro_string='' +var_snmpd_rw_string='' + + +# remediate read-only community string +if grep -q 'public' /etc/snmp/snmpd.conf; then + sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf +fi + +# remediate read-write community string +if grep -q 'private' /etc/snmp/snmpd.conf; then + sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269233,21 +269233,13 @@ $ sudo yum install openssh-clients This package includes utilities to make encrypted connections and transfer files securely to SSH servers. CCE-82722-0 + +package --add=openssh-clients + [[packages]] name = "openssh-clients" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "openssh-clients" ; then - yum install -y "openssh-clients" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_openssh-clients @@ -269271,8 +269263,16 @@ class install_openssh-clients { - no_reboot_needed - package_openssh-clients_installed - -package --add=openssh-clients + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "openssh-clients" ; then + yum install -y "openssh-clients" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
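Review bot: the snmpd_not_default_password block substitutes the bare words `public` and `private` on every line of /etc/snmp/snmpd.conf, so with the shipped defaults `var_snmpd_ro_string=''` and `var_snmpd_rw_string=''` it deletes the first `public`/`private` on each line, including inside comments, and never verifies that a replacement string was actually supplied. Guard on `[ -n "$var_snmpd_ro_string" ] && [ -n "$var_snmpd_rw_string" ]` before editing, and anchor the pattern to the community-string directives (`rocommunity`, `rwcommunity`, `com2sec`) instead of matching the word anywhere on the line.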
@@ -269344,21 +269344,13 @@ $ sudo yum install openssh-server integrity may be compromised because unprotected communications can be intercepted and either read or altered. CCE-83303-8 + +package --add=openssh-server + [[packages]] name = "openssh-server" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "openssh-server" ; then - yum install -y "openssh-server" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_openssh-server @@ -269384,8 +269376,16 @@ class install_openssh-server { - no_reboot_needed - package_openssh-server_installed - -package --add=openssh-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "openssh-server" ; then + yum install -y "openssh-server" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269403,24 +269403,8 @@ $ sudo yum erase openssh-server Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove openssh-server -# from the system, and may remove any packages -# that depend on openssh-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "openssh-server" ; then - - yum remove -y "openssh-server" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=openssh-server include remove_openssh-server 
@@ -269443,8 +269427,24 @@ class remove_openssh-server { - no_reboot_needed - package_openssh-server_removed - -package --remove=openssh-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove openssh-server +# from the system, and may remove any packages +# that depend on openssh-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "openssh-server" ; then + + yum remove -y "openssh-server" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269529,18 +269529,6 @@ of interception and modification. [customizations.services] enabled = ["sshd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'sshd.service' -"$SYSTEMCTL_EXEC" start 'sshd.service' -"$SYSTEMCTL_EXEC" enable 'sshd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_sshd @@ -269585,6 +269573,18 @@ class enable_sshd { - medium_severity - no_reboot_needed - service_sshd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'sshd.service' +"$SYSTEMCTL_EXEC" start 'sshd.service' +"$SYSTEMCTL_EXEC" enable 'sshd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
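Review bot: the remove_openssh-server script wraps its `yum remove -y "openssh-server"` in the `/.dockerenv` / `/run/.containerenv` platform guard, but the otherwise identical package-removal scripts earlier in this patch (telnet, tftp-server, tftp, cups, squid, freeradius, quagga, samba, net-snmp) run unconditionally. Either apply the guard to all of them or state why only this rule is container-aware, so the behaviour when the remediation is executed inside a container is consistent across the profile.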
@@ -269609,26 +269609,20 @@ remote access. [customizations.services] disabled = ["sshd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'sshd.service' -"$SYSTEMCTL_EXEC" disable 'sshd.service' -"$SYSTEMCTL_EXEC" mask 'sshd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files sshd.socket; then - "$SYSTEMCTL_EXEC" stop 'sshd.socket' - "$SYSTEMCTL_EXEC" mask 'sshd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'sshd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: sshd.service + enabled: false + mask: true + - name: sshd.socket + enabled: false + mask: true include disable_sshd 
@@ -269703,20 +269697,26 @@ class disable_sshd { - no_reboot_needed - service_sshd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: sshd.service - enabled: false - mask: true - - name: sshd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'sshd.service' +"$SYSTEMCTL_EXEC" disable 'sshd.service' +"$SYSTEMCTL_EXEC" mask 'sshd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files sshd.socket; then + "$SYSTEMCTL_EXEC" stop 'sshd.socket' + "$SYSTEMCTL_EXEC" mask 'sshd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'sshd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269789,15 +269789,6 @@ services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82901-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/ssh/sshd_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config @@ -269833,6 +269824,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/ssh/sshd_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -269848,15 +269848,6 @@ group-owned by ssh_keys group. 5.2.2 If an unauthorized user obtains the private SSH host key file, the host could be impersonated. CCE-86126-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex '^.*_key$' -exec chgrp ssh_keys {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*_key$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex "^.*_key$" register: files_found @@ -269889,6 +269880,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex '^.*_key$' -exec chgrp ssh_keys {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269905,15 +269905,6 @@ group-owned by root group. If a public host key file is modified by an unauthorized user, the SSH service may be compromised. CCE-86133-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.pub$' -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex "^.*\.pub$" register: files_found @@ -269946,6 +269937,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.pub$' -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270018,15 +270018,6 @@ services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82898-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /etc/ssh/sshd_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config @@ -270062,6 +270053,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /etc/ssh/sshd_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -270077,15 +270077,6 @@ by root user. 5.2.2 If an unauthorized user obtains the private SSH host key file, the host could be impersonated. CCE-86118-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*_key$' -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*_key$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*_key$" register: files_found @@ -270118,6 +270109,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*_key$' -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270134,15 +270134,6 @@ by root user. If a public host key file is modified by an unauthorized user, the SSH service may be compromised. CCE-86129-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.pub$' -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.pub$" register: files_found @@ -270175,6 +270166,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.pub$' -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -270248,15 +270248,6 @@ services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82894-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config @@ -270294,6 +270285,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270372,26 +270372,6 @@ If they are owned by the root user, but by a dedicated gr If an unauthorized user obtains the private SSH host key file, the host could be impersonated. CCE-82424-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -for keyfile in /etc/ssh/*_key; do - test -f "$keyfile" || continue - if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then - - chmod u-xs,g-xwrs,o-xwrt "$keyfile" - - elif test root:ssh_keys = "$(stat -c "%U:%G" "$keyfile")"; then - chmod u-xs,g-xws,o-xwrt "$keyfile" - else - echo "Key-like file '$keyfile' is owned by an unexpected user:group combination" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - include ssh_private_key_perms class ssh_private_key_perms { @@ -270500,6 +270480,26 @@ class ssh_private_key_perms { - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +for keyfile in /etc/ssh/*_key; do + test -f "$keyfile" || continue + if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then + + chmod u-xs,g-xwrs,o-xwrt "$keyfile" + + elif test root:ssh_keys = "$(stat -c "%U:%G" "$keyfile")"; then + chmod u-xs,g-xws,o-xwrt "$keyfile" + else + echo "Key-like file '$keyfile' is owned by an unexpected user:group combination" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
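Review bot: In the ssh_private_key_perms script moved here, the `else` branch for a key file with an unexpected owner only runs `echo "Key-like file '$keyfile' is owned by an unexpected user:group combination"` to stdout and the loop continues, so the remediation exits 0 and the file keeps whatever mode it had; given the rule's own rationale (a leaked private host key lets the host be impersonated), that branch should report on stderr (`>&2 echo ...`) and set a non-zero status so the scanner records the rule as failed rather than remediated. The two accepted branches line up with the group-ownership remediation above (`chgrp ssh_keys` on `*_key` files): root:root gets `u-xs,g-xwrs,o-xwrt` (at most 0600) and root:ssh_keys gets `u-xs,g-xws,o-xwrt`, which deliberately keeps group read for ssh_keys (at most 0640).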
@@ -270575,15 +270575,6 @@ class ssh_private_key_perms { If a public host key file is modified by an unauthorized user, the SSH service may be compromised. CCE-82428-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - include ssh_public_key_perms class ssh_public_key_perms { @@ -270641,6 +270632,15 @@ class ssh_public_key_perms { - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270711,45 +270711,6 @@ processed before 02-rekey-limit.conf containing definitio time-based limit, effects of potential attacks against encryption keys are limited. CCE-82880-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_client_rekey_limit_size='' -var_ssh_client_rekey_limit_time='' - - -main_config="/etc/ssh/ssh_config" -include_directory="/etc/ssh/ssh_config.d" - -if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then - sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" -fi - -for file in "$include_directory"/*.conf; do - if grep -q '^[\s]*RekeyLimit.*$' "$file"; then - sed -i '/^[\s]*RekeyLimit.*/d' "$file" - fi -done - -if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then - - LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -else - touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/ssh_config.d/02-rekey-limit.conf" - -cp "/etc/ssh/ssh_config.d/02-rekey-limit.conf" "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" -# Insert at the end of the file -printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -# Clean up after ourselves. -rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_client_rekey_limit_size # promote to variable set_fact: var_ssh_client_rekey_limit_size: !!str 
@@ -270828,6 +270789,45 @@ fi - medium_severity - no_reboot_needed - ssh_client_rekey_limit + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_client_rekey_limit_size='' +var_ssh_client_rekey_limit_time='' + + +main_config="/etc/ssh/ssh_config" +include_directory="/etc/ssh/ssh_config.d" + +if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then + sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" +fi + +for file in "$include_directory"/*.conf; do + if grep -q '^[\s]*RekeyLimit.*$' "$file"; then + sed -i '/^[\s]*RekeyLimit.*/d' "$file" + fi +done + +if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then + + LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf" +else + touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/ssh_config.d/02-rekey-limit.conf" + +cp "/etc/ssh/ssh_config.d/02-rekey-limit.conf" "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" +# Insert at the end of the file +printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf" +# Clean up after ourselves. +rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
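Review bot: In the ssh_client_rekey_limit script the cleanup pair `grep -q '^[\s]*RekeyLimit.*$'` / `sed -i '/^[\s]*RekeyLimit.*/d'` uses `[\s]`, which inside a POSIX bracket expression matches a literal backslash or the letter `s`, not whitespace, so an indented `RekeyLimit` line in `/etc/ssh/ssh_config` or in another `ssh_config.d/*.conf` survives the sweep and, since ssh_config keeps the first value it reads, can still shadow the line appended to `02-rekey-limit.conf`. The later `LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d"` gets this right with GNU `\s` outside brackets; the sweep should use `^[[:space:]]*RekeyLimit`, the form the SSH_USE_STRONG_RNG remediations further down already use. The `var_ssh_client_rekey_limit_size=''` and `var_ssh_client_rekey_limit_time=''` assignments are the XCCDF value substitution points (the Ansible task in the hunk context promotes the same values); if either is left unresolved the script writes a bare `RekeyLimit` line, so the remediation should guard against empty values rather than append them.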
@@ -270853,19 +270853,6 @@ Randomness is needed to generate considerably more secure data-encryption keys. in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. CCE-83349-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# put line into the file -echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh - -# remove eventual override in /etc/profile -sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh lineinfile: path: /etc/profile.d/cc-ssh-strong-rng.csh @@ -270897,6 +270884,19 @@ fi - medium_severity - no_reboot_needed - ssh_client_use_strong_rng_csh + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# put line into the file +echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh + +# remove eventual override in /etc/profile +sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270920,19 +270920,6 @@ Randomness is needed to generate considerably more secure data-encryption keys. in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. CCE-83346-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# put line into the file -echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh - -# remove eventual override in /etc/profile -sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh lineinfile: path: /etc/profile.d/cc-ssh-strong-rng.sh @@ -270964,6 +270951,19 @@ fi - medium_severity - no_reboot_needed - ssh_client_use_strong_rng_sh + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# put line into the file +echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh + +# remove eventual override in /etc/profile +sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -271164,29 +271164,6 @@ value of 0 in is reached. CCE-83405-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Set SSH Client Alive Count Max to zero block: @@ -271234,6 +271211,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_keepalive_0 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -271370,32 +271370,6 @@ a keep alive message. is reached. CCE-80907-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_set_keepalive='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_set_keepalive # promote to variable set_fact: var_sshd_set_keepalive: !!str @@ -271451,6 +271425,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_keepalive + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_set_keepalive='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -271592,32 +271592,6 @@ enabled on the console or console port that has been let unattended. CCE-80906-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.5"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then - -sshd_idle_timeout_value='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value sshd_idle_timeout_value # promote to variable set_fact: sshd_idle_timeout_value: !!str 
@@ -271678,6 +271652,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_idle_timeout + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.5"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then + +sshd_idle_timeout_value='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
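Review bot: The sshd_set_idle_timeout script's applicability test appends a version check, `printf "%s\n%s" "$real" "$expected" | sort -VC` with `expected="8.5"`, which succeeds only when the VERSION_ID read from /etc/os-release sorts at or before 8.5, so on later RHEL 8 minors the block prints `Remediation is not applicable, nothing was done` and exits; the two ClientAliveCountMax scripts in the preceding hunks (sshd_set_keepalive_0 and sshd_set_keepalive) carry no such gate and edit `/etc/ssh/sshd_config` on every non-container host. Unless a companion rule covers 8.6 and later, the interval and the count are remediated on different platform sets, and the rule description should state the version bound so the difference is visible to whoever selects the profile. The insertion pattern itself (delete with `/^\s*ClientAliveInterval\s\+/Id`, then prepend with `printf > file; cat file.bak >> file`) is sound for sshd's first-match semantics and preserves the inode and mode of the existing file, though the `.bak` copy is left behind if the script is interrupted between `cp` and `rm`.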
@@ -271832,28 +271832,20 @@ following line in SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. CCE-80786-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%
23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authenticati
on%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandb
ox + mode: 0600 + path: /etc/ssh/sshd_config + overwrite: true - name: Disable Host-Based Authentication block: 
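Review bot: The MachineConfig that takes the bash block's place here sets `HostbasedAuthentication no` by overwriting all of `/etc/ssh/sshd_config` (`overwrite: true`, `mode: 0600`) with a fixed file embedded in the `data:` URL, and that file carries far more than the rule asks for: decoded, it also sets `X11Forwarding yes`, `ClientAliveInterval 600`, `ClientAliveCountMax 0`, `PasswordAuthentication no`, `Banner /etc/issue` and a trailing `UsePrivilegeSeparation sandbox`, a directive deprecated since OpenSSH 7.5 and now only warned about. Any other rule that ships its own full sshd_config for the same path will win or lose on apply order rather than on content, so the rule description should say that this remediation replaces the whole file, and the embedded content deserves review as a configuration in its own right (the `X11Forwarding yes` in particular is normally the subject of a separate hardening rule). The bash script being displaced is unchanged and only moves further down in the following hunk.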
@@ -271903,20 +271895,28 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%
20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20thi
s%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%2
0of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandbox - mode: 0600 - path: /etc/ssh/sshd_config - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -271961,55 +271961,6 @@ properly configured. will allow remote access through the SSH port. CCE-80820-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "firewalld" ; then - yum install -y "firewalld" -fi -if ! rpm -q --quiet "NetworkManager" ; then - yum install -y "NetworkManager" -fi -firewalld_sshd_zone='' - - -if systemctl is-active NetworkManager && systemctl is-active firewalld; then - # First make sure the SSH service is enabled in run-time for the proper zone. - # This is to avoid connection issues when new interfaces are addeded to this zone. - firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh - - # This will collect all NetworkManager connections names - readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. - for connection in "${nm_connections[@]}"; do - current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') - if [ $current_zone = "--" ]; then - nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone - fi - done - systemctl restart NetworkManager - - # Active zones are zones with at least one interface assigned to it. - # It is possible that traffic is comming by any active interface and consequently any - # active zone. So, this make sure all active zones are permanently allowing SSH service. - readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) - for zone in "${firewalld_active_zones[@]}"; do - firewall-cmd --permanent --zone="$zone" --add-service=ssh - done - firewall-cmd --reload -else - echo " - firewalld and NetworkManager services are not active. Remediation aborted! 
- This remediation could not be applied because it depends on firewalld and NetworkManager services running. - The service is not started by this remediation in order to prevent connection issues." - exit 1 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value firewalld_sshd_zone # promote to variable set_fact: firewalld_sshd_zone: !!str 
@@ -272169,6 +272120,55 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "firewalld" ; then + yum install -y "firewalld" +fi +if ! rpm -q --quiet "NetworkManager" ; then + yum install -y "NetworkManager" +fi +firewalld_sshd_zone='' + + +if systemctl is-active NetworkManager && systemctl is-active firewalld; then + # First make sure the SSH service is enabled in run-time for the proper zone. + # This is to avoid connection issues when new interfaces are addeded to this zone. + firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh + + # This will collect all NetworkManager connections names + readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. + for connection in "${nm_connections[@]}"; do + current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') + if [ $current_zone = "--" ]; then + nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone + fi + done + systemctl restart NetworkManager + + # Active zones are zones with at least one interface assigned to it. + # It is possible that traffic is comming by any active interface and consequently any + # active zone. So, this make sure all active zones are permanently allowing SSH service. + readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) + for zone in "${firewalld_active_zones[@]}"; do + firewall-cmd --permanent --zone="$zone" --add-service=ssh + done + firewall-cmd --reload +else + echo " + firewalld and NetworkManager services are not active. Remediation aborted! 
+ This remediation could not be applied because it depends on firewalld and NetworkManager services running. + The service is not started by this remediation in order to prevent connection issues." + exit 1 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272292,35 +272292,6 @@ supported is version 2, and line Protocol 2 in has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. CCE-80894-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "2" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^Protocol\\>" "/etc/ssh/sshd_config"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^Protocol\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" -else - if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" - fi - cce="CCE-80894-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" - printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Allow Only SSH Protocol 2 block: 
@@ -272369,6 +272340,35 @@ fi - no_reboot_needed - restrict_strategy - sshd_allow_only_protocol2 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "2" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^Protocol\\>" "/etc/ssh/sshd_config"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^Protocol\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" +else + if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" + fi + cce="CCE-80894-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" + printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -272421,33 +272421,6 @@ a user has successfully authenticated, add or correct the following line in the vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. CCE-80895-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_disable_compression='' - - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_disable_compression # promote to variable set_fact: var_sshd_disable_compression: !!str 
@@ -272498,6 +272471,33 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_compression + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_disable_compression='' + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272656,29 +272656,6 @@ should prevent users from being able to assign themselves empty passwords. CCE-80896-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Access via Empty Passwords block: 
@@ -272728,6 +272705,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_empty_passwords + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272798,29 +272798,6 @@ To explicitly disable GSSAPI authentication, add or correct the following line i applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. CCE-80897-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable GSSAPI Authentication block: 
@@ -272866,6 +272843,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_gssapi_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272948,29 +272948,6 @@ is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. CCE-80898-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable Kerberos Authentication block: 
@@ -273016,6 +272993,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_kerb_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -273039,29 +273039,6 @@ correct the following line in applications. Allowing PubkeyAuthentication authentication through SSH allows users to generate their own authentication tokens, increasing the attack surface of the system. CCE-82345-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PubkeyAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable PubkeyAuthentication Authentication block: 
@@ -273101,6 +273078,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_pubkey_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PubkeyAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -273221,29 +273221,6 @@ To explicitly disable support for .rhosts files, add or correct the following li SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. CCE-80899-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Support for .rhosts Files block: 
@@ -273290,6 +273267,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_rhosts + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273346,35 +273346,6 @@ necessary. assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. CCE-80900-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "no" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^RhostsRSAAuthentication\\>" "/etc/ssh/sshd_config"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^RhostsRSAAuthentication\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" -else - if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" - fi - cce="CCE-80900-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" - printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Support for Rhosts RSA Authentication block: 
@@ -273419,6 +273390,35 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_rhosts_rsa + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "no" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^RhostsRSAAuthentication\\>" "/etc/ssh/sshd_config"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^RhostsRSAAuthentication\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" +else + if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" + fi + cce="CCE-80900-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" + printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273591,29 +273591,6 @@ accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. CCE-80901-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Root Login block: @@ -273666,6 +273643,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_root_login + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273693,29 +273693,6 @@ see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar. Even though the communications channel may be encrypted, an additional layer of security is gained by preventing use of a password. This also helps to minimize direct attack attempts on root's password. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitRootLogin prohibit-password" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH root Login with a Password (Insecure) block: @@ -273754,6 +273731,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_root_password_login + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitRootLogin prohibit-password" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273776,29 +273776,6 @@ To disable TCP forwarding, add or correct the following line in 5.2.13 Leaving port forwarding enabled can expose the organization to security risks and back-doors. CCE-83301-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "AllowTcpForwarding no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH TCP Forwarding block: @@ -273839,6 +273816,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_tcp_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "AllowTcpForwarding no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273896,29 +273896,6 @@ To ensure this behavior is disabled, add or correct the following line in assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. CCE-80902-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Support for User Known Hosts block: @@ -273964,6 +273941,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_user_known_hosts + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274002,29 +274002,6 @@ users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. CCE-83360-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable X11 Forwarding block: @@ -274067,6 +274044,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_x11_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274128,29 +274128,6 @@ To explicitly disable Environment options, add or correct the following SSH environment options potentially allow users to bypass access restriction in some configurations. CCE-80903-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Do Not Allow SSH Environment Options block: @@ -274199,6 +274176,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_do_not_permit_user_env + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274226,29 +274226,6 @@ Kerberos implementations may be subject to exploitation. For enterprises, Kerberos is often enabled and used with GSSAPI for centralized user account management which may necessitate enabling of GSSAPI functionality in SSH. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "GSSAPIAuthentication yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable GSSAPI Authentication block: @@ -274287,6 +274264,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_gssapi_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "GSSAPIAuthentication yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274318,29 +274318,6 @@ important if you want to restrict access to services based off of IP, time or ot the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server. CCE-86721-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable PAM block: @@ -274381,6 +274358,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_pam + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274418,29 +274418,6 @@ A privileged account is defined as an information system account with authorizations of a privileged user. The DoD CAC with DoD-approved PKI is an example of multifactor authentication. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PubkeyAuthentication yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable Public Key Authentication block: @@ -274479,6 +274456,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_pubkey_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PubkeyAuthentication yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274569,29 +274569,6 @@ To explicitly enable StrictModes in SSH, add or correct t If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. CCE-80904-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable Use of Strict Mode Checking block: @@ -274636,6 +274613,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_strictmodes + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274716,29 +274716,6 @@ facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. CCE-80905-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable SSH Warning Banner block: @@ -274786,6 +274763,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274859,29 +274859,6 @@ facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. CCE-87978-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable SSH Warning Banner block: @@ -274927,6 +274904,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner_net + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274994,29 +274994,6 @@ To enable X11 Forwarding, add or correct the following line in Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands remotely. CCE-82421-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "X11Forwarding yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable Encrypted X11 Forwarding block: @@ -275060,6 +275037,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_x11_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "X11Forwarding yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275240,29 +275240,6 @@ To explicitly enable LastLog in SSH, add or correct the following line in Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. CCE-82281-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable SSH Print Last Log block: @@ -275305,6 +275282,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_print_last_log + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275336,35 +275336,6 @@ To decrease the default limits, add or correct the following line in time-based limit, effects of potential attacks against encryption keys are limited. CCE-82177-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rekey_limit_size='' -var_rekey_limit_time='' - - - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rekey_limit_size # promote to variable set_fact: var_rekey_limit_size: !!str 
@@ -275417,37 +275388,18 @@ fi - no_reboot_needed - sshd_rekey_limit - - - - - - - - - - - - Ensure SSH LoginGraceTime is configured - The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to -the SSH server. The longer the Grace period is the more open unauthenticated connections -can exist. Like other session controls in this session the Grace Period should be limited to -appropriate limits to ensure the service is available for needed access. - 2.2.6 - 5.2.19 - Setting the LoginGraceTime parameter to a low number will minimize the risk of successful -brute force attacks to the SSH server. It will also limit the number of concurrent -unauthenticated connections. - CCE-86551-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -var_sshd_set_login_grace_time='' +var_rekey_limit_size='' +var_rekey_limit_time='' + + if [ -e "/etc/ssh/sshd_config" ] ; then - LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config" + LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config" else touch "/etc/ssh/sshd_config" fi @@ -275456,7 +275408,7 @@ sed -i -e '$a\' "/etc/ssh/sshd_config" cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" # Insert at the beginning of the file -printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config" +printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config" cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" # Clean up after ourselves. rm "/etc/ssh/sshd_config.bak" 
@@ -275465,6 +275417,28 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + + Ensure SSH LoginGraceTime is configured + The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to +the SSH server. The longer the Grace period is the more open unauthenticated connections +can exist. Like other session controls in this session the Grace Period should be limited to +appropriate limits to ensure the service is available for needed access. + 2.2.6 + 5.2.19 + Setting the LoginGraceTime parameter to a low number will minimize the risk of successful +brute force attacks to the SSH server. It will also limit the number of concurrent +unauthenticated connections. + CCE-86551-9 - name: XCCDF Value var_sshd_set_login_grace_time # promote to variable set_fact: var_sshd_set_login_grace_time: !!str @@ -275511,6 +275485,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_login_grace_time + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_set_login_grace_time='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275544,29 +275544,6 @@ basic level that only records login activity of SSH users. In many situations, s Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. CCE-82282-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Set LogLevel to INFO block: @@ -275608,6 +275585,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_loglevel_info + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275644,29 +275644,6 @@ situations, such as Incident Response, it is important to determine when a parti on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. CCE-82420-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "LogLevel VERBOSE" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Set SSH Daemon LogLevel to VERBOSE block: @@ -275711,6 +275688,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_loglevel_verbose + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "LogLevel VERBOSE" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275745,32 +275745,6 @@ to set MaxAUthTries edit /etc/ssh/sshd_config as follows: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. CCE-83500-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -sshd_max_auth_tries_value='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value sshd_max_auth_tries_value # promote to variable set_fact: sshd_max_auth_tries_value: !!str 
@@ -275818,35 +275792,15 @@ fi - restrict_strategy - sshd_set_max_auth_tries - - - - - - - - - - - Set SSH MaxSessions limit - The MaxSessions parameter specifies the maximum number of open sessions permitted -from a given connection. To set MaxSessions edit -/etc/ssh/sshd_config as follows: MaxSessions - 2.2.6 - 5.2.18 - To protect a system from denial of service due to a large number of concurrent -sessions, use the rate limiting function of MaxSessions to protect availability -of sshd logins and prevent overwhelming the daemon. - CCE-83357-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -var_sshd_max_sessions='' +sshd_max_auth_tries_value='' if [ -e "/etc/ssh/sshd_config" ] ; then - LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config" + LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config" else touch "/etc/ssh/sshd_config" fi @@ -275855,7 +275809,7 @@ sed -i -e '$a\' "/etc/ssh/sshd_config" cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" # Insert at the beginning of the file -printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config" +printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config" cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" # Clean up after ourselves. rm "/etc/ssh/sshd_config.bak" 
@@ -275864,6 +275818,26 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Set SSH MaxSessions limit + The MaxSessions parameter specifies the maximum number of open sessions permitted +from a given connection. To set MaxSessions edit +/etc/ssh/sshd_config as follows: MaxSessions + 2.2.6 + 5.2.18 + To protect a system from denial of service due to a large number of concurrent +sessions, use the rate limiting function of MaxSessions to protect availability +of sshd logins and prevent overwhelming the daemon. + CCE-83357-4 - name: XCCDF Value var_sshd_max_sessions # promote to variable set_fact: var_sshd_max_sessions: !!str @@ -275910,6 +275884,32 @@ fi - medium_severity - no_reboot_needed - sshd_set_max_sessions + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_max_sessions='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275937,32 +275937,6 @@ dictated by site policy. authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon. CCE-90718-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_set_maxstartups='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_set_maxstartups # promote to variable set_fact: var_sshd_set_maxstartups: !!str @@ -276009,6 +275983,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_maxstartups + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_set_maxstartups='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276485,32 +276485,6 @@ SSH, add or correct the following line in the /etc/ssh/sshd_config CCE-80908-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_priv_separation='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_priv_separation # promote to variable set_fact: var_sshd_priv_separation: !!str @@ -276560,6 +276534,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_use_priv_separation + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_priv_separation='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276589,37 +276589,6 @@ plaintext padding and initialization vectors in encryption algorithms, and high- entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. CCE-82462-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/sysconfig/sshd" ] ; then - - LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd" -else - touch "/etc/sysconfig/sshd" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sysconfig/sshd" - -cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak" -# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'. -line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at - # the end of the file. - printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" -else - head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd" - printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" - tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd" -fi -# Clean up after ourselves. -rm "/etc/sysconfig/sshd.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in '/etc/sysconfig/sshd' block: 
@@ -276661,6 +276630,37 @@ fi - no_reboot_needed - restrict_strategy - sshd_use_strong_rng + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/sysconfig/sshd" ] ; then + + LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd" +else + touch "/etc/sysconfig/sshd" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sysconfig/sshd" + +cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak" +# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'. +line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at + # the end of the file. + printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" +else + head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd" + printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" + tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd" +fi +# Clean up after ourselves. +rm "/etc/sysconfig/sshd.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276696,29 +276696,6 @@ loopback address and sets the hostname part of the DISPLAY CCE-84058-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Prevent remote hosts from connecting to the proxy display block: @@ -276760,6 +276737,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_x11_use_localhost + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276838,21 +276838,13 @@ $ sudo yum install sssd-ipa sssd-ipa provides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server. CCE-82994-5 + +package --add=sssd-ipa + [[packages]] name = "sssd-ipa" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common; then - -if ! rpm -q --quiet "sssd-ipa" ; then - yum install -y "sssd-ipa" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_sssd-ipa @@ -276888,8 +276880,16 @@ class install_sssd-ipa { - no_reboot_needed - package_sssd-ipa_installed - -package --add=sssd-ipa + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +if ! rpm -q --quiet "sssd-ipa" ; then + yum install -y "sssd-ipa" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -276955,21 +276955,13 @@ $ sudo yum install sssd PR.AC-7 CCE-82444-1 + +package --add=sssd + [[packages]] name = "sssd" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common; then - -if ! rpm -q --quiet "sssd" ; then - yum install -y "sssd" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_sssd @@ -277007,8 +276999,16 @@ class install_sssd { - no_reboot_needed - package_sssd_installed - -package --add=sssd + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +if ! rpm -q --quiet "sssd" ; then + yum install -y "sssd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -277079,18 +277079,6 @@ The sssd service can be enabled with the following comman [customizations.services] enabled = ["sssd"] - - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'sssd.service' -"$SYSTEMCTL_EXEC" start 'sssd.service' -"$SYSTEMCTL_EXEC" enable 'sssd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_sssd @@ -277143,6 +277131,18 @@ class enable_sssd { - medium_severity - no_reboot_needed - service_sssd_enabled + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'sssd.service' +"$SYSTEMCTL_EXEC" start 'sssd.service' +"$SYSTEMCTL_EXEC" enable 'sssd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -277167,52 +277167,6 @@ multifactor solutions are checked via Online Certificate Status Protocol (OCSP). Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system. CCE-86120-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common; then - -var_sssd_certificate_verification_digest_function='' - - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf" - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then - sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then - sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -277289,6 +277243,52 @@ fi - medium_severity - no_reboot_needed - sssd_certificate_verification + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +var_sssd_certificate_verification_digest_function='' + + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf" + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then + sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then + sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -277516,89 +277516,6 @@ as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. CCE-80909-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then - sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth = True/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[pam\]" "$f"; then - sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth = True" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[pam]\npam_cert_auth = True" >> "$file" -fi - -umask $OLD_UMASK - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - authselect enable-feature with-smartcard - - authselect apply-changes -b -else - if ! 
grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth" - else - echo 'auth '"sufficient"' pam_sss.so' >> "/etc/pam.d/smartcard-auth" - fi - fi - # Check the option - if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then - sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth" - fi - if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth" - else - echo 'auth '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' pam_sss.so' >> "/etc/pam.d/system-auth" - fi - fi - # Check the option - if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then - sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -277951,6 +277868,89 @@ fi - medium_severity - no_reboot_needed - sssd_enable_smartcards + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then + sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth = True/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[pam\]" "$f"; then + sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth = True" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[pam]\npam_cert_auth = True" >> "$file" +fi + +umask $OLD_UMASK + + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + authselect enable-feature with-smartcard + + authselect apply-changes -b +else + if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then + # Line matching group + control + module was not found. Check group + module. 
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth" + else + echo 'auth '"sufficient"' pam_sss.so' >> "/etc/pam.d/smartcard-auth" + fi + fi + # Check the option + if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then + sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth" + fi + if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth" + else + echo 'auth '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' pam_sss.so' >> "/etc/pam.d/system-auth" + fi + fi + # Check the option + if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then + sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -278059,50 +278059,6 @@ memcache_timeout = CCE-80910-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_sssd_memcache_timeout='' - - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then - sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[nss\]" "$f"; then - sed -i "/[[:space:]]*\[nss\]/a memcache_timeout = $var_sssd_memcache_timeout" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278194,6 +278150,50 @@ fi - no_reboot_needed - sssd_memcache_timeout - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_sssd_memcache_timeout='' + + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then + sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[nss\]" "$f"; then + sed -i "/[[:space:]]*\[nss\]/a memcache_timeout = $var_sssd_memcache_timeout" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -278278,47 +278278,6 @@ offline_credentials_expiration = 1 authentication information may be questionable. CCE-82460-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then - sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration = 1/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[pam\]" "$f"; then - sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration = 1" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278409,6 +278368,47 @@ fi - medium_severity - no_reboot_needed - sssd_offline_cred_expiration + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then + sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration = 1/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[pam\]" "$f"; then + sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration = 1" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -278541,50 +278541,6 @@ ssh_known_hosts_timeout = CCE-82442-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_sssd_ssh_known_hosts_timeout='' - - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then - sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[ssh\]" "$f"; then - sed -i "/[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278676,6 +278632,50 @@ fi - no_reboot_needed - sssd_ssh_known_hosts_timeout - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_sssd_ssh_known_hosts_timeout='' + + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then + sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[ssh\]" "$f"; then + sed -i "/[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -278747,40 +278747,6 @@ to verify the hash information while maintaining the confidentiality of the key used to generate the hash. CCE-82456-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then - -var_sssd_ldap_tls_ca_dir='' - - -SSSD_CONF="/etc/sssd/sssd.conf" -LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir' -AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' -DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" - -# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. -# Try to find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to '$var_sssd_ldap_tls_ca_dir' -# if ldap_tls_cacertdir isn't here, add it -# if [domain/..] doesn't exist, add it here for default domain -if grep -qvzosP $AD_REGEX $SSSD_CONF; then - if grep -qzosP $LDAP_REGEX $SSSD_CONF; then - - sed -i "s#ldap_tls_cacertdir[^(\n)]*#ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir#" $SSSD_CONF - elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then - sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF - else - if test -f "$SSSD_CONF"; then - echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF - else - echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 - fi - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278899,49 +278865,30 @@ fi - sssd_ldap_configure_tls_ca_dir - unknown_strategy - - - - - - - - - - Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server - Configure SSSD to demand a valid certificate from the server to -protect the integrity of LDAP remote access sessions by setting -the ldap_tls_reqcert option in /etc/sssd/sssd.conf -to demand. - CCI-001453 - SC-12(3) - CM-6(a) - SRG-OS-000250-GPOS-00093 - Without a valid certificate presented to the LDAP client backend, the identity of a -server can be forged compromising LDAP remote access sessions. - - CCE-84062-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then +var_sssd_ldap_tls_ca_dir='' + + SSSD_CONF="/etc/sssd/sssd.conf" -LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert' +LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir' AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" # Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. -# Try to find [domain/..] and ldap_tls_reqcert in sssd.conf, if it exists, set to 'demand' -# if ldap_tls_reqcert isn't here, add it +# Try to find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to '$var_sssd_ldap_tls_ca_dir' +# if ldap_tls_cacertdir isn't here, add it # if [domain/..] 
doesn't exist, add it here for default domain if grep -qvzosP $AD_REGEX $SSSD_CONF; then if grep -qzosP $LDAP_REGEX $SSSD_CONF; then - sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" $SSSD_CONF + sed -i "s#ldap_tls_cacertdir[^(\n)]*#ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir#" $SSSD_CONF elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then - sed -i "/$DOMAIN_REGEX/a ldap_tls_reqcert = demand" $SSSD_CONF + sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF else if test -f "$SSSD_CONF"; then - echo -e "[domain/default]\nldap_tls_reqcert = demand" >> $SSSD_CONF + echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF else echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 fi @@ -278952,6 +278899,28 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server + Configure SSSD to demand a valid certificate from the server to +protect the integrity of LDAP remote access sessions by setting +the ldap_tls_reqcert option in /etc/sssd/sssd.conf +to demand. + CCI-001453 + SC-12(3) + CM-6(a) + SRG-OS-000250-GPOS-00093 + Without a valid certificate presented to the LDAP client backend, the identity of a +server can be forged compromising LDAP remote access sessions. + + CCE-84062-9 - name: Gather the package facts package_facts: manager: auto 
@@ -279064,6 +279033,37 @@ fi - no_reboot_needed - sssd_ldap_configure_tls_reqcert - unknown_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then + +SSSD_CONF="/etc/sssd/sssd.conf" +LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert' +AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' +DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" + +# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. +# Try to find [domain/..] and ldap_tls_reqcert in sssd.conf, if it exists, set to 'demand' +# if ldap_tls_reqcert isn't here, add it +# if [domain/..] doesn't exist, add it here for default domain +if grep -qvzosP $AD_REGEX $SSSD_CONF; then + if grep -qzosP $LDAP_REGEX $SSSD_CONF; then + + sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" $SSSD_CONF + elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then + sed -i "/$DOMAIN_REGEX/a ldap_tls_reqcert = demand" $SSSD_CONF + else + if test -f "$SSSD_CONF"; then + echo -e "[domain/default]\nldap_tls_reqcert = demand" >> $SSSD_CONF + else + echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 + fi + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -279181,37 +279181,6 @@ whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. CCE-82437-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then - -SSSD_CONF="/etc/sssd/sssd.conf" -LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls' -AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' -DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" - -# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. -# Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'true' -# if ldap_id_use_start_tls isn't here, add it -# if [domain/..] doesn't exist, add it here for default domain -if grep -qvzosP $AD_REGEX $SSSD_CONF; then - if grep -qzosP $LDAP_REGEX $SSSD_CONF; then - - sed -i "s#ldap_id_use_start_tls[^(\n)]*#ldap_id_use_start_tls = true#" $SSSD_CONF - elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then - sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = true" $SSSD_CONF - else - if test -f "$SSSD_CONF"; then - echo -e "[domain/default]\nldap_id_use_start_tls = true" >> $SSSD_CONF - else - echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 - fi - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -279329,6 +279298,37 @@ fi - no_reboot_needed - sssd_ldap_start_tls - unknown_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then + +SSSD_CONF="/etc/sssd/sssd.conf" +LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls' +AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' +DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" + +# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. +# Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'true' +# if ldap_id_use_start_tls isn't here, add it +# if [domain/..] doesn't exist, add it here for default domain +if grep -qvzosP $AD_REGEX $SSSD_CONF; then + if grep -qzosP $LDAP_REGEX $SSSD_CONF; then + + sed -i "s#ldap_id_use_start_tls[^(\n)]*#ldap_id_use_start_tls = true#" $SSSD_CONF + elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then + sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = true" $SSSD_CONF + else + if test -f "$SSSD_CONF"; then + echo -e "[domain/default]\nldap_id_use_start_tls = true" >> $SSSD_CONF + else + echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 + fi + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
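Review bot: the `sed -i "s#ldap_id_use_start_tls[^(\n)]*#ldap_id_use_start_tls = true#"` branch only rewrites occurrences that already exist, so on a multi-domain `sssd.conf` where one `[domain/...]` section has the key and another does not, the second section is left without `ldap_id_use_start_tls = true` even though `LDAP_REGEX` matched; the `elif` branch has the opposite behaviour and appends the setting after every `[domain/...]` header. Consider iterating over the domain sections and applying the set-or-add logic per section so all non-AD domains end up with the value.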
@@ -279360,21 +279360,23 @@ $ sudo yum install usbguard against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes. CCE-82959-8 + +package --add=usbguard + [[packages]] name = "usbguard" version = "*" - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -if ! rpm -q --quiet "usbguard" ; then - yum install -y "usbguard" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + extensions: + - usbguard include install_usbguard @@ -279402,18 +279404,16 @@ class install_usbguard { - no_reboot_needed - package_usbguard_installed - -package --add=usbguard - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - extensions: - - usbguard + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +if ! rpm -q --quiet "usbguard" ; then + yum install -y "usbguard" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -279444,17 +279444,20 @@ enforce the USB device authorization policy for all USB devices. - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'usbguard.service' -"$SYSTEMCTL_EXEC" start 'usbguard.service' -"$SYSTEMCTL_EXEC" enable 'usbguard.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: usbguard.service + enabled: true include enable_usbguard @@ -279494,20 +279497,17 @@ class enable_usbguard { - no_reboot_needed - service_usbguard_enabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - annotations: - complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: usbguard.service - enabled: true + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'usbguard.service' +"$SYSTEMCTL_EXEC" start 'usbguard.service' +"$SYSTEMCTL_EXEC" enable 'usbguard.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
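Review bot: the bash remediation moved here runs `"$SYSTEMCTL_EXEC" start 'usbguard.service'` immediately, and the daemon configuration added at `@@ -279537` below ships `ImplicitPolicyTarget=block`, so starting the service on a host that has no allow rules yet can deauthorize the keyboard (the `usbguard_allow_hid` rule text below says exactly that). The MachineConfig variant declares `complianceascode.io/depends-on` only on the package rule; declaring the dependency on the rules/policy rules as well, and ordering the bash fixes the same way, would avoid locking out the console.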
@@ -279537,6 +279537,25 @@ needs to be set to LinuxAudit. of events. CCE-82168-6 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed + complianceascode.io/ocp-version: '>=4.7.0' +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3Dblock%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%
23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are
%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20state%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20manager%20backend%0A%23%0A%23%20Which%20device%20manager%20b
ackend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20umockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20interpreted%20by%20the%20daemon%0A%23%20as%20access%20contr
ol%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20and%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%0A%23%0A%23%20Hides%20personally%20identifiable%20informati
on%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }} + mode: 0600 + path: /etc/usbguard/usbguard-daemon.conf + overwrite: true + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ) && { rpm --quiet -q usbguard; }; then 
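Review bot: the usbguard-daemon.conf embedded in this MachineConfig sets `IPCAllowedGroups=wheel`, which, per the config's own WARNING block, lets every member of wheel modify the rule set and (de)authorize USB devices over IPC; for a hardening profile consider limiting IPC to `IPCAllowedUsers=root` or documenting why wheel is acceptable. `mode: 0600` and `RestoreControllerDeviceState=false` are the right choices. Because the whole file is a single percent-encoded `data:` URL, a rendered diff of it is effectively unreviewable; carrying a plain-text copy in the rule description would help reviewers.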
@@ -279558,25 +279577,6 @@ rm "/etc/usbguard/usbguard-daemon.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - annotations: - complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed - complianceascode.io/ocp-version: '>=4.7.0' -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3D
block%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dap
ply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20state%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20m
anager%20backend%0A%23%0A%23%20Which%20device%20manager%20backend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20umockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20
interpreted%20by%20the%20daemon%0A%23%20as%20access%20control%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20and%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%
0A%23%0A%23%20Hides%20personally%20identifiable%20information%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }} - mode: 0600 - path: /etc/usbguard/usbguard-daemon.conf - overwrite: true @@ -279598,18 +279598,6 @@ to /etc/usbguard/rules.conf. Without allowing Human Interface Devices, it might not be possible to interact with the system. CCE-82274-2 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -# path of file with Usbguard rules -rulesfile="/etc/usbguard/rules.conf" - -echo "allow with-interface match-all { 03:*:* }" >> $rulesfile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Allow HID devices lineinfile: path: /etc/usbguard/rules.conf @@ -279626,6 +279614,18 @@ fi - medium_severity - no_reboot_needed - usbguard_allow_hid + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +# path of file with Usbguard rules +rulesfile="/etc/usbguard/rules.conf" + +echo "allow with-interface match-all { 03:*:* }" >> $rulesfile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
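Review bot: in the `usbguard_allow_hid` bash hunk at `@@ -279626`, `echo "allow with-interface match-all { 03:*:* }" >> $rulesfile` appends unconditionally, so every re-run duplicates the rule, whereas the Ansible task beside it uses `lineinfile` and is idempotent. Guard the append with `grep -qxF 'allow with-interface match-all { 03:*:* }' "$rulesfile" ||` and quote `$rulesfile`; the same applies to the `usbguard_allow_hub` and `usbguard_allow_hid_and_hub` bash fixes below.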
@@ -279650,14 +279650,23 @@ to /etc/usbguard/rules.conf. to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system. CCE-82368-2 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }} + mode: 0600 + path: /etc/usbguard/rules.d/75-hid-and-hub.conf + overwrite: true - name: Allow HID devices and hubs lineinfile: @@ -279678,23 +279687,14 @@ fi - no_reboot_needed - usbguard_allow_hid_and_hub - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - annotations: - complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }} - mode: 0600 - path: /etc/usbguard/rules.d/75-hid-and-hub.conf - overwrite: true + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
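Review bot: the two remediations in this hunk pair target different files: bash appends to `/etc/usbguard/rules.conf`, while the MachineConfig writes `/etc/usbguard/rules.d/75-hid-and-hub.conf`, which the daemon only reads when `RuleFolder` points at `/etc/usbguard/rules.d/` (set by the daemon.conf MachineConfig above). The `depends-on` annotation names only the package rule; add the daemon-configuration rule as well so the drop-in file is not silently ignored when that setting is absent.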
@@ -279715,15 +279715,6 @@ to /etc/usbguard/rules.conf. Without allowing hubs, it might not be possible to use any USB devices on the system. CCE-82273-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -echo "allow with-interface match-all { 09:00:* }" >> /etc/usbguard/rules.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Allow hubs lineinfile: path: /etc/usbguard/rules.conf @@ -279740,6 +279731,15 @@ fi - medium_severity - no_reboot_needed - usbguard_allow_hub + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +echo "allow with-interface match-all { 09:00:* }" >> /etc/usbguard/rules.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -279765,36 +279765,6 @@ devices. The usbguard must be configured to allow connected USB devices to work properly, avoiding the system to become inaccessible. CCE-83774-0 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -if rpm --quiet -q usbguard -then - USBGUARD_CONF=/etc/usbguard/rules.conf - if [ ! -f "$USBGUARD_CONF" ] || [ ! -s "$USBGUARD_CONF" ]; then - usbguard generate-policy > $USBGUARD_CONF - if [ ! -s "$USBGUARD_CONF" ]; then - # make sure OVAL check doesn't fail on systems where - # generate-policy doesn't find any USB devices (for - # example a system might not have a USB bus) - echo "# No USB devices found" > $USBGUARD_CONF - fi - # make sure it has correct permissions - chmod 600 $USBGUARD_CONF - - SYSTEMCTL_EXEC='/usr/bin/systemctl' - "$SYSTEMCTL_EXEC" unmask 'usbguard.service' - "$SYSTEMCTL_EXEC" restart 'usbguard.service' - "$SYSTEMCTL_EXEC" enable 'usbguard.service' - fi -else - echo "USBGuard is not installed. No remediation was applied!" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -279862,6 +279832,36 @@ fi - medium_severity - no_reboot_needed - usbguard_generate_policy + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +if rpm --quiet -q usbguard +then + USBGUARD_CONF=/etc/usbguard/rules.conf + if [ ! -f "$USBGUARD_CONF" ] || [ ! -s "$USBGUARD_CONF" ]; then + usbguard generate-policy > $USBGUARD_CONF + if [ ! -s "$USBGUARD_CONF" ]; then + # make sure OVAL check doesn't fail on systems where + # generate-policy doesn't find any USB devices (for + # example a system might not have a USB bus) + echo "# No USB devices found" > $USBGUARD_CONF + fi + # make sure it has correct permissions + chmod 600 $USBGUARD_CONF + + SYSTEMCTL_EXEC='/usr/bin/systemctl' + "$SYSTEMCTL_EXEC" unmask 'usbguard.service' + "$SYSTEMCTL_EXEC" restart 'usbguard.service' + "$SYSTEMCTL_EXEC" enable 'usbguard.service' + fi +else + echo "USBGuard is not installed. No remediation was applied!" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -279933,18 +279933,8 @@ continuing installation. Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. CCE-82757-6 - -# CAUTION: This remediation script will remove xorg-x11-server-common -# from the system, and may remove any packages -# that depend on xorg-x11-server-common. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "xorg-x11-server-common" ; then - - yum remove -y "xorg-x11-server-common" - -fi + +package --remove=xorg-x11-server-common include remove_xorg-x11-server-common 
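Review bot: in the `usbguard_generate_policy` bash hunk, `usbguard generate-policy > $USBGUARD_CONF` creates the file under the caller's umask and only afterwards runs `chmod 600`, so the generated policy (which carries device serials and descriptor hashes) is briefly world-readable by default. Create it with the right mode up front (`umask 077` before the redirect, or `install -m 600 /dev/null "$USBGUARD_CONF"` first). Note also that the `unmask`/`restart`/`enable` of `usbguard.service` sits inside the `if [ ! -f ... ] || [ ! -s ... ]` branch, so a host that already has a non-empty rules file gets no service change from this fix; that is fine given `service_usbguard_enabled`, but a comment saying so would avoid confusion.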
@@ -279970,8 +279960,18 @@ class remove_xorg-x11-server-common { - no_reboot_needed - package_xorg-x11-server-common_removed - -package --remove=xorg-x11-server-common + +# CAUTION: This remediation script will remove xorg-x11-server-common +# from the system, and may remove any packages +# that depend on xorg-x11-server-common. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "xorg-x11-server-common" ; then + + yum remove -y "xorg-x11-server-common" + +fi @@ -280009,6 +280009,28 @@ X11 graphic libraries are dependency of OpenStack Cinderlib storage provider. CCE-83411-9 + +package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland + + - name: Ensure xorg packages are removed + package: + name: + - xorg-x11-server-Xorg + - xorg-x11-server-common + - xorg-x11-server-utils + - xorg-x11-server-Xwayland + state: absent + tags: + - CCE-83411-9 + - DISA-STIG-RHEL-08-040320 + - NIST-800-53-CM-6(b) + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + - xwindows_remove_packages + # remove packages @@ -280033,28 +280055,6 @@ if rpm -q --quiet "xorg-x11-server-Xwayland" ; then yum remove -y "xorg-x11-server-Xwayland" fi - - - name: Ensure xorg packages are removed - package: - name: - - xorg-x11-server-Xorg - - xorg-x11-server-common - - xorg-x11-server-utils - - xorg-x11-server-Xwayland - state: absent - tags: - - CCE-83411-9 - - DISA-STIG-RHEL-08-040320 - - NIST-800-53-CM-6(b) - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - - xwindows_remove_packages - - -package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland 
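Review bot: the reboot metadata is inconsistent between the two package-removal rules in this hunk: `package_xorg-x11-server-common_removed` is tagged `no_reboot_needed`, while `xwindows_remove_packages`, which removes the same xorg-x11-server-common package together with xorg-x11-server-Xorg, xorg-x11-server-utils and xorg-x11-server-Xwayland, is tagged `reboot_required`. Removing the same package cannot both require and not require a reboot; a running display server keeps its mapped files until restart, so `reboot_required` is the conservative choice for a graphical target, and the tags should be aligned. The `yum remove -y` calls also remove dependents, as the CAUTION comment in the bash script warns, but the Ansible `package: ... state: absent` task has the same effect and carries no such warning, so the caution belongs in the rule description rather than only in the bash remediation.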
@@ -280115,15 +280115,6 @@ long history of security vulnerabilities and should not be used unless approved and documented. CCE-83380-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -systemctl set-default multi-user.target - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Switch to multi-user runlevel file: src: /usr/lib/systemd/system/multi-user.target @@ -280143,6 +280134,15 @@ fi - reboot_required - restrict_strategy - xwindows_runlevel_target + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +systemctl set-default multi-user.target + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -280274,13 +280274,13 @@ which the system will be deployed as closely as possible. - + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-20T00:06:14 + 2023-11-21T00:06:13 
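Review bot: the final hunk here is the only substantive change in the file so far: `2023-11-20T00:06:14` becomes `2023-11-21T00:06:13` in the combine_ovals.py generator timestamp, and the build_shorthand.py timestamp changes the same way in the next hunk. Embedding the build time in the published datastream guarantees a non-empty commit every day even when the content is unchanged and makes the artifact non-reproducible; derive the timestamp from the source (for example the commit date via SOURCE_DATE_EPOCH) or drop it from the tracked file. The xwindows_runlevel_target hunks above are again a pure swap of the `systemctl set-default multi-user.target` bash block and the `file: src: /usr/lib/systemd/system/multi-user.target` Ansible task, with no change in either.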
@@ -345554,2329 +345554,2341 @@ which the system will be deployed as closely as possible. - + build_shorthand.py from SCAP Security Guide ssg: 0.1.71 2.0 - 2023-11-20T00:06:34 + 2023-11-21T00:06:34 - - Uninstall httpd Package + + Ensure network interfaces are assigned to appropriate zone - ocil:ssg-package_httpd_removed_action:testaction:1 + ocil:ssg-set_firewalld_appropriate_zone_action:testaction:1 - - Disable the authlogin_radius SELinux Boolean + + Verify that audit tools are owned by root - ocil:ssg-sebool_authlogin_radius_action:testaction:1 + ocil:ssg-file_ownership_audit_binaries_action:testaction:1 - - Verify that Shared Library Directories Have Root Group Ownership + + Stack Protector buffer overlow detection - ocil:ssg-dir_group_ownership_library_dirs_action:testaction:1 + ocil:ssg-kernel_config_stackprotector_action:testaction:1 - - Record Attempts to Alter Time Through stime + + Disable the xguest_mount_media SELinux Boolean - ocil:ssg-audit_rules_time_stime_action:testaction:1 + ocil:ssg-sebool_xguest_mount_media_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_update + + Install libselinux Package - ocil:ssg-audit_rules_privileged_commands_unix_update_action:testaction:1 + ocil:ssg-package_libselinux_installed_action:testaction:1 - - Verify Group Ownership of System Login Banner + + Verify User Who Owns gshadow File - ocil:ssg-file_groupowner_etc_issue_action:testaction:1 + ocil:ssg-file_owner_etc_gshadow_action:testaction:1 - - Disable the httpd_run_ipa SELinux Boolean + + Ensure SSH LoginGraceTime is configured - ocil:ssg-sebool_httpd_run_ipa_action:testaction:1 + ocil:ssg-sshd_set_login_grace_time_action:testaction:1 - - Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE + + Disable the cobbler_use_cifs SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 + 
ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1 - - Only Authorized Local User Accounts Exist on Operating System + + Verify Only Root Has UID 0 - ocil:ssg-accounts_authorized_local_users_action:testaction:1 + ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 - - Verify Owner on SSH Server config file + + Configure Polyinstantiation of /var/tmp Directories - ocil:ssg-file_owner_sshd_config_action:testaction:1 + ocil:ssg-accounts_polyinstantiated_var_tmp_action:testaction:1 - - Enable the staff_exec_content SELinux Boolean + + Prevent user from disabling the screen lock - ocil:ssg-sebool_staff_exec_content_action:testaction:1 + ocil:ssg-no_tmux_in_shells_action:testaction:1 - - Enable checks on notifier call chains + + All GIDs referenced in /etc/passwd must be defined in /etc/group - ocil:ssg-kernel_config_debug_notifiers_action:testaction:1 + ocil:ssg-gid_passwd_group_same_action:testaction:1 - - Disable Full User Name on Splash Shield + + Add nosuid Option to /srv - ocil:ssg-dconf_gnome_screensaver_user_info_action:testaction:1 + ocil:ssg-mount_option_srv_nosuid_action:testaction:1 - - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension + + Disable the racoon_read_shadow SELinux Boolean - ocil:ssg-httpd_nipr_accredited_dmz_action:testaction:1 + ocil:ssg-sebool_racoon_read_shadow_action:testaction:1 - - Disable kexec system call + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp - ocil:ssg-kernel_config_kexec_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 - - Strong Stack Protector + + Disable the virt_use_xserver SELinux Boolean - ocil:ssg-kernel_config_stackprotector_strong_action:testaction:1 + ocil:ssg-sebool_virt_use_xserver_action:testaction:1 - - Disable the mozilla_plugin_use_bluejeans SELinux Boolean + + Remove Write Permissions From Filesystem Paths And Server Scripts - 
ocil:ssg-sebool_mozilla_plugin_use_bluejeans_action:testaction:1 + ocil:ssg-httpd_configure_script_permissions_action:testaction:1 - - Configure auditing of unsuccessful file modifications + + Uninstall tuned Package - ocil:ssg-audit_modify_failed_action:testaction:1 + ocil:ssg-package_tuned_removed_action:testaction:1 - - Add noexec Option to /var/log/audit + + Ignore HTTPD .htaccess Files - ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1 + ocil:ssg-httpd_ignore_htaccess_files_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - poweroff + + Disable Cockpit Management Server - ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1 + ocil:ssg-service_cockpit_disabled_action:testaction:1 - - Enable seccomp to safely compute untrusted bytecode + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-kernel_config_seccomp_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Enable the SSSD Service + + Disable the exim_manage_user_files SELinux Boolean - ocil:ssg-service_sssd_enabled_action:testaction:1 + ocil:ssg-sebool_exim_manage_user_files_action:testaction:1 - - Disable the neutron_can_network SELinux Boolean + + Install the opensc Package For Multifactor Authentication - ocil:ssg-sebool_neutron_can_network_action:testaction:1 + ocil:ssg-package_opensc_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Ensure zIPL bootmap is up to date - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 - - Record Successful Access Attempts to Files - truncate + + Enable Kernel Parameter to Enforce DAC on Hardlinks - ocil:ssg-audit_rules_successful_file_modification_truncate_action:testaction:1 + ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 - - Ensure /boot Located On Separate Partition + + 
Ensure All Groups on the System Have Unique Group ID - ocil:ssg-partition_for_boot_action:testaction:1 + ocil:ssg-group_unique_id_action:testaction:1 - - Mount Remote Filesystems with noexec + + Ensure All-Squashing Disabled On All Exports - ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1 + ocil:ssg-no_all_squash_exports_action:testaction:1 - - Install the Samba Common Package + + Ensure Web Content Located on Separate partition - ocil:ssg-package_samba-common_installed_action:testaction:1 + ocil:ssg-partition_for_web_content_action:testaction:1 - - Disable the secure_mode SELinux Boolean + + Account Lockouts Must Persist - ocil:ssg-sebool_secure_mode_action:testaction:1 + ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Configure dnf-automatic to Install Only Security Updates + + Add nosuid Option to /var/tmp - ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1 + ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1 - - Disable the spamassassin_can_network SELinux Boolean + + Modify the System Login Banner for Remote Connections - ocil:ssg-sebool_spamassassin_can_network_action:testaction:1 + ocil:ssg-banner_etc_issue_net_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Configure the polyinstantiation_enabled SELinux Boolean - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 - - Disable the cobbler_use_cifs SELinux Boolean + + Verify Owner on SSH Server config file - ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1 + ocil:ssg-file_owner_sshd_config_action:testaction:1 - - Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean + + Disable the 
virt_sandbox_use_mknod SELinux Boolean - ocil:ssg-sebool_polipo_session_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_mknod_action:testaction:1 - - Disable GDM Automatic Login + + Record Attempts to Alter the localtime File - ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1 + ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 - - Disable the mozilla_plugin_use_spice SELinux Boolean + + Disable the zoneminder_run_sudo SELinux Boolean - ocil:ssg-sebool_mozilla_plugin_use_spice_action:testaction:1 + ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1 - - Assign Expiration Date to Emergency Accounts + + Ensure /opt Located On Separate Partition - ocil:ssg-account_emergency_expire_date_action:testaction:1 + ocil:ssg-partition_for_opt_action:testaction:1 - - Verify Permissions on Backup passwd File + + Enable the GNOME3 Login Smartcard Authentication - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 - - Configure Logind to terminate idle sessions after certain time of inactivity + + Enable the antivirus_can_scan_system SELinux Boolean - ocil:ssg-logind_session_timeout_action:testaction:1 + ocil:ssg-sebool_antivirus_can_scan_system_action:testaction:1 - - Disable vsyscall mapping + + Ensure auditd Collects Information on the Use of Privileged Commands - crontab - ocil:ssg-kernel_config_legacy_vsyscall_none_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User + + Enforce pam_faillock for Local Accounts Only - ocil:ssg-audit_rules_file_deletion_events_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_enforce_local_action:testaction:1 - - Ensure gpgcheck Enabled for Local Packages + + Verify the UEFI Boot Loader grub.cfg Group Ownership - ocil:ssg-ensure_gpgcheck_local_packages_action:testaction:1 + 
ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1 - - Disable kernel debugfs + + Disable the abrt_handle_event SELinux Boolean - ocil:ssg-kernel_config_debug_fs_action:testaction:1 + ocil:ssg-sebool_abrt_handle_event_action:testaction:1 - - Disable the cluster_can_network_connect SELinux Boolean + + Disable the squid_connect_any SELinux Boolean - ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 + ocil:ssg-sebool_squid_connect_any_action:testaction:1 - - Disable SSH Support for Rhosts RSA Authentication + + Record Unsuccessful Access Attempts to Files - creat - ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 - - Enable Certmap in SSSD + + Ensure nss-tools is installed - ocil:ssg-sssd_enable_certmap_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Verify iptables Enabled + + Disable the ftpd_connect_all_unreserved SELinux Boolean - ocil:ssg-service_iptables_enabled_action:testaction:1 + ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1 - - Ensure All SGID Executables Are Authorized + + Install usbguard Package - ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1 + ocil:ssg-package_usbguard_installed_action:testaction:1 - - Remove the X Windows Package Group + + All Interactive Users Must Have A Home Directory Defined - ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 + ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1 - - Enable Transport Layer Security (TLS) Encryption + + Authorize USB hubs in USBGuard daemon - ocil:ssg-httpd_configure_tls_action:testaction:1 + ocil:ssg-usbguard_allow_hub_action:testaction:1 - - Disable Printer Browsing Entirely if Possible + + Disable the exim_can_connect_db SELinux Boolean - ocil:ssg-cups_disable_browsing_action:testaction:1 + ocil:ssg-sebool_exim_can_connect_db_action:testaction:1 - - Configure SSH to use System 
Crypto Policy + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - SSH client uses strong entropy to seed (Bash-like shells) + + Record Any Attempts to Run seunshare - ocil:ssg-ssh_client_use_strong_rng_sh_action:testaction:1 + ocil:ssg-audit_rules_execution_seunshare_action:testaction:1 - - Install subscription-manager Package + + Configure auditd mail_acct Action on Low Disk Space - ocil:ssg-package_subscription-manager_installed_action:testaction:1 + ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 - - Configure the confidence in TPM for entropy + + Set Existing Passwords Minimum Age - ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1 + ocil:ssg-accounts_password_set_min_life_existing_action:testaction:1 - - Configure Speculative Store Bypass Mitigation + + Enable GNOME3 Screensaver Lock After Idle Period - ocil:ssg-grub2_spec_store_bypass_disable_argument_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 - - Disable the selinuxuser_execstack SELinux Boolean + + The web server password(s) must be entrusted to the SA or Web Manager - ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1 + ocil:ssg-httpd_entrust_passwords_action:testaction:1 - - Disable the dhcpc_exec_iptables SELinux Boolean + + Ensure auditd Collects System Administrator Actions - ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 + ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 - - Install usbguard Package + + Ensure all zIPL boot entries are BLS compliant - ocil:ssg-package_usbguard_installed_action:testaction:1 + ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Enable poison without sanity check - 
ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 + ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1 - - Disable the xserver_execmem SELinux Boolean + + Configure CA certificate for rsyslog remote logging - ocil:ssg-sebool_xserver_execmem_action:testaction:1 + ocil:ssg-rsyslog_remote_tls_cacert_action:testaction:1 - - Uninstall abrt-cli Package + + Disable the pppd_can_insmod SELinux Boolean - ocil:ssg-package_abrt-cli_removed_action:testaction:1 + ocil:ssg-sebool_pppd_can_insmod_action:testaction:1 - - Verify that system commands files are group owned by root or a system account + + Record Successful Access Attempts to Files - openat - ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1 - - Add nodev Option to Removable Media Partitions + + Configure Periodic Execution of AIDE - ocil:ssg-mount_option_nodev_removable_partitions_action:testaction:1 + ocil:ssg-aide_periodic_cron_checking_action:testaction:1 - - Disable the CUPS Service + + Uninstall talk Package - ocil:ssg-service_cups_disabled_action:testaction:1 + ocil:ssg-package_talk_removed_action:testaction:1 - - Disable Kernel iwlwifi Module + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Disable the virt_sandbox_use_netlink SELinux Boolean + + Enable FIPS Mode - ocil:ssg-sebool_virt_sandbox_use_netlink_action:testaction:1 + ocil:ssg-enable_fips_mode_action:testaction:1 - - Restrict Serial Port Root Logins + + Remove the X Windows Package Group - ocil:ssg-restrict_serial_port_logins_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Set SSH MaxSessions limit + + Install subscription-manager Package - ocil:ssg-sshd_set_max_sessions_action:testaction:1 + 
ocil:ssg-package_subscription-manager_installed_action:testaction:1 - - Record Successful Ownership Changes to Files - chown + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow - ocil:ssg-audit_rules_successful_file_modification_chown_action:testaction:1 + ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1 - - Verify ownership of System Login Banner for Remote Connections + + Configure OpenSSL library to use System Crypto Policy - ocil:ssg-file_owner_etc_issue_net_action:testaction:1 + ocil:ssg-configure_openssl_crypto_policy_action:testaction:1 - - Configure audispd's Plugin network_failure_action On Network Failure + + Implement Blank Screensaver - ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1 - - Enforce Usage of pam_wheel with Group Parameter for su Authentication + + Disable the mozilla_plugin_can_network_connect SELinux Boolean - ocil:ssg-use_pam_wheel_group_for_su_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_can_network_connect_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fchmodat + + Disable the polipo_session_users SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 + ocil:ssg-sebool_polipo_session_users_action:testaction:1 - - Disable Client Dynamic DNS Updates + + Uninstall telnet-server Package - ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 + ocil:ssg-package_telnet-server_removed_action:testaction:1 - - Disable the use_lpd_server SELinux Boolean + + Log USBGuard daemon audit events using Linux Audit - ocil:ssg-sebool_use_lpd_server_action:testaction:1 + ocil:ssg-configure_usbguard_auditbackend_action:testaction:1 - - Unmap kernel when running in userspace (aka KAISER) + + OpenSSL uses strong entropy source - ocil:ssg-kernel_config_unmap_kernel_at_el0_action:testaction:1 + 
ocil:ssg-openssl_use_strong_entropy_action:testaction:1 - - Use Only FIPS 140-2 Validated MACs + + Ensure SELinux is Not Disabled - ocil:ssg-sshd_use_approved_macs_action:testaction:1 + ocil:ssg-selinux_not_disabled_action:testaction:1 - - Ensure there are no legacy + NIS entries in /etc/passwd + + Direct root Logins Not Allowed - ocil:ssg-no_legacy_plus_entries_etc_passwd_action:testaction:1 + ocil:ssg-no_direct_root_logins_action:testaction:1 - - Disable the daemons_use_tcp_wrapper SELinux Boolean + + Verify permissions on System Login Banner - ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1 + ocil:ssg-file_permissions_etc_issue_action:testaction:1 - - Install the psacct package + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-package_psacct_installed_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable Quota Netlink (quota_nld) - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-service_quota_nld_disabled_action:testaction:1 - - Add noexec Option to /dev/shm + + Disable legacy (BSD) PTY support - ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1 + ocil:ssg-kernel_config_legacy_ptys_action:testaction:1 - - All Interactive Users Home Directories Must Exist + + Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config - ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1 + ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_action:testaction:1 - - Verify Permissions on cron.daily + + Disable the telepathy_connect_all_ports SELinux Boolean - ocil:ssg-file_permissions_cron_daily_action:testaction:1 + ocil:ssg-sebool_telepathy_connect_all_ports_action:testaction:1 - - Verify permissions on System Login Banner for Remote Connections + + Disable the Automounter - ocil:ssg-file_permissions_etc_issue_net_action:testaction:1 + 
ocil:ssg-service_autofs_disabled_action:testaction:1 - - Authorize Human Interface Devices and USB hubs in USBGuard daemon + + Verify Permissions on crontab - ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 + ocil:ssg-file_permissions_crontab_action:testaction:1 - - Install Virus Scanning Software + + Disable PubkeyAuthentication Authentication - ocil:ssg-install_antivirus_action:testaction:1 + ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure debug-shell service is not enabled during boot - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-grub2_systemd_debug-shell_argument_absent_action:testaction:1 - - Configure basic parameters of Audit system + + Configure auditd Disk Full Action when Disk Space Is Full - ocil:ssg-audit_basic_configuration_action:testaction:1 + ocil:ssg-auditd_data_disk_full_action_action:testaction:1 - - Configure SSSD LDAP Backend to Use TLS For All Transactions + + Ensure All SGID Executables Are Authorized - ocil:ssg-sssd_ldap_start_tls_action:testaction:1 + ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1 - - Ensure /var/log/audit Located On Separate Partition + + Disable the cron_system_cronjob_use_shares SELinux Boolean - ocil:ssg-partition_for_var_log_audit_action:testaction:1 + ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 - - Verify ip6tables Enabled if Using IPv6 + + Enable the dbadm_exec_content SELinux Boolean - ocil:ssg-service_ip6tables_enabled_action:testaction:1 + ocil:ssg-sebool_dbadm_exec_content_action:testaction:1 - - Disable storing core dumps + + Configure audispd's Plugin disk_full_action When Disk Is Full - ocil:ssg-sysctl_kernel_core_pattern_action:testaction:1 + ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1 - - Disable the prosody_bind_http_port SELinux Boolean + + Enable log_config_module For HTTPD Logging - ocil:ssg-sebool_prosody_bind_http_port_action:testaction:1 + 
ocil:ssg-httpd_enable_log_config_action:testaction:1 - - Support session locking with tmux (not enforcing) + + Disable the cups_execmem SELinux Boolean - ocil:ssg-configure_bashrc_tmux_action:testaction:1 + ocil:ssg-sebool_cups_execmem_action:testaction:1 - - Verify File Hashes with RPM + + Disable the webadm_read_user_files SELinux Boolean - ocil:ssg-rpm_verify_hashes_action:testaction:1 + ocil:ssg-sebool_webadm_read_user_files_action:testaction:1 - - Enable SLUB/SLAB allocator poisoning in zIPL + + Uninstall avahi Server Package - ocil:ssg-zipl_slub_debug_argument_action:testaction:1 + ocil:ssg-package_avahi_removed_action:testaction:1 - - Enable SSH Print Last Log + + Disable the httpd_can_network_connect_cobbler SELinux Boolean - ocil:ssg-sshd_print_last_log_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_connect_cobbler_action:testaction:1 - - A private web server must be located on a separate controlled access subnet + + Verify All Account Password Hashes are Shadowed with SHA512 - ocil:ssg-httpd_private_server_on_separate_subnet_action:testaction:1 + ocil:ssg-accounts_password_all_shadowed_sha512_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Disable the httpd_use_sasl SELinux Boolean - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sebool_httpd_use_sasl_action:testaction:1 - - Disable the postgresql_can_rsync SELinux Boolean + + Disable KDump Kernel Crash Analyzer (kdump) - ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1 + ocil:ssg-service_kdump_disabled_action:testaction:1 - - Verify Group Ownership of Message of the Day Banner + + Disable debug-shell SystemD Service - ocil:ssg-file_groupowner_etc_motd_action:testaction:1 + ocil:ssg-service_debug-shell_disabled_action:testaction:1 - - Verify User Who Owns Backup group File + + Virus Scanning Software Definitions Are Updated - ocil:ssg-file_owner_backup_etc_group_action:testaction:1 + 
ocil:ssg-mcafee_antivirus_definitions_updated_action:testaction:1 - - Disable the polipo_use_nfs SELinux Boolean + + Audit Tools Must Be Owned by Root - ocil:ssg-sebool_polipo_use_nfs_action:testaction:1 + ocil:ssg-file_audit_tools_ownership_action:testaction:1 - - Trigger a kernel BUG when data corruption is detected + + Prevent Unrestricted Mail Relaying - ocil:ssg-kernel_config_bug_on_data_corruption_action:testaction:1 + ocil:ssg-postfix_prevent_unrestricted_relay_action:testaction:1 - - Enable the selinuxuser_execmod SELinux Boolean + + Enable use of Berkeley Packet Filter with seccomp - ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1 + ocil:ssg-kernel_config_seccomp_filter_action:testaction:1 - - Configure Periodic Execution of AIDE + + Verify Group Who Owns Backup gshadow File - ocil:ssg-aide_periodic_cron_checking_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 - - Disable the glance_use_fusefs SELinux Boolean + + Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean - ocil:ssg-sebool_glance_use_fusefs_action:testaction:1 + ocil:ssg-sebool_postgresql_selinux_unconfined_dbadm_action:testaction:1 - - Web Content Directories Must Not Be Shared Anonymously + + Disable vsyscall mapping - ocil:ssg-httpd_anonymous_content_sharing_action:testaction:1 + ocil:ssg-kernel_config_legacy_vsyscall_none_action:testaction:1 - - Verify that Shared Library Files Have Root Ownership + + Disable the gluster_export_all_ro SELinux Boolean - ocil:ssg-file_ownership_library_dirs_action:testaction:1 + ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1 - - Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean + + Disable the container_connect_any SELinux Boolean - ocil:ssg-sebool_telepathy_tcp_connect_generic_network_ports_action:testaction:1 + ocil:ssg-sebool_container_connect_any_action:testaction:1 - - Ensure a Table Exists for Nftables + + Install McAfee Virus Scanning Software - 
ocil:ssg-set_nftables_table_action:testaction:1 + ocil:ssg-install_mcafee_antivirus_action:testaction:1 - - Verify Permissions on SSH Server Private *_key Key Files + + Disable the privoxy_connect_any SELinux Boolean - ocil:ssg-file_permissions_sshd_private_key_action:testaction:1 + ocil:ssg-sebool_privoxy_connect_any_action:testaction:1 - - Disable the git_system_use_cifs SELinux Boolean + + Install the ntp service - ocil:ssg-sebool_git_system_use_cifs_action:testaction:1 + ocil:ssg-package_ntp_installed_action:testaction:1 - - Set existing passwords a period of inactivity before they been locked + + Verify Group Who Owns cron.weekly - ocil:ssg-accounts_set_post_pw_existing_action:testaction:1 + ocil:ssg-file_groupowner_cron_weekly_action:testaction:1 - - Configure System to Forward All Mail For The Root Account + + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation - ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1 - - Disable the virt_use_execmem SELinux Boolean + + Ensure that /etc/at.deny does not exist - ocil:ssg-sebool_virt_use_execmem_action:testaction:1 + ocil:ssg-file_at_deny_not_exist_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Set kernel parameter 'crypto.fips_enabled' to 1 - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1 - - Prevent remote hosts from connecting to the proxy display + + Ensure that Users Path Contains Only Local Directories - ocil:ssg-sshd_x11_use_localhost_action:testaction:1 + ocil:ssg-accounts_user_home_paths_only_action:testaction:1 - - All Interactive User Home Directories Must Be Owned By The Primary User + + Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ - ocil:ssg-file_ownership_home_directories_action:testaction:1 + ocil:ssg-file_permissions_httpd_server_conf_d_files_action:testaction:1 - - Verify Owner 
on crontab + + Verify User Who Owns /etc/cron.allow file - ocil:ssg-file_owner_crontab_action:testaction:1 + ocil:ssg-file_owner_cron_allow_action:testaction:1 - - Configure GNOME3 DConf User Profile + + Install the SSSD Package - ocil:ssg-enable_dconf_user_profile_action:testaction:1 + ocil:ssg-package_sssd_installed_action:testaction:1 - - Disable the puppetmaster_use_db SELinux Boolean + + Disable CPU Speed (cpupower) - ocil:ssg-sebool_puppetmaster_use_db_action:testaction:1 + ocil:ssg-service_cpupower_disabled_action:testaction:1 - - Disable Dovecot Service + + Disable the secure_mode SELinux Boolean - ocil:ssg-service_dovecot_disabled_action:testaction:1 + ocil:ssg-sebool_secure_mode_action:testaction:1 - - UEFI Boot Loader Is Not Installed On Removeable Media + + Disable the mozilla_plugin_use_bluejeans SELinux Boolean - ocil:ssg-uefi_no_removeable_media_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_use_bluejeans_action:testaction:1 - - Configure SSSD's Memory Cache to Expire + + Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems - ocil:ssg-sssd_memcache_timeout_action:testaction:1 + ocil:ssg-configured_firewalld_default_deny_action:testaction:1 - - Record Successful Ownership Changes to Files - lchown + + Set Boot Loader Password in grub2 - ocil:ssg-audit_rules_successful_file_modification_lchown_action:testaction:1 + ocil:ssg-grub2_password_action:testaction:1 - - Add nosuid Option to /home + + Restrict Access to Kernel Message Buffer - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1 - - Install binutils Package + + Verify Permissions on cron.monthly - ocil:ssg-package_binutils_installed_action:testaction:1 + ocil:ssg-file_permissions_cron_monthly_action:testaction:1 - - Build and Test AIDE Database + + Disable the httpd_enable_homedirs SELinux Boolean - ocil:ssg-aide_build_database_action:testaction:1 + 
ocil:ssg-sebool_httpd_enable_homedirs_action:testaction:1 - - Kernel panic timeout + + Add nodev Option to /tmp - ocil:ssg-kernel_config_panic_timeout_action:testaction:1 + ocil:ssg-mount_option_tmp_nodev_action:testaction:1 - - Configure the secure_mode_insmod SELinux Boolean + + Install the psacct package - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-package_psacct_installed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - umount + + Require Authentication for Emergency Systemd Target - ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 + ocil:ssg-require_emergency_target_auth_action:testaction:1 - - Harden SSHD Crypto Policy + + Mount Remote Filesystems with nodev - ocil:ssg-harden_sshd_crypto_policy_action:testaction:1 + ocil:ssg-mount_option_nodev_remote_filesystems_action:testaction:1 - - Uninstall nginx Package + + Verify that Shared Library Files Have Root Ownership - ocil:ssg-package_nginx_removed_action:testaction:1 + ocil:ssg-file_ownership_library_dirs_action:testaction:1 - - Disable the cups_execmem SELinux Boolean + + Disable X11 Forwarding - ocil:ssg-sebool_cups_execmem_action:testaction:1 + ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1 - - Disable the samba_portmapper SELinux Boolean + + Disable vsyscall emulation - ocil:ssg-sebool_samba_portmapper_action:testaction:1 + ocil:ssg-kernel_config_legacy_vsyscall_emulate_action:testaction:1 - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Kernel panic oops - ocil:ssg-sysctl_net_ipv6_conf_all_max_addresses_action:testaction:1 + ocil:ssg-kernel_config_panic_on_oops_action:testaction:1 - - Disable the virt_use_comm SELinux Boolean + + Disable Ctrl-Alt-Del Reboot Activation - ocil:ssg-sebool_virt_use_comm_action:testaction:1 + ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 - - Disable IA32 emulation + + Ensure Log Files Are Owned By Appropriate User - 
ocil:ssg-kernel_config_ia32_emulation_action:testaction:1 + ocil:ssg-rsyslog_files_ownership_action:testaction:1 - - Encrypt Partitions + + Configure tmux to lock session after inactivity - ocil:ssg-encrypt_partitions_action:testaction:1 + ocil:ssg-configure_tmux_lock_after_time_action:testaction:1 - - Disable the httpd_mod_auth_pam SELinux Boolean + + Record Successful Delete Attempts to Files - renameat - ocil:ssg-sebool_httpd_mod_auth_pam_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_renameat_action:testaction:1 - - Add usrquota Option to /home + + Set Password Hashing Algorithm in /etc/login.defs - ocil:ssg-mount_option_home_usrquota_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - Disable telnet Service + + Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean - ocil:ssg-service_telnet_disabled_action:testaction:1 + ocil:ssg-sebool_selinuxuser_postgresql_connect_enabled_action:testaction:1 - - Add nodev Option to /boot + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-mount_option_boot_nodev_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Remove telnet Clients + + Certificate status checking in SSSD - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-sssd_certificate_verification_action:testaction:1 - - Disable Postfix Network Listening + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd - ocil:ssg-postfix_network_listening_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only + + Restrict usage of ptrace to descendant processes - ocil:ssg-accounts_password_pam_enforce_local_action:testaction:1 + ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1 - - Don't target root user in the sudoers file + + Record Unsuccessful Ownership Changes to Files - 
chown - ocil:ssg-sudoers_no_root_target_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 - - User Initialization Files Must Not Run World-Writable Programs + + Encrypt Partitions - ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1 + ocil:ssg-encrypt_partitions_action:testaction:1 - - Ensure the Default Umask is Set Correctly in /etc/profile + + Disable the pppd_for_user SELinux Boolean - ocil:ssg-accounts_umask_etc_profile_action:testaction:1 + ocil:ssg-sebool_pppd_for_user_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Unloading - delete_module + + Disable rexec Service - ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1 + ocil:ssg-service_rexec_disabled_action:testaction:1 - - Audit Tools Must Be Owned by Root + + Disable the ssh_sysadm_login SELinux Boolean - ocil:ssg-file_audit_tools_ownership_action:testaction:1 + ocil:ssg-sebool_ssh_sysadm_login_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lsetxattr + + Set SSH authentication attempt limit - ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 + ocil:ssg-sshd_set_max_auth_tries_action:testaction:1 - - Disable the virt_sandbox_use_all_caps SELinux Boolean + + Disable vsyscalls - ocil:ssg-sebool_virt_sandbox_use_all_caps_action:testaction:1 + ocil:ssg-grub2_vsyscall_argument_action:testaction:1 - - Disable the virt_rw_qemu_ga_data SELinux Boolean + + Enable the fips_mode SELinux Boolean - ocil:ssg-sebool_virt_rw_qemu_ga_data_action:testaction:1 + ocil:ssg-sebool_fips_mode_action:testaction:1 - - Configure ARP filtering for All IPv4 Interfaces + + Disable the daemons_dump_core SELinux Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1 + ocil:ssg-sebool_daemons_dump_core_action:testaction:1 - - Install libreswan Package + + Verify and Correct File Permissions with RPM - 
ocil:ssg-package_libreswan_installed_action:testaction:1 + ocil:ssg-rpm_verify_permissions_action:testaction:1 - - Verify Owner on cron.daily + + Set Password Hashing Algorithm in /etc/libuser.conf - ocil:ssg-file_owner_cron_daily_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_libuserconf_action:testaction:1 - - Verify /boot/efi/EFI/redhat/user.cfg Group Ownership + + Set SSH Client Alive Count Max to zero - ocil:ssg-file_groupowner_efi_user_cfg_action:testaction:1 + ocil:ssg-sshd_set_keepalive_0_action:testaction:1 - - Disable the xdm_bind_vnc_tcp_port SELinux Boolean + + Enable the mount_anyfile SELinux Boolean - ocil:ssg-sebool_xdm_bind_vnc_tcp_port_action:testaction:1 + ocil:ssg-sebool_mount_anyfile_action:testaction:1 - - Set Existing Passwords Maximum Age + + Set GNOME3 Screensaver Inactivity Timeout - ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1 - - Disable the httpd_can_connect_zabbix SELinux Boolean + + Uninstall dovecot Package - ocil:ssg-sebool_httpd_can_connect_zabbix_action:testaction:1 + ocil:ssg-package_dovecot_removed_action:testaction:1 - - Uninstall net-snmp Package + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_net-snmp_removed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Set Password Warning Age + + Record Successful Permission Changes to Files - lsetxattr - ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1 - - Configure a Sufficiently Large Partition for Audit Logs + + Disable the virt_rw_qemu_ga_data SELinux Boolean - ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1 + ocil:ssg-sebool_virt_rw_qemu_ga_data_action:testaction:1 - - Set Lockout Time for Failed Password Attempts + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - 
ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + + Disable Modprobe Loading of USB Storage Driver - ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 + ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module + + Disable the ftpd_use_nfs SELinux Boolean - ocil:ssg-audit_rules_kernel_module_loading_query_action:testaction:1 + ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1 - - Disable the varnishd_connect_any SELinux Boolean + + Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE - ocil:ssg-sebool_varnishd_connect_any_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 - - Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. 
+ + Ensure Red Hat GPG Key Installed - ocil:ssg-fapolicy_default_deny_action:testaction:1 + ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1 - - Disable Portreserve (portreserve) + + Configure Response Mode of ARP Requests for All IPv4 Interfaces - ocil:ssg-service_portreserve_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1 - - Disable ypbind Service + + Configure the tmux lock session key binding - ocil:ssg-service_ypbind_disabled_action:testaction:1 + ocil:ssg-configure_tmux_lock_keybinding_action:testaction:1 - - Disable Kernel mac80211 Module + + Enable Logging of All FTP Transactions - ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1 + ocil:ssg-ftp_log_transactions_action:testaction:1 - - Enable SSH Server firewalld Firewall Exception + + Enable cron Service - ocil:ssg-firewalld_sshd_port_enabled_action:testaction:1 + ocil:ssg-service_crond_enabled_action:testaction:1 - - Disable /dev/kmem virtual device support + + Disable the httpd_use_openstack SELinux Boolean - ocil:ssg-kernel_config_devkmem_action:testaction:1 + ocil:ssg-sebool_httpd_use_openstack_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - init + + Disable the abrt_upload_watch_anon_write SELinux Boolean - ocil:ssg-audit_privileged_commands_init_action:testaction:1 + ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1 - - Disable Power Settings in GNOME3 + + Configure PAM in SSSD Services - ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1 + ocil:ssg-sssd_enable_pam_services_action:testaction:1 - - Enable the gssd_read_tmp SELinux Boolean + + Disable the git_system_use_cifs SELinux Boolean - ocil:ssg-sebool_gssd_read_tmp_action:testaction:1 + ocil:ssg-sebool_git_system_use_cifs_action:testaction:1 - - Disable the privoxy_connect_any SELinux Boolean + + Add nodev Option to /var/tmp - ocil:ssg-sebool_privoxy_connect_any_action:testaction:1 + 
ocil:ssg-mount_option_var_tmp_nodev_action:testaction:1 - - Disable the Automounter + + Disable graphical user interface - ocil:ssg-service_autofs_disabled_action:testaction:1 + ocil:ssg-xwindows_remove_packages_action:testaction:1 - - Disable Software RAID Monitor (mdmonitor) + + Verify User Who Owns Backup passwd File - ocil:ssg-service_mdmonitor_disabled_action:testaction:1 + ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1 - - Disable the dhcpd_use_ldap SELinux Boolean + + Record Successful Access Attempts to Files - creat - ocil:ssg-sebool_dhcpd_use_ldap_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1 - - Disable Quagga Service + + Disable the use_lpd_server SELinux Boolean - ocil:ssg-service_zebra_disabled_action:testaction:1 + ocil:ssg-sebool_use_lpd_server_action:testaction:1 - - Install fapolicyd Package + + Verify No netrc Files Exist - ocil:ssg-package_fapolicyd_installed_action:testaction:1 + ocil:ssg-no_netrc_files_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - unlink + + Verify User Who Owns /var/log Directory - ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1 + ocil:ssg-file_owner_var_log_action:testaction:1 - - Remove the GDM Package Group + + Disable Ctrl-Alt-Del Burst Action - ocil:ssg-package_gdm_removed_action:testaction:1 + ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1 - - Enable PAM + + Disable Advanced Configuration and Power Interface (acpid) - ocil:ssg-sshd_enable_pam_action:testaction:1 + ocil:ssg-service_acpid_disabled_action:testaction:1 - - Configure SNMP Service to Use Only SNMPv3 or Newer + + Configure Auto Configuration on All IPv6 Interfaces By Default - ocil:ssg-snmpd_use_newer_protocol_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_autoconf_action:testaction:1 - - Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Disable the dbadm_read_user_files SELinux 
Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 + ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1 - - Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-sebool_httpd_mod_auth_ntlm_winbind_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1 - - Add nosuid Option to /tmp + + Verify Owner on cron.monthly - ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 + ocil:ssg-file_owner_cron_monthly_action:testaction:1 - - Configure immutable Audit login UIDs + + Disable the daemons_enable_cluster_mode SELinux Boolean - ocil:ssg-audit_rules_immutable_login_uids_action:testaction:1 + ocil:ssg-sebool_daemons_enable_cluster_mode_action:testaction:1 - - Use zero for poisoning instead of debugging value + + Record Access Events to Audit Log Directory - ocil:ssg-kernel_config_page_poisoning_zero_action:testaction:1 + ocil:ssg-directory_access_var_log_audit_action:testaction:1 - - Configure SSSD LDAP Backend Client CA Certificate Location + + Enable Postfix Service - ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1 + ocil:ssg-service_postfix_enabled_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period + + Enable auditd Service - ocil:ssg-dconf_gnome_screensaver_lock_locked_action:testaction:1 + ocil:ssg-service_auditd_enabled_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable Mounting of cramfs - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Disable the rsync_full_access SELinux Boolean + + Set number of records to cause an explicit flush to audit logs - ocil:ssg-sebool_rsync_full_access_action:testaction:1 + ocil:ssg-auditd_freq_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - chown + + Install libreswan Package - 
ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 + ocil:ssg-package_libreswan_installed_action:testaction:1 - - Configure opensc Smart Card Drivers + + Encrypt All File Uploads - ocil:ssg-configure_opensc_card_drivers_action:testaction:1 + ocil:ssg-httpd_encrypt_file_uploads_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + IOMMU configuration directive - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-grub2_enable_iommu_force_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Disable the rsync_export_all_ro SELinux Boolean - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-sebool_rsync_export_all_ro_action:testaction:1 - - Ensure Sudo Logfile Exists - sudo logfile + + Install McAfee Endpoint Security for Linux (ENSL) - ocil:ssg-sudo_custom_logfile_action:testaction:1 + ocil:ssg-package_mcafeetp_installed_action:testaction:1 - - Disable the logrotate_use_nfs SELinux Boolean + + Encrypt Audit Records Sent With audispd Plugin - ocil:ssg-sebool_logrotate_use_nfs_action:testaction:1 + ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1 - - Disable TIPC Support + + Mount Remote Filesystems with nosuid - ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 + ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1 - - Enable the nscd_use_shm SELinux Boolean + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles - ocil:ssg-sebool_nscd_use_shm_action:testaction:1 + ocil:ssg-dconf_db_up_to_date_action:testaction:1 - - Disable the LDT (local descriptor table) + + Ensure SMAP is not disabled during boot - ocil:ssg-kernel_config_modify_ldt_syscall_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Uninstall iprutils Package + + Configure the confidence in TPM for entropy - 
ocil:ssg-package_iprutils_removed_action:testaction:1 + ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1 - - Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly + + Disable the mcelog_foreground SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1 + ocil:ssg-sebool_mcelog_foreground_action:testaction:1 - - Ensure only owner and members of group owner of /usr/bin/sudo can execute it + + Disable the git_cgi_use_nfs SELinux Boolean - ocil:ssg-sudo_restrict_others_executable_permission_action:testaction:1 + ocil:ssg-sebool_git_cgi_use_nfs_action:testaction:1 - - Modify the System Login Banner + + Disable Red Hat Network Service (rhnsd) - ocil:ssg-banner_etc_issue_action:testaction:1 + ocil:ssg-service_rhnsd_disabled_action:testaction:1 - - Disable the virt_use_sanlock SELinux Boolean + + User a virtually-mapped stack - ocil:ssg-sebool_virt_use_sanlock_action:testaction:1 + ocil:ssg-kernel_config_vmap_stack_action:testaction:1 - - Ensure logging is configured + + Configure OpenSSL library to use TLS Encryption - ocil:ssg-rsyslog_logging_configured_action:testaction:1 + ocil:ssg-configure_openssl_tls_crypto_policy_action:testaction:1 - - Disable the cobbler_use_nfs SELinux Boolean + + Add noauto Option to /boot - ocil:ssg-sebool_cobbler_use_nfs_action:testaction:1 + ocil:ssg-mount_option_boot_noauto_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Unloading - create_module + + Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - ocil:ssg-audit_rules_kernel_module_loading_create_action:testaction:1 + ocil:ssg-file_permission_user_init_files_action:testaction:1 - - Prevent Unrestricted Mail Relaying + + Enable the nfs_export_all_rw SELinux Boolean - ocil:ssg-postfix_prevent_unrestricted_relay_action:testaction:1 + ocil:ssg-sebool_nfs_export_all_rw_action:testaction:1 - - Encrypt Audit Records Sent With audispd Plugin + + Disable 
the secure_mode_policyload SELinux Boolean - ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1 + ocil:ssg-sebool_secure_mode_policyload_action:testaction:1 - - Enable the login_console_enabled SELinux Boolean + + Ensure the Default Umask is Set Correctly For Interactive Users - ocil:ssg-sebool_login_console_enabled_action:testaction:1 + ocil:ssg-accounts_umask_interactive_users_action:testaction:1 - - Ensure all users last password change date is in the past + + Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT - ocil:ssg-accounts_password_last_change_is_in_past_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_creat_action:testaction:1 - - Use Kerberos Security on All Exports + + Record Events that Modify User/Group Information - /etc/group - ocil:ssg-use_kerberos_security_all_exports_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 - - Disable the mplayer_execstack SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl - ocil:ssg-sebool_mplayer_execstack_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1 - - Verify the UEFI Boot Loader grub.cfg User Ownership + + Install binutils Package - ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1 + ocil:ssg-package_binutils_installed_action:testaction:1 - - Disable the mpd_use_nfs SELinux Boolean + + Disable the xserver_execmem SELinux Boolean - ocil:ssg-sebool_mpd_use_nfs_action:testaction:1 + ocil:ssg-sebool_xserver_execmem_action:testaction:1 - - Limit Password Reuse: password-auth + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-accounts_password_pam_pwhistory_remember_password_auth_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Enable Process 
Accounting (psacct) - ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 + ocil:ssg-service_psacct_enabled_action:testaction:1 - - Install the McAfee Runtime Libraries and Linux Agent + + Disable hibernation - ocil:ssg-install_mcafee_cma_rt_action:testaction:1 + ocil:ssg-kernel_config_hibernation_action:testaction:1 - - Configure dnf-automatic to Install Available Updates Automatically + + Disable the httpd_can_network_connect SELinux Boolean - ocil:ssg-dnf-automatic_apply_updates_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_connect_action:testaction:1 - - Verify nftables Service is Enabled + + Install the Samba Common Package - ocil:ssg-service_nftables_enabled_action:testaction:1 + ocil:ssg-package_samba-common_installed_action:testaction:1 - - Enable cron Service + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - ocil:ssg-service_cron_enabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 - - Disable the httpd_manage_ipa SELinux Boolean + + Resolve information before writing to audit logs - ocil:ssg-sebool_httpd_manage_ipa_action:testaction:1 + ocil:ssg-auditd_log_format_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - chmod + + Verify /boot/grub2/grub.cfg Group Ownership - ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1 + ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1 - - Disable Compression Or Set Compression to delayed + + Disable the httpd_can_connect_zabbix SELinux Boolean - ocil:ssg-sshd_disable_compression_action:testaction:1 + ocil:ssg-sebool_httpd_can_connect_zabbix_action:testaction:1 - - Ensure remote access methods are monitored in Rsyslog + + Disable the polipo_use_cifs SELinux Boolean - ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1 + ocil:ssg-sebool_polipo_use_cifs_action:testaction:1 - - Enable Yama support + + Configure Logind to terminate idle sessions after certain 
time of inactivity - ocil:ssg-kernel_config_security_yama_action:testaction:1 + ocil:ssg-logind_session_timeout_action:testaction:1 - - Prefer to use a 64-bit Operating System when supported + + Disable Kernel iwlmvm Module - ocil:ssg-prefer_64bit_os_action:testaction:1 + ocil:ssg-kernel_module_iwlmvm_disabled_action:testaction:1 - - Disable the mozilla_read_content SELinux Boolean + + Record Events that Modify User/Group Information via open syscall - /etc/passwd - ocil:ssg-sebool_mozilla_read_content_action:testaction:1 + ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1 - - Ensure Home Directories are Created for New Users + + Support session locking with tmux (not enforcing) - ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1 + ocil:ssg-configure_bashrc_tmux_action:testaction:1 - - Perform full reference count validation + + Verify Permissions on passwd File - ocil:ssg-kernel_config_refcount_full_action:testaction:1 + ocil:ssg-file_permissions_etc_passwd_action:testaction:1 - - Enable GNOME3 Login Warning Banner + + Disable the glance_api_can_network SELinux Boolean - ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 + ocil:ssg-sebool_glance_api_can_network_action:testaction:1 - - Disable the xguest_exec_content SELinux Boolean + + Disable the samba_export_all_ro SELinux Boolean - ocil:ssg-sebool_xguest_exec_content_action:testaction:1 + ocil:ssg-sebool_samba_export_all_ro_action:testaction:1 - - Harden memory copies between kernel and userspace + + Ensure /home Located On Separate Partition - ocil:ssg-kernel_config_hardened_usercopy_action:testaction:1 + ocil:ssg-partition_for_home_action:testaction:1 - - Force kernel panic on uncorrected MCEs + + Enable checks on scatter-gather (SG) table operations - ocil:ssg-grub2_mce_argument_action:testaction:1 + ocil:ssg-kernel_config_debug_sg_action:testaction:1 - - Verify /boot/grub2/user.cfg User Ownership + + Harden SSH client Crypto Policy - ocil:ssg-file_owner_user_cfg_action:testaction:1 + 
ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1 - - Set Password Hashing Rounds in /etc/login.defs + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow - ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1 + ocil:ssg-audit_rules_etc_gshadow_open_action:testaction:1 - - Ensure /opt Located On Separate Partition + + Disable the glance_use_execmem SELinux Boolean - ocil:ssg-partition_for_opt_action:testaction:1 + ocil:ssg-sebool_glance_use_execmem_action:testaction:1 - - Enable the auditadm_exec_content SELinux Boolean + + Configure System to Forward All Mail For The Root Account - ocil:ssg-sebool_auditadm_exec_content_action:testaction:1 + ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding + + Enable the xend_run_qemu SELinux Boolean - ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1 + ocil:ssg-sebool_xend_run_qemu_action:testaction:1 - - Require Client SMB Packet Signing, if using smbclient + + Set the UEFI Boot Loader Password - ocil:ssg-require_smb_client_signing_action:testaction:1 + ocil:ssg-grub2_uefi_password_action:testaction:1 - - Root Path Must Be Vendor Default + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-root_path_default_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Disable the cobbler_anon_write SELinux Boolean + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-sebool_cobbler_anon_write_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Permissions on /etc/cron.allow file + + Disable the mplayer_execstack SELinux Boolean - ocil:ssg-file_permissions_cron_allow_action:testaction:1 + ocil:ssg-sebool_mplayer_execstack_action:testaction:1 - - Disable the cluster_use_execmem SELinux Boolean + + Ensure Rsyslog Encrypts Off-Loaded Audit Records - 
ocil:ssg-sebool_cluster_use_execmem_action:testaction:1 + ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_action:testaction:1 - - Modify the System Message of the Day Banner + + Verify Group Who Owns /etc/at.allow file - ocil:ssg-banner_etc_motd_action:testaction:1 + ocil:ssg-file_groupowner_at_allow_action:testaction:1 - - Disable the nis_enabled SELinux Boolean + + Disable the fenced_can_ssh SELinux Boolean - ocil:ssg-sebool_nis_enabled_action:testaction:1 + ocil:ssg-sebool_fenced_can_ssh_action:testaction:1 - - Disable WIFI Network Notification in GNOME3 + + Disable the httpd_use_gpg SELinux Boolean - ocil:ssg-dconf_gnome_disable_wifi_notification_action:testaction:1 + ocil:ssg-sebool_httpd_use_gpg_action:testaction:1 - - Configure auditing of unsuccessful file deletions + + Disable Anonymous FTP Access - ocil:ssg-audit_delete_failed_action:testaction:1 + ocil:ssg-httpd_disable_anonymous_ftp_access_action:testaction:1 - - Disable X11 Forwarding + + Configure the httpd_builtin_scripting SELinux Boolean - ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1 + ocil:ssg-sebool_httpd_builtin_scripting_action:testaction:1 - - Verify that All World-Writable Directories Have Sticky Bits Set + + Ensure gpgcheck Enabled In Main yum Configuration - ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 + ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1 - - Configure Auto Configuration on All IPv6 Interfaces By Default + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - ocil:ssg-sysctl_net_ipv6_conf_default_autoconf_action:testaction:1 + ocil:ssg-accounts_password_pam_retry_action:testaction:1 - - Add nodev Option to /var/log/audit + + Disable SSH Support for User Known Hosts - ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1 + ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1 - - Configure System to Forward All Mail through a specific host + + Verify User Who 
Owns /var/log/syslog File - ocil:ssg-postfix_client_configure_relayhost_action:testaction:1 + ocil:ssg-file_owner_var_log_syslog_action:testaction:1 - - Uninstall abrt-plugin-sosreport Package + + Set Password Maximum Consecutive Repeating Characters - ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1 - - Disable the minidlna_read_generic_user_content SELinux Boolean + + Disable named Service - ocil:ssg-sebool_minidlna_read_generic_user_content_action:testaction:1 + ocil:ssg-service_named_disabled_action:testaction:1 - - Configure auditd space_left Action on Low Disk Space + + Disable the webadm_manage_user_files SELinux Boolean - ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1 + ocil:ssg-sebool_webadm_manage_user_files_action:testaction:1 - - Disable anacron Service + + Disable IA32 emulation - ocil:ssg-disable_anacron_action:testaction:1 + ocil:ssg-kernel_config_ia32_emulation_action:testaction:1 - - Disable Network File System (nfs) + + Configure Accepting Router Advertisements on All IPv6 Interfaces - ocil:ssg-service_nfs_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1 - - Enable the NTP Daemon + + Enable SSH Print Last Log - ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1 + ocil:ssg-sshd_print_last_log_action:testaction:1 - - Require Credential Prompting for Remote Access in GNOME3 + + Configure Backups of User Data - ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1 + ocil:ssg-configure_user_data_backups_action:testaction:1 - - Uninstall gssproxy Package + + Verify that Shared Library Directories Have Root Group Ownership - ocil:ssg-package_gssproxy_removed_action:testaction:1 + ocil:ssg-dir_group_ownership_library_dirs_action:testaction:1 - - Add noexec Option to /var/tmp + + Disable the openvpn_run_unconfined SELinux Boolean - 
ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 + ocil:ssg-sebool_openvpn_run_unconfined_action:testaction:1 - - Disable Advanced Configuration and Power Interface (acpid) + + Record Successful Delete Attempts to Files - unlink - ocil:ssg-service_acpid_disabled_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_unlink_action:testaction:1 - - Uninstall avahi-autoipd Server Package + + Disable the use_ecryptfs_home_dirs SELinux Boolean - ocil:ssg-package_avahi-autoipd_removed_action:testaction:1 + ocil:ssg-sebool_use_ecryptfs_home_dirs_action:testaction:1 - - Do not allow ACPI methods to be inserted/replaced at run time + + Verify Owner on cron.daily - ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1 + ocil:ssg-file_owner_cron_daily_action:testaction:1 - - Log USBGuard daemon audit events using Linux Audit + + Configure A Banner Page For Each Website - ocil:ssg-configure_usbguard_auditbackend_action:testaction:1 + ocil:ssg-httpd_configure_banner_page_action:testaction:1 - - Install policycoreutils Package + + Enable seccomp to safely compute untrusted bytecode - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-kernel_config_seccomp_action:testaction:1 - - Restrict Access to Kernel Message Buffer + + Set number of Password Hashing Rounds - password-auth - ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1 + ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1 - - Ensure gpgcheck Enabled In Main yum Configuration + + Verify nftables Service is Enabled - ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1 + ocil:ssg-service_nftables_enabled_action:testaction:1 - - Verify /boot/grub2/grub.cfg Permissions + + Configure auditing of unsuccessful file accesses - ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 + ocil:ssg-audit_access_failed_action:testaction:1 - - Configure SSSD to Expire Offline Credentials + + Disable the httpd_execmem SELinux Boolean - 
ocil:ssg-sssd_offline_cred_expiration_action:testaction:1 + ocil:ssg-sebool_httpd_execmem_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate + + Enable Kernel Page-Table Isolation (KPTI) - ocil:ssg-sudo_remove_no_authenticate_action:testaction:1 + ocil:ssg-grub2_pti_argument_action:testaction:1 - - Disable the xserver_clients_write_xshm SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_xserver_clients_write_xshm_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - lsetxattr + + Configure auditing of unsuccessful file modifications - ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1 + ocil:ssg-audit_modify_failed_action:testaction:1 - - Disable SSH Support for User Known Hosts + + Disable the httpd_can_network_connect_db SELinux Boolean - ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_connect_db_action:testaction:1 - - Disable the wine_mmap_zero_ignore SELinux Boolean + + Ensure a dedicated group owns sudo - ocil:ssg-sebool_wine_mmap_zero_ignore_action:testaction:1 + ocil:ssg-sudo_dedicated_group_action:testaction:1 - - Enable syslog-ng Service + + Drop Gratuitious ARP frames on All IPv4 Interfaces - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_drop_gratuitous_arp_action:testaction:1 - - Uninstall Automatic Bug Reporting Tool (abrt) + + Configure auditing of unsuccessful file deletions - ocil:ssg-package_abrt_removed_action:testaction:1 + ocil:ssg-audit_delete_failed_action:testaction:1 - - Ensure '/etc/system-fips' exists + + Public web server resources must not be shared with private assets - ocil:ssg-etc_system_fips_exists_action:testaction:1 + ocil:ssg-httpd_public_resources_not_shared_action:testaction:1 - - Disable RDS Support + + Ensure the Default Umask is Set Correctly in login.defs - 
ocil:ssg-kernel_module_rds_disabled_action:testaction:1 + ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 - - Disable the ftpd_connect_all_unreserved SELinux Boolean + + Add nodev Option to /var/log - ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1 + ocil:ssg-mount_option_var_log_nodev_action:testaction:1 - - Disable the httpd_dbus_avahi SELinux Boolean + + Enable poison of pages after freeing - ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1 + ocil:ssg-kernel_config_page_poisoning_action:testaction:1 - - Disable the abrt_upload_watch_anon_write SELinux Boolean + + Set type of computer node name logging in audit logs - ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1 + ocil:ssg-auditd_name_format_action:testaction:1 - - Disable the httpd_can_check_spam SELinux Boolean + + Ensure PAM Enforces Password Requirements - Enforce for root User - ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1 + ocil:ssg-accounts_password_pam_enforce_root_action:testaction:1 - - Record Any Attempts to Run seunshare + + Configure Libreswan to use System Crypto Policy - ocil:ssg-audit_rules_execution_seunshare_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Uninstall Sendmail Package + + Disable the cdrecord_read_content SELinux Boolean - ocil:ssg-package_sendmail_removed_action:testaction:1 + ocil:ssg-sebool_cdrecord_read_content_action:testaction:1 - - Disable the unprivuser_use_svirt SELinux Boolean + + Disallow kernel profiling by unprivileged users - ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_event_paranoid_action:testaction:1 - - Make the auditd Configuration Immutable + + Add nosuid Option to /tmp - ocil:ssg-audit_rules_immutable_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Verify that System Executables Have Root Ownership + + Set GNOME3 Screensaver Lock Delay After Activation Period - 
ocil:ssg-file_ownership_binary_dirs_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1 - - Disable xinetd Service + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-service_xinetd_disabled_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Detect stack corruption on calls to schedule() + + Disable TIPC Support - ocil:ssg-kernel_config_sched_stack_end_check_action:testaction:1 + ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 - - Disable the mailman_use_fusefs SELinux Boolean + + Enable the USBGuard Service - ocil:ssg-sebool_mailman_use_fusefs_action:testaction:1 + ocil:ssg-service_usbguard_enabled_action:testaction:1 - - Direct root Logins Not Allowed + + Disable the virt_sandbox_use_netlink SELinux Boolean - ocil:ssg-no_direct_root_logins_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_netlink_action:testaction:1 - - Ensure No World-Writable Files Exist + + Disable System Statistics Reset Service (sysstat) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_sysstat_disabled_action:testaction:1 - - Disable Web Content Symbolic Links + + Uninstall quagga Package - ocil:ssg-httpd_disable_content_symlinks_action:testaction:1 + ocil:ssg-package_quagga_removed_action:testaction:1 - - Verify the UEFI Boot Loader grub.cfg Group Ownership + + Prevent applications from mapping low portion of virtual memory - ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1 + ocil:ssg-sysctl_vm_mmap_min_addr_action:testaction:1 - - Set SSH authentication attempt limit + + Disable the virt_use_execmem SELinux Boolean - ocil:ssg-sshd_set_max_auth_tries_action:testaction:1 + ocil:ssg-sebool_virt_use_execmem_action:testaction:1 - - Disable the exim_manage_user_files SELinux Boolean + + Verify Group Who Owns shadow File - ocil:ssg-sebool_exim_manage_user_files_action:testaction:1 + ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 
- - Configure auditing of unsuccessful file accesses + + Verify Permissions on Backup gshadow File - ocil:ssg-audit_access_failed_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1 - - Verify permissions on Message of the Day Banner + + Disable the virt_use_samba SELinux Boolean - ocil:ssg-file_permissions_etc_motd_action:testaction:1 + ocil:ssg-sebool_virt_use_samba_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - reboot + + Disable Full User Name on Splash Shield - ocil:ssg-audit_privileged_commands_reboot_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_user_info_action:testaction:1 - - Disable the samba_enable_home_dirs SELinux Boolean + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow - ocil:ssg-sebool_samba_enable_home_dirs_action:testaction:1 + ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1 - - Enable Use of Privilege Separation + + Enable systemd-journald Service - ocil:ssg-sshd_use_priv_separation_action:testaction:1 + ocil:ssg-service_systemd-journald_enabled_action:testaction:1 - - Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server + + Ensure logging is configured - ocil:ssg-sssd_ldap_configure_tls_reqcert_action:testaction:1 + ocil:ssg-rsyslog_logging_configured_action:testaction:1 - - Ensure All SUID Executables Are Authorized + + Install the Asset Configuration Compliance Module (ACCM) - ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1 + ocil:ssg-install_mcafee_hbss_accm_action:testaction:1 - - Record Events that Modify the System's Mandatory Access Controls in usr/share + + Verify Group Who Owns cron.d - ocil:ssg-audit_rules_mac_modification_usr_share_action:testaction:1 + ocil:ssg-file_groupowner_cron_d_action:testaction:1 - - All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group + + Enable the domain_fd_use 
SELinux Boolean - ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1 + ocil:ssg-sebool_domain_fd_use_action:testaction:1 - - Disable Kernel iwlmvm Module + + Add usrquota Option to /home - ocil:ssg-kernel_module_iwlmvm_disabled_action:testaction:1 + ocil:ssg-mount_option_home_usrquota_action:testaction:1 - - Ensure All World-Writable Directories Are Owned by a System Account + + Uninstall geolite2-city Package - ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1 + ocil:ssg-package_geolite2-city_removed_action:testaction:1 - - Enable module signature verification + + Disable GSSAPI Authentication - ocil:ssg-kernel_config_module_sig_action:testaction:1 + ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1 - - Enable poison without sanity check + + Verify Group Who Owns gshadow File - ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1 + ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 - - Require Encryption for Remote Access in GNOME3 + + Configure SSSD to Expire Offline Credentials - ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 + ocil:ssg-sssd_offline_cred_expiration_action:testaction:1 - - Remove NIS Client + + Uninstall rsh-server Package - ocil:ssg-package_ypbind_removed_action:testaction:1 + ocil:ssg-package_rsh-server_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + + Configure the Firewalld Ports - ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1 + ocil:ssg-configure_firewalld_ports_action:testaction:1 - - Disable the cobbler_can_network_connect SELinux Boolean + + Uninstall libreport-plugin-rhtsupport Package - ocil:ssg-sebool_cobbler_can_network_connect_action:testaction:1 + ocil:ssg-package_libreport-plugin-rhtsupport_removed_action:testaction:1 - - Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly + + Audit Configuration Files Permissions are 640 or 
More Restrictive - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1 + ocil:ssg-file_permissions_audit_configuration_action:testaction:1 - - Verify User Who Owns /var/log Directory + + Enable Yama support - ocil:ssg-file_owner_var_log_action:testaction:1 + ocil:ssg-kernel_config_security_yama_action:testaction:1 - - Record attempts to alter time through settimeofday + + Ensure auditd Collects Information on Kernel Module Unloading - create_module - ocil:ssg-audit_rules_time_settimeofday_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_create_action:testaction:1 - - Randomize the address of the kernel image (KASLR) + + Configure SNMP Service to Use Only SNMPv3 or Newer - ocil:ssg-kernel_config_randomize_base_action:testaction:1 + ocil:ssg-snmpd_use_newer_protocol_action:testaction:1 - - Disable the abrt_anon_write SELinux Boolean + + The Chronyd service is enabled - ocil:ssg-sebool_abrt_anon_write_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify No netrc Files Exist + + Uninstall nfs-utils Package - ocil:ssg-no_netrc_files_action:testaction:1 + ocil:ssg-package_nfs-utils_removed_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1 - - Verify /boot/efi/EFI/redhat/user.cfg User Ownership + + Verify User Who Owns /var/log/messages File - ocil:ssg-file_owner_efi_user_cfg_action:testaction:1 + ocil:ssg-file_owner_var_log_messages_action:testaction:1 - - Enable poison of pages after freeing + + Disable the 32-bit vDSO - ocil:ssg-kernel_config_page_poisoning_action:testaction:1 + ocil:ssg-kernel_config_compat_vdso_action:testaction:1 - - Set Existing Passwords Warning Age + + Disable the polipo_use_nfs SELinux Boolean - 
ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1 + ocil:ssg-sebool_polipo_use_nfs_action:testaction:1 - - Disable the xdm_exec_bootloader SELinux Boolean + + Disable Postfix Network Listening - ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1 + ocil:ssg-postfix_network_listening_disabled_action:testaction:1 - - Enable Randomized Layout of Virtual Address Space + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Force initialization of variables containing userspace addresses + + Configure Auto Configuration on All IPv6 Interfaces - ocil:ssg-kernel_config_gcc_plugin_structleak_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_autoconf_action:testaction:1 - - Use Only FIPS 140-2 Validated Ciphers + + Disallow merge of slab caches - ocil:ssg-sshd_use_approved_ciphers_action:testaction:1 + ocil:ssg-kernel_config_slab_merge_default_action:testaction:1 - - Disable the condor_tcp_network_connect SELinux Boolean + + Specify module signing key to use - ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1 + ocil:ssg-kernel_config_module_sig_key_action:testaction:1 - - Do Not Allow SSH Environment Options + + Record Successful Permission Changes to Files - chmod - ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_chmod_action:testaction:1 - - Uninstall Samba Package + + Enable the unconfined_chrome_sandbox_transition SELinux Boolean - ocil:ssg-package_samba_removed_action:testaction:1 + ocil:ssg-sebool_unconfined_chrome_sandbox_transition_action:testaction:1 - - Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE + + Require Credential Prompting for Remote Access in GNOME3 - ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 + 
ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1 - - Record Successful Permission Changes to Files - setxattr + + Ensure System is Not Acting as a Network Sniffer - ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 + ocil:ssg-network_sniffer_disabled_action:testaction:1 - - Verify Permissions on /etc/audit/rules.d/*.rules + + Enable the File Access Policy Service - ocil:ssg-file_permissions_etc_audit_rulesd_action:testaction:1 + ocil:ssg-service_fapolicyd_enabled_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - fchownat + + SSH client uses strong entropy to seed (for CSH like shells) - ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1 + ocil:ssg-ssh_client_use_strong_rng_csh_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - chown + + Ensure Software Patches Installed - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-security_patches_up_to_date_action:testaction:1 - - Add nodev Option to /var/tmp + + Verify that Interactive Boot is Disabled - ocil:ssg-mount_option_var_tmp_nodev_action:testaction:1 + ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 - - Configure the tmux Lock Command + + Disable the httpd_can_connect_mythtv SELinux Boolean - ocil:ssg-configure_tmux_lock_command_action:testaction:1 + ocil:ssg-sebool_httpd_can_connect_mythtv_action:testaction:1 - - All GIDs referenced in /etc/passwd must be defined in /etc/group + + Add nodev Option to /dev/shm - ocil:ssg-gid_passwd_group_same_action:testaction:1 + ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1 - - Disable the httpd_can_network_connect SELinux Boolean + + Disable the httpd_can_check_spam SELinux Boolean - ocil:ssg-sebool_httpd_can_network_connect_action:testaction:1 + ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1 - - Enable Dracut FIPS Module + + Disable Cyrus SASL Authentication Daemon (saslauthd) - 
ocil:ssg-enable_dracut_fips_module_action:testaction:1 + ocil:ssg-service_saslauthd_disabled_action:testaction:1 - - Install policycoreutils-python-utils package + + Enable the Hardware RNG Entropy Gatherer Service - ocil:ssg-package_policycoreutils-python-utils_installed_action:testaction:1 + ocil:ssg-service_rngd_enabled_action:testaction:1 - - Disable the xguest_mount_media SELinux Boolean + + Configure AIDE to Use FIPS 140-2 for Validating Hashes - ocil:ssg-sebool_xguest_mount_media_action:testaction:1 + ocil:ssg-aide_use_fips_hashes_action:testaction:1 - - Authorize USB hubs in USBGuard daemon + + Record Events that Modify User/Group Information via open syscall - /etc/group - ocil:ssg-usbguard_allow_hub_action:testaction:1 + ocil:ssg-audit_rules_etc_group_open_action:testaction:1 - - Make the module text and rodata read-only + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default - ocil:ssg-kernel_config_strict_module_rwx_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 - - Ensure There Are No Accounts With Blank or Null Passwords + + User Initialization Files Must Be Group-Owned By The Primary Group - ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1 + ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1 - - Disable the boinc_execmem SELinux Boolean + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_boinc_execmem_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1 - - Set number of Password Hashing Rounds - password-auth + + Disable the xdm_write_home SELinux Boolean - ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1 + ocil:ssg-sebool_xdm_write_home_action:testaction:1 - - Add noexec Option to Removable Media Partitions + + Disable the tor_can_network_relay SELinux Boolean - 
ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1 + ocil:ssg-sebool_tor_can_network_relay_action:testaction:1 - - Record Successful Ownership Changes to Files - fchownat + + Disable the httpd_setrlimit SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_fchownat_action:testaction:1 + ocil:ssg-sebool_httpd_setrlimit_action:testaction:1 - - Remove the FreeRadius Server Package + + Disable the virt_use_sanlock SELinux Boolean - ocil:ssg-package_freeradius_removed_action:testaction:1 + ocil:ssg-sebool_virt_use_sanlock_action:testaction:1 - - Uninstall nfs-utils Package + + Ensure auditd Collects Information on the Use of Privileged Commands - mount - ocil:ssg-package_nfs-utils_removed_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 - - Configure audispd's Plugin disk_full_action When Disk Is Full + + Install the pcsc-lite package - ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1 + ocil:ssg-package_pcsc-lite_installed_action:testaction:1 - - Record Any Attempts to Run chcon + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size - ocil:ssg-audit_rules_execution_chcon_action:testaction:1 + ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - chmod + + Enable HTTPD System Logging - ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 + ocil:ssg-httpd_enable_system_logging_action:testaction:1 - - Audit Tools Must Have a Mode of 0755 or Less Permissive + + Ensure McAfee Endpoint Security for Linux (ENSL) is running - ocil:ssg-file_audit_tools_permissions_action:testaction:1 + ocil:ssg-agent_mfetpd_running_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Disable Accepting ICMP Redirects for All IPv4 Interfaces - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + 
ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 - - Uninstall openldap-servers Package + + Ensure tftp Daemon Uses Secure Mode - ocil:ssg-package_openldap-servers_removed_action:testaction:1 + ocil:ssg-tftpd_uses_secure_mode_action:testaction:1 - - Disable the tmpreaper_use_nfs SELinux Boolean + + Configure session renegotiation for SSH client - ocil:ssg-sebool_tmpreaper_use_nfs_action:testaction:1 + ocil:ssg-ssh_client_rekey_limit_action:testaction:1 - - Configure AIDE to Verify Access Control Lists (ACLs) + + Verify the UEFI Boot Loader grub.cfg Permissions - ocil:ssg-aide_verify_acls_action:testaction:1 + ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1 - - Disable the irssi_use_full_network SELinux Boolean + + Disable WIFI Network Notification in GNOME3 - ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 + ocil:ssg-dconf_gnome_disable_wifi_notification_action:testaction:1 - - Record Successful Permission Changes to Files - chmod + + Ensure Insecure File Locking is Not Allowed - ocil:ssg-audit_rules_successful_file_modification_chmod_action:testaction:1 + ocil:ssg-no_insecure_locks_exports_action:testaction:1 - - Disable the smartmon_3ware SELinux Boolean + + Ensure All World-Writable Directories Are Group Owned by a System Account - ocil:ssg-sebool_smartmon_3ware_action:testaction:1 + ocil:ssg-dir_perms_world_writable_system_owned_group_action:testaction:1 - - Disable hibernation + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT - ocil:ssg-kernel_config_hibernation_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1 - - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Uninstall libreport-plugin-logger Package - ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 + ocil:ssg-package_libreport-plugin-logger_removed_action:testaction:1 - - Record Events that Modify the System's 
Discretionary Access Controls - fchownat + + Disable GNOME3 Automount Opening - ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 + ocil:ssg-dconf_gnome_disable_automount_open_action:testaction:1 - - HTTPD Log Files Must Be Owned By Root + + Enable the virt_sandbox_use_audit SELinux Boolean - ocil:ssg-http_configure_log_file_ownership_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_audit_action:testaction:1 - - Kernel panic oops + + Configure SSSD to run as user sssd - ocil:ssg-kernel_config_panic_on_oops_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Disable Recovery Booting + + Disable rlogin Service - ocil:ssg-grub2_disable_recovery_action:testaction:1 + ocil:ssg-service_rlogin_disabled_action:testaction:1 - - Uninstall avahi Server Package + + Ensure auditd Collects Information on the Use of Privileged Commands - init - ocil:ssg-package_avahi_removed_action:testaction:1 + ocil:ssg-audit_privileged_commands_init_action:testaction:1 - - Enable Auditing to Start Prior to the Audit Daemon in zIPL + + Disable SSH Access via Empty Passwords - ocil:ssg-zipl_audit_argument_action:testaction:1 + ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 - - Configure Time Service Maxpoll Interval + + Disable Red Hat Subscription Manager Daemon (rhsmcertd) - ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1 + ocil:ssg-service_rhsmcertd_disabled_action:testaction:1 - - Disable the samba_create_home_dirs SELinux Boolean + + Enable SSH Warning Banner - ocil:ssg-sebool_samba_create_home_dirs_action:testaction:1 + ocil:ssg-sshd_enable_warning_banner_action:testaction:1 - - Appropriate Action Must be Setup When the Internal Audit Event Queue is Full + + Disable kernel support for MISC binaries - ocil:ssg-auditd_overflow_action_action:testaction:1 + ocil:ssg-kernel_config_binfmt_misc_action:testaction:1 - - Ensure the Default Bash Umask is Set Correctly + + Set Existing Passwords Maximum Age - 
ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1 + ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1 + + + + Disable the sge_use_nfs SELinux Boolean + + ocil:ssg-sebool_sge_use_nfs_action:testaction:1 + + + + Add nodev Option to /home + + ocil:ssg-mount_option_home_nodev_action:testaction:1 
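Review bot: this hunk is almost entirely a reordering of existing OCIL question entries rather than a content change, which makes the real additions hard to review. "Configure SSSD to Expire Offline Credentials" (ocil:ssg-sssd_offline_cred_expiration_action:testaction:1) is removed early in the hunk and re-added later in the same hunk, "Set number of Password Hashing Rounds - password-auth" is removed near the end and re-added near the start, and "Add noexec Option to /var/tmp" is removed here only to reappear as an addition in the following hunk. The only net new entries are "Disable the sge_use_nfs SELinux Boolean" and "Add nodev Option to /home" at the hunk's tail. Suggest having the publisher emit these questionnaire entries in a stable order (for example sorted by their ocil:ssg-... id) before serializing, so that each automated publish diff shows only genuinely added or removed rules.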
@@ -347885,580 +347897,586 @@ which the system will be deployed as closely as possible.ocil:ssg-kernel_module_dccp_disabled_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Ensure SELinux State is Enforcing - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-selinux_state_action:testaction:1 - - Disable the haproxy_connect_any SELinux Boolean + + Verify Permissions on SSH Server Public *.pub Key Files - ocil:ssg-sebool_haproxy_connect_any_action:testaction:1 + ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1 - - Disable the awstats_purge_apache_log_files SELinux Boolean + + Harden common str/mem functions against buffer overflows - ocil:ssg-sebool_awstats_purge_apache_log_files_action:testaction:1 + ocil:ssg-kernel_config_fortify_source_action:testaction:1 - - Ensure PAM password complexity module is enabled in password-auth + + Add nosuid Option to /var/log/audit - ocil:ssg-accounts_password_pam_pwquality_password_auth_action:testaction:1 + ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1 - - Record Successful Delete Attempts to Files - renameat + + Perform full reference count validation - ocil:ssg-audit_rules_successful_file_modification_renameat_action:testaction:1 + ocil:ssg-kernel_config_refcount_full_action:testaction:1 - - Uninstall libreport-plugin-rhtsupport Package + + Disable the nfsd_anon_write SELinux Boolean - ocil:ssg-package_libreport-plugin-rhtsupport_removed_action:testaction:1 + ocil:ssg-sebool_nfsd_anon_write_action:testaction:1 - - Ensure rsyslog is Installed + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-package_rsyslog_installed_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Ensure ip6tables Firewall Rules Exist for All Open Ports + + Disable systemd-journal-remote Socket - ocil:ssg-ip6tables_rules_for_open_ports_action:testaction:1 + ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1 - - Verify 
Permissions on SSH Server config file + + Add noexec Option to /var/tmp - ocil:ssg-file_permissions_sshd_config_action:testaction:1 + ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 - - Assign Expiration Date to Temporary Accounts + + Set Password Hashing Rounds in /etc/login.defs - ocil:ssg-account_temp_expire_date_action:testaction:1 + ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - chage + + Disable SSH root Login with a Password (Insecure) - ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 + ocil:ssg-sshd_disable_root_password_login_action:testaction:1 - - Remove the kernel mapping in user mode + + Ensure logrotate is Installed - ocil:ssg-kernel_config_page_table_isolation_action:testaction:1 + ocil:ssg-package_logrotate_installed_action:testaction:1 - - Ensure syslog-ng is Installed + + Verify Group Who Owns Crontab - ocil:ssg-package_syslogng_installed_action:testaction:1 + ocil:ssg-file_groupowner_crontab_action:testaction:1 - - All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive + + Harden SSHD Crypto Policy - ocil:ssg-accounts_users_home_files_permissions_action:testaction:1 + ocil:ssg-harden_sshd_crypto_policy_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Audit Tools Must Have a Mode of 0755 or Less Permissive - ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 + ocil:ssg-file_audit_tools_permissions_action:testaction:1 - - Disable the httpd_run_stickshift SELinux Boolean + + Uninstall Sendmail Package - ocil:ssg-sebool_httpd_run_stickshift_action:testaction:1 + ocil:ssg-package_sendmail_removed_action:testaction:1 - - Configure maximum number of process identifiers + + Disable the httpd_can_connect_ldap SELinux Boolean - ocil:ssg-sysctl_kernel_pid_max_action:testaction:1 + 
ocil:ssg-sebool_httpd_can_connect_ldap_action:testaction:1 - - Ensure logrotate is Installed + + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - ocil:ssg-package_logrotate_installed_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 - - Disable x86 vsyscall emulation + + Enable Use of Privilege Separation - ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1 + ocil:ssg-sshd_use_priv_separation_action:testaction:1 - - Uninstall setroubleshoot-plugins Package + + Ensure /tmp Located On Separate Partition - ocil:ssg-package_setroubleshoot-plugins_removed_action:testaction:1 + ocil:ssg-partition_for_tmp_action:testaction:1 - - A remote time server for Chrony is configured + + Require Client SMB Packet Signing, if using smbclient - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-require_smb_client_signing_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 - - Disable Mounting of cramfs + + Disable the mcelog_client SELinux Boolean - ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 + ocil:ssg-sebool_mcelog_client_action:testaction:1 - - Enable the Hardware RNG Entropy Gatherer Service + + Disable the cluster_use_execmem SELinux Boolean - ocil:ssg-service_rngd_enabled_action:testaction:1 + ocil:ssg-sebool_cluster_use_execmem_action:testaction:1 - - Ensure All Accounts on the System Have Unique User IDs + + Set Existing Passwords Warning Age - ocil:ssg-account_unique_id_action:testaction:1 + ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1 - - Disable Samba + + Disable the httpd_mod_auth_pam SELinux Boolean - 
ocil:ssg-service_smb_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_mod_auth_pam_action:testaction:1 - - Disable Ctrl-Alt-Del Burst Action + + Uninstall krb5-workstation Package - ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1 + ocil:ssg-package_krb5-workstation_removed_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-accounts_password_pam_enforce_local_action:testaction:1 - - Disable the polipo_connect_all_unreserved SELinux Boolean + + Disable SSH TCP Forwarding - ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1 + ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 - - Verify Group Ownership on SSH Server Public *.pub Key Files + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-file_groupownership_sshd_pub_key_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Record Any Attempts to Run restorecon - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-audit_rules_execution_restorecon_action:testaction:1 - - Verify All Account Password Hashes are Shadowed + + Enable page allocator poisoning in zIPL - ocil:ssg-accounts_password_all_shadowed_action:testaction:1 + ocil:ssg-zipl_page_poison_argument_action:testaction:1 - - Modify the System Login Banner for Remote Connections + + Disable the cluster_manage_all_files SELinux Boolean - ocil:ssg-banner_etc_issue_net_action:testaction:1 + ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1 - - Set the UEFI Boot Loader Password + + Verify that System Executable Directories Have Restrictive Permissions - ocil:ssg-grub2_uefi_password_action:testaction:1 + ocil:ssg-dir_permissions_binary_dirs_action:testaction:1 - - Disable mutable 
hooks + + Enable authselect - ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1 + ocil:ssg-enable_authselect_action:testaction:1 - - Configure the gluster_export_all_rw SELinux Boolean + + Build and Test AIDE Database - ocil:ssg-sebool_gluster_export_all_rw_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Disable the httpd_run_preupgrade SELinux Boolean + + Disable the tmpreaper_use_samba SELinux Boolean - ocil:ssg-sebool_httpd_run_preupgrade_action:testaction:1 + ocil:ssg-sebool_tmpreaper_use_samba_action:testaction:1 - - Uninstall rsh Package + + Configure auditd admin_space_left Action on Low Disk Space - ocil:ssg-package_rsh_removed_action:testaction:1 + ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1 - - Remove the OpenSSH Server Package + + Verify Permissions on cron.daily - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-file_permissions_cron_daily_action:testaction:1 - - Ensure auditd Collects System Administrator Actions + + Disable the ssh_chroot_rw_homedirs SELinux Boolean - ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 + ocil:ssg-sebool_ssh_chroot_rw_homedirs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + + Uninstall xinetd Package - ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 + ocil:ssg-package_xinetd_removed_action:testaction:1 - - Disable SSH Server If Possible + + Disable Core Dumps for SUID programs - ocil:ssg-service_sshd_disabled_action:testaction:1 + ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 - - Disable GNOME3 Automount running + + Configure dnf-automatic to Install Only Security Updates - ocil:ssg-dconf_gnome_disable_autorun_action:testaction:1 + ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/shadow + + Install the McAfee Runtime Libraries and Linux Agent - 
ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1 + ocil:ssg-install_mcafee_cma_rt_action:testaction:1 - - Enable the selinuxuser_ping SELinux Boolean + + Set PAM''s Password Hashing Algorithm - ocil:ssg-sebool_selinuxuser_ping_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 - - Enable the logadm_exec_content SELinux Boolean + + Disable the zarafa_setrlimit SELinux Boolean - ocil:ssg-sebool_logadm_exec_content_action:testaction:1 + ocil:ssg-sebool_zarafa_setrlimit_action:testaction:1 - - Enable the LDAP Client For Use in Authconfig + + Remove the GDM Package Group - ocil:ssg-enable_ldap_client_action:testaction:1 + ocil:ssg-package_gdm_removed_action:testaction:1 - - Configure auditd max_log_file_action Upon Reaching Maximum Log Size + + Disable User Administration in GNOME3 - ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1 + ocil:ssg-dconf_gnome_disable_user_admin_action:testaction:1 - - Disable the exim_can_connect_db SELinux Boolean + + Record Successful Creation Attempts to Files - open O_CREAT - ocil:ssg-sebool_exim_can_connect_db_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1 - - Disable System Statistics Reset Service (sysstat) + + Disable support for /proc/kkcore - ocil:ssg-service_sysstat_disabled_action:testaction:1 + ocil:ssg-kernel_config_proc_kcore_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - rename + + Verify /boot/efi/EFI/redhat/user.cfg Permissions - ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 + ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1 - - Verify ufw Enabled + + Verify permissions on Message of the Day Banner - ocil:ssg-service_ufw_enabled_action:testaction:1 + ocil:ssg-file_permissions_etc_motd_action:testaction:1 - - Disable LDAP Server (slapd) + + Enable GNOME3 Login Warning Banner - ocil:ssg-service_slapd_disabled_action:testaction:1 + 
ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 - - Disable httpd Service + + Mount Remote Filesystems with noexec - ocil:ssg-service_httpd_disabled_action:testaction:1 + ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the pcp_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_pcp_bind_all_unreserved_ports_action:testaction:1 - - Record Successful Access Attempts to Files - open_by_handle_at + + Ensure /usr Located On Separate Partition - ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_action:testaction:1 + ocil:ssg-partition_for_usr_action:testaction:1 - - Uninstall tuned Package + + Ensure that chronyd is running under chrony user account - ocil:ssg-package_tuned_removed_action:testaction:1 + ocil:ssg-chronyd_run_as_chrony_user_action:testaction:1 - - Disable the virt_read_qemu_ga_data SELinux Boolean + + Disable the mock_enable_homedirs SELinux Boolean - ocil:ssg-sebool_virt_read_qemu_ga_data_action:testaction:1 + ocil:ssg-sebool_mock_enable_homedirs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + + Record Unsuccessful Access Attempts to Files - open_by_handle_at - ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 - - Verify Group Who Owns /var/log/syslog File + + Disable Web Content Symbolic Links - ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1 + ocil:ssg-httpd_disable_content_symlinks_action:testaction:1 - - Configure the httpd_builtin_scripting SELinux Boolean + + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - ocil:ssg-sebool_httpd_builtin_scripting_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 - - Add nosuid Option to /var/tmp + + Verify 
/boot/efi/EFI/redhat/user.cfg User Ownership - ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1 + ocil:ssg-file_owner_efi_user_cfg_action:testaction:1 - - The Postfix package is installed + + Verify Group Who Owns Backup group File - ocil:ssg-package_postfix_installed_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 - - Disallow Configuration to Bypass Password Requirements for Privilege Escalation + + Disable the samba_share_nfs SELinux Boolean - ocil:ssg-disallow_bypass_password_sudo_action:testaction:1 + ocil:ssg-sebool_samba_share_nfs_action:testaction:1 - - Disable the httpd_ssi_exec SELinux Boolean + + Disable telnet Service - ocil:ssg-sebool_httpd_ssi_exec_action:testaction:1 + ocil:ssg-service_telnet_disabled_action:testaction:1 - - Ensure Red Hat GPG Key Installed + + Do Not Allow SSH Environment Options - ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1 + ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1 - - Verify Group Ownership on SSH Server Private *_key Key Files + + Enable the auditadm_exec_content SELinux Boolean - ocil:ssg-file_groupownership_sshd_private_key_action:testaction:1 + ocil:ssg-sebool_auditadm_exec_content_action:testaction:1 - - Disable the httpd_unified SELinux Boolean + + Disable the samba_portmapper SELinux Boolean - ocil:ssg-sebool_httpd_unified_action:testaction:1 + ocil:ssg-sebool_samba_portmapper_action:testaction:1 - - Add nosuid Option to /var/log/audit + + Add nosuid Option to /home - ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Disable the ftpd_use_nfs SELinux Boolean + + All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group - ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1 + ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1 - - Disable the authlogin_yubikey SELinux Boolean + + Ensure Logs Sent To Remote Host - 
ocil:ssg-sebool_authlogin_yubikey_action:testaction:1 + ocil:ssg-rsyslog_remote_loghost_action:testaction:1 - - Verify User Who Owns passwd File + + Record Events that Modify the System's Discretionary Access Controls - removexattr - ocil:ssg-file_owner_etc_passwd_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 - - Configure auditing of successful file accesses + + Install iptables Package - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Disable Host-Based Authentication + + Authorize Human Interface Devices in USBGuard daemon - ocil:ssg-disable_host_auth_action:testaction:1 + ocil:ssg-usbguard_allow_hid_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Different Categories + + Ensure No World-Writable Files Exist - ocil:ssg-accounts_password_pam_minclass_action:testaction:1 + ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 - - Disable SSH Support for .rhosts Files + + Disable the xguest_connect_network SELinux Boolean - ocil:ssg-sshd_disable_rhosts_action:testaction:1 + ocil:ssg-sebool_xguest_connect_network_action:testaction:1 - - Configure GnuTLS library to use DoD-approved TLS Encryption + + Configure kernel to trust the CPU random number generator - ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1 + ocil:ssg-grub2_kernel_trust_cpu_rng_action:testaction:1 - - Set SSH Client Alive Interval + + Disable the git_session_users SELinux Boolean - ocil:ssg-sshd_set_idle_timeout_action:testaction:1 + ocil:ssg-sebool_git_session_users_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - renameat + + Don't target root user in the sudoers file - ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1 + ocil:ssg-sudoers_no_root_target_action:testaction:1 - - Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Disable the 
telepathy_tcp_connect_generic_network_ports SELinux Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 + ocil:ssg-sebool_telepathy_tcp_connect_generic_network_ports_action:testaction:1 - - Disable the fcron_crond SELinux Boolean + + Specify UID and GID for Anonymous NFS Connections - ocil:ssg-sebool_fcron_crond_action:testaction:1 + ocil:ssg-nfs_no_anonymous_action:testaction:1 - - Ensure debug-shell service is not enabled in zIPL + + Set Default ip6tables Policy for Incoming Packets - ocil:ssg-zipl_systemd_debug-shell_argument_absent_action:testaction:1 + ocil:ssg-set_ip6tables_default_rule_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 - - Disable the pcp_read_generic_logs SELinux Boolean + + Enable Dracut FIPS Module - ocil:ssg-sebool_pcp_read_generic_logs_action:testaction:1 + ocil:ssg-enable_dracut_fips_module_action:testaction:1 - - Disable the selinuxuser_use_ssh_chroot SELinux Boolean + + Ensure sudo Runs In A Minimal Environment - sudo env_reset - ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 + ocil:ssg-sudo_add_env_reset_action:testaction:1 - - Ensure Log Files Are Owned By Appropriate Group + + All Interactive User Home Directories Must Be Group-Owned By The Primary Group - ocil:ssg-rsyslog_files_groupownership_action:testaction:1 + ocil:ssg-file_groupownership_home_directories_action:testaction:1 - - Enable FIPS Mode + + Disable ypserv Service - ocil:ssg-enable_fips_mode_action:testaction:1 + ocil:ssg-service_ypserv_disabled_action:testaction:1 - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + UEFI Boot Loader Is Not Installed On Removeable Media - 
ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1 + ocil:ssg-uefi_no_removeable_media_action:testaction:1 - - Verify Group Who Owns /etc/at.allow file + + Install policycoreutils-python-utils package - ocil:ssg-file_groupowner_at_allow_action:testaction:1 + ocil:ssg-package_policycoreutils-python-utils_installed_action:testaction:1 - - Disable the squid_use_tproxy SELinux Boolean + + Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config - ocil:ssg-sebool_squid_use_tproxy_action:testaction:1 + ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_action:testaction:1 - - Disable the conman_can_network SELinux Boolean + + Ensure /var/log/audit Located On Separate Partition - ocil:ssg-sebool_conman_can_network_action:testaction:1 + ocil:ssg-partition_for_var_log_audit_action:testaction:1 - - Add nodev Option to /home + + Enable SLUB debugging support - ocil:ssg-mount_option_home_nodev_action:testaction:1 + ocil:ssg-kernel_config_slub_debug_action:testaction:1 - - Set Daemon Umask + + Ensure journald is configured to write log files to persistent disk - ocil:ssg-umask_for_daemons_action:testaction:1 + ocil:ssg-journald_storage_action:testaction:1 - - Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty + + Require Authentication for Single User Mode - ocil:ssg-ensure_pam_wheel_group_empty_action:testaction:1 + ocil:ssg-require_singleuser_auth_action:testaction:1 - - Disable the cron_system_cronjob_use_shares SELinux Boolean + + Disable Core Dumps for All Users - ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 + ocil:ssg-disable_users_coredumps_action:testaction:1 - + Configure auditd space_left on Low Disk Space - ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1 + ocil:ssg-auditd_data_retention_space_left_action:testaction:1 + + + + Record Unsuccessful Delete Attempts to Files - unlinkat + + 
ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 
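Review bot: Nearly every line in this hunk is an unchanged OCIL questionnaire title and its ocil:ssg-…:testaction:1 reference that has only changed position (for example "Disable x86 vsyscall emulation" / ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1 is removed here and re-added verbatim in the following hunk), which points to the generator emitting these references in an unstable order; sorting them by id before serializing ssg-rhel8-ds-1.2.xml would keep automated publishes down to real changes and make those changes reviewable. Two substantive changes are buried in the churn and deserve a mention in the commit message: the "Configure auditd space_left on Low Disk Space" questionnaire now references ocil:ssg-auditd_data_retention_space_left_action:testaction:1 instead of ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1, and a new "Record Unsuccessful Delete Attempts to Files - unlinkat" entry referencing ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 is added; confirm both are intended. Also, the added title "Set PAM''s Password Hashing Algorithm" carries a doubled apostrophe, which looks like an escaping artifact in the generator rather than the intended text.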
@@ -348467,2068 +348485,2056 @@ which the system will be deployed as closely as possible.ocil:ssg-package_iptables-services_removed_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Record Attempts to perform maintenance activities - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-audit_sudo_log_events_action:testaction:1 - - Configure auditing of unsuccessful permission changes + + Ensure All Files Are Owned by a User - ocil:ssg-audit_perm_change_failed_action:testaction:1 + ocil:ssg-no_files_unowned_by_user_action:testaction:1 - - Disable the mcelog_server SELinux Boolean + + Configure audispd's Plugin network_failure_action On Network Failure - ocil:ssg-sebool_mcelog_server_action:testaction:1 + ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1 - - Disable the samba_run_unconfined SELinux Boolean + + Audit Configuration Files Must Be Owned By Root - ocil:ssg-sebool_samba_run_unconfined_action:testaction:1 + ocil:ssg-file_ownership_audit_configuration_action:testaction:1 - - Disable the webadm_read_user_files SELinux Boolean + + Configure SSSD LDAP Backend Client CA Certificate - ocil:ssg-sebool_webadm_read_user_files_action:testaction:1 + ocil:ssg-sssd_ldap_configure_tls_ca_action:testaction:1 - - Disable the abrt_handle_event SELinux Boolean + + Disable the GNOME3 Login Restart and Shutdown Buttons - ocil:ssg-sebool_abrt_handle_event_action:testaction:1 + ocil:ssg-dconf_gnome_disable_restart_shutdown_action:testaction:1 - - Disable the nagios_run_pnp4nagios SELinux Boolean + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default - ocil:ssg-sebool_nagios_run_pnp4nagios_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_action:testaction:1 - - Disable the virt_use_samba SELinux Boolean + + Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config - ocil:ssg-sebool_virt_use_samba_action:testaction:1 + 
ocil:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy_action:testaction:1 - - Add nosuid Option to /dev/shm + + Uninstall bind Package - ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1 + ocil:ssg-package_bind_removed_action:testaction:1 - - Force opensc To Use Defined Smart Card Driver + + Lock Accounts After Failed Password Attempts - ocil:ssg-force_opensc_card_drivers_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words + + All Interactive Users Home Directories Must Exist - ocil:ssg-accounts_password_pam_dictcheck_action:testaction:1 + ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1 - - Ensure the Default Umask is Set Correctly in login.defs + + Disable the samba_domain_controller SELinux Boolean - ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 + ocil:ssg-sebool_samba_domain_controller_action:testaction:1 - - Do Not Show System Messages When Unsuccessful Logon Attempts Occur + + Verify that audit tools Have Mode 0755 or less - ocil:ssg-accounts_passwords_pam_faillock_silent_action:testaction:1 + ocil:ssg-file_permissions_audit_binaries_action:testaction:1 - - Disable the httpd_can_connect_ftp SELinux Boolean + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group - ocil:ssg-sebool_httpd_can_connect_ftp_action:testaction:1 + ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 - - Disable the logging_syslogd_can_sendmail SELinux Boolean + + Disable the samba_run_unconfined SELinux Boolean - ocil:ssg-sebool_logging_syslogd_can_sendmail_action:testaction:1 + ocil:ssg-sebool_samba_run_unconfined_action:testaction:1 - - MIME types for csh or sh shell programs must be disabled + + Disallow magic SysRq key - ocil:ssg-httpd_disable_mime_types_action:testaction:1 + ocil:ssg-sysctl_kernel_sysrq_action:testaction:1 - - Ensure McAfee Endpoint 
Security for Linux (ENSL) is running + + Disable the use_fusefs_home_dirs SELinux Boolean - ocil:ssg-agent_mfetpd_running_action:testaction:1 + ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - shutdown + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-audit_privileged_commands_shutdown_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure the audit Subsystem is Installed + + Ensure Home Directories are Created for New Users - ocil:ssg-package_audit_installed_action:testaction:1 + ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1 - - Disable the tor_can_network_relay SELinux Boolean + + Verify /boot/efi/EFI/redhat/user.cfg Group Ownership - ocil:ssg-sebool_tor_can_network_relay_action:testaction:1 + ocil:ssg-file_groupowner_efi_user_cfg_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - mount + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default - ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1 - - Enable SSH Warning Banner + + Disable the wine_mmap_zero_ignore SELinux Boolean - ocil:ssg-sshd_enable_warning_banner_action:testaction:1 + ocil:ssg-sebool_wine_mmap_zero_ignore_action:testaction:1 - - Disable Kerberos by removing host keytab + + Disable Host-Based Authentication - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure All Accounts on the System Have Unique Names + + Ensure ip6tables Firewall Rules Exist for All Open Ports - ocil:ssg-account_unique_name_action:testaction:1 + ocil:ssg-ip6tables_rules_for_open_ports_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Scan All Uploaded Content for Malicious Software - 
ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1 - - Disable At Service (atd) + + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server - ocil:ssg-service_atd_disabled_action:testaction:1 + ocil:ssg-rsyslog_nolisten_action:testaction:1 - - Ensure /usr Located On Separate Partition + + Disable the tmpreaper_use_nfs SELinux Boolean - ocil:ssg-partition_for_usr_action:testaction:1 + ocil:ssg-sebool_tmpreaper_use_nfs_action:testaction:1 - - Enable the user_exec_content SELinux Boolean + + Disable the abrt_anon_write SELinux Boolean - ocil:ssg-sebool_user_exec_content_action:testaction:1 + ocil:ssg-sebool_abrt_anon_write_action:testaction:1 - - Install dnf-plugin-subscription-manager Package + + Configure immutable Audit login UIDs - ocil:ssg-package_dnf-plugin-subscription-manager_installed_action:testaction:1 + ocil:ssg-audit_immutable_login_uids_action:testaction:1 - - Disable the virt_sandbox_use_sys_admin SELinux Boolean + + Configure ARP filtering for All IPv4 Interfaces - ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1 - - Configure CA certificate for rsyslog remote logging + + Configure the secure_mode_insmod SELinux Boolean - ocil:ssg-rsyslog_remote_tls_cacert_action:testaction:1 + ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 - - Configure auditing of successful file creations + + Record Successful Permission Changes to Files - removexattr - ocil:ssg-audit_create_success_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1 - - Set Account Expiration Following Inactivity + + Disable Secure RPC Server Service (rpcsvcgssd) - ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 + ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 - - Configure LDAP Client to Use TLS For All Transactions + + Disable the nis_enabled SELinux Boolean 
- ocil:ssg-ldap_client_start_tls_action:testaction:1 + ocil:ssg-sebool_nis_enabled_action:testaction:1 - - Install iptables Package + + Ensure All SUID Executables Are Authorized - ocil:ssg-package_iptables_installed_action:testaction:1 + ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1 - - Set the GNOME3 Login Number of Failures + + Configure auditing of unsuccessful file creations - ocil:ssg-dconf_gnome_login_retries_action:testaction:1 + ocil:ssg-audit_create_failed_action:testaction:1 - - Verify the SSH Private Key Files Have a Passcode + + Require Encryption for Remote Access in GNOME3 - ocil:ssg-ssh_keys_passphrase_protected_action:testaction:1 + ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 - - Enable the cron_userdomain_transition SELinux Boolean + + Configure System to Forward All Mail From Postmaster to The Root Account - ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1 + ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1 - - Disable rlogin Service + + Ensure There Are No Accounts With Blank or Null Passwords - ocil:ssg-service_rlogin_disabled_action:testaction:1 + ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1 - - Disable the httpd_verify_dns SELinux Boolean + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-sebool_httpd_verify_dns_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Disable the authlogin_nsswitch_use_ldap SELinux Boolean + + Disable the sanlock_use_nfs SELinux Boolean - ocil:ssg-sebool_authlogin_nsswitch_use_ldap_action:testaction:1 + ocil:ssg-sebool_sanlock_use_nfs_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Enable the 
xend_run_blktap SELinux Boolean + + Disable the httpd_can_connect_ftp SELinux Boolean - ocil:ssg-sebool_xend_run_blktap_action:testaction:1 + ocil:ssg-sebool_httpd_can_connect_ftp_action:testaction:1 - - Uninstall xinetd Package + + Disable the xen_use_nfs SELinux Boolean - ocil:ssg-package_xinetd_removed_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Configure auditd Disk Error Action on Disk Error + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Set type of computer node name logging in audit logs + + The operating system must restrict privilege elevation to authorized personnel - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1 - - Install vim Package + + Enable PAM - ocil:ssg-package_vim_installed_action:testaction:1 + ocil:ssg-sshd_enable_pam_action:testaction:1 - - Disable the rsync_anon_write SELinux Boolean + + Disable Power Settings in GNOME3 - ocil:ssg-sebool_rsync_anon_write_action:testaction:1 + ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1 - - Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces + + Disable the cobbler_anon_write SELinux Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_forwarding_action:testaction:1 + ocil:ssg-sebool_cobbler_anon_write_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Record attempts to alter time through settimeofday - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_time_settimeofday_action:testaction:1 - - Disable the ftpd_use_passive_mode SELinux Boolean + + Enforce Spectre v2 mitigation - ocil:ssg-sebool_ftpd_use_passive_mode_action:testaction:1 + ocil:ssg-grub2_spectre_v2_argument_action:testaction:1 - - The Installed Operating System Is Vendor Supported + + 
Disable the httpd_sys_script_anon_write SELinux Boolean - ocil:ssg-installed_OS_is_vendor_supported_action:testaction:1 + ocil:ssg-sebool_httpd_sys_script_anon_write_action:testaction:1 - - Disable the kdumpgui_run_bootloader SELinux Boolean + + Install OpenSSH client software - ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1 + ocil:ssg-package_openssh-clients_installed_action:testaction:1 - - Install McAfee Endpoint Security for Linux (ENSL) + + Enable Auditing for Processes Which Start Prior to the Audit Daemon - ocil:ssg-package_mcafeetp_installed_action:testaction:1 + ocil:ssg-grub2_audit_argument_action:testaction:1 - - Disable the secure_mode_policyload SELinux Boolean + + Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout - ocil:ssg-sebool_secure_mode_policyload_action:testaction:1 + ocil:ssg-sudo_add_passwd_timeout_action:testaction:1 - - Disable the samba_domain_controller SELinux Boolean + + Record Successful Permission Changes to Files - fchmod - ocil:ssg-sebool_samba_domain_controller_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1 - - Disable the squid_connect_any SELinux Boolean + + Disable the swift_can_network SELinux Boolean - ocil:ssg-sebool_squid_connect_any_action:testaction:1 + ocil:ssg-sebool_swift_can_network_action:testaction:1 - - Enable the fips_mode SELinux Boolean + + Disable the zebra_write_config SELinux Boolean - ocil:ssg-sebool_fips_mode_action:testaction:1 + ocil:ssg-sebool_zebra_write_config_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/passwd + + Verify Owner on cron.weekly - ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1 + ocil:ssg-file_owner_cron_weekly_action:testaction:1 - - Set Password Maximum Consecutive Repeating Characters + + Configure dnf-automatic to Install Available Updates Automatically - ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1 + 
ocil:ssg-dnf-automatic_apply_updates_action:testaction:1 - - Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces + + Record Successful Ownership Changes to Files - fchown - ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1 - - Verify Owner on cron.hourly + + Disable the mpd_use_nfs SELinux Boolean - ocil:ssg-file_owner_cron_hourly_action:testaction:1 + ocil:ssg-sebool_mpd_use_nfs_action:testaction:1 - - OpenSSL uses strong entropy source + + Limit sampling frequency of the Perf system - ocil:ssg-openssl_use_strong_entropy_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1 - - Public web server resources must not be shared with private assets + + Record Events that Modify the System's Network Environment - ocil:ssg-httpd_public_resources_not_shared_action:testaction:1 + ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 - - Uninstall python3-abrt-addon Package + + Disable storing core dumps - ocil:ssg-package_python3-abrt-addon_removed_action:testaction:1 + ocil:ssg-sysctl_kernel_core_pattern_action:testaction:1 - - Configure TLS for rsyslog remote logging + + Each Web Content Directory Must Contain An index.html File - ocil:ssg-rsyslog_remote_tls_action:testaction:1 + ocil:ssg-httpd_configure_documentroot_action:testaction:1 - - Verify User Who Owns Backup shadow File + + Ensure auditd Collects Information on the Use of Privileged Commands - shutdown - ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1 + ocil:ssg-audit_privileged_commands_shutdown_action:testaction:1 - - Record Successful Delete Attempts to Files - unlinkat + + Record Unsuccessful Permission Changes to Files - removexattr - ocil:ssg-audit_rules_successful_file_modification_unlinkat_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1 - - Install the OpenSSH 
Server Package + + Ensure gpgcheck Enabled for All yum Package Repositories - ocil:ssg-package_openssh-server_installed_action:testaction:1 + ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 - - Install McAfee Virus Scanning Software + + Install libcap-ng-utils Package - ocil:ssg-install_mcafee_antivirus_action:testaction:1 + ocil:ssg-package_libcap-ng-utils_installed_action:testaction:1 - - Disable the openvpn_enable_homedirs SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Limit the Number of Concurrent Login Sessions Allowed Per User + + Enable module signature verification - ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 + ocil:ssg-kernel_config_module_sig_action:testaction:1 - - Ensure Default SNMP Password Is Not Used + + Set Kernel Parameter to Increase Local Port Range - ocil:ssg-snmpd_not_default_password_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_ip_local_port_range_action:testaction:1 - - Set the Boot Loader Admin Username to a Non-Default Value + + Ensure All Groups on the System Have Unique Group Names - ocil:ssg-grub2_admin_username_action:testaction:1 + ocil:ssg-group_unique_name_action:testaction:1 - - Write Audit Logs to the Disk + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-auditd_write_logs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Session Idle Settings + + Disable Printer Browsing Entirely if Possible - ocil:ssg-dconf_gnome_session_idle_user_locks_action:testaction:1 + ocil:ssg-cups_disable_browsing_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Uninstall openldap-servers Package - ocil:ssg-group_unique_id_action:testaction:1 + 
ocil:ssg-package_openldap-servers_removed_action:testaction:1 - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Disable core dump backtraces - ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 + ocil:ssg-coredump_disable_backtraces_action:testaction:1 - - Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean + + Ensure rsyslog-gnutls is installed - ocil:ssg-sebool_selinuxuser_postgresql_connect_enabled_action:testaction:1 + ocil:ssg-package_rsyslog-gnutls_installed_action:testaction:1 - - Ensure All Groups on the System Have Unique Group Names + + Verify Group Who Owns SSH Server config file - ocil:ssg-group_unique_name_action:testaction:1 + ocil:ssg-file_groupowner_sshd_config_action:testaction:1 - - Ensure network interfaces are assigned to appropriate zone + + Disable x86 vsyscall emulation - ocil:ssg-set_firewalld_appropriate_zone_action:testaction:1 + ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1 - - Record Events that Modify the System's Mandatory Access Controls + + Ensure SMEP is not disabled during boot - ocil:ssg-audit_rules_mac_modification_action:testaction:1 + ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1 - - Enable page allocator poisoning in zIPL + + Verify Permissions on Backup passwd File - ocil:ssg-zipl_page_poison_argument_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 - - Force frequent session key renegotiation + + Ensure that System Accounts Are Locked - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 - - Specify UID and GID for Anonymous NFS Connections + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-nfs_no_anonymous_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Ensure auditd Collects Information on the Use of Privileged Commands - 
pam_timestamp_check - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 - - Disable the ksmtuned_use_nfs SELinux Boolean + + Uninstall httpd Package - ocil:ssg-sebool_ksmtuned_use_nfs_action:testaction:1 + ocil:ssg-package_httpd_removed_action:testaction:1 - - Disable the xguest_connect_network SELinux Boolean + + Add noexec Option to /dev/shm - ocil:ssg-sebool_xguest_connect_network_action:testaction:1 + ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/security/opasswd + + Enable Smartcards in SSSD - ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 + ocil:ssg-sssd_enable_smartcards_action:testaction:1 - - Avoid speculative indirect branches in kernel + + Disable Recovery Booting - ocil:ssg-kernel_config_retpoline_action:testaction:1 + ocil:ssg-grub2_disable_recovery_action:testaction:1 - - Disable the webadm_manage_user_files SELinux Boolean + + Disable Kerberos by removing host keytab - ocil:ssg-sebool_webadm_manage_user_files_action:testaction:1 + ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure sudo only includes the default configuration directory - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-sudoers_default_includedir_action:testaction:1 - - Disable the mcelog_client SELinux Boolean + + Restrict Exposed Kernel Pointer Addresses Access - ocil:ssg-sebool_mcelog_client_action:testaction:1 + ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 - - Disable the virt_use_rawip SELinux Boolean + + Disable the tftp_home_dir SELinux Boolean - ocil:ssg-sebool_virt_use_rawip_action:testaction:1 + ocil:ssg-sebool_tftp_home_dir_action:testaction:1 - - Install the SSSD Package + + Record Events that Modify the System's Mandatory Access Controls in usr/share - 
ocil:ssg-package_sssd_installed_action:testaction:1 + ocil:ssg-audit_rules_mac_modification_usr_share_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Ensure journald is configured to send logs to rsyslog - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-journald_forward_to_syslog_action:testaction:1 - - Remove Host-Based Authentication Files + + Record Any Attempts to Run setfiles - ocil:ssg-no_host_based_files_action:testaction:1 + ocil:ssg-audit_rules_execution_setfiles_action:testaction:1 - - Disable the mozilla_plugin_can_network_connect SELinux Boolean + + Ensure users' .netrc Files are not group or world accessible - ocil:ssg-sebool_mozilla_plugin_can_network_connect_action:testaction:1 + ocil:ssg-accounts_users_netrc_file_permissions_action:testaction:1 - - Disable rexec Service + + Disable XDMCP in GDM - ocil:ssg-service_rexec_disabled_action:testaction:1 + ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1 - - Disable the xserver_object_manager SELinux Boolean + + Disable Odd Job Daemon (oddjobd) - ocil:ssg-sebool_xserver_object_manager_action:testaction:1 + ocil:ssg-service_oddjobd_disabled_action:testaction:1 - - Ensure SELinux Not Disabled in the kernel arguments + + Disable the selinuxuser_execstack SELinux Boolean - ocil:ssg-coreos_enable_selinux_kernel_argument_action:testaction:1 + ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - truncate + + Ensure PAM Displays Last Logon/Access Notification - ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 + ocil:ssg-display_login_attempts_action:testaction:1 - - Configure BIND to use System Crypto Policy + + Remove Rsh Trust Files - ocil:ssg-configure_bind_crypto_policy_action:testaction:1 + ocil:ssg-no_rsh_trust_files_action:testaction:1 - - Disable the collectd_tcp_network_connect SELinux Boolean + + Configure the deny_execmem SELinux Boolean - 
ocil:ssg-sebool_collectd_tcp_network_connect_action:testaction:1 + ocil:ssg-sebool_deny_execmem_action:testaction:1 - - Verify Group Who Owns /etc/cron.allow file + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty - ocil:ssg-file_groupowner_cron_allow_action:testaction:1 + ocil:ssg-sudo_add_use_pty_action:testaction:1 - - Disable the glance_api_can_network SELinux Boolean + + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces - ocil:ssg-sebool_glance_api_can_network_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_action:testaction:1 - - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Harden slab freelist metadata - ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 + ocil:ssg-kernel_config_slab_freelist_hardened_action:testaction:1 - - Disable Core Dumps for All Users + + Disable the selinuxuser_mysql_connect_enabled SELinux Boolean - ocil:ssg-disable_users_coredumps_action:testaction:1 + ocil:ssg-sebool_selinuxuser_mysql_connect_enabled_action:testaction:1 - - Uninstall vsftpd Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_vsftpd_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure Chrony is only configured with the server directive + + Disable the cvs_read_shadow SELinux Boolean - ocil:ssg-chronyd_server_directive_action:testaction:1 + ocil:ssg-sebool_cvs_read_shadow_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - at + + Configure GnuTLS library to use DoD-approved TLS Encryption - ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1 + ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1 - - Configure L1 Terminal Fault mitigations + + Do not allow ACPI methods to be inserted/replaced at run time - ocil:ssg-grub2_l1tf_argument_action:testaction:1 + 
ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1 - - Disable the xdm_sysadm_login SELinux Boolean + + Record Unsuccessful Access Attempts to Files - openat - ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 - - Enable Postfix Service + + Verify Permissions on group File - ocil:ssg-service_postfix_enabled_action:testaction:1 + ocil:ssg-file_permissions_etc_group_action:testaction:1 - - Explicit arguments in sudo specifications + + Record Unsuccessful Permission Changes to Files - fsetxattr - ocil:ssg-sudoers_explicit_command_args_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1 - - Verify Permissions on Backup shadow File + + Uninstall setroubleshoot-plugins Package - ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1 + ocil:ssg-package_setroubleshoot-plugins_removed_action:testaction:1 - - Verify Permissions on cron.weekly + + Harden memory copies between kernel and userspace - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-kernel_config_hardened_usercopy_action:testaction:1 - - Disable IEEE 1394 (FireWire) Support + + Record Any Attempts to Run setfacl - ocil:ssg-kernel_module_firewire-core_disabled_action:testaction:1 + ocil:ssg-audit_rules_execution_setfacl_action:testaction:1 - - Enable the unconfined_mozilla_plugin_transition SELinux Boolean + + Disable the httpd_run_ipa SELinux Boolean - ocil:ssg-sebool_unconfined_mozilla_plugin_transition_action:testaction:1 + ocil:ssg-sebool_httpd_run_ipa_action:testaction:1 - - Ignore HTTPD .htaccess Files + + Disable GNOME3 Automount running - ocil:ssg-httpd_ignore_htaccess_files_action:testaction:1 + ocil:ssg-dconf_gnome_disable_autorun_action:testaction:1 - - Disable the irc_use_any_tcp_ports SELinux Boolean + + Uninstall pigz Package - ocil:ssg-sebool_irc_use_any_tcp_ports_action:testaction:1 + 
ocil:ssg-package_pigz_removed_action:testaction:1 - - Drop Gratuitious ARP frames on All IPv4 Interfaces + + Set number of Password Hashing Rounds - system-auth - ocil:ssg-sysctl_net_ipv4_conf_all_drop_gratuitous_arp_action:testaction:1 + ocil:ssg-accounts_password_pam_unix_rounds_system_auth_action:testaction:1 - - Mount Remote Filesystems with nodev + + Installation of a compiler on production web server is prohibited - ocil:ssg-mount_option_nodev_remote_filesystems_action:testaction:1 + ocil:ssg-httpd_no_compilers_in_prod_action:testaction:1 - - Set Existing Passwords Minimum Age + + Disable the git_system_enable_homedirs SELinux Boolean - ocil:ssg-accounts_password_set_min_life_existing_action:testaction:1 + ocil:ssg-sebool_git_system_enable_homedirs_action:testaction:1 - - Disable the virt_use_fusefs SELinux Boolean + + Record Attempts to Alter Logon and Logout Events - lastlog - ocil:ssg-sebool_virt_use_fusefs_action:testaction:1 + ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1 - - Disable the nfsd_anon_write SELinux Boolean + + Ensure /var/log Located On Separate Partition - ocil:ssg-sebool_nfsd_anon_write_action:testaction:1 + ocil:ssg-partition_for_var_log_action:testaction:1 - - Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE + + Uninstall CUPS Package - ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1 + ocil:ssg-package_cups_removed_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Require Client SMB Packet Signing, if using mount.cifs - ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 + ocil:ssg-mount_option_smb_client_signing_action:testaction:1 - - Disable GNOME3 Automount Opening + + Set SSH MaxSessions limit - ocil:ssg-dconf_gnome_disable_automount_open_action:testaction:1 + ocil:ssg-sshd_set_max_sessions_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + 
Record Unsuccessful Creation Attempts to Files - open O_CREAT - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/shadow + + Force initialization of variables containing userspace addresses - ocil:ssg-audit_rules_etc_shadow_openat_action:testaction:1 + ocil:ssg-kernel_config_gcc_plugin_structleak_action:testaction:1 - - Ensure a dedicated group owns sudo + + Set the GNOME3 Login Warning Banner Text - ocil:ssg-sudo_dedicated_group_action:testaction:1 + ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 - - Disable the sge_domain_can_network_connect SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - ocil:ssg-sebool_sge_domain_can_network_connect_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_action:testaction:1 - - Set number of Password Hashing Rounds - system-auth + + Disable the daemons_use_tty SELinux Boolean - ocil:ssg-accounts_password_pam_unix_rounds_system_auth_action:testaction:1 + ocil:ssg-sebool_daemons_use_tty_action:testaction:1 - - Uninstall rsync Package + + Verify Owner on crontab - ocil:ssg-package_rsync_removed_action:testaction:1 + ocil:ssg-file_owner_crontab_action:testaction:1 - - The Chrony package is installed + + Install audispd-plugins Package - ocil:ssg-package_chrony_installed_action:testaction:1 + ocil:ssg-package_audispd-plugins_installed_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - open_by_handle_at + + Disable the mcelog_server SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 + ocil:ssg-sebool_mcelog_server_action:testaction:1 - - Enable Encrypted X11 Forwarding + + Ensure the Default Bash Umask is Set Correctly - ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1 + 
ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1 - - Ensure sudo Runs In A Minimal Environment - sudo env_reset + + Kernel panic timeout - ocil:ssg-sudo_add_env_reset_action:testaction:1 + ocil:ssg-kernel_config_panic_timeout_action:testaction:1 - - Install libselinux Package + + Disable Squid - ocil:ssg-package_libselinux_installed_action:testaction:1 + ocil:ssg-service_squid_disabled_action:testaction:1 - - Disable All GNOME3 Thumbnailers + + Ensure Rsyslog Authenticates Off-Loaded Audit Records - ocil:ssg-dconf_gnome_disable_thumbnailers_action:testaction:1 + ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action:testaction:1 - - Ensure /home Located On Separate Partition + + Add noexec Option to /var/log - ocil:ssg-partition_for_home_action:testaction:1 + ocil:ssg-mount_option_var_log_noexec_action:testaction:1 - - Verify Only Root Has UID 0 + + Ensure PAM Enforces Password Requirements - Minimum Length - ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 + ocil:ssg-accounts_password_pam_minlen_action:testaction:1 - - Enable the mcelog_exec_scripts SELinux Boolean + + Disable the puppetagent_manage_all_files SELinux Boolean - ocil:ssg-sebool_mcelog_exec_scripts_action:testaction:1 + ocil:ssg-sebool_puppetagent_manage_all_files_action:testaction:1 - - Enable different security models + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - ocil:ssg-kernel_config_security_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 - - Enable GNOME3 Screensaver Idle Activation + + Set Default iptables Policy for Forwarded Packets - ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_action:testaction:1 + ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 - - Ensure nss-tools is installed + + Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. 
- ocil:ssg-package_nss-tools_installed_action:testaction:1 + ocil:ssg-account_password_pam_faillock_password_auth_action:testaction:1 - - Ensure Mail Transfer Agent is not Listening on any non-loopback Address + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - ocil:ssg-has_nonlocal_mta_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 - - Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ + + Disable the rsync_full_access SELinux Boolean - ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1 + ocil:ssg-sebool_rsync_full_access_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Enforce for root User + + Verify /boot/grub2/user.cfg User Ownership - ocil:ssg-accounts_password_pam_enforce_root_action:testaction:1 + ocil:ssg-file_owner_user_cfg_action:testaction:1 - - Ensure rsyslog Default File Permissions Configured + + Disable ypbind Service - ocil:ssg-rsyslog_filecreatemode_action:testaction:1 + ocil:ssg-service_ypbind_disabled_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure journald is configured to compress large log files - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-journald_compress_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - ocil:ssg-accounts_password_pam_ucredit_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 - - Disable compatibility with brk() + + Record Events that Modify the System's Discretionary Access Controls - lchown - ocil:ssg-kernel_config_compat_brk_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 - - Verify Group Who Owns /var/log Directory + + Uninstall rsh Package - ocil:ssg-file_groupowner_var_log_action:testaction:1 
+ ocil:ssg-package_rsh_removed_action:testaction:1 - - Configure auditing of loading and unloading of kernel modules + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - ocil:ssg-audit_module_load_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1 - - Ensure SSH LoginGraceTime is configured + + Configure auditd flush priority - ocil:ssg-sshd_set_login_grace_time_action:testaction:1 + ocil:ssg-auditd_data_retention_flush_action:testaction:1 - - Ensure debug-shell service is not enabled during boot + + Disable the tor_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-grub2_systemd_debug-shell_argument_absent_action:testaction:1 + ocil:ssg-sebool_tor_bind_all_unreserved_ports_action:testaction:1 - - Prevent Login to Accounts With Empty Password + + Create Warning Banners for All FTP Users - ocil:ssg-no_empty_passwords_action:testaction:1 + ocil:ssg-ftp_present_banner_action:testaction:1 - - Uninstall dovecot Package + + Ensure rsyslog Default File Permissions Configured - ocil:ssg-package_dovecot_removed_action:testaction:1 + ocil:ssg-rsyslog_filecreatemode_action:testaction:1 - - Verify Permissions on shadow File + + Disable the ftpd_use_fusefs SELinux Boolean - ocil:ssg-file_permissions_etc_shadow_action:testaction:1 + ocil:ssg-sebool_ftpd_use_fusefs_action:testaction:1 - - Uninstall CUPS Package + + Disable the logrotate_use_nfs SELinux Boolean - ocil:ssg-package_cups_removed_action:testaction:1 + ocil:ssg-sebool_logrotate_use_nfs_action:testaction:1 - - Remove the Kerberos Server Package + + Configure immutable Audit login UIDs - ocil:ssg-package_krb5-server_removed_action:testaction:1 + ocil:ssg-audit_rules_immutable_login_uids_action:testaction:1 - - Record Successful Permission Changes to Files - fchmodat + + Install AIDE - ocil:ssg-audit_rules_successful_file_modification_fchmodat_action:testaction:1 + ocil:ssg-package_aide_installed_action:testaction:1 - - Enable 
the sysadm_exec_content SELinux Boolean + + Verify User Who Owns passwd File - ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 + ocil:ssg-file_owner_etc_passwd_action:testaction:1 - - Enable HTTPD System Logging + + Disable the openvpn_can_network_connect SELinux Boolean - ocil:ssg-httpd_enable_system_logging_action:testaction:1 + ocil:ssg-sebool_openvpn_can_network_connect_action:testaction:1 - - Disable the httpd_serve_cobbler_files SELinux Boolean + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - ocil:ssg-sebool_httpd_serve_cobbler_files_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_query_action:testaction:1 - - Disable Anonymous FTP Access + + An SELinux Context must be configured for the pam_faillock.so records directory - ocil:ssg-httpd_disable_anonymous_ftp_access_action:testaction:1 + ocil:ssg-account_password_selinux_faillock_dir_action:testaction:1 - - Install the Host Intrusion Prevention System (HIPS) Module + + Warn on W+X mappings found at boot - ocil:ssg-package_MFEhiplsm_installed_action:testaction:1 + ocil:ssg-kernel_config_debug_wx_action:testaction:1 - - Set PAM''s Password Hashing Algorithm - password-auth + + Disable the postgresql_selinux_transmit_client_label SELinux Boolean - ocil:ssg-set_password_hashing_algorithm_passwordauth_action:testaction:1 + ocil:ssg-sebool_postgresql_selinux_transmit_client_label_action:testaction:1 - - Disable the samba_share_fusefs SELinux Boolean + + Install firewalld Package - ocil:ssg-sebool_samba_share_fusefs_action:testaction:1 + ocil:ssg-package_firewalld_installed_action:testaction:1 - - Disable the httpd_use_gpg SELinux Boolean + + Disable ATM Support - ocil:ssg-sebool_httpd_use_gpg_action:testaction:1 + ocil:ssg-kernel_module_atm_disabled_action:testaction:1 - - Disable the tftp_anon_write SELinux Boolean + + Set SSH Client Alive Count Max - ocil:ssg-sebool_tftp_anon_write_action:testaction:1 + 
ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Disable the httpd_use_nfs SELinux Boolean + + Disable the GNOME3 Login User List - ocil:ssg-sebool_httpd_use_nfs_action:testaction:1 + ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1 - - Verify that local System.map file (if exists) is readable only by root + + Record Successful Ownership Changes to Files - fchownat - ocil:ssg-file_permissions_systemmap_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchownat_action:testaction:1 - - Disable the mpd_use_cifs SELinux Boolean + + Enable the SSSD Service - ocil:ssg-sebool_mpd_use_cifs_action:testaction:1 + ocil:ssg-service_sssd_enabled_action:testaction:1 - - Limit Users' SSH Access + + Disable mutable hooks - ocil:ssg-sshd_limit_user_access_action:testaction:1 + ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1 - - Install OpenSSH client software + + Enable Use of Strict Mode Checking - ocil:ssg-package_openssh-clients_installed_action:testaction:1 + ocil:ssg-sshd_enable_strictmodes_action:testaction:1 - - Record Any Attempts to Run setfacl + + Configure the tmux Lock Command - ocil:ssg-audit_rules_execution_setfacl_action:testaction:1 + ocil:ssg-configure_tmux_lock_command_action:testaction:1 - - Enable the NTP Daemon + + Ensure auditd Collects Information on the Use of Privileged Commands - usermod - ocil:ssg-service_ntpd_enabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_usermod_action:testaction:1 - - Mount Remote Filesystems with nosuid + + Verify Permissions on cron.d - ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1 + ocil:ssg-file_permissions_cron_d_action:testaction:1 - - Disable the xen_use_nfs SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - at - ocil:ssg-sebool_xen_use_nfs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1 - - Verify ownership of Message of the Day Banner + + Record Events 
that Modify the System's Discretionary Access Controls - chmod - ocil:ssg-file_owner_etc_motd_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 - - Disable acquiring, saving, and processing core dumps + + Enable automatic signing of all modules - ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 + ocil:ssg-kernel_config_module_sig_all_action:testaction:1 - - Limit Password Reuse + + Install pam_pwquality Package - ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1 + ocil:ssg-package_pam_pwquality_installed_action:testaction:1 - - Verify that audit tools are owned by root + + Disable the mysql_connect_any SELinux Boolean - ocil:ssg-file_ownership_audit_binaries_action:testaction:1 + ocil:ssg-sebool_mysql_connect_any_action:testaction:1 - - Map System Users To The Appropriate SELinux Role + + Extend Audit Backlog Limit for the Audit Daemon - ocil:ssg-selinux_user_login_roles_action:testaction:1 + ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 - - Disable the ftpd_full_access SELinux Boolean + + Verify Root Has A Primary GID 0 - ocil:ssg-sebool_ftpd_full_access_action:testaction:1 - - - - Configure Response Mode of ARP Requests for All IPv4 Interfaces - - ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1 - - - - Disable the mysql_connect_any SELinux Boolean - - ocil:ssg-sebool_mysql_connect_any_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Record Successful Access Attempts to Files - creat + + Configure AIDE to Verify the Audit Tools - ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1 + ocil:ssg-aide_check_audit_tools_action:testaction:1 - - Account Lockouts Must Be Logged + + Disable the use_nfs_home_dirs SELinux Boolean - ocil:ssg-account_passwords_pam_faillock_audit_action:testaction:1 + ocil:ssg-sebool_use_nfs_home_dirs_action:testaction:1 - - Disable the httpd_sys_script_anon_write SELinux Boolean + + Enable 
rsyslog Service - ocil:ssg-sebool_httpd_sys_script_anon_write_action:testaction:1 + ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - Record Unsuccessful Delete Attempts to Files - unlink + + Record Successful Creation Attempts to Files - open O_TRUNC_WRITE - ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_o_trunc_write_action:testaction:1 - - Disable the pppd_can_insmod SELinux Boolean + + Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - ocil:ssg-sebool_pppd_can_insmod_action:testaction:1 + ocil:ssg-account_password_pam_faillock_system_auth_action:testaction:1 - - Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. + + Enable TCP/IP syncookie support - ocil:ssg-account_password_pam_faillock_password_auth_action:testaction:1 + ocil:ssg-kernel_config_syn_cookies_action:testaction:1 - - Set Interval For Counting Failed Password Attempts + + Verify /boot/grub2/user.cfg Permissions - ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1 + ocil:ssg-file_permissions_user_cfg_action:testaction:1 - - Ensure the Default Umask is Set Correctly For Interactive Users + + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC - ocil:ssg-accounts_umask_interactive_users_action:testaction:1 + ocil:ssg-sudo_add_noexec_action:testaction:1 - - Require Authentication for Emergency Systemd Target + + Configure The Number of Allowed Simultaneous Requests - ocil:ssg-require_emergency_target_auth_action:testaction:1 + ocil:ssg-httpd_configure_max_keepalive_requests_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + + Verify /boot/grub2/grub.cfg User Ownership - ocil:ssg-accounts_password_pam_retry_action:testaction:1 + ocil:ssg-file_owner_grub2_cfg_action:testaction:1 - - Record Successful Creation Attempts to 
Files - open O_TRUNC_WRITE + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_successful_file_modification_open_o_trunc_write_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Verify Owner on cron.weekly + + Configure the gluster_export_all_rw SELinux Boolean - ocil:ssg-file_owner_cron_weekly_action:testaction:1 + ocil:ssg-sebool_gluster_export_all_rw_action:testaction:1 - - Disable vsyscall emulation + + Install vim Package - ocil:ssg-kernel_config_legacy_vsyscall_emulate_action:testaction:1 + ocil:ssg-package_vim_installed_action:testaction:1 - - Disable the gluster_anon_write SELinux Boolean + + Disable IEEE 1394 (FireWire) Support - ocil:ssg-sebool_gluster_anon_write_action:testaction:1 + ocil:ssg-kernel_module_firewire-core_disabled_action:testaction:1 - - Disable the use_ecryptfs_home_dirs SELinux Boolean + + Disable the virt_transition_userdomain SELinux Boolean - ocil:ssg-sebool_use_ecryptfs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_transition_userdomain_action:testaction:1 - - Disable the lsmd_plugin_connect_any SELinux Boolean + + Verify Group Who Owns cron.hourly - ocil:ssg-sebool_lsmd_plugin_connect_any_action:testaction:1 + ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Ensure that User Home Directories are not Group-Writable or World-Readable - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-file_permissions_home_dirs_action:testaction:1 - - Disable the virt_transition_userdomain SELinux Boolean + + Disallow Configuration to Bypass Password Requirements for Privilege Escalation - ocil:ssg-sebool_virt_transition_userdomain_action:testaction:1 + ocil:ssg-disallow_bypass_password_sudo_action:testaction:1 - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo - 
ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 - - Configure audit according to OSPP requirements + + Configure Time Service Maxpoll Interval - ocil:ssg-audit_rules_for_ospp_action:testaction:1 + ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1 - - System Audit Directories Must Be Group Owned By Root + + Enable the nfs_export_all_ro SELinux Boolean - ocil:ssg-directory_group_ownership_var_log_audit_action:testaction:1 + ocil:ssg-sebool_nfs_export_all_ro_action:testaction:1 - - Record Attempts to perform maintenance activities + + Configure BIND to use System Crypto Policy - ocil:ssg-audit_sudo_log_events_action:testaction:1 + ocil:ssg-configure_bind_crypto_policy_action:testaction:1 - - Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config + + Uninstall abrt-addon-kerneloops Package - ocil:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy_action:testaction:1 + ocil:ssg-package_abrt-addon-kerneloops_removed_action:testaction:1 - - Lock Accounts Must Persist + + Disable the logging_syslogd_can_sendmail SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_dir_action:testaction:1 + ocil:ssg-sebool_logging_syslogd_can_sendmail_action:testaction:1 - - Extend Audit Backlog Limit for the Audit Daemon in zIPL + + Install the OpenSSH Server Package - ocil:ssg-zipl_audit_backlog_limit_argument_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Disable the httpd_can_network_connect_db SELinux Boolean + + Disable the virt_read_qemu_ga_data SELinux Boolean - ocil:ssg-sebool_httpd_can_network_connect_db_action:testaction:1 + ocil:ssg-sebool_virt_read_qemu_ga_data_action:testaction:1 - - Audit Configuration Files Permissions are 640 or More Restrictive + + Set Default iptables Policy for Incoming Packets - ocil:ssg-file_permissions_audit_configuration_action:testaction:1 + 
ocil:ssg-set_iptables_default_rule_action:testaction:1 - - Disable the logwatch_can_network_connect_mail SELinux Boolean + + The Installed Operating System Is Vendor Supported - ocil:ssg-sebool_logwatch_can_network_connect_mail_action:testaction:1 + ocil:ssg-installed_OS_is_vendor_supported_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - lremovexattr + + Audit Configuration Files Must Be Owned By Group root - ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_groupownership_audit_configuration_action:testaction:1 - - Record Attempts to Alter Logon and Logout Events - tallylog + + Disable Compression Or Set Compression to delayed - ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1 + ocil:ssg-sshd_disable_compression_action:testaction:1 - - Disable the glance_use_execmem SELinux Boolean + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-sebool_glance_use_execmem_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Configure auditing of unsuccessful ownership changes + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_owner_change_failed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Any Attempts to Run ssh-agent + + Disable the httpd_tty_comm SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_ssh_agent_action:testaction:1 + ocil:ssg-sebool_httpd_tty_comm_action:testaction:1 - - Disable the samba_share_nfs SELinux Boolean + + Record Unsuccessful Permission Changes to Files - setxattr - ocil:ssg-sebool_samba_share_nfs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + Account Lockouts Must Be Logged - ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 + 
ocil:ssg-account_passwords_pam_faillock_audit_action:testaction:1 - - Set Kernel Parameter to Increase Local Port Range + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-sysctl_net_ipv4_ip_local_port_range_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Disable the virt_use_nfs SELinux Boolean + + The robots.txt Files Must Not Exist - ocil:ssg-sebool_virt_use_nfs_action:testaction:1 + ocil:ssg-httpd_remove_robots_file_action:testaction:1 - - Emulate Privileged Access Never (PAN) + + Verify User Who Owns group File - ocil:ssg-kernel_config_arm64_sw_ttbr0_pan_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Enable Auditing to Start Prior to the Audit Daemon in zIPL - ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 + ocil:ssg-zipl_audit_argument_action:testaction:1 - - Disable support for /proc/kkcore + + Enable the NTP Daemon - ocil:ssg-kernel_config_proc_kcore_action:testaction:1 + ocil:ssg-service_ntpd_enabled_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - removexattr + + Record Any Attempts to Run chcon - ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_execution_chcon_action:testaction:1 - - Disable the ssh_keysign SELinux Boolean + + Remove User Host-Based Authentication Files - ocil:ssg-sebool_ssh_keysign_action:testaction:1 + ocil:ssg-no_user_host_based_files_action:testaction:1 - - Record Attempts to Alter Logon and Logout Events - lastlog + + Disable LDAP Server (slapd) - ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1 + ocil:ssg-service_slapd_disabled_action:testaction:1 - - Disable the zebra_write_config SELinux Boolean + + Disable the fenced_can_network_connect SELinux Boolean - ocil:ssg-sebool_zebra_write_config_action:testaction:1 + 
ocil:ssg-sebool_fenced_can_network_connect_action:testaction:1 - - Disable rsh Service + + User Initialization Files Must Not Run World-Writable Programs - ocil:ssg-service_rsh_disabled_action:testaction:1 + ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1 - - Configure PAM in SSSD Services + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr - ocil:ssg-sssd_enable_pam_services_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 - - Disable the mock_enable_homedirs SELinux Boolean + + Ensure syslog-ng is Installed - ocil:ssg-sebool_mock_enable_homedirs_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Disable ATM Support + + Ensure that Root's Path Does Not Include World or Group-Writable Directories - ocil:ssg-kernel_module_atm_disabled_action:testaction:1 + ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 - - Disable the GNOME3 Login User List + + Map System Users To The Appropriate SELinux Role - ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1 + ocil:ssg-selinux_user_login_roles_action:testaction:1 - - Uninstall abrt-plugin-logger Package + + Disable the httpd_unified SELinux Boolean - ocil:ssg-package_abrt-plugin-logger_removed_action:testaction:1 + ocil:ssg-sebool_httpd_unified_action:testaction:1 - - Disable the httpd_anon_write SELinux Boolean + + Disable the mmap_low_allowed SELinux Boolean - ocil:ssg-sebool_httpd_anon_write_action:testaction:1 + ocil:ssg-sebool_mmap_low_allowed_action:testaction:1 - - Disable the 32-bit vDSO + + Ensure invoking users password for privilege escalation when using sudo - ocil:ssg-kernel_config_compat_vdso_action:testaction:1 + ocil:ssg-sudoers_validate_passwd_action:testaction:1 - - Verify /boot/efi/EFI/redhat/user.cfg Permissions + + Force opensc To Use Defined Smart Card Driver - ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1 + 
ocil:ssg-force_opensc_card_drivers_action:testaction:1 - - Restrict Virtual Console Root Logins + + Verify ownership of System Login Banner for Remote Connections - ocil:ssg-securetty_root_login_console_only_action:testaction:1 + ocil:ssg-file_owner_etc_issue_net_action:testaction:1 - - Record Any Attempts to Run restorecon + + Verify Group Who Owns /etc/cron.allow file - ocil:ssg-audit_rules_execution_restorecon_action:testaction:1 + ocil:ssg-file_groupowner_cron_allow_action:testaction:1 - - Restrict usage of ptrace to descendant processes + + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE - ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1 - - Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config + + Disable the openvpn_enable_homedirs SELinux Boolean - ocil:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy_action:testaction:1 + ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1 - - Remove .java And .jpp Files + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow - ocil:ssg-httpd_limit_java_files_action:testaction:1 + ocil:ssg-audit_rules_etc_shadow_openat_action:testaction:1 - - Enable the pcscd Service + + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces - ocil:ssg-service_pcscd_enabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_forwarding_action:testaction:1 - - Enforce pam_faillock for Local Accounts Only + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_enforce_local_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty + + Configure auditd admin_space_left on Low Disk Space - ocil:ssg-sudo_add_use_pty_action:testaction:1 + ocil:ssg-auditd_data_retention_admin_space_left_percentage_action:testaction:1 - - 
Enable support for BUG() + + Disable compatibility with brk() - ocil:ssg-kernel_config_bug_action:testaction:1 + ocil:ssg-kernel_config_compat_brk_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - umount + + Uninstall vsftpd Package - ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1 + ocil:ssg-package_vsftpd_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + + Record Unsuccessful Permission Changes to Files - lremovexattr - ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1 - - Disable the selinuxuser_execheap SELinux Boolean + + Disable SSH Server If Possible - ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1 + ocil:ssg-service_sshd_disabled_action:testaction:1 - - Disable IPv6 Addressing on All IPv6 Interfaces + + Ensure /var Located On Separate Partition - ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1 + ocil:ssg-partition_for_var_action:testaction:1 - - Ensure iptables Firewall Rules Exist for All Open Ports + + Ensure SELinux Not Disabled in the kernel arguments - ocil:ssg-iptables_rules_for_open_ports_action:testaction:1 + ocil:ssg-coreos_enable_selinux_kernel_argument_action:testaction:1 - - Enable systemd-journald Service + + Enable SLUB/SLAB allocator poisoning - ocil:ssg-service_systemd-journald_enabled_action:testaction:1 + ocil:ssg-grub2_slub_debug_argument_action:testaction:1 - - Configure firewall to Allow Access to the Web Server + + Disable the gluster_anon_write SELinux Boolean - ocil:ssg-httpd_configure_firewall_action:testaction:1 + ocil:ssg-sebool_gluster_anon_write_action:testaction:1 - - Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - 
ocil:ssg-sudo_add_requiretty_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + All User Files and Directories In The Home Directory Must Have a Valid Owner - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-accounts_users_home_files_ownership_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_CREAT + + Disable the httpd_can_network_memcache SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_memcache_action:testaction:1 - - Enforce Spectre v2 mitigation + + Disable the piranha_lvs_can_network_connect SELinux Boolean - ocil:ssg-grub2_spectre_v2_argument_action:testaction:1 + ocil:ssg-sebool_piranha_lvs_can_network_connect_action:testaction:1 - - Install pam_pwquality Package + + Ensure LDAP client is not installed - ocil:ssg-package_pam_pwquality_installed_action:testaction:1 + ocil:ssg-package_openldap-clients_removed_action:testaction:1 - - Configure System Cryptography Policy + + Enable the selinuxuser_execmod SELinux Boolean - ocil:ssg-configure_crypto_policy_action:testaction:1 + ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1 - - Disable the smbd_anon_write SELinux Boolean + + Disable the xguest_exec_content SELinux Boolean - ocil:ssg-sebool_smbd_anon_write_action:testaction:1 + ocil:ssg-sebool_xguest_exec_content_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Screensaver Settings + + Ensure PAM password complexity module is enabled in password-auth - ocil:ssg-dconf_gnome_screensaver_user_locks_action:testaction:1 + ocil:ssg-accounts_password_pam_pwquality_password_auth_action:testaction:1 - - Uninstall pigz Package + + Use Centralized and Automated Authentication - ocil:ssg-package_pigz_removed_action:testaction:1 + ocil:ssg-account_use_centralized_automated_auth_action:testaction:1 - - Disable SSH root Login with a Password (Insecure) + + Configure System 
Cryptography Policy - ocil:ssg-sshd_disable_root_password_login_action:testaction:1 + ocil:ssg-configure_crypto_policy_action:testaction:1 - - Disable the httpd_can_network_memcache SELinux Boolean + + Configure auditing of unsuccessful ownership changes - ocil:ssg-sebool_httpd_can_network_memcache_action:testaction:1 + ocil:ssg-audit_owner_change_failed_action:testaction:1 - - Enable the GNOME3 Screen Locking On Smartcard Removal + + Ensure PAM Enforces Password Requirements - Minimum Digit Characters - ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 + ocil:ssg-accounts_password_pam_dcredit_action:testaction:1 - - Disable the zarafa_setrlimit SELinux Boolean + + All Interactive User Home Directories Must Have mode 0750 Or Less Permissive - ocil:ssg-sebool_zarafa_setrlimit_action:testaction:1 + ocil:ssg-file_permissions_home_directories_action:testaction:1 - - Verify that Shared Library Directories Have Restrictive Permissions + + Record Unsuccessful Permission Changes to Files - fchmodat - ocil:ssg-dir_permissions_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fchmod + + Add noexec Option to /tmp - ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 + ocil:ssg-mount_option_tmp_noexec_action:testaction:1 - - Verify the UEFI Boot Loader grub.cfg Permissions + + Enable nails Service - ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1 + ocil:ssg-service_nails_enabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Attempts to Alter Logon and Logout Events - tallylog - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1 - - Verify Permissions on /var/log/messages File + + Record Events that Modify User/Group Information via 
openat syscall - /etc/gshadow - ocil:ssg-file_permissions_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_etc_gshadow_openat_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fremovexattr + + Disable the ftpd_use_cifs SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1 + ocil:ssg-sebool_ftpd_use_cifs_action:testaction:1 - - Configure the root Account for Failed Password Attempts + + Disable the xdm_exec_bootloader SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1 + ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1 - - Install Intrusion Detection Software + + Generate some entropy during boot and runtime - ocil:ssg-install_hids_action:testaction:1 + ocil:ssg-kernel_config_gcc_plugin_latent_entropy_action:testaction:1 - - Configure auditd admin_space_left Action on Low Disk Space + + Ensure IPv6 is disabled through kernel boot parameter - ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1 + ocil:ssg-grub2_ipv6_disable_argument_action:testaction:1 - - Verify that System Executables Have Restrictive Permissions + + Uninstall abrt-plugin-rhtsupport Package - ocil:ssg-file_permissions_binary_dirs_action:testaction:1 + ocil:ssg-package_abrt-plugin-rhtsupport_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + + Enable Public Key Authentication - ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1 + ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1 - - Install audispd-plugins Package + + Ensure Users Cannot Change GNOME3 Session Idle Settings - ocil:ssg-package_audispd-plugins_installed_action:testaction:1 + ocil:ssg-dconf_gnome_session_idle_user_locks_action:testaction:1 - - Ensure SELinux State is Enforcing + + System Audit Directories Must Be Owned By Root - ocil:ssg-selinux_state_action:testaction:1 + 
ocil:ssg-directory_ownership_var_log_audit_action:testaction:1 - - Disable merging of slabs with similar size + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module - ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1 - - Account Lockouts Must Be Logged + + Disable the condor_tcp_network_connect SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_audit_action:testaction:1 + ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1 - - Harden the operation of the BPF just-in-time compiler + + Set the UEFI Boot Loader Admin Username to a Non-Default Value - ocil:ssg-sysctl_net_core_bpf_jit_harden_action:testaction:1 + ocil:ssg-grub2_uefi_admin_username_action:testaction:1 - - Verify /boot/grub2/user.cfg Group Ownership + + Uninstall net-snmp Package - ocil:ssg-file_groupowner_user_cfg_action:testaction:1 + ocil:ssg-package_net-snmp_removed_action:testaction:1 - - Disable the puppetagent_manage_all_files SELinux Boolean + + Verify /boot/grub2/grub.cfg Permissions - ocil:ssg-sebool_puppetagent_manage_all_files_action:testaction:1 + ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 - - Verify Group Who Owns Backup shadow File + + Disable the icecast_use_any_tcp_ports SELinux Boolean - ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1 + ocil:ssg-sebool_icecast_use_any_tcp_ports_action:testaction:1 - - Disable the httpd_can_connect_mythtv SELinux Boolean + + Force kernel panic on uncorrected MCEs - ocil:ssg-sebool_httpd_can_connect_mythtv_action:testaction:1 + ocil:ssg-grub2_mce_argument_action:testaction:1 - - Enable logrotate Timer + + The mailx Package Is Installed - ocil:ssg-timer_logrotate_enabled_action:testaction:1 + ocil:ssg-package_mailx_installed_action:testaction:1 - - Configure System to Forward All Mail From Postmaster to The Root Account + + Record Successful Access Attempts to Files - ftruncate - 
ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1 - - Enable checks on linked list manipulation + + Ensure there are no legacy + NIS entries in /etc/shadow - ocil:ssg-kernel_config_debug_list_action:testaction:1 + ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1 - - Disable the tmpreaper_use_samba SELinux Boolean + + Disable the authlogin_radius SELinux Boolean - ocil:ssg-sebool_tmpreaper_use_samba_action:testaction:1 + ocil:ssg-sebool_authlogin_radius_action:testaction:1 - - Disable the pppd_for_user SELinux Boolean + + Disable vsyscalls in zIPL - ocil:ssg-sebool_pppd_for_user_action:testaction:1 + ocil:ssg-zipl_vsyscall_argument_action:testaction:1 - - Disable the gitosis_can_sendmail SELinux Boolean + + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters - ocil:ssg-sebool_gitosis_can_sendmail_action:testaction:1 + ocil:ssg-accounts_password_pam_ucredit_action:testaction:1 - - Disable the IPv6 protocol + + Unmap kernel when running in userspace (aka KAISER) - ocil:ssg-kernel_config_ipv6_action:testaction:1 + ocil:ssg-kernel_config_unmap_kernel_at_el0_action:testaction:1 - - Disable SSH Root Login + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-sshd_disable_root_login_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Audit Tools Must Be Group-owned by Root + + Configure the root Account for Failed Password Attempts - ocil:ssg-file_audit_tools_group_ownership_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Disable kernel debugfs - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-kernel_config_debug_fs_action:testaction:1 - - Verify that audit tools Have Mode 0755 or less + + Record Events that Modify User/Group Information via 
open_by_handle_at syscall - /etc/passwd - ocil:ssg-file_permissions_audit_binaries_action:testaction:1 + ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1 - - Configure low address space to protect from user allocation + + Verify Permissions on cron.weekly - ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1 + ocil:ssg-file_permissions_cron_weekly_action:testaction:1 - - The robots.txt Files Must Not Exist + + Disable the httpd_use_cifs SELinux Boolean - ocil:ssg-httpd_remove_robots_file_action:testaction:1 + ocil:ssg-sebool_httpd_use_cifs_action:testaction:1 - - Verify Permissions on cron.hourly + + Restrict Serial Port Root Logins - ocil:ssg-file_permissions_cron_hourly_action:testaction:1 + ocil:ssg-restrict_serial_port_logins_action:testaction:1 - - Record Successful Permission Changes to Files - fchmod + + Add noexec Option to Removable Media Partitions - ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1 + ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1 - - Set LogLevel to INFO + + Enable the unconfined_login SELinux Boolean - ocil:ssg-sshd_set_loglevel_info_action:testaction:1 + ocil:ssg-sebool_unconfined_login_action:testaction:1 - - Install iptables-services Package + + Install tar Package - ocil:ssg-package_iptables-services_installed_action:testaction:1 + ocil:ssg-package_tar_installed_action:testaction:1 - - Ensure rsyslog-gnutls is installed + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-package_rsyslog-gnutls_installed_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - SSSD Has a Correct Trust Anchor + + Record Any Attempts to Run semanage - ocil:ssg-sssd_has_trust_anchor_action:testaction:1 + ocil:ssg-audit_rules_execution_semanage_action:testaction:1 - - Disable vsftpd Service + + Enable the sysadm_exec_content SELinux Boolean - ocil:ssg-service_vsftpd_disabled_action:testaction:1 + ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 
- - Disable vsyscalls in zIPL + + Configure A Valid Server Certificate - ocil:ssg-zipl_vsyscall_argument_action:testaction:1 + ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1 - - Backup interactive scripts on the production web server are prohibited + + Uninstall gssproxy Package - ocil:ssg-httpd_remove_backups_action:testaction:1 + ocil:ssg-package_gssproxy_removed_action:testaction:1 - - Configure kernel to trust the CPU random number generator + + A remote time server for Chrony is configured - ocil:ssg-grub2_kernel_trust_cpu_rng_action:testaction:1 + ocil:ssg-chronyd_specify_remote_server_action:testaction:1 - - Install the Asset Configuration Compliance Module (ACCM) + + Require Client Certificates - ocil:ssg-install_mcafee_hbss_accm_action:testaction:1 + ocil:ssg-httpd_require_client_certs_action:testaction:1 - - Disable the tftp_home_dir SELinux Boolean + + Disable the nagios_run_pnp4nagios SELinux Boolean - ocil:ssg-sebool_tftp_home_dir_action:testaction:1 + ocil:ssg-sebool_nagios_run_pnp4nagios_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - openat O_CREAT + + Remove NIS Client - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1 + ocil:ssg-package_ypbind_removed_action:testaction:1 - - Disable named Service + + Record Successful Ownership Changes to Files - chown - ocil:ssg-service_named_disabled_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_chown_action:testaction:1 - - Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT + + Set Password Warning Age - ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 - - Ensure Web Content Located on Separate partition + + Verify Owner on cron.d - ocil:ssg-partition_for_web_content_action:testaction:1 + ocil:ssg-file_owner_cron_d_action:testaction:1 - - Ensure auditd Collects Information 
on the Use of Privileged Commands - chsh + + Disable the xserver_object_manager SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 + ocil:ssg-sebool_xserver_object_manager_action:testaction:1 - - Verify Permissions on crontab + + Disable the polipo_connect_all_unreserved SELinux Boolean - ocil:ssg-file_permissions_crontab_action:testaction:1 + ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1 - - Verify Permissions on /var/log/syslog File + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - ocil:ssg-file_permissions_var_log_syslog_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 - - Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. + + Remove tftp Daemon - ocil:ssg-account_password_pam_faillock_system_auth_action:testaction:1 + ocil:ssg-package_tftp_removed_action:testaction:1 - - The Chronyd service is enabled + + Record Successful Permission Changes to Files - fremovexattr - ocil:ssg-service_chronyd_enabled_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fremovexattr_action:testaction:1 - - System Audit Logs Must Be Owned By Root + + Verify firewalld Enabled - ocil:ssg-file_ownership_var_log_audit_action:testaction:1 + ocil:ssg-service_firewalld_enabled_action:testaction:1 - - Configure AIDE to Verify the Audit Tools + + Disable the httpd_use_nfs SELinux Boolean - ocil:ssg-aide_check_audit_tools_action:testaction:1 + ocil:ssg-sebool_httpd_use_nfs_action:testaction:1 - - Ensure /var/tmp Located On Separate Partition + + Install the Host Intrusion Prevention System (HIPS) Module - ocil:ssg-partition_for_var_tmp_action:testaction:1 + ocil:ssg-package_MFEhiplsm_installed_action:testaction:1 - - Verify Any Configured IPSec Tunnel Connections + + Disable chrony daemon from acting as server - ocil:ssg-libreswan_approved_tunnels_action:testaction:1 + 
ocil:ssg-chronyd_client_only_action:testaction:1 - - Record Successful Permission Changes to Files - lremovexattr + + Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_lremovexattr_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1 - - Disable ypserv Service + + Verify Permissions on /var/log/syslog File - ocil:ssg-service_ypserv_disabled_action:testaction:1 + ocil:ssg-file_permissions_var_log_syslog_action:testaction:1 - - Ensure that Users Path Contains Only Local Directories + + Remove Host-Based Authentication Files - ocil:ssg-accounts_user_home_paths_only_action:testaction:1 + ocil:ssg-no_host_based_files_action:testaction:1 - - Limit Password Reuse: system-auth + + Configure SSSD LDAP Backend to Use TLS For All Transactions - ocil:ssg-accounts_password_pam_pwhistory_remember_system_auth_action:testaction:1 + ocil:ssg-sssd_ldap_start_tls_action:testaction:1 - - Disable chrony daemon from acting as server + + Uninstall setroubleshoot-server Package - ocil:ssg-chronyd_client_only_action:testaction:1 + ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1 - - Disable GSSAPI Authentication + + Ensure SELinux Not Disabled in zIPL - ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1 + ocil:ssg-zipl_enable_selinux_action:testaction:1 - - Stack Protector buffer overlow detection + + Configure auditd to use audispd's syslog plugin - ocil:ssg-kernel_config_stackprotector_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the httpd_can_sendmail SELinux Boolean + + Use Only FIPS 140-2 Validated Ciphers - ocil:ssg-sebool_httpd_can_sendmail_action:testaction:1 + ocil:ssg-sshd_use_approved_ciphers_action:testaction:1 - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Ensure Logrotate Runs Periodically - 
ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo_action:testaction:1 + ocil:ssg-ensure_logrotate_activated_action:testaction:1 - - Limit CPU consumption of the Perf system + + Enable different security models - ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 + ocil:ssg-kernel_config_security_action:testaction:1 - - Set Default firewalld Zone for Incoming Packets + + Ensure sudo umask is appropriate - sudo umask - ocil:ssg-set_firewalld_default_zone_action:testaction:1 + ocil:ssg-sudo_add_umask_action:testaction:1 - - Enable the mount_anyfile SELinux Boolean + + Ensure the audit Subsystem is Installed - ocil:ssg-sebool_mount_anyfile_action:testaction:1 + ocil:ssg-package_audit_installed_action:testaction:1 - - Record Attempts to Alter the localtime File + + Remove the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_removed_action:testaction:1 - - Disable the ssh_sysadm_login SELinux Boolean + + Disable the uvcvideo module - ocil:ssg-sebool_ssh_sysadm_login_action:testaction:1 + ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1 
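Review bot: this hunk is a pure reordering of the OCIL questionnaire entries (title plus `ocil:ssg-…:testaction:1` reference) rather than a content change, so the publish job should emit these elements in a stable order (for example sorted by id) before committing; otherwise every automated publish produces a six-figure-line diff in which a real rule change is impossible to spot. The same pairs appear on both sides of the hunk: `ssg-sebool_logwatch_can_network_connect_mail` is removed at the top and re-added at the bottom, `ssg-accounts_passwords_pam_faillock_audit` is added at the top and removed lower down, and `ssg-chronyd_client_only`, `ssg-file_permissions_var_log_syslog` and `ssg-configure_crypto_policy` are each removed and re-added a few entries apart. Two smaller points visible in the removed lines, which this reorder only moves elsewhere in the file and which should be fixed in the source rule metadata instead: the titles "Disable support for /proc/kkcore" (should read `/proc/kcore`) and "Stack Protector buffer overlow detection" (should read "overflow"), and the entry titled "Verify Group Who Owns Backup shadow File" is paired with `ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1`, so either the title should say "User" or the reference should point at the group-ownership test action.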
@@ -350537,862 +350543,862 @@ which the system will be deployed as closely as possible.ocil:ssg-audit_rules_unsuccessful_file_modification_rename_action:testaction:1 - - Record Events When Executables Are Run As Another User + + Enable the gssd_read_tmp SELinux Boolean - ocil:ssg-audit_rules_suid_auid_privilege_function_action:testaction:1 + ocil:ssg-sebool_gssd_read_tmp_action:testaction:1 - - Disable Red Hat Network Service (rhnsd) + + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate - ocil:ssg-service_rhnsd_disabled_action:testaction:1 + ocil:ssg-sudo_remove_no_authenticate_action:testaction:1 - - Disable the samba_export_all_ro SELinux Boolean + + Uninstall ypserv Package - ocil:ssg-sebool_samba_export_all_ro_action:testaction:1 + ocil:ssg-package_ypserv_removed_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - setxattr + + Add hidepid Option to /proc - ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1 + ocil:ssg-mount_option_proc_hidepid_action:testaction:1 - - Disable the httpd_enable_ftp_server SELinux Boolean + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-sebool_httpd_enable_ftp_server_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Special Characters + + Disable the logging_syslogd_run_nagios_plugins SELinux Boolean - ocil:ssg-accounts_password_pam_ocredit_action:testaction:1 + ocil:ssg-sebool_logging_syslogd_run_nagios_plugins_action:testaction:1 - - Generate some entropy during boot and runtime + + Enable support for BUG() - ocil:ssg-kernel_config_gcc_plugin_latent_entropy_action:testaction:1 + ocil:ssg-kernel_config_bug_action:testaction:1 - - Ensure Rsyslog Authenticates Off-Loaded Audit Records + + Add nosuid Option to /boot/efi - ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action:testaction:1 + 
ocil:ssg-mount_option_boot_efi_nosuid_action:testaction:1 - - Configure auditd Disk Full Action when Disk Space Is Full + + Ensure auditd Collects Information on the Use of Privileged Commands - passwd - ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 - - Configure Auto Configuration on All IPv6 Interfaces + + Verify ownership of System Login Banner - ocil:ssg-sysctl_net_ipv6_conf_all_autoconf_action:testaction:1 + ocil:ssg-file_owner_etc_issue_action:testaction:1 - - Disable Apache Qpid (qpidd) + + Verify Permissions on Backup group File - ocil:ssg-service_qpidd_disabled_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - Disable Cockpit Management Server + + Add noexec Option to /boot - ocil:ssg-service_cockpit_disabled_action:testaction:1 + ocil:ssg-mount_option_boot_noexec_action:testaction:1 - - Uninstall telnet-server Package + + Record Events that Modify User/Group Information - ocil:ssg-package_telnet-server_removed_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 - - Configure the tmux lock session key binding + + Add grpquota Option to /home - ocil:ssg-configure_tmux_lock_keybinding_action:testaction:1 + ocil:ssg-mount_option_home_grpquota_action:testaction:1 - - Ensure that User Home Directories are not Group-Writable or World-Readable + + Record Events that Modify the System's Mandatory Access Controls - ocil:ssg-file_permissions_home_dirs_action:testaction:1 + ocil:ssg-audit_rules_mac_modification_action:testaction:1 - - User a virtually-mapped stack + + Configure Multiple DNS Servers in /etc/resolv.conf - ocil:ssg-kernel_config_vmap_stack_action:testaction:1 + ocil:ssg-network_configure_name_resolution_action:testaction:1 - - Disable CPU Speed (cpupower) + + Disable the httpd_run_preupgrade SELinux Boolean - ocil:ssg-service_cpupower_disabled_action:testaction:1 + 
ocil:ssg-sebool_httpd_run_preupgrade_action:testaction:1 - - Ensure No Device Files are Unlabeled by SELinux + + Enable checks on linked list manipulation - ocil:ssg-selinux_all_devicefiles_labeled_action:testaction:1 + ocil:ssg-kernel_config_debug_list_action:testaction:1 - - Verify User Who Owns group File + + Enable the mcelog_exec_scripts SELinux Boolean - ocil:ssg-file_owner_etc_group_action:testaction:1 + ocil:ssg-sebool_mcelog_exec_scripts_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Configure HTTP PERL Scripts To Use TAINT Option - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-httpd_configure_perl_taint_action:testaction:1 - - Uninstall DHCP Server Package + + Configure SSSD's Memory Cache to Expire - ocil:ssg-package_dhcp_removed_action:testaction:1 + ocil:ssg-sssd_memcache_timeout_action:testaction:1 - - Enable Kernel Page-Table Isolation (KPTI) + + Enforce Usage of pam_wheel with Group Parameter for su Authentication - ocil:ssg-grub2_pti_argument_action:testaction:1 + ocil:ssg-use_pam_wheel_group_for_su_action:testaction:1 - - Install libcap-ng-utils Package + + Uninstall abrt-plugin-logger Package - ocil:ssg-package_libcap-ng-utils_installed_action:testaction:1 + ocil:ssg-package_abrt-plugin-logger_removed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1 - - Disable Red Hat Subscription Manager Daemon (rhsmcertd) + + Ensure All Files Are Owned by a Group - ocil:ssg-service_rhsmcertd_disabled_action:testaction:1 + ocil:ssg-file_permissions_ungroupowned_action:testaction:1 - - Verify Permissions on gshadow File + + Set SSH Client Alive Interval - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + 
ocil:ssg-sshd_set_idle_timeout_action:testaction:1 - - Disable Squid + + Assign Expiration Date to Emergency Accounts - ocil:ssg-service_squid_disabled_action:testaction:1 + ocil:ssg-account_emergency_expire_date_action:testaction:1 - - Ensure SELinux Not Disabled in /etc/default/grub + + Disable Network File System (nfs) - ocil:ssg-grub2_enable_selinux_action:testaction:1 + ocil:ssg-service_nfs_disabled_action:testaction:1 - - Disable the httpd_execmem SELinux Boolean + + Uninstall avahi-autoipd Server Package - ocil:ssg-sebool_httpd_execmem_action:testaction:1 + ocil:ssg-package_avahi-autoipd_removed_action:testaction:1 - - Record Successful Ownership Changes to Files - fchown + + Remove the Kerberos Server Package - ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1 + ocil:ssg-package_krb5-server_removed_action:testaction:1 - - Verify User Who Owns Backup gshadow File + + Record Events that Modify User/Group Information via open syscall - /etc/shadow - ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1 - - Verify Group Who Owns cron.monthly + + Lock Accounts Must Persist - ocil:ssg-file_groupowner_cron_monthly_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_dir_action:testaction:1 - - Record Unsuccessful Delete Attempts to Files - renameat + + Configure audispd Plugin To Send Logs To Remote Server - ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1 + ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1 - - Verify Owner on cron.d + + Configure TLS for rsyslog remote logging - ocil:ssg-file_owner_cron_d_action:testaction:1 + ocil:ssg-rsyslog_remote_tls_action:testaction:1 - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean - ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1 + 
ocil:ssg-sebool_httpd_mod_auth_ntlm_winbind_action:testaction:1 - - Verify Permissions on cron.monthly + + Verify Permissions on /var/log/messages File - ocil:ssg-file_permissions_cron_monthly_action:testaction:1 + ocil:ssg-file_permissions_var_log_messages_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Ensure auditd Collects File Deletion Events by User - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_action:testaction:1 - - Each Web Content Directory Must Contain An index.html File + + Install fapolicyd Package - ocil:ssg-httpd_configure_documentroot_action:testaction:1 + ocil:ssg-package_fapolicyd_installed_action:testaction:1 - - Disable the virt_sandbox_use_mknod SELinux Boolean + + Disable SSH Root Login - ocil:ssg-sebool_virt_sandbox_use_mknod_action:testaction:1 + ocil:ssg-sshd_disable_root_login_action:testaction:1 - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Configure firewall to Allow Access to the Web Server - ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr_action:testaction:1 + ocil:ssg-httpd_configure_firewall_action:testaction:1 - - Disable the selinuxuser_rw_noexattrfile SELinux Boolean + + Uninstall iprutils Package - ocil:ssg-sebool_selinuxuser_rw_noexattrfile_action:testaction:1 + ocil:ssg-package_iprutils_removed_action:testaction:1 - - Disable Accepting Packets Routed Between Local Interfaces + + Ensure auditd Collects Information on the Use of Privileged Commands - postqueue - ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1 - - Add nodev Option to /var + + Verify File Hashes with RPM - ocil:ssg-mount_option_var_nodev_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Disable loading and unloading of kernel modules + + Set Interactive Session Timeout - 
ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1 + ocil:ssg-accounts_tmout_action:testaction:1 - - Ensure PAM password complexity module is enabled in system-auth + + Configure a Sufficiently Large Partition for Audit Logs - ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1 + ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1 - - Restrict unprivileged access to the kernel syslog + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - ocil:ssg-kernel_config_security_dmesg_restrict_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Disable the selinuxuser_share_music SELinux Boolean - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sebool_selinuxuser_share_music_action:testaction:1 - - Enable checks on credential management + + Disable the dhcpd_use_ldap SELinux Boolean - ocil:ssg-kernel_config_debug_credentials_action:testaction:1 + ocil:ssg-sebool_dhcpd_use_ldap_action:testaction:1 - - Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Uninstall abrt-addon-ccpp Package - ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 + ocil:ssg-package_abrt-addon-ccpp_removed_action:testaction:1 - - Disable graphical user interface + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-xwindows_remove_packages_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Verify User Who Owns /var/log/syslog File + + Uninstall squid Package - ocil:ssg-file_owner_var_log_syslog_action:testaction:1 + ocil:ssg-package_squid_removed_action:testaction:1 - - Disable the httpd_tmp_exec SELinux Boolean + + Disable the logwatch_can_network_connect_mail SELinux Boolean - ocil:ssg-sebool_httpd_tmp_exec_action:testaction:1 + ocil:ssg-sebool_logwatch_can_network_connect_mail_action:testaction:1 - - Record Events that 
Modify the System's Discretionary Access Controls - setxattr + + Enable dnf-automatic Timer - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1 - - Enable the dbadm_exec_content SELinux Boolean + + Modify the System Login Banner - ocil:ssg-sebool_dbadm_exec_content_action:testaction:1 + ocil:ssg-banner_etc_issue_action:testaction:1 - - Ensure All World-Writable Directories Are Group Owned by a System Account + + Install dnf-automatic Package - ocil:ssg-dir_perms_world_writable_system_owned_group_action:testaction:1 + ocil:ssg-package_dnf-automatic_installed_action:testaction:1 - - Disable Kernel cfg80211 Module + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-kernel_module_cfg80211_disabled_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Disable the git_cgi_use_nfs SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr - ocil:ssg-sebool_git_cgi_use_nfs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + Record Unsuccessful Ownership Changes to Files - fchownat - ocil:ssg-sudo_add_passwd_timeout_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1 - - Configure Accepting Router Advertisements on All IPv6 Interfaces + + Restrict Virtual Console Root Logins - ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1 + ocil:ssg-securetty_root_login_console_only_action:testaction:1 - - Ensure gpgcheck Enabled for All yum Package Repositories + + Configure auditd space_left on Low Disk Space - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1 - - Record Any Attempts to Run chacl + + Configure auditd Disk Full Action when Disk Space Is Full - 
ocil:ssg-audit_rules_execution_chacl_action:testaction:1 + ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1 - - Use Centralized and Automated Authentication + + Enable the nscd_use_shm SELinux Boolean - ocil:ssg-account_use_centralized_automated_auth_action:testaction:1 + ocil:ssg-sebool_nscd_use_shm_action:testaction:1 - - Uninstall libreport-plugin-logger Package + + Set Permissions on the /etc/httpd/conf/ Directory - ocil:ssg-package_libreport-plugin-logger_removed_action:testaction:1 + ocil:ssg-dir_perms_etc_httpd_conf_action:testaction:1 - - Install the ntp service + + Disable the virt_use_rawip SELinux Boolean - ocil:ssg-package_ntp_installed_action:testaction:1 + ocil:ssg-sebool_virt_use_rawip_action:testaction:1 - - Disable the rsync_export_all_ro SELinux Boolean + + Record Events that Modify User/Group Information via openat syscall - /etc/group - ocil:ssg-sebool_rsync_export_all_ro_action:testaction:1 + ocil:ssg-audit_rules_etc_group_openat_action:testaction:1 - - Disallow magic SysRq key + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown - ocil:ssg-sysctl_kernel_sysrq_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1 - - All Interactive User Home Directories Must Be Group-Owned By The Primary Group + + Configure audit according to OSPP requirements - ocil:ssg-file_groupownership_home_directories_action:testaction:1 + ocil:ssg-audit_rules_for_ospp_action:testaction:1 - - Install crypto-policies package + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-package_crypto-policies_installed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable nails Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_nails_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable the fenced_can_network_connect SELinux 
Boolean + + Ensure gpgcheck Enabled for Repository Metadata - ocil:ssg-sebool_fenced_can_network_connect_action:testaction:1 + ocil:ssg-ensure_gpgcheck_repo_metadata_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Length + + Require modules to be validly signed - ocil:ssg-accounts_password_pam_minlen_action:testaction:1 + ocil:ssg-kernel_config_module_sig_force_action:testaction:1 - - Record Successful Permission Changes to Files - removexattr + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap - ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1 - - Disable the sanlock_use_nfs SELinux Boolean + + SSSD Has a Correct Trust Anchor - ocil:ssg-sebool_sanlock_use_nfs_action:testaction:1 + ocil:ssg-sssd_has_trust_anchor_action:testaction:1 - - Disable the zoneminder_anon_write SELinux Boolean + + Disable the virt_use_usb SELinux Boolean - ocil:ssg-sebool_zoneminder_anon_write_action:testaction:1 + ocil:ssg-sebool_virt_use_usb_action:testaction:1 - - Enable the httpd_graceful_shutdown SELinux Boolean + + Limit Password Reuse - ocil:ssg-sebool_httpd_graceful_shutdown_action:testaction:1 + ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1 - - Configure the httpd_enable_cgi SELinux Boolean + + Uninstall DHCP Server Package - ocil:ssg-sebool_httpd_enable_cgi_action:testaction:1 + ocil:ssg-package_dhcp_removed_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/shadow + + Disable the httpd_dbus_avahi SELinux Boolean - ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 + ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1 - - Configure session renegotiation for SSH client + + Disable the selinuxuser_execheap SELinux Boolean - ocil:ssg-ssh_client_rekey_limit_action:testaction:1 + ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1 - - Ensure SMEP is 
not disabled during boot + + Verify Group Who Owns Backup shadow File - ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1 + ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1 - - Add noexec Option to /home + + Disable the use of user namespaces - ocil:ssg-mount_option_home_noexec_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Write Audit Logs to the Disk - ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 + ocil:ssg-auditd_write_logs_action:testaction:1 - - Disable the postgresql_selinux_transmit_client_label SELinux Boolean + + Enable the spamd_enable_home_dirs SELinux Boolean - ocil:ssg-sebool_postgresql_selinux_transmit_client_label_action:testaction:1 + ocil:ssg-sebool_spamd_enable_home_dirs_action:testaction:1 - - The operating system must restrict privilege elevation to authorized personnel + + Disable the authlogin_nsswitch_use_ldap SELinux Boolean - ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1 + ocil:ssg-sebool_authlogin_nsswitch_use_ldap_action:testaction:1 - - Add nosuid Option to /boot/efi + + Disable the use_samba_home_dirs SELinux Boolean - ocil:ssg-mount_option_boot_efi_nosuid_action:testaction:1 + ocil:ssg-sebool_use_samba_home_dirs_action:testaction:1 - - Ensure SSH MaxStartups is configured + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-sshd_set_maxstartups_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Group Who Owns Crontab + + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces - ocil:ssg-file_groupowner_crontab_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1 - - Installation of a compiler on production web server is prohibited + + Ensure SNMP Read Write is disabled - ocil:ssg-httpd_no_compilers_in_prod_action:testaction:1 + 
ocil:ssg-snmpd_no_rwusers_action:testaction:1 - - Make sure that the dconf databases are up-to-date with regards to respective keyfiles + + Configure Kernel Parameter for Accepting Secure Redirects By Default - ocil:ssg-dconf_db_up_to_date_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 - - Disable the use of user namespaces + + Set the Boot Loader Admin Username to a Non-Default Value - ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 + ocil:ssg-grub2_admin_username_action:testaction:1 - - Disable the container_connect_any SELinux Boolean + + Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty - ocil:ssg-sebool_container_connect_any_action:testaction:1 + ocil:ssg-ensure_pam_wheel_group_empty_action:testaction:1 - - Install the cron service + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-package_cron_installed_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Disable the selinuxuser_tcp_server SELinux Boolean + + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period - ocil:ssg-sebool_selinuxuser_tcp_server_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_lock_locked_action:testaction:1 - - Ensure SMAP is not disabled during boot + + Ensure auditd Collects Information on the Use of Privileged Commands - umount - ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 - - Disable Odd Job Daemon (oddjobd) + + Record Any Attempts to Run ssh-agent - ocil:ssg-service_oddjobd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_ssh_agent_action:testaction:1 - - Uninstall bind Package + + Ensure there are no legacy + NIS entries in /etc/passwd - ocil:ssg-package_bind_removed_action:testaction:1 + ocil:ssg-no_legacy_plus_entries_etc_passwd_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Maximum 
Consecutive Repeating Characters from Same Character Class + + Ensure a Table Exists for Nftables - ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 + ocil:ssg-set_nftables_table_action:testaction:1 - - Install the tmux Package + + The Postfix package is installed - ocil:ssg-package_tmux_installed_action:testaction:1 + ocil:ssg-package_postfix_installed_action:testaction:1 - - Disable the telepathy_connect_all_ports SELinux Boolean + + Ensure Remote Administrative Access Is Encrypted - ocil:ssg-sebool_telepathy_connect_all_ports_action:testaction:1 + ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1 - - Randomize the kernel memory sections + + Verify Group Ownership of Message of the Day Banner - ocil:ssg-kernel_config_randomize_memory_action:testaction:1 + ocil:ssg-file_groupowner_etc_motd_action:testaction:1 - - Configure Multiple DNS Servers in /etc/resolv.conf + + Install crypto-policies package - ocil:ssg-network_configure_name_resolution_action:testaction:1 + ocil:ssg-package_crypto-policies_installed_action:testaction:1 - - Install firewalld Package + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-package_firewalld_installed_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Ensure rsyncd service is disabled + + Install dnf-plugin-subscription-manager Package - ocil:ssg-service_rsyncd_disabled_action:testaction:1 + ocil:ssg-package_dnf-plugin-subscription-manager_installed_action:testaction:1 - - Enable the OpenSSH Service + + Allow Only SSH Protocol 2 - ocil:ssg-service_sshd_enabled_action:testaction:1 + ocil:ssg-sshd_allow_only_protocol2_action:testaction:1 - - Disable the selinuxuser_mysql_connect_enabled SELinux Boolean + + Verify Permissions on /var/log Directory - ocil:ssg-sebool_selinuxuser_mysql_connect_enabled_action:testaction:1 + ocil:ssg-file_permissions_var_log_action:testaction:1 - - Implement Blank Screensaver + + Record 
Unsuccessful Delete Attempts to Files - renameat - ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1 - - Record Successful Permission Changes to Files - lsetxattr + + Record Unsuccessful Delete Attempts to Files - unlink - ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1 - - Record Successful Access Attempts to Files - ftruncate + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_action:testaction:1 - - Ensure /tmp Located On Separate Partition + + Disable RDS Support - ocil:ssg-partition_for_tmp_action:testaction:1 + ocil:ssg-kernel_module_rds_disabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - openat + + Web Content Directories Must Not Be Shared Anonymously - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 + ocil:ssg-httpd_anonymous_content_sharing_action:testaction:1 - - Disable GDM Guest Login + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Group Who Owns group File + + Disable the spamassassin_can_network SELinux Boolean - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sebool_spamassassin_can_network_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - usermod + + Verify Permissions on cron.hourly - ocil:ssg-audit_rules_privileged_commands_usermod_action:testaction:1 + ocil:ssg-file_permissions_cron_hourly_action:testaction:1 - - Disable the sanlock_use_fusefs SELinux Boolean + + Disable loading and unloading of kernel modules - ocil:ssg-sebool_sanlock_use_fusefs_action:testaction:1 + 
ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1 - - Authorize Human Interface Devices in USBGuard daemon + + Configure auditing of successful ownership changes - ocil:ssg-usbguard_allow_hid_action:testaction:1 + ocil:ssg-audit_owner_change_success_action:testaction:1 - - Set Up a Private Namespace in PAM Configuration + + Enable the LDAP Client For Use in Authconfig - ocil:ssg-enable_pam_namespace_action:testaction:1 + ocil:ssg-enable_ldap_client_action:testaction:1 - - Specify module signing key to use + + Enable checks on notifier call chains - ocil:ssg-kernel_config_module_sig_key_action:testaction:1 + ocil:ssg-kernel_config_debug_notifiers_action:testaction:1 - - Limit sampling frequency of the Perf system + + Enable GNOME3 Screensaver Idle Activation - ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_action:testaction:1 - - Disable the virt_use_usb SELinux Boolean + + Disable the httpd_verify_dns SELinux Boolean - ocil:ssg-sebool_virt_use_usb_action:testaction:1 + ocil:ssg-sebool_httpd_verify_dns_action:testaction:1 - - Record Successful Access Attempts to Files - openat + + Verify Permissions on SSH Server Private *_key Key Files - ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1 + ocil:ssg-file_permissions_sshd_private_key_action:testaction:1 - - Ensure the Default C Shell Umask is Set Correctly + + Configure low address space to protect from user allocation - ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 + ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1 - - SSH client uses strong entropy to seed (for CSH like shells) + + Disable the httpd_manage_ipa SELinux Boolean - ocil:ssg-ssh_client_use_strong_rng_csh_action:testaction:1 + ocil:ssg-sebool_httpd_manage_ipa_action:testaction:1 - - Install the pcsc-lite package + + Disable the minidlna_read_generic_user_content SELinux Boolean - 
ocil:ssg-package_pcsc-lite_installed_action:testaction:1 + ocil:ssg-sebool_minidlna_read_generic_user_content_action:testaction:1 - - Set Boot Loader Password in grub2 + + Record Successful Permission Changes to Files - fchmodat - ocil:ssg-grub2_password_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchmodat_action:testaction:1 - - Disable the httpd_can_network_connect_cobbler SELinux Boolean + + Disable Avahi Server Software - ocil:ssg-sebool_httpd_can_network_connect_cobbler_action:testaction:1 + ocil:ssg-service_avahi-daemon_disabled_action:testaction:1 - - Disable the deny_ptrace SELinux Boolean + + Ensure Mail Transfer Agent is not Listening on any non-loopback Address - ocil:ssg-sebool_deny_ptrace_action:testaction:1 + ocil:ssg-has_nonlocal_mta_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Record Any Attempts to Run setsebool - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-audit_rules_execution_setsebool_action:testaction:1 - - Sign kernel modules with SHA-512 + + Ensure gpgcheck Enabled for Local Packages - ocil:ssg-kernel_config_module_sig_sha512_action:testaction:1 + ocil:ssg-ensure_gpgcheck_local_packages_action:testaction:1 - - Set Permissions on the /var/log/httpd/ Directory + + Disable the selinuxuser_tcp_server SELinux Boolean - ocil:ssg-dir_perms_var_log_httpd_action:testaction:1 + ocil:ssg-sebool_selinuxuser_tcp_server_action:testaction:1 - - Uninstall tftp-server Package + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 - - Ensure that Root's Path Does Not Include World or Group-Writable Directories + + Verify Any Configured IPSec Tunnel Connections - ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 + ocil:ssg-libreswan_approved_tunnels_action:testaction:1 - - Generate USBGuard 
Policy + + Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - ocil:ssg-usbguard_generate_policy_action:testaction:1 + ocil:ssg-accounts_password_pam_dictcheck_action:testaction:1 - - Enable TCP/IP syncookie support + + Sign kernel modules with SHA-512 - ocil:ssg-kernel_config_syn_cookies_action:testaction:1 + ocil:ssg-kernel_config_module_sig_sha512_action:testaction:1 - - Install the Policy Auditor (PA) Module + + Assign Expiration Date to Temporary Accounts - ocil:ssg-install_mcafee_hbss_pa_action:testaction:1 + ocil:ssg-account_temp_expire_date_action:testaction:1 - - Uninstall talk-server Package + + Ensure auditd Collects File Deletion Events by User - unlinkat - ocil:ssg-package_talk-server_removed_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Disable the LDT (local descriptor table) - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-kernel_config_modify_ldt_syscall_action:testaction:1 - - Encrypt All File Uploads + + Disable the cobbler_can_network_connect SELinux Boolean - ocil:ssg-httpd_encrypt_file_uploads_action:testaction:1 + ocil:ssg-sebool_cobbler_can_network_connect_action:testaction:1 - - Restrict Web Browser Use for Administrative Accounts + + Add nosuid Option to /boot - ocil:ssg-no_root_webbrowsing_action:testaction:1 + ocil:ssg-mount_option_boot_nosuid_action:testaction:1 - - Ensure /var/log Located On Separate Partition + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly - ocil:ssg-partition_for_var_log_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1 - - Verify Owner on cron.monthly + + Verify Permissions on gshadow File - ocil:ssg-file_owner_cron_monthly_action:testaction:1 + ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 - - Set number of records to cause an explicit flush to audit logs + + 
Ensure PAM Enforces Password Requirements - Minimum Different Categories - ocil:ssg-auditd_freq_action:testaction:1 + ocil:ssg-accounts_password_pam_minclass_action:testaction:1 - - Ensure /dev/shm is configured + + Verify permissions on System Login Banner for Remote Connections - ocil:ssg-partition_for_dev_shm_action:testaction:1 + ocil:ssg-file_permissions_etc_issue_net_action:testaction:1 - - Disable the guest_exec_content SELinux Boolean + + Disable the pcp_read_generic_logs SELinux Boolean - ocil:ssg-sebool_guest_exec_content_action:testaction:1 + ocil:ssg-sebool_pcp_read_generic_logs_action:testaction:1 - - Configure A Banner Page For Each Website + + Ensure All World-Writable Directories Are Owned by a System Account - ocil:ssg-httpd_configure_banner_page_action:testaction:1 + ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1 
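Review bot: Nearly every `-`/`+` pair in this hunk is the same title and OCIL reference removed in one position and re-added in another, not a content change. For example, `ocil:ssg-package_dhcp_removed_action:testaction:1`, `ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1` and `ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1` each appear once as a removed line and once as an added line inside this hunk. The datastream generator should emit these question and test-action references in a stable order (sorted by id) so that an automated publish produces a diff in which a real rule change is visible instead of being buried in reordered lines; as it stands, a reviewer cannot tell from this hunk whether any check was actually added, dropped or renamed.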
@@ -351401,905 +351407,910 @@ which the system will be deployed as closely as possible.ocil:ssg-sebool_git_cgi_use_cifs_action:testaction:1 - - Ensure the Logon Failure Delay is Set Correctly in login.defs + + Set Interval For Counting Failed Password Attempts - ocil:ssg-accounts_logon_fail_delay_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1 - - Configure immutable Audit login UIDs + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - ocil:ssg-audit_immutable_login_uids_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fsetxattr + + Record Events that Modify User/Group Information - /etc/shadow - ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 - - Disable WIFI Network Connection Creation in GNOME3 + + Record Successful Access Attempts to Files - truncate - ocil:ssg-dconf_gnome_disable_wifi_create_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_truncate_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - umount2 + + Disable the global_ssp SELinux Boolean - ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 + ocil:ssg-sebool_global_ssp_action:testaction:1 - - Ensure auditd Collects System Administrator Actions - /etc/sudoers + + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot - ocil:ssg-audit_rules_sudoers_action:testaction:1 + ocil:ssg-sudo_add_ignore_dot_action:testaction:1 - - Set Permissions on All Configuration Files Inside /etc/httpd/conf/ + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd - ocil:ssg-file_permissions_httpd_server_conf_files_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 - - Disable 
vsyscalls + + Uninstall rsync Package - ocil:ssg-grub2_vsyscall_argument_action:testaction:1 + ocil:ssg-package_rsync_removed_action:testaction:1 - - Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config + + Configure Kerberos to use System Crypto Policy - ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_action:testaction:1 + ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 - - Disable the samba_export_all_rw SELinux Boolean + + Enable GSSAPI Authentication - ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 + ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/passwd + + Disable ntpdate Service (ntpdate) - ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1 + ocil:ssg-service_ntpdate_disabled_action:testaction:1 - - Disable the entropyd_use_audio SELinux Boolean + + Disable the ftpd_anon_write SELinux Boolean - ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 + ocil:ssg-sebool_ftpd_anon_write_action:testaction:1 - - Disable the daemons_enable_cluster_mode SELinux Boolean + + Verify ufw Enabled - ocil:ssg-sebool_daemons_enable_cluster_mode_action:testaction:1 + ocil:ssg-service_ufw_enabled_action:testaction:1 - - Ensure All Files Are Owned by a User + + Disable the rsync_client SELinux Boolean - ocil:ssg-no_files_unowned_by_user_action:testaction:1 + ocil:ssg-sebool_rsync_client_action:testaction:1 - - Disable the racoon_read_shadow SELinux Boolean + + Ensure System Log Files Have Correct Permissions - ocil:ssg-sebool_racoon_read_shadow_action:testaction:1 + ocil:ssg-rsyslog_files_permissions_action:testaction:1 - - Kernel panic on oops + + Configure Denying Router Solicitations on All IPv6 Interfaces - ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_router_solicitations_action:testaction:1 - - Disable the daemons_dump_core SELinux Boolean + + Enable Kernel Parameter to Enforce DAC 
on Symlinks - ocil:ssg-sebool_daemons_dump_core_action:testaction:1 + ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 - - Disable Avahi Server Software + + Disable the xdm_sysadm_login SELinux Boolean - ocil:ssg-service_avahi-daemon_disabled_action:testaction:1 + ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1 - - Disable the tor_bind_all_unreserved_ports SELinux Boolean + + Extend Audit Backlog Limit for the Audit Daemon in zIPL - ocil:ssg-sebool_tor_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-zipl_audit_backlog_limit_argument_action:testaction:1 - - Enable HTTPD LogLevel + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - ocil:ssg-httpd_enable_loglevel_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 - - Add nodev Option to /tmp + + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT - ocil:ssg-mount_option_tmp_nodev_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading - init_module + + Configure auditing of unsuccessful permission changes - ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1 + ocil:ssg-audit_perm_change_failed_action:testaction:1 - - Disable the git_system_use_nfs SELinux Boolean + + Make the module text and rodata read-only - ocil:ssg-sebool_git_system_use_nfs_action:testaction:1 + ocil:ssg-kernel_config_strict_module_rwx_action:testaction:1 - - Disable the sanlock_use_samba SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - reboot - ocil:ssg-sebool_sanlock_use_samba_action:testaction:1 + ocil:ssg-audit_privileged_commands_reboot_action:testaction:1 - - Disable X Windows Startup By Setting Default Target + + Remove .java And .jpp Files - ocil:ssg-xwindows_runlevel_target_action:testaction:1 + 
ocil:ssg-httpd_limit_java_files_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + + Disable the prosody_bind_http_port SELinux Boolean - ocil:ssg-audit_rules_etc_gshadow_openat_action:testaction:1 + ocil:ssg-sebool_prosody_bind_http_port_action:testaction:1 - - Verify User Who Owns shadow File + + Remove the kernel mapping in user mode - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-kernel_config_page_table_isolation_action:testaction:1 - - Install Smart Card Packages For Multifactor Authentication + + Set Default firewalld Zone for Incoming Packets - ocil:ssg-install_smartcard_packages_action:testaction:1 + ocil:ssg-set_firewalld_default_zone_action:testaction:1 - - Install tar Package + + Verify Permissions on /etc/audit/rules.d/*.rules - ocil:ssg-package_tar_installed_action:testaction:1 + ocil:ssg-file_permissions_etc_audit_rulesd_action:testaction:1 - - Disable the openshift_use_nfs SELinux Boolean + + Disable the mpd_use_cifs SELinux Boolean - ocil:ssg-sebool_openshift_use_nfs_action:testaction:1 + ocil:ssg-sebool_mpd_use_cifs_action:testaction:1 - - Enable the unconfined_chrome_sandbox_transition SELinux Boolean + + Verify Permissions on SSH Server config file - ocil:ssg-sebool_unconfined_chrome_sandbox_transition_action:testaction:1 + ocil:ssg-file_permissions_sshd_config_action:testaction:1 - - Harden OpenSSL Crypto Policy + + Disable the git_system_use_nfs SELinux Boolean - ocil:ssg-harden_openssl_crypto_policy_action:testaction:1 + ocil:ssg-sebool_git_system_use_nfs_action:testaction:1 - - Configure SSSD LDAP Backend Client CA Certificate + + Set PAM''s Password Hashing Algorithm - password-auth - ocil:ssg-sssd_ldap_configure_tls_ca_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_passwordauth_action:testaction:1 - - Uninstall quagga Package + + Kernel panic on oops - ocil:ssg-package_quagga_removed_action:testaction:1 + 
ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1 - - Record Attempts to Alter Time Through clock_settime + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Enable NX or XD Support in the BIOS + + Record Unsuccessful Ownership Changes to Files - lchown - ocil:ssg-bios_enable_execution_restrictions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1 - - Verify Group Who Owns shadow File + + Record Any Attempts to Run chacl - ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 + ocil:ssg-audit_rules_execution_chacl_action:testaction:1 - - Disable the ftpd_anon_write SELinux Boolean + + Trigger a kernel BUG when data corruption is detected - ocil:ssg-sebool_ftpd_anon_write_action:testaction:1 + ocil:ssg-kernel_config_bug_on_data_corruption_action:testaction:1 - - Disable storing core dump + + Uninstall python3-abrt-addon Package - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-package_python3-abrt-addon_removed_action:testaction:1 - - Configure SSSD to run as user sssd + + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli - ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 + ocil:ssg-network_nmcli_permissions_action:testaction:1 - - Verify Group Who Owns passwd File + + Enable HTTPD LogLevel - ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 + ocil:ssg-httpd_enable_loglevel_action:testaction:1 - - Install the opensc Package For Multifactor Authentication + + Generate USBGuard Policy - ocil:ssg-package_opensc_installed_action:testaction:1 + ocil:ssg-usbguard_generate_policy_action:testaction:1 - - Uninstall abrt-addon-kerneloops Package + + Configure LDAP Client to Use TLS For All Transactions - ocil:ssg-package_abrt-addon-kerneloops_removed_action:testaction:1 + ocil:ssg-ldap_client_start_tls_action:testaction:1 - - Add nosuid 
Option to /srv + + Disable DHCP Service - ocil:ssg-mount_option_srv_nosuid_action:testaction:1 + ocil:ssg-service_dhcpd_disabled_action:testaction:1 - - Disallow kernel profiling by unprivileged users + + Enable page allocator poisoning - ocil:ssg-sysctl_kernel_perf_event_paranoid_action:testaction:1 + ocil:ssg-grub2_page_poison_argument_action:testaction:1 - - Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC + + Install nftables Package - ocil:ssg-sudo_add_noexec_action:testaction:1 + ocil:ssg-package_nftables_installed_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces + + System Audit Logs Must Have Mode 0640 or Less Permissive - ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 + ocil:ssg-file_permissions_var_log_audit_action:testaction:1 - - Configure The Number of Allowed Simultaneous Requests + + Configure System to Forward All Mail through a specific host - ocil:ssg-httpd_configure_max_keepalive_requests_action:testaction:1 + ocil:ssg-postfix_client_configure_relayhost_action:testaction:1 - - Shutdown System When Auditing Failures Occur + + Verify Permissions on /etc/at.allow file - ocil:ssg-audit_rules_system_shutdown_action:testaction:1 + ocil:ssg-file_permissions_at_allow_action:testaction:1 - - Add noexec Option to /boot + + Limit Password Reuse: system-auth - ocil:ssg-mount_option_boot_noexec_action:testaction:1 + ocil:ssg-accounts_password_pam_pwhistory_remember_system_auth_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + + Record Events that Modify the System's Discretionary Access Controls - fchownat - ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 - - Disable the rsync_client SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - 
ocil:ssg-sebool_rsync_client_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Virus Scanning Software Definitions Are Updated + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-mcafee_antivirus_definitions_updated_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Enable cron Service + + Make the kernel text and rodata read-only - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-kernel_config_strict_kernel_rwx_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + + Ensure the Logon Failure Delay is Set Correctly in login.defs - ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 + ocil:ssg-accounts_logon_fail_delay_action:testaction:1 - - Audit Configuration Files Must Be Owned By Group root + + Ensure there are no legacy + NIS entries in /etc/group - ocil:ssg-file_groupownership_audit_configuration_action:testaction:1 + ocil:ssg-no_legacy_plus_entries_etc_group_action:testaction:1 - - Record Events When Privileged Executables Are Run + + Disable merging of slabs with similar size - ocil:ssg-audit_rules_suid_privilege_function_action:testaction:1 + ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1 - - Disable the ftpd_connect_db SELinux Boolean + + Enable the pcscd Service - ocil:ssg-sebool_ftpd_connect_db_action:testaction:1 + ocil:ssg-service_pcscd_enabled_action:testaction:1 - - Set SSH Client Alive Count Max to zero + + Verify User Who Owns Backup gshadow File - ocil:ssg-sshd_set_keepalive_0_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Enable the antivirus_can_scan_system SELinux Boolean + + Disable the sanlock_use_fusefs SELinux Boolean - ocil:ssg-sebool_antivirus_can_scan_system_action:testaction:1 + ocil:ssg-sebool_sanlock_use_fusefs_action:testaction:1 - - Ensure Rsyslog Encrypts Off-Loaded Audit Records + + 
Disable GDM Guest Login - ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1 + ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1 - - Set Default iptables Policy for Incoming Packets + + All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive - ocil:ssg-set_iptables_default_rule_action:testaction:1 + ocil:ssg-accounts_users_home_files_permissions_action:testaction:1 - - The Installed Operating System Is FIPS 140-2 Certified + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - System Audit Logs Must Be Owned By Root + + Enable the staff_exec_content SELinux Boolean - ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 + ocil:ssg-sebool_staff_exec_content_action:testaction:1 - - Disable systemd-journal-remote Socket + + Root Path Must Be Vendor Default - ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1 + ocil:ssg-root_path_default_action:testaction:1 - - Disable the icecast_use_any_tcp_ports SELinux Boolean + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sebool_icecast_use_any_tcp_ports_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Different Characters + + Disable the xguest_use_bluetooth SELinux Boolean - ocil:ssg-accounts_password_pam_difok_action:testaction:1 + ocil:ssg-sebool_xguest_use_bluetooth_action:testaction:1 - - Add nosuid Option to /boot + + Disable Apache Qpid (qpidd) - ocil:ssg-mount_option_boot_nosuid_action:testaction:1 + ocil:ssg-service_qpidd_disabled_action:testaction:1 - - Configure OpenSSL library to use TLS Encryption + + Record Successful Access Attempts to Files - open - ocil:ssg-configure_openssl_tls_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 - - Enable Process 
Accounting (psacct) + + Configure auditd Max Log File Size - ocil:ssg-service_psacct_enabled_action:testaction:1 + ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1 - - Verify that Shared Library Files Have Restrictive Permissions + + Disable vsftpd Service - ocil:ssg-file_permissions_library_dirs_action:testaction:1 + ocil:ssg-service_vsftpd_disabled_action:testaction:1 - - Set Password Hashing Algorithm in /etc/libuser.conf + + Enable Randomized Layout of Virtual Address Space - ocil:ssg-set_password_hashing_algorithm_libuserconf_action:testaction:1 + ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 - - Deactivate Wireless Network Interfaces + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - ocil:ssg-wireless_disable_interfaces_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 - - Warn on W+X mappings found at boot + + Mount Remote Filesystems with Kerberos Security - ocil:ssg-kernel_config_debug_wx_action:testaction:1 + ocil:ssg-mount_option_krb_sec_remote_filesystems_action:testaction:1 - - Add nosuid Option to /opt + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-mount_option_opt_nosuid_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Configure auditd Disk Error Action on Disk Error + + Specify the hash to use when signing modules - ocil:ssg-auditd_data_disk_error_action_action:testaction:1 + ocil:ssg-kernel_config_module_sig_hash_action:testaction:1 - - Disable the global_ssp SELinux Boolean + + Add nosuid Option to /var/log - ocil:ssg-sebool_global_ssp_action:testaction:1 + ocil:ssg-mount_option_var_log_nosuid_action:testaction:1 - - Disable the samba_load_libgfapi SELinux Boolean + + Set the GNOME3 Login Number of Failures - ocil:ssg-sebool_samba_load_libgfapi_action:testaction:1 + ocil:ssg-dconf_gnome_login_retries_action:testaction:1 - - Configure the 
polyinstantiation_enabled SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - setxattr - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 - - Configure HTTP PERL Scripts To Use TAINT Option + + Disable X Windows Startup By Setting Default Target - ocil:ssg-httpd_configure_perl_taint_action:testaction:1 + ocil:ssg-xwindows_runlevel_target_action:testaction:1 - - Configure Libreswan to use System Crypto Policy + + Disable SSH Support for .rhosts Files - ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Any Attempts to Run semanage + + Configure auditd space_left Action on Low Disk Space - ocil:ssg-audit_rules_execution_semanage_action:testaction:1 + ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1 - - Disable the cvs_read_shadow SELinux Boolean + + Record Unsuccessful Ownership Changes to Files - fchown - ocil:ssg-sebool_cvs_read_shadow_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1 - - Disable Access to Network bpf() Syscall From Unprivileged Processes + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_update - ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_unix_update_action:testaction:1 - - Disable IPv6 Networking Support Automatic Loading + + Ensure Rsyslog Encrypts Off-Loaded Audit Records - ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 + ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Screensaver Idle Activation + + Disable the named_tcp_bind_http_port SELinux Boolean - ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1 + ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 - - Enable the 
secadm_exec_content SELinux Boolean + + Enable logrotate Timer - ocil:ssg-sebool_secadm_exec_content_action:testaction:1 + ocil:ssg-timer_logrotate_enabled_action:testaction:1 - - System Audit Directories Must Be Owned By Root + + Disable Network Console (netconsole) - ocil:ssg-directory_ownership_var_log_audit_action:testaction:1 + ocil:ssg-service_netconsole_disabled_action:testaction:1 - - Disable the virt_use_xserver SELinux Boolean + + Modify the System Message of the Day Banner - ocil:ssg-sebool_virt_use_xserver_action:testaction:1 + ocil:ssg-banner_etc_motd_action:testaction:1 - - Uninstall rsh-server Package + + Disable the httpd_dontaudit_search_dirs SELinux Boolean - ocil:ssg-package_rsh-server_removed_action:testaction:1 + ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - Disable the git_session_bind_all_unreserved_ports SELinux Boolean + + Install sudo Package - ocil:ssg-sebool_git_session_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-package_sudo_installed_action:testaction:1 - - Verify Permissions on group File + + HTTPD Log Files Must Be Owned By Root - ocil:ssg-file_permissions_etc_group_action:testaction:1 + ocil:ssg-http_configure_log_file_ownership_action:testaction:1 - - Add nosuid Option to /var/log + + Configure SSH to use System Crypto Policy - ocil:ssg-mount_option_var_log_nosuid_action:testaction:1 + ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - Configure auditing of successful file deletions + + Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. 
- ocil:ssg-audit_delete_success_action:testaction:1 + ocil:ssg-fapolicy_default_deny_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Ensure SSH MaxStartups is configured - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-sshd_set_maxstartups_action:testaction:1 - - System Audit Logs Must Have Mode 0750 or Less Permissive + + Ensure '/etc/system-fips' exists - ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Disable legacy (BSD) PTY support + + Enable the xend_run_blktap SELinux Boolean - ocil:ssg-kernel_config_legacy_ptys_action:testaction:1 + ocil:ssg-sebool_xend_run_blktap_action:testaction:1 - - Set Password Minimum Length in login.defs + + Verify Group Who Owns /var/log/messages File - ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1 + ocil:ssg-file_groupowner_var_log_messages_action:testaction:1 - - SSH server uses strong entropy to seed + + Configure Polyinstantiation of /tmp Directories - ocil:ssg-sshd_use_strong_rng_action:testaction:1 + ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 - - Configure SELinux Policy + + Ensure remote access methods are monitored in Rsyslog - ocil:ssg-selinux_policytype_action:testaction:1 + ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1 - - Scan All Uploaded Content for Malicious Software + + Ensure /var/tmp Located On Separate Partition - ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1 + ocil:ssg-partition_for_var_tmp_action:testaction:1 - - Verify Permissions on /etc/audit/auditd.conf + + Install rng-tools Package - ocil:ssg-file_permissions_etc_audit_auditd_action:testaction:1 + ocil:ssg-package_rng-tools_installed_action:testaction:1 - - Enable automatic signing of all modules + + Disable /dev/kmem virtual device support - ocil:ssg-kernel_config_module_sig_all_action:testaction:1 + ocil:ssg-kernel_config_devkmem_action:testaction:1 - - Disable the 
domain_kernel_load_modules SELinux Boolean + + Set Password Minimum Age - ocil:ssg-sebool_domain_kernel_load_modules_action:testaction:1 + ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 - - Prevent user from disabling the screen lock + + Install Virus Scanning Software - ocil:ssg-no_tmux_in_shells_action:testaction:1 + ocil:ssg-install_antivirus_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fchmodat + + Verify Group Who Owns /var/log Directory - ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 + ocil:ssg-file_groupowner_var_log_action:testaction:1 - - Disable the git_cgi_enable_homedirs SELinux Boolean + + Remove telnet Clients - ocil:ssg-sebool_git_cgi_enable_homedirs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Configure auditd Disk Full Action when Disk Space Is Full + + Disable Automatic Bug Reporting Tool (abrtd) - ocil:ssg-auditd_data_disk_full_action_action:testaction:1 + ocil:ssg-service_abrtd_disabled_action:testaction:1 - - Enable Kernel Parameter to Enforce DAC on Hardlinks + + SSH server uses strong entropy to seed - ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 + ocil:ssg-sshd_use_strong_rng_action:testaction:1 - - Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean + + Verify the UEFI Boot Loader grub.cfg User Ownership - ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1 + ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1 - - Verify Group Who Owns Backup passwd File + + Verify Permissions on shadow File - ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1 + ocil:ssg-file_permissions_etc_shadow_action:testaction:1 - - Ensure journald is configured to compress large log files + + Disable Bluetooth Kernel Module - ocil:ssg-journald_compress_action:testaction:1 + ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1 - - Uninstall squid Package + + Enable the 
secadm_exec_content SELinux Boolean - ocil:ssg-package_squid_removed_action:testaction:1 + ocil:ssg-sebool_secadm_exec_content_action:testaction:1 - - Disable DHCP Service + + Disable the ssh_keysign SELinux Boolean - ocil:ssg-service_dhcpd_disabled_action:testaction:1 + ocil:ssg-sebool_ssh_keysign_action:testaction:1 - - Disable debug-shell SystemD Service + + Disable the httpd_ssi_exec SELinux Boolean - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_ssi_exec_action:testaction:1 - - Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean + + Disable Quagga Service - ocil:ssg-sebool_postgresql_selinux_unconfined_dbadm_action:testaction:1 + ocil:ssg-service_zebra_disabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Record Events When Privileged Executables Are Run - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_suid_privilege_function_action:testaction:1 - - Uninstall cyrus-imapd Package + + Explicit arguments in sudo specifications - ocil:ssg-package_cyrus-imapd_removed_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 - - Record Successful Permission Changes to Files - fremovexattr + + Randomize the address of the kernel image (KASLR) - ocil:ssg-audit_rules_successful_file_modification_fremovexattr_action:testaction:1 + ocil:ssg-kernel_config_randomize_base_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fsetxattr + + Disable the mpd_enable_homedirs SELinux Boolean - ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 + ocil:ssg-sebool_mpd_enable_homedirs_action:testaction:1 - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Configure auditing of loading and unloading of kernel modules - ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1 + 
ocil:ssg-audit_module_load_action:testaction:1 - - Enable the nfs_export_all_ro SELinux Boolean + + Ensure auditd Collects Information on Kernel Module Loading - init_module - ocil:ssg-sebool_nfs_export_all_ro_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1 - - Disable the httpd_dbus_sssd SELinux Boolean + + Install Intrusion Detection Software - ocil:ssg-sebool_httpd_dbus_sssd_action:testaction:1 + ocil:ssg-install_hids_action:testaction:1 - - Configure audispd Plugin To Send Logs To Remote Server + + Disable the zoneminder_anon_write SELinux Boolean - ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1 + ocil:ssg-sebool_zoneminder_anon_write_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fchmod + + Disable the guest_exec_content SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1 + ocil:ssg-sebool_guest_exec_content_action:testaction:1 - - Record Unsuccessful Delete Attempts to Files - unlinkat + + Disable CAN Support - ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 + ocil:ssg-kernel_module_can_disabled_action:testaction:1 - - Include Local Events in Audit Logs + + Disable the neutron_can_network SELinux Boolean - ocil:ssg-auditd_local_events_action:testaction:1 + ocil:ssg-sebool_neutron_can_network_action:testaction:1 - - Ensure Insecure File Locking is Not Allowed + + Disable the httpd_can_network_relay SELinux Boolean - ocil:ssg-no_insecure_locks_exports_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Enable cron Service - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-service_cron_enabled_action:testaction:1 - - Set Password Maximum Age + + Add nodev Option to Removable Media Partitions - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + 
ocil:ssg-mount_option_nodev_removable_partitions_action:testaction:1 - - Configure Sending and Accepting Shared Media Redirects by Default + + Disable acquiring, saving, and processing core dumps - ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Add nosuid Option to /var + + Specify a Remote NTP Server - ocil:ssg-mount_option_var_nosuid_action:testaction:1 + ocil:ssg-ntpd_specify_remote_server_action:testaction:1 - - Ensure Remote Administrative Access Is Encrypted + + Disable the daemons_use_tcp_wrapper SELinux Boolean - ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1 + ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1 - - Enable Public Key Authentication + + Ensure that /etc/cron.deny does not exist - ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1 + ocil:ssg-file_cron_deny_not_exist_action:testaction:1 - - Enable the postgresql_selinux_users_ddl SELinux Boolean + + Disable the awstats_purge_apache_log_files SELinux Boolean - ocil:ssg-sebool_postgresql_selinux_users_ddl_action:testaction:1 + ocil:ssg-sebool_awstats_purge_apache_log_files_action:testaction:1 - - Disable Geolocation in GNOME3 + + System Audit Logs Must Have Mode 0750 or Less Permissive - ocil:ssg-dconf_gnome_disable_geolocation_action:testaction:1 + ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 - - Disable Quota Netlink (quota_nld) + + Add noexec Option to /var - ocil:ssg-service_quota_nld_disabled_action:testaction:1 + ocil:ssg-mount_option_var_noexec_action:testaction:1 - - Certificate status checking in SSSD + + Disable IPv6 Networking Support Automatic Loading - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 - - Disable Accepting ICMP Redirects for All IPv6 Interfaces + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same 
Character Class - ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check + + Enable the httpd_graceful_shutdown SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 + ocil:ssg-sebool_httpd_graceful_shutdown_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + + Enable ExecShield via sysctl - ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1 + ocil:ssg-sysctl_kernel_exec_shield_action:testaction:1 - - Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config + + Verify that Shared Library Files Have Restrictive Permissions - ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_action:testaction:1 + ocil:ssg-file_permissions_library_dirs_action:testaction:1 - - Ensure PAM Displays Last Logon/Access Notification + + Configure AIDE to Verify Access Control Lists (ACLs) - ocil:ssg-display_login_attempts_action:testaction:1 + ocil:ssg-aide_verify_acls_action:testaction:1 - - Disable the httpd_read_user_content SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper - ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fchown + + Disable Network Router Discovery Daemon (rdisc) - ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 + ocil:ssg-service_rdisc_disabled_action:testaction:1 - - Verify the system-wide library files in directories -"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. 
+ + Configure AIDE to Verify Extended Attributes - ocil:ssg-root_permissions_syslibrary_files_action:testaction:1 + ocil:ssg-aide_verify_ext_attributes_action:testaction:1 - - Ensure Software Patches Installed + + Restrict Web Browser Use for Administrative Accounts - ocil:ssg-security_patches_up_to_date_action:testaction:1 + ocil:ssg-no_root_webbrowsing_action:testaction:1 - - Verify that audit tools are owned by group root + + Record attempts to alter time through adjtimex - ocil:ssg-file_groupownership_audit_binaries_action:testaction:1 + ocil:ssg-audit_rules_time_adjtimex_action:testaction:1 - - Verify nftables Service is Disabled + + Set existing passwords a period of inactivity before they been locked - ocil:ssg-service_nftables_disabled_action:testaction:1 + ocil:ssg-accounts_set_post_pw_existing_action:testaction:1 - - Configure file name of core dumps + + Enable SSH Server firewalld Firewall Exception - ocil:ssg-sysctl_kernel_core_uses_pid_action:testaction:1 + ocil:ssg-firewalld_sshd_port_enabled_action:testaction:1 + + + + Ensure SELinux Not Disabled in /etc/default/grub + + ocil:ssg-grub2_enable_selinux_action:testaction:1 
@@ -352308,1936 +352319,1925 @@ which the system will be deployed as closely as possible.ocil:ssg-sebool_antivirus_use_jit_action:testaction:1 - - Ensure that /etc/cron.deny does not exist + + Enable the unconfined_mozilla_plugin_transition SELinux Boolean - ocil:ssg-file_cron_deny_not_exist_action:testaction:1 + ocil:ssg-sebool_unconfined_mozilla_plugin_transition_action:testaction:1 - - Configure the Firewalld Ports + + Use Kerberos Security on All Exports - ocil:ssg-configure_firewalld_ports_action:testaction:1 + ocil:ssg-use_kerberos_security_all_exports_action:testaction:1 - - Disable the ftpd_use_fusefs SELinux Boolean + + Configure auditing of successful file accesses - ocil:ssg-sebool_ftpd_use_fusefs_action:testaction:1 + ocil:ssg-audit_access_success_action:testaction:1 - - Configure auditd to use audispd's syslog plugin + + Record Attempts to Alter Time Through stime - ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 + ocil:ssg-audit_rules_time_stime_action:testaction:1 - - Enable the unconfined_login SELinux Boolean + + Record Events that Modify User/Group Information - /etc/passwd - ocil:ssg-sebool_unconfined_login_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 - - Ensure there are no legacy + NIS entries in /etc/group + + System Audit Logs Must Be Group Owned By Root - ocil:ssg-no_legacy_plus_entries_etc_group_action:testaction:1 + ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 - - Use Only FIPS 140-2 Validated Key Exchange Algorithms + + Ensure /srv Located On Separate Partition - ocil:ssg-sshd_use_approved_kex_ordered_stig_action:testaction:1 + ocil:ssg-partition_for_srv_action:testaction:1 - - Support session locking with tmux + + Disable the lsmd_plugin_connect_any SELinux Boolean - ocil:ssg-configure_bashrc_exec_tmux_action:testaction:1 + ocil:ssg-sebool_lsmd_plugin_connect_any_action:testaction:1 - - Verify permissions on System Login Banner + + Disable IPv6 
Addressing on IPv6 Interfaces by Default - ocil:ssg-file_permissions_etc_issue_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - su + + Verify ownership of Message of the Day Banner - ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 + ocil:ssg-file_owner_etc_motd_action:testaction:1 - - Ensure that System Accounts Do Not Run a Shell Upon Login + + Configure opensc Smart Card Drivers - ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 + ocil:ssg-configure_opensc_card_drivers_action:testaction:1 - - Set SSH Daemon LogLevel to VERBOSE + + Enable NX or XD Support in the BIOS - ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1 + ocil:ssg-bios_enable_execution_restrictions_action:testaction:1 - - Remove User Host-Based Authentication Files + + Disable the httpd_serve_cobbler_files SELinux Boolean - ocil:ssg-no_user_host_based_files_action:testaction:1 + ocil:ssg-sebool_httpd_serve_cobbler_files_action:testaction:1 - - Enable SLUB debugging support + + Remove the FreeRadius Server Package - ocil:ssg-kernel_config_slub_debug_action:testaction:1 + ocil:ssg-package_freeradius_removed_action:testaction:1 - - Record attempts to alter time through adjtimex + + Verify Permissions on /etc/audit/auditd.conf - ocil:ssg-audit_rules_time_adjtimex_action:testaction:1 + ocil:ssg-file_permissions_etc_audit_auditd_action:testaction:1 - - Disable the use_samba_home_dirs SELinux Boolean + + Disable the ftpd_use_passive_mode SELinux Boolean - ocil:ssg-sebool_use_samba_home_dirs_action:testaction:1 + ocil:ssg-sebool_ftpd_use_passive_mode_action:testaction:1 - - Disable the mcelog_foreground SELinux Boolean + + Disable Samba - ocil:ssg-sebool_mcelog_foreground_action:testaction:1 + ocil:ssg-service_smb_disabled_action:testaction:1 - - Ensure SNMP Read Write is disabled + + Enable the cron_userdomain_transition SELinux Boolean - 
ocil:ssg-snmpd_no_rwusers_action:testaction:1 + ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1 - - Verify firewalld Enabled + + Verify ip6tables Enabled if Using IPv6 - ocil:ssg-service_firewalld_enabled_action:testaction:1 + ocil:ssg-service_ip6tables_enabled_action:testaction:1 - - Install scap-security-guide Package + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh - ocil:ssg-package_scap-security-guide_installed_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 - - Do not allow usercopy whitelist violations to fallback to object size + + Verify that Shared Library Directories Have Root Ownership - ocil:ssg-kernel_config_hardened_usercopy_fallback_action:testaction:1 + ocil:ssg-dir_ownership_library_dirs_action:testaction:1 - - Verify Group Who Owns Backup group File + + System Audit Logs Must Be Owned By Root - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 - - Disable the GNOME3 Login Restart and Shutdown Buttons + + Add nosuid Option to /opt - ocil:ssg-dconf_gnome_disable_restart_shutdown_action:testaction:1 + ocil:ssg-mount_option_opt_nosuid_action:testaction:1 - - Enable Use of Strict Mode Checking + + Enable syslog-ng Service - ocil:ssg-sshd_enable_strictmodes_action:testaction:1 + ocil:ssg-service_syslogng_enabled_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/group + + Install systemd-journal-remote Package - ocil:ssg-audit_rules_etc_group_openat_action:testaction:1 + ocil:ssg-package_systemd-journal-remote_installed_action:testaction:1 - - Ensure System Log Files Have Correct Permissions + + Disable GDM Automatic Login - ocil:ssg-rsyslog_files_permissions_action:testaction:1 + ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1 - - Require Client Certificates + + Ensure the Default Umask is Set Correctly in /etc/profile - 
ocil:ssg-httpd_require_client_certs_action:testaction:1 + ocil:ssg-accounts_umask_etc_profile_action:testaction:1 - - Verify Ownership on SSH Server Private *_key Key Files + + The Installed Operating System Is FIPS 140-2 Certified - ocil:ssg-file_ownership_sshd_private_key_action:testaction:1 + ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1 - - Harden SSH client Crypto Policy + + Disable the mozilla_plugin_use_spice SELinux Boolean - ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_use_spice_action:testaction:1 - - Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Verify Group Who Owns Backup passwd File - ocil:ssg-sysctl_net_ipv6_conf_default_router_solicitations_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1 - - Install sssd-ipa Package + + Record Events that Modify the System's Discretionary Access Controls - fchmodat - ocil:ssg-package_sssd-ipa_installed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 - - Disable the ssh_chroot_rw_homedirs SELinux Boolean + + Install openscap-scanner Package - ocil:ssg-sebool_ssh_chroot_rw_homedirs_action:testaction:1 + ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - Disable the cdrecord_read_content SELinux Boolean + + Disable the IPv6 protocol - ocil:ssg-sebool_cdrecord_read_content_action:testaction:1 + ocil:ssg-kernel_config_ipv6_action:testaction:1 - - Disable CAN Support + + Disable the CUPS Service - ocil:ssg-kernel_module_can_disabled_action:testaction:1 + ocil:ssg-service_cups_disabled_action:testaction:1 - - Disable Cyrus SASL Authentication Daemon (saslauthd) + + Ensure auditd Collects Information on the Use of Privileged Commands - poweroff - ocil:ssg-service_saslauthd_disabled_action:testaction:1 + ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1 - - Configure auditing of successful permission changes + + Shutdown 
System When Auditing Failures Occur - ocil:ssg-audit_perm_change_success_action:testaction:1 + ocil:ssg-audit_rules_system_shutdown_action:testaction:1 - - All User Files and Directories In The Home Directory Must Have a Valid Owner + + Restrict unprivileged access to the kernel syslog - ocil:ssg-accounts_users_home_files_ownership_action:testaction:1 + ocil:ssg-kernel_config_security_dmesg_restrict_action:testaction:1 - - Enable checks on scatter-gather (SG) table operations + + Use Only FIPS 140-2 Validated Key Exchange Algorithms - ocil:ssg-kernel_config_debug_sg_action:testaction:1 + ocil:ssg-sshd_use_approved_kex_ordered_stig_action:testaction:1 - - Disable ntpdate Service (ntpdate) + + Add nosuid Option to /dev/shm - ocil:ssg-service_ntpdate_disabled_action:testaction:1 + ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1 - - Disable the xguest_use_bluetooth SELinux Boolean + + Prevent remote hosts from connecting to the proxy display - ocil:ssg-sebool_xguest_use_bluetooth_action:testaction:1 + ocil:ssg-sshd_x11_use_localhost_action:testaction:1 - - Harden slab freelist metadata + + Disable the dbadm_manage_user_files SELinux Boolean - ocil:ssg-kernel_config_slab_freelist_hardened_action:testaction:1 + ocil:ssg-sebool_dbadm_manage_user_files_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/group + + Configure SELinux Policy - ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 + ocil:ssg-selinux_policytype_action:testaction:1 - - Disable the pcp_bind_all_unreserved_ports SELinux Boolean + + Uninstall cyrus-imapd Package - ocil:ssg-sebool_pcp_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-package_cyrus-imapd_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Verify Permissions on Backup shadow File - ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1 
- - Ensure users' .netrc Files are not group or world accessible + + Force frequent session key renegotiation - ocil:ssg-accounts_users_netrc_file_permissions_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Record Access Events to Audit Log Directory + + Do not allow usercopy whitelist violations to fallback to object size - ocil:ssg-directory_access_var_log_audit_action:testaction:1 + ocil:ssg-kernel_config_hardened_usercopy_fallback_action:testaction:1 - - Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + + Disable DHCP Client in ifcfg - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1 - - Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Disable the samba_enable_home_dirs SELinux Boolean - ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 + ocil:ssg-sebool_samba_enable_home_dirs_action:testaction:1 - - Configure SSSD to Expire SSH Known Hosts + + Disable the selinuxuser_udp_server SELinux Boolean - ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1 + ocil:ssg-sebool_selinuxuser_udp_server_action:testaction:1 - - Set GNOME3 Screensaver Lock Delay After Activation Period + + Disable Bluetooth Service - ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1 + ocil:ssg-service_bluetooth_disabled_action:testaction:1 - - Install nftables Package + + Support session locking with tmux - ocil:ssg-package_nftables_installed_action:testaction:1 + ocil:ssg-configure_bashrc_exec_tmux_action:testaction:1 - - Disable the polipo_session_users SELinux Boolean + + Install scap-security-guide Package - ocil:ssg-sebool_polipo_session_users_action:testaction:1 + ocil:ssg-package_scap-security-guide_installed_action:testaction:1 - - Enable log_config_module For HTTPD Logging + + Verify that System Executables Have Root Ownership - 
ocil:ssg-httpd_enable_log_config_action:testaction:1 + ocil:ssg-file_ownership_binary_dirs_action:testaction:1 - - Enable the spamd_enable_home_dirs SELinux Boolean + + Randomize slab freelist - ocil:ssg-sebool_spamd_enable_home_dirs_action:testaction:1 + ocil:ssg-kernel_config_slab_freelist_random_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - unlinkat + + Enable the user_exec_content SELinux Boolean - ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1 + ocil:ssg-sebool_user_exec_content_action:testaction:1 - - Disable Network Console (netconsole) + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_netconsole_disabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Set SSH Client Alive Count Max + + Disable the cobbler_use_nfs SELinux Boolean - ocil:ssg-sshd_set_keepalive_action:testaction:1 + ocil:ssg-sebool_cobbler_use_nfs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + + Disable IPv6 Addressing on All IPv6 Interfaces - ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1 - - Verify /boot/grub2/user.cfg Permissions + + Disable the httpd_can_sendmail SELinux Boolean - ocil:ssg-file_permissions_user_cfg_action:testaction:1 + ocil:ssg-sebool_httpd_can_sendmail_action:testaction:1 - - Set PAM''s Password Hashing Algorithm + + Verify Group Ownership on SSH Server Private *_key Key Files - ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 + ocil:ssg-file_groupownership_sshd_private_key_action:testaction:1 - - Configure Polyinstantiation of /var/tmp Directories + + Ensure PAM Enforces Password Requirements - Minimum Special Characters - ocil:ssg-accounts_polyinstantiated_var_tmp_action:testaction:1 + ocil:ssg-accounts_password_pam_ocredit_action:testaction:1 - - Disable DHCP 
Client in ifcfg - - ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1 - - - - Enable the xend_run_qemu SELinux Boolean + + Disable the httpd_enable_ftp_server SELinux Boolean - ocil:ssg-sebool_xend_run_qemu_action:testaction:1 + ocil:ssg-sebool_httpd_enable_ftp_server_action:testaction:1 - - Disable the sge_use_nfs SELinux Boolean + + Record Unsuccessful Permission Changes to Files - fremovexattr - ocil:ssg-sebool_sge_use_nfs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1 - - Uninstall setroubleshoot-server Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - fchown + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Disable the cluster_manage_all_files SELinux Boolean + + MIME types for csh or sh shell programs must be disabled - ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1 + ocil:ssg-httpd_disable_mime_types_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + + Configure Sending and Accepting Shared Media Redirects by Default - ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_action:testaction:1 - - Add noexec Option to /var/log + + Disable the virt_use_nfs SELinux Boolean - ocil:ssg-mount_option_var_log_noexec_action:testaction:1 + ocil:ssg-sebool_virt_use_nfs_action:testaction:1 - - Install rng-tools Package + + Verify Group Ownership of System Login Banner for Remote Connections - ocil:ssg-package_rng-tools_installed_action:testaction:1 + ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1 - - Enforce 
usage of pam_wheel for su authentication + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-use_pam_wheel_for_su_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Ensure that /etc/at.deny does not exist + + Randomize the kernel memory sections - ocil:ssg-file_at_deny_not_exist_action:testaction:1 + ocil:ssg-kernel_config_randomize_memory_action:testaction:1 - - Disable the saslauthd_read_shadow SELinux Boolean + + Disable the zabbix_can_network SELinux Boolean - ocil:ssg-sebool_saslauthd_read_shadow_action:testaction:1 + ocil:ssg-sebool_zabbix_can_network_action:testaction:1 - - Disable the httpd_can_network_relay SELinux Boolean + + Record Unsuccessful Permission Changes to Files - lsetxattr - ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1 - - Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + + Enable SSH Warning Banner - ocil:ssg-audit_rules_sudoers_d_action:testaction:1 + ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1 - - Disable Kernel Image Loading + + Ensure All Accounts on the System Have Unique Names - ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1 + ocil:ssg-account_unique_name_action:testaction:1 - - Uninstall abrt-plugin-rhtsupport Package + + Uninstall talk-server Package - ocil:ssg-package_abrt-plugin-rhtsupport_removed_action:testaction:1 + ocil:ssg-package_talk-server_removed_action:testaction:1 - - Enable GSSAPI Authentication + + Enable the NTP Daemon - ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1 + ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1 - - User Initialization Files Must Be Group-Owned By The Primary Group + + Configure the selinuxuser_direct_dri_enabled SELinux Boolean - ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1 + ocil:ssg-sebool_selinuxuser_direct_dri_enabled_action:testaction:1 - - Enable the 
GNOME3 Login Smartcard Authentication + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Disable Network Router Discovery Daemon (rdisc) + + Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server - ocil:ssg-service_rdisc_disabled_action:testaction:1 + ocil:ssg-sssd_ldap_configure_tls_reqcert_action:testaction:1 - - Verify and Correct File Permissions with RPM + + Enable Transport Layer Security (TLS) Encryption - ocil:ssg-rpm_verify_permissions_action:testaction:1 + ocil:ssg-httpd_configure_tls_action:testaction:1 - - Disable Bluetooth Service + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces - ocil:ssg-service_bluetooth_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_max_addresses_action:testaction:1 - - Ensure All Files Are Owned by a Group + + Make the auditd Configuration Immutable - ocil:ssg-file_permissions_ungroupowned_action:testaction:1 + ocil:ssg-audit_rules_immutable_action:testaction:1 - - Verify Group Ownership of System Login Banner for Remote Connections + + Enable the postgresql_selinux_users_ddl SELinux Boolean - ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1 + ocil:ssg-sebool_postgresql_selinux_users_ddl_action:testaction:1 - - Randomize slab freelist + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-kernel_config_slab_freelist_random_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Enable authselect + + Disable the ksmtuned_use_nfs SELinux Boolean - ocil:ssg-enable_authselect_action:testaction:1 + ocil:ssg-sebool_ksmtuned_use_nfs_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Add nodev Option to /boot - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-mount_option_boot_nodev_action:testaction:1 - - Enable page 
allocator poisoning + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size - ocil:ssg-grub2_page_poison_argument_action:testaction:1 + ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1 - - Configure tmux to lock session after inactivity + + Ensure auditd Collects System Administrator Actions - /etc/sudoers - ocil:ssg-configure_tmux_lock_after_time_action:testaction:1 + ocil:ssg-audit_rules_sudoers_action:testaction:1 - - Set GNOME3 Screensaver Inactivity Timeout + + Add noexec Option to /var/log/audit - ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1 + ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1 - - Remove tftp Daemon + + Ensure Sudo Logfile Exists - sudo logfile - ocil:ssg-package_tftp_removed_action:testaction:1 + ocil:ssg-sudo_custom_logfile_action:testaction:1 - - Ensure tftp Daemon Uses Secure Mode + + Ensure /dev/shm is configured - ocil:ssg-tftpd_uses_secure_mode_action:testaction:1 + ocil:ssg-partition_for_dev_shm_action:testaction:1 - - Ensure Rsyslog Encrypts Off-Loaded Audit Records + + Perform general configuration of Audit for OSPP - ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_action:testaction:1 + ocil:ssg-audit_ospp_general_action:testaction:1 - - Ensure invoking users password for privilege escalation when using sudo + + Set Lockout Time for Failed Password Attempts - ocil:ssg-sudoers_validate_passwd_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1 - - Require Re-Authentication When Using the sudo Command + + Ensure All Accounts on the System Have Unique User IDs - ocil:ssg-sudo_require_reauthentication_action:testaction:1 + ocil:ssg-account_unique_id_action:testaction:1 - - Ensure All World-Writable Directories Are Owned by root User + + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters - ocil:ssg-dir_perms_world_writable_root_owned_action:testaction:1 + 
ocil:ssg-accounts_password_pam_lcredit_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Disable the authlogin_yubikey SELinux Boolean - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-sebool_authlogin_yubikey_action:testaction:1 - - Audit Configuration Files Must Be Owned By Root + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default - ocil:ssg-file_ownership_audit_configuration_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr_action:testaction:1 - - IOMMU configuration directive + + Disable WIFI Network Connection Creation in GNOME3 - ocil:ssg-grub2_enable_iommu_force_action:testaction:1 + ocil:ssg-dconf_gnome_disable_wifi_create_action:testaction:1 - - Configure auditing of successful ownership changes + + Set Permissions on All Configuration Files Inside /etc/httpd/conf/ - ocil:ssg-audit_owner_change_success_action:testaction:1 + ocil:ssg-file_permissions_httpd_server_conf_files_action:testaction:1 - - Set the UEFI Boot Loader Admin Username to a Non-Default Value + + Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE - ocil:ssg-grub2_uefi_admin_username_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 - - Ensure SELinux is Not Disabled + + Ensure only owner and members of group owner of /usr/bin/sudo can execute it - ocil:ssg-selinux_not_disabled_action:testaction:1 + ocil:ssg-sudo_restrict_others_executable_permission_action:testaction:1 - - Record Events that Modify User/Group Information + + Disable the httpd_dbus_sssd SELinux Boolean - ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 + ocil:ssg-sebool_httpd_dbus_sssd_action:testaction:1 - - Make the kernel text and rodata read-only + + Require Re-Authentication When Using the sudo Command - ocil:ssg-kernel_config_strict_kernel_rwx_action:testaction:1 + 
ocil:ssg-sudo_require_reauthentication_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Disable snmpd Service - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-service_snmpd_disabled_action:testaction:1 - - Disable the named_write_master_zones SELinux Boolean + + Disable Kernel iwlwifi Module - ocil:ssg-sebool_named_write_master_zones_action:testaction:1 + ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1 - - Enable SLUB/SLAB allocator poisoning + + Configure auditing of successful file creations - ocil:ssg-grub2_slub_debug_argument_action:testaction:1 + ocil:ssg-audit_create_success_action:testaction:1 - - Enable auditd Service + + Verify Permissions on /etc/cron.allow file - ocil:ssg-service_auditd_enabled_action:testaction:1 + ocil:ssg-file_permissions_cron_allow_action:testaction:1 - - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot + + Verify No .forward Files Exist - ocil:ssg-sudo_add_ignore_dot_action:testaction:1 + ocil:ssg-no_forward_files_action:testaction:1 - - Configure the selinuxuser_direct_dri_enabled SELinux Boolean + + Verify Group Who Owns /var/log/syslog File - ocil:ssg-sebool_selinuxuser_direct_dri_enabled_action:testaction:1 + ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1 - - Disable the httpd_setrlimit SELinux Boolean + + Disable Accepting ICMP Redirects for All IPv6 Interfaces - ocil:ssg-sebool_httpd_setrlimit_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1 - - Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems + + Record Unsuccessful Permission Changes to Files - fchmod - ocil:ssg-configured_firewalld_default_deny_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1 - - Configure Kernel Parameter for Accepting Secure Redirects By Default + + Disable storing core dump - 
ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 + ocil:ssg-coredump_disable_storage_action:testaction:1 - - Harden common str/mem functions against buffer overflows + + Disable the samba_load_libgfapi SELinux Boolean - ocil:ssg-kernel_config_fortify_source_action:testaction:1 + ocil:ssg-sebool_samba_load_libgfapi_action:testaction:1 - - Record Any Attempts to Run setfiles + + Configure L1 Terminal Fault mitigations - ocil:ssg-audit_rules_execution_setfiles_action:testaction:1 + ocil:ssg-grub2_l1tf_argument_action:testaction:1 - - Ensure Log Files Are Owned By Appropriate User + + Prefer to use a 64-bit Operating System when supported - ocil:ssg-rsyslog_files_ownership_action:testaction:1 + ocil:ssg-prefer_64bit_os_action:testaction:1 - - Enable SSH Warning Banner + + Disable the haproxy_connect_any SELinux Boolean - ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1 + ocil:ssg-sebool_haproxy_connect_any_action:testaction:1 - - Allow Only SSH Protocol 2 + + Verify Owner on cron.hourly - ocil:ssg-sshd_allow_only_protocol2_action:testaction:1 + ocil:ssg-file_owner_cron_hourly_action:testaction:1 - - Add grpquota Option to /home + + Disable the samba_share_fusefs SELinux Boolean - ocil:ssg-mount_option_home_grpquota_action:testaction:1 + ocil:ssg-sebool_samba_share_fusefs_action:testaction:1 - - Verify User Who Owns gshadow File + + Disable the sanlock_use_samba SELinux Boolean - ocil:ssg-file_owner_etc_gshadow_action:testaction:1 + ocil:ssg-sebool_sanlock_use_samba_action:testaction:1 - - Ensure SELinux Not Disabled in zIPL + + Configure auditd Number of Logs Retained - ocil:ssg-zipl_enable_selinux_action:testaction:1 + ocil:ssg-auditd_data_retention_num_logs_action:testaction:1 - - Disable the git_session_users SELinux Boolean + + Configure Certificate Directives for LDAP Use of TLS - ocil:ssg-sebool_git_session_users_action:testaction:1 + ocil:ssg-ldap_client_tls_cacertpath_action:testaction:1 - - Add noexec Option to /tmp + + 
Uninstall abrt-cli Package - ocil:ssg-mount_option_tmp_noexec_action:testaction:1 + ocil:ssg-package_abrt-cli_removed_action:testaction:1 - - Enable the File Access Policy Service + + Disable network management of chrony daemon - ocil:ssg-service_fapolicyd_enabled_action:testaction:1 + ocil:ssg-chronyd_no_chronyc_network_action:testaction:1 - - Disable the staff_use_svirt SELinux Boolean + + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly - ocil:ssg-sebool_staff_use_svirt_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1 - - Require modules to be validly signed + + Disable the openshift_use_nfs SELinux Boolean - ocil:ssg-kernel_config_module_sig_force_action:testaction:1 + ocil:ssg-sebool_openshift_use_nfs_action:testaction:1 - - Disable the openvpn_can_network_connect SELinux Boolean + + Uninstall abrt-plugin-sosreport Package - ocil:ssg-sebool_openvpn_can_network_connect_action:testaction:1 + ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1 - - Uninstall geolite2-city Package + + Disable anacron Service - ocil:ssg-package_geolite2-city_removed_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + + Disable the domain_kernel_load_modules SELinux Boolean - ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1 + ocil:ssg-sebool_domain_kernel_load_modules_action:testaction:1 - - Set the GNOME3 Login Warning Banner Text + + Record Successful Ownership Changes to Files - lchown - 
ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_lchown_action:testaction:1 - - Disable Automatic Bug Reporting Tool (abrtd) + + Include Local Events in Audit Logs - ocil:ssg-service_abrtd_disabled_action:testaction:1 + ocil:ssg-auditd_local_events_action:testaction:1 - - Disable the swift_can_network SELinux Boolean + + Configure maximum number of process identifiers - ocil:ssg-sebool_swift_can_network_action:testaction:1 + ocil:ssg-sysctl_kernel_pid_max_action:testaction:1 - - Disable the uvcvideo module + + Disable Geolocation in GNOME3 - ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_geolocation_action:testaction:1 - - Uninstall talk Package + + Account Lockouts Must Be Logged - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_audit_action:testaction:1 - - Verify Group Who Owns cron.daily + + Do Not Show System Messages When Unsuccessful Logon Attempts Occur - ocil:ssg-file_groupowner_cron_daily_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_silent_action:testaction:1 - - Specify a Remote NTP Server + + Disable Kernel mac80211 Module - ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1 + ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo + + Disable the smartmon_3ware SELinux Boolean - ocil:ssg-sudo_require_authentication_action:testaction:1 + ocil:ssg-sebool_smartmon_3ware_action:testaction:1 - - Disable IPv6 Addressing on IPv6 Interfaces by Default + + Disable the conman_can_network SELinux Boolean - ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_action:testaction:1 + ocil:ssg-sebool_conman_can_network_action:testaction:1 - - Enable the logging_syslogd_use_tty SELinux Boolean + + Disable the glance_use_fusefs SELinux Boolean - ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1 + 
ocil:ssg-sebool_glance_use_fusefs_action:testaction:1 - - Perform general configuration of Audit for OSPP + + Enable Certmap in SSSD - ocil:ssg-audit_ospp_general_action:testaction:1 + ocil:ssg-sssd_enable_certmap_action:testaction:1 - - Configure Certificate Directives for LDAP Use of TLS + + Configure GNOME3 DConf User Profile - ocil:ssg-ldap_client_tls_cacertpath_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure yum Removes Previous Package Versions - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) + + Enable the selinuxuser_ping SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 + ocil:ssg-sebool_selinuxuser_ping_action:testaction:1 - - Add noauto Option to /boot + + Configure the httpd_enable_cgi SELinux Boolean - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-sebool_httpd_enable_cgi_action:testaction:1 - - Disable the httpd_use_cifs SELinux Boolean + + Disable GNOME3 Automounting - ocil:ssg-sebool_httpd_use_cifs_action:testaction:1 + ocil:ssg-dconf_gnome_disable_automount_action:testaction:1 - - Record Successful Delete Attempts to Files - unlink + + Record Successful Delete Attempts to Files - rename - ocil:ssg-audit_rules_successful_file_modification_unlink_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_rename_action:testaction:1 - - Uninstall rpcbind Package + + Enable SLUB/SLAB allocator poisoning in zIPL - ocil:ssg-package_rpcbind_removed_action:testaction:1 + ocil:ssg-zipl_slub_debug_argument_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - rmdir + + Disable the selinuxuser_use_ssh_chroot SELinux Boolean - ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1 + 
ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 - - Disable the dbadm_manage_user_files SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - postdrop - ocil:ssg-sebool_dbadm_manage_user_files_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1 - - Set Default ip6tables Policy for Incoming Packets + + Verify that audit tools are owned by group root - ocil:ssg-set_ip6tables_default_rule_action:testaction:1 + ocil:ssg-file_groupownership_audit_binaries_action:testaction:1 - - Disable the gluster_export_all_ro SELinux Boolean + + Harden the operation of the BPF just-in-time compiler - ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1 + ocil:ssg-sysctl_net_core_bpf_jit_harden_action:testaction:1 - - Add nodev Option to /var/log + + Add nosuid Option to /var - ocil:ssg-mount_option_var_log_nodev_action:testaction:1 + ocil:ssg-mount_option_var_nosuid_action:testaction:1 - - Disable the logging_syslogd_run_nagios_plugins SELinux Boolean + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-sebool_logging_syslogd_run_nagios_plugins_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Disable the ftpd_use_cifs SELinux Boolean + + Record Events When Executables Are Run As Another User - ocil:ssg-sebool_ftpd_use_cifs_action:testaction:1 + ocil:ssg-audit_rules_suid_auid_privilege_function_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + 
ocil:ssg-sebool_polipo_session_bind_all_unreserved_ports_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - creat + + Set Password Minimum Length in login.defs - ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 + ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1 - - Require Client SMB Packet Signing, if using mount.cifs + + Ensure PAM password complexity module is enabled in system-auth - ocil:ssg-mount_option_smb_client_signing_action:testaction:1 + ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Digit Characters + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-accounts_password_pam_dcredit_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Disable the saslauthd_read_shadow SELinux Boolean - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-sebool_saslauthd_read_shadow_action:testaction:1 - - Specify a Remote NTP Server + + Disable Portreserve (portreserve) - ocil:ssg-ntpd_specify_remote_server_action:testaction:1 + ocil:ssg-service_portreserve_disabled_action:testaction:1 - - Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 - - Disable network management of chrony daemon + + Verify Group Who Owns passwd File - ocil:ssg-chronyd_no_chronyc_network_action:testaction:1 + ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 - - Configure OpenSSL library to use System Crypto Policy + + Configure SSSD to Expire SSH Known Hosts - ocil:ssg-configure_openssl_crypto_policy_action:testaction:1 + ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1 - - Ensure 
auditd Collects Information on the Use of Privileged Commands - sudo + + Ensure gnutls-utils is installed - ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 + ocil:ssg-package_gnutls-utils_installed_action:testaction:1 - - Install dnf-automatic Package + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_dnf-automatic_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Mount Remote Filesystems with Kerberos Security + + Uninstall Automatic Bug Reporting Tool (abrt) - ocil:ssg-mount_option_krb_sec_remote_filesystems_action:testaction:1 + ocil:ssg-package_abrt_removed_action:testaction:1 - - Disable the ksmtuned_use_cifs SELinux Boolean + + Disable Accepting Packets Routed Between Local Interfaces - ocil:ssg-sebool_ksmtuned_use_cifs_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_action:testaction:1 - - Verify Permissions on passwd File + + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly - ocil:ssg-file_permissions_etc_passwd_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1 - - Disable the httpd_enable_homedirs SELinux Boolean + + Record Successful Access Attempts to Files - open_by_handle_at - ocil:ssg-sebool_httpd_enable_homedirs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_action:testaction:1 - - Configure auditd Max Log File Size + + Add noexec Option to /home - ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1 + ocil:ssg-mount_option_home_noexec_action:testaction:1 - - Ensure Logs Sent To Remote Host + + Set Password Maximum Age - ocil:ssg-rsyslog_remote_loghost_action:testaction:1 + ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 - - Verify Group Who Owns gshadow File + + All Interactive User Home Directories Must Be Owned By The Primary User - ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 + 
ocil:ssg-file_ownership_home_directories_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Limit Password Reuse: password-auth - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-accounts_password_pam_pwhistory_remember_password_auth_action:testaction:1 - - Enable HTTPD Error Logging + + Ensure debug-shell service is not enabled in zIPL - ocil:ssg-httpd_enable_error_logging_action:testaction:1 + ocil:ssg-zipl_systemd_debug-shell_argument_absent_action:testaction:1 - - Disable the selinuxuser_share_music SELinux Boolean + + Install policycoreutils Package - ocil:ssg-sebool_selinuxuser_share_music_action:testaction:1 + ocil:ssg-package_policycoreutils_installed_action:testaction:1 - - Configure A Valid Server Certificate + + Ensure auditd Collects File Deletion Events by User - renameat - ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1 - - Specify the hash to use when signing modules + + Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE - ocil:ssg-kernel_config_module_sig_hash_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 - - Verify and Correct Ownership with RPM + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces - ocil:ssg-rpm_verify_ownership_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo_action:testaction:1 - - Configure auditd flush priority + + Enable the kerberos_enabled SELinux Boolean - ocil:ssg-auditd_data_retention_flush_action:testaction:1 + ocil:ssg-sebool_kerberos_enabled_action:testaction:1 - - Ensure /srv Located On Separate Partition + + Deactivate Wireless Network Interfaces - ocil:ssg-partition_for_srv_action:testaction:1 + ocil:ssg-wireless_disable_interfaces_action:testaction:1 - - Enable the virt_sandbox_use_audit SELinux Boolean + + Verify iptables 
Enabled - ocil:ssg-sebool_virt_sandbox_use_audit_action:testaction:1 + ocil:ssg-service_iptables_enabled_action:testaction:1 - - Set Interactive Session Timeout + + Add nosuid Option to Removable Media Partitions - ocil:ssg-accounts_tmout_action:testaction:1 + ocil:ssg-mount_option_nosuid_removable_partitions_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + + Disable the git_session_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 + ocil:ssg-sebool_git_session_bind_all_unreserved_ports_action:testaction:1 - - Ensure journald is configured to send logs to rsyslog + + Disable the ftpd_full_access SELinux Boolean - ocil:ssg-journald_forward_to_syslog_action:testaction:1 + ocil:ssg-sebool_ftpd_full_access_action:testaction:1 - - Disable GNOME3 Automounting + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default - ocil:ssg-dconf_gnome_disable_automount_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_router_solicitations_action:testaction:1 - - Uninstall ypserv Package + + Disable the selinuxuser_rw_noexattrfile SELinux Boolean - ocil:ssg-package_ypserv_removed_action:testaction:1 + ocil:ssg-sebool_selinuxuser_rw_noexattrfile_action:testaction:1 - - Uninstall krb5-workstation Package + + Disable Dovecot Service - ocil:ssg-package_krb5-workstation_removed_action:testaction:1 + ocil:ssg-service_dovecot_disabled_action:testaction:1 - - Verify User Who Owns Backup passwd File + + Enforce usage of pam_wheel for su authentication - ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Disable XDMCP in GDM + + Uninstall Samba Package - ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1 + ocil:ssg-package_samba_removed_action:testaction:1 - - Enable ExecShield via sysctl + + Disable the httpd_use_fusefs SELinux Boolean - 
ocil:ssg-sysctl_kernel_exec_shield_action:testaction:1 + ocil:ssg-sebool_httpd_use_fusefs_action:testaction:1 - - Verify All Account Password Hashes are Shadowed with SHA512 + + Configure file name of core dumps - ocil:ssg-accounts_password_all_shadowed_sha512_action:testaction:1 + ocil:ssg-sysctl_kernel_core_uses_pid_action:testaction:1 - - Enable Kernel Parameter to Enforce DAC on Symlinks + + Verify that System Executable Have Root Ownership - ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 + ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Install iptables-services Package - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-package_iptables-services_installed_action:testaction:1 - - Verify Permissions on /var/log Directory + + Ensure rsyncd service is disabled - ocil:ssg-file_permissions_var_log_action:testaction:1 + ocil:ssg-service_rsyncd_disabled_action:testaction:1 - - Record Events that Modify the System's Network Environment + + Backup interactive scripts on the production web server are prohibited - ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 + ocil:ssg-httpd_remove_backups_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Verify Group Ownership on SSH Server Public *.pub Key Files - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-file_groupownership_sshd_pub_key_action:testaction:1 - - Configure Notification of Post-AIDE Scan Details + + Add nodev Option to Non-Root Local Partitions - ocil:ssg-aide_scan_notification_action:testaction:1 + ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 - - Disable Bluetooth Kernel Module + + Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config - ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1 + ocil:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy_action:testaction:1 - - 
Disable the piranha_lvs_can_network_connect SELinux Boolean + + Record Successful Permission Changes to Files - fsetxattr - ocil:ssg-sebool_piranha_lvs_can_network_connect_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 - - Disable the selinuxuser_udp_server SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount - ocil:ssg-sebool_selinuxuser_udp_server_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1 - - Add hidepid Option to /proc + + Disable the git_cgi_enable_homedirs SELinux Boolean - ocil:ssg-mount_option_proc_hidepid_action:testaction:1 + ocil:ssg-sebool_git_cgi_enable_homedirs_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open O_CREAT + + Verify that system commands files are group owned by root or a system account - ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1 + ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1 - - Disable the httpd_tty_comm SELinux Boolean + + Configure Error Log Format - ocil:ssg-sebool_httpd_tty_comm_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Verify Group Who Owns cron.d + + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments - ocil:ssg-file_groupowner_cron_d_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/passwd + + Set LogLevel to INFO - ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 + ocil:ssg-sshd_set_loglevel_info_action:testaction:1 - - Disable Modprobe Loading of USB Storage Driver + + Harden OpenSSL Crypto Policy - ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1 + ocil:ssg-harden_openssl_crypto_policy_action:testaction:1 - - Verify No .forward Files Exist + + Disable the exim_read_user_files SELinux Boolean - 
ocil:ssg-no_forward_files_action:testaction:1 + ocil:ssg-sebool_exim_read_user_files_action:testaction:1 - - Configure auditd max_log_file_action Upon Reaching Maximum Log Size + + Verify and Correct Ownership with RPM - ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1 + ocil:ssg-rpm_verify_ownership_action:testaction:1 - - Verify ownership of System Login Banner + + Uninstall tftp-server Package - ocil:ssg-file_owner_etc_issue_action:testaction:1 + ocil:ssg-package_tftp-server_removed_action:testaction:1 - - Verify /boot/grub2/grub.cfg Group Ownership + + Add nodev Option to /var/log/audit - ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1 + ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1 - - Extend Audit Backlog Limit for the Audit Daemon + + Disable the deny_ptrace SELinux Boolean - ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 + ocil:ssg-sebool_deny_ptrace_action:testaction:1 - - Disable Certmonger Service (certmonger) + + Disable the kdumpgui_run_bootloader SELinux Boolean - ocil:ssg-service_certmonger_disabled_action:testaction:1 + ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - lchown + + Disable kexec system call - ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1 + ocil:ssg-kernel_config_kexec_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab + + Disable the xdm_bind_vnc_tcp_port SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 + ocil:ssg-sebool_xdm_bind_vnc_tcp_port_action:testaction:1 - - Ensure IPv6 is disabled through kernel boot parameter + + Set SSH Daemon LogLevel to VERBOSE - ocil:ssg-grub2_ipv6_disable_argument_action:testaction:1 + ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1 - - Ensure gnutls-utils is installed + + Set Up a Private Namespace in PAM Configuration - 
ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-enable_pam_namespace_action:testaction:1 - - Enable dnf-automatic Timer + + Disable the collectd_tcp_network_connect SELinux Boolean - ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1 + ocil:ssg-sebool_collectd_tcp_network_connect_action:testaction:1 - - Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + + Disable the mozilla_read_content SELinux Boolean - ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 + ocil:ssg-sebool_mozilla_read_content_action:testaction:1 - - Disable the exim_read_user_files SELinux Boolean + + SSH client uses strong entropy to seed (Bash-like shells) - ocil:ssg-sebool_exim_read_user_files_action:testaction:1 + ocil:ssg-ssh_client_use_strong_rng_sh_action:testaction:1 - - Enable rsyslog Service + + Enable Encrypted X11 Forwarding - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1 - - Account Lockouts Must Persist + + Install Smart Card Packages For Multifactor Authentication - ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1 + ocil:ssg-install_smartcard_packages_action:testaction:1 - - Set Password Minimum Age + + Configure SSSD LDAP Backend Client CA Certificate Location - ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 + ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1 - - Verify Group Who Owns cron.weekly + + Ensure auditd Collects File Deletion Events by User - unlink - ocil:ssg-file_groupowner_cron_weekly_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1 - - Enable the postfix_local_write_mail_spool SELinux Boolean + + Verify User Who Owns shadow File - ocil:ssg-sebool_postfix_local_write_mail_spool_action:testaction:1 + ocil:ssg-file_owner_etc_shadow_action:testaction:1 - - Uninstall geolite2-country Package + + Configure Speculative Store Bypass Mitigation - 
ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_spec_store_bypass_disable_argument_action:testaction:1 - - All Interactive Users Must Have A Home Directory Defined + + Disable SCTP Support - ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1 + ocil:ssg-kernel_module_sctp_disabled_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Disable the ksmtuned_use_cifs SELinux Boolean - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-sebool_ksmtuned_use_cifs_action:testaction:1 - - Disable the fenced_can_ssh SELinux Boolean + + User Initialization Files Must Be Owned By the Primary User - ocil:ssg-sebool_fenced_can_ssh_action:testaction:1 + ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/gshadow + + Disable the irc_use_any_tcp_ports SELinux Boolean - ocil:ssg-audit_rules_etc_gshadow_open_action:testaction:1 + ocil:ssg-sebool_irc_use_any_tcp_ports_action:testaction:1 - - Create Warning Banners for All FTP Users - - ocil:ssg-ftp_present_banner_action:testaction:1 - - - - Disable core dump backtraces + + Audit Tools Must Be Group-owned by Root - ocil:ssg-coredump_disable_backtraces_action:testaction:1 + ocil:ssg-file_audit_tools_group_ownership_action:testaction:1 - - Install systemd-journal-remote Package + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - ocil:ssg-package_systemd-journal-remote_installed_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 - - Disable SCTP Support + + Emulate Privileged Access Never (PAN) - ocil:ssg-kernel_module_sctp_disabled_action:testaction:1 + ocil:ssg-kernel_config_arm64_sw_ttbr0_pan_action:testaction:1 - - Disable the git_system_enable_homedirs SELinux Boolean + + Record Unsuccessful Access Attempts to Files - ftruncate - 
ocil:ssg-sebool_git_system_enable_homedirs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters + + Ensure iptables Firewall Rules Exist for All Open Ports - ocil:ssg-accounts_password_pam_lcredit_action:testaction:1 + ocil:ssg-iptables_rules_for_open_ports_action:testaction:1 - - Disable the gpg_web_anon_write SELinux Boolean + + Uninstall nginx Package - ocil:ssg-sebool_gpg_web_anon_write_action:testaction:1 + ocil:ssg-package_nginx_removed_action:testaction:1 - - Install AIDE + + Disable Kernel cfg80211 Module - ocil:ssg-package_aide_installed_action:testaction:1 + ocil:ssg-kernel_module_cfg80211_disabled_action:testaction:1 - - Disable the xdm_write_home SELinux Boolean + + Install the cron service - ocil:ssg-sebool_xdm_write_home_action:testaction:1 + ocil:ssg-package_cron_installed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - kmod + + Install the tmux Package - ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Ensure System is Not Acting as a Network Sniffer + + Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ - ocil:ssg-network_sniffer_disabled_action:testaction:1 + ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1 - - Set Permissions on the /etc/httpd/conf/ Directory + + Verify User Who Owns Backup shadow File - ocil:ssg-dir_perms_etc_httpd_conf_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1 - - Disable User Administration in GNOME3 + + Ensure auditd Collects File Deletion Events by User - rmdir - ocil:ssg-dconf_gnome_disable_user_admin_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1 - - Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + + Enable the 
login_console_enabled SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1 + ocil:ssg-sebool_login_console_enabled_action:testaction:1 - - Disable tftp Service + + Ensure all users last password change date is in the past - ocil:ssg-service_tftp_disabled_action:testaction:1 + ocil:ssg-accounts_password_last_change_is_in_past_action:testaction:1 - - Ensure sudo only includes the default configuration directory + + Record Successful Delete Attempts to Files - unlinkat - ocil:ssg-sudoers_default_includedir_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_unlinkat_action:testaction:1 - - Disable the openvpn_run_unconfined SELinux Boolean + + Disable xinetd Service - ocil:ssg-sebool_openvpn_run_unconfined_action:testaction:1 + ocil:ssg-service_xinetd_disabled_action:testaction:1 - - Ensure yum Removes Previous Package Versions + + Use zero for poisoning instead of debugging value - ocil:ssg-clean_components_post_updating_action:testaction:1 + ocil:ssg-kernel_config_page_poisoning_zero_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands + + Verify Ownership on SSH Server Private *_key Key Files - ocil:ssg-audit_rules_privileged_commands_action:testaction:1 + ocil:ssg-file_ownership_sshd_private_key_action:testaction:1 - - Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Disable Kernel Parameter for IPv6 Forwarding - ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1 - - Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server + + Verify nftables Service is Disabled - ocil:ssg-rsyslog_nolisten_action:testaction:1 + ocil:ssg-service_nftables_disabled_action:testaction:1 - - Ensure there are no legacy + NIS entries in /etc/shadow + + Strong Stack Protector - 
ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1 + ocil:ssg-kernel_config_stackprotector_strong_action:testaction:1 - - Ensure LDAP client is not installed + + Enable the postfix_local_write_mail_spool SELinux Boolean - ocil:ssg-package_openldap-clients_removed_action:testaction:1 + ocil:ssg-sebool_postfix_local_write_mail_spool_action:testaction:1 - - Disable the httpd_use_openstack SELinux Boolean + + Enable HTTPD Error Logging - ocil:ssg-sebool_httpd_use_openstack_action:testaction:1 + ocil:ssg-httpd_enable_error_logging_action:testaction:1 - - All Interactive User Home Directories Must Have mode 0750 Or Less Permissive + + Uninstall rpcbind Package - ocil:ssg-file_permissions_home_directories_action:testaction:1 + ocil:ssg-package_rpcbind_removed_action:testaction:1 - - Set kernel parameter 'crypto.fips_enabled' to 1 + + Disable the virt_use_comm SELinux Boolean - ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1 + ocil:ssg-sebool_virt_use_comm_action:testaction:1 - - Verify that System Executable Directories Have Restrictive Permissions + + Disable At Service (atd) - ocil:ssg-dir_permissions_binary_dirs_action:testaction:1 + ocil:ssg-service_atd_disabled_action:testaction:1 - - Disable the cron_can_relabel SELinux Boolean + + Verify Group Who Owns group File - ocil:ssg-sebool_cron_can_relabel_action:testaction:1 + ocil:ssg-file_groupowner_etc_group_action:testaction:1 - - Verify Permissions on cron.d + + Limit the Number of Concurrent Login Sessions Allowed Per User - ocil:ssg-file_permissions_cron_d_action:testaction:1 + ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 - - Configure Firewalld to Use the Nftables Backend + + Disable the puppetmaster_use_db SELinux Boolean - ocil:ssg-firewalld-backend_action:testaction:1 + ocil:ssg-sebool_puppetmaster_use_db_action:testaction:1 - - An SELinux Context must be configured for the pam_faillock.so records directory + + Avoid speculative indirect branches in kernel - 
ocil:ssg-account_password_selinux_faillock_dir_action:testaction:1 + ocil:ssg-kernel_config_retpoline_action:testaction:1 - - The web server password(s) must be entrusted to the SA or Web Manager + + A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension - ocil:ssg-httpd_entrust_passwords_action:testaction:1 + ocil:ssg-httpd_nipr_accredited_dmz_action:testaction:1 - - Disable the mozilla_plugin_use_gps SELinux Boolean + + Set Daemon Umask - ocil:ssg-sebool_mozilla_plugin_use_gps_action:testaction:1 + ocil:ssg-umask_for_daemons_action:testaction:1 - - Verify Ownership on SSH Server Public *.pub Key Files + + Disable the fcron_crond SELinux Boolean - ocil:ssg-file_ownership_sshd_pub_key_action:testaction:1 + ocil:ssg-sebool_fcron_crond_action:testaction:1 - - Verify Permissions on Backup gshadow File + + Disable the virt_use_fusefs SELinux Boolean - ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1 + ocil:ssg-sebool_virt_use_fusefs_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - open + + Disable tftp Service - ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 + ocil:ssg-service_tftp_disabled_action:testaction:1 - - Disable the zoneminder_run_sudo SELinux Boolean + + Verify Group Who Owns cron.daily - ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1 + ocil:ssg-file_groupowner_cron_daily_action:testaction:1 - - Add nosuid Option to Removable Media Partitions + + Ensure Chrony is only configured with the server directive - ocil:ssg-mount_option_nosuid_removable_partitions_action:testaction:1 + ocil:ssg-chronyd_server_directive_action:testaction:1 - - Disable the polipo_use_cifs SELinux Boolean + + Disable httpd Service - ocil:ssg-sebool_polipo_use_cifs_action:testaction:1 + ocil:ssg-service_httpd_disabled_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + + Disable Kernel Image Loading - 
ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1 + ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1 - - Ensure sudo umask is appropriate - sudo umask + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - ocil:ssg-sudo_add_umask_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 - - Enable the USBGuard Service + + Verify Group Ownership of System Login Banner - ocil:ssg-service_usbguard_enabled_action:testaction:1 + ocil:ssg-file_groupowner_etc_issue_action:testaction:1 - - Configure Backups of User Data + + Disable the httpd_anon_write SELinux Boolean - ocil:ssg-configure_user_data_backups_action:testaction:1 + ocil:ssg-sebool_httpd_anon_write_action:testaction:1 - - Disable the httpd_use_fusefs SELinux Boolean + + Disable the named_write_master_zones SELinux Boolean - ocil:ssg-sebool_httpd_use_fusefs_action:testaction:1 + ocil:ssg-sebool_named_write_master_zones_action:testaction:1 - - Disable the use_nfs_home_dirs SELinux Boolean + + Disable All GNOME3 Thumbnailers - ocil:ssg-sebool_use_nfs_home_dirs_action:testaction:1 + ocil:ssg-dconf_gnome_disable_thumbnailers_action:testaction:1 - - Boot Loader Is Not Installed On Removeable Media + + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - ocil:ssg-grub2_no_removeable_media_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_tcp_rfc1337_action:testaction:1 - - Require Authentication for Single User Mode + + Verify All Account Password Hashes are Shadowed - ocil:ssg-require_singleuser_auth_action:testaction:1 + ocil:ssg-accounts_password_all_shadowed_action:testaction:1 - - Remove Rsh Trust Files + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap - ocil:ssg-no_rsh_trust_files_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1 - - User Initialization Files Must Be Owned By the Primary User + + Ensure cron Is Logging To Rsyslog - 
ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1 + ocil:ssg-rsyslog_cron_logging_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify Group Who Owns cron.monthly - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-file_groupowner_cron_monthly_action:testaction:1 - - Record Attempts to Alter Logon and Logout Events - faillock + + Disable the cron_can_relabel SELinux Boolean - ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 + ocil:ssg-sebool_cron_can_relabel_action:testaction:1 - - Disable Ctrl-Alt-Del Reboot Activation + + Ensure auditd Collects Information on the Use of Privileged Commands - kmod - ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1 - - Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces + + Enable the logging_syslogd_use_tty SELinux Boolean - ocil:ssg-sysctl_net_ipv4_tcp_rfc1337_action:testaction:1 + ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1 - - Disable the daemons_use_tty SELinux Boolean + + Install the Policy Auditor (PA) Module - ocil:ssg-sebool_daemons_use_tty_action:testaction:1 + ocil:ssg-install_mcafee_hbss_pa_action:testaction:1 - - Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Disable the tftp_anon_write SELinux Boolean - ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 + ocil:ssg-sebool_tftp_anon_write_action:testaction:1 - - Ensure Logrotate Runs Periodically + + Disable the xserver_clients_write_xshm SELinux Boolean - ocil:ssg-ensure_logrotate_activated_action:testaction:1 + ocil:ssg-sebool_xserver_clients_write_xshm_action:testaction:1 - - Disable the dbadm_read_user_files SELinux Boolean + + Disable the postgresql_can_rsync SELinux Boolean - ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1 + ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1 - - Ensure journald is configured to write log files to 
persistent disk + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-journald_storage_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Disable kernel support for MISC binaries + + Limit Users' SSH Access - ocil:ssg-kernel_config_binfmt_misc_action:testaction:1 + ocil:ssg-sshd_limit_user_access_action:testaction:1 - - Disable the mpd_enable_homedirs SELinux Boolean + + Disable Software RAID Monitor (mdmonitor) - ocil:ssg-sebool_mpd_enable_homedirs_action:testaction:1 + ocil:ssg-service_mdmonitor_disabled_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Install sssd-ipa Package - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-package_sssd-ipa_installed_action:testaction:1 - - Configure auditd admin_space_left on Low Disk Space + + Set Account Expiration Following Inactivity - ocil:ssg-auditd_data_retention_admin_space_left_percentage_action:testaction:1 + ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/group + + Set Permissions on the /var/log/httpd/ Directory - ocil:ssg-audit_rules_etc_group_open_action:testaction:1 + ocil:ssg-dir_perms_var_log_httpd_action:testaction:1 - - Enable the domain_fd_use SELinux Boolean + + Disable the varnishd_connect_any SELinux Boolean - ocil:ssg-sebool_domain_fd_use_action:testaction:1 + ocil:ssg-sebool_varnishd_connect_any_action:testaction:1 - - Verify Group Who Owns /var/log/messages File + + Add nodev Option to /var - ocil:ssg-file_groupowner_var_log_messages_action:testaction:1 + ocil:ssg-mount_option_var_nodev_action:testaction:1 - - Disable Kerberos Authentication + + Disable the smbd_anon_write SELinux Boolean - ocil:ssg-sshd_disable_kerb_auth_action:testaction:1 + ocil:ssg-sebool_smbd_anon_write_action:testaction:1 - - Verify Permissions on /etc/at.allow file + + Record Unsuccessful Access Attempts to Files - truncate - 
ocil:ssg-file_permissions_at_allow_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 - - Add noexec Option to /var + + Verify the system-wide library files in directories +"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. - ocil:ssg-mount_option_var_noexec_action:testaction:1 + ocil:ssg-root_permissions_syslibrary_files_action:testaction:1 - - Verify Root Has A Primary GID 0 + + Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ - ocil:ssg-accounts_root_gid_zero_action:testaction:1 + ocil:ssg-audit_rules_sudoers_d_action:testaction:1 - - Ensure gpgcheck Enabled for Repository Metadata + + Configure Firewalld to Use the Nftables Backend - ocil:ssg-ensure_gpgcheck_repo_metadata_action:testaction:1 + ocil:ssg-firewalld-backend_action:testaction:1 - - Disable the mmap_low_allowed SELinux Boolean + + A private web server must be located on a separate controlled access subnet - ocil:ssg-sebool_mmap_low_allowed_action:testaction:1 + ocil:ssg-httpd_private_server_on_separate_subnet_action:testaction:1 - - Install openscap-scanner Package + + Disable the mozilla_plugin_use_gps SELinux Boolean - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_use_gps_action:testaction:1 - - Install sudo Package + + Configure basic parameters of Audit system - ocil:ssg-package_sudo_installed_action:testaction:1 + ocil:ssg-audit_basic_configuration_action:testaction:1 - - Record Successful Creation Attempts to Files - open O_CREAT + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Any Attempts to Run setsebool + + The Chrony package is installed - ocil:ssg-audit_rules_execution_setsebool_action:testaction:1 + ocil:ssg-package_chrony_installed_action:testaction:1 - - Disable Core Dumps 
for SUID programs + + Disable the entropyd_use_audio SELinux Boolean - ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 + ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 - - Configure AIDE to Use FIPS 140-2 for Validating Hashes + + Record Events that Modify User/Group Information - /etc/security/opasswd - ocil:ssg-aide_use_fips_hashes_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 - - Ensure No Daemons are Unconfined by SELinux + + Verify User Who Owns Backup group File - ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 + ocil:ssg-file_owner_backup_etc_group_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lchown + + Ensure All World-Writable Directories Are Owned by root User - ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 + ocil:ssg-dir_perms_world_writable_root_owned_action:testaction:1 - - Disallow merge of slab caches + + Specify a Remote NTP Server - ocil:ssg-kernel_config_slab_merge_default_action:testaction:1 + ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1 - - Disable KDump Kernel Crash Analyzer (kdump) + + Disable Access to Network bpf() Syscall From Unprivileged Processes - ocil:ssg-service_kdump_disabled_action:testaction:1 + ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1 - - Lock Accounts After Failed Password Attempts + + Enable checks on credential management - ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1 + ocil:ssg-kernel_config_debug_credentials_action:testaction:1 - - Remove Write Permissions From Filesystem Paths And Server Scripts + + Disable the ftpd_connect_db SELinux Boolean - ocil:ssg-httpd_configure_script_permissions_action:testaction:1 + ocil:ssg-sebool_ftpd_connect_db_action:testaction:1 - - Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ + + Verify Ownership on SSH Server Public *.pub Key Files - 
ocil:ssg-file_permissions_httpd_server_conf_d_files_action:testaction:1 + ocil:ssg-file_ownership_sshd_pub_key_action:testaction:1 - - Enable the nfs_export_all_rw SELinux Boolean + + Configure auditing of successful file modifications - ocil:ssg-sebool_nfs_export_all_rw_action:testaction:1 + ocil:ssg-audit_modify_success_action:testaction:1 - - Ensure All User Initialization Files Have Mode 0740 Or Less Permissive + + Disable the httpd_run_stickshift SELinux Boolean - ocil:ssg-file_permission_user_init_files_action:testaction:1 + ocil:ssg-sebool_httpd_run_stickshift_action:testaction:1 - - Add nodev Option to /dev/shm + + Record Unsuccessful Permission Changes to Files - chmod - ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1 - - Configure the deny_execmem SELinux Boolean + + Ensure /boot Located On Separate Partition - ocil:ssg-sebool_deny_execmem_action:testaction:1 + ocil:ssg-partition_for_boot_action:testaction:1 - - Record Successful Delete Attempts to Files - rename + + Disable the gpg_web_anon_write SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_rename_action:testaction:1 + ocil:ssg-sebool_gpg_web_anon_write_action:testaction:1 - - System Audit Logs Must Have Mode 0640 or Less Permissive + + Disable the boinc_execmem SELinux Boolean - ocil:ssg-file_permissions_var_log_audit_action:testaction:1 + ocil:ssg-sebool_boinc_execmem_action:testaction:1 
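Review bot: This hunk is a pure reorder of the OCIL test-action references, so the published datastream diff carries no real change and hides any genuine one: `ocil:ssg-sebool_ksmtuned_use_cifs_action:testaction:1` is removed in one place and re-added further down, and `ocil:ssg-package_gnutls-utils_installed_action:testaction:1` is added and then removed again later in the same hunk. Sort these references deterministically (for example by rule id) in the build step that emits `ssg-rhel8-ds-1.2.xml` so an automated publish with no content changes produces an empty diff. Separately, the rule title that reads `Verify the system-wide library files in directories` followed by `"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.` is split across two added lines, which means the title text itself carries an embedded line break; keep that title on a single line in the source so it renders consistently in the guide and table outputs.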
@@ -354246,147 +354246,147 @@ which the system will be deployed as closely as possible.ocil:ssg-package_rear_installed_action:testaction:1 - - Disable the httpd_can_connect_ldap SELinux Boolean + + Disable the squid_use_tproxy SELinux Boolean - ocil:ssg-sebool_httpd_can_connect_ldap_action:testaction:1 + ocil:ssg-sebool_squid_use_tproxy_action:testaction:1 - - Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces + + Verify the SSH Private Key Files Have a Passcode - ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 + ocil:ssg-ssh_keys_passphrase_protected_action:testaction:1 - - System Audit Logs Must Be Group Owned By Root + + Detect stack corruption on calls to schedule() - ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 + ocil:ssg-kernel_config_sched_stack_end_check_action:testaction:1 - - Ensure that chronyd is running under chrony user account + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd - ocil:ssg-chronyd_run_as_chrony_user_action:testaction:1 + ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1 - - Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Record Events that Modify the System's Discretionary Access Controls - fchmod - ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 - - Disable the httpd_use_sasl SELinux Boolean + + Uninstall geolite2-country Package - ocil:ssg-sebool_httpd_use_sasl_action:testaction:1 + ocil:ssg-package_geolite2-country_removed_action:testaction:1 - - The mailx Package Is Installed + + Configure auditing of successful permission changes - ocil:ssg-package_mailx_installed_action:testaction:1 + ocil:ssg-audit_perm_change_success_action:testaction:1 - - Configure auditd Number of Logs Retained + + Disable the samba_create_home_dirs SELinux Boolean - ocil:ssg-auditd_data_retention_num_logs_action:testaction:1 + 
ocil:ssg-sebool_samba_create_home_dirs_action:testaction:1 - - Verify Permissions on SSH Server Public *.pub Key Files + + System Audit Directories Must Be Group Owned By Root - ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1 + ocil:ssg-directory_group_ownership_var_log_audit_action:testaction:1 - - Configure auditing of unsuccessful file creations + + Disable the mailman_use_fusefs SELinux Boolean - ocil:ssg-audit_create_failed_action:testaction:1 + ocil:ssg-sebool_mailman_use_fusefs_action:testaction:1 - - Enable use of Berkeley Packet Filter with seccomp + + Disable rsh Service - ocil:ssg-kernel_config_seccomp_filter_action:testaction:1 + ocil:ssg-service_rsh_disabled_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Disable the sge_domain_can_network_connect SELinux Boolean - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-sebool_sge_domain_can_network_connect_action:testaction:1 - - Enable Smartcards in SSSD + + Disable the httpd_tmp_exec SELinux Boolean - ocil:ssg-sssd_enable_smartcards_action:testaction:1 + ocil:ssg-sebool_httpd_tmp_exec_action:testaction:1 - - Prevent applications from mapping low portion of virtual memory + + Configure auditing of successful file deletions - ocil:ssg-sysctl_vm_mmap_min_addr_action:testaction:1 + ocil:ssg-audit_delete_success_action:testaction:1 - - Configure Denying Router Solicitations on All IPv6 Interfaces + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit - ocil:ssg-sysctl_net_ipv6_conf_all_router_solicitations_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 - - Configure auditing of successful file modifications + + Disable the gitosis_can_sendmail SELinux Boolean - ocil:ssg-audit_modify_success_action:testaction:1 + ocil:ssg-sebool_gitosis_can_sendmail_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Ensure Users Cannot Change GNOME3 Screensaver Settings - 
ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_user_locks_action:testaction:1 - - Configure Error Log Format + + Disable Kerberos Authentication - ocil:ssg-httpd_configure_log_format_action:testaction:1 + ocil:ssg-sshd_disable_kerb_auth_action:testaction:1 - - Disable the zabbix_can_network SELinux Boolean + + Verify /boot/grub2/user.cfg Group Ownership - ocil:ssg-sebool_zabbix_can_network_action:testaction:1 + ocil:ssg-file_groupowner_user_cfg_action:testaction:1 - - Configure auditd space_left on Low Disk Space + + Ensure No Device Files are Unlabeled by SELinux - ocil:ssg-auditd_data_retention_space_left_action:testaction:1 + ocil:ssg-selinux_all_devicefiles_labeled_action:testaction:1 - - Verify /boot/grub2/grub.cfg User Ownership + + Record Successful Permission Changes to Files - lremovexattr - ocil:ssg-file_owner_grub2_cfg_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_lremovexattr_action:testaction:1 - - Enable Logging of All FTP Transactions + + Disable the virt_sandbox_use_all_caps SELinux Boolean - ocil:ssg-ftp_log_transactions_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_all_caps_action:testaction:1 - - Uninstall abrt-addon-ccpp Package + + Disable Certmonger Service (certmonger) - ocil:ssg-package_abrt-addon-ccpp_removed_action:testaction:1 + ocil:ssg-service_certmonger_disabled_action:testaction:1 - + PASS @@ -354394,7 +354394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354402,7 +354402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354410,7 +354410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354418,7 +354418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354426,7 +354426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354434,7 +354434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354442,7 +354442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354450,7 +354450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354458,7 +354458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354466,7 +354466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354474,7 +354474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354482,7 +354482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354490,7 +354490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354498,7 +354498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354506,7 +354506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354514,7 +354514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354522,7 +354522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354530,7 +354530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354538,7 +354538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354546,7 +354546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354554,7 +354554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354562,7 +354562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354570,7 +354570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354578,7 +354578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354586,7 +354586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354594,7 +354594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354602,7 +354602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354610,7 +354610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354618,7 +354618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354626,7 +354626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354634,7 +354634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354642,7 +354642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354650,7 +354650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354658,7 +354658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354666,7 +354666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354674,7 +354674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354682,7 +354682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354690,7 +354690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354698,7 +354698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354706,7 +354706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354714,7 +354714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354722,7 +354722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354730,7 +354730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354738,7 +354738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354746,7 +354746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354754,7 +354754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354762,7 +354762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354770,7 +354770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354778,7 +354778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354786,7 +354786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354794,7 +354794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354802,7 +354802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354810,7 +354810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354818,7 +354818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354826,7 +354826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354834,7 +354834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354842,7 +354842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354850,7 +354850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354858,7 +354858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354866,7 +354866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354874,7 +354874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354882,7 +354882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354890,7 +354890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354898,7 +354898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354906,7 +354906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354914,7 +354914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354922,7 +354922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354930,7 +354930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354938,7 +354938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354946,7 +354946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354954,7 +354954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354962,7 +354962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354970,7 +354970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354978,7 +354978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354986,7 +354986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354994,7 +354994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355002,7 +355002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355010,7 +355010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355018,7 +355018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355026,7 +355026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355034,7 +355034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355042,7 +355042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355050,7 +355050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355058,7 +355058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355066,7 +355066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355074,7 +355074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355082,7 +355082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355090,7 +355090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355098,7 +355098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355106,7 +355106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355114,7 +355114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355122,7 +355122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355130,7 +355130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355138,7 +355138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355146,7 +355146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355154,7 +355154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355162,7 +355162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355170,7 +355170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355178,7 +355178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355186,7 +355186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355194,7 +355194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355202,7 +355202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355210,7 +355210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355218,7 +355218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355226,7 +355226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355234,7 +355234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355242,7 +355242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355250,7 +355250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355258,7 +355258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355266,7 +355266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355274,7 +355274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355282,7 +355282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355290,7 +355290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355298,7 +355298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355306,7 +355306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355314,7 +355314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355322,7 +355322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355330,7 +355330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355338,7 +355338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355346,7 +355346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355354,7 +355354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355362,7 +355362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355370,7 +355370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355378,7 +355378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355386,7 +355386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355394,7 +355394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355402,7 +355402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355410,7 +355410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355418,7 +355418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355426,7 +355426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355434,7 +355434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355442,7 +355442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355450,7 +355450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355458,7 +355458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355466,7 +355466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355474,7 +355474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355482,7 +355482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355490,7 +355490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355498,7 +355498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355506,7 +355506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355514,7 +355514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355522,7 +355522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355530,7 +355530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355538,7 +355538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355546,7 +355546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355554,7 +355554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355562,7 +355562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355570,7 +355570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355578,7 +355578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355586,7 +355586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355594,7 +355594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355602,7 +355602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355610,7 +355610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355618,7 +355618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355626,7 +355626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355634,7 +355634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355642,7 +355642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355650,7 +355650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355658,7 +355658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355666,7 +355666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355674,7 +355674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355682,7 +355682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355690,7 +355690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355698,7 +355698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355706,7 +355706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355714,7 +355714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355722,7 +355722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355730,7 +355730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355738,7 +355738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355746,7 +355746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355754,7 +355754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355762,7 +355762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355770,7 +355770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355778,7 +355778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355786,7 +355786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355794,7 +355794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355802,7 +355802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355810,7 +355810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355818,7 +355818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355826,7 +355826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355834,7 +355834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355842,7 +355842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355850,7 +355850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355858,7 +355858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355866,7 +355866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355874,7 +355874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355882,7 +355882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355890,7 +355890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355898,7 +355898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355906,7 +355906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355914,7 +355914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355922,7 +355922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355930,7 +355930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355938,7 +355938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355946,7 +355946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355954,7 +355954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355962,7 +355962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355970,7 +355970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355978,7 +355978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355986,7 +355986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355994,7 +355994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356002,7 +356002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356010,7 +356010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356018,7 +356018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356026,7 +356026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356034,7 +356034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356042,7 +356042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356050,7 +356050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356058,7 +356058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356066,7 +356066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356074,7 +356074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356082,7 +356082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356090,7 +356090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356098,7 +356098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356106,7 +356106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356114,7 +356114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356122,7 +356122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356130,7 +356130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356138,7 +356138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356146,7 +356146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356154,7 +356154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356162,7 +356162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356170,7 +356170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356178,7 +356178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356186,7 +356186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356194,7 +356194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356202,7 +356202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356210,7 +356210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356218,7 +356218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356226,7 +356226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356234,7 +356234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356242,7 +356242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356250,7 +356250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356258,7 +356258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356266,7 +356266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356274,7 +356274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356282,7 +356282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356290,7 +356290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356298,7 +356298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356306,7 +356306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356314,7 +356314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356322,7 +356322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356330,7 +356330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356338,7 +356338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356346,7 +356346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356354,7 +356354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356362,7 +356362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356370,7 +356370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356378,7 +356378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356386,7 +356386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356394,7 +356394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356402,7 +356402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356410,7 +356410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356418,7 +356418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356426,7 +356426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356434,7 +356434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356442,7 +356442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356450,7 +356450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356458,7 +356458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356466,7 +356466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356474,7 +356474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356482,7 +356482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356490,7 +356490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356498,7 +356498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356506,7 +356506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356514,7 +356514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356522,7 +356522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356530,7 +356530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356538,7 +356538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356546,7 +356546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356554,7 +356554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356562,7 +356562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356570,7 +356570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356578,7 +356578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356586,7 +356586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356594,7 +356594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356602,7 +356602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356610,7 +356610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356618,7 +356618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356626,7 +356626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356634,7 +356634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356642,7 +356642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356650,7 +356650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356658,7 +356658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356666,7 +356666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356674,7 +356674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356682,7 +356682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356690,7 +356690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356698,7 +356698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356706,7 +356706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356714,7 +356714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356722,7 +356722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356730,7 +356730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356738,7 +356738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356746,7 +356746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356754,7 +356754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356762,7 +356762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356770,7 +356770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356778,7 +356778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356786,7 +356786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356794,7 +356794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356802,7 +356802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356810,7 +356810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356818,7 +356818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356826,7 +356826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356834,7 +356834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356842,7 +356842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356850,7 +356850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356858,7 +356858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356866,7 +356866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356874,7 +356874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356882,7 +356882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356890,7 +356890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356898,7 +356898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356906,7 +356906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356914,7 +356914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356922,7 +356922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356930,7 +356930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356938,7 +356938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356946,7 +356946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356954,7 +356954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356962,7 +356962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356970,7 +356970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356978,7 +356978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356986,7 +356986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356994,7 +356994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357002,7 +357002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357010,7 +357010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357018,7 +357018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357026,7 +357026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357034,7 +357034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357042,7 +357042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357050,7 +357050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357058,7 +357058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357066,7 +357066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357074,7 +357074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357082,7 +357082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357090,7 +357090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357098,7 +357098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357106,7 +357106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357114,7 +357114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357122,7 +357122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357130,7 +357130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357138,7 +357138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357146,7 +357146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357154,7 +357154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357162,7 +357162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357170,7 +357170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357178,7 +357178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357186,7 +357186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357194,7 +357194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357202,7 +357202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357210,7 +357210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357218,7 +357218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357226,7 +357226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357234,7 +357234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357242,7 +357242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357250,7 +357250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357258,7 +357258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357266,7 +357266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357274,7 +357274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357282,7 +357282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357290,7 +357290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357298,7 +357298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357306,7 +357306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357314,7 +357314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357322,7 +357322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357330,7 +357330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357338,7 +357338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357346,7 +357346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357354,7 +357354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357362,7 +357362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357370,7 +357370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357378,7 +357378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357386,7 +357386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357394,7 +357394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357402,7 +357402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357410,7 +357410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357418,7 +357418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357426,7 +357426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357434,7 +357434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357442,7 +357442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357450,7 +357450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357458,7 +357458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357466,7 +357466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357474,7 +357474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357482,7 +357482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357490,7 +357490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357498,7 +357498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357506,7 +357506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357514,7 +357514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357522,7 +357522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357530,7 +357530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357538,7 +357538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357546,7 +357546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357554,7 +357554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357562,7 +357562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357570,7 +357570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357578,7 +357578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357586,7 +357586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357594,7 +357594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357602,7 +357602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357610,7 +357610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357618,7 +357618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357626,7 +357626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357634,7 +357634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357642,7 +357642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357650,7 +357650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357658,7 +357658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357666,7 +357666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357674,7 +357674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357682,7 +357682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357690,7 +357690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357698,7 +357698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357706,7 +357706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357714,7 +357714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357722,7 +357722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357730,7 +357730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357738,7 +357738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357746,7 +357746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357754,7 +357754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357762,7 +357762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357770,7 +357770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357778,7 +357778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357786,7 +357786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357794,7 +357794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357802,7 +357802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357810,7 +357810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357818,7 +357818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357826,7 +357826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357834,7 +357834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357842,7 +357842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357850,7 +357850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357858,7 +357858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357866,7 +357866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357874,7 +357874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357882,7 +357882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357890,7 +357890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357898,7 +357898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357906,7 +357906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357914,7 +357914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357922,7 +357922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357930,7 +357930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357938,7 +357938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357946,7 +357946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357954,7 +357954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357962,7 +357962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357970,7 +357970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357978,7 +357978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357986,7 +357986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357994,7 +357994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358002,7 +358002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358010,7 +358010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358018,7 +358018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358026,7 +358026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358034,7 +358034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358042,7 +358042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358050,7 +358050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358058,7 +358058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358066,7 +358066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358074,7 +358074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358082,7 +358082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358090,7 +358090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358098,7 +358098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358106,7 +358106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358114,7 +358114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358122,7 +358122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358130,7 +358130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358138,7 +358138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358146,7 +358146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358154,7 +358154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358162,7 +358162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358170,7 +358170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358178,7 +358178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358186,7 +358186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358194,7 +358194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358202,7 +358202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358210,7 +358210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358218,7 +358218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358226,7 +358226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358234,7 +358234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358242,7 +358242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358250,7 +358250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358258,7 +358258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358266,7 +358266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358274,7 +358274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358282,7 +358282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358290,7 +358290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358298,7 +358298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358306,7 +358306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358314,7 +358314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358322,7 +358322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358330,7 +358330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358338,7 +358338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358346,7 +358346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358354,7 +358354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358362,7 +358362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358370,7 +358370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358378,7 +358378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358386,7 +358386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358394,7 +358394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358402,7 +358402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358410,7 +358410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358418,7 +358418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358426,7 +358426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358434,7 +358434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358442,7 +358442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358450,7 +358450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358458,7 +358458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358466,7 +358466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358474,7 +358474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358482,7 +358482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358490,7 +358490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358498,7 +358498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358506,7 +358506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358514,7 +358514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358522,7 +358522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358530,7 +358530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358538,7 +358538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358546,7 +358546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358554,7 +358554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358562,7 +358562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358570,7 +358570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358578,7 +358578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358586,7 +358586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358594,7 +358594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358602,7 +358602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358610,7 +358610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358618,7 +358618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358626,7 +358626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358634,7 +358634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358642,7 +358642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358650,7 +358650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358658,7 +358658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358666,7 +358666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358674,7 +358674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358682,7 +358682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358690,7 +358690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358698,7 +358698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358706,7 +358706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358714,7 +358714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358722,7 +358722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358730,7 +358730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358738,7 +358738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358746,7 +358746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358754,7 +358754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358762,7 +358762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358770,7 +358770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358778,7 +358778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358786,7 +358786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358794,7 +358794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358802,7 +358802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358810,7 +358810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358818,7 +358818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358826,7 +358826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358834,7 +358834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358842,7 +358842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358850,7 +358850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358858,7 +358858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358866,7 +358866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358874,7 +358874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358882,7 +358882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358890,7 +358890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358898,7 +358898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358906,7 +358906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358914,7 +358914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358922,7 +358922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358930,7 +358930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358938,7 +358938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358946,7 +358946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358954,7 +358954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358962,7 +358962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358970,7 +358970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358978,7 +358978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358986,7 +358986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358994,7 +358994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359002,7 +359002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359010,7 +359010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359018,7 +359018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359026,7 +359026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359034,7 +359034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359042,7 +359042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359050,7 +359050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359058,7 +359058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359066,7 +359066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359074,7 +359074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359082,7 +359082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359090,7 +359090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359098,7 +359098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359106,7 +359106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359114,7 +359114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359122,7 +359122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359130,7 +359130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359138,7 +359138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359146,7 +359146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359154,7 +359154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359162,7 +359162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359170,7 +359170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359178,7 +359178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359186,7 +359186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359194,7 +359194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359202,7 +359202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359210,7 +359210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359218,7 +359218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359226,7 +359226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359234,7 +359234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359242,7 +359242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359250,7 +359250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359258,7 +359258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359266,7 +359266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359274,7 +359274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359282,7 +359282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359290,7 +359290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359298,7 +359298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359306,7 +359306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359314,7 +359314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359322,7 +359322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359330,7 +359330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359338,7 +359338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359346,7 +359346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359354,7 +359354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359362,7 +359362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359370,7 +359370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359378,7 +359378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359386,7 +359386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359394,7 +359394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359402,7 +359402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359410,7 +359410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359418,7 +359418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359426,7 +359426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359434,7 +359434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359442,7 +359442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359450,7 +359450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359458,7 +359458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359466,7 +359466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359474,7 +359474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359482,7 +359482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359490,7 +359490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359498,7 +359498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359506,7 +359506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359514,7 +359514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359522,7 +359522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359530,7 +359530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359538,7 +359538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359546,7 +359546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359554,7 +359554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359562,7 +359562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359570,7 +359570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359578,7 +359578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359586,7 +359586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359594,7 +359594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359602,7 +359602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359610,7 +359610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359618,7 +359618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359626,7 +359626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359634,7 +359634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359642,7 +359642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359650,7 +359650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359658,7 +359658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359666,7 +359666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359674,7 +359674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359682,7 +359682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359690,7 +359690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359698,7 +359698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359706,7 +359706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359714,7 +359714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359722,7 +359722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359730,7 +359730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359738,7 +359738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359746,7 +359746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359754,7 +359754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359762,7 +359762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359770,7 +359770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359778,7 +359778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359786,7 +359786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359794,7 +359794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359802,7 +359802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359810,7 +359810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359818,7 +359818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359826,7 +359826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359834,7 +359834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359842,7 +359842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359850,7 +359850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359858,7 +359858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359866,7 +359866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359874,7 +359874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359882,7 +359882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359890,7 +359890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359898,7 +359898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359906,7 +359906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359914,7 +359914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359922,7 +359922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359930,7 +359930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359938,7 +359938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359946,7 +359946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359954,7 +359954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359962,7 +359962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359970,7 +359970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359978,7 +359978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359986,7 +359986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359994,7 +359994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360002,7 +360002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360010,7 +360010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360018,7 +360018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360026,7 +360026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360034,7 +360034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360042,7 +360042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360050,7 +360050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360058,7 +360058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360066,7 +360066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360074,7 +360074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360082,7 +360082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360090,7 +360090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360098,7 +360098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360106,7 +360106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360114,7 +360114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360122,7 +360122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360130,7 +360130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360138,7 +360138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360146,7 +360146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360154,7 +360154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360162,7 +360162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360170,7 +360170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360178,7 +360178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360186,7 +360186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360194,7 +360194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360202,7 +360202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360210,7 +360210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360218,7 +360218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360226,7 +360226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360234,7 +360234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360242,7 +360242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360250,7 +360250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360258,7 +360258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360266,7 +360266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360274,7 +360274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360282,7 +360282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360290,7 +360290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360298,7 +360298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360306,7 +360306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360314,7 +360314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360322,7 +360322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360330,7 +360330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360338,7 +360338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360346,7 +360346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360354,7 +360354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360362,7 +360362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360370,7 +360370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360378,7 +360378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360386,7 +360386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360394,7 +360394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360402,7 +360402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360410,7 +360410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360418,7 +360418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360426,7 +360426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360434,7 +360434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360442,7 +360442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360450,7 +360450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360458,7 +360458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360466,7 +360466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360474,7 +360474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360482,7 +360482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360490,7 +360490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360498,7 +360498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360506,7 +360506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360514,7 +360514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360522,7 +360522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360530,7 +360530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360538,7 +360538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360546,7 +360546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360554,7 +360554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360562,7 +360562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360570,7 +360570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360578,7 +360578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360586,7 +360586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360594,7 +360594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360602,7 +360602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360610,7 +360610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360618,7 +360618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360626,7 +360626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360634,7 +360634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360642,7 +360642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360650,7 +360650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360658,7 +360658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360666,7 +360666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360674,7 +360674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360682,7 +360682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360690,7 +360690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360698,7 +360698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360706,7 +360706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360714,7 +360714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360722,7 +360722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360730,7 +360730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360738,7 +360738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360746,7 +360746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360754,7 +360754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360762,7 +360762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360770,7 +360770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360778,7 +360778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360786,7 +360786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360794,7 +360794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360802,7 +360802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360810,7 +360810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360818,7 +360818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360826,7 +360826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360834,7 +360834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360842,7 +360842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360850,7 +360850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360858,7 +360858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360866,7 +360866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360874,7 +360874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360882,7 +360882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360890,7 +360890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360898,7 +360898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360906,7 +360906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360914,7 +360914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360922,7 +360922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360930,7 +360930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360938,7 +360938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360946,7 +360946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360954,7 +360954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360962,7 +360962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360970,7 +360970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360978,7 +360978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360986,7 +360986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360994,7 +360994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361002,7 +361002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361010,7 +361010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361018,7 +361018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361026,7 +361026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361034,7 +361034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361042,7 +361042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361050,7 +361050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361058,7 +361058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361066,7 +361066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361074,7 +361074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361082,7 +361082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361090,7 +361090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361098,7 +361098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361106,7 +361106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361114,7 +361114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361122,7 +361122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361130,7 +361130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361138,7 +361138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361146,7 +361146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361154,7 +361154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361162,7 +361162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361170,7 +361170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361178,7 +361178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361186,7 +361186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361194,7 +361194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361202,7 +361202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361210,7 +361210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361218,7 +361218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361226,7 +361226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361234,7 +361234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361242,7 +361242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361250,7 +361250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361258,7 +361258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361266,7 +361266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361274,7 +361274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361282,7 +361282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361290,7 +361290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361298,7 +361298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361306,7 +361306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361314,7 +361314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361322,7 +361322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361330,7 +361330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361338,7 +361338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361346,7 +361346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361354,7 +361354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361362,7 +361362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361370,7 +361370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361378,7 +361378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361386,7 +361386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361394,7 +361394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361402,7 +361402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361410,7 +361410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361418,7 +361418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361426,7 +361426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361434,7 +361434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361442,7 +361442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361450,7 +361450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361458,7 +361458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361466,7 +361466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361474,7 +361474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361482,7 +361482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361490,7 +361490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361498,7 +361498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361506,7 +361506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361514,7 +361514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361522,7 +361522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361530,7 +361530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361538,7 +361538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361546,7 +361546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361554,7 +361554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361562,7 +361562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361570,7 +361570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361578,7 +361578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361586,7 +361586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361594,7 +361594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361602,7 +361602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361610,7 +361610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361618,7 +361618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361626,7 +361626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361634,7 +361634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361642,7 +361642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361650,7 +361650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361658,7 +361658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361666,7 +361666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361674,7 +361674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361682,7 +361682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361690,7 +361690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361698,7 +361698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361706,7 +361706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361714,7 +361714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361722,7 +361722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361730,7 +361730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361738,7 +361738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361746,7 +361746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361754,7 +361754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361762,7 +361762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361770,7 +361770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361778,7 +361778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361786,7 +361786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361794,7 +361794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361802,7 +361802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361810,7 +361810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361818,7 +361818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361826,7 +361826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361834,7 +361834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361842,7 +361842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361850,7 +361850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361858,7 +361858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361866,7 +361866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361874,7 +361874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361882,7 +361882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361890,7 +361890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361898,7 +361898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361906,7 +361906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361914,7 +361914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361922,7 +361922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361930,7 +361930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361938,7 +361938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361946,7 +361946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361954,7 +361954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361962,7 +361962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361970,7 +361970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361978,7 +361978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361986,7 +361986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361994,7 +361994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362002,7 +362002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362010,7 +362010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362018,7 +362018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362026,7 +362026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362034,7 +362034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362042,7 +362042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362050,7 +362050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362058,7 +362058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362066,7 +362066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362074,7 +362074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362082,7 +362082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362090,7 +362090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362098,7 +362098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362106,7 +362106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362114,7 +362114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362122,7 +362122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362130,7 +362130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362138,7 +362138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362146,7 +362146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362154,7 +362154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362162,7 +362162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362170,7 +362170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362178,7 +362178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362186,7 +362186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362194,7 +362194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362202,7 +362202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362210,7 +362210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362218,7 +362218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362226,7 +362226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362234,7 +362234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362242,7 +362242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362250,7 +362250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362258,7 +362258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362266,7 +362266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362274,7 +362274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362282,7 +362282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362290,7 +362290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362298,7 +362298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362306,7 +362306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362314,7 +362314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362322,7 +362322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362330,7 +362330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362338,7 +362338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362346,7 +362346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362354,7 +362354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362362,7 +362362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362370,7 +362370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362378,7 +362378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362386,7 +362386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362394,7 +362394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362402,7 +362402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362410,7 +362410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362418,7 +362418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362426,7 +362426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362434,7 +362434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362442,7 +362442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362450,7 +362450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362458,7 +362458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362466,7 +362466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362474,7 +362474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362482,7 +362482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362490,7 +362490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362498,7 +362498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362506,7 +362506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362514,7 +362514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362522,7 +362522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362530,7 +362530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362538,7 +362538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362546,7 +362546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362554,7 +362554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362562,7 +362562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362570,7 +362570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362578,7 +362578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362586,7 +362586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362594,7 +362594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362602,7 +362602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362610,7 +362610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362618,7 +362618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362626,7 +362626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362634,7 +362634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362642,7 +362642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362650,7 +362650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362658,7 +362658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362666,7 +362666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362674,7 +362674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362682,7 +362682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362690,7 +362690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362698,7 +362698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362706,7 +362706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362714,7 +362714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362722,7 +362722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362730,7 +362730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362738,7 +362738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362746,7 +362746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362754,7 +362754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362762,7 +362762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362770,7 +362770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362778,7 +362778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362786,7 +362786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362794,7 +362794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362802,7 +362802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362810,7 +362810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362818,7 +362818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362826,7 +362826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362834,7 +362834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362842,7 +362842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362850,7 +362850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362858,7 +362858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362866,7 +362866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362874,7 +362874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362882,7 +362882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362890,7 +362890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362898,7 +362898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362906,7 +362906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362914,7 +362914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362922,7 +362922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362930,7 +362930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362938,7 +362938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362946,7 +362946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362954,7 +362954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362962,7 +362962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362970,7 +362970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362978,7 +362978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362986,7 +362986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362994,7 +362994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363002,7 +363002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363010,7 +363010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363018,7 +363018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363026,7 +363026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363034,7 +363034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363042,7 +363042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363050,7 +363050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363058,7 +363058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363066,7 +363066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363074,7 +363074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363082,7 +363082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363090,7 +363090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363098,7 +363098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363106,7 +363106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363114,7 +363114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363122,7 +363122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363130,7 +363130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363138,7 +363138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363146,7 +363146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363154,7 +363154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363162,7 +363162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363170,7 +363170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363178,7 +363178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363186,7 +363186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363194,7 +363194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363202,7 +363202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363210,7 +363210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363218,7 +363218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363226,7 +363226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363234,7 +363234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363242,7 +363242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363250,7 +363250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363258,7 +363258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363266,7 +363266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363274,7 +363274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363282,7 +363282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363290,7 +363290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363298,7 +363298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363306,7 +363306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363314,7 +363314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363322,7 +363322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363330,7 +363330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363338,7 +363338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363346,7 +363346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363354,7 +363354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363362,7 +363362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363370,7 +363370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363378,7 +363378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363386,7 +363386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363394,7 +363394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363402,7 +363402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363410,7 +363410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363418,7 +363418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363426,7 +363426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363434,7 +363434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363442,7 +363442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363450,7 +363450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363458,7 +363458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363466,7 +363466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363474,7 +363474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363482,7 +363482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363490,7 +363490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363498,7 +363498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363506,7 +363506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363514,7 +363514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363522,7 +363522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363530,7 +363530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363538,7 +363538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363546,7 +363546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363554,7 +363554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363562,7 +363562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363570,7 +363570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363578,7 +363578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363586,7 +363586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363594,7 +363594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363602,7 +363602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363610,7 +363610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363618,7 +363618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363626,7 +363626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363634,7 +363634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363642,7 +363642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363650,7 +363650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363658,7 +363658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363666,7 +363666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363674,7 +363674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363682,7 +363682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363690,7 +363690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363698,7 +363698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363706,7 +363706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363714,7 +363714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363722,7 +363722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363730,7 +363730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363738,7 +363738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363746,7 +363746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363754,7 +363754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363762,7 +363762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363770,7 +363770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363778,7 +363778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363786,7 +363786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363794,7 +363794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363802,7 +363802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363810,7 +363810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363818,7 +363818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363826,7 +363826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363834,7 +363834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363842,7 +363842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363850,7 +363850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363858,7 +363858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363866,7 +363866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363874,7 +363874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363882,7 +363882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363890,7 +363890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363898,7 +363898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363906,7 +363906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363914,7 +363914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363922,7 +363922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363930,7 +363930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363938,7 +363938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363946,7 +363946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363954,7 +363954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363962,7 +363962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363970,7 +363970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363978,7 +363978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363986,7 +363986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363994,7 +363994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364002,7 +364002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364010,7 +364010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364018,7 +364018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364026,7 +364026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364034,7 +364034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364042,7 +364042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364050,7 +364050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364058,7 +364058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364066,7 +364066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364074,7 +364074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364082,7 +364082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364090,7 +364090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364098,7 +364098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364106,7 +364106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364114,7 +364114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364122,7 +364122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364130,7 +364130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364138,7 +364138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364146,7 +364146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364154,7 +364154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364162,7 +364162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364170,7 +364170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364178,7 +364178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364186,7 +364186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364194,7 +364194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364202,7 +364202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364210,7 +364210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364218,7 +364218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364226,7 +364226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364234,7 +364234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364242,7 +364242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364250,7 +364250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364258,7 +364258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364266,7 +364266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364274,7 +364274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364282,7 +364282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364290,7 +364290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364298,7 +364298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364306,7 +364306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364314,7 +364314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364322,7 +364322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364330,7 +364330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364338,7 +364338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364346,7 +364346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364354,7 +364354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364362,7 +364362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364370,7 +364370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364378,7 +364378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364386,7 +364386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364394,7 +364394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364402,7 +364402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364410,7 +364410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364418,7 +364418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364426,7 +364426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364434,7 +364434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364442,7 +364442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364450,7 +364450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364458,7 +364458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364466,7 +364466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364474,7 +364474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364482,7 +364482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364490,7 +364490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364498,7 +364498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364506,7 +364506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364514,7 +364514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364522,7 +364522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364530,7 +364530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364538,7 +364538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364546,7 +364546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364554,7 +364554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364562,7 +364562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364570,7 +364570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364578,7 +364578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364586,7 +364586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364594,7 +364594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364602,7 +364602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364610,7 +364610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364618,7 +364618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364626,7 +364626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364634,7 +364634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364642,7 +364642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364650,7 +364650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364658,7 +364658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364666,7 +364666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364674,7 +364674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364682,7 +364682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364690,7 +364690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364698,7 +364698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364706,7 +364706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364714,7 +364714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364722,7 +364722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364730,7 +364730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364738,7 +364738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364746,7 +364746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364754,7 +364754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364762,7 +364762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364770,7 +364770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364778,7 +364778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364786,7 +364786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364794,7 +364794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364802,7 +364802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364810,7 +364810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364818,7 +364818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364826,7 +364826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364834,7 +364834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364842,7 +364842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364850,7 +364850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364858,7 +364858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364866,7 +364866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364874,7 +364874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364882,7 +364882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364890,7 +364890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364898,7 +364898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364906,7 +364906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364914,7 +364914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364922,7 +364922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364930,7 +364930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364938,7 +364938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364946,7 +364946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364954,7 +364954,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364962,7 +364962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364970,7 +364970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364978,7 +364978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364986,7 +364986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364994,7 +364994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365002,7 +365002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365010,7 +365010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365018,7 +365018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365026,7 +365026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365034,7 +365034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365042,7 +365042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365050,7 +365050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365058,7 +365058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365066,7 +365066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365074,7 +365074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365082,7 +365082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365090,7 +365090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365098,7 +365098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365106,7 +365106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365114,7 +365114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365122,7 +365122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365130,7 +365130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365138,7 +365138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365146,7 +365146,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365154,7 +365154,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365162,7 +365162,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365170,7 +365170,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365178,7 +365178,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365186,7 +365186,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365194,7 +365194,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365202,7 +365202,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365210,7 +365210,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365218,7 +365218,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365226,7 +365226,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365234,7 +365234,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365242,7 +365242,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365250,7 +365250,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365258,7 +365258,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365266,7 +365266,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365274,7 +365274,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365282,7 +365282,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365290,7 +365290,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365298,7 +365298,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365306,7 +365306,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365314,7 +365314,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365322,7 +365322,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365330,7 +365330,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365338,7 +365338,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365346,7 +365346,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365354,7 +365354,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365362,7 +365362,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365370,7 +365370,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365378,7 +365378,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365386,7 +365386,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365394,7 +365394,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365402,7 +365402,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365410,7 +365410,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365418,7 +365418,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365426,7 +365426,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365434,7 +365434,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365442,7 +365442,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365450,7 +365450,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365458,7 +365458,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365466,7 +365466,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365474,7 +365474,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365482,7 +365482,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365490,7 +365490,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365498,7 +365498,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365506,7 +365506,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365514,7 +365514,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365522,7 +365522,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365530,7 +365530,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365538,7 +365538,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365546,7 +365546,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365554,7 +365554,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365562,7 +365562,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365570,7 +365570,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365578,7 +365578,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365586,7 +365586,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365594,7 +365594,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365602,7 +365602,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365610,7 +365610,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365618,7 +365618,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365626,7 +365626,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365634,7 +365634,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365642,7 +365642,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365650,7 +365650,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365658,7 +365658,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365666,7 +365666,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365674,7 +365674,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365682,7 +365682,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365690,7 +365690,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365698,7 +365698,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365706,7 +365706,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365714,7 +365714,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365722,7 +365722,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365730,7 +365730,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365738,7 +365738,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365746,7 +365746,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365754,7 +365754,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365762,7 +365762,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365770,7 +365770,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365778,7 +365778,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365786,7 +365786,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365794,7 +365794,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365802,7 +365802,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365810,7 +365810,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365818,7 +365818,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365826,7 +365826,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365834,7 +365834,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365842,7 +365842,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365850,7 +365850,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365858,7 +365858,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365866,7 +365866,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365874,7 +365874,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365882,7 +365882,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365890,7 +365890,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365898,7 +365898,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365906,7 +365906,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365914,7 +365914,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365922,7 +365922,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365930,7 +365930,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365938,7 +365938,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365946,7 +365946,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365962,7 +365962,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365970,7 +365970,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365978,7 +365978,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365986,7 +365986,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365994,7 +365994,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366002,7 +366002,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366010,7 +366010,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366018,7 +366018,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366026,7 +366026,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366034,7 +366034,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366042,7 +366042,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366050,7 +366050,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366058,7 +366058,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366066,7 +366066,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366074,7 +366074,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366082,7 +366082,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366090,7 +366090,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366098,7 +366098,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366106,7 +366106,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366114,7 +366114,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -366122,7 +366122,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366130,7 +366130,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366138,7 +366138,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -366148,596 +366148,456 @@ which the system will be deployed as closely as possible. - - Run the following command to determine if the httpd package is installed: -$ rpm -q httpd - Is it the case that the package is installed? - - - - -Run the following command to determine if the authlogin_radius SELinux boolean is disabled: -$ getsebool authlogin_radius -If properly configured, the output should show the following: -authlogin_radius --> off - Is it the case that authlogin_radius is not disabled? + + To verify that the interface(s) follow site policy for zone assignment run the +following command: +$ sudo nmcli -t connection show | awk -F: '{if($4){print $4}}' | while read INT; +do firewall-cmd --get-active-zones | grep -B1 $INT; done +If your have to assign an interface to the appropriate zone run the following command: +$ sudo firewall-cmd --zone= --change-interface= + Is it the case that Your system accepts all incoming packets for unnecessary services and ports? - - Verify the system-wide shared library directories are group-owned by "root" with the following command: + + Verify it by running the following command: +$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; +/sbin/auditctl root +/sbin/aureport root +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root +/sbin/augenrules root -If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding. - Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account? - - - - If the system is not configured to audit time changes, this is a finding. 
-If the system is 64-bit only, this is not applicable -ocil: | -To determine if the system is configured to audit calls to the -stime system call, run the following command: -$ sudo grep "stime" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: -$ sudo auditctl -l | grep unix_update +If the command does not return all the above lines, the missing ones +need to be added. --a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update - Is it the case that the command does not return a line, or the line is commented out? +Run the following command to correct the permissions of the missing +entries: +$ sudo chown root [audit_tool] + +Replace "[audit_tool]" with each audit tool not owned by root. + Is it the case that ? - - To check the group ownership of /etc/issue, -run the command: -$ ls -lL /etc/issue -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/issue does not have a group owner of root? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STACKPROTECTOR /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the httpd_run_ipa SELinux boolean is disabled: -$ getsebool httpd_run_ipa +Run the following command to determine if the xguest_mount_media SELinux boolean is disabled: +$ getsebool xguest_mount_media If properly configured, the output should show the following: -httpd_run_ipa --> off - Is it the case that httpd_run_ipa is not disabled? 
- - - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open_by_handle_at system call with O_TRUNC_WRITE flag. - -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? +xguest_mount_media --> off + Is it the case that xguest_mount_media is not disabled? - - To verify that there are no unauthorized local user accounts, run the following command: -$ less /etc/passwd -Inspect the results, and if unauthorized local user accounts exist, remove them by running -the following command: -$ sudo userdel unauthorized_user - Is it the case that there are unauthorized local user accounts on the system? + + Run the following command to determine if the libselinux package is installed: $ rpm -q libselinux + Is it the case that the package is not installed? 
- - To check the ownership of /etc/ssh/sshd_config, + + To check the ownership of /etc/gshadow, run the command: -$ ls -lL /etc/ssh/sshd_config +$ ls -lL /etc/gshadow If properly configured, the output should indicate the following owner: root - Is it the case that /etc/ssh/sshd_config does not have an owner of root? + Is it the case that /etc/gshadow does not have an owner of root? - + + To ensure LoginGraceTime is set correctly, run the following command: +$ sudo grep LoginGraceTime /etc/ssh/sshd_config +If properly configured, the output should be: +LoginGraceTime +If the option is set to a number greater than 0, then the unauthenticated session will be disconnected +after the configured number seconds. + Is it the case that it is commented out or not configured properly? + + + -Run the following command to determine if the staff_exec_content SELinux boolean is enabled: -$ getsebool staff_exec_content +Run the following command to determine if the cobbler_use_cifs SELinux boolean is disabled: +$ getsebool cobbler_use_cifs If properly configured, the output should show the following: -staff_exec_content --> on - Is it the case that staff_exec_content is not enabled? +cobbler_use_cifs --> off + Is it the case that cobbler_use_cifs is not disabled? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_NOTIFIERS /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + Verify that only the "root" account has a UID "0" assignment with the +following command: +$ awk -F: '$3 == 0 {print $1}' /etc/passwd +root + Is it the case that any accounts other than "root" have a UID of "0"? - - To ensure the splash screen is configured not to show user name, run the following command: -$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar -If properly configured, the output should be false. 
-To ensure that users cannot enable user name on the lock screen, run the following: -$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar - Is it the case that it is not set or configured properly? + + Run the following command to ensure that /var/tmp is configured as a +polyinstantiated directory: +$ sudo grep /var/tmp /etc/security/namespace.conf +The output should return the following: +/var/tmp /var/tmp/tmp-inst/ level root,adm + Is it the case that is not configured? - - Interview the SA or web administrator to see where the public web server -is logically located in the data center. Review the site network diagram -to see how the web server is connected to the LAN. Visually check the web -server hardware connections to see if it conforms to the site network -diagram. - Is it the case that the web server is not isolated in an accredited DoD DMZ Extension? + + To verify that tmux is not listed as allowed shell on the system +run the following command: +$ grep 'tmux$' /etc/shells +The output should be empty. + Is it the case that tmux is listed in /etc/shells? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_KEXEC /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, +run the following command: +$ sudo pwck -qr +There should be no output. + Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STACKPROTECTOR_STRONG /boot/config.* - - For each kernel installed, a line with value "y" should be returned. 
- - Is it the case that the kernel was not built with the required value? + + Verify the nosuid option is configured for the /srv mount point, + run the following command: + $ sudo mount | grep '\s/srv\s' + . . . /srv . . . nosuid . . . + + Is it the case that the "/srv" file system does not have the "nosuid" option set? - + -Run the following command to determine if the mozilla_plugin_use_bluejeans SELinux boolean is disabled: -$ getsebool mozilla_plugin_use_bluejeans +Run the following command to determine if the racoon_read_shadow SELinux boolean is disabled: +$ getsebool racoon_read_shadow If properly configured, the output should show the following: -mozilla_plugin_use_bluejeans --> off - Is it the case that mozilla_plugin_use_bluejeans is not disabled? - - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules -The output has to be exactly as follows: -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification - Is it the case that the file does not exist or the content differs? - - - - Verify the noexec option is configured for the /var/log/audit mount point, - run the following command: - $ sudo mount | grep '\s/var/log/audit\s' - . . . /var/log/audit . . . noexec . . . - - Is it the case that the "/var/log/audit" file system does not have the "noexec" option set? +racoon_read_shadow --> off + Is it the case that racoon_read_shadow is not disabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "poweroff" command with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: -$ sudo auditctl -l | grep poweroff +$ sudo auditctl -l | grep newgrp --a always,exit -F path=/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECCOMP /boot/config.* - - For each kernel installed, a line with value "y" should be returned. 
- - Is it the case that the kernel was not built with the required value? - - - + - -Run the following command to determine the current status of the -sssd service: -$ sudo systemctl is-active sssd -If the service is running, it should return the following: active - Is it the case that the service is not enabled? +Run the following command to determine if the virt_use_xserver SELinux boolean is disabled: +$ getsebool virt_use_xserver +If properly configured, the output should show the following: +virt_use_xserver --> off + Is it the case that virt_use_xserver is not disabled? - - -Run the following command to determine if the neutron_can_network SELinux boolean is disabled: -$ getsebool neutron_can_network -If properly configured, the output should show the following: -neutron_can_network --> off - Is it the case that neutron_can_network is not disabled? + + Verify that the files and directories of each instance of Alias, +ScriptAlias, and ScriptAliasMatch that exist +have the correct file and directory permissions applied. + Is it the case that it is not? - - To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -$ sudo grep "lremovexattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the tuned package is installed: +$ rpm -q tuned + Is it the case that the package is installed? - - To determine if the system is configured to audit successful calls -to the truncate system call, run the following command: -$ sudo grep "truncate" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To preclude access to the servers root directory, ensure the following +directive is in the httpd.conf file. 
This entry will also stop users +from setting up .htaccess files which can override security features +configured in /etc/httpd/conf/httpd.conf. +AllowOverride none + Is it the case that it is not? - - Verify that a separate file system/partition has been created for /boot with the following command: + + To check that the cockpit service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled cockpit +Output should indicate the cockpit service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled cockpit disabled -$ mountpoint /boot +Run the following command to verify cockpit is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active cockpit - Is it the case that "/boot is not a mountpoint" is returned? - - - - To verify the noexec option is configured for all NFS mounts, run the following command: -$ mount | grep nfs -All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is -not implemented. - Is it the case that the setting does not show? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the cockpit is masked, run the following command: +$ sudo systemctl show cockpit | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "cockpit" is loaded and not masked? - - Run the following command to determine if the samba-common package is installed: $ rpm -q samba-common - Is it the case that the package is not installed? 
+ + Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: + +$ sudo grep difok /etc/security/pwquality.conf + +difok = + Is it the case that the value of "difok" is set to less than "<sub idref="var_password_pam_difok" />", or is commented out? - + -Run the following command to determine if the secure_mode SELinux boolean is disabled: -$ getsebool secure_mode +Run the following command to determine if the exim_manage_user_files SELinux boolean is disabled: +$ getsebool exim_manage_user_files If properly configured, the output should show the following: -secure_mode --> off - Is it the case that secure_mode is not disabled? +exim_manage_user_files --> off + Is it the case that exim_manage_user_files is not disabled? - - To verify that Audit Daemon is configured to resolve all uid, gid, syscall, -architecture, and socket address information before writing the event to disk, -run the following command: -$ sudo grep log_format /etc/audit/auditd.conf -The output should return the following: -log_format = ENRICHED - Is it the case that log_format isn't set to ENRICHED? + + Run the following command to determine if the opensc package is installed: $ rpm -q opensc + Is it the case that the package is not installed? - - To verify that only security updates will be automatically installed by dnf-automatic, run the following command: -$ sudo grep upgrade_type /etc/dnf/automatic.conf -The output should return the following: -upgrade_type = security - Is it the case that the upgrade_type is not set to security? + + Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +and /etc/zipl.conf: +find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap +No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated. + Is it the case that the bootmap is outdated? 
- - -Run the following command to determine if the spamassassin_can_network SELinux boolean is disabled: -$ getsebool spamassassin_can_network -If properly configured, the output should show the following: -spamassassin_can_network --> off - Is it the case that spamassassin_can_network is not disabled? + + The runtime status of the fs.protected_hardlinks kernel parameter can be queried +by running the following command: +$ sysctl fs.protected_hardlinks +1. + + Is it the case that the correct value is not returned? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + + Run the following command to check for duplicate group names: +Check that the operating system contains no duplicate group names for interactive users by running the following command: --w /etc/gshadow -p wa -k identity + cut -d : -f 3 /etc/group | uniq -d -If the command does not return a line, or the line is commented out, this is a finding. - Is it the case that the system is not configured to audit account changes? - - - - -Run the following command to determine if the cobbler_use_cifs SELinux boolean is disabled: -$ getsebool cobbler_use_cifs -If properly configured, the output should show the following: -cobbler_use_cifs --> off - Is it the case that cobbler_use_cifs is not disabled? - - - - -Run the following command to determine if the polipo_session_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool polipo_session_bind_all_unreserved_ports -If properly configured, the output should show the following: -polipo_session_bind_all_unreserved_ports --> off - Is it the case that polipo_session_bind_all_unreserved_ports is not disabled? +If output is produced, this is a finding. +Configure the operating system to contain no duplicate names for groups. 
+Edit the file "/etc/group" and provide each group that has a duplicate group id with a unique group id. + Is it the case that the system has duplicate group ids? - - To verify that automatic logins are disabled, run the following command: -$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf -The output should show the following: -[daemon] -AutomaticLoginEnable=false - Is it the case that GDM allows users to automatically login? + + To verify all squashing has been disabled, run the following command: +$ grep all_squash /etc/exports + Is it the case that there is output? - - -Run the following command to determine if the mozilla_plugin_use_spice SELinux boolean is disabled: -$ getsebool mozilla_plugin_use_spice -If properly configured, the output should show the following: -mozilla_plugin_use_spice --> off - Is it the case that mozilla_plugin_use_spice is not disabled? + + To verify that each web content directory exists on separate partitions, +run the following command: +$ grep `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` /etc/fstab +Each of the corresponding DocumentRoot entries should have a +corresponding entry in /etc/fstab. + Is it the case that it is not? - - Verify emergency accounts have been provisioned with an expiration date of 72 hours. - -For every emergency account, run the following command to obtain its account aging and expiration information: + + Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: -$ sudo chage -l emergency_account_name +$ sudo grep 'dir =' /etc/security/faillock.conf -Verify each of these accounts has an expiration date set within 72 hours or as documented. - Is it the case that any emergency accounts have no expiration date set or do not expire within 72 hours? 
+dir = /var/log/faillock + Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? - - To check the permissions of /etc/passwd-, -run the command: -$ ls -l /etc/passwd- -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/passwd- does not have unix mode -rw-r--r--? + + Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: + +$ grep umask /etc/csh.cshrc + +umask 077 +umask 077 + Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? - - Display the contents of the file /etc/systemd/logind.conf: -cat /etc/systemd/logind.conf -Ensure that there is a section [login] which contains the -configuration StopIdleSessionSec=. - Is it the case that the option is not configured? + + Verify the nosuid option is configured for the /var/tmp mount point, + run the following command: + $ sudo mount | grep '\s/var/tmp\s' + . . . /var/tmp . . . nosuid . . . + + Is it the case that the "/var/tmp" file system does not have the "nosuid" option set? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_LEGACY_VSYSCALL_NONE /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check if the system login banner is compliant, run the following command: +$ cat /etc/issue.net + Is it the case that it does not display the required banner? - - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -$ sudo grep "rmdir" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. 
-To determine if the system is configured to audit calls to the -unlink system call, run the following command: -$ sudo grep "unlink" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -$ sudo grep "unlinkat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -rename system call, run the following command: -$ sudo grep "rename" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -renameat system call, run the following command: -$ sudo grep "renameat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + + +Run the following command to get the current configured value for polyinstantiation_enabled +SELinux boolean: +$ getsebool polyinstantiation_enabled +The expected cofiguration is . +"on" means true, and "off" means false + Is it the case that polyinstantiation_enabled is not set as expected? - - Verify that yum verifies the signature of local packages prior to install with the following command: - -$ grep localpkg_gpgcheck /etc/yum.conf - -localpkg_gpgcheck=1 - -If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. - Is it the case that there is no process to validate certificates for local packages that is approved by the organization? 
+ + To check the ownership of /etc/ssh/sshd_config, +run the command: +$ ls -lL /etc/ssh/sshd_config +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/ssh/sshd_config does not have an owner of root? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_FS /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + +Run the following command to determine if the virt_sandbox_use_mknod SELinux boolean is disabled: +$ getsebool virt_sandbox_use_mknod +If properly configured, the output should show the following: +virt_sandbox_use_mknod --> off + Is it the case that virt_sandbox_use_mknod is not disabled? - + + To determine if the system is configured to audit attempts to +alter time via the /etc/localtime file, run the following +command: +$ sudo auditctl -l | grep "watch=/etc/localtime" +If the system is configured to audit this activity, it will return a line. + Is it the case that the system is not configured to audit time changes? + + + -Run the following command to determine if the cluster_can_network_connect SELinux boolean is disabled: -$ getsebool cluster_can_network_connect +Run the following command to determine if the zoneminder_run_sudo SELinux boolean is disabled: +$ getsebool zoneminder_run_sudo If properly configured, the output should show the following: -cluster_can_network_connect --> off - Is it the case that cluster_can_network_connect is not disabled? +zoneminder_run_sudo --> off + Is it the case that zoneminder_run_sudo is not disabled? - - To check which SSH protocol version is allowed, check version of -openssh-server with following command: -$ rpm -qi openssh-server | grep Version -Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. 
-If version is lower than 7.4, run the following command to check configuration: -To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: - -$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config + + Verify that a separate file system/partition has been created for /opt with the following command: -If a line indicating no is returned, then the required value is set. +$ mountpoint /opt - Is it the case that the required value is not set? + Is it the case that "/opt is not a mountpoint" is returned? - - To verify Certmap is enabled in SSSD, run the following command: -$ sudo cat /etc/sssd/sssd.conf -If configured properly, output should contain section like the following - -[certmap/testing.test/rule_name] -matchrule =<SAN>.*EDIPI@mil -maprule = (userCertificate;binary={cert!bin}) -domains = testing.test - - Is it the case that Certmap is not configured in SSSD? + + To ensure smart card authentication on the login screen is enabled, run the following command: +$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot disable smart card authentication on the login screen, run the following: +$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication + Is it the case that enable-smartcard-authentication has not been configured or is disabled? - + +Run the following command to determine if the antivirus_can_scan_system SELinux boolean is enabled: +$ getsebool antivirus_can_scan_system +If properly configured, the output should show the following: +antivirus_can_scan_system --> on + Is it the case that antivirus_can_scan_system is not enabled? 
+ + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -Run the following command to determine the current status of the -iptables service: -$ sudo systemctl is-active iptables -If the service is running, it should return the following: active - Is it the case that ? +$ sudo auditctl -l | grep crontab + +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab + Is it the case that the command does not return a line, or the line is commented out? - - To find SGID files, run the following command: -$ sudo find / -xdev -type f -perm -2000 - Is it the case that there is output? + + To check if only local user are impacted by pam_faillock, run the following command: +$ grep local_users_only /etc/security/faillock.conf +The output should return local_users_only not commented. + Is it the case that local_users_only is not uncommented or configured correctly? - - To ensure the X Windows package group is removed, run the following command: -$ rpm -qi xorg-x11-server-common -The output should be: -package xorg-x11-server-common is not installed - Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? + + To check the group ownership of /boot/efi/EFI/redhat/grub.cfg, +run the command: +$ ls -lL /boot/efi/EFI/redhat/grub.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have a group owner of root? - - To verify that TLS is configured properly in -/etc/httpd/conf.modules.d/ssl.conf, run the following command: -$ grep -i "sslengine\|sslprotocol" /etc/httpd/conf.d/ssl.conf -The output should return the following: - -SSLEngine on -SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 - - Is it the case that it is not? 
+ + +Run the following command to determine if the abrt_handle_event SELinux boolean is disabled: +$ getsebool abrt_handle_event +If properly configured, the output should show the following: +abrt_handle_event --> off + Is it the case that abrt_handle_event is not disabled? - - To verify that CUPS printer browsing is disabled, run the following command: -$ sudo grep "Browsing\|BrowseAllow" /etc/cups/cupsd.conf -The output should return the following: -Browsing Off -BrowseAllow none - Is it the case that printer browsing is not disabled? + + +Run the following command to determine if the squid_connect_any SELinux boolean is disabled: +$ getsebool squid_connect_any +If properly configured, the output should show the following: +squid_connect_any --> off + Is it the case that squid_connect_any is not disabled? - - Verify that sshd isn't configured to ignore the system wide cryptographic policy. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. -Check that the CRYPTO_POLICY variable is not set or is commented out in the -/etc/sysconfig/sshd. +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -Run the following command: +$ sudo grep -r creat /etc/audit/rules.d -$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd - Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd? - - - - Run the following command to verify that SSH client is configured to use 32 bytes of entropy: -grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh -The output should be: -export SSH_USE_STRONG_RNG=32 - Is it the case that SSH client is not configured to use 32 bytes of entropy or more? 
+If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the subscription-manager package is installed: $ rpm -q subscription-manager + + Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools Is it the case that the package is not installed? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes rng_core.default_quality=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*rng_core.default_quality=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*rng_core.default_quality=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'rng_core.default_quality=' -The command should not return any output. - Is it the case that trust on hardware random number generator is not configured appropriately? 
- - - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes spec_store_bypass_disable=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spec_store_bypass_disable=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*spec_store_bypass_disable=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'spec_store_bypass_disable=' -The command should not return any output. - Is it the case that SSB is not configured appropriately? - - - - -Run the following command to determine if the selinuxuser_execstack SELinux boolean is disabled: -$ getsebool selinuxuser_execstack -If properly configured, the output should show the following: -selinuxuser_execstack --> off - Is it the case that selinuxuser_execstack is not disabled? - - - + -Run the following command to determine if the dhcpc_exec_iptables SELinux boolean is disabled: -$ getsebool dhcpc_exec_iptables +Run the following command to determine if the ftpd_connect_all_unreserved SELinux boolean is disabled: +$ getsebool ftpd_connect_all_unreserved If properly configured, the output should show the following: -dhcpc_exec_iptables --> off - Is it the case that dhcpc_exec_iptables is not disabled? +ftpd_connect_all_unreserved --> off + Is it the case that ftpd_connect_all_unreserved is not disabled? 
@@ -366745,795 +366605,1048 @@ dhcpc_exec_iptables --> off Is it the case that the package is not installed? - - The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.accept_source_route -0. + + Verify that interactive users on the system have a home directory assigned with the following command: - Is it the case that the correct value is not returned? +$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd + +Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined. + Is it the case that users home directory is not defined? - + + To verify that USB hubs will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +One of the output lines should be +allow with-interface match-all { 09:00:* } + Is it the case that USB devices of class 9 are not authorized? + + + -Run the following command to determine if the xserver_execmem SELinux boolean is disabled: -$ getsebool xserver_execmem +Run the following command to determine if the exim_can_connect_db SELinux boolean is disabled: +$ getsebool exim_can_connect_db If properly configured, the output should show the following: -xserver_execmem --> off - Is it the case that xserver_execmem is not disabled? +exim_can_connect_db --> off + Is it the case that exim_can_connect_db is not disabled? - - Run the following command to determine if the abrt-cli package is installed: -$ rpm -q abrt-cli - Is it the case that the package is installed? 
+ + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: + +$ sudo auditctl -l | grep su + +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su + Is it the case that the command does not return a line, or the line is commented out? - - Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: - -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; - Is it the case that any system commands are returned and is not group-owned by a required system account? + + To verify that execution of the command is being audited, run the following command: +$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/* +The output should return something similar to: +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + Is it the case that ? - - Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: -$ sudo more /etc/fstab +$ sudo grep action_mail_acct /etc/audit/auditd.conf -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 - Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set? 
+action_mail_acct = + Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure? - - To check that the cups service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled cups -Output should indicate the cups service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled cups disabled - -Run the following command to verify cups is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active cups - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the cups is masked, run the following command: -$ sudo systemctl show cups | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: + + Verify that Red Hat Enterprise Linux 8 has configured the minimum time period between password changes for each user account is one day or greater with the following command: -LoadState=masked +$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow + Is it the case that any results are returned that are not associated with a system account? + + + + To check the status of the idle screen lock activation, run the following command: -UnitFileState=masked - Is it the case that the "cups" is loaded and not masked? +$ gsettings get org.gnome.desktop.screensaver lock-enabled +If properly configured, the output should be true. 
+To ensure that users cannot change how long until the screensaver locks, run the following: +$ grep lock-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled + Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? - - -If the system is configured to prevent the loading of the iwlwifi kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + The reviewed should make a note of the name of the account being used for +the web service. This information may be needed later in the SRR. There +may also be other server services running related to the web server in +support of a particular web application, these passwords must be entrusted +to the SA or Web Manager as well. -These lines can also instruct the module loading system to ignore the iwlwifi kernel module via blacklist keyword. +Query the SA or Web Manager to determine if they have the web service +password(s). -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r iwlwifi /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? +NOTE: For installations that run as a service, or without a password, +the SA or Web Manager having an Admin account on the system would meet +the intent of this check. + Is it the case that the web server password(s) are not entrusted to the SA or Web Manager? - - -Run the following command to determine if the virt_sandbox_use_netlink SELinux boolean is disabled: -$ getsebool virt_sandbox_use_netlink -If properly configured, the output should show the following: -virt_sandbox_use_netlink --> off - Is it the case that virt_sandbox_use_netlink is not disabled? 
+ + To verify that auditing is configured for system administrator actions, run the following command: +$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" + Is it the case that there is not output? - - To check for serial port entries which permit root login, -run the following command: -$ sudo grep ^ttyS/[0-9] /etc/securetty -If any output is returned, then root login over serial ports is permitted. - Is it the case that root login over serial ports is permitted? + + Check that no boot image file is specified in /etc/zipl.conf: +grep -R "^image\s*=" /etc/zipl.conf +No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. + Is it the case that a non BLS boot entry is configured? - - Run the following command to see what the max sessions number is: -$ sudo grep MaxSessions /etc/ssh/sshd_config -If properly configured, the output should be: -MaxSessions - Is it the case that MaxSessions is not configured or not configured correctly? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + + To verify that rsyslog's Forwarding Output Module has CA certificate +configured for its TLS connections to remote server, run the following command: +$ grep DefaultNetstreamDriverCAFile /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should include record similar to +global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem") +where the path to the CA file (/etc/pki/tls/cert.pem in case above) must point to the correct CA certificate. + Is it the case that CA certificate for rsyslog remote logging via TLS is not set? 
+ + + + +Run the following command to determine if the pppd_can_insmod SELinux boolean is disabled: +$ getsebool pppd_can_insmod +If properly configured, the output should show the following: +pppd_can_insmod --> off + Is it the case that pppd_can_insmod is not disabled? + + + To determine if the system is configured to audit successful calls -to the chown system call, run the following command: -$ sudo grep "chown" /etc/audit.* +to the openat system call, run the following command: +$ sudo grep "openat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check the ownership of /etc/issue.net, -run the command: -$ ls -lL /etc/issue.net -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/issue.net does not have an owner of root? + + Verify the operating system routinely checks the baseline configuration for unauthorized changes. + +To determine that periodic AIDE execution has been scheduled, run the following command: +$ grep aide /etc/crontab +The output should return something similar to the following: +05 4 * * * root /usr/sbin/aide --check + +NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. + Is it the case that AIDE is not configured to scan periodically? - - Inspect /etc/audit/audisp-remote.conf and locate the following line to -determine if the system is configured to perform a correct action according to the policy: -$ sudo grep -i network_failure_action /etc/audit/audisp-remote.conf -The output should return: -network_failure_action = - Is it the case that the system is not configured to switch to single user mode for corrective action? + + Run the following command to determine if the talk package is installed: +$ rpm -q talk + Is it the case that the package is installed? 
- - Run the following command to check if the line is present: -grep pam_wheel /etc/pam.d/su -The output should contain the following line: -auth required pam_wheel.so use_uid group= - Is it the case that the line is not in the file or it is commented? + + To find world-writable directories that lack the sticky bit, run the following command: +$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null +fixtext: |- +Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. + +Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: + +$ chmod a+t [World-Writable Directory] +srg_requirement: +A sticky bit must be set on all Red Hat Enterprise Linux 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. + Is it the case that any world-writable directories are missing the sticky bit? - - To determine if the system is configured to audit unsuccessful calls -to the fchmodat system call, run the following command: -$ sudo grep "fchmodat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that FIPS mode is enabled properly, run the following command: +fips-mode-setup --check +The output should contain the following: +FIPS mode is enabled. +To verify that the cryptographic policy has been configured correctly, run the +following command: +$ update-crypto-policies --show +The output should return . + Is it the case that FIPS mode is not enabled? - - To verify that clients cannot automatically update DNS records, perform the -following: -$ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-* -$ grep -rni "send host-name" /etc/dhclient.conf /etc/dhcp -The output should return no results. 
- Is it the case that client Dynamic DNS updates are not disabled? + + To ensure the X Windows package group is removed, run the following command: +$ rpm -qi xorg-x11-server-common +The output should be: +package xorg-x11-server-common is not installed + Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? - - -Run the following command to determine if the use_lpd_server SELinux boolean is disabled: -$ getsebool use_lpd_server -If properly configured, the output should show the following: -use_lpd_server --> off - Is it the case that use_lpd_server is not disabled? + + Run the following command to determine if the subscription-manager package is installed: $ rpm -q subscription-manager + Is it the case that the package is not installed? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Only FIPS-approved MACs should be used. To verify that only FIPS-approved -MACs are in use, run the following command: -$ sudo grep -i macs /etc/ssh/sshd_config -The output should contain only those MACs which are FIPS-approved. Any use of other -ciphers or algorithms will result in the module entering the non-FIPS mode of -operation. - Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? 
+ + To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file +/etc/pki/tls/openssl.cnf contains the [ crypto_policy ] section with the +.include /etc/crypto-policies/back-ends/opensslcnf.config directive: + +$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf. + Is it the case that the OpenSSL config file doesn't contain the whole section, +or the section doesn't contain the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive? - - To check for legacy lines in /etc/passwd, run the following command: - grep '^\+' /etc/passwd -The command should not return any output. - Is it the case that the file contains legacy lines? + + To ensure the screensaver is configured to be blank, run the following command: +$ gsettings get org.gnome.desktop.screensaver picture-uri +If properly configured, the output should be ''. + +To ensure that users cannot set the screensaver background, run the following: +$ grep picture-uri /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri + Is it the case that it is not set or configured properly? - + -Run the following command to determine if the daemons_use_tcp_wrapper SELinux boolean is disabled: -$ getsebool daemons_use_tcp_wrapper +Run the following command to determine if the mozilla_plugin_can_network_connect SELinux boolean is disabled: +$ getsebool mozilla_plugin_can_network_connect If properly configured, the output should show the following: -daemons_use_tcp_wrapper --> off - Is it the case that daemons_use_tcp_wrapper is not disabled? +mozilla_plugin_can_network_connect --> off + Is it the case that mozilla_plugin_can_network_connect is not disabled? - - Run the following command to determine if the psacct package is installed: $ rpm -q psacct - Is it the case that the package is not installed? 
+ + +Run the following command to determine if the polipo_session_users SELinux boolean is disabled: +$ getsebool polipo_session_users +If properly configured, the output should show the following: +polipo_session_users --> off + Is it the case that polipo_session_users is not disabled? - - To check the status of the idle screen lock activation, run the following command: - -$ gsettings get org.gnome.desktop.screensaver lock-enabled -If properly configured, the output should be true. -To ensure that users cannot change how long until the screensaver locks, run the following: -$ grep lock-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled - Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? + + Run the following command to determine if the telnet-server package is installed: +$ rpm -q telnet-server + Is it the case that the package is installed? - - Verify the noexec option is configured for the /dev/shm mount point, - run the following command: - $ sudo mount | grep '\s/dev/shm\s' - . . . /dev/shm . . . noexec . . . - - Is it the case that the "/dev/shm" file system does not have the "noexec" option set? + + To verify that Linux Audit logging is enabled for the USBGuard daemon, +run the following command: +$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf +The output should be +AuditBackend=LinuxAudit + Is it the case that AuditBackend is not set to LinuxAudit? - - Verify the assigned home directories of all interactive users on the system exist with the following command: - -$ sudo pwck -r + + To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation +uses a SP800-90A compliant entropy source, +make sure that the /etc/profile.d/openssl-rand.sh file contents exactly match those +that are included in the rule's description. 
+ Is it the case that there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description? + + + + Ensure that Red Hat Enterprise Linux 8 does not disable SELinux. -user 'mailnull': directory 'var/spool/mqueue' does not exist +Check if "SELinux" is active and in "enforcing" or "permissive" mode with the following command: -The output should not return any interactive users. - Is it the case that users home directory does not exist? +$ sudo getenforce +Enforcing +-OR- +Permissive + Is it the case that SELinux is disabled? - - To check the permissions of /etc/cron.daily, -run the command: -$ ls -l /etc/cron.daily -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.daily does not have unix mode -rwx------? + + To ensure root may not directly login to the system over physical consoles, +run the following command: +cat /etc/securetty +If any output is returned, this is a finding. + Is it the case that the /etc/securetty file is not empty? - - To check the permissions of /etc/issue.net, + + To check the permissions of /etc/issue, run the command: -$ ls -l /etc/issue.net +$ ls -l /etc/issue If properly configured, the output should indicate the following permissions: -rw-r--r-- - Is it the case that /etc/issue.net does not have unix mode -rw-r--r--? - - - - To verify that USB Human Interface Devices and hubs will be authorized by the USBGuard daemon, -run the following command: -$ sudo grep allow /etc/usbguard/rules.conf -The output lines should include -allow with-interface match-all { 03:*:* 09:00:* } - Is it the case that USB devices of class 3 and 9:00 are not authorized? - - - - Verify an anti-virus solution is installed on the system. The anti-virus solution may be -bundled with an approved host-based security solution. - Is it the case that there is no anti-virus solution installed on the system? 
+ Is it the case that /etc/issue does not have unix mode -rw-r--r--? - - Verify that a separate file system/partition has been created for /var with the following command: - -$ mountpoint /var + + Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: - Is it the case that "/var is not a mountpoint" is returned? +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; + Is it the case that any system commands are found to be group-writable or world-writable? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/10-base-config.rules -The output has to be exactly as follows: -## First rule - delete all --D + + To check that the quota_nld service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled quota_nld +Output should indicate the quota_nld service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled quota_nld disabled -## Increase the buffers to survive stress events. -## Make this bigger for busy systems --b 8192 +Run the following command to verify quota_nld is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active quota_nld -## This determine how long to wait in burst of events ---backlog_wait_time 60000 +If the service is not running the command will return the following output: +inactive -## Set failure mode to syslog --f 1 - Is it the case that the file does not exist or the content differs? - - - - If the system is not using TLS, set the ldap_id_use_start_tls option -in /etc/sssd/sssd.conf to true. - Is it the case that the 'ldap_id_use_start_tls' option is not set to 'true'? 
- - - - Verify that a separate file system/partition has been created for /var/log/audit with the following command: +The service will also be masked, to check that the quota_nld is masked, run the following command: +$ sudo systemctl show quota_nld | grep "LoadState\|UnitFileState" -$ mountpoint /var/log/audit +If the service is masked the command will return the following outputs: - Is it the case that "/var/log/audit is not a mountpoint" is returned? +LoadState=masked + +UnitFileState=masked + Is it the case that the "quota_nld" is loaded and not masked? - - If IPv6 is disabled, this is not applicable. - - - -Run the following command to determine the current status of the -ip6tables service: -$ sudo systemctl is-active ip6tables -If the service is running, it should return the following: active - Is it the case that ? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_LEGACY_PTYS /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - The runtime status of the kernel.core_pattern kernel parameter can be queried -by running the following command: -$ sysctl kernel.core_pattern -|/bin/false. - - Is it the case that the returned line does not have a value of "|/bin/false", or a line is not -returned and the need for core dumps is not documented with the Information -System Security Officer (ISSO) as an operational requirement? + + To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: +$ grep -i macs /etc/crypto-policies/back-ends/openssh.config +and verify that the line matches: +MACs + Is it the case that Crypto Policy for OpenSSH client is not configured correctly? 
- + -Run the following command to determine if the prosody_bind_http_port SELinux boolean is disabled: -$ getsebool prosody_bind_http_port +Run the following command to determine if the telepathy_connect_all_ports SELinux boolean is disabled: +$ getsebool telepathy_connect_all_ports If properly configured, the output should show the following: -prosody_bind_http_port --> off - Is it the case that prosody_bind_http_port is not disabled? +telepathy_connect_all_ports --> off + Is it the case that telepathy_connect_all_ports is not disabled? - - Verify Red Hat Enterprise Linux 8 shell initialization file is configured to start each shell with the tmux terminal multiplexer. + + To check that the autofs service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled autofs +Output should indicate the autofs service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled autofs disabled -Determine the location of the tmux script with the following command: +Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active autofs -$ sudo grep tmux /etc/bashrc /etc/profile.d/* +If the service is not running the command will return the following output: +inactive -/etc/profile.d/tmux.sh: case "$name" in (sshd|login) tmux ;; esac +The service will also be masked, to check that the autofs is masked, run the following command: +$ sudo systemctl show autofs | grep "LoadState\|UnitFileState" -Review the tmux script by using the following example: +If the service is masked the command will return the following outputs: -$ cat /etc/profile.d/tmux.sh +LoadState=masked -if [ "$PS1" ]; then -parent=$(ps -o ppid= -p $$) -name=$(ps -o comm= -p $parent) -case "$name" in (sshd|login) tmux ;; esac -fi +UnitFileState=masked + Is it the case that the "autofs" is loaded and not masked? 
+ + + + To check the permissions of /etc/crontab, +run the command: +$ ls -l /etc/crontab +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/crontab does not have unix mode -rw-------? + + + + To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: -If the shell file is not configured as the example above, is commented out, or is missing, this is a finding. +$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config -Determine if tmux is currently running with the following command: +If a line indicating no is returned, then the required value is set. -$ sudo ps all | grep tmux | grep -v grep - Is it the case that the command does not produce output? - - - - The following command will list which files on the system -have file hashes different from what is expected by the RPM database. -$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' - Is it the case that there is output? + Is it the case that the required value is not set? - - To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command; -sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that does not enable poisoning. - Is it the case that SLUB/SLAB poisoning is not enabled? + + Ensure that debug-shell service is not enabled with the following command: +grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub +If the command returns a line, it means that debug-shell service is being enabled. + Is it the case that the comand returns a line? - - To determine how the SSH daemon's PrintLastLog option is set, run the following command: + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full. 
-$ sudo grep -i PrintLastLog /etc/ssh/sshd_config +Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full with the following command: -If a line indicating yes is returned, then the required value is set. +$ sudo grep disk_full_action /etc/audit/auditd.conf - Is it the case that the required value is not set? +disk_full_action = + +If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. + Is it the case that there is no evidence of appropriate action? - - Verify the site's network diagram and visually check the web server, to -ensure that the private web server is located on a separate controlled -access subnet and is not part of the public DMZ that houses the public -web servers. - -In addition, the private web server needs to be isolated via a controlled -access mechanism from the local general population lan. - Is it the case that the private web server is not on a separate controlled access subnet? + + To find SGID files, run the following command: +$ sudo find / -xdev -type f -perm -2000 + Is it the case that there is output? - - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -$ sudo grep "init_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -$ sudo grep "delete_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? 
+ + +Run the following command to determine if the cron_system_cronjob_use_shares SELinux boolean is disabled: +$ getsebool cron_system_cronjob_use_shares +If properly configured, the output should show the following: +cron_system_cronjob_use_shares --> off + Is it the case that cron_system_cronjob_use_shares is not disabled? - + -Run the following command to determine if the postgresql_can_rsync SELinux boolean is disabled: -$ getsebool postgresql_can_rsync +Run the following command to determine if the dbadm_exec_content SELinux boolean is enabled: +$ getsebool dbadm_exec_content If properly configured, the output should show the following: -postgresql_can_rsync --> off - Is it the case that postgresql_can_rsync is not disabled? +dbadm_exec_content --> on + Is it the case that dbadm_exec_content is not enabled? - - To check the group ownership of /etc/motd, -run the command: -$ ls -lL /etc/motd -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/motd does not have a group owner of root? + + Inspect /etc/audit/audisp-remote.conf and locate the following line to +determine if the system is configured to either send to syslog, switch to single user mode, +or halt when the disk is full: +$ sudo grep -i disk_full_action /etc/audit/audisp-remote.conf +The output should return something similar to: +disk_full_action = single +Acceptable values also include syslog and halt. + Is it the case that the system is not configured to switch to single user mode for corrective action? - - To check the ownership of /etc/group-, -run the command: -$ ls -lL /etc/group- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/group- does not have an owner of root? 
+ + To verify that the log_config_module exists in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep log_config_module /etc/httpd/conf/httpd.conf +The output should return: +<IfModule log_config_module> + Is it the case that it is not? - + -Run the following command to determine if the polipo_use_nfs SELinux boolean is disabled: -$ getsebool polipo_use_nfs +Run the following command to determine if the cups_execmem SELinux boolean is disabled: +$ getsebool cups_execmem If properly configured, the output should show the following: -polipo_use_nfs --> off - Is it the case that polipo_use_nfs is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_BUG_ON_DATA_CORRUPTION /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +cups_execmem --> off + Is it the case that cups_execmem is not disabled? - + -Run the following command to determine if the selinuxuser_execmod SELinux boolean is enabled: -$ getsebool selinuxuser_execmod +Run the following command to determine if the webadm_read_user_files SELinux boolean is disabled: +$ getsebool webadm_read_user_files If properly configured, the output should show the following: -selinuxuser_execmod --> on - Is it the case that selinuxuser_execmod is not enabled? +webadm_read_user_files --> off + Is it the case that webadm_read_user_files is not disabled? - - Verify the operating system routinely checks the baseline configuration for unauthorized changes. - -To determine that periodic AIDE execution has been scheduled, run the following command: -$ grep aide /etc/crontab -The output should return something similar to the following: -05 4 * * * root /usr/sbin/aide --check - -NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. - Is it the case that AIDE is not configured to scan periodically? 
+ + Run the following command to determine if the avahi package is installed: +$ rpm -q avahi + Is it the case that the package is installed? - + -Run the following command to determine if the glance_use_fusefs SELinux boolean is disabled: -$ getsebool glance_use_fusefs +Run the following command to determine if the httpd_can_network_connect_cobbler SELinux boolean is disabled: +$ getsebool httpd_can_network_connect_cobbler If properly configured, the output should show the following: -glance_use_fusefs --> off - Is it the case that glance_use_fusefs is not disabled? +httpd_can_network_connect_cobbler --> off + Is it the case that httpd_can_network_connect_cobbler is not disabled? - - To verify that web content directories should not be shared anonymously over -remote filesystems such as nfs and smb, inspect each instance -of DocumentRoot and serverRoot and verify that no entry in -/etc/fstab exists or no remote filesystem process is running for -any instance. -$ ps -ef | grep "nfs\|smb" - Is it the case that it is not? - - - - Verify the system-wide shared library files are owned by "root" with the following command: + + Verify that the interactive user account passwords are using a strong +password hash with the following command: -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; - Is it the case that any system wide shared library file is not owned by root? +$ sudo cut -d: -f2 /etc/shadow + +$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ + +Password hashes ! or * indicate inactive accounts not +available for logon and are not evaluated. + Is it the case that any interactive user password hash does not begin with "$6"? 
- + -Run the following command to determine if the telepathy_tcp_connect_generic_network_ports SELinux boolean is disabled: -$ getsebool telepathy_tcp_connect_generic_network_ports +Run the following command to determine if the httpd_use_sasl SELinux boolean is disabled: +$ getsebool httpd_use_sasl If properly configured, the output should show the following: -telepathy_tcp_connect_generic_network_ports --> off - Is it the case that telepathy_tcp_connect_generic_network_ports is not disabled? +httpd_use_sasl --> off + Is it the case that httpd_use_sasl is not disabled? - - To verify that a nftables table exists, run the following command: -$ sudo nft list tables -Output should include a list of nftables similar to: + + To check that the kdump service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled kdump +Output should indicate the kdump service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled kdump disabled - table inet filter +Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active kdump - Is it the case that a nftables table does not exist? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the kdump is masked, run the following command: +$ sudo systemctl show kdump | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "kdump" is loaded and not masked? 
- - To check the permissions of /etc/ssh/*_key, + + To check that the debug-shell service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled debug-shell +Output should indicate the debug-shell service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled debug-shell disabled + +Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active debug-shell + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the debug-shell is masked, run the following command: +$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "debug-shell" is loaded and not masked? + + + + To check on the age of McAfee virus definition files, run the following command: +$ sudo cd /opt/NAI/LinuxShield/engine/dat +$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat + Is it the case that signatures are out of date? + + + + Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. + +Check the owner of each audit tool by running the following command: + +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules + Is it the case that any audit tools are not owned by root? 
+ + + + Verify that Red Hat Enterprise Linux 8 is configured to prevent unrestricted mail relaying, +run the following command: +$ sudo postconf -n smtpd_client_restrictions + Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECCOMP_FILTER /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To check the group ownership of /etc/gshadow-, run the command: -$ ls -l /etc/ssh/*_key -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? +$ ls -lL /etc/gshadow- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/gshadow- does not have a group owner of root? - + -Run the following command to determine if the git_system_use_cifs SELinux boolean is disabled: -$ getsebool git_system_use_cifs +Run the following command to determine if the postgresql_selinux_unconfined_dbadm SELinux boolean is enabled: +$ getsebool postgresql_selinux_unconfined_dbadm If properly configured, the output should show the following: -git_system_use_cifs --> off - Is it the case that git_system_use_cifs is not disabled? +postgresql_selinux_unconfined_dbadm --> on + Is it the case that postgresql_selinux_unconfined_dbadm is not enabled? - - Verify that Red Hat Enterprise Linux 8 's INACTIVE conforms to site policy (no more than 30 days) with the following command: - -$ sudo awk -F: '$7 > 30 {print $1 " " $7}' /etc/shadow - Is it the case that the value of INACTIVE is greater than the expected value or is -1? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_LEGACY_VSYSCALL_NONE /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Find the list of alias maps used by the Postfix mail server: -$ sudo postconf alias_maps -Query the Postfix alias maps for an alias for the root user: -$ sudo postmap -q root hash:/etc/aliases -The output should return an alias. - Is it the case that the alias is not set? + + +Run the following command to determine if the gluster_export_all_ro SELinux boolean is disabled: +$ getsebool gluster_export_all_ro +If properly configured, the output should show the following: +gluster_export_all_ro --> off + Is it the case that gluster_export_all_ro is not disabled? - + -Run the following command to determine if the virt_use_execmem SELinux boolean is disabled: -$ getsebool virt_use_execmem +Run the following command to determine if the container_connect_any SELinux boolean is disabled: +$ getsebool container_connect_any If properly configured, the output should show the following: -virt_use_execmem --> off - Is it the case that virt_use_execmem is not disabled? +container_connect_any --> off + Is it the case that container_connect_any is not disabled? - + + To verify that McAfee VirusScan Enterprise for Linux is installed +and running, run the following command(s): +$ sudo systemctl status nails +$ rpm -q McAfeeVSEForLinux + Is it the case that virus scanning software is not installed or running? 
+ + + -Run the following command to determine if the use_fusefs_home_dirs SELinux boolean is disabled: -$ getsebool use_fusefs_home_dirs +Run the following command to determine if the privoxy_connect_any SELinux boolean is disabled: +$ getsebool privoxy_connect_any If properly configured, the output should show the following: -use_fusefs_home_dirs --> off - Is it the case that use_fusefs_home_dirs is not disabled? +privoxy_connect_any --> off + Is it the case that privoxy_connect_any is not disabled? - - To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: + + Run the following command to determine if the ntp package is installed: $ rpm -q ntp + Is it the case that the package is not installed? + + + + To check the group ownership of /etc/cron.weekly, +run the command: +$ ls -lL /etc/cron.weekly +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.weekly does not have a group owner of root? + + + + To ensure that users cannot disable the screensaver idle inactivity setting, run the following: +$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled + Is it the case that idle-activation-enabled is not locked? + + + + The file /etc/at.deny should not exist. +This can be checked by running the following -$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config +stat /etc/at.deny -If a line indicating yes is returned, then the required value is set. - Is it the case that the display proxy is listening on wildcard address? +and the output should be + +stat: cannot stat `/etc/at.deny': No such file or directory + + Is it the case that the file /etc/at.deny exists? - - To verify the home directory ownership, run the following command: -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) - Is it the case that the user ownership is incorrect? 
+ + To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: +sysctl crypto.fips_enabled +The output should contain the following: +crypto.fips_enabled = 1 + Is it the case that crypto.fips_enabled is not 1? - - To check the ownership of /etc/crontab, + + Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: + +$ sudo grep -i path= /home/*/.* + +/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin + Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement? + + + + To check the permissions of /etc/http/conf.d/*, run the command: -$ ls -lL /etc/crontab -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/crontab does not have an owner of root? +$ ls -l /etc/http/conf.d/* +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/http/conf.d/* does not have unix mode -rw-r-----? - - To verify that the DConf User profile is configured correctly, run the following -command: - -$ cat /etc/dconf/profile/user -The output should show the following: -user-db:user -system-db:local -system-db:site -system-db:distro - Is it the case that DConf User profile does not exist or is not configured correctly? + + To check the ownership of /etc/cron.allow, +run the command: +$ ls -lL /etc/cron.allow +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.allow does not have an owner of root? 
- - -Run the following command to determine if the puppetmaster_use_db SELinux boolean is disabled: -$ getsebool puppetmaster_use_db -If properly configured, the output should show the following: -puppetmaster_use_db --> off - Is it the case that puppetmaster_use_db is not disabled? + + Run the following command to determine if the sssd package is installed: $ rpm -q sssd + Is it the case that the package is not installed? - - To check that the dovecot service is disabled in system boot configuration, + + To check that the cpupower service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled dovecot -Output should indicate the dovecot service has either not been installed, +$ sudo systemctl is-enabled cpupower +Output should indicate the cpupower service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled dovecot disabled +$ sudo systemctl is-enabled cpupower disabled -Run the following command to verify dovecot is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active dovecot +Run the following command to verify cpupower is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active cpupower If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the dovecot is masked, run the following command: -$ sudo systemctl show dovecot | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the cpupower is masked, run the following command: +$ sudo systemctl show cpupower | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "dovecot" is loaded and not masked? + Is it the case that the "cpupower" is loaded and not masked? 
- - To verify the system is not configured to use a boot loader on removable media, -check that the grub configuration file has the set root command in each menu -entry with the following commands: -$ sudo grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg -Note that the -c option for the grep command will print -only the count of menuentry occurrences. This number should match -the number of occurrences reported by the following command: -$ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg -The output should return something similar to: -set root='hd0,msdos1' -usb0, cd, fd0, etc. are some examples of removeable -media which should not exist in the lines: -set root='hd0,msdos1' - Is it the case that it is not? + + +Run the following command to determine if the secure_mode SELinux boolean is disabled: +$ getsebool secure_mode +If properly configured, the output should show the following: +secure_mode --> off + Is it the case that secure_mode is not disabled? - - To verify that SSSD's in-memory cache expires after a day, run the following command: -$ sudo grep memcache_timeout /etc/sssd/sssd.conf -If configured properly, output should be memcache_timeout = . - Is it the case that it does not exist or is not configured properly? + + +Run the following command to determine if the mozilla_plugin_use_bluejeans SELinux boolean is disabled: +$ getsebool mozilla_plugin_use_bluejeans +If properly configured, the output should show the following: +mozilla_plugin_use_bluejeans --> off + Is it the case that mozilla_plugin_use_bluejeans is not disabled? - - To determine if the system is configured to audit successful calls -to the lchown system call, run the following command: -$ sudo grep "lchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. 
+ + Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: - Is it the case that no line is returned? +$ sudo firewall-cmd --state + +running + +$ sudo firewall-cmd --get-active-zones + +[custom] +interfaces: ens33 + +$ sudo firewall-cmd --info-zone=[custom] | grep target + +target: DROP + Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"? - - Verify the nosuid option is configured for the /home mount point, + + First, check whether the password is defined in either /boot/grub2/user.cfg or +/boot/grub2/grub.cfg. +Run the following commands: +$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg +$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg + + +Second, check that a superuser is defined in /boot/grub2/grub.cfg. +$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' /boot/grub2/grub.cfg + Is it the case that it does not produce any output? + + + + The runtime status of the kernel.dmesg_restrict kernel parameter can be queried +by running the following command: +$ sysctl kernel.dmesg_restrict +1. + + Is it the case that the correct value is not returned? + + + + To check the permissions of /etc/cron.monthly, +run the command: +$ ls -l /etc/cron.monthly +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.monthly does not have unix mode -rwx------? + + + + +Run the following command to determine if the httpd_enable_homedirs SELinux boolean is disabled: +$ getsebool httpd_enable_homedirs +If properly configured, the output should show the following: +httpd_enable_homedirs --> off + Is it the case that httpd_enable_homedirs is not disabled? 
+ + + + Verify the nodev option is configured for the /tmp mount point, run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . nosuid . . . + $ sudo mount | grep '\s/tmp\s' + . . . /tmp . . . nodev . . . - Is it the case that the "/home" file system does not have the "nosuid" option set? + Is it the case that the "/tmp" file system does not have the "nodev" option set? - - Run the following command to determine if the binutils package is installed: $ rpm -q binutils + + Run the following command to determine if the psacct package is installed: $ rpm -q psacct Is it the case that the package is not installed? - - To find the location of the AIDE database file, run the following command: -$ sudo ls -l DBDIR/database_file_name - Is it the case that there is no database file? + + To check if authentication is required for emergency mode, run the following command: +$ grep sulogin /usr/lib/systemd/system/emergency.service +The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + +Then, check if the emergency target requires the emergency service: +Run the following command: +$ sudo grep Requires /usr/lib/systemd/system/emergency.target +The output should be the following: +Requires=emergency.service + +Then, check if there is no custom emergency target configured in systemd configuration. +Run the following command: +$ sudo grep -r emergency.target /etc/systemd/system/ +The output should be empty. + +Then, check if there is no custom emergency service configured in systemd configuration. +Run the following command: +$ sudo grep -r emergency.service /etc/systemd/system/ +The output should be empty. + Is it the case that the output is different? 
- + + To verify the nodev option is configured for all NFS mounts, run +the following command: +$ mount | grep nfs +All NFS mounts should show the nodev setting in parentheses. This +is not applicable if NFS is not implemented. + Is it the case that the setting does not show? + + + + Verify the system-wide shared library files are owned by "root" with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; + Is it the case that any system wide shared library file is not owned by root? + + + + To determine how the SSH daemon's X11Forwarding option is set, run the following command: + +$ sudo grep -i X11Forwarding /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PANIC_TIMEOUT /boot/config.* + $ grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config.* - For each kernel installed, a line with value "" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? - - -Run the following command to get the current configured value for secure_mode_insmod -SELinux boolean: -$ getsebool secure_mode_insmod -The expected cofiguration is . -"on" means true, and "off" means false - Is it the case that secure_mode_insmod is not set as expected? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PANIC_ON_OOPS /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + + To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check +that the ctrl-alt-del.target is masked and not active with the following +command: +sudo systemctl status ctrl-alt-del.target +The output should indicate that the target is masked and not active. It +might resemble following output: +ctrl-alt-del.target +Loaded: masked (/dev/null; bad) +Active: inactive (dead) + Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? + + + + The owner of all log files written by rsyslog should be -$ sudo auditctl -l | grep umount +root. --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount - Is it the case that the command does not return a line, or the line is commented out? +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +To see the owner of a given log file, run the following command: +$ ls -l LOGFILE + Is it the case that the owner is not correct? - - To verify if the OpenSSH server uses defined Crypto Policy, run: -$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1 -and verify that the line matches -CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256' - Is it the case that Crypto Policy for OpenSSH Server is not configured according to CC requirements? + + Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. 
+ +Check the value of the system inactivity timeout with the following command: + +$ grep -i lock-after-time /etc/tmux.conf + +set -g lock-after-time 900 + +Then, verify that the /etc/tmux.conf file can be read by other users than root: + +$ sudo ls -al /etc/tmux.conf + Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? - - Run the following command to determine if the nginx package is installed: -$ rpm -q nginx - Is it the case that the package is installed? + + To determine if the system is configured to audit successful calls +to the renameat system call, run the following command: +$ sudo grep "renameat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the cups_execmem SELinux boolean is disabled: -$ getsebool cups_execmem +Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. + +Check the hashing algorithm that is being used to hash passwords with the following command: + +$ sudo grep -i ENCRYPT_METHOD /etc/login.defs + +ENCRYPT_METHOD + Is it the case that ENCRYPT_METHOD is not set to <sub idref="var_password_hashing_algorithm" />? + + + + +Run the following command to determine if the selinuxuser_postgresql_connect_enabled SELinux boolean is disabled: +$ getsebool selinuxuser_postgresql_connect_enabled If properly configured, the output should show the following: -cups_execmem --> off - Is it the case that cups_execmem is not disabled? +selinuxuser_postgresql_connect_enabled --> off + Is it the case that selinuxuser_postgresql_connect_enabled is not disabled? 
- + -Run the following command to determine if the samba_portmapper SELinux boolean is disabled: -$ getsebool samba_portmapper +Run the following command to determine if the irssi_use_full_network SELinux boolean is disabled: +$ getsebool irssi_use_full_network If properly configured, the output should show the following: -samba_portmapper --> off - Is it the case that samba_portmapper is not disabled? +irssi_use_full_network --> off + Is it the case that irssi_use_full_network is not disabled? - - The runtime status of the net.ipv6.conf.all.max_addresses kernel parameter can be queried + + Check to see if Online Certificate Status Protocol (OCSP) +is enabled and using the proper digest value on the system with the following command: +$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#" +If configured properly, output should look like + + certificate_verification = ocsp_dgst= + + Is it the case that certificate_verification in sssd is not configured? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + +$ sudo auditctl -l | grep gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd + Is it the case that the command does not return a line, or the line is commented out? + + + + The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.all.max_addresses +$ sysctl kernel.yama.ptrace_scope 1. Is it the case that the correct value is not returned? - - -Run the following command to determine if the virt_use_comm SELinux boolean is disabled: -$ getsebool virt_use_comm -If properly configured, the output should show the following: -virt_use_comm --> off - Is it the case that virt_use_comm is not disabled? 
- - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_IA32_EMULATION /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit unsuccessful calls +to the chown system call, run the following command: +$ sudo grep "chown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
@@ -367551,30 +367664,21 @@ are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? - + -Run the following command to determine if the httpd_mod_auth_pam SELinux boolean is disabled: -$ getsebool httpd_mod_auth_pam +Run the following command to determine if the pppd_for_user SELinux boolean is disabled: +$ getsebool pppd_for_user If properly configured, the output should show the following: -httpd_mod_auth_pam --> off - Is it the case that httpd_mod_auth_pam is not disabled? - - - - Verify the usrquota option is configured for the /home mount point, - run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . usrquota . . . - - Is it the case that the "/home" file system does not have the "usrquota" option set? +pppd_for_user --> off + Is it the case that pppd_for_user is not disabled? - + -To check that the telnet service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig telnet --list -Output should indicate the telnet service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig telnet --list +To check that the rexec service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig rexec --list +Output should indicate the rexec service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig rexec --list Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native 
@@ -367584,22 +367688,22 @@ If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'. -telnet off +rexec off -To check that the telnet socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled telnet -Output should indicate the telnet socket has either not been installed, +To check that the rexec socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled rexec +Output should indicate the rexec socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled telnetdisabled +$ sudo systemctl is-enabled rexecdisabled -Run the following command to verify telnet is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active telnet +Run the following command to verify rexec is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rexec If the socket is not running the command will return the following output: inactive -The socket will also be masked, to check that the telnet is masked, run the following command: -$ sudo systemctl show telnet | grep "LoadState\|UnitFileState" +The socket will also be masked, to check that the rexec is masked, run the following command: +$ sudo systemctl show rexec | grep "LoadState\|UnitFileState" If the socket is masked the command will return the following outputs: 
@@ -367609,103 +367713,132 @@ UnitFileState=masked Is it the case that service and/or socket are running? - - Verify the nodev option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . nodev . . . - - Is it the case that the "/boot" file system does not have the "nodev" option set? + + +Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled: +$ getsebool ssh_sysadm_login +If properly configured, the output should show the following: +ssh_sysadm_login --> off + Is it the case that ssh_sysadm_login is not disabled? - - The telnet package can be removed with the following command: $ sudo yum erase telnet - Is it the case that ? + + To ensure the MaxAuthTries parameter is set, run the following command: +$ sudo grep MaxAuthTries /etc/ssh/sshd_config +If properly configured, output should be: +MaxAuthTries + Is it the case that it is commented out or not configured properly? - - Run the following command to ensure postfix accepts mail messages from only the local system: -$ grep inet_interfaces /etc/postfix/main.cf -If properly configured, the output should show only . - Is it the case that it does not? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes vsyscall=none, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. 
+Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none' +The command should not return any output. + Is it the case that vsyscalls are enabled? - - To verify if password complexities are only enforce on local users, run the following command: -$ grep local_users_only /etc/security/pwquality.conf -The output should return local_users_only uncommented. - Is it the case that local_users_only is not uncommented or configured correctly? + + +Run the following command to determine if the fips_mode SELinux boolean is enabled: +$ getsebool fips_mode +If properly configured, the output should show the following: +fips_mode --> on + Is it the case that fips_mode is not enabled? - - To determine if the users are allowed to run commands as root, run the following commands: -$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]' /etc/sudoers /etc/sudoers.d/ -and -$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)' /etc/sudoers /etc/sudoers.d/ -Both commands should return no output. - Is it the case that /etc/sudoers file contains rules that allow non-root users to run commands as root? + + +Run the following command to determine if the daemons_dump_core SELinux boolean is disabled: +$ getsebool daemons_dump_core +If properly configured, the output should show the following: +daemons_dump_core --> off + Is it the case that daemons_dump_core is not disabled? - - Verify that local initialization files do not execute world-writable programs with the following command: + + The following command will list which files on the system have permissions different from what +is expected by the RPM database: +$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' + Is it the case that there is output? + + + + +Verify that the libuser is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. 
-Note: The example will be for a system that is configured to create user home directories in the "/home" directory. +Check the hashing algorithm that is being used to hash passwords with the following command: -$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; - Is it the case that any local initialization files are found to reference world-writable files? +$ sudo grep -i crypt_style /etc/libuser.conf + +crypt_style = sha512 + Is it the case that crypt_style is not set to sha512? - - Verify the umask setting is configured correctly in the /etc/profile file -or scripts within /etc/profile.d directory with the following command: -$ grep "umask" /etc/profile* -umask - Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", -or the "umask" parameter is missing or is commented out? + + To ensure ClientAliveInterval is set correctly, run the following command: + +$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config + +If properly configured, the output should be: +ClientAliveCountMax 0 + +In this case, the SSH timeout occurs precisely when +the ClientAliveInterval is set. + Is it the case that it is commented out or not configured properly? - - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -$ sudo grep "delete_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the mount_anyfile SELinux boolean is enabled: +$ getsebool mount_anyfile +If properly configured, the output should show the following: +mount_anyfile --> on + Is it the case that mount_anyfile is not enabled? - - Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. 
- -Check the owner of each audit tool by running the following command: + + To check the current idle time-out value, run the following command: +$ gsettings get org.gnome.desktop.session idle-delay +If properly configured, the output should be 'uint32 '. +To ensure that users cannot change the screensaver inactivity timeout setting, run the following: +$ grep idle-delay /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/session/idle-delay + Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />? + + + + Run the following command to determine if the dovecot package is installed: +$ rpm -q dovecot + Is it the case that the package is installed? + + + + To verify that null passwords cannot be used, run the following command: -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth -root /sbin/auditctl -root /sbin/aureport -root /sbin/ausearch -root /sbin/autrace -root /sbin/auditd -root /sbin/rsyslogd -root /sbin/augenrules - Is it the case that any audit tools are not owned by root? +If this produces any output, it may be possible to log into accounts +with empty passwords. Remove any instances of the nullok option to +prevent logins with empty passwords. + Is it the case that NULL passwords can be used? - - To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -$ sudo grep "lsetxattr" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the lsetxattr system call, run the following command: +$ sudo grep "lsetxattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? 
- - - - -Run the following command to determine if the virt_sandbox_use_all_caps SELinux boolean is disabled: -$ getsebool virt_sandbox_use_all_caps -If properly configured, the output should show the following: -virt_sandbox_use_all_caps --> off - Is it the case that virt_sandbox_use_all_caps is not disabled? 
@@ -367717,713 +367850,874 @@ virt_rw_qemu_ga_data --> off Is it the case that virt_rw_qemu_ga_data is not disabled? - - The runtime status of the net.ipv4.conf.all.arp_filter kernel parameter can be queried + + The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.arp_filter -. +$ sysctl net.ipv4.conf.all.rp_filter +The output of the command should indicate either: +net.ipv4.conf.all.rp_filter = 1 +or: +net.ipv4.conf.all.rp_filter = 2 +The output of the command should not indicate: +net.ipv4.conf.all.rp_filter = 0 - Is it the case that the correct value is not returned? - - - - Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan - Is it the case that the package is not installed? - - - - To check the ownership of /etc/cron.daily, -run the command: -$ ls -lL /etc/cron.daily -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.daily does not have an owner of root? - - - - To check the group ownership of /boot/efi/EFI/redhat/user.cfg, -run the command: -$ ls -lL /boot/efi/EFI/redhat/user.cfg -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /boot/efi/EFI/redhat/user.cfg does not have a group owner of root? +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent sysctl parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d +The command should not find any assignments other than: +net.ipv4.conf.all.rp_filter = 1 +or: +net.ipv4.conf.all.rp_filter = 2 + +Conflicting assignments are not allowed. + Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? - + -Run the following command to determine if the xdm_bind_vnc_tcp_port SELinux boolean is disabled: -$ getsebool xdm_bind_vnc_tcp_port -If properly configured, the output should show the following: -xdm_bind_vnc_tcp_port --> off - Is it the case that xdm_bind_vnc_tcp_port is not disabled? - - - - Check whether the maximum time period for existing passwords is restricted to days with the following commands: +If the system is configured to prevent the loading of the usb-storage kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow +These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword. -$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow - Is it the case that any results are returned that are not associated with a system account? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? 
- + -Run the following command to determine if the httpd_can_connect_zabbix SELinux boolean is disabled: -$ getsebool httpd_can_connect_zabbix +Run the following command to determine if the ftpd_use_nfs SELinux boolean is disabled: +$ getsebool ftpd_use_nfs If properly configured, the output should show the following: -httpd_can_connect_zabbix --> off - Is it the case that httpd_can_connect_zabbix is not disabled? +ftpd_use_nfs --> off + Is it the case that ftpd_use_nfs is not disabled? - - Run the following command to determine if the net-snmp package is installed: -$ rpm -q net-snmp - Is it the case that the package is installed? + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To check the password warning age, run the command: -$ grep PASS_WARN_AGE /etc/login.defs -The DoD requirement is 7. - Is it the case that it is not set to the required value? + + To ensure that the GPG key is installed, run: +$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey +The command should return the string below: +gpg(Red Hat, Inc. (release key 2) <security@redhat.com> + Is it the case that the Red Hat GPG Key is not installed? - - To verify whether audispd plugin off-loads audit records onto a different -system or media from the system being audited, run the following command: - -$ sudo grep -i remote_server /etc/audit/audisp-remote.conf + + The runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.arp_ignore +. -The output should return something similar to where REMOTE_SYSTEM -is an IP address or hostname: -remote_server = REMOTE_SYSTEM + Is it the case that the correct value is not returned? 
+ + + + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: -Determine which partition the audit records are being written to with the -following command: +$ grep "lock-session" /etc/tmux.conf -$ sudo grep log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log +bind X lock-session -Check the size of the partition that audit records are written to with the -following command and verify whether it is sufficiently large: +Then, verify that the /etc/tmux.conf file can be read by other users than root: -$ sudo df -h /var/log/audit/ -/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit - Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space? +$ sudo ls -al /etc/tmux.conf + Is it the case that the "lock-session" is not bound to a specific key? - - Verify Red Hat Enterprise Linux 8 is configured to lock an account until released by an administrator -after unsuccessful logon -attempts with the command: + + Find if logging is applied to the FTP daemon. +Procedures: -$ grep 'unlock_time =' /etc/security/faillock.conf -unlock_time = - Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />", -the line is missing, or commented out? +If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file: +$ grep vsftpd /etc/xinetd.d/* +$ grep server_args vsftpd xinetd.d startup file +This will indicate the vsftpd config file used when starting through xinetd. +If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. +$ sudo grep xferlog_enable vsftpd config file + Is it the case that xferlog_enable is missing, or is not set to yes? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudoedit" command with the following command: - -$ sudo auditctl -l | grep sudoedit + + --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit - Is it the case that the command does not return a line, or the line is commented out? +Run the following command to determine the current status of the +crond service: +$ sudo systemctl is-active crond +If the service is running, it should return the following: active + Is it the case that ? - - To determine if the system is configured to audit calls to the -query_module system call, run the following command: -$ sudo grep "query_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the httpd_use_openstack SELinux boolean is disabled: +$ getsebool httpd_use_openstack +If properly configured, the output should show the following: +httpd_use_openstack --> off + Is it the case that httpd_use_openstack is not disabled? - + -Run the following command to determine if the varnishd_connect_any SELinux boolean is disabled: -$ getsebool varnishd_connect_any +Run the following command to determine if the abrt_upload_watch_anon_write SELinux boolean is disabled: +$ getsebool abrt_upload_watch_anon_write If properly configured, the output should show the following: -varnishd_connect_any --> off - Is it the case that varnishd_connect_any is not disabled? +abrt_upload_watch_anon_write --> off + Is it the case that abrt_upload_watch_anon_write is not disabled? - - Verify the Red Hat Enterprise Linux 8 "fapolicyd" employs a deny-all, permit-by-exception policy. 
- -Check that "fapolicyd" is in enforcement mode with the following command: - -$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf - -permissive = 0 + + To verify that SSSD is configured for PAM services, run the following command: +$ sudo grep services /etc/sssd/sssd.conf +If configured properly, output should be similar to +services = pam + Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section? + + + + +Run the following command to determine if the git_system_use_cifs SELinux boolean is disabled: +$ getsebool git_system_use_cifs +If properly configured, the output should show the following: +git_system_use_cifs --> off + Is it the case that git_system_use_cifs is not disabled? + + + + Verify the nodev option is configured for the /var/tmp mount point, + run the following command: + $ sudo mount | grep '\s/var/tmp\s' + . . . /var/tmp . . . nodev . . . -Check that fapolicyd employs a deny-all policy on system mounts with the following commands: + Is it the case that the "/var/tmp" file system does not have the "nodev" option set? + + + + To ensure the X Windows package group is removed, run the following command: -For RHEL 8.5 systems and older: -$ sudo tail /etc/fapolicyd/fapolicyd.rules +$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland -For RHEL 8.6 systems and newer: -$ sudo tail /etc/fapolicyd/compiled.rules +For each package mentioned above you should receive following line: +package <package> is not installed + Is it the case that xorg related packages are not removed and run level is not correctly configured? + + + + To check the ownership of /etc/passwd-, +run the command: +$ ls -lL /etc/passwd- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/passwd- does not have an owner of root? 
+ + + + To determine if the system is configured to audit successful calls +to the creat system call, run the following command: +$ sudo grep "creat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -allow exe=/usr/bin/python3.7 : ftype=text/x-python -deny_audit perm=any pattern=ld_so : all -deny perm=any all : all - Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy? + Is it the case that no line is returned? - - To check that the portreserve service is disabled in system boot configuration, + + +Run the following command to determine if the use_lpd_server SELinux boolean is disabled: +$ getsebool use_lpd_server +If properly configured, the output should show the following: +use_lpd_server --> off + Is it the case that use_lpd_server is not disabled? + + + + To check the system for the existence of any .netrc files, run the following command: -$ sudo systemctl is-enabled portreserve -Output should indicate the portreserve service has either not been installed, +$ sudo find /home -xdev -name .netrc + Is it the case that any .netrc files exist? + + + + To check the ownership of /var/log, +run the command: +$ ls -lL /var/log +If properly configured, the output should indicate the following owner: +root + Is it the case that /var/log does not have an owner of root? + + + + To ensure the system is configured to ignore the Ctrl-Alt-Del setting, +enter the following command: +$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf +The output should return: +CtrlAltDelBurstAction=none + Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? 
+ + + + To check that the acpid service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled acpid +Output should indicate the acpid service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled portreserve disabled +$ sudo systemctl is-enabled acpid disabled -Run the following command to verify portreserve is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active portreserve +Run the following command to verify acpid is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active acpid If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the portreserve is masked, run the following command: -$ sudo systemctl show portreserve | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the acpid is masked, run the following command: +$ sudo systemctl show acpid | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "portreserve" is loaded and not masked? + Is it the case that the "acpid" is loaded and not masked? - - To check that the ypbind service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled ypbind -Output should indicate the ypbind service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled ypbind disabled + + The runtime status of the net.ipv6.conf.default.autoconf kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.autoconf +0. -Run the following command to verify ypbind is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active ypbind + Is it the case that the correct value is not returned? + + + + +Run the following command to determine if the dbadm_read_user_files SELinux boolean is disabled: +$ getsebool dbadm_read_user_files +If properly configured, the output should show the following: +dbadm_read_user_files --> off + Is it the case that dbadm_read_user_files is not disabled? + + + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. -If the service is not running the command will return the following output: -inactive +Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: -The service will also be masked, to check that the ypbind is masked, run the following command: -$ sudo systemctl show ypbind | grep "LoadState\|UnitFileState" +$ sudo grep disk_error_action /etc/audit/auditd.conf -If the service is masked the command will return the following outputs: +disk_error_action = HALT -LoadState=masked +If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. + Is it the case that there is no evidence of appropriate action? + + + + To check the ownership of /etc/cron.monthly, +run the command: +$ ls -lL /etc/cron.monthly +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.monthly does not have an owner of root? + + + + +Run the following command to determine if the daemons_enable_cluster_mode SELinux boolean is disabled: +$ getsebool daemons_enable_cluster_mode +If properly configured, the output should show the following: +daemons_enable_cluster_mode --> off + Is it the case that daemons_enable_cluster_mode is not disabled? 
+ + + + To determine if the system is configured to audit accesses to +/var/log/audit directory, run the following command: +$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + + + + -UnitFileState=masked - Is it the case that the "ypbind" is loaded and not masked? +Run the following command to determine the current status of the +postfix service: +$ sudo systemctl is-active postfix +If the service is running, it should return the following: active + Is it the case that the system is not a cross domain solution and the service is not enabled? - + -If the system is configured to prevent the loading of the mac80211 kernel module, + +Run the following command to determine the current status of the +auditd service: +$ sudo systemctl is-active auditd +If the service is running, it should return the following: active + Is it the case that the auditd service is not running? + + + + +If the system is configured to prevent the loading of the cramfs kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the mac80211 kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r mac80211 /etc/modprobe.conf /etc/modprobe.d +$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? 
- + + To verify that Audit Daemon is configured to flush to disk after +every records, run the following command: +$ sudo grep freq /etc/audit/auditd.conf +The output should return the following: +freq = + Is it the case that freq isn't set to <sub idref="var_auditd_freq" />? + + + + Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan + Is it the case that the package is not installed? + + + + Determine if there is a process for the uploading of files to the web site. +This process should include the requirement for the use of a secure encrypted +logon and secure encrypted connection. If the remote users are uploading files +without utilizing approved encryption methods, this is a finding. + Is it the case that it is not? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes iommu=force, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*iommu=force.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*iommu=force.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'iommu=force' +The command should not return any output. + Is it the case that I/OMMU is not activated? 
+ + + - - -To determine if firewalld is configured to allow access - -on port 22/tcp, run the following command(s): - firewall-cmd --list-ports - - -to ssh - firewall-cmd --list-services - -If firewalld is configured to allow access through the firewall, something similar to the following will be output: - -If it is a service: -ssh - - -If it is a port: -22/tcp - - Is it the case that sshd service is not enabled in the proper firewalld zone? +Run the following command to determine if the rsync_export_all_ro SELinux boolean is disabled: +$ getsebool rsync_export_all_ro +If properly configured, the output should show the following: +rsync_export_all_ro --> off + Is it the case that rsync_export_all_ro is not disabled? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEVKMEM /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + Run the following command to determine if the McAfeeTP package is installed: $ rpm -q McAfeeTP + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "init" command with the following command: - -$ sudo auditctl -l | grep init + + To verify the audispd plugin encrypts audit records off-loaded onto a different +system or media from the system being audited, run the following command: --a always,exit -F path=/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init - Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -i transport /etc/audit/audisp-remote.conf +The output should return the following: +transport = KRB5 + Is it the case that audispd is not encrypting audit records when sent over the network? 
- - To ensure that the GUI power settings are not active, run the following command: -$ gsettings get org.gnome.settings-daemon.plugins.power active -If properly configured, the output should be false. -To ensure that users cannot enable the power settings, run the following: -$ grep power /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/settings-daemon/plugins/power/active - Is it the case that power settings are enabled and are not disabled? + + To verify the nosuid option is configured for all NFS mounts, run +the following command: +$ mount | grep nfs +All NFS mounts should show the nosuid setting in parentheses. This +is not applicable if NFS is not implemented. + Is it the case that the setting does not show? - + + In order to be sure that the databases are up-to-date, run the +dconf update +command as the administrator. + Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles? + + + + Make sure that the kernel is not disabling SMAP with the following +commands. +grep -q nosmap /boot/config-`uname -r` +If the command returns a line, it means that SMAP is being disabled. + Is it the case that the kernel is configured to disable SMAP? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes rng_core.default_quality=, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*rng_core.default_quality=.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*rng_core.default_quality=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. 
+Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'rng_core.default_quality=' +The command should not return any output. + Is it the case that trust on hardware random number generator is not configured appropriately? + + + -Run the following command to determine if the gssd_read_tmp SELinux boolean is enabled: -$ getsebool gssd_read_tmp +Run the following command to determine if the mcelog_foreground SELinux boolean is disabled: +$ getsebool mcelog_foreground If properly configured, the output should show the following: -gssd_read_tmp --> on - Is it the case that gssd_read_tmp is not enabled? +mcelog_foreground --> off + Is it the case that mcelog_foreground is not disabled? - + -Run the following command to determine if the privoxy_connect_any SELinux boolean is disabled: -$ getsebool privoxy_connect_any +Run the following command to determine if the git_cgi_use_nfs SELinux boolean is disabled: +$ getsebool git_cgi_use_nfs If properly configured, the output should show the following: -privoxy_connect_any --> off - Is it the case that privoxy_connect_any is not disabled? +git_cgi_use_nfs --> off + Is it the case that git_cgi_use_nfs is not disabled? - - To check that the autofs service is disabled in system boot configuration, + + To check that the rhnsd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled autofs -Output should indicate the autofs service has either not been installed, +$ sudo systemctl is-enabled rhnsd +Output should indicate the rhnsd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled autofs disabled +$ sudo systemctl is-enabled rhnsd disabled -Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active autofs +Run the following command to verify rhnsd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active rhnsd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the autofs is masked, run the following command: -$ sudo systemctl show autofs | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the rhnsd is masked, run the following command: +$ sudo systemctl show rhnsd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "autofs" is loaded and not masked? + Is it the case that the "rhnsd" is loaded and not masked? - - To check that the mdmonitor service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled mdmonitor -Output should indicate the mdmonitor service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled mdmonitor disabled - -Run the following command to verify mdmonitor is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active mdmonitor - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the mdmonitor is masked, run the following command: -$ sudo systemctl show mdmonitor | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_VMAP_STACK /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
+ + + + To verify if the OpenSSL uses defined TLS Crypto Policy, run: +$ grep -P '^(TLS\.)?MinProtocol' /etc/crypto-policies/back-ends/opensslcnf.config +and verify that the value is +TLSv1.2 + Is it the case that cryptographic policy for openssl is not configured or is configured incorrectly? + + + + Verify the noauto option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . noauto . . . -UnitFileState=masked - Is it the case that the "mdmonitor" is loaded and not masked? + Is it the case that the "/boot" file system does not have the "noauto" option set? - + + To verify that all user initialization files have a mode of 0740 or +less permissive, run the following command: +$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) +There should be no output. + Is it the case that they are not 0740 or more permissive? + + + -Run the following command to determine if the dhcpd_use_ldap SELinux boolean is disabled: -$ getsebool dhcpd_use_ldap +Run the following command to determine if the nfs_export_all_rw SELinux boolean is enabled: +$ getsebool nfs_export_all_rw If properly configured, the output should show the following: -dhcpd_use_ldap --> off - Is it the case that dhcpd_use_ldap is not disabled? +nfs_export_all_rw --> on + Is it the case that nfs_export_all_rw is not enabled? - - To check that the zebra service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled zebra -Output should indicate the zebra service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled zebra disabled - -Run the following command to verify zebra is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active zebra + + +Run the following command to determine if the secure_mode_policyload SELinux boolean is disabled: +$ getsebool secure_mode_policyload +If properly configured, the output should show the following: +secure_mode_policyload --> off + Is it the case that secure_mode_policyload is not disabled? + + + + Verify that the default umask for all local interactive users is "077". -If the service is not running the command will return the following output: -inactive +Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. -The service will also be masked, to check that the zebra is masked, run the following command: -$ sudo systemctl show zebra | grep "LoadState\|UnitFileState" +Check all local interactive user initialization files for interactive users with the following command: -If the service is masked the command will return the following outputs: +Note: The example is for a system that is configured to create users home directories in the "/home" directory. -LoadState=masked +# grep -ri umask /home/ -UnitFileState=masked - Is it the case that the "zebra" is loaded and not masked? - - - - Run the following command to determine if the fapolicyd package is installed: $ rpm -q fapolicyd - Is it the case that the fapolicyd package is not installed? +/home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile +/home/smithj/.bash_history:grep -i umask /etc/login.defs + Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"? 
- - To determine if the system is configured to audit calls to the -unlink system call, run the following command: -$ sudo grep "unlink" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To ensure the gdm package group is removed, run the following command: -$ rpm -qi gdm -The output should be: -package gdm is not installed - Is it the case that gdm has not been removed? - - - - To determine how the SSH daemon's UsePAM option is set, run the following command: - -$ sudo grep -i UsePAM /etc/ssh/sshd_config + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -If a line indicating yes is returned, then the required value is set. +$ sudo auditctl -l | grep -E '(/etc/group)' - Is it the case that the required value is not set? +-w /etc/group -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? - - To ensure only SNMPv3 or newer is used, run the following command: -$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#" -There should be no output. - Is it the case that there is output? + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that the command does not return a line, or the line is commented out? - - The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.secure_redirects -0. 
- - Is it the case that the correct value is not returned? + + Run the following command to determine if the binutils package is installed: $ rpm -q binutils + Is it the case that the package is not installed? - + -Run the following command to determine if the httpd_mod_auth_ntlm_winbind SELinux boolean is disabled: -$ getsebool httpd_mod_auth_ntlm_winbind +Run the following command to determine if the xserver_execmem SELinux boolean is disabled: +$ getsebool xserver_execmem If properly configured, the output should show the following: -httpd_mod_auth_ntlm_winbind --> off - Is it the case that httpd_mod_auth_ntlm_winbind is not disabled? +xserver_execmem --> off + Is it the case that xserver_execmem is not disabled? - - Verify the nosuid option is configured for the /tmp mount point, - run the following command: - $ sudo mount | grep '\s/tmp\s' - . . . /tmp . . . nosuid . . . + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: - Is it the case that the "/tmp" file system does not have the "nosuid" option set? +$ sudo auditctl -l | grep chage + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage + Is it the case that the command does not return a line, or the line is commented out? - - To determine if the system is configured to make login UIDs immutable, run -one of the following commands. -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), run the following: -sudo grep immutable /etc/audit/rules.d/*.rules -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, run the following command: -sudo grep immutable /etc/audit/audit.rules -The following line should be returned: ---loginuid-immutable - Is it the case that the system is not configured to make login UIDs immutable? 
+ + To check that the psacct service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled psacct +Output should indicate the psacct service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled psacct disabled + +Run the following command to verify psacct is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active psacct + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the psacct is masked, run the following command: +$ sudo systemctl show psacct | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "psacct" is loaded and not masked? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_POISONING_ZERO /boot/config.* + $ grep CONFIG_HIBERNATION /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? - - To verify the operating system implements cryptography to protect the integrity of -remote ldap access sessions, run the following command: -$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf -The output should return the following with a correctly configured CA cert path: -ldap_tls_cacertdir /path/to/tls/cacert - Is it the case that the TLS CA cert is not configured? 
- - - - To ensure that users cannot change how long until the screensaver locks, run the following: -$ grep lock-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled - Is it the case that screensaver locking is not locked? - - - - To verify the nodev option is configured for non-root local partitions, run the following command: -$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' -The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. - - Is it the case that some mounts appear among output lines? - - - + -Run the following command to determine if the rsync_full_access SELinux boolean is disabled: -$ getsebool rsync_full_access +Run the following command to determine if the httpd_can_network_connect SELinux boolean is disabled: +$ getsebool httpd_can_network_connect If properly configured, the output should show the following: -rsync_full_access --> off - Is it the case that rsync_full_access is not disabled? +httpd_can_network_connect --> off + Is it the case that httpd_can_network_connect is not disabled? - - To determine if the system is configured to audit calls to the -chown system call, run the following command: -$ sudo grep "chown" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the samba-common package is installed: $ rpm -q samba-common + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 loads the driver with the following command: - -$ grep card_drivers /etc/opensc.conf + + The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_source_route +0. 
-card_drivers = ; - Is it the case that "<sub idref="var_smartcard_drivers" />" is not listed as a card driver, or there is no line returned for "card_drivers"? + Is it the case that the correct value is not returned? - - To determine if the system is configured to audit successful calls -to the openat system call, run the following command: -$ sudo grep "openat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that Audit Daemon is configured to resolve all uid, gid, syscall, +architecture, and socket address information before writing the event to disk, +run the following command: +$ sudo grep log_format /etc/audit/auditd.conf +The output should return the following: +log_format = ENRICHED + Is it the case that log_format isn't set to ENRICHED? - - Check that the symlink exists and target the correct Kerberos crypto policy, with the following command: -file /etc/krb5.conf.d/crypto-policies -If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. -/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config - Is it the case that the symlink does not exist or points to a different target? + + To check the group ownership of /boot/grub2/grub.cfg, +run the command: +$ ls -lL /boot/grub2/grub.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /boot/grub2/grub.cfg does not have a group owner of root? - - To determine if logfile has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that logfile is not enabled in sudo? 
+ + +Run the following command to determine if the httpd_can_connect_zabbix SELinux boolean is disabled: +$ getsebool httpd_can_connect_zabbix +If properly configured, the output should show the following: +httpd_can_connect_zabbix --> off + Is it the case that httpd_can_connect_zabbix is not disabled? - + -Run the following command to determine if the logrotate_use_nfs SELinux boolean is disabled: -$ getsebool logrotate_use_nfs +Run the following command to determine if the polipo_use_cifs SELinux boolean is disabled: +$ getsebool polipo_use_cifs If properly configured, the output should show the following: -logrotate_use_nfs --> off - Is it the case that logrotate_use_nfs is not disabled? +polipo_use_cifs --> off + Is it the case that polipo_use_cifs is not disabled? - + + Display the contents of the file /etc/systemd/logind.conf: +cat /etc/systemd/logind.conf +Ensure that there is a section [login] which contains the +configuration StopIdleSessionSec=. + Is it the case that the option is not configured? + + + -If the system is configured to prevent the loading of the tipc kernel module, +If the system is configured to prevent the loading of the iwlmvm kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the iwlmvm kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d +$ grep -r iwlmvm /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? 
- - -Run the following command to determine if the nscd_use_shm SELinux boolean is enabled: -$ getsebool nscd_use_shm -If properly configured, the output should show the following: -nscd_use_shm --> on - Is it the case that nscd_use_shm is not enabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODIFY_LDT_SYSCALL /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? - - - - Run the following command to determine if the iprutils package is installed: -$ rpm -q iprutils - Is it the case that the package is installed? + + To determine if the system is configured to audit calls to the +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify that rules for unsuccessful calls of the open syscall are in the order shown below. + + Verify Red Hat Enterprise Linux 8 shell initialization file is configured to start each shell with the tmux terminal multiplexer. - If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". - If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. 
+Determine the location of the tmux script with the following command: - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +$ sudo grep tmux /etc/bashrc /etc/profile.d/* - If the system is 64 bit then also add the following lines: +/etc/profile.d/tmux.sh: case "$name" in (sshd|login) tmux ;; esac - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - Is it the case that the rules are in a different order? 
+Review the tmux script by using the following example: + +$ cat /etc/profile.d/tmux.sh + +if [ "$PS1" ]; then +parent=$(ps -o ppid= -p $$) +name=$(ps -o comm= -p $parent) +case "$name" in (sshd|login) tmux ;; esac +fi + +If the shell file is not configured as the example above, is commented out, or is missing, this is a finding. + +Determine if tmux is currently running with the following command: + +$ sudo ps all | grep tmux | grep -v grep + Is it the case that the command does not produce output? - - To check the permissions of /usr/bin/sudo, + + To check the permissions of /etc/passwd, run the command: -$ ls -l /usr/bin/sudo +$ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: ----s--x--- - Is it the case that /usr/bin/sudo does not have unix mode ---s--x---? +-rw-r--r-- + Is it the case that /etc/passwd does not have unix mode -rw-r--r--? - - To check if the system login banner is compliant, -run the following command: -$ cat /etc/issue - Is it the case that it does not display the required banner? + + +Run the following command to determine if the glance_api_can_network SELinux boolean is disabled: +$ getsebool glance_api_can_network +If properly configured, the output should show the following: +glance_api_can_network --> off + Is it the case that glance_api_can_network is not disabled? - + -Run the following command to determine if the virt_use_sanlock SELinux boolean is disabled: -$ getsebool virt_use_sanlock +Run the following command to determine if the samba_export_all_ro SELinux boolean is disabled: +$ getsebool samba_export_all_ro If properly configured, the output should show the following: -virt_use_sanlock --> off - Is it the case that virt_use_sanlock is not disabled? +samba_export_all_ro --> off + Is it the case that samba_export_all_ro is not disabled? - - Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf -files to ensure appropriate logging is set. 
In addition, run the following command: -ls -l /var/log/ -and verify that the log files are logging information - Is it the case that no logging is configured? + + Verify that a separate file system/partition has been created for /home with the following command: + +$ mountpoint /home + + Is it the case that "/home is not a mountpoint" is returned? - - -Run the following command to determine if the cobbler_use_nfs SELinux boolean is disabled: -$ getsebool cobbler_use_nfs -If properly configured, the output should show the following: -cobbler_use_nfs --> off - Is it the case that cobbler_use_nfs is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEBUG_SG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + + To verify if the OpenSSH Client uses defined Crypto Policy, run: +$ cat /etc/ssh/ssh_config.d/02-ospp.conf +and verify that the line matches +Match final all +RekeyLimit 512M 1h +GSSAPIAuthentication no +Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc +PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 +MACs hmac-sha2-512,hmac-sha2-256 +KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 + Is it the case that Crypto Policy for OpenSSH Client is not configured according to CC requirements? + + + To determine if the system is configured to audit calls to the -create_module system call, run the following command: -$ sudo grep "create_module" /etc/audit/audit.* +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? 
- - Verify that Red Hat Enterprise Linux 8 is configured to prevent unrestricted mail relaying, -run the following command: -$ sudo postconf -n smtpd_client_restrictions - Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"? + + +Run the following command to determine if the glance_use_execmem SELinux boolean is disabled: +$ getsebool glance_use_execmem +If properly configured, the output should show the following: +glance_use_execmem --> off + Is it the case that glance_use_execmem is not disabled? - - To verify the audispd plugin encrypts audit records off-loaded onto a different -system or media from the system being audited, run the following command: - -$ sudo grep -i transport /etc/audit/audisp-remote.conf -The output should return the following: -transport = KRB5 - Is it the case that audispd is not encrypting audit records when sent over the network? + + Find the list of alias maps used by the Postfix mail server: +$ sudo postconf alias_maps +Query the Postfix alias maps for an alias for the root user: +$ sudo postmap -q root hash:/etc/aliases +The output should return an alias. + Is it the case that the alias is not set? - + -Run the following command to determine if the login_console_enabled SELinux boolean is enabled: -$ getsebool login_console_enabled +Run the following command to determine if the xend_run_qemu SELinux boolean is enabled: +$ getsebool xend_run_qemu If properly configured, the output should show the following: -login_console_enabled --> on - Is it the case that login_console_enabled is not enabled? +xend_run_qemu --> on + Is it the case that xend_run_qemu is not enabled? 
- - Verify that the interactive user account passwords last change time is not in the future -The following command should return no output -$ sudo expiration=$(cat /etc/shadow|awk -F ':' '{print $3}'); -for edate in ${expiration[@]}; do if [[ $edate > $(( $(date +%s)/86400 )) ]]; -then echo "Expiry date in future"; -fi; done - Is it the case that any interactive user password that has last change time in the future? + + To verify the boot loader superuser password has been set, run the following command: +$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg +The output should be similar to: +GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC +2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 +916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 +0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 + Is it the case that no password is set? - - To verify the sec option is configured for all NFS mounts, run the following command: -$ grep "sec=" /etc/exports -All configured NFS exports should show the sec=krb5:krb5i:krb5p setting in parentheses. -This is not applicable if NFS is not implemented. - Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? + + +Run the following command to determine if the samba_export_all_rw SELinux boolean is disabled: +$ getsebool samba_export_all_rw +If properly configured, the output should show the following: +samba_export_all_rw --> off + Is it the case that samba_export_all_rw is not disabled? + + + + To determine if the system is configured to audit calls to the +rename system call, run the following command: +$ sudo grep "rename" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
@@ -368435,327 +368729,351 @@ mplayer_execstack --> off Is it the case that mplayer_execstack is not disabled? - - To check the ownership of /boot/efi/EFI/redhat/grub.cfg, + + Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: + +$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + +The output should be: + +/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 + Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? + + + + To check the group ownership of /etc/at.allow, run the command: -$ ls -lL /boot/efi/EFI/redhat/grub.cfg -If properly configured, the output should indicate the following owner: +$ ls -lL /etc/at.allow +If properly configured, the output should indicate the following group-owner: root - Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have an owner of root? + Is it the case that /etc/at.allow does not have a group owner of root? - + -Run the following command to determine if the mpd_use_nfs SELinux boolean is disabled: -$ getsebool mpd_use_nfs +Run the following command to determine if the fenced_can_ssh SELinux boolean is disabled: +$ getsebool fenced_can_ssh If properly configured, the output should show the following: -mpd_use_nfs --> off - Is it the case that mpd_use_nfs is not disabled? +fenced_can_ssh --> off + Is it the case that fenced_can_ssh is not disabled? - - Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/password-auth file -and is configured to prohibit password reuse for a minimum of -generations. 
- -Verify the "/etc/pam.d/password-auth" file with the following command: - -$ grep pam_pwhistory.so /etc/pam.d/password-auth -password pam_pwhistory.so use_authtok remember= - - -Verify the "/etc/security/pwhistory.conf" file using the following command: - -$ grep remember /etc/security/pwhistory.conf -remember = - -The pam_pwhistory.so "remember" option must be configured only in one file. - Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in -/etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set -with a value less than "<sub idref="var_password_pam_remember" />"? + + +Run the following command to determine if the httpd_use_gpg SELinux boolean is disabled: +$ getsebool httpd_use_gpg +If properly configured, the output should show the following: +httpd_use_gpg --> off + Is it the case that httpd_use_gpg is not disabled? - - The runtime status of the net.ipv4.ip_forward kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.ip_forward -0. -The ability to forward packets is only appropriate for routers. - Is it the case that the correct value is not returned? + + Locate the directories containing the CGI scripts. These directories should be +language-specific (e.g., PERL, ASP, JS, JSP, etc.). Examine the file permissions +on the directories using the following command: +ls -l directories +Anonymous FTP users must not have access to these directories. + Is it the case that it is not? - - To verify that McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) -are installed, run the following command(s): -$ rpm -q MFEcma -$ rpm -q MFErt - Is it the case that the HBSS HIPS module is not installed? 
+ + +Run the following command to determine if the httpd_builtin_scripting SELinux boolean is disabled: +$ getsebool httpd_builtin_scripting +If properly configured, the output should show the following: +httpd_builtin_scripting --> off + Is it the case that httpd_builtin_scripting is not disabled? - - To verify that packages comprising the available updates will be automatically installed by dnf-automatic, run the following command: -$ sudo grep apply_updates /etc/dnf/automatic.conf -The output should return the following: -apply_updates = yes - Is it the case that apply_updates is not set to yes? + + Verify that yum verifies the signature of packages from a repository prior to install with the following command: + +$ grep gpgcheck /etc/yum.conf + +gpgcheck=1 + +If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. + Is it the case that there is no process to validate certificates that is approved by the organization? - - + + Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . -Run the following command to determine the current status of the -nftables service: -$ sudo systemctl is-active nftables -If the service is running, it should return the following: active - Is it the case that the "nftables" service is disabled, masked, or not started.? + +Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: +$ grep retry /etc/security/pwquality.conf + Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing? 
- - + + To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: -Run the following command to determine the current status of the -cron service: -$ sudo systemctl is-active cron -If the service is running, it should return the following: active - Is it the case that ? +$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - -Run the following command to determine if the httpd_manage_ipa SELinux boolean is disabled: -$ getsebool httpd_manage_ipa -If properly configured, the output should show the following: -httpd_manage_ipa --> off - Is it the case that httpd_manage_ipa is not disabled? + + To check the ownership of /var/log/syslog, +run the command: +$ ls -lL /var/log/syslog +If properly configured, the output should indicate the following owner: +syslog + Is it the case that /var/log/syslog does not have an owner of syslog? - - To determine if the system is configured to audit unsuccessful calls -to the chmod system call, run the following command: -$ sudo grep "chmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: - Is it the case that no line is returned? +$ grep maxrepeat /etc/security/pwquality.conf + +maxrepeat = + Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out? - - To check if compression is enabled or set correctly, run the -following command: -$ sudo grep Compression /etc/ssh/sshd_config -If configured properly, output should be no or delayed. - Is it the case that it is commented out, or is not set to no or delayed? 
+ + To check that the named service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled named +Output should indicate the named service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled named disabled + +Run the following command to verify named is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active named + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the named is masked, run the following command: +$ sudo systemctl show named | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "named" is loaded and not masked? - - To verify that remote access methods are logging to rsyslog, -run the following command: -grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.* -The output should contain auth.*, authpriv.*, and daemon.* -pointing to a log file. - Is it the case that remote access methods are not logging to rsyslog? + + +Run the following command to determine if the webadm_manage_user_files SELinux boolean is disabled: +$ getsebool webadm_manage_user_files +If properly configured, the output should show the following: +webadm_manage_user_files --> off + Is it the case that webadm_manage_user_files is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY_YAMA /boot/config.* + $ grep CONFIG_IA32_EMULATION /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? 
- - To check if the installed Operating System is 64-bit, run the following command: -$ uname -m -The output should be one of the following: x86_64, aarch64, ppc64le or s390x. -If the output is i686 or i386 the operating system is 32-bit. -Check if the installed CPU supports 64-bit operating systems by running the following command: -$ lscpu | grep "CPU op-mode" -If the output contains 64bit, the CPU supports 64-bit operating systems. - Is it the case that the installed operating sytem is 32-bit but the CPU supports operation in 64-bit? - - - - -Run the following command to determine if the mozilla_read_content SELinux boolean is disabled: -$ getsebool mozilla_read_content -If properly configured, the output should show the following: -mozilla_read_content --> off - Is it the case that mozilla_read_content is not disabled? + + The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra +0. + + Is it the case that the correct value is not returned? - - Verify all local interactive users on Red Hat Enterprise Linux 8 are assigned a home -directory upon creation with the following command: -$ grep -i create_home /etc/login.defs -CREATE_HOME yes - Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out? + + To determine how the SSH daemon's PrintLastLog option is set, run the following command: + +$ sudo grep -i PrintLastLog /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_REFCOUNT_FULL /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + Verify that the system backups user data. 
+ Is it the case that it is not? - - To ensure a login warning banner is enabled, run the following: -$ grep banner-message-enable /etc/dconf/db/gdm.d/* -If properly configured, the output should be true. -To ensure a login warning banner is locked and cannot be changed by a user, run the following: -$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. - Is it the case that it is not? + + Verify the system-wide shared library directories are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; + +If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding. + Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account? - + -Run the following command to determine if the xguest_exec_content SELinux boolean is disabled: -$ getsebool xguest_exec_content +Run the following command to determine if the openvpn_run_unconfined SELinux boolean is disabled: +$ getsebool openvpn_run_unconfined If properly configured, the output should show the following: -xguest_exec_content --> off - Is it the case that xguest_exec_content is not disabled? +openvpn_run_unconfined --> off + Is it the case that openvpn_run_unconfined is not disabled? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_HARDENED_USERCOPY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit successful calls +to the unlink system call, run the following command: +$ sudo grep "unlink" /etc/audit.* +If the system is configured to audit this activity, it will return a line. 
+ + Is it the case that no line is returned? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes mce=0, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*mce=0.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*mce=0.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'mce=0' -The command should not return any output. - Is it the case that MCE tolerance is not set to zero? + + +Run the following command to determine if the use_ecryptfs_home_dirs SELinux boolean is disabled: +$ getsebool use_ecryptfs_home_dirs +If properly configured, the output should show the following: +use_ecryptfs_home_dirs --> off + Is it the case that use_ecryptfs_home_dirs is not disabled? - - To check the ownership of /boot/grub2/user.cfg, + + To check the ownership of /etc/cron.daily, run the command: -$ ls -lL /boot/grub2/user.cfg +$ ls -lL /etc/cron.daily If properly configured, the output should indicate the following owner: root - Is it the case that /boot/grub2/user.cfg does not have an owner of root? - - - - Inspect /etc/login.defs and ensure that if eihter -SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS -are set, they must have the minimum value of 5000. - Is it the case that it does not? + Is it the case that /etc/cron.daily does not have an owner of root? - - Verify that a separate file system/partition has been created for /opt with the following command: - -$ mountpoint /opt - - Is it the case that "/opt is not a mountpoint" is returned? 
+ + The document, DoDI 8500.01, establishes the policy on the use of DoD +information systems. It requires the use of a standard Notice and Consent Banner +and standard text to be included in user agreements. The banner should be set +to the following: + Is it the case that it is not display the required banner? - - -Run the following command to determine if the auditadm_exec_content SELinux boolean is enabled: -$ getsebool auditadm_exec_content -If properly configured, the output should show the following: -auditadm_exec_content --> on - Is it the case that auditadm_exec_content is not enabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECCOMP /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.forwarding -0. -The ability to forward packets is only appropriate for routers. - Is it the case that IP forwarding value is "1" and the system is not router? + + To verify the number of rounds for the password hashing algorithm is configured, run the following command: +$ sudo grep rounds /etc/pam.d/password-auth +The output should show the following match: +password sufficient pam_unix.so sha512 rounds= + Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? - - To verify that Samba clients running smbclient must use packet signing, run the following command: -$ grep signing /etc/samba/smb.conf -The output should show: -client signing = mandatory - Is it the case that it is not? 
+ + + +Run the following command to determine the current status of the +nftables service: +$ sudo systemctl is-active nftables +If the service is running, it should return the following: active + Is it the case that the "nftables" service is disabled, masked, or not started.? - - To view the root user's PATH, run the following command: -$ sudo env | grep PATH -If correctly configured, the PATH must: use vendor default settings, -have no empty entries, and have no entries beginning with a character -other than a slash (/). - Is it the case that any of these conditions are not met? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules +The output has to be exactly as follows: +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access + Is it the case that the file does not exist or the content differs? - + -Run the following command to determine if the cobbler_anon_write SELinux boolean is disabled: -$ getsebool cobbler_anon_write +Run the following command to determine if the httpd_execmem SELinux boolean is disabled: +$ getsebool httpd_execmem If properly configured, the output should show the following: -cobbler_anon_write --> off - Is it the case that cobbler_anon_write is not disabled? 
+httpd_execmem --> off + Is it the case that httpd_execmem is not disabled? - - To check the permissions of /etc/cron.allow, -run the command: -$ ls -l /etc/cron.allow -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/cron.allow does not have unix mode -rw-------? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes pti=on, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'pti=on' +The command should not return any output. + Is it the case that Kernel page-table isolation is not enabled? - + -Run the following command to determine if the cluster_use_execmem SELinux boolean is disabled: -$ getsebool cluster_use_execmem -If properly configured, the output should show the following: -cluster_use_execmem --> off - Is it the case that cluster_use_execmem is not disabled? + +Run the following command to determine the current status of the +sshd service: +$ sudo systemctl is-active sshd +If the service is running, it should return the following: active + Is it the case that sshd service is disabled? - - To check if the system motd banner is compliant, -run the following command: -$ cat /etc/motd - Is it the case that it does not display the required banner? 
+ + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules +The output has to be exactly as follows: +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification + Is it the case that the file does not exist or the content differs? 
- + -Run the following command to determine if the nis_enabled SELinux boolean is disabled: -$ getsebool nis_enabled +Run the following command to determine if the httpd_can_network_connect_db SELinux boolean is disabled: +$ getsebool httpd_can_network_connect_db If properly configured, the output should show the following: -nis_enabled --> off - Is it the case that nis_enabled is not disabled? +httpd_can_network_connect_db --> off + Is it the case that httpd_can_network_connect_db is not disabled? - - To ensure that wireless network notification is disabled, run the following command: -$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available -If properly configured, the output should be true. -To ensure that users cannot enable wireless notification, run the following: -$ grep wireless-networks-available /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/nm-applet/suppress-wireless-networks-available - Is it the case that wireless network notification is enabled and not disabled? + + To check the group ownership of /usr/bin/sudo, +run the command: +$ ls -lL /usr/bin/sudo +If properly configured, the output should indicate the following group-owner: + + Is it the case that /usr/bin/sudo does not have a group owner of <sub idref="var_sudo_dedicated_group" />? + + + + The runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.drop_gratuitous_arp +1. + + Is it the case that the correct value is not returned? 
@@ -368770,235 +369088,333 @@ The output has to be exactly as follows: Is it the case that the file does not exist or the content differs? - - To determine how the SSH daemon's X11Forwarding option is set, run the following command: + + Configure the public web server to not have a trusted relationship with +any system resources that is also not accessible to the public. Web +content is not to be shared via Microsoft shares or NFS mounts. -$ sudo grep -i X11Forwarding /etc/ssh/sshd_config +Determine whether the public web server has a two-way trust relationship +with any private asset located within the network. Private web server +resources (e.g. drives, folders, printers, etc.) will not be directly +mapped to or shared with public web servers. + Is it the case that sharing is selected for any web folder, this is a finding. -If a line indicating no is returned, then the required value is set. +If private resources (e.g. drives, partitions, folders/directories, +printers, etc.) are sharedw ith the public web server? + + + + Verify Red Hat Enterprise Linux 8 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: - Is it the case that the required value is not set? +# grep -i umask /etc/login.defs + +UMASK + Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out? - - To find world-writable directories that lack the sticky bit, run the following command: -$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null -fixtext: |- -Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. + + Verify the nodev option is configured for the /var/log mount point, + run the following command: + $ sudo mount | grep '\s/var/log\s' + . . . /var/log . . . nodev . 
. . -Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: + Is it the case that the "/var/log" file system does not have the "nodev" option set? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PAGE_POISONING /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To verify that Audit Daemon is configured to record the computer node +name in the audit events, run the following command: +$ sudo grep name_format /etc/audit/auditd.conf +The output should return the following: +name_format = + Is it the case that name_format isn't set to <sub idref="var_auditd_name_format" />? + + + + Verify that Red Hat Enterprise Linux 8 enforces password complexity rules for the root account. -$ chmod a+t [World-Writable Directory] -srg_requirement: -A sticky bit must be set on all Red Hat Enterprise Linux 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. - Is it the case that any world-writable directories are missing the sticky bit? +Check if root user is required to use complex passwords with the following command: + +$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +/etc/security/pwquality.conf:enforce_for_root + Is it the case that "enforce_for_root" is commented or missing? - - The runtime status of the net.ipv6.conf.default.autoconf kernel parameter can be queried + + Verify that the IPSec service uses the system crypto policy. + +If the ipsec service is not installed is not applicable. 
+ +Check to see if the "IPsec" service is active with the following command: + +$ systemctl status ipsec + +ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec +Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) +Active: inactive (dead) + +If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: + +$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf + +/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config + Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>? + + + + +Run the following command to determine if the cdrecord_read_content SELinux boolean is disabled: +$ getsebool cdrecord_read_content +If properly configured, the output should show the following: +cdrecord_read_content --> off + Is it the case that cdrecord_read_content is not disabled? + + + + The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.default.autoconf -0. +$ sysctl kernel.perf_event_paranoid +2. Is it the case that the correct value is not returned? - - Verify the nodev option is configured for the /var/log/audit mount point, + + Verify the nosuid option is configured for the /tmp mount point, run the following command: - $ sudo mount | grep '\s/var/log/audit\s' - . . . /var/log/audit . . . nodev . . . + $ sudo mount | grep '\s/tmp\s' + . . . /tmp . . . nosuid . . . - Is it the case that the "/var/log/audit" file system does not have the "nodev" option set? - - - - Run the following command to ensure postfix routes mail to this system: -$ grep relayhost /etc/postfix/main.cf -If properly configured, the output should show only . - Is it the case that it is not? + Is it the case that the "/tmp" file system does not have the "nosuid" option set? 
- - Run the following command to determine if the abrt-plugin-sosreport package is installed: -$ rpm -q abrt-plugin-sosreport - Is it the case that the package is installed? + + To check that the screen locks immediately when activated, run the following command: +$ gsettings get org.gnome.desktop.screensaver lock-delay +If properly configured, the output should be 'uint32 '. + Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />? - + -Run the following command to determine if the minidlna_read_generic_user_content SELinux boolean is disabled: -$ getsebool minidlna_read_generic_user_content +Run the following command to determine if the cluster_can_network_connect SELinux boolean is disabled: +$ getsebool cluster_can_network_connect If properly configured, the output should show the following: -minidlna_read_generic_user_content --> off - Is it the case that minidlna_read_generic_user_content is not disabled? +cluster_can_network_connect --> off + Is it the case that cluster_can_network_connect is not disabled? - - Verify Red Hat Enterprise Linux 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: + + +If the system is configured to prevent the loading of the tipc kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -$ sudo grep -w space_left_action /etc/audit/auditd.conf +These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword. 
-space_left_action = +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + -If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. - Is it the case that there is no evidence that real-time alerts are configured on the system? +Run the following command to determine the current status of the +usbguard service: +$ sudo systemctl is-active usbguard +If the service is running, it should return the following: active + Is it the case that the service is not enabled? - - Run the following command to determine if the cronie-anacron package is installed: -$ rpm -q cronie-anacron - Is it the case that the package is installed? + + +Run the following command to determine if the virt_sandbox_use_netlink SELinux boolean is disabled: +$ getsebool virt_sandbox_use_netlink +If properly configured, the output should show the following: +virt_sandbox_use_netlink --> off + Is it the case that virt_sandbox_use_netlink is not disabled? - - To check that the nfs-server service is disabled in system boot configuration, + + To check that the sysstat service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled nfs-server -Output should indicate the nfs-server service has either not been installed, +$ sudo systemctl is-enabled sysstat +Output should indicate the sysstat service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled nfs-server disabled +$ sudo systemctl is-enabled sysstat disabled -Run the following command to verify nfs-server is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active nfs-server +Run the following command to verify sysstat is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active sysstat If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the nfs-server is masked, run the following command: -$ sudo systemctl show nfs-server | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the sysstat is masked, run the following command: +$ sudo systemctl show sysstat | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "nfs-server" is loaded and not masked? + Is it the case that the "sysstat" is loaded and not masked? - - - -Run the following command to determine the current status of the -chronyd service: -$ sudo systemctl is-active chronyd -If the service is running, it should return the following: active - + + Run the following command to determine if the quagga package is installed: +$ rpm -q quagga + Is it the case that the package is installed? + + + + The runtime status of the vm.mmap_min_addr kernel parameter can be queried +by running the following command: +$ sysctl vm.mmap_min_addr +65536. -Run the following command to determine the current status of the -ntpd service: -$ sudo systemctl is-active ntpd -If the service is running, it should return the following: active - Is it the case that ? + Is it the case that the correct value is not returned? - - To ensure that remote access requires credentials, run the following command: -$ gsettings get org.gnome.Vino authentication-methods -If properly configured, the output should be false. 
-To ensure that users cannot disable credentials for remote access, run the following: -$ grep authentication-methods /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/Vino/authentication-methods - Is it the case that wireless network notification is enabled and not disabled? + + +Run the following command to determine if the virt_use_execmem SELinux boolean is disabled: +$ getsebool virt_use_execmem +If properly configured, the output should show the following: +virt_use_execmem --> off + Is it the case that virt_use_execmem is not disabled? - - Run the following command to determine if the gssproxy package is installed: -$ rpm -q gssproxy - Is it the case that the package is installed? + + To check the group ownership of /etc/shadow, +run the command: +$ ls -lL /etc/shadow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/shadow does not have a group owner of root? - - Verify the noexec option is configured for the /var/tmp mount point, - run the following command: - $ sudo mount | grep '\s/var/tmp\s' - . . . /var/tmp . . . noexec . . . - - Is it the case that the "/var/tmp" file system does not have the "noexec" option set? + + To check the permissions of /etc/gshadow-, +run the command: +$ ls -l /etc/gshadow- +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/gshadow- does not have unix mode ----------? - - To check that the acpid service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled acpid -Output should indicate the acpid service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled acpid disabled - -Run the following command to verify acpid is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active acpid - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the acpid is masked, run the following command: -$ sudo systemctl show acpid | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: + + +Run the following command to determine if the virt_use_samba SELinux boolean is disabled: +$ getsebool virt_use_samba +If properly configured, the output should show the following: +virt_use_samba --> off + Is it the case that virt_use_samba is not disabled? + + + + To ensure the splash screen is configured not to show user name, run the following command: +$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar +If properly configured, the output should be false. +To ensure that users cannot enable user name on the lock screen, run the following: +$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar + Is it the case that it is not set or configured properly? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -LoadState=masked + Is it the case that no line is returned? + + + + -UnitFileState=masked - Is it the case that the "acpid" is loaded and not masked? +Run the following command to determine the current status of the +systemd-journald service: +$ sudo systemctl is-active systemd-journald +If the service is running, it should return the following: active + Is it the case that the systemd-journald service is not running? 
- - Run the following command to determine if the avahi-autoipd package is installed: -$ rpm -q avahi-autoipd - Is it the case that the package is installed? + + Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf +files to ensure appropriate logging is set. In addition, run the following command: +ls -l /var/log/ +and verify that the log files are logging information + Is it the case that no logging is configured? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_ACPI_CUSTOM_METHOD /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that HBSS ACCM is installed, run the following command(s): +$ sudo ls /opt/McAfee/accm/bin/accm + Is it the case that the HBSS ACCM module is not installed? - - To verify that Linux Audit logging is enabled for the USBGuard daemon, -run the following command: -$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf -The output should be -AuditBackend=LinuxAudit - Is it the case that AuditBackend is not set to LinuxAudit? + + To check the group ownership of /etc/cron.d, +run the command: +$ ls -lL /etc/cron.d +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.d does not have a group owner of root? - - Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils - Is it the case that the policycoreutils package is not installed? + + +Run the following command to determine if the domain_fd_use SELinux boolean is enabled: +$ getsebool domain_fd_use +If properly configured, the output should show the following: +domain_fd_use --> on + Is it the case that domain_fd_use is not enabled? 
- - The runtime status of the kernel.dmesg_restrict kernel parameter can be queried -by running the following command: -$ sysctl kernel.dmesg_restrict -1. + + Verify the usrquota option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . usrquota . . . - Is it the case that the correct value is not returned? + Is it the case that the "/home" file system does not have the "usrquota" option set? - - Verify that yum verifies the signature of packages from a repository prior to install with the following command: + + Run the following command to determine if the geolite2-city package is installed: +$ rpm -q geolite2-city + Is it the case that the package is installed? + + + + To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: -$ grep gpgcheck /etc/yum.conf +$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config -gpgcheck=1 +If a line indicating no is returned, then the required value is set. -If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. - Is it the case that there is no process to validate certificates that is approved by the organization? + Is it the case that the required value is not set? - - To check the permissions of /boot/grub2/grub.cfg, run the command: -$ sudo ls -lL /boot/grub2/grub.cfg -If properly configured, the output should indicate the following -permissions: -rw------- - Is it the case that it does not? + + To check the group ownership of /etc/gshadow, +run the command: +$ ls -lL /etc/gshadow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/gshadow does not have a group owner of root? 
@@ -369017,1676 +369433,1870 @@ offline_credentials_expiration = 1 Is it the case that it does not exist or is not configured properly? - - To determine if !authenticate has not been configured for sudo, run the following command: -$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that !authenticate is specified in the sudo config files? + + Run the following command to determine if the rsh-server package is installed: +$ rpm -q rsh-server + Is it the case that the package is installed? - - -Run the following command to determine if the xserver_clients_write_xshm SELinux boolean is disabled: -$ getsebool xserver_clients_write_xshm -If properly configured, the output should show the following: -xserver_clients_write_xshm --> off - Is it the case that xserver_clients_write_xshm is not disabled? + + Inspect the list of enabled firewall ports and verify they are configured correctly by running +the following command: + +$ sudo firewall-cmd --list-all + +Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. + Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured? - - To determine if the system is configured to audit unsuccessful calls -to the lsetxattr system call, run the following command: -$ sudo grep "lsetxattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the libreport-plugin-rhtsupport package is installed: +$ rpm -q libreport-plugin-rhtsupport + Is it the case that the package is installed? 
- - To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: - -$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config + + +To properly set the permissions of /etc/audit/, run the command: +$ sudo chmod 0640 /etc/audit/ -If a line indicating yes is returned, then the required value is set. +To properly set the permissions of /etc/audit/rules.d/, run the command: +$ sudo chmod 0640 /etc/audit/rules.d/ + Is it the case that ? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY_YAMA /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To determine if the system is configured to audit calls to the +create_module system call, run the following command: +$ sudo grep "create_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the required value is not set? + Is it the case that no line is returned? - - -Run the following command to determine if the wine_mmap_zero_ignore SELinux boolean is disabled: -$ getsebool wine_mmap_zero_ignore -If properly configured, the output should show the following: -wine_mmap_zero_ignore --> off - Is it the case that wine_mmap_zero_ignore is not disabled? + + To ensure only SNMPv3 or newer is used, run the following command: +$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#" +There should be no output. + Is it the case that there is output? - + Run the following command to determine the current status of the -syslog-ng service: -$ sudo systemctl is-active syslog-ng +chronyd service: +$ sudo systemctl is-active chronyd If the service is running, it should return the following: active - Is it the case that the "syslog-ng" service is disabled, masked, or not started.? 
+ Is it the case that the chronyd process is not running? - - Run the following command to determine if the abrt package is installed: -$ rpm -q abrt + + Run the following command to determine if the nfs-utils package is installed: +$ rpm -q nfs-utils Is it the case that the package is installed? - - To verify /etc/system-fips exists, run the following command: -ls -l /etc/system-fips -The output should be similar to the following: --rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips - Is it the case that /etc/system-fips does not exist? - - - - -If the system is configured to prevent the loading of the rds kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the rds kernel module via blacklist keyword. + + The runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_pinfo +0. -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r rds /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? + Is it the case that the correct value is not returned? - - -Run the following command to determine if the ftpd_connect_all_unreserved SELinux boolean is disabled: -$ getsebool ftpd_connect_all_unreserved -If properly configured, the output should show the following: -ftpd_connect_all_unreserved --> off - Is it the case that ftpd_connect_all_unreserved is not disabled? + + To check the ownership of /var/log/messages, +run the command: +$ ls -lL /var/log/messages +If properly configured, the output should indicate the following owner: +root + Is it the case that /var/log/messages does not have an owner of root? 
- - -Run the following command to determine if the httpd_dbus_avahi SELinux boolean is disabled: -$ getsebool httpd_dbus_avahi -If properly configured, the output should show the following: -httpd_dbus_avahi --> off - Is it the case that httpd_dbus_avahi is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_COMPAT_VDSO /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the abrt_upload_watch_anon_write SELinux boolean is disabled: -$ getsebool abrt_upload_watch_anon_write +Run the following command to determine if the polipo_use_nfs SELinux boolean is disabled: +$ getsebool polipo_use_nfs If properly configured, the output should show the following: -abrt_upload_watch_anon_write --> off - Is it the case that abrt_upload_watch_anon_write is not disabled? +polipo_use_nfs --> off + Is it the case that polipo_use_nfs is not disabled? - - -Run the following command to determine if the httpd_can_check_spam SELinux boolean is disabled: -$ getsebool httpd_can_check_spam -If properly configured, the output should show the following: -httpd_can_check_spam --> off - Is it the case that httpd_can_check_spam is not disabled? + + Run the following command to ensure postfix accepts mail messages from only the local system: +$ grep inet_interfaces /etc/postfix/main.cf +If properly configured, the output should show only . + Is it the case that it does not? - - To verify that execution of the command is being audited, run the following command: -$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/* -The output should return something similar to: --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - Is it the case that ? 
+ + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +$ sudo grep "lsetxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Run the following command to determine if the sendmail package is installed: -$ rpm -q sendmail - Is it the case that the package is installed? + + The runtime status of the net.ipv6.conf.all.autoconf kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.autoconf +0. + + Is it the case that the correct value is not returned? - + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SLAB_MERGE_DEFAULT /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_KEY /boot/config.* + + For each kernel installed, a line with value "" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To determine if the system is configured to audit successful calls +to the chmod system call, run the following command: +$ sudo grep "chmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + -Run the following command to determine if the unprivuser_use_svirt SELinux boolean is disabled: -$ getsebool unprivuser_use_svirt +Run the following command to determine if the unconfined_chrome_sandbox_transition SELinux boolean is enabled: +$ getsebool unconfined_chrome_sandbox_transition If properly configured, the output should show the following: -unprivuser_use_svirt --> off - Is it the case that unprivuser_use_svirt is not disabled? +unconfined_chrome_sandbox_transition --> on + Is it the case that unconfined_chrome_sandbox_transition is not enabled? - - Verify the audit system prevents unauthorized changes with the following command: - -$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 --e 2 + + To ensure that remote access requires credentials, run the following command: +$ gsettings get org.gnome.Vino authentication-methods +If properly configured, the output should be false. +To ensure that users cannot disable credentials for remote access, run the following: +$ grep authentication-methods /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/Vino/authentication-methods + Is it the case that wireless network notification is enabled and not disabled? + + + + Verify that Promiscuous mode of an interface is disabled, run the following command: +$ ip link | grep PROMISC + Is it the case that any network device is in promiscuous mode? + + + + - Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? +Run the following command to determine the current status of the +fapolicyd service: +$ sudo systemctl is-active fapolicyd +If the service is running, it should return the following: active + Is it the case that the service is not enabled? 
- - Verify the system commands contained in the following directories are owned by "root" with the following command: + + Run the following command to verify that SSH client is configured to use 32 bytes of entropy: +grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh +It should return the following output: +setenv SSH_USE_STRONG_RNG 32. + Is it the case that SSH client is not configured to use 32 bytes of entropy or more? + + + + Verify Red Hat Enterprise Linux 8 security patches and updates are installed and up to date. +Updates are required to be applied with a frequency determined by organizational policy. -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; - Is it the case that any system commands are found to not be owned by root? + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. +It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. + + +Check that the available package security updates have been installed on the system with the following command: + +$ sudo yum history list | more + +Loaded plugins: langpacks, product-id, subscription-manager +ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- +70 | install aide | 2020-03-05 10:58 | Install | 1 +69 | update -y | 2020-03-04 14:34 | Update | 18 EE +68 | install vlc | 2020-02-21 17:12 | Install | 21 +67 | update -y | 2020-02-21 17:04 | Update | 7 EE + + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + Is it the case that Red Hat Enterprise Linux 8 is in non-compliance with the organizational patching policy? - - If network services are using the xinetd service, this is not applicable. 
+ + Inspect /etc/default/grub for any instances of +systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. +Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates +that interactive boot is enabled at boot time and verify that +GRUB_DISABLE_RECOVERY=true to disable recovery boot. + Is it the case that Interactive boot is enabled at boot time? + + + + +Run the following command to determine if the httpd_can_connect_mythtv SELinux boolean is disabled: +$ getsebool httpd_can_connect_mythtv +If properly configured, the output should show the following: +httpd_can_connect_mythtv --> off + Is it the case that httpd_can_connect_mythtv is not disabled? + + + + Verify the nodev option is configured for the /dev/shm mount point, + run the following command: + $ sudo mount | grep '\s/dev/shm\s' + . . . /dev/shm . . . nodev . . . -To check that the xinetd service is disabled in system boot configuration, + Is it the case that the "/dev/shm" file system does not have the "nodev" option set? + + + + +Run the following command to determine if the httpd_can_check_spam SELinux boolean is disabled: +$ getsebool httpd_can_check_spam +If properly configured, the output should show the following: +httpd_can_check_spam --> off + Is it the case that httpd_can_check_spam is not disabled? + + + + To check that the saslauthd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled xinetd -Output should indicate the xinetd service has either not been installed, +$ sudo systemctl is-enabled saslauthd +Output should indicate the saslauthd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled xinetd disabled +$ sudo systemctl is-enabled saslauthd disabled -Run the following command to verify xinetd is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active xinetd +Run the following command to verify saslauthd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active saslauthd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the xinetd is masked, run the following command: -$ sudo systemctl show xinetd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the saslauthd is masked, run the following command: +$ sudo systemctl show saslauthd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "xinetd" is loaded and not masked? + Is it the case that the "saslauthd" is loaded and not masked? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SCHED_STACK_END_CHECK /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + + +Run the following command to determine the current status of the +rngd service: +$ sudo systemctl is-active rngd +If the service is running, it should return the following: active + Is it the case that the "rngd" service is disabled, masked, or not started.? - - -Run the following command to determine if the mailman_use_fusefs SELinux boolean is disabled: -$ getsebool mailman_use_fusefs -If properly configured, the output should show the following: -mailman_use_fusefs --> off - Is it the case that mailman_use_fusefs is not disabled? + + To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command: +$ grep sha512 /etc/aide.conf +Verify that the sha512 option is added to the correct ruleset. 
+ Is it the case that the sha512 option is missing or not added to the correct ruleset? - - To ensure root may not directly login to the system over physical consoles, -run the following command: -cat /etc/securetty -If any output is returned, this is a finding. - Is it the case that the /etc/securetty file is not empty? + + To determine if the system is configured to audit calls to the +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To find world-writable files, run the following command: -$ sudo find / -xdev -type f -perm -002 - Is it the case that there is output? + + The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.log_martians +1. + + Is it the case that the correct value is not returned? - - Inspect each <Directory> instance and verify that either -FollowSymLinks does not exist, or -Options SymLinksIfOwnerMatchDisable is configured properly. - Is it the case that it is not? + + To verify the local initialization files of all local interactive users are group- +owned by the appropriate user, inspect the primary group of the respective +users in /etc/passwd and verify all initialization files under the +respective users home directory. Check the group owner of all local interactive users +initialization files. + Is it the case that they are not? - - To check the group ownership of /boot/efi/EFI/redhat/grub.cfg, -run the command: -$ ls -lL /boot/efi/EFI/redhat/grub.cfg -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have a group owner of root? 
+ + The runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_rtr_pref +0. + + Is it the case that the correct value is not returned? - - To ensure the MaxAuthTries parameter is set, run the following command: -$ sudo grep MaxAuthTries /etc/ssh/sshd_config -If properly configured, output should be: -MaxAuthTries - Is it the case that it is commented out or not configured properly? + + +Run the following command to determine if the xdm_write_home SELinux boolean is disabled: +$ getsebool xdm_write_home +If properly configured, the output should show the following: +xdm_write_home --> off + Is it the case that xdm_write_home is not disabled? - + -Run the following command to determine if the exim_manage_user_files SELinux boolean is disabled: -$ getsebool exim_manage_user_files +Run the following command to determine if the tor_can_network_relay SELinux boolean is disabled: +$ getsebool tor_can_network_relay If properly configured, the output should show the following: -exim_manage_user_files --> off - Is it the case that exim_manage_user_files is not disabled? +tor_can_network_relay --> off + Is it the case that tor_can_network_relay is not disabled? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules -The output has to be exactly as follows: -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access - Is it the case that the file does not exist or the content differs? + + +Run the following command to determine if the httpd_setrlimit SELinux boolean is disabled: +$ getsebool httpd_setrlimit +If properly configured, the output should show the following: +httpd_setrlimit --> off + Is it the case that httpd_setrlimit is not disabled? - - To check the permissions of /etc/motd, -run the command: -$ ls -l /etc/motd -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/motd does not have unix mode -rw-r--r--? + + +Run the following command to determine if the virt_use_sanlock SELinux boolean is disabled: +$ getsebool virt_use_sanlock +If properly configured, the output should show the following: +virt_use_sanlock --> off + Is it the case that virt_use_sanlock is not disabled? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "reboot" command with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: -$ sudo auditctl -l | grep reboot +$ sudo auditctl -l | grep mount --a always,exit -F path=/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the samba_enable_home_dirs SELinux boolean is disabled: -$ getsebool samba_enable_home_dirs -If properly configured, the output should show the following: -samba_enable_home_dirs --> off - Is it the case that samba_enable_home_dirs is not disabled? + + Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite + Is it the case that the package is not installed? - - To check if UsePrivilegeSeparation is enabled or set correctly, run the -following command: -$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config -If configured properly, output should be . - Is it the case that it is commented out or is not enabled? + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size. + +Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size with the following command: + +$ sudo grep max_log_file_action /etc/audit/auditd.conf + +max_log_file_action = + Is it the case that the value of the "max_log_file_action" option is not "ROTATE", "SINGLE", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action? 
- - To verify the LDAP client backend demands a valid certificate from the server in -remote LDAP access sessions, run the following command: -$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf + + To verify if CustomLog is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i customlog /etc/httpd/conf/httpd.conf The output should return the following: -ldap_tls_reqcert = demand - Is it the case that the TLS reqcert is not set to demand? - - - - To find SUID files, run the following command: -$ sudo find / -xdev -type f -perm -4000 - Is it the case that only authorized files appear in the output of the find command? +CustomLog "logs/access_log" combined + Is it the case that it is not? - - To determine if the system is configured to audit changes to its SELinux -configuration files, run the following command: -$ sudo auditctl -l | grep "dir=/usr/share/selinux" -If the system is configured to watch for changes to its SELinux -configuration, a line should be returned (including -perm=wa indicating permissions that are watched). - Is it the case that the system is not configured to audit attempts to change the MAC policy? + + To verify that McAfee Endpoint Security for Linux is +running, run the following command: +$ sudo ps -ef | grep -i mfetpd + Is it the case that virus scanning software is not running? - - To verify all files and directories in interactive user home directory are -group-owned by a group the user is a member of, run the -following command: -$ sudo ls -lLR /home/USER - Is it the case that the group ownership is incorrect? + + The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.accept_redirects +0. + + Is it the case that the correct value is not returned? 
- - -If the system is configured to prevent the loading of the iwlmvm kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + Verify the TFTP daemon is configured to operate in secure mode. -These lines can also instruct the module loading system to ignore the iwlmvm kernel module via blacklist keyword. +Check if a TFTP server is installed with the following command: -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r iwlmvm /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? - - - - The following command will discover and print world-writable directories that -are not owned by a system account, given the assumption that only system -accounts have a uid lower than 500. Run it once for each local partition PART: -$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print - Is it the case that there is output? +$ rpm -qa | grep tftp + + +If a TFTP server is not installed, this is Not Applicable. + + +If a TFTP server is installed, verify TFTP is configured by with +the -s option by running the following command: + +grep "server_args" /etc/xinetd.d/tftp +server_args = -s + Is it the case that '"server_args" line does not have a "-s" option, and a subdirectory is not assigned'? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + To check if RekeyLimit is set correctly, run the following command: +$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf +If configured properly, output should be +/etc/ssh/ssh_config.d/02-rekey-limit.conf: +RekeyLimit +Check also the main configuration file with the following command: +$ sudo grep RekeyLimit /etc/ssh/ssh_config +The command should not return any output. + Is it the case that it is commented out or is not set? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: +$ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg +If properly configured, the output should indicate the following +permissions: -rwx------ + Is it the case that it does not? - - To ensure that remote access connections are encrypted, run the following command: -$ gsettings get org.gnome.Vino require-encrpytion + + To ensure that wireless network notification is disabled, run the following command: +$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available If properly configured, the output should be true. -To ensure that users cannot disable encrypted remote connections, run the following: -$ grep require-encryption /etc/dconf/db/local.d/locks/* +To ensure that users cannot enable wireless notification, run the following: +$ grep wireless-networks-available /etc/dconf/db/local.d/locks/* If properly configured, the output should be -/org/gnome/Vino/require-encryption - Is it the case that remote access connections are not encrypted? +/org/gnome/nm-applet/suppress-wireless-networks-available + Is it the case that wireless network notification is enabled and not disabled? 
- - The ypbind package can be removed with the following command: $ sudo yum erase ypbind - Is it the case that ? + + To verify insecure file locking has been disabled, run the following command: +$ grep insecure_locks /etc/exports + Is it the case that there is output? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + + The following command will discover and print world-writable directories that +are not group owned by a system account, given the assumption that only system +accounts have a gid lower than 1000. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print + Is it the case that there is output? + + + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the openat system call with O_CREAT flag. -$ sudo auditctl -l | grep userhelper +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper +$ sudo grep -r openat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep openat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a 
line, or the line is commented out? - + + Run the following command to determine if the libreport-plugin-logger package is installed: +$ rpm -q libreport-plugin-logger + Is it the case that the package is installed? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling automount-open +If properly configured, the output for automount-openshould be false. +To ensure that users cannot enable automount opening in GNOME3, run the following: +$ grep 'automount-open' /etc/dconf/db/local.d/locks/* +If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open + Is it the case that GNOME automounting is not disabled? + + + -Run the following command to determine if the cobbler_can_network_connect SELinux boolean is disabled: -$ getsebool cobbler_can_network_connect +Run the following command to determine if the virt_sandbox_use_audit SELinux boolean is enabled: +$ getsebool virt_sandbox_use_audit If properly configured, the output should show the following: -cobbler_can_network_connect --> off - Is it the case that cobbler_can_network_connect is not disabled? +virt_sandbox_use_audit --> on + Is it the case that virt_sandbox_use_audit is not enabled? - - Verify that rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below. + + To verify that SSSD is configured to run as user sssd, run the following command: +$ sudo grep -r '\buser\b' /etc/sssd +If configured properly, output should similar to /etc/sssd/conf.d/ospp.conf:user = sssd. +Sanity of SSSD configuration in general can be checked using $ sudo sssctl config-check + Is it the case that it does not exist or is not configured properly? 
+ + + + +To check that the rlogin service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig rlogin --list +Output should indicate the rlogin service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig rlogin --list - If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". - If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. +Note: This output shows SysV services only and does not include native +systemd services. SysV configuration data might be overridden by native +systemd configuration. - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +If you want to list systemd services use 'systemctl list-unit-files'. +To see services enabled on particular target use +'systemctl list-dependencies [target]'. 
- If the system is 64 bit then also add the following lines: +rlogin off - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - Is it the case that the rules are in a different order? +To check that the rlogin socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled rlogin +Output should indicate the rlogin socket has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rlogindisabled + +Run the following command to verify rlogin is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rlogin + +If the socket is not running the command will return the following output: +inactive + +The socket will also be masked, to check that the rlogin is masked, run the following command: +$ sudo systemctl show rlogin | grep "LoadState\|UnitFileState" + +If the socket is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that service and/or socket are running? 
- - To check the ownership of /var/log, -run the command: -$ ls -lL /var/log -If properly configured, the output should indicate the following owner: -root - Is it the case that /var/log does not have an owner of root? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "init" command with the following command: + +$ sudo auditctl -l | grep init + +-a always,exit -F path=/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init + Is it the case that the command does not return a line, or the line is commented out? - - To determine if the system is configured to audit calls to the -settimeofday system call, run the following command: -$ sudo grep "settimeofday" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: - Is it the case that no line is returned? +$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? - + + To check that the rhsmcertd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rhsmcertd +Output should indicate the rhsmcertd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rhsmcertd disabled + +Run the following command to verify rhsmcertd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active rhsmcertd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rhsmcertd is masked, run the following command: +$ sudo systemctl show rhsmcertd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "rhsmcertd" is loaded and not masked? + + + + To determine how the SSH daemon's Banner option is set, run the following command: + +$ sudo grep -i Banner /etc/ssh/sshd_config + +If a line indicating /etc/issue is returned, then the required value is set. + + Is it the case that the required value is not set? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_RANDOMIZE_BASE /boot/config.* + $ grep CONFIG_BINFMT_MISC /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? - + + Check whether the maximum time period for existing passwords is restricted to days with the following commands: + +$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow + +$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow + Is it the case that any results are returned that are not associated with a system account? + + + -Run the following command to determine if the abrt_anon_write SELinux boolean is disabled: -$ getsebool abrt_anon_write +Run the following command to determine if the sge_use_nfs SELinux boolean is disabled: +$ getsebool sge_use_nfs If properly configured, the output should show the following: -abrt_anon_write --> off - Is it the case that abrt_anon_write is not disabled? 
+sge_use_nfs --> off + Is it the case that sge_use_nfs is not disabled? - - To check the system for the existence of any .netrc files, -run the following command: -$ sudo find /home -xdev -name .netrc - Is it the case that any .netrc files exist? + + Verify the nodev option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . nodev . . . + + Is it the case that the "/home" file system does not have the "nodev" option set? - - To check the ownership of /etc/cron.allow, -run the command: -$ ls -lL /etc/cron.allow -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.allow does not have an owner of root? + + +If the system is configured to prevent the loading of the dccp kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + +These lines can also instruct the module loading system to ignore the dccp kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To check the ownership of /boot/efi/EFI/redhat/user.cfg, + + Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. + +Check if "SELinux" is active and in "" mode with the following command: + +$ sudo getenforce + + Is it the case that SELINUX is not set to enforcing? + + + + To check the permissions of /etc/ssh/*.pub, run the command: -$ ls -lL /boot/efi/EFI/redhat/user.cfg -If properly configured, the output should indicate the following owner: -root - Is it the case that /boot/efi/EFI/redhat/user.cfg does not have an owner of root? 
+$ ls -l /etc/ssh/*.pub +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_POISONING /boot/config.* + $ grep CONFIG_FORTIFY_SOURCE /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Verify that Red Hat Enterprise Linux 8 set the days of warning before a password expires to - or more for users with a -password: - -$ sudo awk -F: '$6 || $6 == "" {print $1}' /etc/shadow - Is it the case that any results are returned that are not associated with a system account? - - - - -Run the following command to determine if the xdm_exec_bootloader SELinux boolean is disabled: -$ getsebool xdm_exec_bootloader -If properly configured, the output should show the following: -xdm_exec_bootloader --> off - Is it the case that xdm_exec_bootloader is not disabled? - - - - The runtime status of the kernel.randomize_va_space kernel parameter can be queried -by running the following command: -$ sysctl kernel.randomize_va_space -2. + + Verify the nosuid option is configured for the /var/log/audit mount point, + run the following command: + $ sudo mount | grep '\s/var/log/audit\s' + . . . /var/log/audit . . . nosuid . . . - Is it the case that the correct value is not returned? + Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config.* + $ grep CONFIG_REFCOUNT_FULL /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Only FIPS ciphers should be used. 
To verify that only FIPS-approved -ciphers are in use, run the following command: -$ sudo grep Ciphers /etc/ssh/sshd_config -The output should contain only those ciphers which are FIPS-approved. - Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? - - - + -Run the following command to determine if the condor_tcp_network_connect SELinux boolean is disabled: -$ getsebool condor_tcp_network_connect +Run the following command to determine if the nfsd_anon_write SELinux boolean is disabled: +$ getsebool nfsd_anon_write If properly configured, the output should show the following: -condor_tcp_network_connect --> off - Is it the case that condor_tcp_network_connect is not disabled? +nfsd_anon_write --> off + Is it the case that nfsd_anon_write is not disabled? - - To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command: + + To verify that USB Human Interface Devices and hubs will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +The output lines should include +allow with-interface match-all { 03:*:* 09:00:* } + Is it the case that USB devices of class 3 and 9:00 are not authorized? + + + + +To check that the systemd-journal-remote.socket socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled systemd-journal-remote.socket +Output should indicate the systemd-journal-remote.socket socket has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled systemd-journal-remote.socketdisabled -$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config +Run the following command to verify systemd-journal-remote.socket is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active systemd-journal-remote.socket -If a line indicating no is returned, then the required value is set. +If the socket is not running the command will return the following output: +inactive - Is it the case that the required value is not set? - - - - Run the following command to determine if the samba package is installed: -$ rpm -q samba - Is it the case that the package is installed? - - - - To determine if the system is configured to audit successful calls -to the open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit.* -If the system is configured to audit this activity, it will return a line. +The socket will also be masked, to check that the systemd-journal-remote.socket is masked, run the following command: +$ sudo systemctl show systemd-journal-remote.socket | grep "LoadState\|UnitFileState" - Is it the case that no line is returned? +If the socket is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the systemd-journal-remote socket is not masked? - - To determine if the system is configured to audit successful calls -to the setxattr system call, run the following command: -$ sudo grep "setxattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the noexec option is configured for the /var/tmp mount point, + run the following command: + $ sudo mount | grep '\s/var/tmp\s' + . . . /var/tmp . . . noexec . . . - Is it the case that no line is returned? + Is it the case that the "/var/tmp" file system does not have the "noexec" option set? 
- - To check the permissions of /etc/audit/rules.d/*.rules, -run the command: -$ ls -l /etc/audit/rules.d/*.rules -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-r-----? + + Inspect /etc/login.defs and ensure that if eihter +SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS +are set, they must have the minimum value of 5000. + Is it the case that it does not? - - To determine if the system is configured to audit unsuccessful calls -to the fchownat system call, run the following command: -$ sudo grep "fchownat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine how the SSH daemon's PermitRootLogin option is set, run the following command: - Is it the case that no line is returned? +$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config + +If a line indicating prohibit-password is returned, then the required value is set. + Is it the case that it is commented out or not configured properly? - - To determine if the system is configured to audit unsuccessful calls -to the chown system call, run the following command: -$ sudo grep "chown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the logrotate package is installed: $ rpm -q logrotate + Is it the case that the package is not installed? - - Verify the nodev option is configured for the /var/tmp mount point, - run the following command: - $ sudo mount | grep '\s/var/tmp\s' - . . . /var/tmp . . . nodev . . . - - Is it the case that the "/var/tmp" file system does not have the "nodev" option set? 
+ + To check the group ownership of /etc/crontab, +run the command: +$ ls -lL /etc/crontab +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/crontab does not have a group owner of root? - - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: - -$ grep lock-command /etc/tmux.conf - -set -g lock-command vlock + + To verify if the OpenSSH server uses defined Crypto Policy, run: +$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1 +and verify that the line matches +CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256' + Is it the case that Crypto Policy for OpenSSH Server is not configured according to CC requirements? + + + + Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. -Then, verify that the /etc/tmux.conf file can be read by other users than root: +Check the octal permission of each audit tool by running the following command: -$ sudo ls -al /etc/tmux.conf - Is it the case that the "lock-command" is not set in the global settings to call "vlock"? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + Is it the case that any of these files have more permissive permissions than 0755? - - To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, -run the following command: -$ sudo pwck -qr -There should be no output. - Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group? 
+ + Run the following command to determine if the sendmail package is installed: +$ rpm -q sendmail + Is it the case that the package is installed? - + -Run the following command to determine if the httpd_can_network_connect SELinux boolean is disabled: -$ getsebool httpd_can_network_connect +Run the following command to determine if the httpd_can_connect_ldap SELinux boolean is disabled: +$ getsebool httpd_can_connect_ldap If properly configured, the output should show the following: -httpd_can_network_connect --> off - Is it the case that httpd_can_network_connect is not disabled? - - - - To verify that the Dracut FIPS module is enabled, run the following command: -grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf -The output should look like this: -add_dracutmodules+=" fips " - Is it the case that the Dracut FIPS module is not enabled? +httpd_can_connect_ldap --> off + Is it the case that httpd_can_connect_ldap is not disabled? - - Run the following command to determine if the policycoreutils-python-utils package is installed: $ rpm -q policycoreutils-python-utils - Is it the case that the package is not installed? + + To verify that the audit system collects unauthorized file accesses, run the following commands: +$ sudo grep EACCES /etc/audit/audit.rules +$ sudo grep EPERM /etc/audit/audit.rules + Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM? - - -Run the following command to determine if the xguest_mount_media SELinux boolean is disabled: -$ getsebool xguest_mount_media -If properly configured, the output should show the following: -xguest_mount_media --> off - Is it the case that xguest_mount_media is not disabled? + + To check if UsePrivilegeSeparation is enabled or set correctly, run the +following command: +$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config +If configured properly, output should be . 
+ Is it the case that it is commented out or is not enabled? - - To verify that USB hubs will be authorized by the USBGuard daemon, -run the following command: -$ sudo grep allow /etc/usbguard/rules.conf -One of the output lines should be -allow with-interface match-all { 09:00:* } - Is it the case that USB devices of class 9 are not authorized? + + Verify that a separate file system/partition has been created for /tmp with the following command: + +$ mountpoint /tmp + + Is it the case that "/tmp is not a mountpoint" is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STRICT_MODULE_RWX /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that Samba clients running smbclient must use packet signing, run the following command: +$ grep signing /etc/samba/smb.conf +The output should show: +client signing = mandatory + Is it the case that it is not? - - To verify that null passwords cannot be used, run the following command: -$ sudo awk -F: '!$2 {print $1}' /etc/shadow -If this produces any output, it may be possible to log into accounts -with empty passwords. - Is it the case that Blank or NULL passwords can be used? + + The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_redirects +0. + + Is it the case that the correct value is not returned? - + -Run the following command to determine if the boinc_execmem SELinux boolean is disabled: -$ getsebool boinc_execmem +Run the following command to determine if the mcelog_client SELinux boolean is disabled: +$ getsebool mcelog_client If properly configured, the output should show the following: -boinc_execmem --> off - Is it the case that boinc_execmem is not disabled? 
+mcelog_client --> off + Is it the case that mcelog_client is not disabled? - - To verify the number of rounds for the password hashing algorithm is configured, run the following command: -$ sudo grep rounds /etc/pam.d/password-auth -The output should show the following match: -password sufficient pam_unix.so sha512 rounds= - Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? + + +Run the following command to determine if the cluster_use_execmem SELinux boolean is disabled: +$ getsebool cluster_use_execmem +If properly configured, the output should show the following: +cluster_use_execmem --> off + Is it the case that cluster_use_execmem is not disabled? - - To verify that binaries cannot be directly executed from removable media, run the following command: -$ grep -v noexec /etc/fstab -The resulting output will show partitions which do not have the noexec flag. Verify all partitions -in the output are not removable media. - Is it the case that removable media partitions are present? - - - - To determine if the system is configured to audit successful calls -to the fchownat system call, run the following command: -$ sudo grep "fchownat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify that Red Hat Enterprise Linux 8 set the days of warning before a password expires to + or more for users with a +password: - Is it the case that no line is returned? +$ sudo awk -F: '$6 || $6 == "" {print $1}' /etc/shadow + Is it the case that any results are returned that are not associated with a system account? - - Run the following command to determine if the freeradius package is installed: $ rpm -q freeradius - Is it the case that the package is installed? 
+ + +Run the following command to determine if the httpd_mod_auth_pam SELinux boolean is disabled: +$ getsebool httpd_mod_auth_pam +If properly configured, the output should show the following: +httpd_mod_auth_pam --> off + Is it the case that httpd_mod_auth_pam is not disabled? - - Run the following command to determine if the nfs-utils package is installed: -$ rpm -q nfs-utils + + Run the following command to determine if the krb5-workstation package is installed: +$ rpm -q krb5-workstation Is it the case that the package is installed? - - Inspect /etc/audit/audisp-remote.conf and locate the following line to -determine if the system is configured to either send to syslog, switch to single user mode, -or halt when the disk is full: -$ sudo grep -i disk_full_action /etc/audit/audisp-remote.conf -The output should return something similar to: -disk_full_action = single -Acceptable values also include syslog and halt. - Is it the case that the system is not configured to switch to single user mode for corrective action? + + To verify if password complexities are only enforce on local users, run the following command: +$ grep local_users_only /etc/security/pwquality.conf +The output should return local_users_only uncommented. + Is it the case that local_users_only is not uncommented or configured correctly? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + + To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command: -$ sudo auditctl -l | grep chcon +$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - Is it the case that the command does not return a line, or the line is commented out? +If a line indicating no is returned, then the required value is set. + Is it the case that The AllowTcpForwarding option exists and is disabled? 
- - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -$ sudo grep "chmod" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To check which SSH protocol version is allowed, check version of +openssh-server with following command: +$ rpm -qi openssh-server | grep Version +Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. +If version is lower than 7.4, run the following command to check configuration: +To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: - Is it the case that no line is returned? - - - - Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. +$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config -Check the octal permission of each audit tool by running the following command: +If a line indicating no is returned, then the required value is set. -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules - Is it the case that any of these files have more permissive permissions than 0755? + Is it the case that the required value is not set? - - To check the group ownership of /etc/gshadow-, -run the command: -$ ls -lL /etc/gshadow- -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/gshadow- does not have a group owner of root? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "restorecon" command with the following command: + +$ sudo auditctl -l | grep restorecon + +-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-restorecon + Is it the case that the command does not return a line, or the line is commented out? 
- - To verify the openldap-servers package is not installed, run the -following command: -$ rpm -q openldap-servers -The output should show the following: -package openldap-servers is not installed - Is it the case that it does not? + + To check that page poisoning is enabled at boot time, check all boot entries with following command: +sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. + Is it the case that page allocator poisoning is not enabled? - + -Run the following command to determine if the tmpreaper_use_nfs SELinux boolean is disabled: -$ getsebool tmpreaper_use_nfs +Run the following command to determine if the cluster_manage_all_files SELinux boolean is disabled: +$ getsebool cluster_manage_all_files If properly configured, the output should show the following: -tmpreaper_use_nfs --> off - Is it the case that tmpreaper_use_nfs is not disabled? +cluster_manage_all_files --> off + Is it the case that cluster_manage_all_files is not disabled? - - To determine that AIDE is verifying ACLs, run the following command: -$ grep acl /etc/aide.conf -Verify that the acl option is added to the correct ruleset. - Is it the case that the acl option is missing or not added to the correct ruleset? + + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin +/usr/local/sbin +To find system executables directories that are group-writable or +world-writable, run the following command for each directory DIR +which contains system executables: +$ sudo find -L DIR -perm /022 -type d + Is it the case that any of these files are group-writable or world-writable? 
- - -Run the following command to determine if the irssi_use_full_network SELinux boolean is disabled: -$ getsebool irssi_use_full_network -If properly configured, the output should show the following: -irssi_use_full_network --> off - Is it the case that irssi_use_full_network is not disabled? + + Verify that authselect is enabled by running +authselect current +If authselect is enabled on the system, the output should show the ID of the profile which is currently in use. + Is it the case that authselect is not used to manage user authentication setup on the system? - - To determine if the system is configured to audit successful calls -to the chmod system call, run the following command: -$ sudo grep "chmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To find the location of the AIDE database file, run the following command: +$ sudo ls -l DBDIR/database_file_name + Is it the case that there is no database file? - + -Run the following command to determine if the smartmon_3ware SELinux boolean is disabled: -$ getsebool smartmon_3ware +Run the following command to determine if the tmpreaper_use_samba SELinux boolean is disabled: +$ getsebool tmpreaper_use_samba If properly configured, the output should show the following: -smartmon_3ware --> off - Is it the case that smartmon_3ware is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_HIBERNATION /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? +tmpreaper_use_samba --> off + Is it the case that tmpreaper_use_samba is not disabled? 
- - The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_redirects -0. + + Verify that Red Hat Enterprise Linux 8 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: - Is it the case that the correct value is not returned? - - - - To determine if the system is configured to audit calls to the -fchownat system call, run the following command: -$ sudo grep "fchownat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. +$ sudo grep admin_space_left_action /etc/audit/auditd.conf - Is it the case that no line is returned? - - - - -To properly set the owner of /var/log/httpd, run the command: -$ sudo chown root /var/log/httpd +admin_space_left_action = single -To properly set the owner of /var/log/httpd/*, run the command: -$ sudo chown root /var/log/httpd/* - Is it the case that ? +If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. + Is it the case that there is no evidence that real-time alerts are configured on the system? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PANIC_ON_OOPS /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check the permissions of /etc/cron.daily, +run the command: +$ ls -l /etc/cron.daily +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.daily does not have unix mode -rwx------? 
- - Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot. -Run the following command: - -$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub - Is it the case that GRUB_DISABLE_RECOVERY is not set to true or is missing? + + +Run the following command to determine if the ssh_chroot_rw_homedirs SELinux boolean is disabled: +$ getsebool ssh_chroot_rw_homedirs +If properly configured, the output should show the following: +ssh_chroot_rw_homedirs --> off + Is it the case that ssh_chroot_rw_homedirs is not disabled? - - Run the following command to determine if the avahi package is installed: -$ rpm -q avahi + + Run the following command to determine if the xinetd package is installed: +$ rpm -q xinetd Is it the case that the package is installed? - - To check that audit is enabled at boot time, check all boot entries with following command: -sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that doesn't enable audit. - Is it the case that auditing is not enabled at boot time? - - - - Verify Red Hat Enterprise Linux 8 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command: -$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf -server [ntp.server.name] iburst maxpoll . - Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing? - - - - -Run the following command to determine if the samba_create_home_dirs SELinux boolean is disabled: -$ getsebool samba_create_home_dirs -If properly configured, the output should show the following: -samba_create_home_dirs --> off - Is it the case that samba_create_home_dirs is not disabled? + + The runtime status of the fs.suid_dumpable kernel parameter can be queried +by running the following command: +$ sysctl fs.suid_dumpable +0. 
+ + Is it the case that the correct value is not returned? - - Verify the audit system is configured to take an appropriate action when the internal event queue is full: -$ sudo grep -i overflow_action /etc/audit/auditd.conf - -The output should contain overflow_action = syslog - -If the value of the "overflow_action" option is not set to syslog, -single, halt or the line is commented out, ask the System Administrator -to indicate how the audit logs are off-loaded to a different system or media. - Is it the case that auditd overflow action is not set correctly? + + To verify that only security updates will be automatically installed by dnf-automatic, run the following command: +$ sudo grep upgrade_type /etc/dnf/automatic.conf +The output should return the following: +upgrade_type = security + Is it the case that the upgrade_type is not set to security? - - Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: - -$ sudo grep "umask" /etc/bashrc - -umask - Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? + + To verify that McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) +are installed, run the following command(s): +$ rpm -q MFEcma +$ rpm -q MFErt + Is it the case that the HBSS HIPS module is not installed? - - -If the system is configured to prevent the loading of the dccp kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + Inspect the password section of /etc/pam.d/system-auth +and ensure that the pam_unix.so module is configured to use the argument +sha512: -These lines can also instruct the module loading system to ignore the dccp kernel module via blacklist keyword. 
+$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? - - - - Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf -and /etc/zipl.conf: -find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap -No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated. - Is it the case that the bootmap is outdated? +password sufficient pam_unix.so sha512 + Is it the case that "sha512" is missing, or is commented out? - + -Run the following command to determine if the haproxy_connect_any SELinux boolean is disabled: -$ getsebool haproxy_connect_any +Run the following command to determine if the zarafa_setrlimit SELinux boolean is disabled: +$ getsebool zarafa_setrlimit If properly configured, the output should show the following: -haproxy_connect_any --> off - Is it the case that haproxy_connect_any is not disabled? +zarafa_setrlimit --> off + Is it the case that zarafa_setrlimit is not disabled? - - -Run the following command to determine if the awstats_purge_apache_log_files SELinux boolean is disabled: -$ getsebool awstats_purge_apache_log_files -If properly configured, the output should show the following: -awstats_purge_apache_log_files --> off - Is it the case that awstats_purge_apache_log_files is not disabled? + + To ensure the gdm package group is removed, run the following command: +$ rpm -qi gdm +The output should be: +package gdm is not installed + Is it the case that gdm has not been removed? 
- - To check if pam_pwquality.so is enabled in password-auth, run the following command: -$ grep pam_pwquality /etc/pam.d/password-auth -The output should be similar to the following: -password requisite pam_pwquality.so - Is it the case that pam_pwquality.so is not enabled in password-auth? + + To ensure the GUI does not allow user administratrion capabilities to all users, +run the following command: +$ gsettings get org.gnome.desktop.lockdown user-administration-disabled +If properly configured, the output should be true. +To ensure that users cannot enable user administration, run the following: +$ grep user-administration /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/desktop/lockdown/user-administration-disabled + Is it the case that user administration is not configured or disabled? - + To determine if the system is configured to audit successful calls -to the renameat system call, run the following command: -$ sudo grep "renameat" /etc/audit.* +to the open system call, run the following command: +$ sudo grep "open" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to determine if the libreport-plugin-rhtsupport package is installed: -$ rpm -q libreport-plugin-rhtsupport - Is it the case that the package is installed? - - - - Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog - Is it the case that the package is not installed? - - - - Run the following command to determine open ports: -# ss -6tuln -Run the following command to determine firewall rules: -# ip6tables -L INPUT -v -n -For each port identified in the audit which does not have a firewall -rule, add rule for accepting or denying inbound connections -# ip6tables -A INPUT -p \ --dport \ -m state --state NEW -j ACCEPT - Is it the case that open ports are denied connection? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PROC_KCORE /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - To check the permissions of /etc/ssh/sshd_config, + + To check the permissions of /boot/efi/EFI/redhat/user.cfg, run the command: -$ ls -l /etc/ssh/sshd_config +$ ls -l /boot/efi/EFI/redhat/user.cfg If properly configured, the output should indicate the following permissions: -rw------- - Is it the case that /etc/ssh/sshd_config does not have unix mode -rw-------? + Is it the case that /boot/efi/EFI/redhat/user.cfg does not have unix mode -rw-------? - - Verify that temporary accounts have been provisioned with an expiration date -of 72 hours. For every temporary account, run the following command to -obtain its account aging and expiration information: -$ sudo chage -l temporary_account_name -Verify each of these accounts has an expiration date set within 72 hours or -as documented. - Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours? + + To check the permissions of /etc/motd, +run the command: +$ ls -l /etc/motd +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/motd does not have unix mode -rw-r--r--? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: - -$ sudo auditctl -l | grep chage - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage - Is it the case that the command does not return a line, or the line is commented out? + + To ensure a login warning banner is enabled, run the following: +$ grep banner-message-enable /etc/dconf/db/gdm.d/* +If properly configured, the output should be true. 
+To ensure a login warning banner is locked and cannot be changed by a user, run the following: +$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. + Is it the case that it is not? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_TABLE_ISOLATION /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify the noexec option is configured for all NFS mounts, run the following command: +$ mount | grep nfs +All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is +not implemented. + Is it the case that the setting does not show? - - Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core - Is it the case that the package is not installed? + + +Run the following command to determine if the pcp_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool pcp_bind_all_unreserved_ports +If properly configured, the output should show the following: +pcp_bind_all_unreserved_ports --> off + Is it the case that pcp_bind_all_unreserved_ports is not disabled? - - To verify all files and directories contained in interactive user home -directory, excluding local initialization files, have a mode of 0750, -run the following command: -$ sudo ls -lLR /home/USER - Is it the case that home directory files or folders have incorrect permissions? + + Verify that a separate file system/partition has been created for /usr with the following command: + +$ mountpoint /usr + + Is it the case that "/usr is not a mountpoint" is returned? - - The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.accept_source_route -0. 
- - Is it the case that the correct value is not returned? + + # grep "^OPTIONS.*-u" /etc/sysconfig/chronyd | grep -v -e '-u\s*chrony\b' +returns no output + Is it the case that chronyd is not running under chrony user account? - + -Run the following command to determine if the httpd_run_stickshift SELinux boolean is disabled: -$ getsebool httpd_run_stickshift +Run the following command to determine if the mock_enable_homedirs SELinux boolean is disabled: +$ getsebool mock_enable_homedirs If properly configured, the output should show the following: -httpd_run_stickshift --> off - Is it the case that httpd_run_stickshift is not disabled? +mock_enable_homedirs --> off + Is it the case that mock_enable_homedirs is not disabled? - - The runtime status of the kernel.pid_max kernel parameter can be queried -by running the following command: -$ sysctl kernel.pid_max -65536. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - Is it the case that the correct value is not returned? - - - - Run the following command to determine if the logrotate package is installed: $ rpm -q logrotate - Is it the case that the package is not installed? 
+If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_X86_VSYSCALL_EMULATION /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + Inspect each <Directory> instance and verify that either +FollowSymLinks does not exist, or +Options SymLinksIfOwnerMatchDisable is configured properly. + Is it the case that it is not? - - Run the following command to determine if the setroubleshoot-plugins package is installed: -$ rpm -q setroubleshoot-plugins - Is it the case that the package is installed? + + The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.tcp_syncookies +1. + + Is it the case that the correct value is not returned? 
- - Run the following command and verify remote server is configured properly: -# grep -E "^(server|pool)" /etc/chrony.conf - Is it the case that a remote time server is not configured? + + To check the ownership of /boot/efi/EFI/redhat/user.cfg, +run the command: +$ ls -lL /boot/efi/EFI/redhat/user.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that /boot/efi/EFI/redhat/user.cfg does not have an owner of root? - - The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_source_route -0. - - Is it the case that the correct value is not returned? + + To check the group ownership of /etc/group-, +run the command: +$ ls -lL /etc/group- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/group- does not have a group owner of root? - + -If the system is configured to prevent the loading of the cramfs kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? +Run the following command to determine if the samba_share_nfs SELinux boolean is disabled: +$ getsebool samba_share_nfs +If properly configured, the output should show the following: +samba_share_nfs --> off + Is it the case that samba_share_nfs is not disabled? 
- + +To check that the telnet service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig telnet --list +Output should indicate the telnet service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig telnet --list -Run the following command to determine the current status of the -rngd service: -$ sudo systemctl is-active rngd -If the service is running, it should return the following: active - Is it the case that the "rngd" service is disabled, masked, or not started.? - - - - Verify that Red Hat Enterprise Linux 8 contains no duplicate User IDs (UIDs) for interactive users. +Note: This output shows SysV services only and does not include native +systemd services. SysV configuration data might be overridden by native +systemd configuration. -Check that the operating system contains no duplicate UIDs for interactive users with the following command: +If you want to list systemd services use 'systemctl list-unit-files'. +To see services enabled on particular target use +'systemctl list-dependencies [target]'. -$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd - Is it the case that output is produced and the accounts listed are interactive user accounts? - - - - To check that the smb service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled smb -Output should indicate the smb service has either not been installed, +telnet off + +To check that the telnet socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled telnet +Output should indicate the telnet socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled smb disabled +$ sudo systemctl is-enabled telnetdisabled -Run the following command to verify smb is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active smb +Run the following command to verify telnet is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active telnet -If the service is not running the command will return the following output: +If the socket is not running the command will return the following output: inactive -The service will also be masked, to check that the smb is masked, run the following command: -$ sudo systemctl show smb | grep "LoadState\|UnitFileState" +The socket will also be masked, to check that the telnet is masked, run the following command: +$ sudo systemctl show telnet | grep "LoadState\|UnitFileState" -If the service is masked the command will return the following outputs: +If the socket is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "smb" is loaded and not masked? + Is it the case that service and/or socket are running? - - To ensure the system is configured to ignore the Ctrl-Alt-Del setting, -enter the following command: -$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf -The output should return: -CtrlAltDelBurstAction=none - Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? + + To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command: + +$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? - - To obtain a list of all users and the content of their shadow password field, run the command: -$ sudo readarray -t systemaccounts -Verify if all accounts are locked. - Is it the case that system accounts are not locked? 
+ + +Run the following command to determine if the auditadm_exec_content SELinux boolean is enabled: +$ getsebool auditadm_exec_content +If properly configured, the output should show the following: +auditadm_exec_content --> on + Is it the case that auditadm_exec_content is not enabled? - + -Run the following command to determine if the polipo_connect_all_unreserved SELinux boolean is disabled: -$ getsebool polipo_connect_all_unreserved +Run the following command to determine if the samba_portmapper SELinux boolean is disabled: +$ getsebool samba_portmapper If properly configured, the output should show the following: -polipo_connect_all_unreserved --> off - Is it the case that polipo_connect_all_unreserved is not disabled? +samba_portmapper --> off + Is it the case that samba_portmapper is not disabled? - - To check the group ownership of /etc/ssh/*.pub, -run the command: -$ ls -lL /etc/ssh/*.pub -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/ssh/*.pub does not have a group owner of root? + + Verify the nosuid option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . nosuid . . . + + Is it the case that the "/home" file system does not have the "nosuid" option set? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open_by_handle_at system call with O_CREAT flag. 
- -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? + + To verify all files and directories in interactive user home directory are +group-owned by a group the user is a member of, run the +following command: +$ sudo ls -lLR /home/USER + Is it the case that the group ownership is incorrect? - - To check that no password hashes are stored in -/etc/passwd, run the following command: -awk '!/\S:x|\*/ {print}' /etc/passwd -If it produces any output, then a password hash is -stored in /etc/passwd. - Is it the case that any stored hashes are found in /etc/passwd? + + To ensure logs are sent to a remote host, examine the file +/etc/rsyslog.conf. +If using UDP, a line similar to the following should be present: + *.* @ +If using TCP, a line similar to the following should be present: + *.* @@ +If using RELP, a line similar to the following should be present: + *.* :omrelp: + Is it the case that no evidence that the audit logs are being off-loaded to another system or media? 
- - To check if the system login banner is compliant, run the following command: -$ cat /etc/issue.net - Is it the case that it does not display the required banner? + + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +$ sudo grep "removexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To verify the boot loader superuser password has been set, run the following command: -$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg -The output should be similar to: -GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC -2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 -916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 -0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 - Is it the case that no password is set? + + Run the following command to determine if the iptables package is installed: $ rpm -q iptables + Is it the case that the package is not installed? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that USB Human Interface Devices will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +The output lines should include +allow with-interface match-all { 03:*:* } + Is it the case that USB devices of class 3 are not authorized? - + + To find world-writable files, run the following command: +$ sudo find / -xdev -type f -perm -002 + Is it the case that there is output? 
+ + + -Run the following command to determine if the gluster_export_all_rw SELinux boolean is disabled: -$ getsebool gluster_export_all_rw +Run the following command to determine if the xguest_connect_network SELinux boolean is disabled: +$ getsebool xguest_connect_network If properly configured, the output should show the following: -gluster_export_all_rw --> off - Is it the case that gluster_export_all_rw is not disabled? +xguest_connect_network --> off + Is it the case that xguest_connect_network is not disabled? - + + Make sure that the kernel is configured to trust the CPU RNG by following +commands. To check if the option was correctly configured at kernel compile +time, run the following command: +grep -q CONFIG_RANDOM_TRUST_CPU=y /boot/config-`uname -r` +If the command outputs: +CONFIG_RANDOM_TRUST_CPU=y, +it means that the option is compiled into the kernel. Make sure that the +option is not overridden through a boot parameter: +sudo grep 'kernelopts.*random\.trust_cpu=off.*' /boot/grub2/grubenv +The command should not return any output. If the option is not compiled into +the kernel, check that the option is configured through boot parameter. +Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes random.trust_cpu=on, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*random.trust_cpu=on.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*random.trust_cpu=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. 
+Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'random.trust_cpu=on' +The command should not return any output. + Is it the case that the kernel is not configured to trust the CPU RNG? + + + -Run the following command to determine if the httpd_run_preupgrade SELinux boolean is disabled: -$ getsebool httpd_run_preupgrade +Run the following command to determine if the git_session_users SELinux boolean is disabled: +$ getsebool git_session_users If properly configured, the output should show the following: -httpd_run_preupgrade --> off - Is it the case that httpd_run_preupgrade is not disabled? +git_session_users --> off + Is it the case that git_session_users is not disabled? - - The rsh package can be removed with the following command: $ sudo yum erase rsh - Is it the case that ? + + To determine if the users are allowed to run commands as root, run the following commands: +$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]' /etc/sudoers /etc/sudoers.d/ +and +$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)' /etc/sudoers /etc/sudoers.d/ +Both commands should return no output. + Is it the case that /etc/sudoers file contains rules that allow non-root users to run commands as root? - - Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server - Is it the case that the package is installed? + + +Run the following command to determine if the telepathy_tcp_connect_generic_network_ports SELinux boolean is disabled: +$ getsebool telepathy_tcp_connect_generic_network_ports +If properly configured, the output should show the following: +telepathy_tcp_connect_generic_network_ports --> off + Is it the case that telepathy_tcp_connect_generic_network_ports is not disabled? 
- - To verify that auditing is configured for system administrator actions, run the following command: -$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" - Is it the case that there is not output? + + Inspect the mounts configured in /etc/exports. Each mount should specify a value +greater than UID_MAX and GID_MAX as defined in /etc/login.defs. + Is it the case that anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + + If IPv6 is disabled, this is not applicable. -$ sudo auditctl -l | grep newgrp +Inspect the file /etc/sysconfig/ip6tables to determine +the default policy for the INPUT chain. It should be set to DROP: +$ sudo grep ":INPUT" /etc/sysconfig/ip6tables + Is it the case that the default policy for the INPUT chain is not set to DROP? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp +$ sudo auditctl -l | grep ssh-keysign + +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? - - To check that the sshd service is disabled in system boot configuration, + + To verify that the Dracut FIPS module is enabled, run the following command: +grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf +The output should look like this: +add_dracutmodules+=" fips " + Is it the case that the Dracut FIPS module is not enabled? 
+ + + + To determine if env_reset has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\benv_reset\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that env_reset is not enabled in sudo? + + + + To verify the assigned home directory of all interactive users is group- +owned by that users primary GID, run the following command: +# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) + Is it the case that the group ownership is incorrect? + + + + To check that the ypserv service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled sshd -Output should indicate the sshd service has either not been installed, +$ sudo systemctl is-enabled ypserv +Output should indicate the ypserv service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled sshd disabled +$ sudo systemctl is-enabled ypserv disabled -Run the following command to verify sshd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active sshd +Run the following command to verify ypserv is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active ypserv If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the sshd is masked, run the following command: -$ sudo systemctl show sshd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the ypserv is masked, run the following command: +$ sudo systemctl show ypserv | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "sshd" is loaded and not masked? 
- - - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.media-handling autorun-never -If properly configured, the output for autorun-nevershould be true. -To ensure that users cannot enable autorun in GNOME3, run the following: -$ grep 'autorun-never' /etc/dconf/db/local.d/locks/* -If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never - Is it the case that GNOME autorun is not disabled? - - - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + Is it the case that the "ypserv" is loaded and not masked? - - -Run the following command to determine if the selinuxuser_ping SELinux boolean is enabled: -$ getsebool selinuxuser_ping -If properly configured, the output should show the following: -selinuxuser_ping --> on - Is it the case that selinuxuser_ping is not enabled? + + To verify the system is not configured to use a boot loader on removable media, +check that the grub configuration file has the set root command in each menu +entry with the following commands: +$ sudo grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg +Note that the -c option for the grep command will print +only the count of menuentry occurrences. This number should match +the number of occurrences reported by the following command: +$ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg +The output should return something similar to: +set root='hd0,msdos1' +usb0, cd, fd0, etc. are some examples of removeable +media which should not exist in the lines: +set root='hd0,msdos1' + Is it the case that it is not? 
- - -Run the following command to determine if the logadm_exec_content SELinux boolean is enabled: -$ getsebool logadm_exec_content -If properly configured, the output should show the following: -logadm_exec_content --> on - Is it the case that logadm_exec_content is not enabled? + + Run the following command to determine if the policycoreutils-python-utils package is installed: $ rpm -q policycoreutils-python-utils + Is it the case that the package is not installed? - - To determine if LDAP is being used for authentication, use the following -command: -$ sudo grep -i useldapauth /etc/sysconfig/authconfig -The output should return: -USELDAPAUTH=yes - Is it the case that USELDAPAUTH=yes is not configured correctly in /etc/sysconfig/authconfig? + + To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: +$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config +and verify that the line matches: +-oMACS= + Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? - - Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. + + Verify that a separate file system/partition has been created for /var/log/audit with the following command: -Check which action Red Hat Enterprise Linux 8 takes when the audit storage volume is full with the following command: +$ mountpoint /var/log/audit -$ sudo grep max_log_file_action /etc/audit/auditd.conf -max_log_file_action = - Is it the case that the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out? + Is it the case that "/var/log/audit is not a mountpoint" is returned? - - -Run the following command to determine if the exim_can_connect_db SELinux boolean is disabled: -$ getsebool exim_can_connect_db -If properly configured, the output should show the following: -exim_can_connect_db --> off - Is it the case that exim_can_connect_db is not disabled? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SLUB_DEBUG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To check that the sysstat service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled sysstat -Output should indicate the sysstat service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled sysstat disabled - -Run the following command to verify sysstat is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active sysstat - -If the service is not running the command will return the following output: -inactive + + Storing logs with persistent storage ensures they are available after a reboot or system crash. +Run the command below to verify that logs are being persistently stored to disk. -The service will also be masked, to check that the sysstat is masked, run the following command: -$ sudo systemctl show sysstat | grep "LoadState\|UnitFileState" +grep "^\sStorage" /etc/systemd/journald.conf -If the service is masked the command will return the following outputs: +and it should return -LoadState=masked +Storage=persistent -UnitFileState=masked - Is it the case that the "sysstat" is loaded and not masked? + Is it the case that is commented out or not configured correctly? - - To determine if the system is configured to audit calls to the -rename system call, run the following command: -$ sudo grep "rename" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + To check if authentication is required for single-user mode, run the following command: +$ grep sulogin /usr/lib/systemd/system/rescue.service +The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + Is it the case that the output is different? - - - -Run the following command to determine the current status of the -ufw service: -$ sudo systemctl is-active ufw -If the service is running, it should return the following: active - Is it the case that the service is not enabled? + + Verify that core dumps are disabled for all users, run the following command: +$ grep core /etc/security/limits.conf +* hard core 0 + Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"? - - To check that the slapd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled slapd -Output should indicate the slapd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled slapd disabled - -Run the following command to verify slapd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active slapd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the slapd is masked, run the following command: -$ sudo systemctl show slapd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "slapd" is loaded and not masked? 
+ + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured correctly: +space_left SIZE_in_MB + Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? - - To check that the httpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled httpd -Output should indicate the httpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled httpd disabled + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlinkat system call. -Run the following command to verify httpd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active httpd +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -If the service is not running the command will return the following output: -inactive +$ sudo grep -r unlinkat /etc/audit/rules.d -The service will also be masked, to check that the httpd is masked, run the following command: -$ sudo systemctl show httpd | grep "LoadState\|UnitFileState" +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -If the service is masked the command will return the following outputs: +$ sudo grep unlinkat /etc/audit/audit.rules -LoadState=masked +The output should be the following: -UnitFileState=masked - Is it the case that the "httpd" is loaded and not masked? 
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the kerberos_enabled SELinux boolean is enabled: -$ getsebool kerberos_enabled -If properly configured, the output should show the following: -kerberos_enabled --> on - Is it the case that kerberos_enabled is not enabled? + + Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services + Is it the case that the iptables-services package is installed? - - To determine if the system is configured to audit successful calls -to the open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the operating system audits activities performed during nonlocal +maintenance and diagnostic sessions. Run the following command: +$ sudo auditctl -l | grep sudo.log +-w /var/log/sudo.log -p wa -k maintenance - Is it the case that no line is returned? + Is it the case that Audit rule is not present? - - Run the following command to determine if the tuned package is installed: -$ rpm -q tuned - Is it the case that the package is installed? + + The following command will discover and print any +files on local partitions which do not belong to a valid user. 
+$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser + +Either remove all files and directories from the system that do not have a +valid user, or assign a valid user to all unowned files and directories on +the system with the chown command: +$ sudo chown user file + Is it the case that files exist that are not owned by a valid user? - - -Run the following command to determine if the virt_read_qemu_ga_data SELinux boolean is disabled: -$ getsebool virt_read_qemu_ga_data -If properly configured, the output should show the following: -virt_read_qemu_ga_data --> off - Is it the case that virt_read_qemu_ga_data is not disabled? + + Inspect /etc/audit/audisp-remote.conf and locate the following line to +determine if the system is configured to perform a correct action according to the policy: +$ sudo grep -i network_failure_action /etc/audit/audisp-remote.conf +The output should return: +network_failure_action = + Is it the case that the system is not configured to switch to single user mode for corrective action? - - To verify that auditing of privileged command use is configured, run the -following command: -$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/* -It should return a relevant line in the audit rules. - Is it the case that the command does not return a line, or the line is commented out? + + +To properly set the owner of /etc/audit/, run the command: +$ sudo chown root /etc/audit/ + +To properly set the owner of /etc/audit/rules.d/, run the command: +$ sudo chown root /etc/audit/rules.d/ + Is it the case that ? - - To check the group ownership of /var/log/syslog, -run the command: -$ ls -lL /var/log/syslog -If properly configured, the output should indicate the following group-owner: -adm - Is it the case that /var/log/syslog does not have a group owner of adm? 
+ + To verify the operating system implements cryptography to protect the integrity of +remote ldap access sessions, run the following command: +$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf +The output should return the following with a correctly configured CA cert path: +ldap_tls_cacert /path/to/tls/ca.cert + Is it the case that the TLS CA cert is not configured? - - -Run the following command to determine if the httpd_builtin_scripting SELinux boolean is disabled: -$ getsebool httpd_builtin_scripting -If properly configured, the output should show the following: -httpd_builtin_scripting --> off - Is it the case that httpd_builtin_scripting is not disabled? + + To ensure disable and restart on the login screen are disabled, run the following command: +$ grep disable-restart-buttons /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot enable disable and restart on the login screen, run the following: +$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons + Is it the case that disable-restart-buttons has not been configured or is not disabled? - - Verify the nosuid option is configured for the /var/tmp mount point, - run the following command: - $ sudo mount | grep '\s/var/tmp\s' - . . . /var/tmp . . . nosuid . . . + + The runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_rtr_pref +0. - Is it the case that the "/var/tmp" file system does not have the "nosuid" option set? + Is it the case that the correct value is not returned? - - Run the following command to determine if the postfix package is installed: $ rpm -q postfix - Is it the case that the package is not installed? 
+ + To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: +$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config +and verify that the line matches: +-oCiphers= + Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? - - Verify the operating system is not configured to bypass password requirements for privilege -escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: -$ sudo grep pam_succeed_if /etc/pam.d/sudo - Is it the case that system is configured to bypass password requirements for privilege escalation? + + Run the following command to determine if the bind package is installed: +$ rpm -q bind + Is it the case that the package is installed? - + + Verify Red Hat Enterprise Linux 8 is configured to lock an account after +unsuccessful logon attempts with the command: + + +$ grep 'deny =' /etc/security/faillock.conf +deny = . + Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />" +or less (but not "0"), is missing or commented out? + + + + Verify the assigned home directories of all interactive users on the system exist with the following command: + +$ sudo pwck -r + +user 'mailnull': directory 'var/spool/mqueue' does not exist + +The output should not return any interactive users. + Is it the case that users home directory does not exist? + + + -Run the following command to determine if the httpd_ssi_exec SELinux boolean is disabled: -$ getsebool httpd_ssi_exec +Run the following command to determine if the samba_domain_controller SELinux boolean is disabled: +$ getsebool samba_domain_controller If properly configured, the output should show the following: -httpd_ssi_exec --> off - Is it the case that httpd_ssi_exec is not disabled? +samba_domain_controller --> off + Is it the case that samba_domain_controller is not disabled? 
- - To ensure that the GPG key is installed, run: -$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey -The command should return the string below: -gpg(Red Hat, Inc. (release key 2) <security@redhat.com> - Is it the case that the Red Hat GPG Key is not installed? + + Verify it by running the following command: +$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules + +/sbin/auditctl 755 +/sbin/aureport 755 +/sbin/ausearch 755 +/sbin/autrace 755 +/sbin/auditd 755 +/sbin/audispd 755 +/sbin/augenrules 755 + + +If the command does not return all the above lines, the missing ones +need to be added. + +Run the following command to correct the permissions of the missing +entries: +$ sudo chmod 0755 [audit_tool] + +Replace "[audit_tool]" with the audit tool that does not have the +correct permissions. + Is it the case that ? - - To check the group ownership of /etc/ssh/*_key, -run the command: -$ ls -lL /etc/ssh/*_key -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/ssh/*_key does not have a group owner of root? + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the httpd_unified SELinux boolean is disabled: -$ getsebool httpd_unified +Run the following command to determine if the samba_run_unconfined SELinux boolean is disabled: +$ getsebool samba_run_unconfined If properly configured, the output should show the following: -httpd_unified --> off - Is it the case that httpd_unified is not disabled? +samba_run_unconfined --> off + Is it the case that samba_run_unconfined is not disabled? 
- - Verify the nosuid option is configured for the /var/log/audit mount point, - run the following command: - $ sudo mount | grep '\s/var/log/audit\s' - . . . /var/log/audit . . . nosuid . . . + + The runtime status of the kernel.sysrq kernel parameter can be queried +by running the following command: +$ sysctl kernel.sysrq +0. - Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set? + Is it the case that the correct value is not returned? - + -Run the following command to determine if the ftpd_use_nfs SELinux boolean is disabled: -$ getsebool ftpd_use_nfs +Run the following command to determine if the use_fusefs_home_dirs SELinux boolean is disabled: +$ getsebool use_fusefs_home_dirs If properly configured, the output should show the following: -ftpd_use_nfs --> off - Is it the case that ftpd_use_nfs is not disabled? +use_fusefs_home_dirs --> off + Is it the case that use_fusefs_home_dirs is not disabled? - - -Run the following command to determine if the authlogin_yubikey SELinux boolean is disabled: -$ getsebool authlogin_yubikey -If properly configured, the output should show the following: -authlogin_yubikey --> off - Is it the case that authlogin_yubikey is not disabled? + + To ensure screen locking on smartcard removal is enabled, run the following command: +$ grep removal-action /etc/dconf/db/local.d/* +The output should be 'lock-screen'. +To ensure that users cannot disable screen locking on smartcard removal, run the following: +$ grep removal-action /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action + Is it the case that removal-action has not been configured? 
- - To check the ownership of /etc/passwd, + + Verify all local interactive users on Red Hat Enterprise Linux 8 are assigned a home +directory upon creation with the following command: +$ grep -i create_home /etc/login.defs +CREATE_HOME yes + Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out? + + + + To check the group ownership of /boot/efi/EFI/redhat/user.cfg, run the command: -$ ls -lL /etc/passwd -If properly configured, the output should indicate the following owner: +$ ls -lL /boot/efi/EFI/redhat/user.cfg +If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/passwd does not have an owner of root? + Is it the case that /boot/efi/EFI/redhat/user.cfg does not have a group owner of root? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules -The output has to be exactly as follows: -## Successful file access (any other opens) This has to go last. -## These next two are likely to result in a whole lot of events --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access - Is it the case that the file does not exist or the content differs? + + The runtime status of the net.ipv6.conf.default.max_addresses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.max_addresses +1. + + Is it the case that the correct value is not returned? 
+ + + + +Run the following command to determine if the wine_mmap_zero_ignore SELinux boolean is disabled: +$ getsebool wine_mmap_zero_ignore +If properly configured, the output should show the following: +wine_mmap_zero_ignore --> off + Is it the case that wine_mmap_zero_ignore is not disabled? 
@@ -370699,368 +371309,441 @@ If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? - - Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: - -$ grep minclass /etc/security/pwquality.conf - -minclass = - Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out? + + Run the following command to determine open ports: +# ss -6tuln +Run the following command to determine firewall rules: +# ip6tables -L INPUT -v -n +For each port identified in the audit which does not have a firewall +rule, add rule for accepting or denying inbound connections +# ip6tables -A INPUT -p \ --dport \ -m state --state NEW -j ACCEPT + Is it the case that open ports are denied connection? - - To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: + + Remote web authors should not be able to upload files to the Document Root +directory structure without virus checking and checking for malicious or mobile +code. + Is it the case that it is not? + + + + Verify that the system is not accepting "rsyslog" messages from other systems unless it is +documented as a log aggregation server. +Display the contents of the rsyslog configuration files: +find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \; -$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config +If any of the below lines are found, ask to see the documentation for the system being used +for log aggregation: -If a line indicating yes is returned, then the required value is set. +If using legacy syntax: +$ModLoad imtcp +$InputTCPServerRun port +$ModLoad imudp +$UDPServerRun port +$ModLoad imrelp +$InputRELPServerRun port - Is it the case that the required value is not set? 
+If using RainerScript syntax: +module(load="imtcp") +module(load="imudp") +input(type="imtcp" port="514") +input(type="imudp" port="514") + + Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system? - - To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run: -$ sudo grep -'+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' -/etc/crypto-policies/back-ends/gnutls.config and verify that a match exists. - Is it the case that cryptographic policy for gnutls is not configured or is configured incorrectly? + + +Run the following command to determine if the tmpreaper_use_nfs SELinux boolean is disabled: +$ getsebool tmpreaper_use_nfs +If properly configured, the output should show the following: +tmpreaper_use_nfs --> off + Is it the case that tmpreaper_use_nfs is not disabled? - - Run the following command to see what the timeout interval is: -$ sudo grep ClientAliveInterval /etc/ssh/sshd_config -If properly configured, the output should be: -ClientAliveInterval - Is it the case that it is commented out or not configured properly? + + +Run the following command to determine if the abrt_anon_write SELinux boolean is disabled: +$ getsebool abrt_anon_write +If properly configured, the output should show the following: +abrt_anon_write --> off + Is it the case that abrt_anon_write is not disabled? - - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -$ sudo grep "renameat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +$ sudo cat /etc/audit/rules.d/11-loginuid.rules +The output has to be exactly as follows: +## Make the loginuid immutable. This prevents tampering with the auid. 
+--loginuid-immutable + Is it the case that the file does not exist or the content differs? - - The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried + + The runtime status of the net.ipv4.conf.all.arp_filter kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.log_martians -1. +$ sysctl net.ipv4.conf.all.arp_filter +. Is it the case that the correct value is not returned? - + -Run the following command to determine if the fcron_crond SELinux boolean is disabled: -$ getsebool fcron_crond -If properly configured, the output should show the following: -fcron_crond --> off - Is it the case that fcron_crond is not disabled? +Run the following command to get the current configured value for secure_mode_insmod +SELinux boolean: +$ getsebool secure_mode_insmod +The expected cofiguration is . +"on" means true, and "off" means false + Is it the case that secure_mode_insmod is not set as expected? - - Ensure that debug-shell service is not enabled with the following command: -sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that enables the debug-shell. - Is it the case that the comand returns a line? + + To determine if the system is configured to audit successful calls +to the removexattr system call, run the following command: +$ sudo grep "removexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. 
+ + To check that the rpcsvcgssd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rpcsvcgssd +Output should indicate the rpcsvcgssd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rpcsvcgssd disabled -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +Run the following command to verify rpcsvcgssd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rpcsvcgssd -$ sudo grep -r ftruncate /etc/audit/rules.d +If the service is not running the command will return the following output: +inactive -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +The service will also be masked, to check that the rpcsvcgssd is masked, run the following command: +$ sudo systemctl show rpcsvcgssd | grep "LoadState\|UnitFileState" -$ sudo grep ftruncate /etc/audit/audit.rules +If the service is masked the command will return the following outputs: -The output should be the following: +LoadState=masked --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? +UnitFileState=masked + Is it the case that the "rpcsvcgssd" is loaded and not masked? 
- + -Run the following command to determine if the pcp_read_generic_logs SELinux boolean is disabled: -$ getsebool pcp_read_generic_logs +Run the following command to determine if the nis_enabled SELinux boolean is disabled: +$ getsebool nis_enabled If properly configured, the output should show the following: -pcp_read_generic_logs --> off - Is it the case that pcp_read_generic_logs is not disabled? +nis_enabled --> off + Is it the case that nis_enabled is not disabled? - - -Run the following command to determine if the selinuxuser_use_ssh_chroot SELinux boolean is disabled: -$ getsebool selinuxuser_use_ssh_chroot -If properly configured, the output should show the following: -selinuxuser_use_ssh_chroot --> off - Is it the case that selinuxuser_use_ssh_chroot is not disabled? + + To find SUID files, run the following command: +$ sudo find / -xdev -type f -perm -4000 + Is it the case that only authorized files appear in the output of the find command? - - The group-owner of all log files written by rsyslog should be -root. -These log files are determined by the second part of each Rule line in -/etc/rsyslog.conf and typically all appear in /var/log. -To see the group-owner of a given log file, run the following command: -$ ls -l LOGFILE - Is it the case that the group-owner is not correct? 
+ + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +The output has to be exactly as follows: +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create + Is it the case that the file does not exist or the content differs? - - To verify that FIPS mode is enabled properly, run the following command: -fips-mode-setup --check -The output should contain the following: -FIPS mode is enabled. 
-To verify that the cryptographic policy has been configured correctly, run the -following command: -$ update-crypto-policies --show -The output should return . - Is it the case that FIPS mode is not enabled? + + To ensure that remote access connections are encrypted, run the following command: +$ gsettings get org.gnome.Vino require-encrpytion +If properly configured, the output should be true. +To ensure that users cannot disable encrypted remote connections, run the following: +$ grep require-encryption /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/Vino/require-encryption + Is it the case that remote access connections are not encrypted? - - The runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra_pinfo -0. - - Is it the case that the correct value is not returned? + + Find the list of alias maps used by the Postfix mail server: +$ sudo postconf alias_maps +Query the Postfix alias maps for an alias for the postmaster user: +$ sudo postmap -q postmaster hash:/etc/aliases +The output should return root. + Is it the case that the alias is not set or is not root? - - To check the group ownership of /etc/at.allow, -run the command: -$ ls -lL /etc/at.allow -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/at.allow does not have a group owner of root? + + To verify that null passwords cannot be used, run the following command: +$ sudo awk -F: '!$2 {print $1}' /etc/shadow +If this produces any output, it may be possible to log into accounts +with empty passwords. + Is it the case that Blank or NULL passwords can be used? 
- - -Run the following command to determine if the squid_use_tproxy SELinux boolean is disabled: -$ getsebool squid_use_tproxy -If properly configured, the output should show the following: -squid_use_tproxy --> off - Is it the case that squid_use_tproxy is not disabled? + + To determine if the system is configured to audit calls to the +clock_settime system call, run the following command: +$ sudo grep "clock_settime" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the conman_can_network SELinux boolean is disabled: -$ getsebool conman_can_network +Run the following command to determine if the sanlock_use_nfs SELinux boolean is disabled: +$ getsebool sanlock_use_nfs If properly configured, the output should show the following: -conman_can_network --> off - Is it the case that conman_can_network is not disabled? - - - - Verify the nodev option is configured for the /home mount point, - run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . nodev . . . - - Is it the case that the "/home" file system does not have the "nodev" option set? +sanlock_use_nfs --> off + Is it the case that sanlock_use_nfs is not disabled? - - To check the value of the umask, run the following command: -$ grep umask /etc/init.d/functions -The output should show . - Is it the case that it does not? + + To determine if requiretty has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\brequiretty\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that requiretty is not enabled in sudo? - - Run the following command to check if the group exists: -grep /etc/group -The output should contain the following line: -:x: - Is it the case that group exists and has no user members? 
+ + +Run the following command to determine if the httpd_can_connect_ftp SELinux boolean is disabled: +$ getsebool httpd_can_connect_ftp +If properly configured, the output should show the following: +httpd_can_connect_ftp --> off + Is it the case that httpd_can_connect_ftp is not disabled? - + -Run the following command to determine if the cron_system_cronjob_use_shares SELinux boolean is disabled: -$ getsebool cron_system_cronjob_use_shares +Run the following command to determine if the xen_use_nfs SELinux boolean is disabled: +$ getsebool xen_use_nfs If properly configured, the output should show the following: -cron_system_cronjob_use_shares --> off - Is it the case that cron_system_cronjob_use_shares is not disabled? +xen_use_nfs --> off + Is it the case that xen_use_nfs is not disabled? - - Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: - -$ sudo grep -w space_left /etc/audit/auditd.conf - -space_left = % - Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value? + + To obtain a listing of all users, their UIDs, and their shells, run the command: +$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd +Identify the system accounts from this listing. These will primarily be the accounts with UID +numbers less than 1000, other than root. + Is it the case that any system account other than root has a login shell? - - Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services - Is it the case that the iptables-services package is installed? 
+ + Determine if "sudoers" file restricts sudo access run the following commands: +$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* +$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* + Is it the case that either of the commands returned a line? - - To check the group ownership of /etc/cron.hourly, -run the command: -$ ls -lL /etc/cron.hourly -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/cron.hourly does not have a group owner of root? + + To determine how the SSH daemon's UsePAM option is set, run the following command: + +$ sudo grep -i UsePAM /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules -The output has to be exactly as follows: -## Unsuccessful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change - Is it the case that the file does not exist or the content differs? 
+ + To ensure that the GUI power settings are not active, run the following command: +$ gsettings get org.gnome.settings-daemon.plugins.power active +If properly configured, the output should be false. +To ensure that users cannot enable the power settings, run the following: +$ grep power /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/settings-daemon/plugins/power/active + Is it the case that power settings are enabled and are not disabled? - + -Run the following command to determine if the mcelog_server SELinux boolean is disabled: -$ getsebool mcelog_server +Run the following command to determine if the cobbler_anon_write SELinux boolean is disabled: +$ getsebool cobbler_anon_write If properly configured, the output should show the following: -mcelog_server --> off - Is it the case that mcelog_server is not disabled? +cobbler_anon_write --> off + Is it the case that cobbler_anon_write is not disabled? - - -Run the following command to determine if the samba_run_unconfined SELinux boolean is disabled: -$ getsebool samba_run_unconfined -If properly configured, the output should show the following: -samba_run_unconfined --> off - Is it the case that samba_run_unconfined is not disabled? + + To determine if the system is configured to audit calls to the +settimeofday system call, run the following command: +$ sudo grep "settimeofday" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - -Run the following command to determine if the webadm_read_user_files SELinux boolean is disabled: -$ getsebool webadm_read_user_files -If properly configured, the output should show the following: -webadm_read_user_files --> off - Is it the case that webadm_read_user_files is not disabled? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. 
If it includes spectre_v2=on, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spectre_v2=on.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*spectre_v2=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'spectre_v2=on' +The command should not return any output. + Is it the case that spectre_v2 mitigation is not enforced? - + -Run the following command to determine if the abrt_handle_event SELinux boolean is disabled: -$ getsebool abrt_handle_event +Run the following command to determine if the httpd_sys_script_anon_write SELinux boolean is disabled: +$ getsebool httpd_sys_script_anon_write If properly configured, the output should show the following: -abrt_handle_event --> off - Is it the case that abrt_handle_event is not disabled? +httpd_sys_script_anon_write --> off + Is it the case that httpd_sys_script_anon_write is not disabled? - - -Run the following command to determine if the nagios_run_pnp4nagios SELinux boolean is disabled: -$ getsebool nagios_run_pnp4nagios -If properly configured, the output should show the following: -nagios_run_pnp4nagios --> off - Is it the case that nagios_run_pnp4nagios is not disabled? + + Run the following command to determine if the openssh-clients package is installed: $ rpm -q openssh-clients + Is it the case that the package is not installed? 
- - -Run the following command to determine if the virt_use_samba SELinux boolean is disabled: -$ getsebool virt_use_samba -If properly configured, the output should show the following: -virt_use_samba --> off - Is it the case that virt_use_samba is not disabled? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'audit=1' +The command should not return any output. + Is it the case that auditing is not enabled at boot time? - - Verify the nosuid option is configured for the /dev/shm mount point, - run the following command: - $ sudo mount | grep '\s/dev/shm\s' - . . . /dev/shm . . . nosuid . . . + + To determine if passwd_timeout has been configured for sudo, run the following command: +$ sudo grep -ri '^Defaults.*passwd_timeout=' /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that passwd_timeout is not set with the appropriate value for sudo? + + + + To determine if the system is configured to audit successful calls +to the fchmod system call, run the following command: +$ sudo grep "fchmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? + Is it the case that no line is returned? 
- - To verify that is configured -as the smart card driver, run the following command: -$ grep force_card_driver /etc/opensc.conf -The output should return something similar to: -force_card_driver = ; - Is it the case that the smart card driver is not configured correctly? + + +Run the following command to determine if the swift_can_network SELinux boolean is disabled: +$ getsebool swift_can_network +If properly configured, the output should show the following: +swift_can_network --> off + Is it the case that swift_can_network is not disabled? - - Verify Red Hat Enterprise Linux 8 prevents the use of dictionary words for passwords with the following command: - -$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:dictcheck=1 - Is it the case that "dictcheck" does not have a value other than "0", or is commented out? + + +Run the following command to determine if the zebra_write_config SELinux boolean is disabled: +$ getsebool zebra_write_config +If properly configured, the output should show the following: +zebra_write_config --> off + Is it the case that zebra_write_config is not disabled? - - Verify Red Hat Enterprise Linux 8 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: - -# grep -i umask /etc/login.defs - -UMASK - Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out? + + To check the ownership of /etc/cron.weekly, +run the command: +$ ls -lL /etc/cron.weekly +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.weekly does not have an owner of root? 
- - To ensure that the system prevents messages from being shown when three unsuccessful logon -attempts occur, run the following command: -$ grep silent /etc/security/faillock.conf -The output should show silent. - Is it the case that the system shows messages when three unsuccessful logon attempts occur? + + To verify that packages comprising the available updates will be automatically installed by dnf-automatic, run the following command: +$ sudo grep apply_updates /etc/dnf/automatic.conf +The output should return the following: +apply_updates = yes + Is it the case that apply_updates is not set to yes? - - -Run the following command to determine if the httpd_can_connect_ftp SELinux boolean is disabled: -$ getsebool httpd_can_connect_ftp -If properly configured, the output should show the following: -httpd_can_connect_ftp --> off - Is it the case that httpd_can_connect_ftp is not disabled? + + To determine if the system is configured to audit successful calls +to the fchown system call, run the following command: +$ sudo grep "fchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the logging_syslogd_can_sendmail SELinux boolean is disabled: -$ getsebool logging_syslogd_can_sendmail +Run the following command to determine if the mpd_use_nfs SELinux boolean is disabled: +$ getsebool mpd_use_nfs If properly configured, the output should show the following: -logging_syslogd_can_sendmail --> off - Is it the case that logging_syslogd_can_sendmail is not disabled? +mpd_use_nfs --> off + Is it the case that mpd_use_nfs is not disabled? - - Enter the following commands: + + The runtime status of the kernel.perf_event_max_sample_rate kernel parameter can be queried +by running the following command: +$ sysctl kernel.perf_event_max_sample_rate +1. 
-grep Action /etc/httpd/conf/httpd.conf -grep AddHandler /etc/httpd/conf/httpd.conf - Is it the case that either of these exist and they configure csh, or any other shell as a viewer for documents? + Is it the case that the correct value is not returned? - - To verify that McAfee Endpoint Security for Linux is -running, run the following command: -$ sudo ps -ef | grep -i mfetpd - Is it the case that virus scanning software is not running? + + To determine if the system is configured to audit changes to its network configuration, +run the following command: +auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' +If the system is configured to watch for network configuration changes, a line should be returned for +each file specified (and perm=wa should be indicated for each). + Is it the case that the system is not configured to audit changes of the network configuration? + + + + The runtime status of the kernel.core_pattern kernel parameter can be queried +by running the following command: +$ sysctl kernel.core_pattern +|/bin/false. + + Is it the case that the returned line does not have a value of "|/bin/false", or a line is not +returned and the need for core dumps is not documented with the Information +System Security Officer (ISSO) as an operational requirement? + + + + To verify that each web content directory has an index.html file, +run the following command: +$ sudo find `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` -name index.html +The output should return an index.html file for every +DocumentRoot that is set. + Is it the case that it is not? 
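Review bot: the fchmod and fchown audit checks added in this hunk grep the wrong path. '$ sudo grep "fchmod" /etc/audit.*' and '$ sudo grep "fchown" /etc/audit.*' glob for files named audit.* directly under /etc, so /etc/audit/audit.rules is never read and the check always ends in "no line is returned", which would be a false finding on a correctly configured host. The settimeofday check in the same hunk uses '$ sudo grep "settimeofday" /etc/audit/audit.*', which is the intended path; the fchmod and fchown lines should match it. Style point in the spectre_v2=on and audit=1 GRUB checks: "$ sudo grep 'GRUB_CMDLINE_LINUX.*spectre_v2=on.*' /etc/default/grub.Moreover, command line parameters ..." runs the command and the next sentence together, so a reader copying the line gets a non-existent file name; the same run-on appears in the audit=1 variant, and both need a line break after /etc/default/grub.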
@@ -371072,1552 +371755,1572 @@ $ sudo auditctl -l | grep shutdown Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the audit package is installed: $ rpm -q audit - Is it the case that the audit package is not installed? + + To determine if the system is configured to audit unsuccessful calls +to the removexattr system call, run the following command: +$ sudo grep "removexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - -Run the following command to determine if the tor_can_network_relay SELinux boolean is disabled: -$ getsebool tor_can_network_relay -If properly configured, the output should show the following: -tor_can_network_relay --> off - Is it the case that tor_can_network_relay is not disabled? + + To determine whether yum has been configured to disable +gpgcheck for any repos, inspect all files in +/etc/yum.repos.d and ensure the following does not appear in any +sections: +gpgcheck=0 +A value of 0 indicates that gpgcheck has been disabled for that repo. + Is it the case that GPG checking is disabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: - -$ sudo auditctl -l | grep mount - --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine if the libcap-ng-utils package is installed: $ rpm -q libcap-ng-utils + Is it the case that the package is not installed? - - To determine how the SSH daemon's Banner option is set, run the following command: - -$ sudo grep -i Banner /etc/ssh/sshd_config - -If a line indicating /etc/issue is returned, then the required value is set. 
+ + To determine if the system is configured to audit calls to the +lremovexattr system call, run the following command: +$ sudo grep "lremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the required value is not set? + Is it the case that no line is returned? - - Run the following command to see if there are some keytabs -that would potentially allow the use of Kerberos by system daemons. -$ ls -la /etc/*.keytab -The expected result is -ls: cannot access '/etc/*.keytab': No such file or directory - Is it the case that a keytab file is present on the system? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To verify all accounts have unique names, run the following command: -$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d -No output should be returned. - Is it the case that a line is returned? - - - - To determine if NOPASSWD has been configured for the vdsm user for sudo, -run the following command: -$ sudo grep -ri nopasswd /etc/sudoers.d/ -The command should return output only for the vdsm user. - Is it the case that nopasswd is set for any users beyond vdsm? - - - - To check that the atd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled atd -Output should indicate the atd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled atd disabled - -Run the following command to verify atd is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active atd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the atd is masked, run the following command: -$ sudo systemctl show atd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + The runtime status of the net.ipv4.ip_local_port_range kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.ip_local_port_range +32768 65535. -UnitFileState=masked - Is it the case that the "atd" is loaded and not masked? + Is it the case that the correct value is not returned? - - Verify that a separate file system/partition has been created for /usr with the following command: + + Run the following command to check for duplicate group names: +Check that the operating system contains no duplicate group names for interactive users by running the following command: -$ mountpoint /usr + cut -d : -f 1 /etc/group | uniq -d - Is it the case that "/usr is not a mountpoint" is returned? - - - - -Run the following command to determine if the user_exec_content SELinux boolean is enabled: -$ getsebool user_exec_content -If properly configured, the output should show the following: -user_exec_content --> on - Is it the case that user_exec_content is not enabled? +If output is produced, this is a finding. +Configure the operating system to contain no duplicate names for groups. +Edit the file "/etc/group" and provide each group that has a duplicate group name with a unique group name. + Is it the case that has duplicate group names? - - Run the following command to determine if the dnf-plugin-subscription-manager package is installed: $ rpm -q dnf-plugin-subscription-manager - Is it the case that the package is not installed? 
+ + To determine if the system is configured to audit successful calls +to the setxattr system call, run the following command: +$ sudo grep "setxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - -Run the following command to determine if the virt_sandbox_use_sys_admin SELinux boolean is disabled: -$ getsebool virt_sandbox_use_sys_admin -If properly configured, the output should show the following: -virt_sandbox_use_sys_admin --> off - Is it the case that virt_sandbox_use_sys_admin is not disabled? + + To verify that CUPS printer browsing is disabled, run the following command: +$ sudo grep "Browsing\|BrowseAllow" /etc/cups/cupsd.conf +The output should return the following: +Browsing Off +BrowseAllow none + Is it the case that printer browsing is not disabled? - - To verify that rsyslog's Forwarding Output Module has CA certificate -configured for its TLS connections to remote server, run the following command: -$ grep DefaultNetstreamDriverCAFile /etc/rsyslog.conf /etc/rsyslog.d/*.conf -The output should include record similar to -global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem") -where the path to the CA file (/etc/pki/tls/cert.pem in case above) must point to the correct CA certificate. - Is it the case that CA certificate for rsyslog remote logging via TLS is not set? + + To verify the openldap-servers package is not installed, run the +following command: +$ rpm -q openldap-servers +The output should show the following: +package openldap-servers is not installed + Is it the case that it does not? 
- - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules -The output has to be exactly as follows: -## Successful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create - Is it the case that the file does not exist or the content differs? + + Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command: + +$ grep -i process /etc/systemd/coredump.conf + +ProcessSizeMax=0 + Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? - - To verify the INACTIVE setting, run the following command: -$ grep "INACTIVE" /etc/default/useradd -The output should indicate the INACTIVE configuration option is set -to an appropriate integer as shown in the example below: -$ grep "INACTIVE" /etc/default/useradd -INACTIVE= - Is it the case that the value of INACTIVE is greater than the expected value or is -1? 
+ + Run the following command to determine if the rsyslog-gnutls package is installed: +$ rpm -q rsyslog-gnutls + Is it the case that the package is installed? - - To ensure LDAP is configured to use TLS for all transactions, run the following command: -$ grep start_tls /etc/pam_ldap.conf -The result should contain: -ssl start_tls - Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? + + To check the group ownership of /etc/ssh/sshd_config, +run the command: +$ ls -lL /etc/ssh/sshd_config +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/ssh/sshd_config does not have a group owner of root? - - Run the following command to determine if the iptables package is installed: $ rpm -q iptables - Is it the case that the package is not installed? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_X86_VSYSCALL_EMULATION /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - To ensure the login screen resets after a specified number of failures, -run the following command: -$ grep allowed-failures /etc/dconf/db/gdm.d/* -The output should be 3 or less. -To ensure that users cannot change or configure the resets after a specified -number of failures on the login screen, run the following: -$ grep allowed-failures /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/allowed-failures - Is it the case that allowed-failures is not equal to or less than the expected value? + + Make sure that the kernel is not disabling SMEP with the following +commands. +grep -q nosmep /boot/config-`uname -r` +If the command returns a line, it means that SMEP is being disabled. + Is it the case that the kernel is configured to disable SMEP? 
- - For each private key stored on the system, use the following command: -$ sudo ssh-keygen -y -f /path/to/file -If the contents of the key are displayed, this is a finding. - Is it the case that no ssh private key is accessible without a passcode? + + To check the permissions of /etc/passwd-, +run the command: +$ ls -l /etc/passwd- +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/passwd- does not have unix mode -rw-r--r--? - - -Run the following command to determine if the cron_userdomain_transition SELinux boolean is enabled: -$ getsebool cron_userdomain_transition -If properly configured, the output should show the following: -cron_userdomain_transition --> on - Is it the case that cron_userdomain_transition is not enabled? + + To obtain a list of all users and the content of their shadow password field, run the command: +$ sudo readarray -t systemaccounts +Verify if all accounts are locked. + Is it the case that system accounts are not locked? - - -To check that the rlogin service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig rlogin --list -Output should indicate the rlogin service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig rlogin --list + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. -Note: This output shows SysV services only and does not include native -systemd services. SysV configuration data might be overridden by native -systemd configuration. +Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: -If you want to list systemd services use 'systemctl list-unit-files'. -To see services enabled on particular target use -'systemctl list-dependencies [target]'. 
+$ sudo grep disk_error_action /etc/audit/auditd.conf -rlogin off +disk_error_action = -To check that the rlogin socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled rlogin -Output should indicate the rlogin socket has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rlogindisabled +If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. + Is it the case that there is no evidence of appropriate action? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -Run the following command to verify rlogin is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rlogin +$ sudo auditctl -l | grep pam_timestamp_check -If the socket is not running the command will return the following output: -inactive +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check + Is it the case that the command does not return a line, or the line is commented out? + + + + Run the following command to determine if the httpd package is installed: +$ rpm -q httpd + Is it the case that the package is installed? + + + + Verify the noexec option is configured for the /dev/shm mount point, + run the following command: + $ sudo mount | grep '\s/dev/shm\s' + . . . /dev/shm . . . noexec . . . -The socket will also be masked, to check that the rlogin is masked, run the following command: -$ sudo systemctl show rlogin | grep "LoadState\|UnitFileState" + Is it the case that the "/dev/shm" file system does not have the "noexec" option set? 
+ + + + To verify that smart cards are enabled in SSSD, run the following command: +$ sudo grep pam_cert_auth /etc/sssd/sssd.conf +If configured properly, output should be +pam_cert_auth = True -If the socket is masked the command will return the following outputs: -LoadState=masked +To verify that smart cards are enabled in PAM files, run the following command: +$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth +If configured properly, output should be -UnitFileState=masked - Is it the case that service and/or socket are running? +/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name +/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth + + Is it the case that smart cards are not enabled in SSSD? - - -Run the following command to determine if the httpd_verify_dns SELinux boolean is disabled: -$ getsebool httpd_verify_dns -If properly configured, the output should show the following: -httpd_verify_dns --> off - Is it the case that httpd_verify_dns is not disabled? + + Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot. +Run the following command: + +$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub + Is it the case that GRUB_DISABLE_RECOVERY is not set to true or is missing? - - -Run the following command to determine if the authlogin_nsswitch_use_ldap SELinux boolean is disabled: -$ getsebool authlogin_nsswitch_use_ldap -If properly configured, the output should show the following: -authlogin_nsswitch_use_ldap --> off - Is it the case that authlogin_nsswitch_use_ldap is not disabled? + + Run the following command to see if there are some keytabs +that would potentially allow the use of Kerberos by system daemons. 
+$ ls -la /etc/*.keytab +The expected result is +ls: cannot access '/etc/*.keytab': No such file or directory + Is it the case that a keytab file is present on the system? - - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine whether sudo command includes configuration files from the appropriate directory, +run the following command: +$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d +If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. +Any other line returned is a finding. + Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?? + + + + The runtime status of the kernel.kptr_restrict kernel parameter can be queried +by running the following command: +$ sysctl kernel.kptr_restrict +The output of the command should indicate either: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 +The output of the command should not indicate: +kernel.kptr_restrict = 0 - Is it the case that no line is returned? +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d +The command should not find any assignments other than: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 + +Conflicting assignments are not allowed. + Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? 
- + -Run the following command to determine if the xend_run_blktap SELinux boolean is enabled: -$ getsebool xend_run_blktap +Run the following command to determine if the tftp_home_dir SELinux boolean is disabled: +$ getsebool tftp_home_dir If properly configured, the output should show the following: -xend_run_blktap --> on - Is it the case that xend_run_blktap is not enabled? +tftp_home_dir --> off + Is it the case that tftp_home_dir is not disabled? - - Run the following command to determine if the xinetd package is installed: -$ rpm -q xinetd - Is it the case that the package is installed? + + To determine if the system is configured to audit changes to its SELinux +configuration files, run the following command: +$ sudo auditctl -l | grep "dir=/usr/share/selinux" +If the system is configured to watch for changes to its SELinux +configuration, a line should be returned (including +perm=wa indicating permissions that are watched). + Is it the case that the system is not configured to audit attempts to change the MAC policy? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. + + Storing logs remotely protects the integrity of the data from local attacks. +Run the following command to verify that journald is forwarding logs to a remote host. -Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: +grep "^\sForwardToSyslog" /etc/systemd/journald.conf -$ sudo grep disk_error_action /etc/audit/auditd.conf +and it should return -disk_error_action = HALT +ForwardToSyslog=yes -If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. - Is it the case that there is no evidence of appropriate action? 
- - - - To verify that Audit Daemon is configured to record the computer node -name in the audit events, run the following command: -$ sudo grep name_format /etc/audit/auditd.conf -The output should return the following: -name_format = - Is it the case that name_format isn't set to <sub idref="var_auditd_name_format" />? + Is it the case that is commented out or not configured correctly? - - Run the following command to determine if the vim-enhanced package is installed: $ rpm -q vim-enhanced - Is it the case that the package is not installed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + +$ sudo auditctl -l | grep setfiles + +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the rsync_anon_write SELinux boolean is disabled: -$ getsebool rsync_anon_write -If properly configured, the output should show the following: -rsync_anon_write --> off - Is it the case that rsync_anon_write is not disabled? + + To verify .netrc file in interactive user home directory is +not group or world accessible", run the following command: +$ sudo ls -lLR /home/USER/.netrc + Is it the case that the group and world permissions are incorrect? - - The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.forwarding -0. -The ability to forward packets is only appropriate for routers. - Is it the case that IP forwarding value is "1" and the system is not router? 
+ + To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command: +grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf +The output should return the following: + +[xdmcp] +Enable=false + + Is it the case that the Enable is not set to false or is missing in the xdmcp section of the /etc/gdm/custom.conf gdm configuration file? - - To determine if the system is configured to audit calls to the -mount system call, run the following command: -$ sudo grep "mount" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To check that the oddjobd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled oddjobd +Output should indicate the oddjobd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled oddjobd disabled - Is it the case that no line is returned? +Run the following command to verify oddjobd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active oddjobd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the oddjobd is masked, run the following command: +$ sudo systemctl show oddjobd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "oddjobd" is loaded and not masked? - + -Run the following command to determine if the ftpd_use_passive_mode SELinux boolean is disabled: -$ getsebool ftpd_use_passive_mode +Run the following command to determine if the selinuxuser_execstack SELinux boolean is disabled: +$ getsebool selinuxuser_execstack If properly configured, the output should show the following: -ftpd_use_passive_mode --> off - Is it the case that ftpd_use_passive_mode is not disabled? 
+selinuxuser_execstack --> off + Is it the case that selinuxuser_execstack is not disabled? - - To verify that the installed operating system is supported, run -the following command: + + Verify users are provided with feedback on when account accesses last occurred with the following command: -$ grep -i "red hat" /etc/redhat-release +$ sudo grep pam_lastlog /etc/pam.d/postlogin -Red Hat Enterprise Linux 8 - Is it the case that the installed operating system is not supported? +session [default=1] pam_lastlog.so showfailed + Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file? - - -Run the following command to determine if the kdumpgui_run_bootloader SELinux boolean is disabled: -$ getsebool kdumpgui_run_bootloader -If properly configured, the output should show the following: -kdumpgui_run_bootloader --> off - Is it the case that kdumpgui_run_bootloader is not disabled? + + The existence of the file /etc/hosts.equiv or a file named +.rhosts inside a user home directory indicates the presence +of an Rsh trust relationship. + Is it the case that these files exist? - - Run the following command to determine if the McAfeeTP package is installed: $ rpm -q McAfeeTP - Is it the case that the package is not installed? + + +Run the following command to get the current configured value for deny_execmem +SELinux boolean: +$ getsebool deny_execmem +The expected cofiguration is . +"on" means true, and "off" means false + Is it the case that deny_execmem is not set as expected? - - -Run the following command to determine if the secure_mode_policyload SELinux boolean is disabled: -$ getsebool secure_mode_policyload -If properly configured, the output should show the following: -secure_mode_policyload --> off - Is it the case that secure_mode_policyload is not disabled? 
+ + To determine if use_pty has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that use_pty is not enabled in sudo? - - -Run the following command to determine if the samba_domain_controller SELinux boolean is disabled: -$ getsebool samba_domain_controller -If properly configured, the output should show the following: -samba_domain_controller --> off - Is it the case that samba_domain_controller is not disabled? + + The runtime status of the net.ipv4.conf.all.route_localnet kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.route_localnet +0. + + Is it the case that the correct value is not returned? - - -Run the following command to determine if the squid_connect_any SELinux boolean is disabled: -$ getsebool squid_connect_any -If properly configured, the output should show the following: -squid_connect_any --> off - Is it the case that squid_connect_any is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SLAB_FREELIST_HARDENED /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the fips_mode SELinux boolean is enabled: -$ getsebool fips_mode +Run the following command to determine if the selinuxuser_mysql_connect_enabled SELinux boolean is disabled: +$ getsebool selinuxuser_mysql_connect_enabled If properly configured, the output should show the following: -fips_mode --> on - Is it the case that fips_mode is not enabled? - - - - To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. 
- - Is it the case that no line is returned? +selinuxuser_mysql_connect_enabled --> off + Is it the case that selinuxuser_mysql_connect_enabled is not disabled? - - Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: - -$ grep maxrepeat /etc/security/pwquality.conf - -maxrepeat = - Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out? + + The group-owner of all log files written by rsyslog should be +root. +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +To see the group-owner of a given log file, run the following command: +$ ls -l LOGFILE + Is it the case that the group-owner is not correct? - - The runtime status of the net.ipv4.conf.all.shared_media kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.shared_media -0. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the cvs_read_shadow SELinux boolean is disabled: +$ getsebool cvs_read_shadow +If properly configured, the output should show the following: +cvs_read_shadow --> off + Is it the case that cvs_read_shadow is not disabled? - - To check the ownership of /etc/cron.hourly, -run the command: -$ ls -lL /etc/cron.hourly -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.hourly does not have an owner of root? + + To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run: +$ sudo grep +'+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' +/etc/crypto-policies/back-ends/gnutls.config and verify that a match exists. + Is it the case that cryptographic policy for gnutls is not configured or is configured incorrectly? 
- - To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation -uses a SP800-90A compliant entropy source, -make sure that the /etc/profile.d/openssl-rand.sh file contents exactly match those -that are included in the rule's description. - Is it the case that there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_ACPI_CUSTOM_METHOD /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Configure the public web server to not have a trusted relationship with -any system resources that is also not accessible to the public. Web -content is not to be shared via Microsoft shares or NFS mounts. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. -Determine whether the public web server has a two-way trust relationship -with any private asset located within the network. Private web server -resources (e.g. drives, folders, printers, etc.) will not be directly -mapped to or shared with public web servers. - Is it the case that sharing is selected for any web folder, this is a finding. +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -If private resources (e.g. drives, partitions, folders/directories, -printers, etc.) are sharedw ith the public web server? - - - - Run the following command to determine if the python3-abrt-addon package is installed: -$ rpm -q python3-abrt-addon - Is it the case that the package is installed? 
- - - - To verify that rsyslog's Forwarding Output Module is configured -to use TLS for logging to remote server, run the following command: -$ grep omfwd /etc/rsyslog.conf /etc/rsyslog.d/*.conf -The output should include record similar to -action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" - StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on") +$ sudo grep -r openat /etc/audit/rules.d -where the <remote system> present in the configuration line above must be a valid IP address or a host name of the remote logging server. - Is it the case that omfwd is not configured with gtls and AuthMode? +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep openat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - To check the group ownership of /etc/shadow-, + + To check the permissions of /etc/group, run the command: -$ ls -lL /etc/shadow- -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/shadow- does not have a group owner of root? +$ ls -l /etc/group +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/group does not have unix mode -rw-r--r--? 
- - To determine if the system is configured to audit successful calls -to the unlinkat system call, run the following command: -$ sudo grep "unlinkat" /etc/audit.* + + To determine if the system is configured to audit unsuccessful calls +to the fsetxattr system call, run the following command: +$ sudo grep "fsetxattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server - Is it the case that the package is not installed? - - - - To verify that McAfee VirusScan Enterprise for Linux is installed -and running, run the following command(s): -$ sudo systemctl status nails -$ rpm -q McAfeeVSEForLinux - Is it the case that virus scanning software is not installed or running? - - - - -Run the following command to determine if the openvpn_enable_homedirs SELinux boolean is disabled: -$ getsebool openvpn_enable_homedirs -If properly configured, the output should show the following: -openvpn_enable_homedirs --> off - Is it the case that openvpn_enable_homedirs is not disabled? + + Run the following command to determine if the setroubleshoot-plugins package is installed: +$ rpm -q setroubleshoot-plugins + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 limits the number of concurrent sessions to -"" for all -accounts and/or account types with the following command: -$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf -/etc/security/limits.conf:* hard maxlogins 10 -This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. 
- Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater -than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and -is not documented with the Information System Security Officer (ISSO) as an -operational requirement for all domains that have the "maxlogins" item -assigned'? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_HARDENED_USERCOPY /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To ensure the default password is not set, run the following command: -$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' -There should be no output. - Is it the case that the default SNMP passwords public and private have not been changed or removed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + +$ sudo auditctl -l | grep setfacl + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + Is it the case that the command does not return a line, or the line is commented out? - - To verify the boot loader superuser account has been set, run the following -command: -sudo grep -A1 "superusers" /boot/grub2/grub.cfg -The output should show the following: -set superusers="superusers-account" -export superusers -where superusers-account is the actual account name different from common names like root, -admin, or administrator and different from any other existing user name. - Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name? 
+ + +Run the following command to determine if the httpd_run_ipa SELinux boolean is disabled: +$ getsebool httpd_run_ipa +If properly configured, the output should show the following: +httpd_run_ipa --> off + Is it the case that httpd_run_ipa is not disabled? - - To verify that Audit Daemon is configured to write logs to the disk, run the -following command: -$ sudo grep write_logs /etc/audit/auditd.conf -The output should return the following: -write_logs = yes - Is it the case that write_logs isn't set to yes? + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling autorun-never +If properly configured, the output for autorun-nevershould be true. +To ensure that users cannot enable autorun in GNOME3, run the following: +$ grep 'autorun-never' /etc/dconf/db/local.d/locks/* +If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never + Is it the case that GNOME autorun is not disabled? - - To ensure that users cannot change session idle and lock settings, run the following: -$ grep 'idle-delay' /etc/dconf/db/local.d/locks/* -If properly configured, the output should return: -/org/gnome/desktop/session/idle-delay - Is it the case that idle-delay is not locked? + + Run the following command to determine if the pigz package is installed: +$ rpm -q pigz + Is it the case that the package is installed? - - Run the following command to check for duplicate group names: -Check that the operating system contains no duplicate group names for interactive users by running the following command: - - cut -d : -f 3 /etc/group | uniq -d - -If output is produced, this is a finding. -Configure the operating system to contain no duplicate names for groups. -Edit the file "/etc/group" and provide each group that has a duplicate group id with a unique group id. - Is it the case that the system has duplicate group ids? 
+ + To verify the number of rounds for the password hashing algorithm is configured, run the following command: +$ sudo grep rounds /etc/pam.d/system-auth +The output should show the following match: +password sufficient pam_unix.so sha512 rounds= + Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? - - The runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra_defrtr -0. + + Query the SA and the Web Manager to determine if a compiler is present on +the server. + Is it the case that the web server is part of an application suite and a comiler is needed +for installation, patching, and upgrading of the suite or if the compiler +is embedded and can't be removed without breaking the suite, document the +installation of the compiler with the ISSO/ISSM and verify that the compiler +is restricted to administrative users only. If documented and restricted to +administrative users, this is not a finding. - Is it the case that the correct value is not returned? +If an undocumented compiler is present, and available to non-administrative +users? - + -Run the following command to determine if the selinuxuser_postgresql_connect_enabled SELinux boolean is disabled: -$ getsebool selinuxuser_postgresql_connect_enabled +Run the following command to determine if the git_system_enable_homedirs SELinux boolean is disabled: +$ getsebool git_system_enable_homedirs If properly configured, the output should show the following: -selinuxuser_postgresql_connect_enabled --> off - Is it the case that selinuxuser_postgresql_connect_enabled is not disabled? +git_system_enable_homedirs --> off + Is it the case that git_system_enable_homedirs is not disabled? 
- - Run the following command to check for duplicate group names: -Check that the operating system contains no duplicate group names for interactive users by running the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: - cut -d : -f 1 /etc/group | uniq -d +$ sudo auditctl -l | grep /var/log/lastlog -If output is produced, this is a finding. -Configure the operating system to contain no duplicate names for groups. -Edit the file "/etc/group" and provide each group that has a duplicate group name with a unique group name. - Is it the case that has duplicate group names? - - - - To verify that the interface(s) follow site policy for zone assignment run the -following command: -$ sudo nmcli -t connection show | awk -F: '{if($4){print $4}}' | while read INT; -do firewall-cmd --get-active-zones | grep -B1 $INT; done -If your have to assign an interface to the appropriate zone run the following command: -$ sudo firewall-cmd --zone= --change-interface= - Is it the case that Your system accepts all incoming packets for unnecessary services and ports? +-w /var/log/lastlog -p wa -k logins + Is it the case that the command does not return a line, or the line is commented out? - - To determine if the system is configured to audit changes to its SELinux -configuration files, run the following command: -$ sudo auditctl -l | grep "dir=/etc/selinux" -If the system is configured to watch for changes to its SELinux -configuration, a line should be returned (including -perm=wa indicating permissions that are watched). - Is it the case that the system is not configured to audit attempts to change the MAC policy? + + Verify that a separate file system/partition has been created for /var/log with the following command: + +$ mountpoint /var/log + + Is it the case that "/var/log is not a mountpoint" is returned? 
- - To check that page poisoning is enabled at boot time, check all boot entries with following command: -sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. - Is it the case that page allocator poisoning is not enabled? + + Run the following command to determine if the cups package is installed: +$ rpm -q cups + Is it the case that the package is installed? - - To check if RekeyLimit is set correctly, run the -following command: - -$ sudo grep RekeyLimit /etc/ssh/sshd_config - -If configured properly, output should be -RekeyLimit - Is it the case that it is commented out or is not set? + + To verify that Samba clients using mount.cifs must use packet signing, run the following command: +$ grep sec /etc/fstab +The output should show either krb5i or ntlmv2i in use. + Is it the case that it does not? - - Inspect the mounts configured in /etc/exports. Each mount should specify a value -greater than UID_MAX and GID_MAX as defined in /etc/login.defs. - Is it the case that anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)? + + Run the following command to see what the max sessions number is: +$ sudo grep MaxSessions /etc/ssh/sshd_config +If properly configured, the output should be: +MaxSessions + Is it the case that MaxSessions is not configured or not configured correctly? - - To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open system call with O_CREAT flag. -$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -If a line indicating no is returned, then the required value is set. 
+$ sudo grep -r open /etc/audit/rules.d - Is it the case that the required value is not set? - - - - -Run the following command to determine if the ksmtuned_use_nfs SELinux boolean is disabled: -$ getsebool ksmtuned_use_nfs -If properly configured, the output should show the following: -ksmtuned_use_nfs --> off - Is it the case that ksmtuned_use_nfs is not disabled? - - - - -Run the following command to determine if the xguest_connect_network SELinux boolean is disabled: -$ getsebool xguest_connect_network -If properly configured, the output should show the following: -xguest_connect_network --> off - Is it the case that xguest_connect_network is not disabled? - - - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo grep open /etc/audit/audit.rules --w /etc/security/opasswd -p wa -k identity +The output should be the following: + +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a line, or the line is commented out? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_RETPOLINE /boot/config.* + $ grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config.* For each kernel installed, a line with value "y" should be returned. 
Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the webadm_manage_user_files SELinux boolean is disabled: -$ getsebool webadm_manage_user_files -If properly configured, the output should show the following: -webadm_manage_user_files --> off - Is it the case that webadm_manage_user_files is not disabled? +To ensure the login warning banner text is properly set, run the following: +$ grep banner-message-text /etc/dconf/db/gdm.d/* +If properly configured, the proper banner text will appear. +To ensure the login warning banner text is locked and cannot be changed by a user, run the following: +$ grep banner-message-text /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/banner-message-text. + Is it the case that it does not? - - -Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. - -Check the hashing algorithm that is being used to hash passwords with the following command: + + To verify that auditing of privileged command use is configured, run the following command +to search privileged commands in relevant partitions and check if they are covered by auditd +rules: -$ sudo grep -i ENCRYPT_METHOD /etc/login.defs +FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) +PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }') +for PARTITION in $PARTITIONS; do + for PRIV_CMD in $(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null); do + grep -qr "${PRIV_CMD}" /etc/audit/rules.d /etc/audit/audit.rules && + printf "OK: ${PRIV_CMD}\n" || printf "WARNING - rule not found for: ${PRIV_CMD}\n" + done +done -ENCRYPT_METHOD - Is it the case that ENCRYPT_METHOD is not set to <sub idref="var_password_hashing_algorithm" />? +The output should not contain any WARNING. 
+ Is it the case that any setuid or setgid programs doesn't have a line in the audit rules? - + -Run the following command to determine if the mcelog_client SELinux boolean is disabled: -$ getsebool mcelog_client +Run the following command to determine if the daemons_use_tty SELinux boolean is disabled: +$ getsebool daemons_use_tty If properly configured, the output should show the following: -mcelog_client --> off - Is it the case that mcelog_client is not disabled? +daemons_use_tty --> off + Is it the case that daemons_use_tty is not disabled? - - -Run the following command to determine if the virt_use_rawip SELinux boolean is disabled: -$ getsebool virt_use_rawip -If properly configured, the output should show the following: -virt_use_rawip --> off - Is it the case that virt_use_rawip is not disabled? + + To check the ownership of /etc/crontab, +run the command: +$ ls -lL /etc/crontab +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/crontab does not have an owner of root? - - Run the following command to determine if the sssd package is installed: $ rpm -q sssd + + Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins Is it the case that the package is not installed? - + -Run the following command to determine if the nagios_run_sudo SELinux boolean is disabled: -$ getsebool nagios_run_sudo +Run the following command to determine if the mcelog_server SELinux boolean is disabled: +$ getsebool mcelog_server If properly configured, the output should show the following: -nagios_run_sudo --> off - Is it the case that nagios_run_sudo is not disabled? +mcelog_server --> off + Is it the case that mcelog_server is not disabled? - - Verify that there are no shosts.equiv files on the system, run the following command: -$ find / -name shosts.equiv - Is it the case that shosts.equiv files exist? 
+ + Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: + +$ sudo grep "umask" /etc/bashrc + +umask + Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? - - -Run the following command to determine if the mozilla_plugin_can_network_connect SELinux boolean is disabled: -$ getsebool mozilla_plugin_can_network_connect -If properly configured, the output should show the following: -mozilla_plugin_can_network_connect --> off - Is it the case that mozilla_plugin_can_network_connect is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PANIC_TIMEOUT /boot/config.* + + For each kernel installed, a line with value "" should be returned. + + Is it the case that the kernel was not built with the required value? - - -To check that the rexec service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig rexec --list -Output should indicate the rexec service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig rexec --list - -Note: This output shows SysV services only and does not include native -systemd services. SysV configuration data might be overridden by native -systemd configuration. - -If you want to list systemd services use 'systemctl list-unit-files'. -To see services enabled on particular target use -'systemctl list-dependencies [target]'. 
- -rexec off - -To check that the rexec socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled rexec -Output should indicate the rexec socket has either not been installed, + + To check that the squid service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled squid +Output should indicate the squid service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rexecdisabled +$ sudo systemctl is-enabled squid disabled -Run the following command to verify rexec is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rexec +Run the following command to verify squid is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active squid -If the socket is not running the command will return the following output: +If the service is not running the command will return the following output: inactive -The socket will also be masked, to check that the rexec is masked, run the following command: -$ sudo systemctl show rexec | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the squid is masked, run the following command: +$ sudo systemctl show squid | grep "LoadState\|UnitFileState" -If the socket is masked the command will return the following outputs: +If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that service and/or socket are running? + Is it the case that the "squid" is loaded and not masked? - - -Run the following command to determine if the xserver_object_manager SELinux boolean is disabled: -$ getsebool xserver_object_manager -If properly configured, the output should show the following: -xserver_object_manager --> off - Is it the case that xserver_object_manager is not disabled? 
+ + Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: + +$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should be +$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name + Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? - - Inspect /proc/cmdline for any instances of selinux=0 -in the kernel boot arguments. Presence of selinux=0 indicates -that SELinux is disabled at boot time. + + Verify the noexec option is configured for the /var/log mount point, + run the following command: + $ sudo mount | grep '\s/var/log\s' + . . . /var/log . . . noexec . . . -If it would be disabled anywhere, make sure to enable it via a -MachineConfig object. - Is it the case that SELinux is disabled at boot time? + Is it the case that the "/var/log" file system does not have the "noexec" option set? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r truncate /etc/audit/rules.d + + Verify that Red Hat Enterprise Linux 8 enforces a minimum -character password length with the following command: -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +$ grep minlen /etc/security/pwquality.conf -$ sudo grep truncate /etc/audit/audit.rules +minlen = + Is it the case that the command does not return a "minlen" value of "<sub idref="var_password_pam_minlen" />" or greater, does not return a line, or the line is commented out? 
+ + + + +Run the following command to determine if the puppetagent_manage_all_files SELinux boolean is disabled: +$ getsebool puppetagent_manage_all_files +If properly configured, the output should show the following: +puppetagent_manage_all_files --> off + Is it the case that puppetagent_manage_all_files is not disabled? + + + + The runtime status of the net.ipv4.ip_forward kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.ip_forward +0. +The ability to forward packets is only appropriate for routers. + Is it the case that the correct value is not returned? + + + + Run the following command to ensure the default FORWARD policy is DROP: +grep ":FORWARD" /etc/sysconfig/iptables +The output should be similar to the following: +$ sudo grep ":FORWARD" /etc/sysconfig/iptables +:FORWARD DROP [0:0 + Is it the case that the default policy for the FORWARD chain is not set to DROP? + + + + Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: -The output should be the following: +$ sudo grep pam_faillock.so /etc/pam.d/password-auth --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.so + Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so? 
- - To verify that BIND uses the system crypto policy, check out that the BIND config file -/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config"; -directive: -$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf -Verify that the directive is at the bottom of the options section of the config file. - Is it the case that BIND is installed and the BIND config file doesn't contain the -<pre>include "/etc/crypto-policies/back-ends/bind.config";</pre> directive? + + The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.icmp_ignore_bogus_error_responses +1. + + Is it the case that the correct value is not returned? - + -Run the following command to determine if the collectd_tcp_network_connect SELinux boolean is disabled: -$ getsebool collectd_tcp_network_connect +Run the following command to determine if the rsync_full_access SELinux boolean is disabled: +$ getsebool rsync_full_access If properly configured, the output should show the following: -collectd_tcp_network_connect --> off - Is it the case that collectd_tcp_network_connect is not disabled? +rsync_full_access --> off + Is it the case that rsync_full_access is not disabled? - - To check the group ownership of /etc/cron.allow, + + To check the ownership of /boot/grub2/user.cfg, run the command: -$ ls -lL /etc/cron.allow -If properly configured, the output should indicate the following group-owner: +$ ls -lL /boot/grub2/user.cfg +If properly configured, the output should indicate the following owner: root - Is it the case that /etc/cron.allow does not have a group owner of root? + Is it the case that /boot/grub2/user.cfg does not have an owner of root? 
- - -Run the following command to determine if the glance_api_can_network SELinux boolean is disabled: -$ getsebool glance_api_can_network -If properly configured, the output should show the following: -glance_api_can_network --> off - Is it the case that glance_api_can_network is not disabled? + + To check that the ypbind service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled ypbind +Output should indicate the ypbind service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled ypbind disabled + +Run the following command to verify ypbind is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active ypbind + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the ypbind is masked, run the following command: +$ sudo systemctl show ypbind | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "ypbind" is loaded and not masked? - - The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried + + Storing logs with compression can help avoid filling the system disk. +Run the following command to verify that journald is compressing logs. + +grep "^\sCompress" /etc/systemd/journald.conf + +and it should return + +Compress=yes + + Is it the case that is commented out or not configured correctly? + + + + The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.default.accept_redirects +$ sysctl net.ipv4.conf.all.accept_source_route 0. Is it the case that the correct value is not returned? 
- - Verify that core dumps are disabled for all users, run the following command: -$ grep core /etc/security/limits.conf -* hard core 0 - Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"? + + To determine if the system is configured to audit calls to the +lchown system call, run the following command: +$ sudo grep "lchown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Run the following command to determine if the vsftpd package is installed: -$ rpm -q vsftpd - Is it the case that the package is installed? + + The rsh package can be removed with the following command: $ sudo yum erase rsh + Is it the case that ? - - Run the following command and verify that time sources are only configured with server directive: -# grep -E "^(server|pool)" /etc/chrony.conf -A line with the appropriate server should be returned, any line returned starting with pool is a finding. - Is it the case that an authoritative remote time server is not configured or configured with pool directive? + + The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_source_route +0. + + Is it the case that the correct value is not returned? - - To verify that auditing of privileged command use is configured, run the -following command: -$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/* -It should return a relevant line in the audit rules. - Is it the case that the command does not return a line, or the line is commented out? 
+ + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to synchronize audit event data +with the log files on the disk: +$ sudo grep flush /etc/audit/auditd.conf +flush = DATA +Acceptable values are DATA, and SYNC. The setting is +case-insensitive. + Is it the case that auditd is not configured to synchronously write audit event data to disk? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes l1tf=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*l1tf=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*l1tf=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'l1tf=' -The command should not return any output. - Is it the case that l1tf mitigations are not configured appropriately? + + +Run the following command to determine if the tor_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool tor_bind_all_unreserved_ports +If properly configured, the output should show the following: +tor_bind_all_unreserved_ports --> off + Is it the case that tor_bind_all_unreserved_ports is not disabled? - + + If FTP services are not installed, this is not applicable. + +To verify this configuration, run the following command: + +grep "banner_file" /etc/vsftpd/vsftpd.conf + + +The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: + +$ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf + +banner_file=/etc/issue + Is it the case that it does not? 
+ + + + Run the following command: +# grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf +Verify the output matches: +$FileCreateMode 0640 +Should a site policy dictate less restrictive permissions, ensure to follow +said policy. + Is it the case that $FileCreateMode is not set or is more permissive than 0640? + + + -Run the following command to determine if the xdm_sysadm_login SELinux boolean is disabled: -$ getsebool xdm_sysadm_login +Run the following command to determine if the ftpd_use_fusefs SELinux boolean is disabled: +$ getsebool ftpd_use_fusefs If properly configured, the output should show the following: -xdm_sysadm_login --> off - Is it the case that xdm_sysadm_login is not disabled? +ftpd_use_fusefs --> off + Is it the case that ftpd_use_fusefs is not disabled? - + - -Run the following command to determine the current status of the -postfix service: -$ sudo systemctl is-active postfix -If the service is running, it should return the following: active - Is it the case that the system is not a cross domain solution and the service is not enabled? +Run the following command to determine if the logrotate_use_nfs SELinux boolean is disabled: +$ getsebool logrotate_use_nfs +If properly configured, the output should show the following: +logrotate_use_nfs --> off + Is it the case that logrotate_use_nfs is not disabled? - - To determine if arguments that commands can be executed with are restricted, run the following command: -$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that /etc/sudoers file contains user specifications that allow execution of commands with any arguments? + + To determine if the system is configured to make login UIDs immutable, run +one of the following commands. 
+If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), run the following: +sudo grep immutable /etc/audit/rules.d/*.rules +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, run the following command: +sudo grep immutable /etc/audit/audit.rules +The following line should be returned: +--loginuid-immutable + Is it the case that the system is not configured to make login UIDs immutable? - - To check the permissions of /etc/shadow-, -run the command: -$ ls -l /etc/shadow- -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/shadow- does not have unix mode ----------? + + Run the following command to determine if the aide package is installed: $ rpm -q aide + Is it the case that the package is not installed? - - To check the permissions of /etc/cron.weekly, + + To check the ownership of /etc/passwd, run the command: -$ ls -l /etc/cron.weekly -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.weekly does not have unix mode -rwx------? +$ ls -lL /etc/passwd +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/passwd does not have an owner of root? - + -If the system is configured to prevent the loading of the firewire-core kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword. 
+Run the following command to determine if the openvpn_can_network_connect SELinux boolean is disabled: +$ getsebool openvpn_can_network_connect +If properly configured, the output should show the following: +openvpn_can_network_connect --> off + Is it the case that openvpn_can_network_connect is not disabled? + + + + To determine if the system is configured to audit calls to the +query_module system call, run the following command: +$ sudo grep "query_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? - - -Run the following command to determine if the unconfined_mozilla_plugin_transition SELinux boolean is enabled: -$ getsebool unconfined_mozilla_plugin_transition -If properly configured, the output should show the following: -unconfined_mozilla_plugin_transition --> on - Is it the case that unconfined_mozilla_plugin_transition is not enabled? + + If the system does not have SELinux enabled and enforcing a targeted policy, or if the +pam_faillock.so module is not configured for use, this requirement is not applicable. + +Verify the location of the non-default tally directory for the pam_faillock.so module with +the following command: + +$ sudo grep -w dir /etc/security/faillock.conf + +dir = /var/log/faillock + +Check the security context type of the non-default tally directory with the following command: + +$ sudo ls -Zd /var/log/faillock + +unconfined_u:object_r:faillog_t:s0 /var/log/faillock + Is it the case that the security context type of the non-default tally directory is not "faillog_t"? - - To preclude access to the servers root directory, ensure the following -directive is in the httpd.conf file. 
This entry will also stop users -from setting up .htaccess files which can override security features -configured in /etc/httpd/conf/httpd.conf. -AllowOverride none - Is it the case that it is not? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEBUG_WX /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the irc_use_any_tcp_ports SELinux boolean is disabled: -$ getsebool irc_use_any_tcp_ports +Run the following command to determine if the postgresql_selinux_transmit_client_label SELinux boolean is disabled: +$ getsebool postgresql_selinux_transmit_client_label If properly configured, the output should show the following: -irc_use_any_tcp_ports --> off - Is it the case that irc_use_any_tcp_ports is not disabled? +postgresql_selinux_transmit_client_label --> off + Is it the case that postgresql_selinux_transmit_client_label is not disabled? - - The runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.drop_gratuitous_arp -1. + + Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld + Is it the case that the package is not installed? + + + + +If the system is configured to prevent the loading of the atm kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - Is it the case that the correct value is not returned? +These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. 
+ +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r atm /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To verify the nodev option is configured for all NFS mounts, run -the following command: -$ mount | grep nfs -All NFS mounts should show the nodev setting in parentheses. This -is not applicable if NFS is not implemented. - Is it the case that the setting does not show? + + To ensure ClientAliveInterval is set correctly, run the following command: +$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config +If properly configured, the output should be: +ClientAliveCountMax +For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when +the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout +functionality completely. +If the option is set to a number greater than 0, then the session will be disconnected after +ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. + Is it the case that it is commented out or not configured properly? - - Verify that Red Hat Enterprise Linux 8 has configured the minimum time period between password changes for each user account is one day or greater with the following command: + + To ensure the user list is disabled, run the following command: +$ grep disable-user-list /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot enable displaying the user list, run the following: +$ grep disable-user-list /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/disable-user-list + Is it the case that disable-user-list has not been configured or is not disabled? 
+ + + + To determine if the system is configured to audit successful calls +to the fchownat system call, run the following command: +$ sudo grep "fchownat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow - Is it the case that any results are returned that are not associated with a system account? + Is it the case that no line is returned? - + -Run the following command to determine if the virt_use_fusefs SELinux boolean is disabled: -$ getsebool virt_use_fusefs -If properly configured, the output should show the following: -virt_use_fusefs --> off - Is it the case that virt_use_fusefs is not disabled? + +Run the following command to determine the current status of the +sssd service: +$ sudo systemctl is-active sssd +If the service is running, it should return the following: active + Is it the case that the service is not enabled? - - -Run the following command to determine if the nfsd_anon_write SELinux boolean is disabled: -$ getsebool nfsd_anon_write -If properly configured, the output should show the following: -nfsd_anon_write --> off - Is it the case that nfsd_anon_write is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open system call with O_TRUNC_WRITE flag. 
+ + To determine how the SSH daemon's StrictModes option is set, run the following command: -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: +$ sudo grep -i StrictModes /etc/ssh/sshd_config -$ sudo grep -r open /etc/audit/rules.d +If a line indicating yes is returned, then the required value is set. -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + Is it the case that the required value is not set? + + + + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: -$ sudo grep open /etc/audit/audit.rules +$ grep lock-command /etc/tmux.conf -The output should be the following: +set -g lock-command vlock --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? +Then, verify that the /etc/tmux.conf file can be read by other users than root: + +$ sudo ls -al /etc/tmux.conf + Is it the case that the "lock-command" is not set in the global settings to call "vlock"? - - The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.send_redirects -0. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: - Is it the case that the correct value is not returned? 
+$ sudo auditctl -l | grep usermod + +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod + Is it the case that the command does not return a line, or the line is commented out? - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.media-handling automount-open -If properly configured, the output for automount-openshould be false. -To ensure that users cannot enable automount opening in GNOME3, run the following: -$ grep 'automount-open' /etc/dconf/db/local.d/locks/* -If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open - Is it the case that GNOME automounting is not disabled? + + To check the permissions of /etc/cron.d, +run the command: +$ ls -l /etc/cron.d +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.d does not have unix mode -rwx------? - - The runtime status of the kernel.kptr_restrict kernel parameter can be queried -by running the following command: -$ sysctl kernel.kptr_restrict -The output of the command should indicate either: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 -The output of the command should not indicate: -kernel.kptr_restrict = 0 - -The preferable way how to assure the runtime compliance is to have -correct persistent configuration, and rebooting the system. - -The persistent kernel parameter configuration is performed by specifying the appropriate -assignment in any file located in the /etc/sysctl.d directory. -Verify that there is not any existing incorrect configuration by executing the following command: -$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d -The command should not find any assignments other than: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 - -Conflicting assignments are not allowed. 
- Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that the command does not return a line, or the line is commented out? - + To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* +chmod system call, run the following command: +$ sudo grep "chmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check the group ownership of /usr/bin/sudo, -run the command: -$ ls -lL /usr/bin/sudo -If properly configured, the output should indicate the following group-owner: - - Is it the case that /usr/bin/sudo does not have a group owner of <sub idref="var_sudo_dedicated_group" />? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_ALL /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - -Run the following command to determine if the sge_domain_can_network_connect SELinux boolean is disabled: -$ getsebool sge_domain_can_network_connect -If properly configured, the output should show the following: -sge_domain_can_network_connect --> off - Is it the case that sge_domain_can_network_connect is not disabled? + + Run the following command to determine if the libpwquality package is installed: +$ rpm -q libpwquality + Is it the case that the package is not installed? 
- - To verify the number of rounds for the password hashing algorithm is configured, run the following command: -$ sudo grep rounds /etc/pam.d/system-auth -The output should show the following match: -password sufficient pam_unix.so sha512 rounds= - Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? + + +Run the following command to determine if the mysql_connect_any SELinux boolean is disabled: +$ getsebool mysql_connect_any +If properly configured, the output should show the following: +mysql_connect_any --> off + Is it the case that mysql_connect_any is not disabled? - - Run the following command to determine if the rsync-daemon package is installed: -$ rpm -q rsync-daemon - Is it the case that the package is installed? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192' +The command should not return any output. + Is it the case that audit backlog limit is not configured? - - Run the following command to determine if the chrony package is installed: $ rpm -q chrony - Is it the case that the package is not installed? 
+ + To verify that root's primary group is zero run the following command: + + grep '^root:' /etc/passwd | cut -d : -f 4 + +The command should return: + +0 + + Is it the case that root has a primary gid not equal to zero? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + + Check that AIDE is properly configured to protect the integrity of the +audit tools by running the following command: -$ sudo grep -r open_by_handle_at /etc/audit/rules.d +# sudo cat /etc/aide.conf | grep /usr/sbin/au -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -$ sudo grep open_by_handle_at /etc/audit/audit.rules -The output should be the following: --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? - - - - To determine how the SSH daemon's X11Forwarding option is set, run the following command: +/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -$ sudo grep -i X11Forwarding /etc/ssh/sshd_config -If a line indicating yes is returned, then the required value is set. 
+If AIDE is configured properly to protect the integrity of the audit tools, +all lines listed above will be returned from the command. - Is it the case that the required value is not set? +If one or more lines are missing, this is a finding. + Is it the case that integrity checks of the audit tools are missing or incomplete? - - To determine if env_reset has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\benv_reset\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that env_reset is not enabled in sudo? + + +Run the following command to determine if the use_nfs_home_dirs SELinux boolean is disabled: +$ getsebool use_nfs_home_dirs +If properly configured, the output should show the following: +use_nfs_home_dirs --> off + Is it the case that use_nfs_home_dirs is not disabled? - - Run the following command to determine if the libselinux package is installed: $ rpm -q libselinux - Is it the case that the package is not installed? + + + +Run the following command to determine the current status of the +rsyslog service: +$ sudo systemctl is-active rsyslog +If the service is running, it should return the following: active + Is it the case that the "rsyslog" service is disabled, masked, or not started.? - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.thumbnailers disable-all -If properly configured, the output should be true. -To ensure that users cannot how long until the screensaver locks, run the following: -$ grep disable-all /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all - Is it the case that GNOME thumbnailers are not disabled? + + To determine if the system is configured to audit successful calls +to the open system call, run the following command: +$ sudo grep "open" /etc/audit.* +If the system is configured to audit this activity, it will return a line. 
+ + Is it the case that no line is returned? - - Verify that a separate file system/partition has been created for /home with the following command: + + Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: -$ mountpoint /home +$ sudo grep pam_faillock.so /etc/pam.d/system-auth - Is it the case that "/home is not a mountpoint" is returned? - - - - Verify that only the "root" account has a UID "0" assignment with the -following command: -$ awk -F: '$3 == 0 {print $1}' /etc/passwd -root - Is it the case that any accounts other than "root" have a UID of "0"? - - - - -Run the following command to determine if the mcelog_exec_scripts SELinux boolean is enabled: -$ getsebool mcelog_exec_scripts -If properly configured, the output should show the following: -mcelog_exec_scripts --> on - Is it the case that mcelog_exec_scripts is not enabled? +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.so + Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY /boot/config.* + $ grep CONFIG_SYN_COOKIES /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To check the screensaver mandatory use status, run the following command: -$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled -If properly configured, the output should be true. -To ensure that users cannot disable the screensaver idle inactivity setting, run the following: -$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled - Is it the case that idle-activation-enabled is not enabled or configured? 
+ + To check the permissions of /boot/grub2/user.cfg, +run the command: +$ ls -l /boot/grub2/user.cfg +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /boot/grub2/user.cfg does not have unix mode -rw-------? - - Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools - Is it the case that the package is not installed? + + To determine if NOEXEC has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\bnoexec\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that noexec is not enabled in sudo? - - Run the following command to verify that the MTA is not listening on -any non-loopback address (127.0.0.1 or ::1). -# ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' -Nothing should be returned - Is it the case that MTA is listening on any non-loopback address? + + To verify if MaxKeepAliveRequests is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i maxkeepaliverequests /etc/httpd/conf/httpd.conf +The command should return the following: +MaxKeepAliveRequests 100 + Is it the case that it is not? - - To check the permissions of /etc/http/conf.modules.d/*, + + To check the ownership of /boot/grub2/grub.cfg, run the command: -$ ls -l /etc/http/conf.modules.d/* -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/http/conf.modules.d/* does not have unix mode -rw-r-----? +$ ls -lL /boot/grub2/grub.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that /boot/grub2/grub.cfg does not have an owner of root? - - Verify that Red Hat Enterprise Linux 8 enforces password complexity rules for the root account. 
- -Check if root user is required to use complex passwords with the following command: - -$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:enforce_for_root - Is it the case that "enforce_for_root" is commented or missing? + + Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog + Is it the case that the package is not installed? - - Run the following command: -# grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf -Verify the output matches: -$FileCreateMode 0640 -Should a site policy dictate less restrictive permissions, ensure to follow -said policy. - Is it the case that $FileCreateMode is not set or is more permissive than 0640? + + +Run the following command to determine if the gluster_export_all_rw SELinux boolean is disabled: +$ getsebool gluster_export_all_rw +If properly configured, the output should show the following: +gluster_export_all_rw --> off + Is it the case that gluster_export_all_rw is not disabled? - - To check the permissions of /etc/group-, -run the command: -$ ls -l /etc/group- -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/group- does not have unix mode -rw-r--r--? + + Run the following command to determine if the vim-enhanced package is installed: $ rpm -q vim-enhanced + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. - -Check the value for "ucredit" with the following command: + + +If the system is configured to prevent the loading of the firewire-core kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
-$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf +These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword. -ucredit = -1 - Is it the case that the value of "ucredit" is a positive number or is commented out? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_COMPAT_BRK /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + +Run the following command to determine if the virt_transition_userdomain SELinux boolean is disabled: +$ getsebool virt_transition_userdomain +If properly configured, the output should show the following: +virt_transition_userdomain --> off + Is it the case that virt_transition_userdomain is not disabled? - - To check the group ownership of /var/log, + + To check the group ownership of /etc/cron.hourly, run the command: -$ ls -lL /var/log +$ ls -lL /etc/cron.hourly If properly configured, the output should indicate the following group-owner: root - Is it the case that /var/log does not have a group owner of root? - - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/43-module-load.rules -The output has to be exactly as follows: -## These rules watch for kernel module insertion. By monitoring -## the syscall, we do not need any watches on programs. 
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b32 -S delete_module -F key=module-unload --a always,exit -F arch=b64 -S delete_module -F key=module-unload - Is it the case that the file does not exist or the content differs? + Is it the case that /etc/cron.hourly does not have a group owner of root? - - To ensure LoginGraceTime is set correctly, run the following command: -$ sudo grep LoginGraceTime /etc/ssh/sshd_config -If properly configured, the output should be: -LoginGraceTime -If the option is set to a number greater than 0, then the unauthenticated session will be disconnected -after the configured number seconds. - Is it the case that it is commented out or not configured properly? + + To ensure the user home directory is not group-writable or world-readable, run the following: +# ls -ld /home/USER + Is it the case that the user home directory is group-writable or world-readable? - - Ensure that debug-shell service is not enabled with the following command: -grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub -If the command returns a line, it means that debug-shell service is being enabled. - Is it the case that the comand returns a line? + + Verify the operating system is not configured to bypass password requirements for privilege +escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: +$ sudo grep pam_succeed_if /etc/pam.d/sudo + Is it the case that system is configured to bypass password requirements for privilege escalation? 
- - To verify that null passwords cannot be used, run the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: -$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth +$ sudo auditctl -l | grep sudo -If this produces any output, it may be possible to log into accounts -with empty passwords. Remove any instances of the nullok option to -prevent logins with empty passwords. - Is it the case that NULL passwords can be used? +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo + Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the dovecot package is installed: -$ rpm -q dovecot - Is it the case that the package is installed? + + Verify Red Hat Enterprise Linux 8 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command: +$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf +server [ntp.server.name] iburst maxpoll . + Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing? - - To check the permissions of /etc/shadow, -run the command: -$ ls -l /etc/shadow -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/shadow does not have unix mode ----------? + + +Run the following command to determine if the nfs_export_all_ro SELinux boolean is enabled: +$ getsebool nfs_export_all_ro +If properly configured, the output should show the following: +nfs_export_all_ro --> on + Is it the case that nfs_export_all_ro is not enabled? - - Run the following command to determine if the cups package is installed: -$ rpm -q cups - Is it the case that the package is installed? 
+ + To verify that BIND uses the system crypto policy, check out that the BIND config file +/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config"; +directive: +$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf +Verify that the directive is at the bottom of the options section of the config file. + Is it the case that BIND is installed and the BIND config file doesn't contain the +<pre>include "/etc/crypto-policies/back-ends/bind.config";</pre> directive? - - Run the following command to determine if the krb5-server package is installed: $ rpm -q krb5-server + + Run the following command to determine if the abrt-addon-kerneloops package is installed: +$ rpm -q abrt-addon-kerneloops Is it the case that the package is installed? - - To determine if the system is configured to audit successful calls -to the fchmodat system call, run the following command: -$ sudo grep "fchmodat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? - - - + -Run the following command to determine if the sysadm_exec_content SELinux boolean is enabled: -$ getsebool sysadm_exec_content +Run the following command to determine if the logging_syslogd_can_sendmail SELinux boolean is disabled: +$ getsebool logging_syslogd_can_sendmail If properly configured, the output should show the following: -sysadm_exec_content --> on - Is it the case that sysadm_exec_content is not enabled? +logging_syslogd_can_sendmail --> off + Is it the case that logging_syslogd_can_sendmail is not disabled? - - To verify if CustomLog is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i customlog /etc/httpd/conf/httpd.conf -The output should return the following: -CustomLog "logs/access_log" combined - Is it the case that it is not? 
+ + Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server + Is it the case that the package is not installed? - + -Run the following command to determine if the httpd_serve_cobbler_files SELinux boolean is disabled: -$ getsebool httpd_serve_cobbler_files +Run the following command to determine if the virt_read_qemu_ga_data SELinux boolean is disabled: +$ getsebool virt_read_qemu_ga_data If properly configured, the output should show the following: -httpd_serve_cobbler_files --> off - Is it the case that httpd_serve_cobbler_files is not disabled? - - - - Locate the directories containing the CGI scripts. These directories should be -language-specific (e.g., PERL, ASP, JS, JSP, etc.). Examine the file permissions -on the directories using the following command: -ls -l directories -Anonymous FTP users must not have access to these directories. - Is it the case that it is not? +virt_read_qemu_ga_data --> off + Is it the case that virt_read_qemu_ga_data is not disabled? - - To verify that McAfee HIPS is installed, run the following command(s): -$ rpm -q MFEhiplsm - Is it the case that the HBSS HIPS module is not installed? + + Inspect the file /etc/sysconfig/iptables to determine +the default policy for the INPUT chain. It should be set to DROP: +$ sudo grep ":INPUT" /etc/sysconfig/iptables + Is it the case that the default policy for the INPUT chain is not set to DROP? - - Inspect the password section of /etc/pam.d/password-auth -and ensure that the pam_unix.so module includes the argument -sha512: -$ grep sha512 /etc/pam.d/password-auth - Is it the case that it does not? + + To verify that the installed operating system is supported, run +the following command: + +$ grep -i "red hat" /etc/redhat-release + +Red Hat Enterprise Linux 8 + Is it the case that the installed operating system is not supported? 
- + -Run the following command to determine if the samba_share_fusefs SELinux boolean is disabled: -$ getsebool samba_share_fusefs -If properly configured, the output should show the following: -samba_share_fusefs --> off - Is it the case that samba_share_fusefs is not disabled? +To properly set the group owner of /etc/audit/, run the command: +$ sudo chgrp root /etc/audit/ + +To properly set the group owner of /etc/audit/rules.d/, run the command: +$ sudo chgrp root /etc/audit/rules.d/ + Is it the case that ? - - -Run the following command to determine if the httpd_use_gpg SELinux boolean is disabled: -$ getsebool httpd_use_gpg -If properly configured, the output should show the following: -httpd_use_gpg --> off - Is it the case that httpd_use_gpg is not disabled? + + To check if compression is enabled or set correctly, run the +following command: +$ sudo grep Compression /etc/ssh/sshd_config +If configured properly, output should be no or delayed. + Is it the case that it is commented out, or is not set to no or delayed? - + -Run the following command to determine if the tftp_anon_write SELinux boolean is disabled: -$ getsebool tftp_anon_write +Run the following command to determine if the nagios_run_sudo SELinux boolean is disabled: +$ getsebool nagios_run_sudo If properly configured, the output should show the following: -tftp_anon_write --> off - Is it the case that tftp_anon_write is not disabled? +nagios_run_sudo --> off + Is it the case that nagios_run_sudo is not disabled? - + + To determine if the system is configured to audit calls to the +chown system call, run the following command: +$ sudo grep "chown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + -Run the following command to determine if the httpd_use_nfs SELinux boolean is disabled: -$ getsebool httpd_use_nfs +Run the following command to determine if the httpd_tty_comm SELinux boolean is disabled: +$ getsebool httpd_tty_comm If properly configured, the output should show the following: -httpd_use_nfs --> off - Is it the case that httpd_use_nfs is not disabled? +httpd_tty_comm --> off + Is it the case that httpd_tty_comm is not disabled? - - To check the permissions of /boot/Sysem.map-*, -run the command: -$ ls -l /boot/Sysem.map-* -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that ? + + To determine if the system is configured to audit unsuccessful calls +to the setxattr system call, run the following command: +$ sudo grep "setxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + + Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: + +$ sudo grep audit /etc/security/faillock.conf + +audit + Is it the case that the "audit" option is not set, is missing or commented out? + + + -Run the following command to determine if the mpd_use_cifs SELinux boolean is disabled: -$ getsebool mpd_use_cifs +Run the following command to determine if the dhcpc_exec_iptables SELinux boolean is disabled: +$ getsebool dhcpc_exec_iptables If properly configured, the output should show the following: -mpd_use_cifs --> off - Is it the case that mpd_use_cifs is not disabled? +dhcpc_exec_iptables --> off + Is it the case that dhcpc_exec_iptables is not disabled? - - To ensure sshd limits the users who can log in, run the following: -pre>$ sudo grep -rPi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config* -If properly configured, the output should be a list of usernames and/or -groups allowed to log in to this system. 
- Is it the case that sshd does not limit the users who can log in? + + Inspect all instances of DocumentRoot and Alias. No +robots.txt file should exist. + Is it the case that it is not? - - Run the following command to determine if the openssh-clients package is installed: $ rpm -q openssh-clients - Is it the case that the package is not installed? + + To check the ownership of /etc/group, +run the command: +$ ls -lL /etc/group +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/group does not have an owner of root? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: - -$ sudo auditctl -l | grep setfacl - --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - Is it the case that the command does not return a line, or the line is commented out? + + To check that audit is enabled at boot time, check all boot entries with following command: +sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that doesn't enable audit. + Is it the case that auditing is not enabled at boot time? 
@@ -372630,83 +373333,84 @@ If the service is running, it should return the following: active Is it the case that ? - - To verify the nosuid option is configured for all NFS mounts, run -the following command: -$ mount | grep nfs -All NFS mounts should show the nosuid setting in parentheses. This -is not applicable if NFS is not implemented. - Is it the case that the setting does not show? - - - - -Run the following command to determine if the xen_use_nfs SELinux boolean is disabled: -$ getsebool xen_use_nfs -If properly configured, the output should show the following: -xen_use_nfs --> off - Is it the case that xen_use_nfs is not disabled? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + +$ sudo auditctl -l | grep chcon + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + Is it the case that the command does not return a line, or the line is commented out? - - To check the ownership of /etc/motd, -run the command: -$ ls -lL /etc/motd -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/motd does not have an owner of root? + + To verify that there are no .shosts files +on the system, run the following command: +$ sudo find / -name '.shosts' + Is it the case that .shosts files exist? - - To verify that acquiring, saving, and processing core dumps is disabled, run the -following command: -$ systemctl status systemd-coredump.socket -The output should be similar to: -● systemd-coredump.socket - Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) - Active: inactive (dead) ... 
+ + To check that the slapd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled slapd +Output should indicate the slapd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled slapd disabled - Is it the case that unit systemd-coredump.socket is not masked or running? - - - - To verify the password reuse setting is compliant, run the following command: -$ grep remember /etc/pam.d/system-auth -The output should show the following at the end of the line: -remember= +Run the following command to verify slapd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active slapd +If the service is not running the command will return the following output: +inactive -In newer systems, the pam_pwhistory PAM module options can also be set in -"/etc/security/pwhistory.conf" file. Use the following command to verify: -$ grep remember /etc/security/pwhistory.conf -remember = +The service will also be masked, to check that the slapd is masked, run the following command: +$ sudo systemctl show slapd | grep "LoadState\|UnitFileState" -The pam_pwhistory remember option must be configured only in one file. - Is it the case that the value of remember is not equal to or greater than the expected value? - - - - Verify it by running the following command: -$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules +If the service is masked the command will return the following outputs: -/sbin/auditctl root -/sbin/aureport root -/sbin/ausearch root -/sbin/autrace root -/sbin/auditd root -/sbin/audispd root -/sbin/augenrules root +LoadState=masked +UnitFileState=masked + Is it the case that the "slapd" is loaded and not masked? 
+ + + + +Run the following command to determine if the fenced_can_network_connect SELinux boolean is disabled: +$ getsebool fenced_can_network_connect +If properly configured, the output should show the following: +fenced_can_network_connect --> off + Is it the case that fenced_can_network_connect is not disabled? + + + + Verify that local initialization files do not execute world-writable programs with the following command: -If the command does not return all the above lines, the missing ones -need to be added. +Note: The example will be for a system that is configured to create user home directories in the "/home" directory. -Run the following command to correct the permissions of the missing -entries: -$ sudo chown root [audit_tool] +$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; + Is it the case that any local initialization files are found to reference world-writable files? + + + + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +$ sudo grep "fremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -Replace "[audit_tool]" with each audit tool not owned by root. - Is it the case that ? + Is it the case that no line is returned? + + + + Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core + Is it the case that the package is not installed? + + + + To ensure write permissions are disabled for group and other + for each element in root's path, run the following command: +# ls -ld DIR + Is it the case that group or other write permissions exist? 
@@ -372724,185 +373428,213 @@ users must be mapped to the user_u role or the appropriate domain Is it the case that non-admin users are not confined correctly? - + -Run the following command to determine if the ftpd_full_access SELinux boolean is disabled: -$ getsebool ftpd_full_access +Run the following command to determine if the httpd_unified SELinux boolean is disabled: +$ getsebool httpd_unified If properly configured, the output should show the following: -ftpd_full_access --> off - Is it the case that ftpd_full_access is not disabled? - - - - The runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.arp_ignore -. - - Is it the case that the correct value is not returned? +httpd_unified --> off + Is it the case that httpd_unified is not disabled? - + -Run the following command to determine if the mysql_connect_any SELinux boolean is disabled: -$ getsebool mysql_connect_any +Run the following command to determine if the mmap_low_allowed SELinux boolean is disabled: +$ getsebool mmap_low_allowed If properly configured, the output should show the following: -mysql_connect_any --> off - Is it the case that mysql_connect_any is not disabled? +mmap_low_allowed --> off + Is it the case that mmap_low_allowed is not disabled? - - To determine if the system is configured to audit successful calls -to the creat system call, run the following command: -$ sudo grep "creat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: + sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' +or if cvtsudoers not supported: + sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! 
-name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; +If no results are returned, this is a finding. +If conflicting results are returned, this is a finding. +If "Defaults !targetpw" is not defined, this is a finding. +If "Defaults !rootpw" is not defined, this is a finding. +If "Defaults !runaspw" is not defined, this is a finding. + Is it the case that invoke user passwd when using sudo? - - Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: - -$ sudo grep audit /etc/security/faillock.conf - -audit - Is it the case that the "audit" option is not set, is missing or commented out? + + To verify that is configured +as the smart card driver, run the following command: +$ grep force_card_driver /etc/opensc.conf +The output should return something similar to: +force_card_driver = ; + Is it the case that the smart card driver is not configured correctly? - - -Run the following command to determine if the httpd_sys_script_anon_write SELinux boolean is disabled: -$ getsebool httpd_sys_script_anon_write -If properly configured, the output should show the following: -httpd_sys_script_anon_write --> off - Is it the case that httpd_sys_script_anon_write is not disabled? + + To check the ownership of /etc/issue.net, +run the command: +$ ls -lL /etc/issue.net +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/issue.net does not have an owner of root? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlink system call. + + To check the group ownership of /etc/cron.allow, +run the command: +$ ls -lL /etc/cron.allow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.allow does not have a group owner of root? 
+ + + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open system call with O_TRUNC_WRITE flag. -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r unlink /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep unlink /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a line, or the line is commented out? 
- + -Run the following command to determine if the pppd_can_insmod SELinux boolean is disabled: -$ getsebool pppd_can_insmod +Run the following command to determine if the openvpn_enable_homedirs SELinux boolean is disabled: +$ getsebool openvpn_enable_homedirs If properly configured, the output should show the following: -pppd_can_insmod --> off - Is it the case that pppd_can_insmod is not disabled? +openvpn_enable_homedirs --> off + Is it the case that openvpn_enable_homedirs is not disabled? - - Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: - -$ sudo grep pam_faillock.so /etc/pam.d/password-auth + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -auth required pam_faillock.so preauth -auth required pam_faillock.so authfail -account required pam_faillock.so - Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so? + Is it the case that no line is returned? - - To ensure the failed password attempt policy is configured correctly, run the following command: - -$ grep fail_interval /etc/security/faillock.conf -The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. - Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />" -or less (but not "0"), the line is commented out, or the line is missing? + + The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.forwarding +0. +The ability to forward packets is only appropriate for routers. + Is it the case that IP forwarding value is "1" and the system is not router? 
- - Verify that the default umask for all local interactive users is "077". - -Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. + + +Run the following command to determine if the staff_use_svirt SELinux boolean is disabled: +$ getsebool staff_use_svirt +If properly configured, the output should show the following: +staff_use_svirt --> off + Is it the case that staff_use_svirt is not disabled? + + + + Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: -Check all local interactive user initialization files for interactive users with the following command: +$ sudo grep -w admin_space_left /etc/audit/auditd.conf -Note: The example is for a system that is configured to create users home directories in the "/home" directory. +admin_space_left = % -# grep -ri umask /home/ +If the value of the "admin_space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is taking action if the allocated storage is about to reach capacity. + Is it the case that the "admin_space_left" value is not configured to the correct value? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_COMPAT_BRK /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? + + + + Run the following command to determine if the vsftpd package is installed: +$ rpm -q vsftpd + Is it the case that the package is installed? 
+ + + + To determine if the system is configured to audit unsuccessful calls +to the lremovexattr system call, run the following command: +$ sudo grep "lremovexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -/home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile -/home/smithj/.bash_history:grep -i umask /etc/login.defs - Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"? + Is it the case that no line is returned? - - To check if authentication is required for emergency mode, run the following command: -$ grep sulogin /usr/lib/systemd/system/emergency.service -The output should be similar to the following, and the line must begin with -ExecStart and /usr/lib/systemd/systemd-sulogin-shell. - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + + To check that the sshd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled sshd +Output should indicate the sshd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled sshd disabled -Then, check if the emergency target requires the emergency service: -Run the following command: -$ sudo grep Requires /usr/lib/systemd/system/emergency.target -The output should be the following: -Requires=emergency.service +Run the following command to verify sshd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active sshd -Then, check if there is no custom emergency target configured in systemd configuration. -Run the following command: -$ sudo grep -r emergency.target /etc/systemd/system/ -The output should be empty. 
+If the service is not running the command will return the following output: +inactive -Then, check if there is no custom emergency service configured in systemd configuration. -Run the following command: -$ sudo grep -r emergency.service /etc/systemd/system/ -The output should be empty. - Is it the case that the output is different? - - - - Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . +The service will also be masked, to check that the sshd is masked, run the following command: +$ sudo systemctl show sshd | grep "LoadState\|UnitFileState" +If the service is masked the command will return the following outputs: -Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: -$ grep retry /etc/security/pwquality.conf - Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing? +LoadState=masked + +UnitFileState=masked + Is it the case that the "sshd" is loaded and not masked? - - To determine if the system is configured to audit successful calls -to the open system call, run the following command: -$ sudo grep "open" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify that a separate file system/partition has been created for /var with the following command: - Is it the case that no line is returned? +$ mountpoint /var + + Is it the case that "/var is not a mountpoint" is returned? - - To check the ownership of /etc/cron.weekly, -run the command: -$ ls -lL /etc/cron.weekly -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.weekly does not have an owner of root? + + Inspect /proc/cmdline for any instances of selinux=0 +in the kernel boot arguments. Presence of selinux=0 indicates +that SELinux is disabled at boot time. + +If it would be disabled anywhere, make sure to enable it via a +MachineConfig object. 
+ Is it the case that SELinux is disabled at boot time? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes slub_debug=, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug=' +The command should not return any output. + Is it the case that SLUB/SLAB poisoning is not enabled? 
@@ -372914,159 +373646,97 @@ gluster_anon_write --> off Is it the case that gluster_anon_write is not disabled? - - -Run the following command to determine if the use_ecryptfs_home_dirs SELinux boolean is disabled: -$ getsebool use_ecryptfs_home_dirs -If properly configured, the output should show the following: -use_ecryptfs_home_dirs --> off - Is it the case that use_ecryptfs_home_dirs is not disabled? + + Verify the audit system is configured to take an appropriate action when the internal event queue is full: +$ sudo grep -i overflow_action /etc/audit/auditd.conf + +The output should contain overflow_action = syslog + +If the value of the "overflow_action" option is not set to syslog, +single, halt or the line is commented out, ask the System Administrator +to indicate how the audit logs are off-loaded to a different system or media. + Is it the case that auditd overflow action is not set correctly? - - -Run the following command to determine if the lsmd_plugin_connect_any SELinux boolean is disabled: -$ getsebool lsmd_plugin_connect_any -If properly configured, the output should show the following: -lsmd_plugin_connect_any --> off - Is it the case that lsmd_plugin_connect_any is not disabled? + + To verify all files and directories in a local interactive user's +home directory have a valid owner, run the following command: +$ sudo ls -lLR /home/USER + Is it the case that the user ownership is incorrect? - + -Run the following command to determine if the httpd_dontaudit_search_dirs SELinux boolean is disabled: -$ getsebool httpd_dontaudit_search_dirs +Run the following command to determine if the httpd_can_network_memcache SELinux boolean is disabled: +$ getsebool httpd_can_network_memcache If properly configured, the output should show the following: -httpd_dontaudit_search_dirs --> off - Is it the case that httpd_dontaudit_search_dirs is not disabled? +httpd_can_network_memcache --> off + Is it the case that httpd_can_network_memcache is not disabled? 
- + -Run the following command to determine if the virt_transition_userdomain SELinux boolean is disabled: -$ getsebool virt_transition_userdomain +Run the following command to determine if the piranha_lvs_can_network_connect SELinux boolean is disabled: +$ getsebool piranha_lvs_can_network_connect If properly configured, the output should show the following: -virt_transition_userdomain --> off - Is it the case that virt_transition_userdomain is not disabled? - - - - The runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra_rtr_pref -0. - - Is it the case that the correct value is not returned? - - - - To verify that audit is configured for OSPP v4.2.1, run the following commands: -for file in "10-base-config" "11-loginuid" "30-ospp-v42" "43-module-load";do diff /etc/audit/rules.d/$file.rules /usr/share/doc/audit*/rules/$file.rules; done - -If the system is configured properly, no lines should be returned. - Is it the case that the files are not there or differ? - - - - -Determine the audit log group by running the following command: - -$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf - -Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. -Run the following command: - -$ sudo find /var/log/audit -type d -printf "%p %g\n" - -All listed directories must be owned by the log_group or by root if the log_group is not specified. - Is it the case that there is a directory owned by different group? - - - - Verify the operating system audits activities performed during nonlocal -maintenance and diagnostic sessions. Run the following command: -$ sudo auditctl -l | grep sudo.log --w /var/log/sudo.log -p wa -k maintenance - - Is it the case that Audit rule is not present? 
- - - - To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: -$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config -and verify that the line matches: --oCiphers= - Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? - - - - To ensure the tally directory is configured correctly, run the following command: -$ sudo grep 'dir =' /etc/security/faillock.conf -The output should show that dir is set to something other than "/var/run/faillock" - Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? +piranha_lvs_can_network_connect --> off + Is it the case that piranha_lvs_can_network_connect is not disabled? - - To check that all boot entries extend the backlog limit; -Check that all boot entries extend the log events queue: -sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that does not extend the log events queue. - Is it the case that audit backlog limit is not configured? + + Run the following command to determine if the openldap-clients package is installed: +$ rpm -q openldap-clients + Is it the case that the package is installed? - + -Run the following command to determine if the httpd_can_network_connect_db SELinux boolean is disabled: -$ getsebool httpd_can_network_connect_db +Run the following command to determine if the selinuxuser_execmod SELinux boolean is enabled: +$ getsebool selinuxuser_execmod If properly configured, the output should show the following: -httpd_can_network_connect_db --> off - Is it the case that httpd_can_network_connect_db is not disabled? - - - - -To properly set the permissions of /etc/audit/, run the command: -$ sudo chmod 0640 /etc/audit/ - -To properly set the permissions of /etc/audit/rules.d/, run the command: -$ sudo chmod 0640 /etc/audit/rules.d/ - Is it the case that ? 
+selinuxuser_execmod --> on + Is it the case that selinuxuser_execmod is not enabled? - + -Run the following command to determine if the logwatch_can_network_connect_mail SELinux boolean is disabled: -$ getsebool logwatch_can_network_connect_mail +Run the following command to determine if the xguest_exec_content SELinux boolean is disabled: +$ getsebool xguest_exec_content If properly configured, the output should show the following: -logwatch_can_network_connect_mail --> off - Is it the case that logwatch_can_network_connect_mail is not disabled? +xguest_exec_content --> off + Is it the case that xguest_exec_content is not disabled? - - To determine if the system is configured to audit unsuccessful calls -to the lremovexattr system call, run the following command: -$ sudo grep "lremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check if pam_pwquality.so is enabled in password-auth, run the following command: +$ grep pam_pwquality /etc/pam.d/password-auth +The output should be similar to the following: +password requisite pam_pwquality.so + Is it the case that pam_pwquality.so is not enabled in password-auth? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command: - -$ sudo auditctl -l | grep /var/log/tallylog - --w /var/log/tallylog -p wa -k logins - Is it the case that the command does not return a line, or the line is commented out? + + Verify that the system is integrated with a centralized authentication mechanism +such as as Active Directory, Kerberos, Directory Server, etc. that has +automated account mechanisms in place. + Is it the case that the system is not using a centralized authentication mechanism, or it is not automated? 
- - -Run the following command to determine if the glance_use_execmem SELinux boolean is disabled: -$ getsebool glance_use_execmem -If properly configured, the output should show the following: -glance_use_execmem --> off - Is it the case that glance_use_execmem is not disabled? + + To verify that cryptography policy has been configured correctly, run the +following command: +$ update-crypto-policies --show +The output should return . +Run the command to check if the policy is correctly applied: +$ update-crypto-policies --is-applied +The output should be The configured policy is applied. +Moreover, check if settings for selected crypto policy are as expected. +List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends. +$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort +Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory. +$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort +Outputs of two previous commands should match. + Is it the case that cryptographic policy is not configured or is configured incorrectly? 
@@ -373081,1450 +373751,1251 @@ The output has to be exactly as follows: Is it the case that the file does not exist or the content differs? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one numeric character be used. -$ sudo auditctl -l | grep ssh-agent +Check the value for "dcredit" with the following command: --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent - Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +/etc/security/pwquality.conf:dcredit = + Is it the case that the value of "dcredit" is a positive number or is commented out? - + + To verify the assigned home directory of all interactive user home directories +have a mode of 0750 or less permissive, run the following command: +$ sudo ls -l /home +Inspect the output for any directories with incorrect permissions. + Is it the case that they are more permissive? + + + + To determine if the system is configured to audit unsuccessful calls +to the fchmodat system call, run the following command: +$ sudo grep "fchmodat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + Verify the noexec option is configured for the /tmp mount point, + run the following command: + $ sudo mount | grep '\s/tmp\s' + . . . /tmp . . . noexec . . . + + Is it the case that the "/tmp" file system does not have the "noexec" option set? 
+ + + -Run the following command to determine if the samba_share_nfs SELinux boolean is disabled: -$ getsebool samba_share_nfs -If properly configured, the output should show the following: -samba_share_nfs --> off - Is it the case that samba_share_nfs is not disabled? + +Run the following command to determine the current status of the +nails service: +$ sudo systemctl is-active nails +If the service is running, it should return the following: active + Is it the case that ? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep /var/log/tallylog --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-w /var/log/tallylog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? - - The runtime status of the net.ipv4.ip_local_port_range kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.ip_local_port_range -32768 65535. + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the correct value is not returned? + Is it the case that no line is returned? - + -Run the following command to determine if the virt_use_nfs SELinux boolean is disabled: -$ getsebool virt_use_nfs +Run the following command to determine if the ftpd_use_cifs SELinux boolean is disabled: +$ getsebool ftpd_use_cifs If properly configured, the output should show the following: -virt_use_nfs --> off - Is it the case that virt_use_nfs is not disabled? 
- - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_ARM64_SW_TTBR0_PAN /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +ftpd_use_cifs --> off + Is it the case that ftpd_use_cifs is not disabled? - - The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra -0. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the xdm_exec_bootloader SELinux boolean is disabled: +$ getsebool xdm_exec_bootloader +If properly configured, the output should show the following: +xdm_exec_bootloader --> off + Is it the case that xdm_exec_bootloader is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PROC_KCORE /boot/config.* + $ grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config.* - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. + For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To determine if the system is configured to audit unsuccessful calls -to the removexattr system call, run the following command: -$ sudo grep "removexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes ipv6.disable=1, +then the parameter will be configured for newly installed kernels. 
+First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'ipv6.disable=1' +The command should not return any output. + Is it the case that IPv6 is not disabled? - - -Run the following command to determine if the ssh_keysign SELinux boolean is disabled: -$ getsebool ssh_keysign -If properly configured, the output should show the following: -ssh_keysign --> off - Is it the case that ssh_keysign is not disabled? + + Run the following command to determine if the abrt-plugin-rhtsupport package is installed: +$ rpm -q abrt-plugin-rhtsupport + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + + To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: -$ sudo auditctl -l | grep /var/log/lastlog +$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config --w /var/log/lastlog -p wa -k logins - Is it the case that the command does not return a line, or the line is commented out? +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? 
- - -Run the following command to determine if the zebra_write_config SELinux boolean is disabled: -$ getsebool zebra_write_config -If properly configured, the output should show the following: -zebra_write_config --> off - Is it the case that zebra_write_config is not disabled? + + To ensure that users cannot change session idle and lock settings, run the following: +$ grep 'idle-delay' /etc/dconf/db/local.d/locks/* +If properly configured, the output should return: +/org/gnome/desktop/session/idle-delay + Is it the case that idle-delay is not locked? - - -To check that the rsh service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig rsh --list -Output should indicate the rsh service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig rsh --list - -Note: This output shows SysV services only and does not include native -systemd services. SysV configuration data might be overridden by native -systemd configuration. - -If you want to list systemd services use 'systemctl list-unit-files'. -To see services enabled on particular target use -'systemctl list-dependencies [target]'. - -rsh off - -To check that the rsh socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled rsh -Output should indicate the rsh socket has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rshdisabled + + Determine where the audit logs are stored with the following command: -Run the following command to verify rsh is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active rsh +$ sudo grep -iw log_file /etc/audit/auditd.conf -If the socket is not running the command will return the following output: -inactive +log_file = /var/log/audit/audit.log -The socket will also be masked, to check that the rsh is masked, run the following command: -$ sudo systemctl show rsh | grep "LoadState\|UnitFileState" +Determine the owner of the audit log directory by using the output of the above command +(default: "/var/log/audit/"). Run the following command with the correct audit log directory +path: -If the socket is masked the command will return the following outputs: +$ sudo ls -ld /var/log/audit -LoadState=masked +drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit -UnitFileState=masked - Is it the case that service and/or socket are running? +The audit log directory must be owned by "root" + Is it the case that the directory is not owned by root? - - To verify that SSSD is configured for PAM services, run the following command: -$ sudo grep services /etc/sssd/sssd.conf -If configured properly, output should be similar to -services = pam - Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section? + + To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +$ sudo grep "delete_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the mock_enable_homedirs SELinux boolean is disabled: -$ getsebool mock_enable_homedirs +Run the following command to determine if the condor_tcp_network_connect SELinux boolean is disabled: +$ getsebool condor_tcp_network_connect If properly configured, the output should show the following: -mock_enable_homedirs --> off - Is it the case that mock_enable_homedirs is not disabled? 
+condor_tcp_network_connect --> off + Is it the case that condor_tcp_network_connect is not disabled? - - -If the system is configured to prevent the loading of the atm kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r atm /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? + + To verify the boot loader superuser account has been set, run the following +command: +sudo grep -A1 "superusers" /boot/efi/EFI/redhat/grub.cfg +The output should show the following: +set superusers="superusers-account" +export superusers +where superusers-account is the actual account name different from common names like root, +admin, or administrator and different from any other existing user name. + Is it the case that superuser account is not set or is set to an existing name or to a common name? - - To ensure the user list is disabled, run the following command: -$ grep disable-user-list /etc/dconf/db/gdm.d/* -The output should be true. -To ensure that users cannot enable displaying the user list, run the following: -$ grep disable-user-list /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/disable-user-list - Is it the case that disable-user-list has not been configured or is not disabled? + + Run the following command to determine if the net-snmp package is installed: +$ rpm -q net-snmp + Is it the case that the package is installed? 
- - Run the following command to determine if the abrt-plugin-logger package is installed: -$ rpm -q abrt-plugin-logger - Is it the case that the package is installed? + + To check the permissions of /boot/grub2/grub.cfg, run the command: +$ sudo ls -lL /boot/grub2/grub.cfg +If properly configured, the output should indicate the following +permissions: -rw------- + Is it the case that it does not? - + -Run the following command to determine if the httpd_anon_write SELinux boolean is disabled: -$ getsebool httpd_anon_write +Run the following command to determine if the icecast_use_any_tcp_ports SELinux boolean is disabled: +$ getsebool icecast_use_any_tcp_ports If properly configured, the output should show the following: -httpd_anon_write --> off - Is it the case that httpd_anon_write is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_COMPAT_VDSO /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? +icecast_use_any_tcp_ports --> off + Is it the case that icecast_use_any_tcp_ports is not disabled? - - To check the permissions of /boot/efi/EFI/redhat/user.cfg, -run the command: -$ ls -l /boot/efi/EFI/redhat/user.cfg -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /boot/efi/EFI/redhat/user.cfg does not have unix mode -rw-------? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes mce=0, +then the parameter will be configured for newly installed kernels. 
+First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*mce=0.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*mce=0.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'mce=0' +The command should not return any output. + Is it the case that MCE tolerance is not set to zero? - - To check for virtual console entries which permit root login, run the -following command: -$ sudo grep ^vc/[0-9] /etc/securetty -If any output is returned, then root logins over virtual console devices is permitted. - Is it the case that root login over virtual console devices is permitted? + + Run the following command to determine if the mailx package is installed: $ rpm -q mailx + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "restorecon" command with the following command: - -$ sudo auditctl -l | grep restorecon + + To determine if the system is configured to audit successful calls +to the ftruncate system call, run the following command: +$ sudo grep "ftruncate" /etc/audit.* +If the system is configured to audit this activity, it will return a line. --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-restorecon - Is it the case that the command does not return a line, or the line is commented out? + Is it the case that no line is returned? - - The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried -by running the following command: -$ sysctl kernel.yama.ptrace_scope -1. - - Is it the case that the correct value is not returned? 
+ + To check for legacy lines in /etc/shadow, run the following command: + grep '^\+' /etc/shadow +The command should not return any output. + Is it the case that the file contains legacy lines? - - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config -and verify that the line matches: -Ciphers - Is it the case that Crypto Policy for OpenSSH client is not configured correctly? + + +Run the following command to determine if the authlogin_radius SELinux boolean is disabled: +$ getsebool authlogin_radius +If properly configured, the output should show the following: +authlogin_radius --> off + Is it the case that authlogin_radius is not disabled? - - To verify that no .java and .jpp files exist, run the -following command: -find / -name *.java -o -name *.jpp -The output should not return any .java or .jpp files - Is it the case that it is not? + + To check that virtual syscalls are disabled at boot time, check all boot entries with following command: +sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. + Is it the case that vsyscalls are enabled? - - + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. -Run the following command to determine the current status of the -pcscd service: -$ sudo systemctl is-active pcscd -If the service is running, it should return the following: active - Is it the case that the pcscd service is not enabled? +Check the value for "ucredit" with the following command: + +$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +ucredit = -1 + Is it the case that the value of "ucredit" is a positive number or is commented out? 
- - To check if only local user are impacted by pam_faillock, run the following command: -$ grep local_users_only /etc/security/faillock.conf -The output should return local_users_only not commented. - Is it the case that local_users_only is not uncommented or configured correctly? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To determine if use_pty has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that use_pty is not enabled in sudo? + + To determine that periodic AIDE execution has been scheduled, run the following command: + +$ grep aide /etc/crontab +The output should return something similar to the following: +05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost +The email address that the notifications are sent to can be changed by overriding +. + Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details? - + + Verify Red Hat Enterprise Linux 8 is configured to lock the root account after +unsuccessful logon attempts with the command: + + +$ grep even_deny_root /etc/security/faillock.conf +even_deny_root + Is it the case that the "even_deny_root" option is not set, is missing or commented out? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_BUG /boot/config.* + $ grep CONFIG_DEBUG_FS /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. 
Is it the case that the kernel was not built with the required value? - - Verify that Red Hat Enterprise Linux 8 generates an audit record for all uses of the "umount" and system call. -To determine if the system is configured to audit calls to the -"umount" system call, run the following command: -$ sudo grep "umount" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line like the following. --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount - Is it the case that the command does not return a line, or the line is commented out? + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: - -$ sudo auditctl -l | grep ssh-keysign - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign - Is it the case that the command does not return a line, or the line is commented out? + + To check the permissions of /etc/cron.weekly, +run the command: +$ ls -l /etc/cron.weekly +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.weekly does not have unix mode -rwx------? - + -Run the following command to determine if the selinuxuser_execheap SELinux boolean is disabled: -$ getsebool selinuxuser_execheap +Run the following command to determine if the httpd_use_cifs SELinux boolean is disabled: +$ getsebool httpd_use_cifs If properly configured, the output should show the following: -selinuxuser_execheap --> off - Is it the case that selinuxuser_execheap is not disabled? 
+httpd_use_cifs --> off + Is it the case that httpd_use_cifs is not disabled? - - If the system uses IPv6, this is not applicable. - -If the system is configured to prevent the usage of the ipv6 on -network interfaces, it will contain a line of the form: -net.ipv6.conf.all.disable_ipv6 = 1 -Such lines may be inside any file in the /etc/sysctl.d directory. -This permits insertion of the IPv6 kernel module (which other parts of the -system expect to be present), but otherwise keeps all network interfaces -from using IPv6. Run the following command to search for such lines in all -files in /etc/sysctl.d: -$ grep -r ipv6 /etc/sysctl.d - Is it the case that the ipv6 support is disabled on all network interfaces? + + To check for serial port entries which permit root login, +run the following command: +$ sudo grep ^ttyS/[0-9] /etc/securetty +If any output is returned, then root login over serial ports is permitted. + Is it the case that root login over serial ports is permitted? - - Run the following command to determine open ports: -# ss -4tuln -Run the following command to determine firewall rules: -# iptables -L INPUT -v -n -For each port identified in the audit which does not have a firewall -rule, add rule for accepting or denying inbound connections -# iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT - Is it the case that open ports are denied connection? + + To verify that binaries cannot be directly executed from removable media, run the following command: +$ grep -v noexec /etc/fstab +The resulting output will show partitions which do not have the noexec flag. Verify all partitions +in the output are not removable media. + Is it the case that removable media partitions are present? 
- + - -Run the following command to determine the current status of the -systemd-journald service: -$ sudo systemctl is-active systemd-journald -If the service is running, it should return the following: active - Is it the case that the systemd-journald service is not running? +Run the following command to determine if the unconfined_login SELinux boolean is enabled: +$ getsebool unconfined_login +If properly configured, the output should show the following: +unconfined_login --> on + Is it the case that unconfined_login is not enabled? - - Review the web site to determine if HTTP and HTTPs are used in accordance with -well known ports (e.g., 80 and 443) or those ports and services as registered -and approved for use by the DoD PPSM. - -To configure firewalld to allow http access, run the following command(s): -firewall-cmd --permanent --add-service=http -Then run the following command to load the newly created rule(s): -firewall-cmd --reload - -To configure firewalld to allow https access, run the following command(s): -firewall-cmd --permanent --add-service=https -Then run the following command to load the newly created rule(s): -firewall-cmd --reload - Is it the case that it is not? + + Run the following command to determine if the tar package is installed: $ rpm -q tar + Is it the case that the package is not installed? - - To determine if requiretty has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\brequiretty\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that requiretty is not enabled in sudo? + + To determine if NOPASSWD has been configured for the vdsm user for sudo, +run the following command: +$ sudo grep -ri nopasswd /etc/sudoers.d/ +The command should return output only for the vdsm user. + Is it the case that nopasswd is set for any users beyond vdsm? 
- - To check that the snmpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled snmpd -Output should indicate the snmpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled snmpd disabled - -Run the following command to verify snmpd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active snmpd + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -If the service is not running the command will return the following output: -inactive +$ sudo auditctl -l | grep semanage -The service will also be masked, to check that the snmpd is masked, run the following command: -$ sudo systemctl show snmpd | grep "LoadState\|UnitFileState" +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + Is it the case that the command does not return a line, or the line is commented out? + + + + +Run the following command to determine if the sysadm_exec_content SELinux boolean is enabled: +$ getsebool sysadm_exec_content +If properly configured, the output should show the following: +sysadm_exec_content --> on + Is it the case that sysadm_exec_content is not enabled? + + + + Open browser window and browse to the appropriate site. Before entry to the +site, you should be presented with the server's PKI credentials. Review +these credentials for authenticity. -If the service is masked the command will return the following outputs: +For DoD, find an entry which cites: -LoadState=masked +Issuer: +CN = +DOD CLASS 3 CA-3 +OU = PKI +OU = DoD +O = U.S. Government +C = US -UnitFileState=masked - Is it the case that the "snmpd" is loaded and not masked? + Is it the case that it is not? 
- + + Run the following command to determine if the gssproxy package is installed: +$ rpm -q gssproxy + Is it the case that the package is installed? + + + + Run the following command and verify remote server is configured properly: +# grep -E "^(server|pool)" /etc/chrony.conf + Is it the case that a remote time server is not configured? + + + + To verify if SSLVerifyClient is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i sslverifyclient /etc/httpd/conf/httpd.conf +The command should return the following: +SSLVerifyClient require + Is it the case that it is not? + + + + +Run the following command to determine if the nagios_run_pnp4nagios SELinux boolean is disabled: +$ getsebool nagios_run_pnp4nagios +If properly configured, the output should show the following: +nagios_run_pnp4nagios --> off + Is it the case that nagios_run_pnp4nagios is not disabled? + + + + The ypbind package can be removed with the following command: $ sudo yum erase ypbind + Is it the case that ? + + + To determine if the system is configured to audit successful calls -to the openat system call, run the following command: -$ sudo grep "openat" /etc/audit.* +to the chown system call, run the following command: +$ sudo grep "chown" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes spectre_v2=on, -then the parameter will be configured for newly installed kernels. 
-First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spectre_v2=on.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*spectre_v2=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'spectre_v2=on' -The command should not return any output. - Is it the case that spectre_v2 mitigation is not enforced? + + To check the password warning age, run the command: +$ grep PASS_WARN_AGE /etc/login.defs +The DoD requirement is 7. + Is it the case that it is not set to the required value? - - Run the following command to determine if the libpwquality package is installed: -$ rpm -q libpwquality - Is it the case that the package is not installed? + + To check the ownership of /etc/cron.d, +run the command: +$ ls -lL /etc/cron.d +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.d does not have an owner of root? - - To verify that cryptography policy has been configured correctly, run the -following command: -$ update-crypto-policies --show -The output should return . -Run the command to check if the policy is correctly applied: -$ update-crypto-policies --is-applied -The output should be The configured policy is applied. -Moreover, check if settings for selected crypto policy are as expected. -List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends. -$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort -Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory. 
-$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort -Outputs of two previous commands should match. - Is it the case that cryptographic policy is not configured or is configured incorrectly? + + +Run the following command to determine if the xserver_object_manager SELinux boolean is disabled: +$ getsebool xserver_object_manager +If properly configured, the output should show the following: +xserver_object_manager --> off + Is it the case that xserver_object_manager is not disabled? - + -Run the following command to determine if the smbd_anon_write SELinux boolean is disabled: -$ getsebool smbd_anon_write +Run the following command to determine if the polipo_connect_all_unreserved SELinux boolean is disabled: +$ getsebool polipo_connect_all_unreserved If properly configured, the output should show the following: -smbd_anon_write --> off - Is it the case that smbd_anon_write is not disabled? +polipo_connect_all_unreserved --> off + Is it the case that polipo_connect_all_unreserved is not disabled? - - To ensure that users cannot change session idle and lock settings, run the following: -$ grep 'lock-delay' /etc/dconf/db/local.d/locks/* -If properly configured, the output should return: -/org/gnome/desktop/screensaver/lock-delay - Is it the case that GNOME3 session settings are not locked or configured properly? + + The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.accept_redirects +0. + + Is it the case that the correct value is not returned? - - Run the following command to determine if the pigz package is installed: -$ rpm -q pigz - Is it the case that the package is installed? + + The tftp package can be removed with the following command: $ sudo yum erase tftp + Is it the case that ? 
- - To determine how the SSH daemon's PermitRootLogin option is set, run the following command: + + To determine if the system is configured to audit successful calls +to the fremovexattr system call, run the following command: +$ sudo grep "fremovexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config + Is it the case that no line is returned? + + + + -If a line indicating prohibit-password is returned, then the required value is set. - Is it the case that it is commented out or not configured properly? +Run the following command to determine the current status of the +firewalld service: +$ sudo systemctl is-active firewalld +If the service is running, it should return the following: active + Is it the case that the "firewalld" service is disabled, masked, or not started.? - + -Run the following command to determine if the httpd_can_network_memcache SELinux boolean is disabled: -$ getsebool httpd_can_network_memcache +Run the following command to determine if the httpd_use_nfs SELinux boolean is disabled: +$ getsebool httpd_use_nfs If properly configured, the output should show the following: -httpd_can_network_memcache --> off - Is it the case that httpd_can_network_memcache is not disabled? +httpd_use_nfs --> off + Is it the case that httpd_use_nfs is not disabled? - - To ensure screen locking on smartcard removal is enabled, run the following command: -$ grep removal-action /etc/dconf/db/local.d/* -The output should be 'lock-screen'. -To ensure that users cannot disable screen locking on smartcard removal, run the following: -$ grep removal-action /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action - Is it the case that removal-action has not been configured? 
+ + To verify that McAfee HIPS is installed, run the following command(s): +$ rpm -q MFEhiplsm + Is it the case that the HBSS HIPS module is not installed? - + + Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command: +$ grep -w port /etc/chrony.conf +port 0 + Is it the case that the "port" option is not set to "0", is commented out, or is missing? + + + -Run the following command to determine if the zarafa_setrlimit SELinux boolean is disabled: -$ getsebool zarafa_setrlimit +Run the following command to determine if the mozilla_plugin_bind_unreserved_ports SELinux boolean is disabled: +$ getsebool mozilla_plugin_bind_unreserved_ports If properly configured, the output should show the following: -zarafa_setrlimit --> off - Is it the case that zarafa_setrlimit is not disabled? +mozilla_plugin_bind_unreserved_ports --> off + Is it the case that mozilla_plugin_bind_unreserved_ports is not disabled? - - Shared libraries are stored in the following directories: -/lib -/lib64 -/usr/lib -/usr/lib64 - -To find shared libraries that are group-writable or world-writable, -run the following command for each directory DIR which contains shared libraries: -$ sudo find -L DIR -perm /022 -type d - Is it the case that any of these files are group-writable or world-writable? + + To check the permissions of /var/log/syslog, +run the command: +$ ls -l /var/log/syslog +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /var/log/syslog does not have unix mode -rw-r-----? - - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -$ sudo grep "fchmod" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + Verify that there are no shosts.equiv files on the system, run the following command: +$ find / -name shosts.equiv + Is it the case that shosts.equiv files exist? - - To check the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: -$ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg -If properly configured, the output should indicate the following -permissions: -rwx------ - Is it the case that it does not? + + If the system is not using TLS, set the ldap_id_use_start_tls option +in /etc/sssd/sssd.conf to true. + Is it the case that the 'ldap_id_use_start_tls' option is not set to 'true'? - - To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -$ sudo grep "fremovexattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the setroubleshoot-server package is installed: +$ rpm -q setroubleshoot-server + Is it the case that the package is installed? - - To check the permissions of /var/log/messages, -run the command: -$ ls -l /var/log/messages -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /var/log/messages does not have unix mode -rw-r-----? + + To check that SELinux is not disabled at boot time; +Check that no boot entry disables selinux: +sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that disables SELinux. + Is it the case that SELinux is disabled at boot time? - - To determine if the system is configured to audit unsuccessful calls -to the fremovexattr system call, run the following command: -$ sudo grep "fremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + To verify the audispd's syslog plugin is active, run the following command: +$ sudo grep active /etc/audit/plugins.d/syslog.conf +If the plugin is active, the output will show yes. + Is it the case that it is not activated? - - Verify Red Hat Enterprise Linux 8 is configured to lock the root account after -unsuccessful logon attempts with the command: - - -$ grep even_deny_root /etc/security/faillock.conf -even_deny_root - Is it the case that the "even_deny_root" option is not set, is missing or commented out? + + Only FIPS ciphers should be used. To verify that only FIPS-approved +ciphers are in use, run the following command: +$ sudo grep Ciphers /etc/ssh/sshd_config +The output should contain only those ciphers which are FIPS-approved. + Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? - - Inspect the system to determine if intrusion detection software has been installed. -Verify this intrusion detection software is active. - Is it the case that no host-based intrusion detection tools are installed? + + To determine the status and frequency of logrotate, run the following command: +$ sudo grep logrotate /var/log/cron* +If logrotate is configured properly, output should include references to +/etc/cron.daily. + Is it the case that logrotate is not configured to run daily? - - Verify that Red Hat Enterprise Linux 8 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: - -$ sudo grep admin_space_left_action /etc/audit/auditd.conf - -admin_space_left_action = single - -If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. - Is it the case that there is no evidence that real-time alerts are configured on the system? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: - -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; - Is it the case that any system commands are found to be group-writable or world-writable? + + To determine if umask has been configured for sudo with the appropriate value, +run the following command: +$ sudo grep -ri '^Defaults.*umask=' /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that umask is not set with the appropriate value for sudo? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: - -$ sudo auditctl -l | grep postqueue - --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine if the audit package is installed: $ rpm -q audit + Is it the case that the audit package is not installed? - - Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins - Is it the case that the package is not installed? + + Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server + Is it the case that the package is installed? - - Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. + + If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. 
-Check if "SELinux" is active and in "" mode with the following command: +This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. -$ sudo getenforce +This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. - Is it the case that SELINUX is not set to enforcing? - - - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes slab_nomerge=yes, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slab_nomerge=yes.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*slab_nomerge=yes.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'slab_nomerge=yes' -The command should not return any output. - Is it the case that merging of slabs with similar size is enabled? - - - - Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: +For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. -$ sudo grep audit /etc/security/faillock.conf +For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. -audit - Is it the case that the "audit" option is not set, is missing or commented out? 
- - - - The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried -by running the following command: -$ sysctl net.core.bpf_jit_harden -2. +If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: - Is it the case that the correct value is not returned? +Verify the operating system disables the ability to load the uvcvideo kernel module. + +$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" + +install uvcvideo /bin/true + Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? - - To check the group ownership of /boot/grub2/user.cfg, -run the command: -$ ls -lL /boot/grub2/user.cfg -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /boot/grub2/user.cfg does not have a group owner of root? + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the rename system call. 
+ +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r rename /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep rename /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete + Is it the case that the command does not return a line, or the line is commented out? - + -Run the following command to determine if the puppetagent_manage_all_files SELinux boolean is disabled: -$ getsebool puppetagent_manage_all_files +Run the following command to determine if the gssd_read_tmp SELinux boolean is enabled: +$ getsebool gssd_read_tmp If properly configured, the output should show the following: -puppetagent_manage_all_files --> off - Is it the case that puppetagent_manage_all_files is not disabled? +gssd_read_tmp --> on + Is it the case that gssd_read_tmp is not enabled? - - To check the ownership of /etc/shadow-, -run the command: -$ ls -lL /etc/shadow- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/shadow- does not have an owner of root? + + To determine if !authenticate has not been configured for sudo, run the following command: +$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that !authenticate is specified in the sudo config files? 
- - -Run the following command to determine if the httpd_can_connect_mythtv SELinux boolean is disabled: -$ getsebool httpd_can_connect_mythtv -If properly configured, the output should show the following: -httpd_can_connect_mythtv --> off - Is it the case that httpd_can_connect_mythtv is not disabled? + + Run the following command to determine if the ypserv package is installed: +$ rpm -q ypserv + Is it the case that the package is installed? - - Run the following command to determine the current status of the logrotate timer: $ sudo systemctl is-active logrotate.timer If the timer is running, it should return the following: active - Is it the case that logrotate timer is not enabled? + + Verify the hidepid=value option is configured for the /proc mount point, + run the following command: + $ sudo mount | grep '\s/proc\s' + . . . /proc . . . hidepid=value . . . + + Is it the case that the "/proc" file system does not have the "hidepid=value" option set? - - Find the list of alias maps used by the Postfix mail server: -$ sudo postconf alias_maps -Query the Postfix alias maps for an alias for the postmaster user: -$ sudo postmap -q postmaster hash:/etc/aliases -The output should return root. - Is it the case that the alias is not set or is not root? + + To check the permissions of /boot/Sysem.map-*, +run the command: +$ ls -l /boot/Sysem.map-* +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that ? - + + +Run the following command to determine if the logging_syslogd_run_nagios_plugins SELinux boolean is disabled: +$ getsebool logging_syslogd_run_nagios_plugins +If properly configured, the output should show the following: +logging_syslogd_run_nagios_plugins --> off + Is it the case that logging_syslogd_run_nagios_plugins is not disabled? 
+ + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_LIST /boot/config.* + $ grep CONFIG_BUG /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - -Run the following command to determine if the tmpreaper_use_samba SELinux boolean is disabled: -$ getsebool tmpreaper_use_samba -If properly configured, the output should show the following: -tmpreaper_use_samba --> off - Is it the case that tmpreaper_use_samba is not disabled? + + Verify the nosuid option is configured for the /boot/efi mount point, + run the following command: + $ sudo mount | grep '\s/boot/efi\s' + . . . /boot/efi . . . nosuid . . . + + Is it the case that the "/boot/efi" file system does not have the "nosuid" option set? - - -Run the following command to determine if the pppd_for_user SELinux boolean is disabled: -$ getsebool pppd_for_user -If properly configured, the output should show the following: -pppd_for_user --> off - Is it the case that pppd_for_user is not disabled? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + +$ sudo auditctl -l | grep passwd + +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the gitosis_can_sendmail SELinux boolean is disabled: -$ getsebool gitosis_can_sendmail -If properly configured, the output should show the following: -gitosis_can_sendmail --> off - Is it the case that gitosis_can_sendmail is not disabled? + + To check the ownership of /etc/issue, +run the command: +$ ls -lL /etc/issue +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/issue does not have an owner of root? 
- - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_IPV6 /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To check the permissions of /etc/group-, +run the command: +$ ls -l /etc/group- +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/group- does not have unix mode -rw-r--r--? - - To determine how the SSH daemon's PermitRootLogin option is set, run the following command: - -$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config - -If a line indicating no is returned, then the required value is set. + + Verify the noexec option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . noexec . . . - Is it the case that the required value is not set? + Is it the case that the "/boot" file system does not have the "noexec" option set? - - Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification. - -Check the group-owner of each audit tool by running the following command: - -$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + + To determine if the system is configured to audit account changes, +run the following command: +auditctl -l | grep -E '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? + + + + Verify the grpquota option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . grpquota . . 
. -root /sbin/auditctl -root /sbin/aureport -root /sbin/ausearch -root /sbin/autrace -root /sbin/auditd -root /sbin/rsyslogd -root /sbin/augenrules - Is it the case that any audit tools are not group-owned by root? + Is it the case that the "/home" file system does not have the "grpquota" option set? - - To verify that the operating system protects against or limits the effects of DoS -attacks by ensuring implementation of rate-limiting measures -on impacted network interfaces, run the following command: -# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/* -The command should output the following line: -/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = -The file where the line has been found can differ, but it must be either /etc/sysctl.conf -or a file located under the /etc/sysctl.d/ directory. - Is it the case that rate limiting of duplicate TCP acknowledgments is not configured? + + To determine if the system is configured to audit changes to its SELinux +configuration files, run the following command: +$ sudo auditctl -l | grep "dir=/etc/selinux" +If the system is configured to watch for changes to its SELinux +configuration, a line should be returned (including +perm=wa indicating permissions that are watched). + Is it the case that the system is not configured to audit attempts to change the MAC policy? - - Verify it by running the following command: -$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules - -/sbin/auditctl 755 -/sbin/aureport 755 -/sbin/ausearch 755 -/sbin/autrace 755 -/sbin/auditd 755 -/sbin/audispd 755 -/sbin/augenrules 755 - - -If the command does not return all the above lines, the missing ones -need to be added. - -Run the following command to correct the permissions of the missing -entries: -$ sudo chmod 0755 [audit_tool] - -Replace "[audit_tool]" with the audit tool that does not have the -correct permissions. - Is it the case that ? 
+ + Verify that DNS servers have been configured properly, perform the following: +$ sudo grep nameserver /etc/resolv.conf + Is it the case that less than two lines are returned that are not commented out? - + + +Run the following command to determine if the httpd_run_preupgrade SELinux boolean is disabled: +$ getsebool httpd_run_preupgrade +If properly configured, the output should show the following: +httpd_run_preupgrade --> off + Is it the case that httpd_run_preupgrade is not disabled? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config.* + $ grep CONFIG_DEBUG_LIST /boot/config.* - For each kernel installed, a line with value "65536" should be returned. + For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Inspect all instances of DocumentRoot and Alias. No -robots.txt file should exist. - Is it the case that it is not? - - - - To check the permissions of /etc/cron.hourly, -run the command: -$ ls -l /etc/cron.hourly -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.hourly does not have unix mode -rwx------? + + +Run the following command to determine if the mcelog_exec_scripts SELinux boolean is enabled: +$ getsebool mcelog_exec_scripts +If properly configured, the output should show the following: +mcelog_exec_scripts --> on + Is it the case that mcelog_exec_scripts is not enabled? - - To determine if the system is configured to audit successful calls -to the fchmod system call, run the following command: -$ sudo grep "fchmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + To verify if the mod_perl is installed, run the following command: +$ rpm -qa | grep mod_perl +If the mod_perl module is installed, verify that PerlSwitches -T +is enabled in /etc/httpd/conf.d/perl.conf by running the following +command: +$ grep -i "PerlSwitches -T" /etc/httpd/conf.d/perl.conf +The output should return uncommented: +PerlSwitches -T + Is it the case that it is not? - - To determine how the SSH daemon's LogLevel option is set, run the following command: - -$ sudo grep -i LogLevel /etc/ssh/sshd_config - -If a line indicating INFO is returned, then the required value is set. - - Is it the case that the required value is not set? + + To verify that SSSD's in-memory cache expires after a day, run the following command: +$ sudo grep memcache_timeout /etc/sssd/sssd.conf +If configured properly, output should be memcache_timeout = . + Is it the case that it does not exist or is not configured properly? - - Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services - Is it the case that the iptables-services package is not installed? + + Run the following command to check if the line is present: +grep pam_wheel /etc/pam.d/su +The output should contain the following line: +auth required pam_wheel.so use_uid group= + Is it the case that the line is not in the file or it is commented? - - Run the following command to determine if the rsyslog-gnutls package is installed: -$ rpm -q rsyslog-gnutls + + Run the following command to determine if the abrt-plugin-logger package is installed: +$ rpm -q abrt-plugin-logger Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 for PKI-based authentication has valid certificates by constructing a -certification path (which includes status information) to an accepted trust anchor. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the openat system call with O_TRUNC_WRITE flag. 
-Check that the system has a valid DoD root CA installed with the following command: - -$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem - -Certificate: -Data: -Version: 3 (0x2) -Serial Number: 1 (0x1) -Signature Algorithm: sha256WithRSAEncryption -Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 -Validity -Not Before: Mar 20 18:46:41 2012 GMT -Not After : Dec 30 18:46:41 2029 GMT -Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 -Subject Public Key Info: -Public Key Algorithm: rsaEncryption - Is it the case that root CA file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location? - - - - To check that the vsftpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled vsftpd -Output should indicate the vsftpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled vsftpd disabled - -Run the following command to verify vsftpd is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active vsftpd +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -If the service is not running the command will return the following output: -inactive +$ sudo grep -r openat /etc/audit/rules.d -The service will also be masked, to check that the vsftpd is masked, run the following command: -$ sudo systemctl show vsftpd | grep "LoadState\|UnitFileState" +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -If the service is masked the command will return the following outputs: +$ sudo grep openat /etc/audit/audit.rules -LoadState=masked +The output should be the following: -UnitFileState=masked - Is it the case that the "vsftpd" is loaded and not masked? - - - - To check that virtual syscalls are disabled at boot time, check all boot entries with following command: -sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. - Is it the case that vsyscalls are enabled? +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + Is it the case that the command does not return a line, or the line is commented out? - - Ensure that CGI backup scripts are not left on the production web server. -This check is limited to CGI/interactive content and not static HTML. 
- -Search for backup copies of CGI scripts on the web server or ask the Web -Administrator if they keep backup copies of CGI scripts on the web server. - -Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, -*.??0. This would also apply to .jsp files. - -On Red Hat Enterprise Linux, run the following commands to find backup -scripts: -find / name "*.bak" -print -find / name "*.*" -print -find / name "*.old" -print - Is it the case that If fileos with these extensions have no relationship with web activity, -such as backup batch file for operating system utility, and they are -not accessible by the web application, this is not a finding. - -If files with these extensions are found in either the document -directory or the home directory of the web server, this is -a finding. + + The following command will discover and print any +files on local partitions which do not belong to a valid group. +$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup -If files with these extensions are stored in a repository (not in the -document root) as backups for the web server? - - - - Make sure that the kernel is configured to trust the CPU RNG by following -commands. To check if the option was correctly configured at kernel compile -time, run the following command: -grep -q CONFIG_RANDOM_TRUST_CPU=y /boot/config-`uname -r` -If the command outputs: -CONFIG_RANDOM_TRUST_CPU=y, -it means that the option is compiled into the kernel. Make sure that the -option is not overridden through a boot parameter: -sudo grep 'kernelopts.*random\.trust_cpu=off.*' /boot/grub2/grubenv -The command should not return any output. If the option is not compiled into -the kernel, check that the option is configured through boot parameter. -Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes random.trust_cpu=on, -then the parameter will be configured for newly installed kernels. 
-First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*random.trust_cpu=on.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*random.trust_cpu=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'random.trust_cpu=on' -The command should not return any output. - Is it the case that the kernel is not configured to trust the CPU RNG? - - - - To verify that HBSS ACCM is installed, run the following command(s): -$ sudo ls /opt/McAfee/accm/bin/accm - Is it the case that the HBSS ACCM module is not installed? +Either remove all files and directories from the system that do not have a valid group, +or assign a valid group with the chgrp command: +$ sudo chgrp group file + Is it the case that there is output? - - -Run the following command to determine if the tftp_home_dir SELinux boolean is disabled: -$ getsebool tftp_home_dir -If properly configured, the output should show the following: -tftp_home_dir --> off - Is it the case that tftp_home_dir is not disabled? + + Run the following command to see what the timeout interval is: +$ sudo grep ClientAliveInterval /etc/ssh/sshd_config +If properly configured, the output should be: +ClientAliveInterval + Is it the case that it is commented out or not configured properly? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the openat system call with O_CREAT flag. 
- -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r openat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + + Verify emergency accounts have been provisioned with an expiration date of 72 hours. -$ sudo grep openat /etc/audit/audit.rules +For every emergency account, run the following command to obtain its account aging and expiration information: -The output should be the following: +$ sudo chage -l emergency_account_name --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? +Verify each of these accounts has an expiration date set within 72 hours or as documented. + Is it the case that any emergency accounts have no expiration date set or do not expire within 72 hours? 
- - To check that the named service is disabled in system boot configuration, + + To check that the nfs-server service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled named -Output should indicate the named service has either not been installed, +$ sudo systemctl is-enabled nfs-server +Output should indicate the nfs-server service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled named disabled +$ sudo systemctl is-enabled nfs-server disabled -Run the following command to verify named is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active named +Run the following command to verify nfs-server is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active nfs-server If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the named is masked, run the following command: -$ sudo systemctl show named | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the nfs-server is masked, run the following command: +$ sudo systemctl show nfs-server | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "named" is loaded and not masked? + Is it the case that the "nfs-server" is loaded and not masked? - - To determine if the system is configured to audit successful calls -to the open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit.* + + Run the following command to determine if the avahi-autoipd package is installed: +$ rpm -q avahi-autoipd + Is it the case that the package is installed? 
+ + + + Run the following command to determine if the krb5-server package is installed: $ rpm -q krb5-server + Is it the case that the package is installed? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To verify that each web content directory exists on separate partitions, -run the following command: -$ grep `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` /etc/fstab -Each of the corresponding DocumentRoot entries should have a -corresponding entry in /etc/fstab. - Is it the case that it is not? + + To ensure the tally directory is configured correctly, run the following command: +$ sudo grep 'dir =' /etc/security/faillock.conf +The output should show that dir is set to something other than "/var/run/faillock" + Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh + + To verify the audispd plugin off-loads audit records onto a different system or +media from the system being audited, run the following command: +$ sudo grep -i remote_server /etc/audit/audisp-remote.conf +The output should return something similar to +remote_server = + Is it the case that audispd is not sending logs to a remote system? 
+ + + + To verify that rsyslog's Forwarding Output Module is configured +to use TLS for logging to remote server, run the following command: +$ grep omfwd /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should include record similar to +action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" + StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on") --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh - Is it the case that the command does not return a line, or the line is commented out? +where the <remote system> present in the configuration line above must be a valid IP address or a host name of the remote logging server. + Is it the case that omfwd is not configured with gtls and AuthMode? - - To check the permissions of /etc/crontab, -run the command: -$ ls -l /etc/crontab -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/crontab does not have unix mode -rw-------? + + +Run the following command to determine if the httpd_mod_auth_ntlm_winbind SELinux boolean is disabled: +$ getsebool httpd_mod_auth_ntlm_winbind +If properly configured, the output should show the following: +httpd_mod_auth_ntlm_winbind --> off + Is it the case that httpd_mod_auth_ntlm_winbind is not disabled? - - To check the permissions of /var/log/syslog, + + To check the permissions of /var/log/messages, run the command: -$ ls -l /var/log/syslog +$ ls -l /var/log/messages If properly configured, the output should indicate the following permissions: -rw-r----- - Is it the case that /var/log/syslog does not have unix mode -rw-r-----? 
- - - - Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: - -$ sudo grep pam_faillock.so /etc/pam.d/system-auth - -auth required pam_faillock.so preauth -auth required pam_faillock.so authfail -account required pam_faillock.so - Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so? + Is it the case that /var/log/messages does not have unix mode -rw-r-----? - - - -Run the following command to determine the current status of the -chronyd service: -$ sudo systemctl is-active chronyd -If the service is running, it should return the following: active - Is it the case that the chronyd process is not running? + + To determine if the system is configured to audit calls to the +rmdir system call, run the following command: +$ sudo grep "rmdir" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +unlink system call, run the following command: +$ sudo grep "unlink" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +$ sudo grep "unlinkat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +rename system call, run the following command: +$ sudo grep "rename" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +renameat system call, run the following command: +$ sudo grep "renameat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? 
- - -To properly set the owner of /var/log/audit, run the command: -$ sudo chown root /var/log/audit - -To properly set the owner of /var/log/audit/*, run the command: -$ sudo chown root /var/log/audit/* - Is it the case that ? + + Run the following command to determine if the fapolicyd package is installed: $ rpm -q fapolicyd + Is it the case that the fapolicyd package is not installed? - - Check that AIDE is properly configured to protect the integrity of the -audit tools by running the following command: - -# sudo cat /etc/aide.conf | grep /usr/sbin/au - -/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - - -/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + + To determine how the SSH daemon's PermitRootLogin option is set, run the following command: +$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config -If AIDE is configured properly to protect the integrity of the audit tools, -all lines listed above will be returned from the command. +If a line indicating no is returned, then the required value is set. -If one or more lines are missing, this is a finding. - Is it the case that integrity checks of the audit tools are missing or incomplete? + Is it the case that the required value is not set? - - Verify that a separate file system/partition has been created for /var/tmp with the following command: + + Review the web site to determine if HTTP and HTTPs are used in accordance with +well known ports (e.g., 80 and 443) or those ports and services as registered +and approved for use by the DoD PPSM. 
-$ mountpoint /var/tmp +To configure firewalld to allow http access, run the following command(s): +firewall-cmd --permanent --add-service=http +Then run the following command to load the newly created rule(s): +firewall-cmd --reload - Is it the case that "/var/tmp is not a mountpoint" is returned? +To configure firewalld to allow https access, run the following command(s): +firewall-cmd --permanent --add-service=https +Then run the following command to load the newly created rule(s): +firewall-cmd --reload + Is it the case that it is not? - - Verify that Red Hat Enterprise Linux 8 does not have unauthorized IP tunnels configured. - - -# yum list installed libreswan -libreswan.x86-64 3.20-5.el7_4 - - -If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: - -# systemctl status ipsec -ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec -Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) -Active: inactive (dead) - - -If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following: -grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ -Verify any returned results for organizational approval. - Is it the case that the IPSec tunnels are not approved? + + Run the following command to determine if the iprutils package is installed: +$ rpm -q iprutils + Is it the case that the package is installed? - - To determine if the system is configured to audit successful calls -to the lremovexattr system call, run the following command: -$ sudo grep "lremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: - Is it the case that no line is returned? 
+$ sudo auditctl -l | grep postqueue + +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue + Is it the case that the command does not return a line, or the line is commented out? - - To check that the ypserv service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled ypserv -Output should indicate the ypserv service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled ypserv disabled - -Run the following command to verify ypserv is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active ypserv - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the ypserv is masked, run the following command: -$ sudo systemctl show ypserv | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "ypserv" is loaded and not masked? + + The following command will list which files on the system +have file hashes different from what is expected by the RPM database. +$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' + Is it the case that there is output? 
- - Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: + + Run the following command to ensure the TMOUT value is configured for all users +on the system: -$ sudo grep -i path= /home/*/.* +$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh -/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin - Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement? +The output should return the following: +TMOUT= + Is it the case that value of TMOUT is not less than or equal to expected setting? - - Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/system-auth file -and is configured to prohibit password reuse for a minimum of -generations. - -Verify the "/etc/pam.d/system-auth" file with the following command: - -$ grep pam_pwhistory.so /etc/pam.d/system-auth -password pam_pwhistory.so use_authtok remember= - + + To verify whether audispd plugin off-loads audit records onto a different +system or media from the system being audited, run the following command: -Verify the "/etc/security/pwhistory.conf" file using the following command: +$ sudo grep -i remote_server /etc/audit/audisp-remote.conf -$ grep remember /etc/security/pwhistory.conf -remember = +The output should return something similar to where REMOTE_SYSTEM +is an IP address or hostname: +remote_server = REMOTE_SYSTEM -The pam_pwhistory.so "remember" option must be configured only in one file. 
- Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in -/etc/pam.d/system-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set -with a value less than "<sub idref="var_password_pam_remember" />"? - - - - Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command: -$ grep -w port /etc/chrony.conf -port 0 - Is it the case that the "port" option is not set to "0", is commented out, or is missing? - - - - To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: +Determine which partition the audit records are being written to with the +following command: -$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config +$ sudo grep log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log -If a line indicating no is returned, then the required value is set. +Check the size of the partition that audit records are written to with the +following command and verify whether it is sufficiently large: - Is it the case that the required value is not set? +$ sudo df -h /var/log/audit/ +/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit + Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STACKPROTECTOR /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +$ sudo grep "init_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. 
+To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +$ sudo grep "delete_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? - + -Run the following command to determine if the httpd_can_sendmail SELinux boolean is disabled: -$ getsebool httpd_can_sendmail +Run the following command to determine if the selinuxuser_share_music SELinux boolean is disabled: +$ getsebool selinuxuser_share_music If properly configured, the output should show the following: -httpd_can_sendmail --> off - Is it the case that httpd_can_sendmail is not disabled? - - - - The runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra_pinfo -0. - - Is it the case that the correct value is not returned? +selinuxuser_share_music --> off + Is it the case that selinuxuser_share_music is not disabled? - - The runtime status of the kernel.perf_cpu_time_max_percent kernel parameter can be queried -by running the following command: -$ sysctl kernel.perf_cpu_time_max_percent -1. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the dhcpd_use_ldap SELinux boolean is disabled: +$ getsebool dhcpd_use_ldap +If properly configured, the output should show the following: +dhcpd_use_ldap --> off + Is it the case that dhcpd_use_ldap is not disabled? - - Inspect the file /etc/firewalld/firewalld.conf to determine -the default zone for the firewalld. It should be set to DefaultZone=drop: -$ sudo grep DefaultZone /etc/firewalld/firewalld.conf - Is it the case that the default zone is not set to DROP? + + Run the following command to determine if the abrt-addon-ccpp package is installed: +$ rpm -q abrt-addon-ccpp + Is it the case that the package is installed? 
- + -Run the following command to determine if the mount_anyfile SELinux boolean is enabled: -$ getsebool mount_anyfile +Run the following command to determine if the rsync_anon_write SELinux boolean is disabled: +$ getsebool rsync_anon_write If properly configured, the output should show the following: -mount_anyfile --> on - Is it the case that mount_anyfile is not enabled? +rsync_anon_write --> off + Is it the case that rsync_anon_write is not disabled? - - To determine if the system is configured to audit attempts to -alter time via the /etc/localtime file, run the following -command: -$ sudo auditctl -l | grep "watch=/etc/localtime" -If the system is configured to audit this activity, it will return a line. - Is it the case that the system is not configured to audit time changes? + + Run the following command to determine if the squid package is installed: +$ rpm -q squid + Is it the case that the package is installed? - + -Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled: -$ getsebool ssh_sysadm_login +Run the following command to determine if the logwatch_can_network_connect_mail SELinux boolean is disabled: +$ getsebool logwatch_can_network_connect_mail If properly configured, the output should show the following: -ssh_sysadm_login --> off - Is it the case that ssh_sysadm_login is not disabled? +logwatch_can_network_connect_mail --> off + Is it the case that logwatch_can_network_connect_mail is not disabled? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the rename system call. 
- -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r rename /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep rename /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine the current status of the dnf-automatic timer: $ sudo systemctl is-active dnf-automatic.timer If the timer is running, it should return the following: active + Is it the case that the dnf-automatic.timer is not enabled? - - Verify Red Hat Enterprise Linux 8 audits execution as another user. - -Check if Red Hat Enterprise Linux 8 is configured to audit the execution of the "execve" system call using the following command: - -$ sudo grep execve /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation --a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset-k user_emulation - Is it the case that the command does not return all lines, or the lines are commented out? + + To check if the system login banner is compliant, +run the following command: +$ cat /etc/issue + Is it the case that it does not display the required banner? 
- - To check that the rhnsd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rhnsd -Output should indicate the rhnsd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rhnsd disabled - -Run the following command to verify rhnsd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rhnsd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the rhnsd is masked, run the following command: -$ sudo systemctl show rhnsd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "rhnsd" is loaded and not masked? + + Run the following command to determine if the dnf-automatic package is installed: $ rpm -q dnf-automatic + Is it the case that the package is not installed? - - -Run the following command to determine if the samba_export_all_ro SELinux boolean is disabled: -$ getsebool samba_export_all_ro -If properly configured, the output should show the following: -samba_export_all_ro --> off - Is it the case that samba_export_all_ro is not disabled? + + Ensure there are no unconfined daemons running on the system, +the following command should produce no output: +$ sudo ps -eZ | grep "unconfined_service_t" + Is it the case that There are unconfined daemons running on the system? - - To determine if the system is configured to audit unsuccessful calls -to the setxattr system call, run the following command: -$ sudo grep "setxattr" /etc/audit.* + + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +$ sudo grep "fsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. 
Is it the case that no line is returned? - - -Run the following command to determine if the httpd_enable_ftp_server SELinux boolean is disabled: -$ getsebool httpd_enable_ftp_server -If properly configured, the output should show the following: -httpd_enable_ftp_server --> off - Is it the case that httpd_enable_ftp_server is not disabled? - - - - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one special character with the following command: - -$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + + To determine if the system is configured to audit unsuccessful calls +to the fchownat system call, run the following command: +$ sudo grep "fchownat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -ocredit = - Is it the case that value of "ocredit" is a positive number or is commented out? + Is it the case that no line is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check for virtual console entries which permit root login, run the +following command: +$ sudo grep ^vc/[0-9] /etc/securetty +If any output is returned, then root logins over virtual console devices is permitted. + Is it the case that root login over virtual console devices is permitted? 
- - Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: + + Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: -$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf -The output should be -$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name - Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? +$ sudo grep -w space_left /etc/audit/auditd.conf + +space_left = % + Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value? 
@@ -374540,148 +375011,147 @@ If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HAL Is it the case that there is no evidence of appropriate action? - - The runtime status of the net.ipv6.conf.all.autoconf kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.autoconf -0. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the nscd_use_shm SELinux boolean is enabled: +$ getsebool nscd_use_shm +If properly configured, the output should show the following: +nscd_use_shm --> on + Is it the case that nscd_use_shm is not enabled? - - To check that the qpidd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled qpidd -Output should indicate the qpidd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled qpidd disabled - -Run the following command to verify qpidd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active qpidd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the qpidd is masked, run the following command: -$ sudo systemctl show qpidd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "qpidd" is loaded and not masked? + + To check the permissions of /etc/http/conf, +run the command: +$ ls -l /etc/http/conf +If properly configured, the output should indicate the following permissions: +-rwxr-x--- + Is it the case that ? 
- - To check that the cockpit service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled cockpit -Output should indicate the cockpit service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled cockpit disabled - -Run the following command to verify cockpit is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active cockpit - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the cockpit is masked, run the following command: -$ sudo systemctl show cockpit | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "cockpit" is loaded and not masked? + + +Run the following command to determine if the virt_use_rawip SELinux boolean is disabled: +$ getsebool virt_use_rawip +If properly configured, the output should show the following: +virt_use_rawip --> off + Is it the case that virt_use_rawip is not disabled? - - Run the following command to determine if the telnet-server package is installed: -$ rpm -q telnet-server - Is it the case that the package is installed? + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
- - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pt_chown" command with the following command: -$ grep "lock-session" /etc/tmux.conf +$ sudo auditctl -l | grep pt_chown -bind X lock-session +-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pt_chown + Is it the case that the command does not return a line, or the line is commented out? + + + + To verify that audit is configured for OSPP v4.2.1, run the following commands: +for file in "10-base-config" "11-loginuid" "30-ospp-v42" "43-module-load";do diff /etc/audit/rules.d/$file.rules /usr/share/doc/audit*/rules/$file.rules; done -Then, verify that the /etc/tmux.conf file can be read by other users than root: +If the system is configured properly, no lines should be returned. + Is it the case that the files are not there or differ? + + + + To determine if the system is configured to audit calls to the +umount2 system call, run the following command: +$ sudo grep "umount2" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo ls -al /etc/tmux.conf - Is it the case that the "lock-session" is not bound to a specific key? + Is it the case that no line is returned? - - To ensure the user home directory is not group-writable or world-readable, run the following: -# ls -ld /home/USER - Is it the case that the user home directory is group-writable or world-readable? + + To determine if NOPASSWD has been configured for sudo, run the following command: +$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that nopasswd is specified in the sudo config files? 
- + + To verify that repo_gpgcheck is configured properly, run the following +command: +$ grep repo_gpgcheck /etc/yum.conf +The output should return something similar to: +repo_gpgcheck=1 + Is it the case that gpgcheck is not enabled or configured correctly to verify repository metadata? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_VMAP_STACK /boot/config.* + $ grep CONFIG_MODULE_SIG_FORCE /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To check that the cpupower service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled cpupower -Output should indicate the cpupower service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled cpupower disabled - -Run the following command to verify cpupower is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active cpupower - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the cpupower is masked, run the following command: -$ sudo systemctl show cpupower | grep "LoadState\|UnitFileState" + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that the command does not return a line, or the line is commented out? + + + + Verify Red Hat Enterprise Linux 8 for PKI-based authentication has valid certificates by constructing a +certification path (which includes status information) to an accepted trust anchor. 
-If the service is masked the command will return the following outputs: +Check that the system has a valid DoD root CA installed with the following command: -LoadState=masked +$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem -UnitFileState=masked - Is it the case that the "cpupower" is loaded and not masked? - - - - To check for incorrectly labeled device files, run following commands: -$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" -$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" -It should produce no output in a well-configured system. - Is it the case that there is output? +Certificate: +Data: +Version: 3 (0x2) +Serial Number: 1 (0x1) +Signature Algorithm: sha256WithRSAEncryption +Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 +Validity +Not Before: Mar 20 18:46:41 2012 GMT +Not After : Dec 30 18:46:41 2029 GMT +Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 +Subject Public Key Info: +Public Key Algorithm: rsaEncryption + Is it the case that root CA file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location? - - To check the ownership of /etc/group, -run the command: -$ ls -lL /etc/group -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/group does not have an owner of root? + + +Run the following command to determine if the virt_use_usb SELinux boolean is disabled: +$ getsebool virt_use_usb +If properly configured, the output should show the following: +virt_use_usb --> off + Is it the case that virt_use_usb is not disabled? - - Run the following command to ensure that /tmp is configured as a -polyinstantiated directory: -$ sudo grep /tmp /etc/security/namespace.conf -The output should return the following: -/tmp /tmp/tmp-inst/ level root,adm - Is it the case that is not configured? 
+ + To verify the password reuse setting is compliant, run the following command: +$ grep remember /etc/pam.d/system-auth +The output should show the following at the end of the line: +remember= + + +In newer systems, the pam_pwhistory PAM module options can also be set in +"/etc/security/pwhistory.conf" file. Use the following command to verify: +$ grep remember /etc/security/pwhistory.conf +remember = + +The pam_pwhistory remember option must be configured only in one file. + Is it the case that the value of remember is not equal to or greater than the expected value? 
@@ -374690,136 +375160,249 @@ $ rpm -q dhcp-server Is it the case that the package is installed? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes pti=on, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'pti=on' -The command should not return any output. - Is it the case that Kernel page-table isolation is not enabled? + + +Run the following command to determine if the httpd_dbus_avahi SELinux boolean is disabled: +$ getsebool httpd_dbus_avahi +If properly configured, the output should show the following: +httpd_dbus_avahi --> off + Is it the case that httpd_dbus_avahi is not disabled? - - Run the following command to determine if the libcap-ng-utils package is installed: $ rpm -q libcap-ng-utils - Is it the case that the package is not installed? + + +Run the following command to determine if the selinuxuser_execheap SELinux boolean is disabled: +$ getsebool selinuxuser_execheap +If properly configured, the output should show the following: +selinuxuser_execheap --> off + Is it the case that selinuxuser_execheap is not disabled? - - Run the following command to ensure the default FORWARD policy is DROP: -grep ":FORWARD" /etc/sysconfig/iptables -The output should be similar to the following: -$ sudo grep ":FORWARD" /etc/sysconfig/iptables -:FORWARD DROP [0:0 - Is it the case that the default policy for the FORWARD chain is not set to DROP? 
+ + To check the ownership of /etc/shadow-, +run the command: +$ ls -lL /etc/shadow- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/shadow- does not have an owner of root? - - To check that the rhsmcertd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rhsmcertd -Output should indicate the rhsmcertd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rhsmcertd disabled - -Run the following command to verify rhsmcertd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rhsmcertd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the rhsmcertd is masked, run the following command: -$ sudo systemctl show rhsmcertd | grep "LoadState\|UnitFileState" + + Verify that Red Hat Enterprise Linux 8 disables the use of user namespaces with the following commands: -If the service is masked the command will return the following outputs: +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. -LoadState=masked +The runtime status of the user.max_user_namespaces kernel parameter can be queried +by running the following command: +$ sysctl user.max_user_namespaces +0. -UnitFileState=masked - Is it the case that the "rhsmcertd" is loaded and not masked? - - - - To check the permissions of /etc/gshadow, -run the command: -$ ls -l /etc/gshadow -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/gshadow does not have unix mode ----------? + Is it the case that the correct value is not returned? 
- - To check that the squid service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled squid -Output should indicate the squid service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled squid disabled - -Run the following command to verify squid is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active squid - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the squid is masked, run the following command: -$ sudo systemctl show squid | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "squid" is loaded and not masked? + + To verify that Audit Daemon is configured to write logs to the disk, run the +following command: +$ sudo grep write_logs /etc/audit/auditd.conf +The output should return the following: +write_logs = yes + Is it the case that write_logs isn't set to yes? - - Inspect /etc/default/grub for any instances of selinux=0 -in the kernel boot arguments. Presence of selinux=0 indicates -that SELinux is disabled at boot time. - Is it the case that SELinux is disabled at boot time? + + +Run the following command to determine if the spamd_enable_home_dirs SELinux boolean is enabled: +$ getsebool spamd_enable_home_dirs +If properly configured, the output should show the following: +spamd_enable_home_dirs --> on + Is it the case that spamd_enable_home_dirs is not enabled? 
- + -Run the following command to determine if the httpd_execmem SELinux boolean is disabled: -$ getsebool httpd_execmem +Run the following command to determine if the authlogin_nsswitch_use_ldap SELinux boolean is disabled: +$ getsebool authlogin_nsswitch_use_ldap If properly configured, the output should show the following: -httpd_execmem --> off - Is it the case that httpd_execmem is not disabled? +authlogin_nsswitch_use_ldap --> off + Is it the case that authlogin_nsswitch_use_ldap is not disabled? - - To determine if the system is configured to audit successful calls -to the fchown system call, run the following command: -$ sudo grep "fchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + +Run the following command to determine if the use_samba_home_dirs SELinux boolean is disabled: +$ getsebool use_samba_home_dirs +If properly configured, the output should show the following: +use_samba_home_dirs --> off + Is it the case that use_samba_home_dirs is not disabled? + + + + To determine if negation is used to define commands users are allowed to execute using sudo, run the following command: +$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*' /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that /etc/sudoers file contains rules that define the set of allowed commands using negation? + + + + The runtime status of the net.ipv4.conf.all.shared_media kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.shared_media +0. - Is it the case that no line is returned? + Is it the case that the correct value is not returned? - - To check the ownership of /etc/gshadow-, -run the command: -$ ls -lL /etc/gshadow- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/gshadow- does not have an owner of root? 
+ + To ensure there are no read-write users, run the following command: +$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep 'rwuser' +There should be no output. + Is it the case that there are users who can write to SNMP values? - - To check the group ownership of /etc/cron.monthly, + + The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.secure_redirects +0. + + Is it the case that the correct value is not returned? + + + + To verify the boot loader superuser account has been set, run the following +command: +sudo grep -A1 "superusers" /boot/grub2/grub.cfg +The output should show the following: +set superusers="superusers-account" +export superusers +where superusers-account is the actual account name different from common names like root, +admin, or administrator and different from any other existing user name. + Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name? + + + + Run the following command to check if the group exists: +grep /etc/group +The output should contain the following line: +:x: + Is it the case that group exists and has no user members? + + + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep + +-w -p wa -k logins + Is it the case that the command does not return a line, or the line is commented out? + + + + To ensure that users cannot change how long until the screensaver locks, run the following: +$ grep lock-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled + Is it the case that screensaver locking is not locked? 
+ + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + +$ sudo auditctl -l | grep umount + +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount + Is it the case that the command does not return a line, or the line is commented out? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: + +$ sudo auditctl -l | grep ssh-agent + +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent + Is it the case that the command does not return a line, or the line is commented out? + + + + To check for legacy lines in /etc/passwd, run the following command: + grep '^\+' /etc/passwd +The command should not return any output. + Is it the case that the file contains legacy lines? + + + + To verify that a nftables table exists, run the following command: +$ sudo nft list tables +Output should include a list of nftables similar to: + + table inet filter + + Is it the case that a nftables table does not exist? + + + + Run the following command to determine if the postfix package is installed: $ rpm -q postfix + Is it the case that the package is not installed? + + + + + +Run the following command to determine the current status of the +sshd service: +$ sudo systemctl is-active sshd +If the service is running, it should return the following: active + Is it the case that ? + + + + To check the group ownership of /etc/motd, run the command: -$ ls -lL /etc/cron.monthly +$ ls -lL /etc/motd If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/cron.monthly does not have a group owner of root? + Is it the case that /etc/motd does not have a group owner of root? 
+ + + + Run the following command to determine if the crypto-policies package is installed: $ rpm -q crypto-policies + Is it the case that the package is not installed? + + + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/gshadow)' + +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. + Is it the case that the system is not configured to audit account changes? + + + + Run the following command to determine if the dnf-plugin-subscription-manager package is installed: $ rpm -q dnf-plugin-subscription-manager + Is it the case that the package is not installed? + + + + To check which SSH protocol version is allowed, check version of openssh-server with following command: + +$ rpm -qi openssh-server | grep Version + +Versions equal to or higher than 7.4 only allow Protocol 2. +If version is lower than 7.4, run the following command to check configuration: +$ sudo grep Protocol /etc/ssh/sshd_config +If configured properly, output should be Protocol 2 + Is it the case that it is commented out or is not set correctly to Protocol 2? + + + + To check the permissions of /var/log, +run the command: +$ ls -l /var/log +If properly configured, the output should indicate the following permissions: +drwxr-xr-x + Is it the case that /var/log does not have unix mode drwxr-xr-x? 
@@ -374842,112 +375425,84 @@ The output should be the following: Is it the case that the command does not return a line, or the line is commented out? - - To check the ownership of /etc/cron.d, -run the command: -$ ls -lL /etc/cron.d -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.d does not have an owner of root? - - - - The runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra_rtr_pref -0. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlink system call. - Is it the case that the correct value is not returned? +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r unlink /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep unlink /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete + Is it the case that the command does not return a line, or the line is commented out? - - To check the permissions of /etc/cron.monthly, -run the command: -$ ls -l /etc/cron.monthly -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.monthly does not have unix mode -rwx------? + + Only FIPS-approved MACs should be used. 
To verify that only FIPS-approved +MACs are in use, run the following command: +$ sudo grep -i macs /etc/ssh/sshd_config +The output should contain only those MACs which are FIPS-approved. Any use of other +ciphers or algorithms will result in the module entering the non-FIPS mode of +operation. + Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? - - Using a non-privileged account, verify that users cannot modify or change -network settings with the nmcli command with the following command: -$ nmcli general permissions -The output should contain the following: -PERMISSION VALUE -org.freedesktop.NetworkManager.enable-disable-network auth -org.freedesktop.NetworkManager.enable-disable-wifi auth -org.freedesktop.NetworkManager.enable-disable-wwan auth -org.freedesktop.NetworkManager.enable-disable-wimax auth -org.freedesktop.NetworkManager.sleep-wake auth -org.freedesktop.NetworkManager.network-control auth -org.freedesktop.NetworkManager.wifi.share.protected auth -org.freedesktop.NetworkManager.wifi.share.open auth -org.freedesktop.NetworkManager.settings.modify.system auth -org.freedesktop.NetworkManager.settings.modify.own auth -org.freedesktop.NetworkManager.settings.modify.hostname auth -org.freedesktop.NetworkManager.settings.modify.global-dns auth -org.freedesktop.NetworkManager.reload auth -org.freedesktop.NetworkManager.checkpoint-rollback auth -org.freedesktop.NetworkManager.enable-disable-statistics auth -org.freedesktop.NetworkManager.enable-disable-connectivity-check auth -org.freedesktop.NetworkManager.wifi.scan auth + + +If the system is configured to prevent the loading of the rds kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - Is it the case that non-privileged users can modify or change network settings? 
+These lines can also instruct the module loading system to ignore the rds kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r rds /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To verify that each web content directory has an index.html file, -run the following command: -$ sudo find `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` -name index.html -The output should return an index.html file for every -DocumentRoot that is set. + + To verify that web content directories should not be shared anonymously over +remote filesystems such as nfs and smb, inspect each instance +of DocumentRoot and serverRoot and verify that no entry in +/etc/fstab exists or no remote filesystem process is running for +any instance. +$ ps -ef | grep "nfs\|smb" Is it the case that it is not? - + -Run the following command to determine if the virt_sandbox_use_mknod SELinux boolean is disabled: -$ getsebool virt_sandbox_use_mknod +Run the following command to determine if the virt_sandbox_use_sys_admin SELinux boolean is disabled: +$ getsebool virt_sandbox_use_sys_admin If properly configured, the output should show the following: -virt_sandbox_use_mknod --> off - Is it the case that virt_sandbox_use_mknod is not disabled? - - - - The runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra_defrtr -0. - - Is it the case that the correct value is not returned? +virt_sandbox_use_sys_admin --> off + Is it the case that virt_sandbox_use_sys_admin is not disabled? 
- + -Run the following command to determine if the selinuxuser_rw_noexattrfile SELinux boolean is disabled: -$ getsebool selinuxuser_rw_noexattrfile +Run the following command to determine if the spamassassin_can_network SELinux boolean is disabled: +$ getsebool spamassassin_can_network If properly configured, the output should show the following: -selinuxuser_rw_noexattrfile --> off - Is it the case that selinuxuser_rw_noexattrfile is not disabled? - - - - The runtime status of the net.ipv4.conf.all.accept_local kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.accept_local -0. - - Is it the case that the correct value is not returned? +spamassassin_can_network --> off + Is it the case that spamassassin_can_network is not disabled? - - Verify the nodev option is configured for the /var mount point, - run the following command: - $ sudo mount | grep '\s/var\s' - . . . /var . . . nodev . . . - - Is it the case that the "/var" file system does not have the "nodev" option set? + + To check the permissions of /etc/cron.hourly, +run the command: +$ ls -l /etc/cron.hourly +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.hourly does not have unix mode -rwx------? 
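Review bot: the rds module check uses `grep -r rds /etc/modprobe.conf /etc/modprobe.d`, which matches the substring "rds" anywhere in those files (a comment or an unrelated module name is enough), so a system with no `install rds /bin/true` or `blacklist rds` line can still pass; anchor the pattern to the directives the text describes, e.g. `grep -rE '^\s*(install|blacklist)\s+rds\b' /etc/modprobe.conf /etc/modprobe.d`. Two smaller points in the same hunk: the unlink audit check has a doubled word in "configured to use the "augenrules" program to to read audit rules", and the /etc/cron.hourly check pairs `ls -l /etc/cron.hourly` (which lists the directory's entries) with an expected mode of `-rwx------`, which lacks the leading `d` of a directory; `ls -ld` with `drwx------` would describe the directory itself.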
@@ -374959,280 +375514,349 @@ $ sysctl kernel.modules_disabled Is it the case that the correct value is not returned? - - To check if pam_pwquality.so is enabled in system-auth, run the following command: -$ grep pam_pwquality /etc/pam.d/system-auth -The output should be similar to the following: -password requisite pam_pwquality.so - Is it the case that pam_pwquality.so is not enabled in system-auth? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules +The output has to be exactly as follows: +## Successful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change + Is it the case that the file does not exist or the content differs? - + + To determine if LDAP is being used for authentication, use the following +command: +$ sudo grep -i useldapauth /etc/sysconfig/authconfig +The output should return: +USELDAPAUTH=yes + Is it the case that USELDAPAUTH=yes is not configured correctly in /etc/sysconfig/authconfig? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config.* + $ grep CONFIG_DEBUG_NOTIFIERS /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To check the ownership of /var/log/messages, + + To check the screensaver mandatory use status, run the following command: +$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled +If properly configured, the output should be true. 
+To ensure that users cannot disable the screensaver idle inactivity setting, run the following: +$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled + Is it the case that idle-activation-enabled is not enabled or configured? + + + + +Run the following command to determine if the httpd_verify_dns SELinux boolean is disabled: +$ getsebool httpd_verify_dns +If properly configured, the output should show the following: +httpd_verify_dns --> off + Is it the case that httpd_verify_dns is not disabled? + + + + To check the permissions of /etc/ssh/*_key, run the command: -$ ls -lL /var/log/messages -If properly configured, the output should indicate the following owner: -root - Is it the case that /var/log/messages does not have an owner of root? +$ ls -l /etc/ssh/*_key +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_CREDENTIALS /boot/config.* + $ grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config.* - For each kernel installed, a line with value "y" should be returned. + For each kernel installed, a line with value "65536" should be returned. Is it the case that the kernel was not built with the required value? - - The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.rp_filter -1. - - Is it the case that the correct value is not returned? 
- - - - To ensure the X Windows package group is removed, run the following command: - -$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland - -For each package mentioned above you should receive following line: -package <package> is not installed - Is it the case that xorg related packages are not removed and run level is not correctly configured? - - - - To check the ownership of /var/log/syslog, -run the command: -$ ls -lL /var/log/syslog -If properly configured, the output should indicate the following owner: -syslog - Is it the case that /var/log/syslog does not have an owner of syslog? + + +Run the following command to determine if the httpd_manage_ipa SELinux boolean is disabled: +$ getsebool httpd_manage_ipa +If properly configured, the output should show the following: +httpd_manage_ipa --> off + Is it the case that httpd_manage_ipa is not disabled? - + -Run the following command to determine if the httpd_tmp_exec SELinux boolean is disabled: -$ getsebool httpd_tmp_exec +Run the following command to determine if the minidlna_read_generic_user_content SELinux boolean is disabled: +$ getsebool minidlna_read_generic_user_content If properly configured, the output should show the following: -httpd_tmp_exec --> off - Is it the case that httpd_tmp_exec is not disabled? +minidlna_read_generic_user_content --> off + Is it the case that minidlna_read_generic_user_content is not disabled? - - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -$ sudo grep "setxattr" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the fchmodat system call, run the following command: +$ sudo grep "fchmodat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? 
- - -Run the following command to determine if the dbadm_exec_content SELinux boolean is enabled: -$ getsebool dbadm_exec_content -If properly configured, the output should show the following: -dbadm_exec_content --> on - Is it the case that dbadm_exec_content is not enabled? + + To check that the avahi-daemon service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled avahi-daemon +Output should indicate the avahi-daemon service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled avahi-daemon disabled + +Run the following command to verify avahi-daemon is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active avahi-daemon + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the avahi-daemon is masked, run the following command: +$ sudo systemctl show avahi-daemon | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "avahi-daemon" is loaded and not masked? - - The following command will discover and print world-writable directories that -are not group owned by a system account, given the assumption that only system -accounts have a gid lower than 1000. Run it once for each local partition PART: -$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print - Is it the case that there is output? + + Run the following command to verify that the MTA is not listening on +any non-loopback address (127.0.0.1 or ::1). +# ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' +Nothing should be returned + Is it the case that MTA is listening on any non-loopback address? 
- - -If the system is configured to prevent the loading of the cfg80211 kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: -These lines can also instruct the module loading system to ignore the cfg80211 kernel module via blacklist keyword. +$ sudo auditctl -l | grep setsebool -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r cfg80211 /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the git_cgi_use_nfs SELinux boolean is disabled: -$ getsebool git_cgi_use_nfs -If properly configured, the output should show the following: -git_cgi_use_nfs --> off - Is it the case that git_cgi_use_nfs is not disabled? + + Verify that yum verifies the signature of local packages prior to install with the following command: + +$ grep localpkg_gpgcheck /etc/yum.conf + +localpkg_gpgcheck=1 + +If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. + Is it the case that there is no process to validate certificates for local packages that is approved by the organization? - - To determine if passwd_timeout has been configured for sudo, run the following command: -$ sudo grep -ri '^Defaults.*passwd_timeout=' /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. 
- Is it the case that passwd_timeout is not set with the appropriate value for sudo? + + +Run the following command to determine if the selinuxuser_tcp_server SELinux boolean is disabled: +$ getsebool selinuxuser_tcp_server +If properly configured, the output should show the following: +selinuxuser_tcp_server --> off + Is it the case that selinuxuser_tcp_server is not disabled? - - The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried + + The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra -0. +$ sysctl net.ipv4.icmp_echo_ignore_broadcasts +1. Is it the case that the correct value is not returned? - - To determine whether yum has been configured to disable -gpgcheck for any repos, inspect all files in -/etc/yum.repos.d and ensure the following does not appear in any -sections: -gpgcheck=0 -A value of 0 indicates that gpgcheck has been disabled for that repo. - Is it the case that GPG checking is disabled? + + Verify that Red Hat Enterprise Linux 8 does not have unauthorized IP tunnels configured. + + +# yum list installed libreswan +libreswan.x86-64 3.20-5.el7_4 + + +If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: + +# systemctl status ipsec +ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec +Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) +Active: inactive (dead) + + +If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following: +grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ +Verify any returned results for organizational approval. + Is it the case that the IPSec tunnels are not approved? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + + Verify Red Hat Enterprise Linux 8 prevents the use of dictionary words for passwords with the following command: -$ sudo auditctl -l | grep chacl +$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - Is it the case that the command does not return a line, or the line is commented out? +/etc/security/pwquality.conf:dictcheck=1 + Is it the case that "dictcheck" does not have a value other than "0", or is commented out? - - Verify that the system is integrated with a centralized authentication mechanism -such as as Active Directory, Kerberos, Directory Server, etc. that has -automated account mechanisms in place. - Is it the case that the system is not using a centralized authentication mechanism, or it is not automated? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_SHA512 /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Run the following command to determine if the libreport-plugin-logger package is installed: -$ rpm -q libreport-plugin-logger - Is it the case that the package is installed? + + Verify that temporary accounts have been provisioned with an expiration date +of 72 hours. For every temporary account, run the following command to +obtain its account aging and expiration information: +$ sudo chage -l temporary_account_name +Verify each of these accounts has an expiration date set within 72 hours or +as documented. + Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours? 
- - Run the following command to determine if the ntp package is installed: $ rpm -q ntp - Is it the case that the package is not installed? + + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +$ sudo grep "unlinkat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODIFY_LDT_SYSCALL /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? + + + -Run the following command to determine if the rsync_export_all_ro SELinux boolean is disabled: -$ getsebool rsync_export_all_ro +Run the following command to determine if the cobbler_can_network_connect SELinux boolean is disabled: +$ getsebool cobbler_can_network_connect If properly configured, the output should show the following: -rsync_export_all_ro --> off - Is it the case that rsync_export_all_ro is not disabled? +cobbler_can_network_connect --> off + Is it the case that cobbler_can_network_connect is not disabled? - - The runtime status of the kernel.sysrq kernel parameter can be queried -by running the following command: -$ sysctl kernel.sysrq -0. + + Verify the nosuid option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . nosuid . . . - Is it the case that the correct value is not returned? - - - - To verify the assigned home directory of all interactive users is group- -owned by that users primary GID, run the following command: -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) - Is it the case that the group ownership is incorrect? 
- - - - Run the following command to determine if the crypto-policies package is installed: $ rpm -q crypto-policies - Is it the case that the package is not installed? + Is it the case that the "/boot" file system does not have the "nosuid" option set? - - + + Verify that rules for unsuccessful calls of the openat syscall are in the order shown below. -Run the following command to determine the current status of the -nails service: -$ sudo systemctl is-active nails -If the service is running, it should return the following: active - Is it the case that ? + If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". + If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. + + -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + If the system is 64 bit then also add the following lines: + + -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a 
always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + Is it the case that the rules are in a different order? - - -Run the following command to determine if the fenced_can_network_connect SELinux boolean is disabled: -$ getsebool fenced_can_network_connect -If properly configured, the output should show the following: -fenced_can_network_connect --> off - Is it the case that fenced_can_network_connect is not disabled? + + To check the permissions of /etc/gshadow, +run the command: +$ ls -l /etc/gshadow +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/gshadow does not have unix mode ----------? - - Verify that Red Hat Enterprise Linux 8 enforces a minimum -character password length with the following command: + + Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: -$ grep minlen /etc/security/pwquality.conf +$ grep minclass /etc/security/pwquality.conf -minlen = - Is it the case that the command does not return a "minlen" value of "<sub idref="var_password_pam_minlen" />" or greater, does not return a line, or the line is commented out? +minclass = + Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out? - - To determine if the system is configured to audit successful calls -to the removexattr system call, run the following command: -$ sudo grep "removexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. 
- - Is it the case that no line is returned? + + To check the permissions of /etc/issue.net, +run the command: +$ ls -l /etc/issue.net +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/issue.net does not have unix mode -rw-r--r--? - + -Run the following command to determine if the sanlock_use_nfs SELinux boolean is disabled: -$ getsebool sanlock_use_nfs +Run the following command to determine if the pcp_read_generic_logs SELinux boolean is disabled: +$ getsebool pcp_read_generic_logs If properly configured, the output should show the following: -sanlock_use_nfs --> off - Is it the case that sanlock_use_nfs is not disabled? +pcp_read_generic_logs --> off + Is it the case that pcp_read_generic_logs is not disabled? - - -Run the following command to determine if the zoneminder_anon_write SELinux boolean is disabled: -$ getsebool zoneminder_anon_write -If properly configured, the output should show the following: -zoneminder_anon_write --> off - Is it the case that zoneminder_anon_write is not disabled? + + The following command will discover and print world-writable directories that +are not owned by a system account, given the assumption that only system +accounts have a uid lower than 500. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print + Is it the case that there is output? - + -Run the following command to determine if the httpd_graceful_shutdown SELinux boolean is enabled: -$ getsebool httpd_graceful_shutdown +Run the following command to determine if the git_cgi_use_cifs SELinux boolean is disabled: +$ getsebool git_cgi_use_cifs If properly configured, the output should show the following: -httpd_graceful_shutdown --> on - Is it the case that httpd_graceful_shutdown is not enabled? +git_cgi_use_cifs --> off + Is it the case that git_cgi_use_cifs is not disabled? 
- - -Run the following command to determine if the httpd_enable_cgi SELinux boolean is disabled: -$ getsebool httpd_enable_cgi -If properly configured, the output should show the following: -httpd_enable_cgi --> off - Is it the case that httpd_enable_cgi is not disabled? + + To ensure the failed password attempt policy is configured correctly, run the following command: + +$ grep fail_interval /etc/security/faillock.conf +The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. + Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />" +or less (but not "0"), the line is commented out, or the line is missing? + + + + The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.send_redirects +0. + + Is it the case that the correct value is not returned? 
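Review bot: the fchmodat audit check greps `/etc/audit.*`, a glob that matches nothing under /etc (the rules live in /etc/audit/audit.rules and /etc/audit/rules.d/), so the command returns no line and the check always reports a finding; the unlinkat check in the same hunk uses `/etc/audit/audit.*`, which is the intended path. The same check also claims to verify "successful calls" but accepts any line containing "fchmodat", so it cannot distinguish a success-filtered rule from a failure-filtered one. Other problems in this hunk: the MTA check excludes loopback with `'\s(127.0.0.1|::1):25\s'`, but `ss` prints IPv6 addresses in brackets (`[::1]:25`), so a loopback-only IPv6 listener is reported as a finding; the world-writable directory check assumes system accounts have a uid below 500 (`-uid +499`) while every audit rule in this patch uses `auid>=1000` as the unprivileged boundary, so the two thresholds should agree; the libreswan example output `libreswan.x86-64 3.20-5.el7_4` is a RHEL 7 package and the architecture string should read `x86_64`; the fail_interval text says "interval-in-seconds is or greater" (missing substituted value) and then asks about the value being "or less", which contradicts it; the avahi-daemon example fuses command and output on one line (`$ sudo systemctl is-enabled avahi-daemon disabled`); and the openat rule keys are spelled `unsuccesful-create`, `unsuccesful-modification` and `unsuccesful-access`, which must match the remediation's spelling exactly for an order check to pass, so confirm it is intentional.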
@@ -375244,506 +375868,384 @@ $ sudo auditctl -l | grep -E '(/etc/shadow)' Is it the case that command does not return a line, or the line is commented out? - - To check if RekeyLimit is set correctly, run the following command: -$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf -If configured properly, output should be -/etc/ssh/ssh_config.d/02-rekey-limit.conf: -RekeyLimit -Check also the main configuration file with the following command: -$ sudo grep RekeyLimit /etc/ssh/ssh_config -The command should not return any output. - Is it the case that it is commented out or is not set? - - - - Make sure that the kernel is not disabling SMEP with the following -commands. -grep -q nosmep /boot/config-`uname -r` -If the command returns a line, it means that SMEP is being disabled. - Is it the case that the kernel is configured to disable SMEP? - - - - Verify the noexec option is configured for the /home mount point, - run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . noexec . . . - - Is it the case that the "/home" file system does not have the "noexec" option set? - - - - The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.accept_redirects -0. + + To determine if the system is configured to audit successful calls +to the truncate system call, run the following command: +$ sudo grep "truncate" /etc/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the correct value is not returned? + Is it the case that no line is returned? 
- + -Run the following command to determine if the postgresql_selinux_transmit_client_label SELinux boolean is disabled: -$ getsebool postgresql_selinux_transmit_client_label +Run the following command to determine if the global_ssp SELinux boolean is disabled: +$ getsebool global_ssp If properly configured, the output should show the following: -postgresql_selinux_transmit_client_label --> off - Is it the case that postgresql_selinux_transmit_client_label is not disabled? +global_ssp --> off + Is it the case that global_ssp is not disabled? - - Determine if "sudoers" file restricts sudo access run the following commands: -$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* -$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* - Is it the case that either of the commands returned a line? + + To determine if ignore_dot has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\bignore_dot\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that ignore_dot is not enabled in sudo? - - Verify the nosuid option is configured for the /boot/efi mount point, - run the following command: - $ sudo mount | grep '\s/boot/efi\s' - . . . /boot/efi . . . nosuid . . . + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: - Is it the case that the "/boot/efi" file system does not have the "nosuid" option set? - - - - To check if MaxStartups is configured, run the following command: -$ sudo grep MaxStartups /etc/ssh/sshd_config -If configured, this command should output the configuration. - Is it the case that maxstartups is not configured? 
- - - - To check the group ownership of /etc/crontab, -run the command: -$ ls -lL /etc/crontab -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/crontab does not have a group owner of root? +$ sudo auditctl -l | grep unix_chkpwd + +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd + Is it the case that the command does not return a line, or the line is commented out? - - Query the SA and the Web Manager to determine if a compiler is present on -the server. - Is it the case that the web server is part of an application suite and a comiler is needed -for installation, patching, and upgrading of the suite or if the compiler -is embedded and can't be removed without breaking the suite, document the -installation of the compiler with the ISSO/ISSM and verify that the compiler -is restricted to administrative users only. If documented and restricted to -administrative users, this is not a finding. - -If an undocumented compiler is present, and available to non-administrative -users? + + Run the following command to determine if the rsync-daemon package is installed: +$ rpm -q rsync-daemon + Is it the case that the package is installed? - - In order to be sure that the databases are up-to-date, run the -dconf update -command as the administrator. - Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles? + + Check that the symlink exists and target the correct Kerberos crypto policy, with the following command: +file /etc/krb5.conf.d/crypto-policies +If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. +/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config + Is it the case that the symlink does not exist or points to a different target? 
- - Verify that Red Hat Enterprise Linux 8 disables the use of user namespaces with the following commands: + + To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. +$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config -The runtime status of the user.max_user_namespaces kernel parameter can be queried -by running the following command: -$ sysctl user.max_user_namespaces -0. +If a line indicating yes is returned, then the required value is set. - Is it the case that the correct value is not returned? - - - - -Run the following command to determine if the container_connect_any SELinux boolean is disabled: -$ getsebool container_connect_any -If properly configured, the output should show the following: -container_connect_any --> off - Is it the case that container_connect_any is not disabled? - - - - Run the following command to determine if the cron package is installed: -$ rpm -q cron - Is it the case that the package is installed? - - - - -Run the following command to determine if the selinuxuser_tcp_server SELinux boolean is disabled: -$ getsebool selinuxuser_tcp_server -If properly configured, the output should show the following: -selinuxuser_tcp_server --> off - Is it the case that selinuxuser_tcp_server is not disabled? - - - - Make sure that the kernel is not disabling SMAP with the following -commands. -grep -q nosmap /boot/config-`uname -r` -If the command returns a line, it means that SMAP is being disabled. - Is it the case that the kernel is configured to disable SMAP? + Is it the case that the required value is not set? 
- - To check that the oddjobd service is disabled in system boot configuration, + + To check that the ntpdate service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled oddjobd -Output should indicate the oddjobd service has either not been installed, +$ sudo systemctl is-enabled ntpdate +Output should indicate the ntpdate service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled oddjobd disabled +$ sudo systemctl is-enabled ntpdate disabled -Run the following command to verify oddjobd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active oddjobd +Run the following command to verify ntpdate is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active ntpdate If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the oddjobd is masked, run the following command: -$ sudo systemctl show oddjobd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the ntpdate is masked, run the following command: +$ sudo systemctl show ntpdate | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "oddjobd" is loaded and not masked? + Is it the case that the "ntpdate" is loaded and not masked? - - Run the following command to determine if the bind package is installed: -$ rpm -q bind - Is it the case that the package is installed? + + +Run the following command to determine if the ftpd_anon_write SELinux boolean is disabled: +$ getsebool ftpd_anon_write +If properly configured, the output should show the following: +ftpd_anon_write --> off + Is it the case that ftpd_anon_write is not disabled? 
- - Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: - -$ grep maxclassrepeat /etc/security/pwquality.conf + + -maxclassrepeat = - Is it the case that the value of "maxclassrepeat" is set to "0", more than "<sub idref="var_password_pam_maxclassrepeat" />" or is commented out? - - - - Run the following command to determine if the tmux package is installed: $ rpm -q tmux - Is it the case that the package is not installed? +Run the following command to determine the current status of the +ufw service: +$ sudo systemctl is-active ufw +If the service is running, it should return the following: active + Is it the case that the service is not enabled? - + -Run the following command to determine if the telepathy_connect_all_ports SELinux boolean is disabled: -$ getsebool telepathy_connect_all_ports +Run the following command to determine if the rsync_client SELinux boolean is disabled: +$ getsebool rsync_client If properly configured, the output should show the following: -telepathy_connect_all_ports --> off - Is it the case that telepathy_connect_all_ports is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_RANDOMIZE_MEMORY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +rsync_client --> off + Is it the case that rsync_client is not disabled? - - Verify that DNS servers have been configured properly, perform the following: -$ sudo grep nameserver /etc/resolv.conf - Is it the case that less than two lines are returned that are not commented out? - - - - Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld - Is it the case that the package is not installed? + + The file permissions for all log files written by rsyslog should +be set to 640, or more restrictive. 
These log files are determined by the +second part of each Rule line in /etc/rsyslog.conf and typically +all appear in /var/log. To see the permissions of a given log +file, run the following command: +$ ls -l LOGFILE +The permissions should be 640, or more restrictive. + Is it the case that the permissions are not correct? - - To check that the rsyncd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rsyncd -Output should indicate the rsyncd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rsyncd disabled - -Run the following command to verify rsyncd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rsyncd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the rsyncd is masked, run the following command: -$ sudo systemctl show rsyncd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + The runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.router_solicitations +0. -UnitFileState=masked - Is it the case that the "rsyncd" is loaded and not masked? + Is it the case that the correct value is not returned? - - + + The runtime status of the fs.protected_symlinks kernel parameter can be queried +by running the following command: +$ sysctl fs.protected_symlinks +1. -Run the following command to determine the current status of the -sshd service: -$ sudo systemctl is-active sshd -If the service is running, it should return the following: active - Is it the case that sshd service is disabled? + Is it the case that the correct value is not returned? 
- + -Run the following command to determine if the selinuxuser_mysql_connect_enabled SELinux boolean is disabled: -$ getsebool selinuxuser_mysql_connect_enabled +Run the following command to determine if the xdm_sysadm_login SELinux boolean is disabled: +$ getsebool xdm_sysadm_login If properly configured, the output should show the following: -selinuxuser_mysql_connect_enabled --> off - Is it the case that selinuxuser_mysql_connect_enabled is not disabled? - - - - To ensure the screensaver is configured to be blank, run the following command: -$ gsettings get org.gnome.desktop.screensaver picture-uri -If properly configured, the output should be ''. - -To ensure that users cannot set the screensaver background, run the following: -$ grep picture-uri /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri - Is it the case that it is not set or configured properly? - - - - To determine if the system is configured to audit successful calls -to the lsetxattr system call, run the following command: -$ sudo grep "lsetxattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? +xdm_sysadm_login --> off + Is it the case that xdm_sysadm_login is not disabled? - - To determine if the system is configured to audit successful calls -to the ftruncate system call, run the following command: -$ sudo grep "ftruncate" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check that all boot entries extend the backlog limit; +Check that all boot entries extend the log events queue: +sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that does not extend the log events queue. + Is it the case that audit backlog limit is not configured? 
- - Verify that a separate file system/partition has been created for /tmp with the following command: - -$ mountpoint /tmp + + The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.secure_redirects +0. - Is it the case that "/tmp is not a mountpoint" is returned? + Is it the case that the correct value is not returned? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open_by_handle_at system call with O_CREAT flag. -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r openat /etc/audit/rules.d +$ sudo grep -r open_by_handle_at /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep openat /etc/audit/audit.rules +$ sudo grep open_by_handle_at /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a line, or the line is commented out? - - To verify that timed logins are disabled, run the following command: -$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf -The output should show the following: -[daemon] -TimedLoginEnable=false - Is it the case that GDM allows a guest to login without credentials? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules +The output has to be exactly as follows: +## Unsuccessful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change + Is it the case that the file does not exist or the content differs? 
- - To check the group ownership of /etc/group, -run the command: -$ ls -lL /etc/group -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/group does not have a group owner of root? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STRICT_MODULE_RWX /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "reboot" command with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep reboot --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod +-a always,exit -F path=/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the sanlock_use_fusefs SELinux boolean is disabled: -$ getsebool sanlock_use_fusefs -If properly configured, the output should show the following: -sanlock_use_fusefs --> off - Is it the case that sanlock_use_fusefs is not disabled? - - - - To verify that USB Human Interface Devices will be authorized by the USBGuard daemon, -run the following command: -$ sudo grep allow /etc/usbguard/rules.conf -The output lines should include -allow with-interface match-all { 03:*:* } - Is it the case that USB devices of class 3 are not authorized? + + To verify that no .java and .jpp files exist, run the +following command: +find / -name *.java -o -name *.jpp +The output should not return any .java or .jpp files + Is it the case that it is not? 
- - To check if pam_namespace.so is required for user login, run the following command: -$ grep pam_namespace.so /etc/pam.d/login -The output should return the following uncommented: -session required pam_namespace.so - Is it the case that pam_namespace.so is not required or is commented out? + + +Run the following command to determine if the prosody_bind_http_port SELinux boolean is disabled: +$ getsebool prosody_bind_http_port +If properly configured, the output should show the following: +prosody_bind_http_port --> off + Is it the case that prosody_bind_http_port is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_KEY /boot/config.* + $ grep CONFIG_PAGE_TABLE_ISOLATION /boot/config.* - For each kernel installed, a line with value "" should be returned. + For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - The runtime status of the kernel.perf_event_max_sample_rate kernel parameter can be queried -by running the following command: -$ sysctl kernel.perf_event_max_sample_rate -1. - - Is it the case that the correct value is not returned? + + Inspect the file /etc/firewalld/firewalld.conf to determine +the default zone for the firewalld. It should be set to DefaultZone=drop: +$ sudo grep DefaultZone /etc/firewalld/firewalld.conf + Is it the case that the default zone is not set to DROP? - - -Run the following command to determine if the virt_use_usb SELinux boolean is disabled: -$ getsebool virt_use_usb -If properly configured, the output should show the following: -virt_use_usb --> off - Is it the case that virt_use_usb is not disabled? 
+ + To check the permissions of /etc/audit/rules.d/*.rules, +run the command: +$ ls -l /etc/audit/rules.d/*.rules +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-r-----? - - To determine if the system is configured to audit successful calls -to the openat system call, run the following command: -$ sudo grep "openat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the mpd_use_cifs SELinux boolean is disabled: +$ getsebool mpd_use_cifs +If properly configured, the output should show the following: +mpd_use_cifs --> off + Is it the case that mpd_use_cifs is not disabled? - - Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: - -$ grep umask /etc/csh.cshrc - -umask 077 -umask 077 - Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? + + To check the permissions of /etc/ssh/sshd_config, +run the command: +$ ls -l /etc/ssh/sshd_config +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/ssh/sshd_config does not have unix mode -rw-------? - - Run the following command to verify that SSH client is configured to use 32 bytes of entropy: -grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh -It should return the following output: -setenv SSH_USE_STRONG_RNG 32. - Is it the case that SSH client is not configured to use 32 bytes of entropy or more? 
+ + +Run the following command to determine if the git_system_use_nfs SELinux boolean is disabled: +$ getsebool git_system_use_nfs +If properly configured, the output should show the following: +git_system_use_nfs --> off + Is it the case that git_system_use_nfs is not disabled? - - Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite - Is it the case that the package is not installed? + + Inspect the password section of /etc/pam.d/password-auth +and ensure that the pam_unix.so module includes the argument +sha512: +$ grep sha512 /etc/pam.d/password-auth + Is it the case that it does not? - - First, check whether the password is defined in either /boot/grub2/user.cfg or -/boot/grub2/grub.cfg. -Run the following commands: -$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg -$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg - + + The runtime status of the kernel.panic_on_oops kernel parameter can be queried +by running the following command: +$ sysctl kernel.panic_on_oops +1. -Second, check that a superuser is defined in /boot/grub2/grub.cfg. -$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' /boot/grub2/grub.cfg - Is it the case that it does not produce any output? + Is it the case that the correct value is not returned? - - -Run the following command to determine if the httpd_can_network_connect_cobbler SELinux boolean is disabled: -$ getsebool httpd_can_network_connect_cobbler -If properly configured, the output should show the following: -httpd_can_network_connect_cobbler --> off - Is it the case that httpd_can_network_connect_cobbler is not disabled? + + The runtime status of the kernel.perf_cpu_time_max_percent kernel parameter can be queried +by running the following command: +$ sysctl kernel.perf_cpu_time_max_percent +1. + + Is it the case that the correct value is not returned? 
- - -Run the following command to determine if the deny_ptrace SELinux boolean is disabled: -$ getsebool deny_ptrace -If properly configured, the output should show the following: -deny_ptrace --> off - Is it the case that deny_ptrace is not disabled? + + To determine if the system is configured to audit unsuccessful calls +to the lchown system call, run the following command: +$ sudo grep "lchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify that Red Hat Enterprise Linux 8 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: -$ sudo grep action_mail_acct /etc/audit/auditd.conf +$ sudo auditctl -l | grep chacl -action_mail_acct = - Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure? +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + Is it the case that the command does not return a line, or the line is commented out? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_SHA512 /boot/config.* + $ grep CONFIG_BUG_ON_DATA_CORRUPTION /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? 
- - Run the following command to check the mode of the httpd log -directory: -$ ls -l /var/log/ | grep httpd -Log directory must be mode 0700 or less permissive. - Is it the case that it is more permissive? + + Run the following command to determine if the python3-abrt-addon package is installed: +$ rpm -q python3-abrt-addon + Is it the case that the package is installed? - - Run the following command to determine if the tftp-server package is installed: -$ rpm -q tftp-server - Is it the case that the package is installed? + + Using a non-privileged account, verify that users cannot modify or change +network settings with the nmcli command with the following command: +$ nmcli general permissions +The output should contain the following: +PERMISSION VALUE +org.freedesktop.NetworkManager.enable-disable-network auth +org.freedesktop.NetworkManager.enable-disable-wifi auth +org.freedesktop.NetworkManager.enable-disable-wwan auth +org.freedesktop.NetworkManager.enable-disable-wimax auth +org.freedesktop.NetworkManager.sleep-wake auth +org.freedesktop.NetworkManager.network-control auth +org.freedesktop.NetworkManager.wifi.share.protected auth +org.freedesktop.NetworkManager.wifi.share.open auth +org.freedesktop.NetworkManager.settings.modify.system auth +org.freedesktop.NetworkManager.settings.modify.own auth +org.freedesktop.NetworkManager.settings.modify.hostname auth +org.freedesktop.NetworkManager.settings.modify.global-dns auth +org.freedesktop.NetworkManager.reload auth +org.freedesktop.NetworkManager.checkpoint-rollback auth +org.freedesktop.NetworkManager.enable-disable-statistics auth +org.freedesktop.NetworkManager.enable-disable-connectivity-check auth +org.freedesktop.NetworkManager.wifi.scan auth + + Is it the case that non-privileged users can modify or change network settings? 
- - To ensure write permissions are disabled for group and other - for each element in root's path, run the following command: -# ls -ld DIR - Is it the case that group or other write permissions exist? + + To verify if LogLevel is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i loglevel /etc/httpd/conf/httpd.conf +The command should return the following: +LogLevel warn + Is it the case that it is not? 
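Review bot: the new `reboot` audit rule in this hunk is written as `-a always,exit -F path=/reboot -F perm=x ...`, and `/reboot` is not a plausible location for the binary; the other privileged-command rules in the same hunk (`-F path=/usr/bin/unix_chkpwd`, `-F path=/usr/bin/chacl`) and the removed `usermod` rule (`/usr/bin/usermod`) all use a full path, so the intended path for `reboot` should be confirmed before this text tells readers what `auditctl -l` must return. Two smaller points in the same hunk: the four `open_by_handle_at` rules use the key `unsuccesful-create` (one `s`) while the adjacent permission-change rules use `unsuccessful-perm-change`, and since the text says the output "should be the following", the spelling should be made consistent with the rule files actually shipped; and the `.java`/`.jpp` check runs `find / -name *.java -o -name *.jpp` with unquoted globs, which the shell will expand if matching files exist in the current directory, so the patterns should be quoted as `find / -name '*.java' -o -name '*.jpp'`. Minor wording: "If command ouput shows" in the Kerberos crypto-policy check has a typo, and the audit_backlog_limit check opens with two near-identical sentences ("To check that all boot entries extend the backlog limit; Check that all boot entries extend the log events queue:") that should be collapsed into one.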
@@ -375757,366 +376259,414 @@ If the command does not return results or an error is returned, ask the SA to in Is it the case that there is no evidence that unauthorized peripherals are being blocked before establishing a connection? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SYN_COOKIES /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? - - - - To verify that HBSS PA is installed, run the following command(s): -$ sudo ls /opt/McAfee/auditengine/bin/auditmanager - Is it the case that the HBSS PA module is not installed? - - - - Run the following command to determine if the talk-server package is installed: -$ rpm -q talk-server - Is it the case that the package is installed? + + To ensure LDAP is configured to use TLS for all transactions, run the following command: +$ grep start_tls /etc/pam_ldap.conf +The result should contain: +ssl start_tls + Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? - - To check that the rpcsvcgssd service is disabled in system boot configuration, + + To check that the dhcpd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled rpcsvcgssd -Output should indicate the rpcsvcgssd service has either not been installed, +$ sudo systemctl is-enabled dhcpd +Output should indicate the dhcpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rpcsvcgssd disabled +$ sudo systemctl is-enabled dhcpd disabled -Run the following command to verify rpcsvcgssd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rpcsvcgssd +Run the following command to verify dhcpd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active dhcpd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the rpcsvcgssd is masked, run the following command: -$ sudo systemctl show rpcsvcgssd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the dhcpd is masked, run the following command: +$ sudo systemctl show dhcpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "rpcsvcgssd" is loaded and not masked? + Is it the case that the "dhcpd" is loaded and not masked? - - Determine if there is a process for the uploading of files to the web site. -This process should include the requirement for the use of a secure encrypted -logon and secure encrypted connection. If the remote users are uploading files -without utilizing approved encryption methods, this is a finding. - Is it the case that it is not? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes page_poison=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1' +The command should not return any output. + Is it the case that page allocator poisoning is not enabled? 
- - Check the root home directory for a .mozilla directory. If -one exists, ensure browsing is limited to local service administration. - Is it the case that this is not the case? + + Run the following command to determine if the nftables package is installed: $ rpm -q nftables + Is it the case that the package is not installed? - - Verify that a separate file system/partition has been created for /var/log with the following command: - -$ mountpoint /var/log - - Is it the case that "/var/log is not a mountpoint" is returned? + + Run the following command to check the mode of the system audit logs: +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file=/var/log/audit/audit.log +$ sudo stat -c "%n %a" /var/log/audit/* +$ sudo ls -l /var/log/audit +Audit logs must be mode 0640 or less permissive. + Is it the case that any permissions are more permissive? - - To check the ownership of /etc/cron.monthly, -run the command: -$ ls -lL /etc/cron.monthly -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.monthly does not have an owner of root? + + Run the following command to ensure postfix routes mail to this system: +$ grep relayhost /etc/postfix/main.cf +If properly configured, the output should show only . + Is it the case that it is not? - - To verify that Audit Daemon is configured to flush to disk after -every records, run the following command: -$ sudo grep freq /etc/audit/auditd.conf -The output should return the following: -freq = - Is it the case that freq isn't set to <sub idref="var_auditd_freq" />? + + To check the permissions of /etc/at.allow, +run the command: +$ ls -l /etc/at.allow +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/at.allow does not have unix mode -rw-------? 
- - Verify that a separate file system/partition has been created for /dev/shm with the following command: + + Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/system-auth file +and is configured to prohibit password reuse for a minimum of +generations. -$ mountpoint /dev/shm +Verify the "/etc/pam.d/system-auth" file with the following command: - Is it the case that "/dev/shm is not a mountpoint" is returned? - - - - -Run the following command to determine if the guest_exec_content SELinux boolean is disabled: -$ getsebool guest_exec_content -If properly configured, the output should show the following: -guest_exec_content --> off - Is it the case that guest_exec_content is not disabled? - - - - The document, DoDI 8500.01, establishes the policy on the use of DoD -information systems. It requires the use of a standard Notice and Consent Banner -and standard text to be included in user agreements. The banner should be set -to the following: - Is it the case that it is not display the required banner? - - - - -Run the following command to determine if the git_cgi_use_cifs SELinux boolean is disabled: -$ getsebool git_cgi_use_cifs -If properly configured, the output should show the following: -git_cgi_use_cifs --> off - Is it the case that git_cgi_use_cifs is not disabled? - - - - Verify Red Hat Enterprise Linux 8 enforces a delay of at least seconds between console logon prompts following a failed logon attempt with the following command: +$ grep pam_pwhistory.so /etc/pam.d/system-auth +password pam_pwhistory.so use_authtok remember= -$ sudo grep -i "FAIL_DELAY" /etc/login.defs -FAIL_DELAY - Is it the case that the value of "FAIL_DELAY" is not set to "<sub idref="var_accounts_fail_delay" />" or greater, or the line is commented out? 
- - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -$ sudo cat /etc/audit/rules.d/11-loginuid.rules -The output has to be exactly as follows: -## Make the loginuid immutable. This prevents tampering with the auid. ---loginuid-immutable - Is it the case that the file does not exist or the content differs? + +Verify the "/etc/security/pwhistory.conf" file using the following command: + +$ grep remember /etc/security/pwhistory.conf +remember = + +The pam_pwhistory.so "remember" option must be configured only in one file. + Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in +/etc/pam.d/system-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set +with a value less than "<sub idref="var_password_pam_remember" />"? - - To determine if the system is configured to audit unsuccessful calls -to the fsetxattr system call, run the following command: -$ sudo grep "fsetxattr" /etc/audit.* + + To determine if the system is configured to audit calls to the +fchownat system call, run the following command: +$ sudo grep "fchownat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To ensure that WIFI connections caanot be created, run the following command: -$ gsettings get org.gnome.nm-applet disable-wifi-create -If properly configured, the output should be true. -To ensure that users cannot enable WIFI connection creation, run the following: -$ grep wifi-create /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/nm-applet/disable-wifi-create - Is it the case that WIFI connections can be created through GNOME? + + The runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_defrtr +0. 
+ + Is it the case that the correct value is not returned? - - To determine if the system is configured to audit calls to the -umount2 system call, run the following command: -$ sudo grep "umount2" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + Shared libraries are stored in the following directories: +/lib +/lib64 +/usr/lib +/usr/lib64 - Is it the case that no line is returned? +To find shared libraries that are group-writable or world-writable, +run the following command for each directory DIR which contains shared libraries: +$ sudo find -L DIR -perm /022 -type d + Is it the case that any of these files are group-writable or world-writable? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STRICT_KERNEL_WRX /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + Verify Red Hat Enterprise Linux 8 enforces a delay of at least seconds between console logon prompts following a failed logon attempt with the following command: --w /etc/sudoers -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -i "FAIL_DELAY" /etc/login.defs +FAIL_DELAY + Is it the case that the value of "FAIL_DELAY" is not set to "<sub idref="var_accounts_fail_delay" />" or greater, or the line is commented out? - - To check the permissions of /etc/http/conf/*, -run the command: -$ ls -l /etc/http/conf/* -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/http/conf/* does not have unix mode -rw-r-----? 
+ + To check for legacy lines in /etc/group, run the following command: + grep '^\+' /etc/group +The command should not return any output. + Is it the case that the file contains legacy lines? - + Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes vsyscall=none, +in /etc/default/grub. If it includes slab_nomerge=yes, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled: $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slab_nomerge=yes.*' /etc/default/grub If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +$ sudo grep 'GRUB_CMDLINE_LINUX.*slab_nomerge=yes.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none' +$ sudo grubby --info=ALL | grep args | grep -v 'slab_nomerge=yes' The command should not return any output. - Is it the case that vsyscalls are enabled? + Is it the case that merging of slabs with similar size is enabled? - - To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: -$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config -and verify that the line matches: --oMACS= - Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? 
+ + + +Run the following command to determine the current status of the +pcscd service: +$ sudo systemctl is-active pcscd +If the service is running, it should return the following: active + Is it the case that the pcscd service is not enabled? - + + To check the ownership of /etc/gshadow-, +run the command: +$ ls -lL /etc/gshadow- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/gshadow- does not have an owner of root? + + + -Run the following command to determine if the samba_export_all_rw SELinux boolean is disabled: -$ getsebool samba_export_all_rw +Run the following command to determine if the sanlock_use_fusefs SELinux boolean is disabled: +$ getsebool sanlock_use_fusefs If properly configured, the output should show the following: -samba_export_all_rw --> off - Is it the case that samba_export_all_rw is not disabled? +sanlock_use_fusefs --> off + Is it the case that sanlock_use_fusefs is not disabled? - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that timed logins are disabled, run the following command: +$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf +The output should show the following: +[daemon] +TimedLoginEnable=false + Is it the case that GDM allows a guest to login without credentials? - - -Run the following command to determine if the entropyd_use_audio SELinux boolean is disabled: -$ getsebool entropyd_use_audio -If properly configured, the output should show the following: -entropyd_use_audio --> off - Is it the case that entropyd_use_audio is not disabled? 
+ + To verify all files and directories contained in interactive user home +directory, excluding local initialization files, have a mode of 0750, +run the following command: +$ sudo ls -lLR /home/USER + Is it the case that home directory files or folders have incorrect permissions? - + + To verify the system is not configured to use a boot loader on removable media, +check that the grub configuration file has the set root command in each menu +entry with the following commands: +$ sudo grep -cw menuentry /boot/grub2/grub.cfg +Note that the -c option for the grep command will print +only the count of menuentry occurrences. This number should match +the number of occurrences reported by the following command: +$ sudo grep "set root='hd0" /boot/grub2/grub.cfg +The output should return something similar to: +set root='hd0,msdos1' +usb0, cd, fd0, etc. are some examples of removeable +media which should not exist in the lines: +set root='hd0,msdos1' + Is it the case that it is not? + + + -Run the following command to determine if the daemons_enable_cluster_mode SELinux boolean is disabled: -$ getsebool daemons_enable_cluster_mode +Run the following command to determine if the staff_exec_content SELinux boolean is enabled: +$ getsebool staff_exec_content If properly configured, the output should show the following: -daemons_enable_cluster_mode --> off - Is it the case that daemons_enable_cluster_mode is not disabled? +staff_exec_content --> on + Is it the case that staff_exec_content is not enabled? - - The following command will discover and print any -files on local partitions which do not belong to a valid user. 
-$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser - -Either remove all files and directories from the system that do not have a -valid user, or assign a valid user to all unowned files and directories on -the system with the chown command: -$ sudo chown user file - Is it the case that files exist that are not owned by a valid user? + + To view the root user's PATH, run the following command: +$ sudo env | grep PATH +If correctly configured, the PATH must: use vendor default settings, +have no empty entries, and have no entries beginning with a character +other than a slash (/). + Is it the case that any of these conditions are not met? - + + To ensure the default password is not set, run the following command: +$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' +There should be no output. + Is it the case that the default SNMP passwords public and private have not been changed or removed? + + + -Run the following command to determine if the racoon_read_shadow SELinux boolean is disabled: -$ getsebool racoon_read_shadow +Run the following command to determine if the xguest_use_bluetooth SELinux boolean is disabled: +$ getsebool xguest_use_bluetooth If properly configured, the output should show the following: -racoon_read_shadow --> off - Is it the case that racoon_read_shadow is not disabled? +xguest_use_bluetooth --> off + Is it the case that xguest_use_bluetooth is not disabled? - - The runtime status of the kernel.panic_on_oops kernel parameter can be queried -by running the following command: -$ sysctl kernel.panic_on_oops -1. 
+ + To check that the qpidd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled qpidd +Output should indicate the qpidd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled qpidd disabled - Is it the case that the correct value is not returned? +Run the following command to verify qpidd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active qpidd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the qpidd is masked, run the following command: +$ sudo systemctl show qpidd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "qpidd" is loaded and not masked? - - -Run the following command to determine if the daemons_dump_core SELinux boolean is disabled: -$ getsebool daemons_dump_core -If properly configured, the output should show the following: -daemons_dump_core --> off - Is it the case that daemons_dump_core is not disabled? + + To determine if the system is configured to audit successful calls +to the open system call, run the following command: +$ sudo grep "open" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To check that the avahi-daemon service is disabled in system boot configuration, + + Inspect /etc/audit/auditd.conf and locate the following line to +determine how much data the system will retain in each audit log file: +$ sudo grep max_log_file /etc/audit/auditd.conf +max_log_file = 6 + Is it the case that the system audit data threshold has not been properly configured? 
+ + + + To check that the vsftpd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled avahi-daemon -Output should indicate the avahi-daemon service has either not been installed, +$ sudo systemctl is-enabled vsftpd +Output should indicate the vsftpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled avahi-daemon disabled +$ sudo systemctl is-enabled vsftpd disabled -Run the following command to verify avahi-daemon is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active avahi-daemon +Run the following command to verify vsftpd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active vsftpd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the avahi-daemon is masked, run the following command: -$ sudo systemctl show avahi-daemon | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the vsftpd is masked, run the following command: +$ sudo systemctl show vsftpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "avahi-daemon" is loaded and not masked? + Is it the case that the "vsftpd" is loaded and not masked? - - -Run the following command to determine if the tor_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool tor_bind_all_unreserved_ports -If properly configured, the output should show the following: -tor_bind_all_unreserved_ports --> off - Is it the case that tor_bind_all_unreserved_ports is not disabled? + + The runtime status of the kernel.randomize_va_space kernel parameter can be queried +by running the following command: +$ sysctl kernel.randomize_va_space +2. 
+ + Is it the case that the correct value is not returned? - - To verify if LogLevel is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i loglevel /etc/httpd/conf/httpd.conf -The command should return the following: -LogLevel warn - Is it the case that it is not? + + The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra +0. + + Is it the case that the correct value is not returned? - - Verify the nodev option is configured for the /tmp mount point, - run the following command: - $ sudo mount | grep '\s/tmp\s' - . . . /tmp . . . nodev . . . - - Is it the case that the "/tmp" file system does not have the "nodev" option set? + + To verify the sec option is configured for all NFS mounts, run the following command: +$ mount | grep "sec=" +All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. +This is not applicable if NFS is not implemented. + Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? - - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -$ sudo grep "init_module" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the openat system call, run the following command: +$ sudo grep "openat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - -Run the following command to determine if the git_system_use_nfs SELinux boolean is disabled: -$ getsebool git_system_use_nfs -If properly configured, the output should show the following: -git_system_use_nfs --> off - Is it the case that git_system_use_nfs is not disabled? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_HASH /boot/config.* + + For each kernel installed, a line with value "" should be returned. + + Is it the case that the kernel was not built with the required value? - - -Run the following command to determine if the sanlock_use_samba SELinux boolean is disabled: -$ getsebool sanlock_use_samba -If properly configured, the output should show the following: -sanlock_use_samba --> off - Is it the case that sanlock_use_samba is not disabled? + + Verify the nosuid option is configured for the /var/log mount point, + run the following command: + $ sudo mount | grep '\s/var/log\s' + . . . /var/log . . . nosuid . . . + + Is it the case that the "/var/log" file system does not have the "nosuid" option set? + + + + To ensure the login screen resets after a specified number of failures, +run the following command: +$ grep allowed-failures /etc/dconf/db/gdm.d/* +The output should be 3 or less. +To ensure that users cannot change or configure the resets after a specified +number of failures on the login screen, run the following: +$ grep allowed-failures /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/allowed-failures + Is it the case that allowed-failures is not equal to or less than the expected value? + + + + To determine if the system is configured to audit calls to the +setxattr system call, run the following command: +$ sudo grep "setxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
@@ -376126,273 +376676,381 @@ multi-user.target Is it the case that the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface? - - To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: - Is it the case that no line is returned? +$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - To check the ownership of /etc/shadow, -run the command: -$ ls -lL /etc/shadow -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/shadow does not have an owner of root? + + Verify Red Hat Enterprise Linux 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: + +$ sudo grep -w space_left_action /etc/audit/auditd.conf + +space_left_action = + +If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. + Is it the case that there is no evidence that real-time alerts are configured on the system? - - Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed. + + To determine if the system is configured to audit unsuccessful calls +to the fchown system call, run the following command: +$ sudo grep "fchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. 
-Run the following command to determine if the openssl-pkcs11 package is installed: -$ rpm -q openssl-pkcs11 - Is it the case that smartcard software is not installed? + Is it the case that no line is returned? - - Run the following command to determine if the tar package is installed: $ rpm -q tar - Is it the case that the package is not installed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: + +$ sudo auditctl -l | grep unix_update + +-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the openshift_use_nfs SELinux boolean is disabled: -$ getsebool openshift_use_nfs -If properly configured, the output should show the following: -openshift_use_nfs --> off - Is it the case that openshift_use_nfs is not disabled? + + Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: + +$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + +The output should be: + +/etc/rsyslog.conf:$DefaultNetstreamDriver gtls + Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? - + -Run the following command to determine if the unconfined_chrome_sandbox_transition SELinux boolean is enabled: -$ getsebool unconfined_chrome_sandbox_transition +Run the following command to determine if the named_tcp_bind_http_port SELinux boolean is disabled: +$ getsebool named_tcp_bind_http_port If properly configured, the output should show the following: -unconfined_chrome_sandbox_transition --> on - Is it the case that unconfined_chrome_sandbox_transition is not enabled? +named_tcp_bind_http_port --> off + Is it the case that named_tcp_bind_http_port is not disabled? 
- - To verify if the OpenSSL uses defined Crypto Policy, run: -$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1 -and verify that the line matches -Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 - Is it the case that Crypto Policy for OpenSSL is not configured according to CC requirements? + + Run the following command to determine the current status of the logrotate timer: $ sudo systemctl is-active logrotate.timer If the timer is running, it should return the following: active + Is it the case that logrotate timer is not enabled? - - To verify the operating system implements cryptography to protect the integrity of -remote ldap access sessions, run the following command: -$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf -The output should return the following with a correctly configured CA cert path: -ldap_tls_cacert /path/to/tls/ca.cert - Is it the case that the TLS CA cert is not configured? + + To check that the netconsole service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled netconsole +Output should indicate the netconsole service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled netconsole disabled + +Run the following command to verify netconsole is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active netconsole + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the netconsole is masked, run the following command: +$ sudo systemctl show netconsole | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "netconsole" is loaded and not masked? 
- - Run the following command to determine if the quagga package is installed: -$ rpm -q quagga - Is it the case that the package is installed? + + To check if the system motd banner is compliant, +run the following command: +$ cat /etc/motd + Is it the case that it does not display the required banner? - - To determine if the system is configured to audit calls to the -clock_settime system call, run the following command: -$ sudo grep "clock_settime" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + +Run the following command to determine if the httpd_dontaudit_search_dirs SELinux boolean is disabled: +$ getsebool httpd_dontaudit_search_dirs +If properly configured, the output should show the following: +httpd_dontaudit_search_dirs --> off + Is it the case that httpd_dontaudit_search_dirs is not disabled? + + + + Run the following command to determine if the sudo package is installed: $ rpm -q sudo + Is it the case that the package is not installed? + + + + +To properly set the owner of /var/log/httpd, run the command: +$ sudo chown root /var/log/httpd - Is it the case that no line is returned? +To properly set the owner of /var/log/httpd/*, run the command: +$ sudo chown root /var/log/httpd/* + Is it the case that ? - - Verify the NX (no-execution) bit flag is set on the system. + + Verify that sshd isn't configured to ignore the system wide cryptographic policy. -Check that the no-execution bit flag is set with the following commands: +Check that the CRYPTO_POLICY variable is not set or is commented out in the +/etc/sysconfig/sshd. -$ sudo dmesg | grep NX +Run the following command: -[ 0.000000] NX (Execute Disable) protection: active +$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd + Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd? + + + + Verify the Red Hat Enterprise Linux 8 "fapolicyd" employs a deny-all, permit-by-exception policy. 
-If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: +Check that "fapolicyd" is in enforcement mode with the following command: -$ sudo grep flags /proc/cpuinfo -flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts +$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf -The output should contain the "nx" flag. - Is it the case that NX is disabled? +permissive = 0 + +Check that fapolicyd employs a deny-all policy on system mounts with the following commands: + +For RHEL 8.5 systems and older: +$ sudo tail /etc/fapolicyd/fapolicyd.rules + +For RHEL 8.6 systems and newer: +$ sudo tail /etc/fapolicyd/compiled.rules + +allow exe=/usr/bin/python3.7 : ftype=text/x-python +deny_audit perm=any pattern=ld_so : all +deny perm=any all : all + Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy? - - To check the group ownership of /etc/shadow, -run the command: -$ ls -lL /etc/shadow -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/shadow does not have a group owner of root? + + To check if MaxStartups is configured, run the following command: +$ sudo grep MaxStartups /etc/ssh/sshd_config +If configured, this command should output the configuration. + Is it the case that maxstartups is not configured? - + + To verify /etc/system-fips exists, run the following command: +ls -l /etc/system-fips +The output should be similar to the following: +-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips + Is it the case that /etc/system-fips does not exist? 
+ + + -Run the following command to determine if the ftpd_anon_write SELinux boolean is disabled: -$ getsebool ftpd_anon_write +Run the following command to determine if the xend_run_blktap SELinux boolean is enabled: +$ getsebool xend_run_blktap If properly configured, the output should show the following: -ftpd_anon_write --> off - Is it the case that ftpd_anon_write is not disabled? +xend_run_blktap --> on + Is it the case that xend_run_blktap is not enabled? - - Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command: - -$ grep -i storage /etc/systemd/coredump.conf - -Storage=none - Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? + + To check the group ownership of /var/log/messages, +run the command: +$ ls -lL /var/log/messages +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /var/log/messages does not have a group owner of root? - - To verify that SSSD is configured to run as user sssd, run the following command: -$ sudo grep -r '\buser\b' /etc/sssd -If configured properly, output should similar to /etc/sssd/conf.d/ospp.conf:user = sssd. -Sanity of SSSD configuration in general can be checked using $ sudo sssctl config-check - Is it the case that it does not exist or is not configured properly? + + Run the following command to ensure that /tmp is configured as a +polyinstantiated directory: +$ sudo grep /tmp /etc/security/namespace.conf +The output should return the following: +/tmp /tmp/tmp-inst/ level root,adm + Is it the case that is not configured? 
- - To check the group ownership of /etc/passwd, -run the command: -$ ls -lL /etc/passwd -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/passwd does not have a group owner of root? + + To verify that remote access methods are logging to rsyslog, +run the following command: +grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.* +The output should contain auth.*, authpriv.*, and daemon.* +pointing to a log file. + Is it the case that remote access methods are not logging to rsyslog? - - Run the following command to determine if the opensc package is installed: $ rpm -q opensc + + Verify that a separate file system/partition has been created for /var/tmp with the following command: + +$ mountpoint /var/tmp + + Is it the case that "/var/tmp is not a mountpoint" is returned? + + + + Run the following command to determine if the rng-tools package is installed: $ rpm -q rng-tools Is it the case that the package is not installed? - - Run the following command to determine if the abrt-addon-kerneloops package is installed: -$ rpm -q abrt-addon-kerneloops - Is it the case that the package is installed? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEVKMEM /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify the nosuid option is configured for the /srv mount point, - run the following command: - $ sudo mount | grep '\s/srv\s' - . . . /srv . . . nosuid . . . + + Verify Red Hat Enterprise Linux 8 enforces 24 hours/1 day as the minimum password lifetime for new user accounts. - Is it the case that the "/srv" file system does not have the "nosuid" option set? 
+Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: + +$ grep -i pass_min_days /etc/login.defs + +PASS_MIN_DAYS + Is it the case that the "PASS_MIN_DAYS" parameter value is not "<sub idref="var_accounts_minimum_age_login_defs" />" or greater, or is commented out? - - The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried -by running the following command: -$ sysctl kernel.perf_event_paranoid -2. - - Is it the case that the correct value is not returned? + + Verify an anti-virus solution is installed on the system. The anti-virus solution may be +bundled with an approved host-based security solution. + Is it the case that there is no anti-virus solution installed on the system? - - To determine if NOEXEC has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\bnoexec\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that noexec is not enabled in sudo? + + To check the group ownership of /var/log, +run the command: +$ ls -lL /var/log +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /var/log does not have a group owner of root? - - The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_source_route -0. + + The telnet package can be removed with the following command: $ sudo yum erase telnet + Is it the case that ? + + + + To check that the abrtd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled abrtd +Output should indicate the abrtd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled abrtd disabled - Is it the case that the correct value is not returned? 
+Run the following command to verify abrtd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active abrtd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the abrtd is masked, run the following command: +$ sudo systemctl show abrtd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "abrtd" is loaded and not masked? - - To verify if MaxKeepAliveRequests is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i maxkeepaliverequests /etc/httpd/conf/httpd.conf -The command should return the following: -MaxKeepAliveRequests 100 - Is it the case that it is not? + + To determine whether the SSH service is configured to use strong entropy seed, +run $ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd +If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, +then the option is set correctly. + Is it the case that the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd? - - To verify that the system will shutdown when auditd fails, -run the following command: -$ sudo grep "\-f " /etc/audit/audit.rules -The output should contain: --f - Is it the case that the system is not configured to shutdown on auditd failures? + + To check the ownership of /boot/efi/EFI/redhat/grub.cfg, +run the command: +$ ls -lL /boot/efi/EFI/redhat/grub.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have an owner of root? - - Verify the noexec option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . noexec . . . - - Is it the case that the "/boot" file system does not have the "noexec" option set? 
+ + To check the permissions of /etc/shadow, +run the command: +$ ls -l /etc/shadow +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/shadow does not have unix mode ----------? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + + +If the system is configured to prevent the loading of the bluetooth kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -$ sudo auditctl -l | grep postdrop +These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword. --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop - Is it the case that the command does not return a line, or the line is commented out? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - + -Run the following command to determine if the rsync_client SELinux boolean is disabled: -$ getsebool rsync_client +Run the following command to determine if the secadm_exec_content SELinux boolean is enabled: +$ getsebool secadm_exec_content If properly configured, the output should show the following: -rsync_client --> off - Is it the case that rsync_client is not disabled? +secadm_exec_content --> on + Is it the case that secadm_exec_content is not enabled? - - To check on the age of McAfee virus definition files, run the following command: -$ sudo cd /opt/NAI/LinuxShield/engine/dat -$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat - Is it the case that signatures are out of date? 
+ + +Run the following command to determine if the ssh_keysign SELinux boolean is disabled: +$ getsebool ssh_keysign +If properly configured, the output should show the following: +ssh_keysign --> off + Is it the case that ssh_keysign is not disabled? - + - -Run the following command to determine the current status of the -crond service: -$ sudo systemctl is-active crond -If the service is running, it should return the following: active - Is it the case that ? +Run the following command to determine if the httpd_ssi_exec SELinux boolean is disabled: +$ getsebool httpd_ssi_exec +If properly configured, the output should show the following: +httpd_ssi_exec --> off + Is it the case that httpd_ssi_exec is not disabled? - - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To check that the zebra service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled zebra +Output should indicate the zebra service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled zebra disabled - Is it the case that no line is returned? - - - - -To properly set the group owner of /etc/audit/, run the command: -$ sudo chgrp root /etc/audit/ +Run the following command to verify zebra is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active zebra -To properly set the group owner of /etc/audit/rules.d/, run the command: -$ sudo chgrp root /etc/audit/rules.d/ - Is it the case that ? 
+If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the zebra is masked, run the following command: +$ sudo systemctl show zebra | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "zebra" is loaded and not masked? 
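Review bot: the added telnet text gives a remediation command (`$ sudo yum erase telnet`) where a check should be, and its closing question is empty (`Is it the case that ?`), so the OCIL question cannot be answered; the added /tmp polyinstantiation text has the same problem (`Is it the case that is not configured?`). Suggest a check of the form `$ rpm -q telnet` with `Is it the case that the package is installed?`, matching the rng-tools entry in this hunk, and `Is it the case that /tmp is not configured as a polyinstantiated directory in /etc/security/namespace.conf?` for the namespace.conf entry.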
@@ -376412,314 +377070,206 @@ The output should be the following: Is it the case that the command does not return all lines, or the lines are commented out? - - -Run the following command to determine if the ftpd_connect_db SELinux boolean is disabled: -$ getsebool ftpd_connect_db -If properly configured, the output should show the following: -ftpd_connect_db --> off - Is it the case that ftpd_connect_db is not disabled? + + To determine if arguments that commands can be executed with are restricted, run the following command: +$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that /etc/sudoers file contains user specifications that allow execution of commands with any arguments? - - To ensure ClientAliveInterval is set correctly, run the following command: - -$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config - -If properly configured, the output should be: -ClientAliveCountMax 0 - -In this case, the SSH timeout occurs precisely when -the ClientAliveInterval is set. - Is it the case that it is commented out or not configured properly? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_RANDOMIZE_BASE /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the antivirus_can_scan_system SELinux boolean is enabled: -$ getsebool antivirus_can_scan_system +Run the following command to determine if the mpd_enable_homedirs SELinux boolean is disabled: +$ getsebool mpd_enable_homedirs If properly configured, the output should show the following: -antivirus_can_scan_system --> on - Is it the case that antivirus_can_scan_system is not enabled? 
- - - - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: - -$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf - -The output should be: - -/etc/rsyslog.conf:$DefaultNetstreamDriver gtls - Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? +mpd_enable_homedirs --> off + Is it the case that mpd_enable_homedirs is not disabled? - - Inspect the file /etc/sysconfig/iptables to determine -the default policy for the INPUT chain. It should be set to DROP: -$ sudo grep ":INPUT" /etc/sysconfig/iptables - Is it the case that the default policy for the INPUT chain is not set to DROP? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/43-module-load.rules +The output has to be exactly as follows: +## These rules watch for kernel module insertion. By monitoring +## the syscall, we do not need any watches on programs. +-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b32 -S delete_module -F key=module-unload +-a always,exit -F arch=b64 -S delete_module -F key=module-unload + Is it the case that the file does not exist or the content differs? - - To verify that the installed operating system is supported or certified, run -the following command: + + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +$ sudo grep "init_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -The output should contain something similar to: -Red Hat Enterprise Linux 8 - Is it the case that the installed operating system is not FIPS 140-2 certified? + Is it the case that no line is returned? 
- - Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: -$ sudo grep -iw log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log -Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: -$ sudo stat -c "%n %U" /var/log/audit/audit.log -Audit logs must be owned by user root. -If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. - Is it the case that the audit log is not owned by root? + + Inspect the system to determine if intrusion detection software has been installed. +Verify this intrusion detection software is active. + Is it the case that no host-based intrusion detection tools are installed? - + -To check that the systemd-journal-remote.socket socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled systemd-journal-remote.socket -Output should indicate the systemd-journal-remote.socket socket has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled systemd-journal-remote.socketdisabled - -Run the following command to verify systemd-journal-remote.socket is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active systemd-journal-remote.socket - -If the socket is not running the command will return the following output: -inactive - -The socket will also be masked, to check that the systemd-journal-remote.socket is masked, run the following command: -$ sudo systemctl show systemd-journal-remote.socket | grep "LoadState\|UnitFileState" - -If the socket is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the systemd-journal-remote socket is not masked? 
+Run the following command to determine if the zoneminder_anon_write SELinux boolean is disabled: +$ getsebool zoneminder_anon_write +If properly configured, the output should show the following: +zoneminder_anon_write --> off + Is it the case that zoneminder_anon_write is not disabled? - + -Run the following command to determine if the icecast_use_any_tcp_ports SELinux boolean is disabled: -$ getsebool icecast_use_any_tcp_ports +Run the following command to determine if the guest_exec_content SELinux boolean is disabled: +$ getsebool guest_exec_content If properly configured, the output should show the following: -icecast_use_any_tcp_ports --> off - Is it the case that icecast_use_any_tcp_ports is not disabled? +guest_exec_content --> off + Is it the case that guest_exec_content is not disabled? - - Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: - -$ sudo grep difok /etc/security/pwquality.conf + + +If the system is configured to prevent the loading of the can kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -difok = - Is it the case that the value of "difok" is set to less than "<sub idref="var_password_pam_difok" />", or is commented out? - - - - Verify the nosuid option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . nosuid . . . +These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword. - Is it the case that the "/boot" file system does not have the "nosuid" option set? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r can /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? 
- - To verify if the OpenSSL uses defined TLS Crypto Policy, run: -$ grep -P '^(TLS\.)?MinProtocol' /etc/crypto-policies/back-ends/opensslcnf.config -and verify that the value is -TLSv1.2 - Is it the case that cryptographic policy for openssl is not configured or is configured incorrectly? + + +Run the following command to determine if the neutron_can_network SELinux boolean is disabled: +$ getsebool neutron_can_network +If properly configured, the output should show the following: +neutron_can_network --> off + Is it the case that neutron_can_network is not disabled? - - To check that the psacct service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled psacct -Output should indicate the psacct service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled psacct disabled - -Run the following command to verify psacct is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active psacct - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the psacct is masked, run the following command: -$ sudo systemctl show psacct | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "psacct" is loaded and not masked? + + +Run the following command to determine if the httpd_can_network_relay SELinux boolean is disabled: +$ getsebool httpd_can_network_relay +If properly configured, the output should show the following: +httpd_can_network_relay --> off + Is it the case that httpd_can_network_relay is not disabled? 
- - Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: + + -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; - Is it the case that any system-wide shared library file is found to be group-writable or world-writable? +Run the following command to determine the current status of the +cron service: +$ sudo systemctl is-active cron +If the service is running, it should return the following: active + Is it the case that ? - - -Verify that the libuser is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. - -Check the hashing algorithm that is being used to hash passwords with the following command: + + Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: -$ sudo grep -i crypt_style /etc/libuser.conf +$ sudo more /etc/fstab -crypt_style = sha512 - Is it the case that crypt_style is not set to sha512? +UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 + Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set? - - Verify that there are no wireless interfaces configured on the system -with the following command: - -Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. + + To verify that acquiring, saving, and processing core dumps is disabled, run the +following command: +$ systemctl status systemd-coredump.socket +The output should be similar to: +● systemd-coredump.socket + Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) + Active: inactive (dead) ... 
-$ nmcli device status -DEVICE TYPE STATE CONNECTION -virbr0 bridge connected virbr0 -wlp7s0 wifi connected wifiSSID -enp6s0 ethernet disconnected -- -p2p-dev-wlp7s0 wifi-p2p disconnected -- -lo loopback unmanaged -- -virbr0-nic tun unmanaged -- - Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)? + Is it the case that unit systemd-coredump.socket is not masked or running? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_WX /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that a remote NTP service is configured for time synchronization, +open the following file: +/etc/ntp.conf +In the file, there should be a section similar to the following: +server ntpserver + Is it the case that this is not the case? - - Verify the nosuid option is configured for the /opt mount point, - run the following command: - $ sudo mount | grep '\s/opt\s' - . . . /opt . . . nosuid . . . - - Is it the case that the "/opt" file system does not have the "nosuid" option set? + + +Run the following command to determine if the daemons_use_tcp_wrapper SELinux boolean is disabled: +$ getsebool daemons_use_tcp_wrapper +If properly configured, the output should show the following: +daemons_use_tcp_wrapper --> off + Is it the case that daemons_use_tcp_wrapper is not disabled? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. + + The file /etc/cron.deny should not exist. 
+This can be checked by runnig the following -Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: +stat /etc/cron.deny -$ sudo grep disk_error_action /etc/audit/auditd.conf +and the output should be -disk_error_action = +stat: cannot stat `/etc/cron.deny': No such file or directory -If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. - Is it the case that there is no evidence of appropriate action? - - - - -Run the following command to determine if the global_ssp SELinux boolean is disabled: -$ getsebool global_ssp -If properly configured, the output should show the following: -global_ssp --> off - Is it the case that global_ssp is not disabled? + Is it the case that the file /etc/cron.deny exists? - + -Run the following command to determine if the samba_load_libgfapi SELinux boolean is disabled: -$ getsebool samba_load_libgfapi +Run the following command to determine if the awstats_purge_apache_log_files SELinux boolean is disabled: +$ getsebool awstats_purge_apache_log_files If properly configured, the output should show the following: -samba_load_libgfapi --> off - Is it the case that samba_load_libgfapi is not disabled? - - - - -Run the following command to get the current configured value for polyinstantiation_enabled -SELinux boolean: -$ getsebool polyinstantiation_enabled -The expected cofiguration is . -"on" means true, and "off" means false - Is it the case that polyinstantiation_enabled is not set as expected? 
- - - - To verify if the mod_perl is installed, run the following command: -$ rpm -qa | grep mod_perl -If the mod_perl module is installed, verify that PerlSwitches -T -is enabled in /etc/httpd/conf.d/perl.conf by running the following -command: -$ grep -i "PerlSwitches -T" /etc/httpd/conf.d/perl.conf -The output should return uncommented: -PerlSwitches -T - Is it the case that it is not? +awstats_purge_apache_log_files --> off + Is it the case that awstats_purge_apache_log_files is not disabled? - - Verify that the IPSec service uses the system crypto policy. + + Verify the audit log directories have a correct mode or less permissive mode. -If the ipsec service is not installed is not applicable. +Find the location of the audit logs: -Check to see if the "IPsec" service is active with the following command: +$ sudo grep "^log_file" /etc/audit/auditd.conf -$ systemctl status ipsec -ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec -Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) -Active: inactive (dead) -If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: +Run the following command to check the mode of the system audit logs: -$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf +$ sudo stat -c "%a %n" [audit_log_directory] -/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config - Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: +Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". 
-$ sudo auditctl -l | grep semanage --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - Is it the case that the command does not return a line, or the line is commented out? - - - - -Run the following command to determine if the cvs_read_shadow SELinux boolean is disabled: -$ getsebool cvs_read_shadow -If properly configured, the output should show the following: -cvs_read_shadow --> off - Is it the case that cvs_read_shadow is not disabled? +The correct permissions are 0700 + Is it the case that audit logs have a more permissive mode? - - The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried -by running the following command: -$ sysctl kernel.unprivileged_bpf_disabled -1. + + Verify the noexec option is configured for the /var mount point, + run the following command: + $ sudo mount | grep '\s/var\s' + . . . /var . . . noexec . . . - Is it the case that the correct value is not returned? + Is it the case that the "/var" file system does not have the "noexec" option set? 
@@ -376739,786 +377289,688 @@ $ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d Is it the case that the ipv6 kernel module is not disabled? - - To ensure that users cannot disable the screensaver idle inactivity setting, run the following: -$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled - Is it the case that idle-activation-enabled is not locked? + + Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: + +$ grep maxclassrepeat /etc/security/pwquality.conf + +maxclassrepeat = + Is it the case that the value of "maxclassrepeat" is set to "0", more than "<sub idref="var_password_pam_maxclassrepeat" />" or is commented out? - + -Run the following command to determine if the secadm_exec_content SELinux boolean is enabled: -$ getsebool secadm_exec_content +Run the following command to determine if the httpd_graceful_shutdown SELinux boolean is enabled: +$ getsebool httpd_graceful_shutdown If properly configured, the output should show the following: -secadm_exec_content --> on - Is it the case that secadm_exec_content is not enabled? +httpd_graceful_shutdown --> on + Is it the case that httpd_graceful_shutdown is not enabled? - - Determine where the audit logs are stored with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf - -log_file = /var/log/audit/audit.log - -Determine the owner of the audit log directory by using the output of the above command -(default: "/var/log/audit/"). Run the following command with the correct audit log directory -path: - -$ sudo ls -ld /var/log/audit - -drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + + To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 8 systems, +run the following command: +$ dmesg | grep '[NX|DX]*protection' +The output should not contain 'disabled by kernel command line option'. 
+Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes noexec=off, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*noexec=off.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*noexec=off.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'noexec=off' +The command should not return any output. + Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.? + + + + Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: -The audit log directory must be owned by "root" - Is it the case that the directory is not owned by root? +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; + Is it the case that any system-wide shared library file is found to be group-writable or world-writable? - - -Run the following command to determine if the virt_use_xserver SELinux boolean is disabled: -$ getsebool virt_use_xserver -If properly configured, the output should show the following: -virt_use_xserver --> off - Is it the case that virt_use_xserver is not disabled? + + To determine that AIDE is verifying ACLs, run the following command: +$ grep acl /etc/aide.conf +Verify that the acl option is added to the correct ruleset. + Is it the case that the acl option is missing or not added to the correct ruleset? 
- - Run the following command to determine if the rsh-server package is installed: -$ rpm -q rsh-server - Is it the case that the package is installed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + +$ sudo auditctl -l | grep userhelper + +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the git_session_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool git_session_bind_all_unreserved_ports -If properly configured, the output should show the following: -git_session_bind_all_unreserved_ports --> off - Is it the case that git_session_bind_all_unreserved_ports is not disabled? + + To check that the rdisc service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rdisc +Output should indicate the rdisc service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rdisc disabled + +Run the following command to verify rdisc is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rdisc + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rdisc is masked, run the following command: +$ sudo systemctl show rdisc | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "rdisc" is loaded and not masked? 
- - To check the permissions of /etc/group, -run the command: -$ ls -l /etc/group -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/group does not have unix mode -rw-r--r--? + + To determine that AIDE is verifying extended file attributes, run the following command: +$ grep xattrs /etc/aide.conf +Verify that the xattrs option is added to the correct ruleset. + Is it the case that the xattrs option is missing or not added to the correct ruleset? - - Verify the nosuid option is configured for the /var/log mount point, - run the following command: - $ sudo mount | grep '\s/var/log\s' - . . . /var/log . . . nosuid . . . - - Is it the case that the "/var/log" file system does not have the "nosuid" option set? + + Check the root home directory for a .mozilla directory. If +one exists, ensure browsing is limited to local service administration. + Is it the case that this is not the case? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules -The output has to be exactly as follows: -## Successful file delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete - Is it the case that the file does not exist or the content differs? + + To determine if the system is configured to audit calls to the +adjtimex system call, run the following command: +$ sudo grep "adjtimex" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
- - System executables are stored in the following directories by default: -/bin -/sbin -/usr/bin -/usr/local/bin -/usr/local/sbin -/usr/sbin -For each of these directories, run the following command to find files -not owned by root: -$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \; - Is it the case that any system executables directories are found to not be owned by root? + + Verify that Red Hat Enterprise Linux 8 's INACTIVE conforms to site policy (no more than 30 days) with the following command: + +$ sudo awk -F: '$7 > 30 {print $1 " " $7}' /etc/shadow + Is it the case that the value of INACTIVE is greater than the expected value or is -1? - - Verify the audit log directories have a correct mode or less permissive mode. + + -Find the location of the audit logs: -$ sudo grep "^log_file" /etc/audit/auditd.conf +To determine if firewalld is configured to allow access +on port 22/tcp, run the following command(s): + firewall-cmd --list-ports -Run the following command to check the mode of the system audit logs: +to ssh + firewall-cmd --list-services -$ sudo stat -c "%a %n" [audit_log_directory] +If firewalld is configured to allow access through the firewall, something similar to the following will be output: -Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". +If it is a service: +ssh -The correct permissions are 0700 - Is it the case that audit logs have a more permissive mode? +If it is a port: +22/tcp + + Is it the case that sshd service is not enabled in the proper firewalld zone? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_LEGACY_PTYS /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + Inspect /etc/default/grub for any instances of selinux=0 +in the kernel boot arguments. Presence of selinux=0 indicates +that SELinux is disabled at boot time. + Is it the case that SELinux is disabled at boot time? - - To check the minimum password length, run the command: -$ grep PASS_MIN_LEN /etc/login.defs -The DoD requirement is 15. - Is it the case that it is not set to the required value? + + +Run the following command to determine if the antivirus_use_jit SELinux boolean is disabled: +$ getsebool antivirus_use_jit +If properly configured, the output should show the following: +antivirus_use_jit --> off + Is it the case that antivirus_use_jit is not disabled? - - To determine whether the SSH service is configured to use strong entropy seed, -run $ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd -If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, -then the option is set correctly. - Is it the case that the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd? + + +Run the following command to determine if the unconfined_mozilla_plugin_transition SELinux boolean is enabled: +$ getsebool unconfined_mozilla_plugin_transition +If properly configured, the output should show the following: +unconfined_mozilla_plugin_transition --> on + Is it the case that unconfined_mozilla_plugin_transition is not enabled? - - Verify the SELINUX on Red Hat Enterprise Linux 8 is using the policy with the following command: - -$ sestatus | grep policy - -Loaded policy name: - Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"? + + To verify the sec option is configured for all NFS mounts, run the following command: +$ grep "sec=" /etc/exports +All configured NFS exports should show the sec=krb5:krb5i:krb5p setting in parentheses. +This is not applicable if NFS is not implemented. + Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? 
- - Remote web authors should not be able to upload files to the Document Root -directory structure without virus checking and checking for malicious or mobile -code. - Is it the case that it is not? - - - - To check the permissions of /etc/audit/auditd.conf, -run the command: -$ ls -l /etc/audit/auditd.conf -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/audit/auditd.conf does not have unix mode -rw-r-----? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_ALL /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? - - - - -Run the following command to determine if the domain_kernel_load_modules SELinux boolean is disabled: -$ getsebool domain_kernel_load_modules -If properly configured, the output should show the following: -domain_kernel_load_modules --> off - Is it the case that domain_kernel_load_modules is not disabled? - - - - To verify that tmux is not listed as allowed shell on the system -run the following command: -$ grep 'tmux$' /etc/shells -The output should be empty. - Is it the case that tmux is listed in /etc/shells? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules +The output has to be exactly as follows: +## Successful file access (any other opens) This has to go last. 
+## These next two are likely to result in a whole lot of events +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Is it the case that the file does not exist or the content differs? - - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -$ sudo grep "fchmodat" /etc/audit/audit.* + + If the system is not configured to audit time changes, this is a finding. +If the system is 64-bit only, this is not applicable +ocil: | +To determine if the system is configured to audit calls to the +stime system call, run the following command: +$ sudo grep "stime" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - - -Run the following command to determine if the git_cgi_enable_homedirs SELinux boolean is disabled: -$ getsebool git_cgi_enable_homedirs -If properly configured, the output should show the following: -git_cgi_enable_homedirs --> off - Is it the case that git_cgi_enable_homedirs is not disabled? + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/passwd)' + +-w /etc/passwd -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full. + + Check group owners of the system audit logs. -Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full with the following command: +First, determine where the audit log file is located. 
-$ sudo grep disk_full_action /etc/audit/auditd.conf +$ sudo grep -iw ^log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log -disk_full_action = +The log_file option specifies the audit log file path. +If the log_file option isn't defined, check all files within /var/log/audit directory. -If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. - Is it the case that there is no evidence of appropriate action? + +Then, determine the audit log group by running the following command: +$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf + + +Then, check that the audit log file is owned by the correct group. +Run the following command to display the owner of the audit log file: + +$ sudo stat -c "%n %G" log_file + + +The audit log file must be owned by the log_group or by root if the log_group is not specified. + Is it the case that audit log files are owned by incorrect group? - - The runtime status of the fs.protected_hardlinks kernel parameter can be queried -by running the following command: -$ sysctl fs.protected_hardlinks -1. + + Verify that a separate file system/partition has been created for /srv with the following command: - Is it the case that the correct value is not returned? +$ mountpoint /srv + + Is it the case that "/srv is not a mountpoint" is returned? - + -Run the following command to determine if the mozilla_plugin_bind_unreserved_ports SELinux boolean is disabled: -$ getsebool mozilla_plugin_bind_unreserved_ports +Run the following command to determine if the lsmd_plugin_connect_any SELinux boolean is disabled: +$ getsebool lsmd_plugin_connect_any If properly configured, the output should show the following: -mozilla_plugin_bind_unreserved_ports --> off - Is it the case that mozilla_plugin_bind_unreserved_ports is not disabled? 
+lsmd_plugin_connect_any --> off + Is it the case that lsmd_plugin_connect_any is not disabled? - - To check the group ownership of /etc/passwd-, + + If the system uses IPv6, this is not applicable. + +If the system is configured to prevent the usage of the ipv6 on +network interfaces, it will contain a line of the form: +net.ipv6.conf.default.disable_ipv6 = 1 +Such lines may be inside any file in the /etc/sysctl.d directory. +This permits insertion of the IPv6 kernel module (which other parts of the +system expect to be present), but otherwise keeps network interfaces +from using IPv6. Run the following command to search for such lines in all +files in /etc/sysctl.d: +$ grep -r ipv6 /etc/sysctl.d + Is it the case that the ipv6 support is disabled by default on network interfaces? + + + + To check the ownership of /etc/motd, run the command: -$ ls -lL /etc/passwd- -If properly configured, the output should indicate the following group-owner: +$ ls -lL /etc/motd +If properly configured, the output should indicate the following owner: root - Is it the case that /etc/passwd- does not have a group owner of root? + Is it the case that /etc/motd does not have an owner of root? - - Storing logs with compression can help avoid filling the system disk. -Run the following command to verify that journald is compressing logs. - -grep "^\sCompress" /etc/systemd/journald.conf - -and it should return + + Verify that Red Hat Enterprise Linux 8 loads the driver with the following command: -Compress=yes +$ grep card_drivers /etc/opensc.conf - Is it the case that is commented out or not configured correctly? - - - - Run the following command to determine if the squid package is installed: -$ rpm -q squid - Is it the case that the package is installed? +card_drivers = ; + Is it the case that "<sub idref="var_smartcard_drivers" />" is not listed as a card driver, or there is no line returned for "card_drivers"? 
- - To check that the dhcpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled dhcpd -Output should indicate the dhcpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled dhcpd disabled + + Verify the NX (no-execution) bit flag is set on the system. -Run the following command to verify dhcpd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active dhcpd +Check that the no-execution bit flag is set with the following commands: -If the service is not running the command will return the following output: -inactive +$ sudo dmesg | grep NX -The service will also be masked, to check that the dhcpd is masked, run the following command: -$ sudo systemctl show dhcpd | grep "LoadState\|UnitFileState" +[ 0.000000] NX (Execute Disable) protection: active -If the service is masked the command will return the following outputs: +If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: -LoadState=masked +$ sudo grep flags /proc/cpuinfo +flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts -UnitFileState=masked - Is it the case that the "dhcpd" is loaded and not masked? +The output should contain the "nx" flag. + Is it the case that NX is disabled? - - To check that the debug-shell service is disabled in system boot configuration, + + +Run the following command to determine if the httpd_serve_cobbler_files SELinux boolean is disabled: +$ getsebool httpd_serve_cobbler_files +If properly configured, the output should show the following: +httpd_serve_cobbler_files --> off + Is it the case that httpd_serve_cobbler_files is not disabled? + + + + Run the following command to determine if the freeradius package is installed: $ rpm -q freeradius + Is it the case that the package is installed? 
+ + + + To check the permissions of /etc/audit/auditd.conf, +run the command: +$ ls -l /etc/audit/auditd.conf +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/audit/auditd.conf does not have unix mode -rw-r-----? + + + + +Run the following command to determine if the ftpd_use_passive_mode SELinux boolean is disabled: +$ getsebool ftpd_use_passive_mode +If properly configured, the output should show the following: +ftpd_use_passive_mode --> off + Is it the case that ftpd_use_passive_mode is not disabled? + + + + To check that the smb service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled debug-shell -Output should indicate the debug-shell service has either not been installed, +$ sudo systemctl is-enabled smb +Output should indicate the smb service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled debug-shell disabled +$ sudo systemctl is-enabled smb disabled -Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active debug-shell +Run the following command to verify smb is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active smb If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the debug-shell is masked, run the following command: -$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the smb is masked, run the following command: +$ sudo systemctl show smb | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "debug-shell" is loaded and not masked? 
+ Is it the case that the "smb" is loaded and not masked? - + -Run the following command to determine if the postgresql_selinux_unconfined_dbadm SELinux boolean is enabled: -$ getsebool postgresql_selinux_unconfined_dbadm +Run the following command to determine if the cron_userdomain_transition SELinux boolean is enabled: +$ getsebool cron_userdomain_transition If properly configured, the output should show the following: -postgresql_selinux_unconfined_dbadm --> on - Is it the case that postgresql_selinux_unconfined_dbadm is not enabled? +cron_userdomain_transition --> on + Is it the case that cron_userdomain_transition is not enabled? - - To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -$ sudo grep "removexattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + If IPv6 is disabled, this is not applicable. - Is it the case that no line is returned? - - - - Run the following command to determine if the cyrus-imapd package is installed: -$ rpm -q cyrus-imapd - Is it the case that the package is installed? - - - - To determine if the system is configured to audit successful calls -to the fremovexattr system call, run the following command: -$ sudo grep "fremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - - - - To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -$ sudo grep "fsetxattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +Run the following command to determine the current status of the +ip6tables service: +$ sudo systemctl is-active ip6tables +If the service is running, it should return the following: active + Is it the case that ? 
- - The runtime status of the net.ipv6.conf.default.max_addresses kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.max_addresses -1. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - Is it the case that the correct value is not returned? - - - - -Run the following command to determine if the nfs_export_all_ro SELinux boolean is enabled: -$ getsebool nfs_export_all_ro -If properly configured, the output should show the following: -nfs_export_all_ro --> on - Is it the case that nfs_export_all_ro is not enabled? +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the httpd_dbus_sssd SELinux boolean is disabled: -$ getsebool httpd_dbus_sssd -If properly configured, the output should show the following: -httpd_dbus_sssd --> off - Is it the case that httpd_dbus_sssd is not disabled? + + Verify the system-wide shared library directories are owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; + Is it the case that any system-wide shared library directory is not owned by root? - - To verify the audispd plugin off-loads audit records onto a different system or -media from the system being audited, run the following command: -$ sudo grep -i remote_server /etc/audit/audisp-remote.conf -The output should return something similar to -remote_server = - Is it the case that audispd is not sending logs to a remote system? + + Verify the audit logs are owned by "root". 
First, determine where the audit logs are stored with the following command: +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log +Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: +$ sudo stat -c "%n %U" /var/log/audit/audit.log +Audit logs must be owned by user root. +If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. + Is it the case that the audit log is not owned by root? - - To determine if the system is configured to audit unsuccessful calls -to the fchmod system call, run the following command: -$ sudo grep "fchmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the nosuid option is configured for the /opt mount point, + run the following command: + $ sudo mount | grep '\s/opt\s' + . . . /opt . . . nosuid . . . - Is it the case that no line is returned? + Is it the case that the "/opt" file system does not have the "nosuid" option set? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlinkat system call. 
- -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r unlinkat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep unlinkat /etc/audit/audit.rules - -The output should be the following: + + --a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete - Is it the case that the command does not return a line, or the line is commented out? - - - - To verify that Audit Daemon is configured to include local events, run the -following command: -$ sudo grep local_events /etc/audit/auditd.conf -The output should return the following: -local_events = yes - Is it the case that local_events isn't set to yes? +Run the following command to determine the current status of the +syslog-ng service: +$ sudo systemctl is-active syslog-ng +If the service is running, it should return the following: active + Is it the case that the "syslog-ng" service is disabled, masked, or not started.? - - To verify insecure file locking has been disabled, run the following command: -$ grep insecure_locks /etc/exports - Is it the case that there is output? + + Run the following command to determine if the systemd-journal-remote package is installed: $ rpm -q systemd-journal-remote + Is it the case that the package is not installed? 
- - To determine if negation is used to define commands users are allowed to execute using sudo, run the following command: -$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*' /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that /etc/sudoers file contains rules that define the set of allowed commands using negation? + + To verify that automatic logins are disabled, run the following command: +$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf +The output should show the following: +[daemon] +AutomaticLoginEnable=false + Is it the case that GDM allows users to automatically login? - - Verify that Red Hat Enterprise Linux 8 enforces a -day maximum password lifetime for new user accounts by running the following command: - -$ grep -i pass_max_days /etc/login.defs - -PASS_MAX_DAYS - Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out? + + Verify the umask setting is configured correctly in the /etc/profile file +or scripts within /etc/profile.d directory with the following command: +$ grep "umask" /etc/profile* +umask + Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", +or the "umask" parameter is missing or is commented out? - - The runtime status of the net.ipv4.conf.default.shared_media kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.shared_media -0. + + To verify that the installed operating system is supported or certified, run +the following command: - Is it the case that the correct value is not returned? +The output should contain something similar to: +Red Hat Enterprise Linux 8 + Is it the case that the installed operating system is not FIPS 140-2 certified? 
- - Verify the nosuid option is configured for the /var mount point, - run the following command: - $ sudo mount | grep '\s/var\s' - . . . /var . . . nosuid . . . - - Is it the case that the "/var" file system does not have the "nosuid" option set? + + +Run the following command to determine if the mozilla_plugin_use_spice SELinux boolean is disabled: +$ getsebool mozilla_plugin_use_spice +If properly configured, the output should show the following: +mozilla_plugin_use_spice --> off + Is it the case that mozilla_plugin_use_spice is not disabled? - - - -Run the following command to determine the current status of the -sshd service: -$ sudo systemctl is-active sshd -If the service is running, it should return the following: active - Is it the case that ? + + To check the group ownership of /etc/passwd-, +run the command: +$ ls -lL /etc/passwd- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/passwd- does not have a group owner of root? - - To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: - -$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config - -If a line indicating yes is returned, then the required value is set. + + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +$ sudo grep "fchmodat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the required value is not set? + Is it the case that no line is returned? - - -Run the following command to determine if the postgresql_selinux_users_ddl SELinux boolean is enabled: -$ getsebool postgresql_selinux_users_ddl -If properly configured, the output should show the following: -postgresql_selinux_users_ddl --> on - Is it the case that postgresql_selinux_users_ddl is not enabled? 
+ + Run the following command to determine if the openscap-scanner package is installed: $ rpm -q openscap-scanner + Is it the case that the package is not installed? - - To ensure that system location tracking is not active, run the following command: -$ gsettings get org.gnome.system.location enabled -$ gsettings get org.gnome.clocks geolocation -If properly configured, the output should be false. -To ensure that users cannot enable system location tracking, run the following: -$ grep location /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/system/location/enabled and /org/gnome/clocks/geolocation. - Is it the case that geolocation is enabled and not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_IPV6 /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - To check that the quota_nld service is disabled in system boot configuration, + + To check that the cups service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled quota_nld -Output should indicate the quota_nld service has either not been installed, +$ sudo systemctl is-enabled cups +Output should indicate the cups service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled quota_nld disabled +$ sudo systemctl is-enabled cups disabled -Run the following command to verify quota_nld is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active quota_nld +Run the following command to verify cups is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active cups If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the quota_nld is masked, run the following command: -$ sudo systemctl show quota_nld | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the cups is masked, run the following command: +$ sudo systemctl show cups | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "quota_nld" is loaded and not masked? + Is it the case that the "cups" is loaded and not masked? - - Check to see if Online Certificate Status Protocol (OCSP) -is enabled and using the proper digest value on the system with the following command: -$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#" -If configured properly, output should look like + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "poweroff" command with the following command: - certificate_verification = ocsp_dgst= +$ sudo auditctl -l | grep poweroff - Is it the case that certificate_verification in sssd is not configured? +-a always,exit -F path=/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff + Is it the case that the command does not return a line, or the line is commented out? - - The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_redirects -0. - - Is it the case that the correct value is not returned? + + To verify that the system will shutdown when auditd fails, +run the following command: +$ sudo grep "\-f " /etc/audit/audit.rules +The output should contain: +-f + Is it the case that the system is not configured to shutdown on auditd failures? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: - -$ sudo auditctl -l | grep pam_timestamp_check - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check - Is it the case that the command does not return a line, or the line is commented out? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To determine if the system is configured to audit calls to the -finit_module system call, run the following command: -$ sudo grep "finit_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved +key exchange algorithms are in use, run the following command: +$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config +The output should contain only following algorithms (or a subset) in the exact order: +CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' + Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order? - - To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: -$ grep -i macs /etc/crypto-policies/back-ends/openssh.config -and verify that the line matches: -MACs - Is it the case that Crypto Policy for OpenSSH client is not configured correctly? 
+ + Verify the nosuid option is configured for the /dev/shm mount point, + run the following command: + $ sudo mount | grep '\s/dev/shm\s' + . . . /dev/shm . . . nosuid . . . + + Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? - - Verify users are provided with feedback on when account accesses last occurred with the following command: + + To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: -$ sudo grep pam_lastlog /etc/pam.d/postlogin +$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config -session [default=1] pam_lastlog.so showfailed - Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file? +If a line indicating yes is returned, then the required value is set. + Is it the case that the display proxy is listening on wildcard address? - + -Run the following command to determine if the httpd_read_user_content SELinux boolean is disabled: -$ getsebool httpd_read_user_content +Run the following command to determine if the dbadm_manage_user_files SELinux boolean is disabled: +$ getsebool dbadm_manage_user_files If properly configured, the output should show the following: -httpd_read_user_content --> off - Is it the case that httpd_read_user_content is not disabled? +dbadm_manage_user_files --> off + Is it the case that dbadm_manage_user_files is not disabled? - - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -$ sudo grep "fchown" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the SELINUX on Red Hat Enterprise Linux 8 is using the policy with the following command: - Is it the case that no line is returned? +$ sestatus | grep policy + +Loaded policy name: + Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"? 
- - Verify the system-wide shared library files are group-owned by "root" with the following command: - -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; - Is it the case that any system wide shared library file is returned and is not group-owned by a required system account? + + Run the following command to determine if the cyrus-imapd package is installed: +$ rpm -q cyrus-imapd + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 security patches and updates are installed and up to date. -Updates are required to be applied with a frequency determined by organizational policy. - - -Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. -It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. - - -Check that the available package security updates have been installed on the system with the following command: - -$ sudo yum history list | more - -Loaded plugins: langpacks, product-id, subscription-manager -ID | Command line | Date and time | Action(s) | Altered -------------------------------------------------------------------------------- -70 | install aide | 2020-03-05 10:58 | Install | 1 -69 | update -y | 2020-03-04 14:34 | Update | 18 EE -68 | install vlc | 2020-02-21 17:12 | Install | 21 -67 | update -y | 2020-02-21 17:04 | Update | 7 EE - - -Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. - Is it the case that Red Hat Enterprise Linux 8 is in non-compliance with the organizational patching policy? + + To check the permissions of /etc/shadow-, +run the command: +$ ls -l /etc/shadow- +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/shadow- does not have unix mode ----------? 
- - Verify it by running the following command: -$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules - -/sbin/auditctl root -/sbin/aureport root -/sbin/ausearch root -/sbin/autrace root -/sbin/auditd root -/sbin/audispd root -/sbin/augenrules root - - -If the command does not return all the above lines, the missing ones -need to be added. + + To check if RekeyLimit is set correctly, run the +following command: -Run the following command to correct the permissions of the missing -entries: -$ sudo chown :root [audit_tool] +$ sudo grep RekeyLimit /etc/ssh/sshd_config -Replace "[audit_tool]" with each audit tool not group-owned by root. - Is it the case that ? +If configured properly, output should be +RekeyLimit + Is it the case that it is commented out or is not set? - - To check that the nftables service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled nftables -Output should indicate the nftables service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled nftables disabled - -Run the following command to verify nftables is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active nftables - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the nftables is masked, run the following command: -$ sudo systemctl show nftables | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "nftables" is loaded and not masked? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_HARDENED_USERCOPY_FALLBACK /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - The runtime status of the kernel.core_uses_pid kernel parameter can be queried -by running the following command: -$ sysctl kernel.core_uses_pid -0. - Is it the case that the returned line does not have a value of 0? + + To verify that DHCP is not being used, examine the following file for each interface: +# /etc/sysconfig/network-scripts/ifcfg-interface +Look for the following: +BOOTPROTO=none +and the following, substituting the appropriate values based on your site's addressing scheme: +NETMASK=255.255.255.0 +IPADDR=192.168.1.2 +GATEWAY=192.168.1.1 + Is it the case that it does not? - + -Run the following command to determine if the antivirus_use_jit SELinux boolean is disabled: -$ getsebool antivirus_use_jit +Run the following command to determine if the samba_enable_home_dirs SELinux boolean is disabled: +$ getsebool samba_enable_home_dirs If properly configured, the output should show the following: -antivirus_use_jit --> off - Is it the case that antivirus_use_jit is not disabled? +samba_enable_home_dirs --> off + Is it the case that samba_enable_home_dirs is not disabled? - - The file /etc/cron.deny should not exist. -This can be checked by runnig the following + + +Run the following command to determine if the selinuxuser_udp_server SELinux boolean is disabled: +$ getsebool selinuxuser_udp_server +If properly configured, the output should show the following: +selinuxuser_udp_server --> off + Is it the case that selinuxuser_udp_server is not disabled? 
+ + + + To check that the bluetooth service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled bluetooth +Output should indicate the bluetooth service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled bluetooth disabled -stat /etc/cron.deny +Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active bluetooth -and the output should be +If the service is not running the command will return the following output: +inactive -stat: cannot stat `/etc/cron.deny': No such file or directory +The service will also be masked, to check that the bluetooth is masked, run the following command: +$ sudo systemctl show bluetooth | grep "LoadState\|UnitFileState" - Is it the case that the file /etc/cron.deny exists? - - - - Inspect the list of enabled firewall ports and verify they are configured correctly by running -the following command: +If the service is masked the command will return the following outputs: -$ sudo firewall-cmd --list-all +LoadState=masked -Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. - Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured? - - - - -Run the following command to determine if the ftpd_use_fusefs SELinux boolean is disabled: -$ getsebool ftpd_use_fusefs -If properly configured, the output should show the following: -ftpd_use_fusefs --> off - Is it the case that ftpd_use_fusefs is not disabled? 
- - - - To verify the audispd's syslog plugin is active, run the following command: -$ sudo grep active /etc/audit/plugins.d/syslog.conf -If the plugin is active, the output will show yes. - Is it the case that it is not activated? - - - - -Run the following command to determine if the unconfined_login SELinux boolean is enabled: -$ getsebool unconfined_login -If properly configured, the output should show the following: -unconfined_login --> on - Is it the case that unconfined_login is not enabled? - - - - To check for legacy lines in /etc/group, run the following command: - grep '^\+' /etc/group -The command should not return any output. - Is it the case that the file contains legacy lines? - - - - Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved -key exchange algorithms are in use, run the following command: -$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config -The output should contain only following algorithms (or a subset) in the exact order: -CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' - Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order? +UnitFileState=masked + Is it the case that the "bluetooth" is loaded and not masked? 
@@ -377548,1814 +378000,1685 @@ $ sudo ps all | grep tmux | grep -v grep Is it the case that the command does not produce output? - - To check the permissions of /etc/issue, -run the command: -$ ls -l /etc/issue -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/issue does not have unix mode -rw-r--r--? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: - -$ sudo auditctl -l | grep su - --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su - Is it the case that the command does not return a line, or the line is commented out? - - - - To obtain a listing of all users, their UIDs, and their shells, run the command: -$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd -Identify the system accounts from this listing. These will primarily be the accounts with UID -numbers less than 1000, other than root. - Is it the case that any system account other than root has a login shell? + + Run the following command to determine if the scap-security-guide package is installed: $ rpm -q scap-security-guide + Is it the case that the package is not installed? - - To determine how the SSH daemon's LogLevel option is set, run the following command: - -$ sudo grep -i LogLevel /etc/ssh/sshd_config - -If a line indicating VERBOSE is returned, then the required value is set. + + Verify the system commands contained in the following directories are owned by "root" with the following command: - Is it the case that the required value is not set? - - - - To verify that there are no .shosts files -on the system, run the following command: -$ sudo find / -name '.shosts' - Is it the case that .shosts files exist? +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; + Is it the case that any system commands are found to not be owned by root? 
- + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLUB_DEBUG /boot/config.* + $ grep CONFIG_SLAB_FREELIST_RANDOM /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To determine if the system is configured to audit calls to the -adjtimex system call, run the following command: -$ sudo grep "adjtimex" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? - - - - -Run the following command to determine if the use_samba_home_dirs SELinux boolean is disabled: -$ getsebool use_samba_home_dirs -If properly configured, the output should show the following: -use_samba_home_dirs --> off - Is it the case that use_samba_home_dirs is not disabled? - - - + -Run the following command to determine if the mcelog_foreground SELinux boolean is disabled: -$ getsebool mcelog_foreground +Run the following command to determine if the user_exec_content SELinux boolean is enabled: +$ getsebool user_exec_content If properly configured, the output should show the following: -mcelog_foreground --> off - Is it the case that mcelog_foreground is not disabled? +user_exec_content --> on + Is it the case that user_exec_content is not enabled? - - To ensure there are no read-write users, run the following command: -$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep 'rwuser' -There should be no output. - Is it the case that there are users who can write to SNMP values? + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. 
+ +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r open /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - + - -Run the following command to determine the current status of the -firewalld service: -$ sudo systemctl is-active firewalld -If the service is running, it should return the following: active - Is it the case that the "firewalld" service is disabled, masked, or not started.? +Run the following command to determine if the cobbler_use_nfs SELinux boolean is disabled: +$ getsebool cobbler_use_nfs +If properly configured, the output should show the following: +cobbler_use_nfs --> off + Is it the case that cobbler_use_nfs is not disabled? - - Run the following command to determine if the scap-security-guide package is installed: $ rpm -q scap-security-guide - Is it the case that the package is not installed? + + If the system uses IPv6, this is not applicable. + +If the system is configured to prevent the usage of the ipv6 on +network interfaces, it will contain a line of the form: +net.ipv6.conf.all.disable_ipv6 = 1 +Such lines may be inside any file in the /etc/sysctl.d directory. 
+This permits insertion of the IPv6 kernel module (which other parts of the +system expect to be present), but otherwise keeps all network interfaces +from using IPv6. Run the following command to search for such lines in all +files in /etc/sysctl.d: +$ grep -r ipv6 /etc/sysctl.d + Is it the case that the ipv6 support is disabled on all network interfaces? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_HARDENED_USERCOPY_FALLBACK /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + +Run the following command to determine if the httpd_can_sendmail SELinux boolean is disabled: +$ getsebool httpd_can_sendmail +If properly configured, the output should show the following: +httpd_can_sendmail --> off + Is it the case that httpd_can_sendmail is not disabled? - - To check the group ownership of /etc/group-, + + To check the group ownership of /etc/ssh/*_key, run the command: -$ ls -lL /etc/group- +$ ls -lL /etc/ssh/*_key If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/group- does not have a group owner of root? - - - - To ensure disable and restart on the login screen are disabled, run the following command: -$ grep disable-restart-buttons /etc/dconf/db/gdm.d/* -The output should be true. -To ensure that users cannot enable disable and restart on the login screen, run the following: -$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons - Is it the case that disable-restart-buttons has not been configured or is not disabled? + Is it the case that /etc/ssh/*_key does not have a group owner of root? 
- - To determine how the SSH daemon's StrictModes option is set, run the following command: - -$ sudo grep -i StrictModes /etc/ssh/sshd_config + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one special character with the following command: -If a line indicating yes is returned, then the required value is set. +$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - Is it the case that the required value is not set? +ocredit = + Is it the case that value of "ocredit" is a positive number or is commented out? - - To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* + + +Run the following command to determine if the httpd_enable_ftp_server SELinux boolean is disabled: +$ getsebool httpd_enable_ftp_server +If properly configured, the output should show the following: +httpd_enable_ftp_server --> off + Is it the case that httpd_enable_ftp_server is not disabled? + + + + To determine if the system is configured to audit unsuccessful calls +to the fremovexattr system call, run the following command: +$ sudo grep "fremovexattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - The file permissions for all log files written by rsyslog should -be set to 640, or more restrictive. These log files are determined by the -second part of each Rule line in /etc/rsyslog.conf and typically -all appear in /var/log. To see the permissions of a given log -file, run the following command: -$ ls -l LOGFILE -The permissions should be 640, or more restrictive. - Is it the case that the permissions are not correct? 
- - - - To verify if SSLVerifyClient is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i sslverifyclient /etc/httpd/conf/httpd.conf -The command should return the following: -SSLVerifyClient require - Is it the case that it is not? + + To verify that clients cannot automatically update DNS records, perform the +following: +$ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-* +$ grep -rni "send host-name" /etc/dhclient.conf /etc/dhcp +The output should return no results. + Is it the case that client Dynamic DNS updates are not disabled? - - To check the ownership of /etc/ssh/*_key, -run the command: -$ ls -lL /etc/ssh/*_key -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/ssh/*_key does not have an owner of root? + + To determine if the system is configured to audit calls to the +mount system call, run the following command: +$ sudo grep "mount" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To verify if the OpenSSH Client uses defined Crypto Policy, run: -$ cat /etc/ssh/ssh_config.d/02-ospp.conf -and verify that the line matches -Match final all -RekeyLimit 512M 1h -GSSAPIAuthentication no -Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc -PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -MACs hmac-sha2-512,hmac-sha2-256 -KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 - Is it the case that Crypto Policy for OpenSSH Client is not configured according to CC requirements? + + Enter the following commands: + +grep Action /etc/httpd/conf/httpd.conf +grep AddHandler /etc/httpd/conf/httpd.conf + Is it the case that either of these exist and they configure csh, or any other shell as a viewer for documents? 
- - The runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter can be queried + + The runtime status of the net.ipv4.conf.default.shared_media kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.default.router_solicitations +$ sysctl net.ipv4.conf.default.shared_media 0. Is it the case that the correct value is not returned? - - Run the following command to determine if the sssd-ipa package is installed: $ rpm -q sssd-ipa - Is it the case that the package is not installed? - - - - -Run the following command to determine if the ssh_chroot_rw_homedirs SELinux boolean is disabled: -$ getsebool ssh_chroot_rw_homedirs -If properly configured, the output should show the following: -ssh_chroot_rw_homedirs --> off - Is it the case that ssh_chroot_rw_homedirs is not disabled? - - - + -Run the following command to determine if the cdrecord_read_content SELinux boolean is disabled: -$ getsebool cdrecord_read_content +Run the following command to determine if the virt_use_nfs SELinux boolean is disabled: +$ getsebool virt_use_nfs If properly configured, the output should show the following: -cdrecord_read_content --> off - Is it the case that cdrecord_read_content is not disabled? - - - - -If the system is configured to prevent the loading of the can kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r can /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? 
- - - - To check that the saslauthd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled saslauthd -Output should indicate the saslauthd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled saslauthd disabled - -Run the following command to verify saslauthd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active saslauthd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the saslauthd is masked, run the following command: -$ sudo systemctl show saslauthd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "saslauthd" is loaded and not masked? - - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules -The output has to be exactly as follows: -## Successful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change - Is it the case that the file does not exist or the content differs? - - - - To verify all files and directories in a local interactive user's -home directory have a valid owner, run the following command: -$ sudo ls -lLR /home/USER - Is it the case that the user ownership is incorrect? 
- - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_SG /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +virt_use_nfs --> off + Is it the case that virt_use_nfs is not disabled? - - To check that the ntpdate service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled ntpdate -Output should indicate the ntpdate service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled ntpdate disabled - -Run the following command to verify ntpdate is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active ntpdate - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the ntpdate is masked, run the following command: -$ sudo systemctl show ntpdate | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "ntpdate" is loaded and not masked? + + To check the group ownership of /etc/issue.net, +run the command: +$ ls -lL /etc/issue.net +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/issue.net does not have a group owner of root? - + -Run the following command to determine if the xguest_use_bluetooth SELinux boolean is disabled: -$ getsebool xguest_use_bluetooth +Run the following command to determine if the httpd_read_user_content SELinux boolean is disabled: +$ getsebool httpd_read_user_content If properly configured, the output should show the following: -xguest_use_bluetooth --> off - Is it the case that xguest_use_bluetooth is not disabled? 
+httpd_read_user_content --> off + Is it the case that httpd_read_user_content is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLAB_FREELIST_HARDENED /boot/config.* + $ grep CONFIG_RANDOMIZE_MEMORY /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/group)' - --w /etc/group -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? - - - + -Run the following command to determine if the pcp_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool pcp_bind_all_unreserved_ports +Run the following command to determine if the zabbix_can_network SELinux boolean is disabled: +$ getsebool zabbix_can_network If properly configured, the output should show the following: -pcp_bind_all_unreserved_ports --> off - Is it the case that pcp_bind_all_unreserved_ports is not disabled? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: - -$ sudo auditctl -l | grep gpasswd - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd - Is it the case that the command does not return a line, or the line is commented out? - - - - To verify .netrc file in interactive user home directory is -not group or world accessible", run the following command: -$ sudo ls -lLR /home/USER/.netrc - Is it the case that the group and world permissions are incorrect? +zabbix_can_network --> off + Is it the case that zabbix_can_network is not disabled? 
- - To determine if the system is configured to audit accesses to -/var/log/audit directory, run the following command: -$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules + + To determine if the system is configured to audit unsuccessful calls +to the lsetxattr system call, run the following command: +$ sudo grep "lsetxattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the openat system call with O_TRUNC_WRITE flag. - -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r openat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep openat /etc/audit/audit.rules + + To determine how the SSH daemon's Banner option is set, run the following command: -The output should be the following: +$ sudo grep -i Banner /etc/ssh/sshd_config --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? - - - - The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.icmp_echo_ignore_broadcasts -1. 
+If a line indicating /etc/issue.net is returned, then the required value is set. - Is it the case that the correct value is not returned? - - - - To verify that SSSD expires known SSH host keys, run the following command: -$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf -If configured properly, output should be -ssh_known_hosts_timeout = - Is it the case that it does not exist or is not configured properly? + Is it the case that the required value is not set? - - To check that the screen locks immediately when activated, run the following command: -$ gsettings get org.gnome.desktop.screensaver lock-delay -If properly configured, the output should be 'uint32 '. - Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />? + + To verify all accounts have unique names, run the following command: +$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d +No output should be returned. + Is it the case that a line is returned? - - Run the following command to determine if the nftables package is installed: $ rpm -q nftables - Is it the case that the package is not installed? + + Run the following command to determine if the talk-server package is installed: +$ rpm -q talk-server + Is it the case that the package is installed? - + -Run the following command to determine if the polipo_session_users SELinux boolean is disabled: -$ getsebool polipo_session_users -If properly configured, the output should show the following: -polipo_session_users --> off - Is it the case that polipo_session_users is not disabled? - - - - To verify that the log_config_module exists in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep log_config_module /etc/httpd/conf/httpd.conf -The output should return: -<IfModule log_config_module> - Is it the case that it is not? 
+ +Run the following command to determine the current status of the +chronyd service: +$ sudo systemctl is-active chronyd +If the service is running, it should return the following: active + + +Run the following command to determine the current status of the +ntpd service: +$ sudo systemctl is-active ntpd +If the service is running, it should return the following: active + Is it the case that ? - + -Run the following command to determine if the spamd_enable_home_dirs SELinux boolean is enabled: -$ getsebool spamd_enable_home_dirs +Run the following command to determine if the selinuxuser_direct_dri_enabled SELinux boolean is disabled: +$ getsebool selinuxuser_direct_dri_enabled If properly configured, the output should show the following: -spamd_enable_home_dirs --> on - Is it the case that spamd_enable_home_dirs is not enabled? +selinuxuser_direct_dri_enabled --> off + Is it the case that selinuxuser_direct_dri_enabled is not disabled? - + To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -$ sudo grep "unlinkat" /etc/audit/audit.* +fchown system call, run the following command: +$ sudo grep "fchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check that the netconsole service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled netconsole -Output should indicate the netconsole service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled netconsole disabled - -Run the following command to verify netconsole is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active netconsole - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the netconsole is masked, run the following command: -$ sudo systemctl show netconsole | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "netconsole" is loaded and not masked? - - - - To ensure ClientAliveInterval is set correctly, run the following command: -$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config -If properly configured, the output should be: -ClientAliveCountMax -For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when -the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout -functionality completely. -If the option is set to a number greater than 0, then the session will be disconnected after -ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. - Is it the case that it is commented out or not configured properly? - - - - To verify that auditing of privileged command use is configured, run the -following command: -$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/* -It should return a relevant line in the audit rules. - Is it the case that the command does not return a line, or the line is commented out? - - - - To check the permissions of /boot/grub2/user.cfg, -run the command: -$ ls -l /boot/grub2/user.cfg -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /boot/grub2/user.cfg does not have unix mode -rw-------? 
+ + To verify the LDAP client backend demands a valid certificate from the server in +remote LDAP access sessions, run the following command: +$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf +The output should return the following: +ldap_tls_reqcert = demand + Is it the case that the TLS reqcert is not set to demand? - - Inspect the password section of /etc/pam.d/system-auth -and ensure that the pam_unix.so module is configured to use the argument -sha512: + + To verify that TLS is configured properly in +/etc/httpd/conf.modules.d/ssl.conf, run the following command: +$ grep -i "sslengine\|sslprotocol" /etc/httpd/conf.d/ssl.conf +The output should return the following: -$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth +SSLEngine on +SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -password sufficient pam_unix.so sha512 - Is it the case that "sha512" is missing, or is commented out? + Is it the case that it is not? - - Run the following command to ensure that /var/tmp is configured as a -polyinstantiated directory: -$ sudo grep /var/tmp /etc/security/namespace.conf -The output should return the following: -/var/tmp /var/tmp/tmp-inst/ level root,adm - Is it the case that is not configured? + + The runtime status of the net.ipv6.conf.all.max_addresses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.max_addresses +1. + + Is it the case that the correct value is not returned? - - To verify that DHCP is not being used, examine the following file for each interface: -# /etc/sysconfig/network-scripts/ifcfg-interface -Look for the following: -BOOTPROTO=none -and the following, substituting the appropriate values based on your site's addressing scheme: -NETMASK=255.255.255.0 -IPADDR=192.168.1.2 -GATEWAY=192.168.1.1 - Is it the case that it does not? 
+ + Verify the audit system prevents unauthorized changes with the following command: + +$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 +-e 2 + + Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? - + -Run the following command to determine if the xend_run_qemu SELinux boolean is enabled: -$ getsebool xend_run_qemu +Run the following command to determine if the postgresql_selinux_users_ddl SELinux boolean is enabled: +$ getsebool postgresql_selinux_users_ddl If properly configured, the output should show the following: -xend_run_qemu --> on - Is it the case that xend_run_qemu is not enabled? +postgresql_selinux_users_ddl --> on + Is it the case that postgresql_selinux_users_ddl is not enabled? - + -Run the following command to determine if the sge_use_nfs SELinux boolean is disabled: -$ getsebool sge_use_nfs +Run the following command to determine if the logadm_exec_content SELinux boolean is enabled: +$ getsebool logadm_exec_content If properly configured, the output should show the following: -sge_use_nfs --> off - Is it the case that sge_use_nfs is not disabled? +logadm_exec_content --> on + Is it the case that logadm_exec_content is not enabled? - - Run the following command to determine if the setroubleshoot-server package is installed: -$ rpm -q setroubleshoot-server - Is it the case that the package is installed? + + +Run the following command to determine if the ksmtuned_use_nfs SELinux boolean is disabled: +$ getsebool ksmtuned_use_nfs +If properly configured, the output should show the following: +ksmtuned_use_nfs --> off + Is it the case that ksmtuned_use_nfs is not disabled? - - To determine if the system is configured to audit unsuccessful calls -to the fchown system call, run the following command: -$ sudo grep "fchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. 
+ + Verify the nodev option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . nodev . . . - Is it the case that no line is returned? + Is it the case that the "/boot" file system does not have the "nodev" option set? - - -Run the following command to determine if the cluster_manage_all_files SELinux boolean is disabled: -$ getsebool cluster_manage_all_files -If properly configured, the output should show the following: -cluster_manage_all_files --> off - Is it the case that cluster_manage_all_files is not disabled? + + Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. + +Check which action Red Hat Enterprise Linux 8 takes when the audit storage volume is full with the following command: + +$ sudo grep max_log_file_action /etc/audit/auditd.conf +max_log_file_action = + Is it the case that the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pt_chown" command with the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: -$ sudo auditctl -l | grep pt_chown +$ sudo auditctl -l | grep /etc/sudoers --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pt_chown +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - - Verify the noexec option is configured for the /var/log mount point, + + Verify the noexec option is configured for the /var/log/audit mount point, run the following command: - $ sudo mount | grep '\s/var/log\s' - . . . /var/log . . . noexec . . . + $ sudo mount | grep '\s/var/log/audit\s' + . . . /var/log/audit . . . 
noexec . . . - Is it the case that the "/var/log" file system does not have the "noexec" option set? + Is it the case that the "/var/log/audit" file system does not have the "noexec" option set? - - Run the following command to determine if the rng-tools package is installed: $ rpm -q rng-tools - Is it the case that the package is not installed? + + To determine if logfile has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that logfile is not enabled in sudo? - - Run the following command to check if the line is present: -grep pam_wheel /etc/pam.d/su -The output should contain the following line: -auth required pam_wheel.so use_uid - Is it the case that the line is not in the file or it is commented? + + Verify that a separate file system/partition has been created for /dev/shm with the following command: + +$ mountpoint /dev/shm + + Is it the case that "/dev/shm is not a mountpoint" is returned? - - The file /etc/at.deny should not exist. -This can be checked by running the following + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42.rules +The output has to be exactly as follows: +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. 
These rules depends on having +## the following rule files copied to /etc/audit/rules.d: +## +## 10-base-config.rules, 11-loginuid.rules, +## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, +## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, +## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, +## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, +## 30-ospp-v42-5-perm-change-failed.rules, +## 30-ospp-v42-5-perm-change-success.rules, +## 30-ospp-v42-6-owner-change-failed.rules, +## 30-ospp-v42-6-owner-change-success.rules +## +## original copies may be found in /usr/share/audit/sample-rules/ -stat /etc/at.deny -and the output should be +## User add delete modify. This is covered by pam. However, someone could +## open a file and directly create or modify a user, so we'll watch passwd and +## shadow for writes +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -stat: cannot stat `/etc/at.deny': No such file or directory +## User enable and disable. 
This is entirely handled by pam. - Is it the case that the file /etc/at.deny exists? - - - - -Run the following command to determine if the saslauthd_read_shadow SELinux boolean is disabled: -$ getsebool saslauthd_read_shadow -If properly configured, the output should show the following: -saslauthd_read_shadow --> off - Is it the case that saslauthd_read_shadow is not disabled? +## Group add delete modify. This is covered by pam. However, someone could +## open a file and directly create or modify a user, so we'll watch group and +## gshadow for writes +-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify +-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify + + +## Use of special rights for config changes. This would be use of setuid +## programs that relate to user accts. This is not all setuid apps because +## requirements are only for ones that affect system configuration. 
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + +## Privilege escalation via su or sudo. This is entirely handled by pam. + +## Watch for configuration changes to privilege escalation. 
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes +-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes + +## Audit log access +-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail +## Attempts to Alter Process and Session Initiation Information +-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session + +## Attempts to modify MAC controls +-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy + +## Software updates. This is entirely handled by rpm. + +## System start and shutdown. This is entirely handled by systemd + +## Kernel Module loading. This is handled in 43-module-load.rules + +## Application invocation. The requirements list an optional requirement +## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to +## state results from that policy. This would be handled entirely by +## that daemon. + Is it the case that the file does not exist or the content differs? - - -Run the following command to determine if the httpd_can_network_relay SELinux boolean is disabled: -$ getsebool httpd_can_network_relay -If properly configured, the output should show the following: -httpd_can_network_relay --> off - Is it the case that httpd_can_network_relay is not disabled? + + Verify Red Hat Enterprise Linux 8 is configured to lock an account until released by an administrator +after unsuccessful logon +attempts with the command: + + +$ grep 'unlock_time =' /etc/security/faillock.conf +unlock_time = + Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />", +the line is missing, or commented out? 
- - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + + Verify that Red Hat Enterprise Linux 8 contains no duplicate User IDs (UIDs) for interactive users. -$ sudo auditctl -l | grep/etc/sudoers.d +Check that the operating system contains no duplicate UIDs for interactive users with the following command: --w /etc/sudoers.d/ -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? +$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd + Is it the case that output is produced and the accounts listed are interactive user accounts? - - The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried -by running the following command: -$ sysctl kernel.kexec_load_disabled -1. + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one lower-case character. - Is it the case that the correct value is not returned? +Check the value for "lcredit" with the following command: + +$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +/etc/security/pwquality.conf:lcredit = -1 + Is it the case that the value of "lcredit" is a positive number or is commented out? - - Run the following command to determine if the abrt-plugin-rhtsupport package is installed: -$ rpm -q abrt-plugin-rhtsupport - Is it the case that the package is installed? + + +Run the following command to determine if the authlogin_yubikey SELinux boolean is disabled: +$ getsebool authlogin_yubikey +If properly configured, the output should show the following: +authlogin_yubikey --> off + Is it the case that authlogin_yubikey is not disabled? 
- - To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: - -$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config - -If a line indicating yes is returned, then the required value is set. + + The runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_defrtr +0. - Is it the case that the required value is not set? + Is it the case that the correct value is not returned? - - To verify the local initialization files of all local interactive users are group- -owned by the appropriate user, inspect the primary group of the respective -users in /etc/passwd and verify all initialization files under the -respective users home directory. Check the group owner of all local interactive users -initialization files. - Is it the case that they are not? + + To ensure that WIFI connections caanot be created, run the following command: +$ gsettings get org.gnome.nm-applet disable-wifi-create +If properly configured, the output should be true. +To ensure that users cannot enable WIFI connection creation, run the following: +$ grep wifi-create /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/nm-applet/disable-wifi-create + Is it the case that WIFI connections can be created through GNOME? - - To ensure smart card authentication on the login screen is enabled, run the following command: -$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/* -The output should be true. -To ensure that users cannot disable smart card authentication on the login screen, run the following: -$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication - Is it the case that enable-smartcard-authentication has not been configured or is disabled? 
+ + To check the permissions of /etc/http/conf/*, +run the command: +$ ls -l /etc/http/conf/* +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/http/conf/* does not have unix mode -rw-r-----? - - To check that the rdisc service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rdisc -Output should indicate the rdisc service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rdisc disabled + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open_by_handle_at system call with O_TRUNC_WRITE flag. -Run the following command to verify rdisc is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rdisc +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -If the service is not running the command will return the following output: -inactive +$ sudo grep -r open_by_handle_at /etc/audit/rules.d -The service will also be masked, to check that the rdisc is masked, run the following command: -$ sudo systemctl show rdisc | grep "LoadState\|UnitFileState" +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -If the service is masked the command will return the following outputs: +$ sudo grep open_by_handle_at /etc/audit/audit.rules -LoadState=masked +The output should be the following: -UnitFileState=masked - Is it the case that the "rdisc" is loaded and not masked? 
+-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + Is it the case that the command does not return a line, or the line is commented out? - - The following command will list which files on the system have permissions different from what -is expected by the RPM database: -$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' - Is it the case that there is output? + + To check the permissions of /usr/bin/sudo, +run the command: +$ ls -l /usr/bin/sudo +If properly configured, the output should indicate the following permissions: +---s--x--- + Is it the case that /usr/bin/sudo does not have unix mode ---s--x---? - - To check that the bluetooth service is disabled in system boot configuration, + + +Run the following command to determine if the httpd_dbus_sssd SELinux boolean is disabled: +$ getsebool httpd_dbus_sssd +If properly configured, the output should show the following: +httpd_dbus_sssd --> off + Is it the case that httpd_dbus_sssd is not disabled? + + + + Verify the operating system requires re-authentication +when using the "sudo" command to elevate privileges, run the following command: +sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d +The output should be: +/etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number. +If conflicting results are returned, this is a finding. + Is it the case that timestamp_timeout is not set with the appropriate value for sudo? 
+ + + + To check that the snmpd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled bluetooth -Output should indicate the bluetooth service has either not been installed, +$ sudo systemctl is-enabled snmpd +Output should indicate the snmpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled bluetooth disabled +$ sudo systemctl is-enabled snmpd disabled -Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active bluetooth +Run the following command to verify snmpd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active snmpd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the bluetooth is masked, run the following command: -$ sudo systemctl show bluetooth | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the snmpd is masked, run the following command: +$ sudo systemctl show snmpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "bluetooth" is loaded and not masked? + Is it the case that the "snmpd" is loaded and not masked? - - The following command will discover and print any -files on local partitions which do not belong to a valid group. -$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup + + +If the system is configured to prevent the loading of the iwlwifi kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
-Either remove all files and directories from the system that do not have a valid group, -or assign a valid group with the chgrp command: -$ sudo chgrp group file - Is it the case that there is output? +These lines can also instruct the module loading system to ignore the iwlwifi kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r iwlwifi /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To check the group ownership of /etc/issue.net, + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules +The output has to be exactly as follows: +## Successful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + Is it the case that the file does not exist or the content differs? + + + + To check the permissions of /etc/cron.allow, run the command: -$ ls -lL /etc/issue.net +$ ls -l /etc/cron.allow +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/cron.allow does not have unix mode -rw-------? 
+ + + + To check the system for the existence of any .forward files, +run the following command: +$ sudo find /home -xdev -name .forward + Is it the case that any .forward files exist? + + + + To check the group ownership of /var/log/syslog, +run the command: +$ ls -lL /var/log/syslog If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/issue.net does not have a group owner of root? +adm + Is it the case that /var/log/syslog does not have a group owner of adm? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLAB_FREELIST_RANDOM /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_redirects +0. + + Is it the case that the correct value is not returned? - - Verify that authselect is enabled by running -authselect current -If authselect is enabled on the system, the output should show the ID of the profile which is currently in use. - Is it the case that authselect is not used to manage user authentication setup on the system? + + To determine if the system is configured to audit unsuccessful calls +to the fchmod system call, run the following command: +$ sudo grep "fchmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To determine that AIDE is verifying extended file attributes, run the following command: -$ grep xattrs /etc/aide.conf -Verify that the xattrs option is added to the correct ruleset. - Is it the case that the xattrs option is missing or not added to the correct ruleset? 
+ + Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command: + +$ grep -i storage /etc/systemd/coredump.conf + +Storage=none + Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? - + + +Run the following command to determine if the samba_load_libgfapi SELinux boolean is disabled: +$ getsebool samba_load_libgfapi +If properly configured, the output should show the following: +samba_load_libgfapi --> off + Is it the case that samba_load_libgfapi is not disabled? + + + Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes page_poison=1, +in /etc/default/grub. If it includes l1tf=, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled: $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*l1tf=.*' /etc/default/grub If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +$ sudo grep 'GRUB_CMDLINE_LINUX.*l1tf=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1' +$ sudo grubby --info=ALL | grep args | grep -v 'l1tf=' The command should not return any output. - Is it the case that page allocator poisoning is not enabled? + Is it the case that l1tf mitigations are not configured appropriately? 
- - Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. - -Check the value of the system inactivity timeout with the following command: - -$ grep -i lock-after-time /etc/tmux.conf - -set -g lock-after-time 900 - -Then, verify that the /etc/tmux.conf file can be read by other users than root: - -$ sudo ls -al /etc/tmux.conf - Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? + + To check if the installed Operating System is 64-bit, run the following command: +$ uname -m +The output should be one of the following: x86_64, aarch64, ppc64le or s390x. +If the output is i686 or i386 the operating system is 32-bit. +Check if the installed CPU supports 64-bit operating systems by running the following command: +$ lscpu | grep "CPU op-mode" +If the output contains 64bit, the CPU supports 64-bit operating systems. + Is it the case that the installed operating sytem is 32-bit but the CPU supports operation in 64-bit? - - To check the current idle time-out value, run the following command: -$ gsettings get org.gnome.desktop.session idle-delay -If properly configured, the output should be 'uint32 '. -To ensure that users cannot change the screensaver inactivity timeout setting, run the following: -$ grep idle-delay /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/session/idle-delay - Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />? + + +Run the following command to determine if the haproxy_connect_any SELinux boolean is disabled: +$ getsebool haproxy_connect_any +If properly configured, the output should show the following: +haproxy_connect_any --> off + Is it the case that haproxy_connect_any is not disabled? - - The tftp package can be removed with the following command: $ sudo yum erase tftp - Is it the case that ? 
+ + To check the ownership of /etc/cron.hourly, +run the command: +$ ls -lL /etc/cron.hourly +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.hourly does not have an owner of root? - - Verify the TFTP daemon is configured to operate in secure mode. - -Check if a TFTP server is installed with the following command: - -$ rpm -qa | grep tftp - - -If a TFTP server is not installed, this is Not Applicable. - - -If a TFTP server is installed, verify TFTP is configured by with -the -s option by running the following command: - -grep "server_args" /etc/xinetd.d/tftp -server_args = -s - Is it the case that '"server_args" line does not have a "-s" option, and a subdirectory is not assigned'? + + +Run the following command to determine if the samba_share_fusefs SELinux boolean is disabled: +$ getsebool samba_share_fusefs +If properly configured, the output should show the following: +samba_share_fusefs --> off + Is it the case that samba_share_fusefs is not disabled? - - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: - -$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf - -The output should be: - -/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 - Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? + + +Run the following command to determine if the sanlock_use_samba SELinux boolean is disabled: +$ getsebool sanlock_use_samba +If properly configured, the output should show the following: +sanlock_use_samba --> off + Is it the case that sanlock_use_samba is not disabled? 
- - Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: - sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' -or if cvtsudoers not supported: - sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; -If no results are returned, this is a finding. -If conflicting results are returned, this is a finding. -If "Defaults !targetpw" is not defined, this is a finding. -If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding. - Is it the case that invoke user passwd when using sudo? + + Inspect /etc/audit/auditd.conf and locate the following line to +determine how many logs the system is configured to retain after rotation: +$ sudo grep num_logs /etc/audit/auditd.conf +num_logs = 5 + Is it the case that the system log file retention has not been properly configured? - - Verify the operating system requires re-authentication -when using the "sudo" command to elevate privileges, run the following command: -sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d -The output should be: -/etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number. -If conflicting results are returned, this is a finding. - Is it the case that timestamp_timeout is not set with the appropriate value for sudo? + + To ensure TLS is configured with trust certificates, run the following command: +$ grep cert /etc/nslcd.conf + Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? - - The following command will discover and print world-writable directories that -are not owned by root. 
Run it once for each local partition PART: -$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print - Is it the case that there are world-writable directories not owned by root? + + Run the following command to determine if the abrt-cli package is installed: +$ rpm -q abrt-cli + Is it the case that the package is installed? - - Inspect /etc/default/grub for any instances of -systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. -Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates -that interactive boot is enabled at boot time and verify that -GRUB_DISABLE_RECOVERY=true to disable recovery boot. - Is it the case that Interactive boot is enabled at boot time? + + Verify Red Hat Enterprise Linux 8 disables network management of the chrony daemon with the following command: +$ grep -w cmdport /etc/chrony.conf +cmdport 0 + Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing? - - -To properly set the owner of /etc/audit/, run the command: -$ sudo chown root /etc/audit/ + + Verify that rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below. -To properly set the owner of /etc/audit/rules.d/, run the command: -$ sudo chown root /etc/audit/rules.d/ - Is it the case that ? + If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". + If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. 
+ + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + If the system is 64 bit then also add the following lines: + + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + Is it the case that the rules are in a different order? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes iommu=force, -then the parameter will be configured for newly installed kernels. 
-First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*iommu=force.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*iommu=force.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'iommu=force' -The command should not return any output. - Is it the case that I/OMMU is not activated? + + +Run the following command to determine if the openshift_use_nfs SELinux boolean is disabled: +$ getsebool openshift_use_nfs +If properly configured, the output should show the following: +openshift_use_nfs --> off + Is it the case that openshift_use_nfs is not disabled? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules -The output has to be exactly as follows: -## Successful ownership change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change - Is it the case that the file does not exist or the content differs? + + Run the following command to determine if the abrt-plugin-sosreport package is installed: +$ rpm -q abrt-plugin-sosreport + Is it the case that the package is installed? 
- - To verify the boot loader superuser account has been set, run the following -command: -sudo grep -A1 "superusers" /boot/efi/EFI/redhat/grub.cfg -The output should show the following: -set superusers="superusers-account" -export superusers -where superusers-account is the actual account name different from common names like root, -admin, or administrator and different from any other existing user name. - Is it the case that superuser account is not set or is set to an existing name or to a common name? + + Run the following command to determine if the cronie-anacron package is installed: +$ rpm -q cronie-anacron + Is it the case that the package is installed? - - Ensure that Red Hat Enterprise Linux 8 does not disable SELinux. + + To determine if the system is configured to audit calls to the +finit_module system call, run the following command: +$ sudo grep "finit_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -Check if "SELinux" is active and in "enforcing" or "permissive" mode with the following command: + Is it the case that no line is returned? + + + + +Run the following command to determine if the domain_kernel_load_modules SELinux boolean is disabled: +$ getsebool domain_kernel_load_modules +If properly configured, the output should show the following: +domain_kernel_load_modules --> off + Is it the case that domain_kernel_load_modules is not disabled? + + + + To determine if the system is configured to audit successful calls +to the lchown system call, run the following command: +$ sudo grep "lchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo getenforce -Enforcing --OR- -Permissive - Is it the case that SELinux is disabled? + Is it the case that no line is returned? 
- - To determine if the system is configured to audit account changes, -run the following command: -auditctl -l | grep -E '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' -If the system is configured to watch for account changes, lines should be returned for -each file specified (and with perm=wa for each). - Is it the case that the system is not configured to audit account changes? + + To verify that Audit Daemon is configured to include local events, run the +following command: +$ sudo grep local_events /etc/audit/auditd.conf +The output should return the following: +local_events = yes + Is it the case that local_events isn't set to yes? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STRICT_KERNEL_WRX /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + The runtime status of the kernel.pid_max kernel parameter can be queried +by running the following command: +$ sysctl kernel.pid_max +65536. + + Is it the case that the correct value is not returned? - - Check that no boot image file is specified in /etc/zipl.conf: -grep -R "^image\s*=" /etc/zipl.conf -No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. - Is it the case that a non BLS boot entry is configured? + + To ensure that system location tracking is not active, run the following command: +$ gsettings get org.gnome.system.location enabled +$ gsettings get org.gnome.clocks geolocation +If properly configured, the output should be false. +To ensure that users cannot enable system location tracking, run the following: +$ grep location /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/system/location/enabled and /org/gnome/clocks/geolocation. + Is it the case that geolocation is enabled and not disabled? 
- - -Run the following command to determine if the named_write_master_zones SELinux boolean is disabled: -$ getsebool named_write_master_zones -If properly configured, the output should show the following: -named_write_master_zones --> off - Is it the case that named_write_master_zones is not disabled? + + Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: + +$ sudo grep audit /etc/security/faillock.conf + +audit + Is it the case that the "audit" option is not set, is missing or commented out? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes slub_debug=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug=' -The command should not return any output. - Is it the case that SLUB/SLAB poisoning is not enabled? + + To ensure that the system prevents messages from being shown when three unsuccessful logon +attempts occur, run the following command: +$ grep silent /etc/security/faillock.conf +The output should show silent. + Is it the case that the system shows messages when three unsuccessful logon attempts occur? - + +If the system is configured to prevent the loading of the mac80211 kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. 
+These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -Run the following command to determine the current status of the -auditd service: -$ sudo systemctl is-active auditd -If the service is running, it should return the following: active - Is it the case that the auditd service is not running? +These lines can also instruct the module loading system to ignore the mac80211 kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r mac80211 /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To determine if ignore_dot has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\bignore_dot\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that ignore_dot is not enabled in sudo? + + +Run the following command to determine if the smartmon_3ware SELinux boolean is disabled: +$ getsebool smartmon_3ware +If properly configured, the output should show the following: +smartmon_3ware --> off + Is it the case that smartmon_3ware is not disabled? - + -Run the following command to determine if the selinuxuser_direct_dri_enabled SELinux boolean is disabled: -$ getsebool selinuxuser_direct_dri_enabled +Run the following command to determine if the conman_can_network SELinux boolean is disabled: +$ getsebool conman_can_network If properly configured, the output should show the following: -selinuxuser_direct_dri_enabled --> off - Is it the case that selinuxuser_direct_dri_enabled is not disabled? +conman_can_network --> off + Is it the case that conman_can_network is not disabled? 
- + -Run the following command to determine if the httpd_setrlimit SELinux boolean is disabled: -$ getsebool httpd_setrlimit +Run the following command to determine if the glance_use_fusefs SELinux boolean is disabled: +$ getsebool glance_use_fusefs If properly configured, the output should show the following: -httpd_setrlimit --> off - Is it the case that httpd_setrlimit is not disabled? +glance_use_fusefs --> off + Is it the case that glance_use_fusefs is not disabled? - - Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: - -$ sudo firewall-cmd --state + + To verify Certmap is enabled in SSSD, run the following command: +$ sudo cat /etc/sssd/sssd.conf +If configured properly, output should contain section like the following -running +[certmap/testing.test/rule_name] +matchrule =<SAN>.*EDIPI@mil +maprule = (userCertificate;binary={cert!bin}) +domains = testing.test -$ sudo firewall-cmd --get-active-zones + Is it the case that Certmap is not configured in SSSD? + + + + To verify that the DConf User profile is configured correctly, run the following +command: -[custom] -interfaces: ens33 +$ cat /etc/dconf/profile/user +The output should show the following: +user-db:user +system-db:local +system-db:site +system-db:distro + Is it the case that DConf User profile does not exist or is not configured correctly? + + + + Verify Red Hat Enterprise Linux 8 removes all software components after updated versions have been installed. -$ sudo firewall-cmd --info-zone=[custom] | grep target -target: DROP - Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"? +$ grep clean_requirements_on_remove /etc/yum.conf +clean_requirements_on_remove=1 + Is it the case that '"clean_requirements_on_remove" is not set to "1"'? 
- - The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.secure_redirects -0. + + +Run the following command to determine if the selinuxuser_ping SELinux boolean is enabled: +$ getsebool selinuxuser_ping +If properly configured, the output should show the following: +selinuxuser_ping --> on + Is it the case that selinuxuser_ping is not enabled? + + + + +Run the following command to determine if the httpd_enable_cgi SELinux boolean is disabled: +$ getsebool httpd_enable_cgi +If properly configured, the output should show the following: +httpd_enable_cgi --> off + Is it the case that httpd_enable_cgi is not disabled? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling automount +If properly configured, the output for automount should be false. +To ensure that users cannot enable automount in GNOME3, run the following: +$ grep 'automount' /etc/dconf/db/local.d/locks/* +If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount + Is it the case that GNOME automounting is not disabled? + + + + To determine if the system is configured to audit successful calls +to the rename system call, run the following command: +$ sudo grep "rename" /etc/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the correct value is not returned? + Is it the case that no line is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_FORTIFY_SOURCE /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command; +sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that does not enable poisoning. + Is it the case that SLUB/SLAB poisoning is not enabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + + +Run the following command to determine if the selinuxuser_use_ssh_chroot SELinux boolean is disabled: +$ getsebool selinuxuser_use_ssh_chroot +If properly configured, the output should show the following: +selinuxuser_use_ssh_chroot --> off + Is it the case that selinuxuser_use_ssh_chroot is not disabled? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep postdrop --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? - - The owner of all log files written by rsyslog should be + + Verify it by running the following command: +$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules -root. +/sbin/auditctl root +/sbin/aureport root +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root +/sbin/augenrules root -These log files are determined by the second part of each Rule line in -/etc/rsyslog.conf and typically all appear in /var/log. -To see the owner of a given log file, run the following command: -$ ls -l LOGFILE - Is it the case that the owner is not correct? 
- - - - To determine how the SSH daemon's Banner option is set, run the following command: -$ sudo grep -i Banner /etc/ssh/sshd_config +If the command does not return all the above lines, the missing ones +need to be added. -If a line indicating /etc/issue.net is returned, then the required value is set. +Run the following command to correct the permissions of the missing +entries: +$ sudo chown :root [audit_tool] - Is it the case that the required value is not set? +Replace "[audit_tool]" with each audit tool not group-owned by root. + Is it the case that ? - - To check which SSH protocol version is allowed, check version of openssh-server with following command: - -$ rpm -qi openssh-server | grep Version + + The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried +by running the following command: +$ sysctl net.core.bpf_jit_harden +2. -Versions equal to or higher than 7.4 only allow Protocol 2. -If version is lower than 7.4, run the following command to check configuration: -$ sudo grep Protocol /etc/ssh/sshd_config -If configured properly, output should be Protocol 2 - Is it the case that it is commented out or is not set correctly to Protocol 2? + Is it the case that the correct value is not returned? - - Verify the grpquota option is configured for the /home mount point, + + Verify the nosuid option is configured for the /var mount point, run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . grpquota . . . + $ sudo mount | grep '\s/var\s' + . . . /var . . . nosuid . . . - Is it the case that the "/home" file system does not have the "grpquota" option set? - - - - To check the ownership of /etc/gshadow, -run the command: -$ ls -lL /etc/gshadow -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/gshadow does not have an owner of root? 
- - - - To check that SELinux is not disabled at boot time; -Check that no boot entry disables selinux: -sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that disables SELinux. - Is it the case that SELinux is disabled at boot time? + Is it the case that the "/var" file system does not have the "nosuid" option set? - - -Run the following command to determine if the git_session_users SELinux boolean is disabled: -$ getsebool git_session_users -If properly configured, the output should show the following: -git_session_users --> off - Is it the case that git_session_users is not disabled? + + To verify that there are no unauthorized local user accounts, run the following command: +$ less /etc/passwd +Inspect the results, and if unauthorized local user accounts exist, remove them by running +the following command: +$ sudo userdel unauthorized_user + Is it the case that there are unauthorized local user accounts on the system? - - Verify the noexec option is configured for the /tmp mount point, - run the following command: - $ sudo mount | grep '\s/tmp\s' - . . . /tmp . . . noexec . . . + + Verify Red Hat Enterprise Linux 8 audits execution as another user. - Is it the case that the "/tmp" file system does not have the "noexec" option set? - - - - +Check if Red Hat Enterprise Linux 8 is configured to audit the execution of the "execve" system call using the following command: -Run the following command to determine the current status of the -fapolicyd service: -$ sudo systemctl is-active fapolicyd -If the service is running, it should return the following: active - Is it the case that the service is not enabled? - - - - -Run the following command to determine if the staff_use_svirt SELinux boolean is disabled: -$ getsebool staff_use_svirt -If properly configured, the output should show the following: -staff_use_svirt --> off - Is it the case that staff_use_svirt is not disabled? 
+$ sudo grep execve /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation +-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset-k user_emulation + Is it the case that the command does not return all lines, or the lines are commented out? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_FORCE /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.log_martians +1. + + Is it the case that the correct value is not returned? - + -Run the following command to determine if the openvpn_can_network_connect SELinux boolean is disabled: -$ getsebool openvpn_can_network_connect +Run the following command to determine if the polipo_session_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool polipo_session_bind_all_unreserved_ports If properly configured, the output should show the following: -openvpn_can_network_connect --> off - Is it the case that openvpn_can_network_connect is not disabled? +polipo_session_bind_all_unreserved_ports --> off + Is it the case that polipo_session_bind_all_unreserved_ports is not disabled? - - Run the following command to determine if the geolite2-city package is installed: -$ rpm -q geolite2-city - Is it the case that the package is installed? + + To check the minimum password length, run the command: +$ grep PASS_MIN_LEN /etc/login.defs +The DoD requirement is 15. + Is it the case that it is not set to the required value? 
- - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check if pam_pwquality.so is enabled in system-auth, run the following command: +$ grep pam_pwquality /etc/pam.d/system-auth +The output should be similar to the following: +password requisite pam_pwquality.so + Is it the case that pam_pwquality.so is not enabled in system-auth? - - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the unprivuser_use_svirt SELinux boolean is disabled: +$ getsebool unprivuser_use_svirt +If properly configured, the output should show the following: +unprivuser_use_svirt --> off + Is it the case that unprivuser_use_svirt is not disabled? - + -To ensure the login warning banner text is properly set, run the following: -$ grep banner-message-text /etc/dconf/db/gdm.d/* -If properly configured, the proper banner text will appear. -To ensure the login warning banner text is locked and cannot be changed by a user, run the following: -$ grep banner-message-text /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/banner-message-text. - Is it the case that it does not? +Run the following command to determine if the saslauthd_read_shadow SELinux boolean is disabled: +$ getsebool saslauthd_read_shadow +If properly configured, the output should show the following: +saslauthd_read_shadow --> off + Is it the case that saslauthd_read_shadow is not disabled? 
- - To check that the abrtd service is disabled in system boot configuration, + + To check that the portreserve service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled abrtd -Output should indicate the abrtd service has either not been installed, +$ sudo systemctl is-enabled portreserve +Output should indicate the portreserve service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled abrtd disabled +$ sudo systemctl is-enabled portreserve disabled -Run the following command to verify abrtd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active abrtd +Run the following command to verify portreserve is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active portreserve If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the abrtd is masked, run the following command: -$ sudo systemctl show abrtd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the portreserve is masked, run the following command: +$ sudo systemctl show portreserve | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "abrtd" is loaded and not masked? - - - - -Run the following command to determine if the swift_can_network SELinux boolean is disabled: -$ getsebool swift_can_network -If properly configured, the output should show the following: -swift_can_network --> off - Is it the case that swift_can_network is not disabled? + Is it the case that the "portreserve" is loaded and not masked? - - If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. 
- -This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. - -This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. - -For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. - -For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. - -If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: - -Verify the operating system disables the ability to load the uvcvideo kernel module. - -$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" + + The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.rp_filter +1. -install uvcvideo /bin/true - Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? - - - - Run the following command to determine if the talk package is installed: -$ rpm -q talk - Is it the case that the package is installed? + Is it the case that the correct value is not returned? - - To check the group ownership of /etc/cron.daily, + + To check the group ownership of /etc/passwd, run the command: -$ ls -lL /etc/cron.daily +$ ls -lL /etc/passwd If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/cron.daily does not have a group owner of root? + Is it the case that /etc/passwd does not have a group owner of root? 
- - To verify that a remote NTP service is configured for time synchronization, -open the following file: - -/etc/chrony.conf in the case the system in question is -configured to use the chronyd as the NTP daemon (default setting) -/etc/ntp.conf in the case the system in question is configured -to use the ntpd as the NTP daemon - -In the file, there should be a section similar to the following: -server ntpserver - Is it the case that this is not the case? + + To verify that SSSD expires known SSH host keys, run the following command: +$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf +If configured properly, output should be +ssh_known_hosts_timeout = + Is it the case that it does not exist or is not configured properly? - - To determine if NOPASSWD or !authenticate have been configured for -sudo, run the following command: -$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that nopasswd and/or !authenticate is enabled in sudo? + + Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils + Is it the case that the package is not installed? - - If the system uses IPv6, this is not applicable. + + +To properly set the owner of /var/log/audit, run the command: +$ sudo chown root /var/log/audit -If the system is configured to prevent the usage of the ipv6 on -network interfaces, it will contain a line of the form: -net.ipv6.conf.default.disable_ipv6 = 1 -Such lines may be inside any file in the /etc/sysctl.d directory. -This permits insertion of the IPv6 kernel module (which other parts of the -system expect to be present), but otherwise keeps network interfaces -from using IPv6. Run the following command to search for such lines in all -files in /etc/sysctl.d: -$ grep -r ipv6 /etc/sysctl.d - Is it the case that the ipv6 support is disabled by default on network interfaces? 
+To properly set the owner of /var/log/audit/*, run the command: +$ sudo chown root /var/log/audit/* + Is it the case that ? - - -Run the following command to determine if the logging_syslogd_use_tty SELinux boolean is enabled: -$ getsebool logging_syslogd_use_tty -If properly configured, the output should show the following: -logging_syslogd_use_tty --> on - Is it the case that logging_syslogd_use_tty is not enabled? + + Run the following command to determine if the abrt package is installed: +$ rpm -q abrt + Is it the case that the package is installed? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42.rules -The output has to be exactly as follows: -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## the following rule files copied to /etc/audit/rules.d: -## -## 10-base-config.rules, 11-loginuid.rules, -## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, -## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, -## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, -## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, -## 30-ospp-v42-5-perm-change-failed.rules, -## 30-ospp-v42-5-perm-change-success.rules, -## 30-ospp-v42-6-owner-change-failed.rules, -## 30-ospp-v42-6-owner-change-success.rules -## -## original copies may be found in /usr/share/audit/sample-rules/ + + The runtime status of the net.ipv4.conf.all.accept_local kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.accept_local +0. + Is it the case that the correct value is not returned? + + + + Verify that rules for unsuccessful calls of the open syscall are in the order shown below. -## User add delete modify. This is covered by pam. 
However, someone could -## open a file and directly create or modify a user, so we'll watch passwd and -## shadow for writes --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". + If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. -## User enable and disable. This is entirely handled by pam. 
+ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -## Group add delete modify. This is covered by pam. However, someone could -## open a file and directly create or modify a user, so we'll watch group and -## gshadow for writes --a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify --a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify + If the system is 64 bit then also add the following lines: + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F 
auid!=unset -F key=unsuccesful-access + Is it the case that the rules are in a different order? + + + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -## Use of special rights for config changes. This would be use of setuid -## programs that relate to user accts. This is not all setuid apps because -## requirements are only for ones that affect system configuration. --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F 
key=special-config-changes + Is it the case that no line is returned? + + + + Verify the noexec option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . noexec . . . -## Privilege escalation via su or sudo. This is entirely handled by pam. + Is it the case that the "/home" file system does not have the "noexec" option set? + + + + Verify that Red Hat Enterprise Linux 8 enforces a -day maximum password lifetime for new user accounts by running the following command: -## Watch for configuration changes to privilege escalation. --a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes --a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes +$ grep -i pass_max_days /etc/login.defs -## Audit log access --a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -## Attempts to Alter Process and Session Initiation Information --a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +PASS_MAX_DAYS + Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out? + + + + To verify the home directory ownership, run the following command: +# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) + Is it the case that the user ownership is incorrect? + + + + Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/password-auth file +and is configured to prohibit password reuse for a minimum of +generations. 
-## Attempts to modify MAC controls --a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy +Verify the "/etc/pam.d/password-auth" file with the following command: -## Software updates. This is entirely handled by rpm. +$ grep pam_pwhistory.so /etc/pam.d/password-auth +password pam_pwhistory.so use_authtok remember= -## System start and shutdown. This is entirely handled by systemd -## Kernel Module loading. This is handled in 43-module-load.rules +Verify the "/etc/security/pwhistory.conf" file using the following command: -## Application invocation. The requirements list an optional requirement -## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to -## state results from that policy. This would be handled entirely by -## that daemon. - Is it the case that the file does not exist or the content differs? - - - - To ensure TLS is configured with trust certificates, run the following command: -$ grep cert /etc/nslcd.conf - Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? +$ grep remember /etc/security/pwhistory.conf +remember = + +The pam_pwhistory.so "remember" option must be configured only in one file. + Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in +/etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set +with a value less than "<sub idref="var_password_pam_remember" />"? - - To verify all squashing has been disabled, run the following command: -$ grep all_squash /etc/exports - Is it the case that there is output? + + Ensure that debug-shell service is not enabled with the following command: +sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that enables the debug-shell. + Is it the case that the comand returns a line? 
- - To verify that the audit system collects unauthorized file accesses, run the following commands: -$ sudo grep EACCES /etc/audit/audit.rules -$ sudo grep EPERM /etc/audit/audit.rules - Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM? + + Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils + Is it the case that the policycoreutils package is not installed? - - Verify the noauto option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . noauto . . . + + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +$ sudo grep "renameat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the "/boot" file system does not have the "noauto" option set? - - - - -Run the following command to determine if the httpd_use_cifs SELinux boolean is disabled: -$ getsebool httpd_use_cifs -If properly configured, the output should show the following: -httpd_use_cifs --> off - Is it the case that httpd_use_cifs is not disabled? + Is it the case that no line is returned? - + To determine if the system is configured to audit successful calls -to the unlink system call, run the following command: -$ sudo grep "unlink" /etc/audit.* +to the openat system call, run the following command: +$ sudo grep "openat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to determine if the rpcbind package is installed: -$ rpm -q rpcbind - Is it the case that the package is installed? 
- - - - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -$ sudo grep "rmdir" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + The runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_pinfo +0. - Is it the case that no line is returned? + Is it the case that the correct value is not returned? - + -Run the following command to determine if the dbadm_manage_user_files SELinux boolean is disabled: -$ getsebool dbadm_manage_user_files +Run the following command to determine if the kerberos_enabled SELinux boolean is enabled: +$ getsebool kerberos_enabled If properly configured, the output should show the following: -dbadm_manage_user_files --> off - Is it the case that dbadm_manage_user_files is not disabled? +kerberos_enabled --> on + Is it the case that kerberos_enabled is not enabled? - - If IPv6 is disabled, this is not applicable. + + Verify that there are no wireless interfaces configured on the system +with the following command: -Inspect the file /etc/sysconfig/ip6tables to determine -the default policy for the INPUT chain. It should be set to DROP: -$ sudo grep ":INPUT" /etc/sysconfig/ip6tables - Is it the case that the default policy for the INPUT chain is not set to DROP? +Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. + +$ nmcli device status +DEVICE TYPE STATE CONNECTION +virbr0 bridge connected virbr0 +wlp7s0 wifi connected wifiSSID +enp6s0 ethernet disconnected -- +p2p-dev-wlp7s0 wifi-p2p disconnected -- +lo loopback unmanaged -- +virbr0-nic tun unmanaged -- + Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)? 
- + -Run the following command to determine if the gluster_export_all_ro SELinux boolean is disabled: -$ getsebool gluster_export_all_ro -If properly configured, the output should show the following: -gluster_export_all_ro --> off - Is it the case that gluster_export_all_ro is not disabled? + +Run the following command to determine the current status of the +iptables service: +$ sudo systemctl is-active iptables +If the service is running, it should return the following: active + Is it the case that ? - - Verify the nodev option is configured for the /var/log mount point, - run the following command: - $ sudo mount | grep '\s/var/log\s' - . . . /var/log . . . nodev . . . + + Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: - Is it the case that the "/var/log" file system does not have the "nodev" option set? +$ sudo more /etc/fstab + +UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 + Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set? - + -Run the following command to determine if the logging_syslogd_run_nagios_plugins SELinux boolean is disabled: -$ getsebool logging_syslogd_run_nagios_plugins +Run the following command to determine if the git_session_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool git_session_bind_all_unreserved_ports If properly configured, the output should show the following: -logging_syslogd_run_nagios_plugins --> off - Is it the case that logging_syslogd_run_nagios_plugins is not disabled? +git_session_bind_all_unreserved_ports --> off + Is it the case that git_session_bind_all_unreserved_ports is not disabled? 
- + -Run the following command to determine if the ftpd_use_cifs SELinux boolean is disabled: -$ getsebool ftpd_use_cifs +Run the following command to determine if the ftpd_full_access SELinux boolean is disabled: +$ getsebool ftpd_full_access If properly configured, the output should show the following: -ftpd_use_cifs --> off - Is it the case that ftpd_use_cifs is not disabled? +ftpd_full_access --> off + Is it the case that ftpd_full_access is not disabled? - - The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried + + The runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.send_redirects +$ sysctl net.ipv6.conf.default.router_solicitations 0. Is it the case that the correct value is not returned? - - To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: - -$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config - -If a line indicating no is returned, then the required value is set. - - Is it the case that the required value is not set? + + +Run the following command to determine if the selinuxuser_rw_noexattrfile SELinux boolean is disabled: +$ getsebool selinuxuser_rw_noexattrfile +If properly configured, the output should show the following: +selinuxuser_rw_noexattrfile --> off + Is it the case that selinuxuser_rw_noexattrfile is not disabled? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. 
+ + To check that the dovecot service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled dovecot +Output should indicate the dovecot service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled dovecot disabled -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +Run the following command to verify dovecot is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active dovecot -$ sudo grep -r creat /etc/audit/rules.d +If the service is not running the command will return the following output: +inactive -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +The service will also be masked, to check that the dovecot is masked, run the following command: +$ sudo systemctl show dovecot | grep "LoadState\|UnitFileState" -$ sudo grep creat /etc/audit/audit.rules +If the service is masked the command will return the following outputs: -The output should be the following: +LoadState=masked --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? - - - - To verify that Samba clients using mount.cifs must use packet signing, run the following command: -$ grep sec /etc/fstab -The output should show either krb5i or ntlmv2i in use. - Is it the case that it does not? +UnitFileState=masked + Is it the case that the "dovecot" is loaded and not masked? 
- - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one numeric character be used. - -Check the value for "dcredit" with the following command: - -$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:dcredit = - Is it the case that the value of "dcredit" is a positive number or is commented out? + + Run the following command to check if the line is present: +grep pam_wheel /etc/pam.d/su +The output should contain the following line: +auth required pam_wheel.so use_uid + Is it the case that the line is not in the file or it is commented? - - To check the group ownership of /etc/ssh/sshd_config, -run the command: -$ ls -lL /etc/ssh/sshd_config -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/ssh/sshd_config does not have a group owner of root? + + Run the following command to determine if the samba package is installed: +$ rpm -q samba + Is it the case that the package is installed? - - To verify that a remote NTP service is configured for time synchronization, -open the following file: -/etc/ntp.conf -In the file, there should be a section similar to the following: -server ntpserver - Is it the case that this is not the case? + + +Run the following command to determine if the httpd_use_fusefs SELinux boolean is disabled: +$ getsebool httpd_use_fusefs +If properly configured, the output should show the following: +httpd_use_fusefs --> off + Is it the case that httpd_use_fusefs is not disabled? - - The runtime status of the net.ipv4.conf.all.route_localnet kernel parameter can be queried + + The runtime status of the kernel.core_uses_pid kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.route_localnet +$ sysctl kernel.core_uses_pid 0. - - Is it the case that the correct value is not returned? 
+ Is it the case that the returned line does not have a value of 0? - - Verify Red Hat Enterprise Linux 8 disables network management of the chrony daemon with the following command: -$ grep -w cmdport /etc/chrony.conf -cmdport 0 - Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing? + + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/local/bin +/usr/local/sbin +/usr/sbin +For each of these directories, run the following command to find files +not owned by root: +$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \; + Is it the case that any system executables directories are found to not be owned by root? - - To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file -/etc/pki/tls/openssl.cnf contains the [ crypto_policy ] section with the -.include /etc/crypto-policies/back-ends/opensslcnf.config directive: - -$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf. - Is it the case that the OpenSSL config file doesn't contain the whole section, -or the section doesn't contain the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive? + + Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services + Is it the case that the iptables-services package is not installed? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: + + To check that the rsyncd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rsyncd +Output should indicate the rsyncd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rsyncd disabled -$ sudo auditctl -l | grep sudo +Run the following command to verify rsyncd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rsyncd --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo - Is it the case that the command does not return a line, or the line is commented out? - - - - Run the following command to determine if the dnf-automatic package is installed: $ rpm -q dnf-automatic - Is it the case that the package is not installed? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rsyncd is masked, run the following command: +$ sudo systemctl show rsyncd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "rsyncd" is loaded and not masked? - - To verify the sec option is configured for all NFS mounts, run the following command: -$ mount | grep "sec=" -All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. -This is not applicable if NFS is not implemented. - Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? + + Ensure that CGI backup scripts are not left on the production web server. +This check is limited to CGI/interactive content and not static HTML. 
+ +Search for backup copies of CGI scripts on the web server or ask the Web +Administrator if they keep backup copies of CGI scripts on the web server. + +Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, +*.??0. This would also apply to .jsp files. + +On Red Hat Enterprise Linux, run the following commands to find backup +scripts: +find / name "*.bak" -print +find / name "*.*" -print +find / name "*.old" -print + Is it the case that If fileos with these extensions have no relationship with web activity, +such as backup batch file for operating system utility, and they are +not accessible by the web application, this is not a finding. + +If files with these extensions are found in either the document +directory or the home directory of the web server, this is +a finding. + +If files with these extensions are stored in a repository (not in the +document root) as backups for the web server? - - -Run the following command to determine if the ksmtuned_use_cifs SELinux boolean is disabled: -$ getsebool ksmtuned_use_cifs -If properly configured, the output should show the following: -ksmtuned_use_cifs --> off - Is it the case that ksmtuned_use_cifs is not disabled? + + To check the group ownership of /etc/ssh/*.pub, +run the command: +$ ls -lL /etc/ssh/*.pub +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/ssh/*.pub does not have a group owner of root? - - To check the permissions of /etc/passwd, -run the command: -$ ls -l /etc/passwd -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/passwd does not have unix mode -rw-r--r--? + + To verify the nodev option is configured for non-root local partitions, run the following command: +$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' +The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. 
+ + Is it the case that some mounts appear among output lines? - - -Run the following command to determine if the httpd_enable_homedirs SELinux boolean is disabled: -$ getsebool httpd_enable_homedirs -If properly configured, the output should show the following: -httpd_enable_homedirs --> off - Is it the case that httpd_enable_homedirs is not disabled? + + To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config +and verify that the line matches: +Ciphers + Is it the case that Crypto Policy for OpenSSH client is not configured correctly? - - Inspect /etc/audit/auditd.conf and locate the following line to -determine how much data the system will retain in each audit log file: -$ sudo grep max_log_file /etc/audit/auditd.conf -max_log_file = 6 - Is it the case that the system audit data threshold has not been properly configured? + + To determine if the system is configured to audit successful calls +to the fsetxattr system call, run the following command: +$ sudo grep "fsetxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To ensure logs are sent to a remote host, examine the file -/etc/rsyslog.conf. -If using UDP, a line similar to the following should be present: - *.* @ -If using TCP, a line similar to the following should be present: - *.* @@ -If using RELP, a line similar to the following should be present: - *.* :omrelp: - Is it the case that no evidence that the audit logs are being off-loaded to another system or media? + + Verify that Red Hat Enterprise Linux 8 generates an audit record for all uses of the "umount" and system call. 
+To determine if the system is configured to audit calls to the +"umount" system call, run the following command: +$ sudo grep "umount" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line like the following. +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount + Is it the case that the command does not return a line, or the line is commented out? - - To check the group ownership of /etc/gshadow, -run the command: -$ ls -lL /etc/gshadow -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/gshadow does not have a group owner of root? + + +Run the following command to determine if the git_cgi_enable_homedirs SELinux boolean is disabled: +$ getsebool git_cgi_enable_homedirs +If properly configured, the output should show the following: +git_cgi_enable_homedirs --> off + Is it the case that git_cgi_enable_homedirs is not disabled? - - To determine if NOPASSWD has been configured for sudo, run the following command: -$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that nopasswd is specified in the sudo config files? + + Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: + +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; + Is it the case that any system commands are returned and is not group-owned by a required system account? 
- - To verify if ErrorLog is configured correctly in + + To verify if LogFormat is configured correctly in /etc/httpd/conf/httpd.conf, run the following command: -$ grep -i errorlog /etc/httpd/conf/httpd.conf -The output should return the following: -ErrorLog "logs/error_log" +$ grep -i logformat /etc/httpd/conf/httpd.conf +The output should contain the following: +LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined Is it the case that it is not? - - -Run the following command to determine if the selinuxuser_share_music SELinux boolean is disabled: -$ getsebool selinuxuser_share_music -If properly configured, the output should show the following: -selinuxuser_share_music --> off - Is it the case that selinuxuser_share_music is not disabled? + + To verify that the operating system protects against or limits the effects of DoS +attacks by ensuring implementation of rate-limiting measures +on impacted network interfaces, run the following command: +# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/* +The command should output the following line: +/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = +The file where the line has been found can differ, but it must be either /etc/sysctl.conf +or a file located under the /etc/sysctl.d/ directory. + Is it the case that rate limiting of duplicate TCP acknowledgments is not configured? - - Open browser window and browse to the appropriate site. Before entry to the -site, you should be presented with the server's PKI credentials. Review -these credentials for authenticity. + + To determine how the SSH daemon's LogLevel option is set, run the following command: -For DoD, find an entry which cites: +$ sudo grep -i LogLevel /etc/ssh/sshd_config -Issuer: -CN = -DOD CLASS 3 CA-3 -OU = PKI -OU = DoD -O = U.S. Government -C = US +If a line indicating INFO is returned, then the required value is set. - Is it the case that it is not? + Is it the case that the required value is not set? 
- - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_HASH /boot/config.* - - For each kernel installed, a line with value "" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify if the OpenSSL uses defined Crypto Policy, run: +$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1 +and verify that the line matches +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + Is it the case that Crypto Policy for OpenSSL is not configured according to CC requirements? + + + + +Run the following command to determine if the exim_read_user_files SELinux boolean is disabled: +$ getsebool exim_read_user_files +If properly configured, the output should show the following: +exim_read_user_files --> off + Is it the case that exim_read_user_files is not disabled? 
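Review bot: the added umount check text is missing a word: 'generates an audit record for all uses of the "umount" and system call' should read 'for all uses of the "umount" system call', matching the sentence that follows it ('configured to audit calls to the "umount" system call'). In the same region, two added expected-output lines end right after the keyword, `Ciphers ` (after "verify that the line matches:") and `/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = `, so the reader has nothing to compare against; the expected value (or the variable reference that should be substituted there) needs to be present for these checks to be verifiable. Minor: "To verify if the OpenSSL uses defined Crypto Policy" reads better as "To verify that OpenSSL uses the defined Crypto Policy".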
@@ -379365,475 +379688,439 @@ $ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0 Is it the case that there is output? - - Inspect /etc/audit/auditd.conf and locate the following line to -determine if the system is configured to synchronize audit event data -with the log files on the disk: -$ sudo grep flush /etc/audit/auditd.conf -flush = DATA -Acceptable values are DATA, and SYNC. The setting is -case-insensitive. - Is it the case that auditd is not configured to synchronously write audit event data to disk? + + Run the following command to determine if the tftp-server package is installed: +$ rpm -q tftp-server + Is it the case that the package is installed? - - Verify that a separate file system/partition has been created for /srv with the following command: - -$ mountpoint /srv + + Verify the nodev option is configured for the /var/log/audit mount point, + run the following command: + $ sudo mount | grep '\s/var/log/audit\s' + . . . /var/log/audit . . . nodev . . . - Is it the case that "/srv is not a mountpoint" is returned? + Is it the case that the "/var/log/audit" file system does not have the "nodev" option set? - + -Run the following command to determine if the virt_sandbox_use_audit SELinux boolean is enabled: -$ getsebool virt_sandbox_use_audit +Run the following command to determine if the deny_ptrace SELinux boolean is disabled: +$ getsebool deny_ptrace If properly configured, the output should show the following: -virt_sandbox_use_audit --> on - Is it the case that virt_sandbox_use_audit is not enabled? +deny_ptrace --> off + Is it the case that deny_ptrace is not disabled? - - Run the following command to ensure the TMOUT value is configured for all users -on the system: - -$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh - -The output should return the following: -TMOUT= - Is it the case that value of TMOUT is not less than or equal to expected setting? 
+ + +Run the following command to determine if the kdumpgui_run_bootloader SELinux boolean is disabled: +$ getsebool kdumpgui_run_bootloader +If properly configured, the output should show the following: +kdumpgui_run_bootloader --> off + Is it the case that kdumpgui_run_bootloader is not disabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: - -$ sudo auditctl -l | grep unix_chkpwd - --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd - Is it the case that the command does not return a line, or the line is commented out? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_KEXEC /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Storing logs remotely protects the integrity of the data from local attacks. -Run the following command to verify that journald is forwarding logs to a remote host. - -grep "^\sForwardToSyslog" /etc/systemd/journald.conf + + +Run the following command to determine if the xdm_bind_vnc_tcp_port SELinux boolean is disabled: +$ getsebool xdm_bind_vnc_tcp_port +If properly configured, the output should show the following: +xdm_bind_vnc_tcp_port --> off + Is it the case that xdm_bind_vnc_tcp_port is not disabled? + + + + To determine how the SSH daemon's LogLevel option is set, run the following command: -and it should return +$ sudo grep -i LogLevel /etc/ssh/sshd_config -ForwardToSyslog=yes +If a line indicating VERBOSE is returned, then the required value is set. - Is it the case that is commented out or not configured correctly? 
- - - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.media-handling automount -If properly configured, the output for automount should be false. -To ensure that users cannot enable automount in GNOME3, run the following: -$ grep 'automount' /etc/dconf/db/local.d/locks/* -If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount - Is it the case that GNOME automounting is not disabled? - - - - Run the following command to determine if the ypserv package is installed: -$ rpm -q ypserv - Is it the case that the package is installed? + Is it the case that the required value is not set? - - Run the following command to determine if the krb5-workstation package is installed: -$ rpm -q krb5-workstation - Is it the case that the package is installed? + + To check if pam_namespace.so is required for user login, run the following command: +$ grep pam_namespace.so /etc/pam.d/login +The output should return the following uncommented: +session required pam_namespace.so + Is it the case that pam_namespace.so is not required or is commented out? - - To check the ownership of /etc/passwd-, -run the command: -$ ls -lL /etc/passwd- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/passwd- does not have an owner of root? + + +Run the following command to determine if the collectd_tcp_network_connect SELinux boolean is disabled: +$ getsebool collectd_tcp_network_connect +If properly configured, the output should show the following: +collectd_tcp_network_connect --> off + Is it the case that collectd_tcp_network_connect is not disabled? 
- - To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command: -grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf -The output should return the following: - -[xdmcp] -Enable=false - - Is it the case that the Enable is not set to false or is missing in the xdmcp section of the /etc/gdm/custom.conf gdm configuration file? + + +Run the following command to determine if the mozilla_read_content SELinux boolean is disabled: +$ getsebool mozilla_read_content +If properly configured, the output should show the following: +mozilla_read_content --> off + Is it the case that mozilla_read_content is not disabled? - - To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 8 systems, -run the following command: -$ dmesg | grep '[NX|DX]*protection' -The output should not contain 'disabled by kernel command line option'. -Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes noexec=off, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*noexec=off.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*noexec=off.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'noexec=off' -The command should not return any output. - Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.? 
+ + Run the following command to verify that SSH client is configured to use 32 bytes of entropy: +grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh +The output should be: +export SSH_USE_STRONG_RNG=32 + Is it the case that SSH client is not configured to use 32 bytes of entropy or more? - - Verify that the interactive user account passwords are using a strong -password hash with the following command: + + To determine how the SSH daemon's X11Forwarding option is set, run the following command: -$ sudo cut -d: -f2 /etc/shadow +$ sudo grep -i X11Forwarding /etc/ssh/sshd_config -$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ +If a line indicating yes is returned, then the required value is set. -Password hashes ! or * indicate inactive accounts not -available for logon and are not evaluated. - Is it the case that any interactive user password hash does not begin with "$6"? + Is it the case that the required value is not set? - - The runtime status of the fs.protected_symlinks kernel parameter can be queried -by running the following command: -$ sysctl fs.protected_symlinks -1. + + Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed. - Is it the case that the correct value is not returned? +Run the following command to determine if the openssl-pkcs11 package is installed: +$ rpm -q openssl-pkcs11 + Is it the case that smartcard software is not installed? 
- - To determine if the system is configured to audit successful calls -to the open system call, run the following command: -$ sudo grep "open" /etc/audit.* + + To verify the operating system implements cryptography to protect the integrity of +remote ldap access sessions, run the following command: +$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf +The output should return the following with a correctly configured CA cert path: +ldap_tls_cacertdir /path/to/tls/cacert + Is it the case that the TLS CA cert is not configured? + + + + To determine if the system is configured to audit calls to the +unlink system call, run the following command: +$ sudo grep "unlink" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check the permissions of /var/log, + + To check the ownership of /etc/shadow, run the command: -$ ls -l /var/log -If properly configured, the output should indicate the following permissions: -drwxr-xr-x - Is it the case that /var/log does not have unix mode drwxr-xr-x? - - - - To determine if the system is configured to audit changes to its network configuration, -run the following command: -auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' -If the system is configured to watch for network configuration changes, a line should be returned for -each file specified (and perm=wa should be indicated for each). - Is it the case that the system is not configured to audit changes of the network configuration? - - - - -Run the following command to determine if the named_tcp_bind_http_port SELinux boolean is disabled: -$ getsebool named_tcp_bind_http_port -If properly configured, the output should show the following: -named_tcp_bind_http_port --> off - Is it the case that named_tcp_bind_http_port is not disabled? 
+$ ls -lL /etc/shadow +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/shadow does not have an owner of root? - - To determine that periodic AIDE execution has been scheduled, run the following command: - -$ grep aide /etc/crontab -The output should return something similar to the following: -05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost -The email address that the notifications are sent to can be changed by overriding -. - Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes spec_store_bypass_disable=, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spec_store_bypass_disable=.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*spec_store_bypass_disable=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'spec_store_bypass_disable=' +The command should not return any output. + Is it the case that SSB is not configured appropriately? - + -If the system is configured to prevent the loading of the bluetooth kernel module, +If the system is configured to prevent the loading of the sctp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
-These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d +$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? - + -Run the following command to determine if the piranha_lvs_can_network_connect SELinux boolean is disabled: -$ getsebool piranha_lvs_can_network_connect +Run the following command to determine if the ksmtuned_use_cifs SELinux boolean is disabled: +$ getsebool ksmtuned_use_cifs If properly configured, the output should show the following: -piranha_lvs_can_network_connect --> off - Is it the case that piranha_lvs_can_network_connect is not disabled? +ksmtuned_use_cifs --> off + Is it the case that ksmtuned_use_cifs is not disabled? - + + To verify all local initialization files for interactive users are owned by the +primary user, run the following command: +$ sudo ls -al /home/USER/.* +The user initialization files should be owned by USER. + Is it the case that they are not? + + + -Run the following command to determine if the selinuxuser_udp_server SELinux boolean is disabled: -$ getsebool selinuxuser_udp_server +Run the following command to determine if the irc_use_any_tcp_ports SELinux boolean is disabled: +$ getsebool irc_use_any_tcp_ports If properly configured, the output should show the following: -selinuxuser_udp_server --> off - Is it the case that selinuxuser_udp_server is not disabled? +irc_use_any_tcp_ports --> off + Is it the case that irc_use_any_tcp_ports is not disabled? - - Verify the hidepid=value option is configured for the /proc mount point, - run the following command: - $ sudo mount | grep '\s/proc\s' - . . . /proc . . . hidepid=value . . . 
+ + Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification. - Is it the case that the "/proc" file system does not have the "hidepid=value" option set? +Check the group-owner of each audit tool by running the following command: + +$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules + Is it the case that any audit tools are not group-owned by root? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open system call with O_CREAT flag. + + The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.accept_source_route +0. -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: + Is it the case that the correct value is not returned? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_ARM64_SW_TTBR0_PAN /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. 
-$ sudo grep -r open /etc/audit/rules.d +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r ftruncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open /etc/audit/audit.rules +$ sudo grep ftruncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the httpd_tty_comm SELinux boolean is disabled: -$ getsebool httpd_tty_comm -If properly configured, the output should show the following: -httpd_tty_comm --> off - Is it the case that httpd_tty_comm is not disabled? - - - - To check the group ownership of /etc/cron.d, -run the command: -$ ls -lL /etc/cron.d -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/cron.d does not have a group owner of root? 
+ + Run the following command to determine open ports: +# ss -4tuln +Run the following command to determine firewall rules: +# iptables -L INPUT -v -n +For each port identified in the audit which does not have a firewall +rule, add rule for accepting or denying inbound connections +# iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT + Is it the case that open ports are denied connection? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/passwd)' - --w /etc/passwd -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine if the nginx package is installed: +$ rpm -q nginx + Is it the case that the package is installed? - + -If the system is configured to prevent the loading of the usb-storage kernel module, +If the system is configured to prevent the loading of the cfg80211 kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the cfg80211 kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d +$ grep -r cfg80211 /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? - - To check the system for the existence of any .forward files, -run the following command: -$ sudo find /home -xdev -name .forward - Is it the case that any .forward files exist? 
+ + Run the following command to determine if the cron package is installed: +$ rpm -q cron + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size. - -Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size with the following command: - -$ sudo grep max_log_file_action /etc/audit/auditd.conf - -max_log_file_action = - Is it the case that the value of the "max_log_file_action" option is not "ROTATE", "SINGLE", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action? + + Run the following command to determine if the tmux package is installed: $ rpm -q tmux + Is it the case that the package is not installed? - - To check the ownership of /etc/issue, + + To check the permissions of /etc/http/conf.modules.d/*, run the command: -$ ls -lL /etc/issue -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/issue does not have an owner of root? +$ ls -l /etc/http/conf.modules.d/* +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/http/conf.modules.d/* does not have unix mode -rw-r-----? - - To check the group ownership of /boot/grub2/grub.cfg, + + To check the group ownership of /etc/shadow-, run the command: -$ ls -lL /boot/grub2/grub.cfg +$ ls -lL /etc/shadow- If properly configured, the output should indicate the following group-owner: root - Is it the case that /boot/grub2/grub.cfg does not have a group owner of root? + Is it the case that /etc/shadow- does not have a group owner of root? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. 
If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192' -The command should not return any output. - Is it the case that audit backlog limit is not configured? + + To determine if the system is configured to audit calls to the +rmdir system call, run the following command: +$ sudo grep "rmdir" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To check that the certmonger service is disabled in system boot configuration, + + +Run the following command to determine if the login_console_enabled SELinux boolean is enabled: +$ getsebool login_console_enabled +If properly configured, the output should show the following: +login_console_enabled --> on + Is it the case that login_console_enabled is not enabled? + + + + Verify that the interactive user account passwords last change time is not in the future +The following command should return no output +$ sudo expiration=$(cat /etc/shadow|awk -F ':' '{print $3}'); +for edate in ${expiration[@]}; do if [[ $edate > $(( $(date +%s)/86400 )) ]]; +then echo "Expiry date in future"; +fi; done + Is it the case that any interactive user password that has last change time in the future? 
+ + + + To determine if the system is configured to audit successful calls +to the unlinkat system call, run the following command: +$ sudo grep "unlinkat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + If network services are using the xinetd service, this is not applicable. + +To check that the xinetd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled certmonger -Output should indicate the certmonger service has either not been installed, +$ sudo systemctl is-enabled xinetd +Output should indicate the xinetd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled certmonger disabled +$ sudo systemctl is-enabled xinetd disabled -Run the following command to verify certmonger is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active certmonger +Run the following command to verify xinetd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active xinetd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the certmonger is masked, run the following command: -$ sudo systemctl show certmonger | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the xinetd is masked, run the following command: +$ sudo systemctl show xinetd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "certmonger" is loaded and not masked? 
- - - - To determine if the system is configured to audit unsuccessful calls -to the lchown system call, run the following command: -$ sudo grep "lchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: - -$ sudo auditctl -l | grep crontab - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab - Is it the case that the command does not return a line, or the line is commented out? + Is it the case that the "xinetd" is loaded and not masked? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes ipv6.disable=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'ipv6.disable=1' -The command should not return any output. - Is it the case that IPv6 is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PAGE_POISONING_ZERO /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
- - Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils - Is it the case that the package is not installed? + + To check the ownership of /etc/ssh/*_key, +run the command: +$ ls -lL /etc/ssh/*_key +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/ssh/*_key does not have an owner of root? - - Run the following command to determine the current status of the dnf-automatic timer: $ sudo systemctl is-active dnf-automatic.timer If the timer is running, it should return the following: active - Is it the case that the dnf-automatic.timer is not enabled? + + The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.forwarding +0. +The ability to forward packets is only appropriate for routers. + Is it the case that IP forwarding value is "1" and the system is not router? - - To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, + + To check that the nftables service is disabled in system boot configuration, run the following command: -$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout -$ grep logout /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/settings-daemon/plugins/media-keys/logout - Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? - - - - -Run the following command to determine if the exim_read_user_files SELinux boolean is disabled: -$ getsebool exim_read_user_files -If properly configured, the output should show the following: -exim_read_user_files --> off - Is it the case that exim_read_user_files is not disabled? 
- - - - +$ sudo systemctl is-enabled nftables +Output should indicate the nftables service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled nftables disabled -Run the following command to determine the current status of the -rsyslog service: -$ sudo systemctl is-active rsyslog -If the service is running, it should return the following: active - Is it the case that the "rsyslog" service is disabled, masked, or not started.? - - - - Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: +Run the following command to verify nftables is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active nftables -$ sudo grep 'dir =' /etc/security/faillock.conf +If the service is not running the command will return the following output: +inactive -dir = /var/log/faillock - Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? - - - - Verify Red Hat Enterprise Linux 8 enforces 24 hours/1 day as the minimum password lifetime for new user accounts. +The service will also be masked, to check that the nftables is masked, run the following command: +$ sudo systemctl show nftables | grep "LoadState\|UnitFileState" -Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: +If the service is masked the command will return the following outputs: -$ grep -i pass_min_days /etc/login.defs +LoadState=masked -PASS_MIN_DAYS - Is it the case that the "PASS_MIN_DAYS" parameter value is not "<sub idref="var_accounts_minimum_age_login_defs" />" or greater, or is commented out? +UnitFileState=masked + Is it the case that the "nftables" is loaded and not masked? 
- - To check the group ownership of /etc/cron.weekly, -run the command: -$ ls -lL /etc/cron.weekly -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/cron.weekly does not have a group owner of root? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STACKPROTECTOR_STRONG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
@@ -379845,199 +380132,128 @@ postfix_local_write_mail_spool --> on Is it the case that postfix_local_write_mail_spool is not enabled? - - Run the following command to determine if the geolite2-country package is installed: -$ rpm -q geolite2-country - Is it the case that the package is installed? - - - - Verify that interactive users on the system have a home directory assigned with the following command: - -$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd - -Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined. - Is it the case that users home directory is not defined? + + To verify if ErrorLog is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i errorlog /etc/httpd/conf/httpd.conf +The output should return the following: +ErrorLog "logs/error_log" + Is it the case that it is not? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'audit=1' -The command should not return any output. - Is it the case that auditing is not enabled at boot time? + + Run the following command to determine if the rpcbind package is installed: +$ rpm -q rpcbind + Is it the case that the package is installed? 
- + -Run the following command to determine if the fenced_can_ssh SELinux boolean is disabled: -$ getsebool fenced_can_ssh +Run the following command to determine if the virt_use_comm SELinux boolean is disabled: +$ getsebool virt_use_comm If properly configured, the output should show the following: -fenced_can_ssh --> off - Is it the case that fenced_can_ssh is not disabled? - - - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? +virt_use_comm --> off + Is it the case that virt_use_comm is not disabled? - - If FTP services are not installed, this is not applicable. - -To verify this configuration, run the following command: - -grep "banner_file" /etc/vsftpd/vsftpd.conf + + To check that the atd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled atd +Output should indicate the atd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled atd disabled +Run the following command to verify atd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active atd -The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: +If the service is not running the command will return the following output: +inactive -$ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf +The service will also be masked, to check that the atd is masked, run the following command: +$ sudo systemctl show atd | grep "LoadState\|UnitFileState" -banner_file=/etc/issue - Is it the case that it does not? 
- - - - Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command: +If the service is masked the command will return the following outputs: -$ grep -i process /etc/systemd/coredump.conf +LoadState=masked -ProcessSizeMax=0 - Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? +UnitFileState=masked + Is it the case that the "atd" is loaded and not masked? - - Run the following command to determine if the systemd-journal-remote package is installed: $ rpm -q systemd-journal-remote - Is it the case that the package is not installed? + + To check the group ownership of /etc/group, +run the command: +$ ls -lL /etc/group +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/group does not have a group owner of root? - - -If the system is configured to prevent the loading of the sctp kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? 
+ + Verify Red Hat Enterprise Linux 8 limits the number of concurrent sessions to +"" for all +accounts and/or account types with the following command: +$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf +/etc/security/limits.conf:* hard maxlogins 10 +This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. + Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater +than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and +is not documented with the Information System Security Officer (ISSO) as an +operational requirement for all domains that have the "maxlogins" item +assigned'? - + -Run the following command to determine if the git_system_enable_homedirs SELinux boolean is disabled: -$ getsebool git_system_enable_homedirs +Run the following command to determine if the puppetmaster_use_db SELinux boolean is disabled: +$ getsebool puppetmaster_use_db If properly configured, the output should show the following: -git_system_enable_homedirs --> off - Is it the case that git_system_enable_homedirs is not disabled? +puppetmaster_use_db --> off + Is it the case that puppetmaster_use_db is not disabled? - - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one lower-case character. - -Check the value for "lcredit" with the following command: - -$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:lcredit = -1 - Is it the case that the value of "lcredit" is a positive number or is commented out? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_RETPOLINE /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
- - -Run the following command to determine if the gpg_web_anon_write SELinux boolean is disabled: -$ getsebool gpg_web_anon_write -If properly configured, the output should show the following: -gpg_web_anon_write --> off - Is it the case that gpg_web_anon_write is not disabled? + + Interview the SA or web administrator to see where the public web server +is logically located in the data center. Review the site network diagram +to see how the web server is connected to the LAN. Visually check the web +server hardware connections to see if it conforms to the site network +diagram. + Is it the case that the web server is not isolated in an accredited DoD DMZ Extension? - - Run the following command to determine if the aide package is installed: $ rpm -q aide - Is it the case that the package is not installed? + + To check the value of the umask, run the following command: +$ grep umask /etc/init.d/functions +The output should show . + Is it the case that it does not? - + -Run the following command to determine if the xdm_write_home SELinux boolean is disabled: -$ getsebool xdm_write_home +Run the following command to determine if the fcron_crond SELinux boolean is disabled: +$ getsebool fcron_crond If properly configured, the output should show the following: -xdm_write_home --> off - Is it the case that xdm_write_home is not disabled? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: - -$ sudo auditctl -l | grep kmod - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod - Is it the case that the command does not return a line, or the line is commented out? - - - - Verify that Promiscuous mode of an interface is disabled, run the following command: -$ ip link | grep PROMISC - Is it the case that any network device is in promiscuous mode? 
- - - - To check the permissions of /etc/http/conf, -run the command: -$ ls -l /etc/http/conf -If properly configured, the output should indicate the following permissions: --rwxr-x--- - Is it the case that ? - - - - To ensure the GUI does not allow user administratrion capabilities to all users, -run the following command: -$ gsettings get org.gnome.desktop.lockdown user-administration-disabled -If properly configured, the output should be true. -To ensure that users cannot enable user administration, run the following: -$ grep user-administration /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/desktop/lockdown/user-administration-disabled - Is it the case that user administration is not configured or disabled? +fcron_crond --> off + Is it the case that fcron_crond is not disabled? - - Verify that rules for unsuccessful calls of the openat syscall are in the order shown below. - - If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". - If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. 
- - -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - - If the system is 64 bit then also add the following lines: - - -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - Is it the case that the rules are in a different order? + + +Run the following command to determine if the virt_use_fusefs SELinux boolean is disabled: +$ getsebool virt_use_fusefs +If properly configured, the output should show the following: +virt_use_fusefs --> off + Is it the case that virt_use_fusefs is not disabled? 
@@ -380065,1027 +380281,811 @@ UnitFileState=masked Is it the case that the "tftp" is loaded and not masked? - - To determine whether sudo command includes configuration files from the appropriate directory, -run the following command: -$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d -If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. -Any other line returned is a finding. - Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?? + + To check the group ownership of /etc/cron.daily, +run the command: +$ ls -lL /etc/cron.daily +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.daily does not have a group owner of root? - - -Run the following command to determine if the openvpn_run_unconfined SELinux boolean is disabled: -$ getsebool openvpn_run_unconfined -If properly configured, the output should show the following: -openvpn_run_unconfined --> off - Is it the case that openvpn_run_unconfined is not disabled? + + Run the following command and verify that time sources are only configured with server directive: +# grep -E "^(server|pool)" /etc/chrony.conf +A line with the appropriate server should be returned, any line returned starting with pool is a finding. + Is it the case that an authoritative remote time server is not configured or configured with pool directive? - - Verify Red Hat Enterprise Linux 8 removes all software components after updated versions have been installed. + + To check that the httpd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled httpd +Output should indicate the httpd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled httpd disabled +Run the following command to verify httpd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active httpd -$ grep clean_requirements_on_remove /etc/yum.conf -clean_requirements_on_remove=1 - Is it the case that '"clean_requirements_on_remove" is not set to "1"'? - - - - To verify that auditing of privileged command use is configured, run the following command -to search privileged commands in relevant partitions and check if they are covered by auditd -rules: +If the service is not running the command will return the following output: +inactive -FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) -PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }') -for PARTITION in $PARTITIONS; do - for PRIV_CMD in $(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null); do - grep -qr "${PRIV_CMD}" /etc/audit/rules.d /etc/audit/audit.rules && - printf "OK: ${PRIV_CMD}\n" || printf "WARNING - rule not found for: ${PRIV_CMD}\n" - done -done +The service will also be masked, to check that the httpd is masked, run the following command: +$ sudo systemctl show httpd | grep "LoadState\|UnitFileState" -The output should not contain any WARNING. - Is it the case that any setuid or setgid programs doesn't have a line in the audit rules? +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "httpd" is loaded and not masked? - - The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried + + The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.default.log_martians +$ sysctl kernel.kexec_load_disabled 1. Is it the case that the correct value is not returned? - - Verify that the system is not accepting "rsyslog" messages from other systems unless it is -documented as a log aggregation server. 
-Display the contents of the rsyslog configuration files: -find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \; - -If any of the below lines are found, ask to see the documentation for the system being used -for log aggregation: - -If using legacy syntax: -$ModLoad imtcp -$InputTCPServerRun port -$ModLoad imudp -$UDPServerRun port -$ModLoad imrelp -$InputRELPServerRun port - -If using RainerScript syntax: -module(load="imtcp") -module(load="imudp") -input(type="imtcp" port="514") -input(type="imudp" port="514") + + The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.send_redirects +0. - Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system? - - - - To check for legacy lines in /etc/shadow, run the following command: - grep '^\+' /etc/shadow -The command should not return any output. - Is it the case that the file contains legacy lines? - - - - Run the following command to determine if the openldap-clients package is installed: -$ rpm -q openldap-clients - Is it the case that the package is installed? - - - - -Run the following command to determine if the httpd_use_openstack SELinux boolean is disabled: -$ getsebool httpd_use_openstack -If properly configured, the output should show the following: -httpd_use_openstack --> off - Is it the case that httpd_use_openstack is not disabled? - - - - To verify the assigned home directory of all interactive user home directories -have a mode of 0750 or less permissive, run the following command: -$ sudo ls -l /home -Inspect the output for any directories with incorrect permissions. - Is it the case that they are more permissive? 
- - - - To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: -sysctl crypto.fips_enabled -The output should contain the following: -crypto.fips_enabled = 1 - Is it the case that crypto.fips_enabled is not 1? + Is it the case that the correct value is not returned? - - System executables are stored in the following directories by default: -/bin -/sbin -/usr/bin -/usr/sbin -/usr/local/bin -/usr/local/sbin -To find system executables directories that are group-writable or -world-writable, run the following command for each directory DIR -which contains system executables: -$ sudo find -L DIR -perm /022 -type d - Is it the case that any of these files are group-writable or world-writable? + + To check the group ownership of /etc/issue, +run the command: +$ ls -lL /etc/issue +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/issue does not have a group owner of root? - + -Run the following command to determine if the cron_can_relabel SELinux boolean is disabled: -$ getsebool cron_can_relabel +Run the following command to determine if the httpd_anon_write SELinux boolean is disabled: +$ getsebool httpd_anon_write If properly configured, the output should show the following: -cron_can_relabel --> off - Is it the case that cron_can_relabel is not disabled? - - - - To check the permissions of /etc/cron.d, -run the command: -$ ls -l /etc/cron.d -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.d does not have unix mode -rwx------? - - - - Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: - -Verify "firewalld" has "nftables" set as the default backend: - -$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf - -# FirewallBackend -FirewallBackend=nftables - Is it the case that the "nftables" is not set as the "firewallbackend"? 
- - - - If the system does not have SELinux enabled and enforcing a targeted policy, or if the -pam_faillock.so module is not configured for use, this requirement is not applicable. - -Verify the location of the non-default tally directory for the pam_faillock.so module with -the following command: - -$ sudo grep -w dir /etc/security/faillock.conf - -dir = /var/log/faillock - -Check the security context type of the non-default tally directory with the following command: - -$ sudo ls -Zd /var/log/faillock - -unconfined_u:object_r:faillog_t:s0 /var/log/faillock - Is it the case that the security context type of the non-default tally directory is not "faillog_t"? - - - - The reviewed should make a note of the name of the account being used for -the web service. This information may be needed later in the SRR. There -may also be other server services running related to the web server in -support of a particular web application, these passwords must be entrusted -to the SA or Web Manager as well. - -Query the SA or Web Manager to determine if they have the web service -password(s). - -NOTE: For installations that run as a service, or without a password, -the SA or Web Manager having an Admin account on the system would meet -the intent of this check. - Is it the case that the web server password(s) are not entrusted to the SA or Web Manager? +httpd_anon_write --> off + Is it the case that httpd_anon_write is not disabled? - + -Run the following command to determine if the mozilla_plugin_use_gps SELinux boolean is disabled: -$ getsebool mozilla_plugin_use_gps +Run the following command to determine if the named_write_master_zones SELinux boolean is disabled: +$ getsebool named_write_master_zones If properly configured, the output should show the following: -mozilla_plugin_use_gps --> off - Is it the case that mozilla_plugin_use_gps is not disabled? 
- - - - To check the ownership of /etc/ssh/*.pub, -run the command: -$ ls -lL /etc/ssh/*.pub -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/ssh/*.pub does not have an owner of root? - - - - To check the permissions of /etc/gshadow-, -run the command: -$ ls -l /etc/gshadow- -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/gshadow- does not have unix mode ----------? - - - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? +named_write_master_zones --> off + Is it the case that named_write_master_zones is not disabled? - - -Run the following command to determine if the zoneminder_run_sudo SELinux boolean is disabled: -$ getsebool zoneminder_run_sudo -If properly configured, the output should show the following: -zoneminder_run_sudo --> off - Is it the case that zoneminder_run_sudo is not disabled? 
+ + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.thumbnailers disable-all +If properly configured, the output should be true. +To ensure that users cannot how long until the screensaver locks, run the following: +$ grep disable-all /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all + Is it the case that GNOME thumbnailers are not disabled? - - Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: - -$ sudo more /etc/fstab + + The runtime status of the net.ipv4.tcp_rfc1337 kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.tcp_rfc1337 +1. -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 - Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set? + Is it the case that the correct value is not returned? - - -Run the following command to determine if the polipo_use_cifs SELinux boolean is disabled: -$ getsebool polipo_use_cifs -If properly configured, the output should show the following: -polipo_use_cifs --> off - Is it the case that polipo_use_cifs is not disabled? + + To check that no password hashes are stored in +/etc/passwd, run the following command: +awk '!/\S:x|\*/ {print}' /etc/passwd +If it produces any output, then a password hash is +stored in /etc/passwd. + Is it the case that any stored hashes are found in /etc/passwd? - + To verify that auditing of privileged command use is configured, run the following command: -$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/* +$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that the command does not return a line, or the line is commented out? 
- - To determine if umask has been configured for sudo with the appropriate value, + + Verify that cron is logging to rsyslog, run the following command: -$ sudo grep -ri '^Defaults.*umask=' /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that umask is not set with the appropriate value for sudo? +grep -rni "cron\.\*" /etc/rsyslog.* +cron.* /var/log/cron + Is it the case that cron is not logging to rsyslog? - + + To check the group ownership of /etc/cron.monthly, +run the command: +$ ls -lL /etc/cron.monthly +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.monthly does not have a group owner of root? + + + - -Run the following command to determine the current status of the -usbguard service: -$ sudo systemctl is-active usbguard -If the service is running, it should return the following: active - Is it the case that the service is not enabled? +Run the following command to determine if the cron_can_relabel SELinux boolean is disabled: +$ getsebool cron_can_relabel +If properly configured, the output should show the following: +cron_can_relabel --> off + Is it the case that cron_can_relabel is not disabled? - - Verify that the system backups user data. - Is it the case that it is not? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: + +$ sudo auditctl -l | grep kmod + +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod + Is it the case that the command does not return a line, or the line is commented out? 
- + -Run the following command to determine if the httpd_use_fusefs SELinux boolean is disabled: -$ getsebool httpd_use_fusefs +Run the following command to determine if the logging_syslogd_use_tty SELinux boolean is enabled: +$ getsebool logging_syslogd_use_tty If properly configured, the output should show the following: -httpd_use_fusefs --> off - Is it the case that httpd_use_fusefs is not disabled? +logging_syslogd_use_tty --> on + Is it the case that logging_syslogd_use_tty is not enabled? - + + To verify that HBSS PA is installed, run the following command(s): +$ sudo ls /opt/McAfee/auditengine/bin/auditmanager + Is it the case that the HBSS PA module is not installed? + + + -Run the following command to determine if the use_nfs_home_dirs SELinux boolean is disabled: -$ getsebool use_nfs_home_dirs +Run the following command to determine if the tftp_anon_write SELinux boolean is disabled: +$ getsebool tftp_anon_write If properly configured, the output should show the following: -use_nfs_home_dirs --> off - Is it the case that use_nfs_home_dirs is not disabled? +tftp_anon_write --> off + Is it the case that tftp_anon_write is not disabled? - - To verify the system is not configured to use a boot loader on removable media, -check that the grub configuration file has the set root command in each menu -entry with the following commands: -$ sudo grep -cw menuentry /boot/grub2/grub.cfg -Note that the -c option for the grep command will print -only the count of menuentry occurrences. This number should match -the number of occurrences reported by the following command: -$ sudo grep "set root='hd0" /boot/grub2/grub.cfg -The output should return something similar to: -set root='hd0,msdos1' -usb0, cd, fd0, etc. are some examples of removeable -media which should not exist in the lines: -set root='hd0,msdos1' - Is it the case that it is not? 
+ + +Run the following command to determine if the xserver_clients_write_xshm SELinux boolean is disabled: +$ getsebool xserver_clients_write_xshm +If properly configured, the output should show the following: +xserver_clients_write_xshm --> off + Is it the case that xserver_clients_write_xshm is not disabled? - - To check if authentication is required for single-user mode, run the following command: -$ grep sulogin /usr/lib/systemd/system/rescue.service -The output should be similar to the following, and the line must begin with -ExecStart and /usr/lib/systemd/systemd-sulogin-shell. - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - Is it the case that the output is different? + + +Run the following command to determine if the postgresql_can_rsync SELinux boolean is disabled: +$ getsebool postgresql_can_rsync +If properly configured, the output should show the following: +postgresql_can_rsync --> off + Is it the case that postgresql_can_rsync is not disabled? - - The existence of the file /etc/hosts.equiv or a file named -.rhosts inside a user home directory indicates the presence -of an Rsh trust relationship. - Is it the case that these files exist? + + To determine if NOPASSWD or !authenticate have been configured for +sudo, run the following command: +$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that nopasswd and/or !authenticate is enabled in sudo? - - To verify all local initialization files for interactive users are owned by the -primary user, run the following command: -$ sudo ls -al /home/USER/.* -The user initialization files should be owned by USER. - Is it the case that they are not? + + To ensure sshd limits the users who can log in, run the following: +pre>$ sudo grep -rPi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config* +If properly configured, the output should be a list of usernames and/or +groups allowed to log in to this system. 
+ Is it the case that sshd does not limit the users who can log in? - - To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command: + + To check that the mdmonitor service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled mdmonitor +Output should indicate the mdmonitor service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled mdmonitor disabled -$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config +Run the following command to verify mdmonitor is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active mdmonitor -If a line indicating no is returned, then the required value is set. - Is it the case that The AllowTcpForwarding option exists and is disabled? - - - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: +If the service is not running the command will return the following output: +inactive -$ sudo auditctl -l | grep +The service will also be masked, to check that the mdmonitor is masked, run the following command: +$ sudo systemctl show mdmonitor | grep "LoadState\|UnitFileState" --w -p wa -k logins - Is it the case that the command does not return a line, or the line is commented out? +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "mdmonitor" is loaded and not masked? - - To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check -that the ctrl-alt-del.target is masked and not active with the following -command: -sudo systemctl status ctrl-alt-del.target -The output should indicate that the target is masked and not active. 
It -might resemble following output: -ctrl-alt-del.target -Loaded: masked (/dev/null; bad) -Active: inactive (dead) - Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? + + Run the following command to determine if the sssd-ipa package is installed: $ rpm -q sssd-ipa + Is it the case that the package is not installed? - - The runtime status of the net.ipv4.tcp_rfc1337 kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.tcp_rfc1337 -1. - - Is it the case that the correct value is not returned? + + To verify the INACTIVE setting, run the following command: +$ grep "INACTIVE" /etc/default/useradd +The output should indicate the INACTIVE configuration option is set +to an appropriate integer as shown in the example below: +$ grep "INACTIVE" /etc/default/useradd +INACTIVE= + Is it the case that the value of INACTIVE is greater than the expected value or is -1? - + + Run the following command to check the mode of the httpd log +directory: +$ ls -l /var/log/ | grep httpd +Log directory must be mode 0700 or less permissive. + Is it the case that it is more permissive? + + + -Run the following command to determine if the daemons_use_tty SELinux boolean is disabled: -$ getsebool daemons_use_tty +Run the following command to determine if the varnishd_connect_any SELinux boolean is disabled: +$ getsebool varnishd_connect_any If properly configured, the output should show the following: -daemons_use_tty --> off - Is it the case that daemons_use_tty is not disabled? +varnishd_connect_any --> off + Is it the case that varnishd_connect_any is not disabled? - - The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.icmp_ignore_bogus_error_responses -1. + + Verify the nodev option is configured for the /var mount point, + run the following command: + $ sudo mount | grep '\s/var\s' + . . . /var . . . nodev . . . 
- Is it the case that the correct value is not returned? - - - - To determine the status and frequency of logrotate, run the following command: -$ sudo grep logrotate /var/log/cron* -If logrotate is configured properly, output should include references to -/etc/cron.daily. - Is it the case that logrotate is not configured to run daily? + Is it the case that the "/var" file system does not have the "nodev" option set? - + -Run the following command to determine if the dbadm_read_user_files SELinux boolean is disabled: -$ getsebool dbadm_read_user_files +Run the following command to determine if the smbd_anon_write SELinux boolean is disabled: +$ getsebool smbd_anon_write If properly configured, the output should show the following: -dbadm_read_user_files --> off - Is it the case that dbadm_read_user_files is not disabled? +smbd_anon_write --> off + Is it the case that smbd_anon_write is not disabled? - - Storing logs with persistent storage ensures they are available after a reboot or system crash. -Run the command below to verify that logs are being persistently stored to disk. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. -grep "^\sStorage" /etc/systemd/journald.conf +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -and it should return +$ sudo grep -r truncate /etc/audit/rules.d -Storage=persistent +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - Is it the case that is commented out or not configured correctly? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_BINFMT_MISC /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. 
- - Is it the case that the kernel was not built with the required value? +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the mpd_enable_homedirs SELinux boolean is disabled: -$ getsebool mpd_enable_homedirs -If properly configured, the output should show the following: -mpd_enable_homedirs --> off - Is it the case that mpd_enable_homedirs is not disabled? + + Verify the system-wide shared library files are group-owned by "root" with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; + Is it the case that any system wide shared library file is returned and is not group-owned by a required system account? - - Verify the system-wide shared library directories are owned by "root" with the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; - Is it the case that any system-wide shared library directory is not owned by root? +$ sudo auditctl -l | grep/etc/sudoers.d + +-w /etc/sudoers.d/ -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? 
- - Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: + + Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: -$ sudo grep -w admin_space_left /etc/audit/auditd.conf +Verify "firewalld" has "nftables" set as the default backend: -admin_space_left = % +$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf -If the value of the "admin_space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is taking action if the allocated storage is about to reach capacity. - Is it the case that the "admin_space_left" value is not configured to the correct value? +# FirewallBackend +FirewallBackend=nftables + Is it the case that the "nftables" is not set as the "firewallbackend"? - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the site's network diagram and visually check the web server, to +ensure that the private web server is located on a separate controlled +access subnet and is not part of the public DMZ that houses the public +web servers. - Is it the case that no line is returned? +In addition, the private web server needs to be isolated via a controlled +access mechanism from the local general population lan. + Is it the case that the private web server is not on a separate controlled access subnet? 
- + -Run the following command to determine if the domain_fd_use SELinux boolean is enabled: -$ getsebool domain_fd_use +Run the following command to determine if the mozilla_plugin_use_gps SELinux boolean is disabled: +$ getsebool mozilla_plugin_use_gps If properly configured, the output should show the following: -domain_fd_use --> on - Is it the case that domain_fd_use is not enabled? - - - - To check the group ownership of /var/log/messages, -run the command: -$ ls -lL /var/log/messages -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /var/log/messages does not have a group owner of root? +mozilla_plugin_use_gps --> off + Is it the case that mozilla_plugin_use_gps is not disabled? - - To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: - -$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/10-base-config.rules +The output has to be exactly as follows: +## First rule - delete all +-D -If a line indicating no is returned, then the required value is set. +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 - Is it the case that the required value is not set? - - - - To check the permissions of /etc/at.allow, -run the command: -$ ls -l /etc/at.allow -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/at.allow does not have unix mode -rw-------? - - - - Verify the noexec option is configured for the /var mount point, - run the following command: - $ sudo mount | grep '\s/var\s' - . . . /var . . . noexec . . . +## This determine how long to wait in burst of events +--backlog_wait_time 60000 - Is it the case that the "/var" file system does not have the "noexec" option set? 
+## Set failure mode to syslog +-f 1 + Is it the case that the file does not exist or the content differs? - - To verify that root's primary group is zero run the following command: - - grep '^root:' /etc/passwd | cut -d : -f 4 - -The command should return: - -0 - - Is it the case that root has a primary gid not equal to zero? + + To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, +run the following command: +$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout +$ grep logout /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/settings-daemon/plugins/media-keys/logout + Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? - - To verify that repo_gpgcheck is configured properly, run the following -command: -$ grep repo_gpgcheck /etc/yum.conf -The output should return something similar to: -repo_gpgcheck=1 - Is it the case that gpgcheck is not enabled or configured correctly to verify repository metadata? + + Run the following command to determine if the chrony package is installed: $ rpm -q chrony + Is it the case that the package is not installed? - + -Run the following command to determine if the mmap_low_allowed SELinux boolean is disabled: -$ getsebool mmap_low_allowed +Run the following command to determine if the entropyd_use_audio SELinux boolean is disabled: +$ getsebool entropyd_use_audio If properly configured, the output should show the following: -mmap_low_allowed --> off - Is it the case that mmap_low_allowed is not disabled? +entropyd_use_audio --> off + Is it the case that entropyd_use_audio is not disabled? - - Run the following command to determine if the openscap-scanner package is installed: $ rpm -q openscap-scanner - Is it the case that the package is not installed? 
+ + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' + +-w /etc/security/opasswd -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the sudo package is installed: $ rpm -q sudo - Is it the case that the package is not installed? + + To check the ownership of /etc/group-, +run the command: +$ ls -lL /etc/group- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/group- does not have an owner of root? - - To determine if the system is configured to audit successful calls -to the open system call, run the following command: -$ sudo grep "open" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + The following command will discover and print world-writable directories that +are not owned by root. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print + Is it the case that there are world-writable directories not owned by root? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + + To verify that a remote NTP service is configured for time synchronization, +open the following file: -$ sudo auditctl -l | grep setsebool +/etc/chrony.conf in the case the system in question is +configured to use the chronyd as the NTP daemon (default setting) +/etc/ntp.conf in the case the system in question is configured +to use the ntpd as the NTP daemon --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged - Is it the case that the command does not return a line, or the line is commented out? +In the file, there should be a section similar to the following: +server ntpserver + Is it the case that this is not the case? - - The runtime status of the fs.suid_dumpable kernel parameter can be queried + + The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried by running the following command: -$ sysctl fs.suid_dumpable -0. +$ sysctl kernel.unprivileged_bpf_disabled +1. Is it the case that the correct value is not returned? - - To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command: -$ grep sha512 /etc/aide.conf -Verify that the sha512 option is added to the correct ruleset. - Is it the case that the sha512 option is missing or not added to the correct ruleset? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEBUG_CREDENTIALS /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Ensure there are no unconfined daemons running on the system, -the following command should produce no output: -$ sudo ps -eZ | grep "unconfined_service_t" - Is it the case that There are unconfined daemons running on the system? 
+ + +Run the following command to determine if the ftpd_connect_db SELinux boolean is disabled: +$ getsebool ftpd_connect_db +If properly configured, the output should show the following: +ftpd_connect_db --> off + Is it the case that ftpd_connect_db is not disabled? - - To determine if the system is configured to audit calls to the -lchown system call, run the following command: -$ sudo grep "lchown" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check the ownership of /etc/ssh/*.pub, +run the command: +$ ls -lL /etc/ssh/*.pub +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/ssh/*.pub does not have an owner of root? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLAB_MERGE_DEFAULT /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules +The output has to be exactly as follows: +## Successful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + Is it the case that the file does not exist or the content differs? - - To check that the kdump service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled kdump -Output should indicate the kdump service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled kdump disabled - -Run the following command to verify kdump is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active kdump - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the kdump is masked, run the following command: -$ sudo systemctl show kdump | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + +Run the following command to determine if the httpd_run_stickshift SELinux boolean is disabled: +$ getsebool httpd_run_stickshift +If properly configured, the output should show the following: +httpd_run_stickshift --> off + Is it the case that httpd_run_stickshift is not disabled? + + + + To determine if the system is configured to audit unsuccessful calls +to the chmod system call, run the following command: +$ sudo grep "chmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -UnitFileState=masked - Is it the case that the "kdump" is loaded and not masked? + Is it the case that no line is returned? - - Verify Red Hat Enterprise Linux 8 is configured to lock an account after -unsuccessful logon attempts with the command: + + Verify that a separate file system/partition has been created for /boot with the following command: +$ mountpoint /boot -$ grep 'deny =' /etc/security/faillock.conf -deny = . - Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />" -or less (but not "0"), is missing or commented out? + Is it the case that "/boot is not a mountpoint" is returned? - - Verify that the files and directories of each instance of Alias, -ScriptAlias, and ScriptAliasMatch that exist -have the correct file and directory permissions applied. - Is it the case that it is not? 
+ + +Run the following command to determine if the gpg_web_anon_write SELinux boolean is disabled: +$ getsebool gpg_web_anon_write +If properly configured, the output should show the following: +gpg_web_anon_write --> off + Is it the case that gpg_web_anon_write is not disabled? - - To check the permissions of /etc/http/conf.d/*, -run the command: -$ ls -l /etc/http/conf.d/* -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/http/conf.d/* does not have unix mode -rw-r-----? + + +Run the following command to determine if the boinc_execmem SELinux boolean is disabled: +$ getsebool boinc_execmem +If properly configured, the output should show the following: +boinc_execmem --> off + Is it the case that boinc_execmem is not disabled? - + + Run the following command to determine if the rear package is installed: $ rpm -q rear + Is it the case that the package is not installed? + + + -Run the following command to determine if the nfs_export_all_rw SELinux boolean is enabled: -$ getsebool nfs_export_all_rw +Run the following command to determine if the squid_use_tproxy SELinux boolean is disabled: +$ getsebool squid_use_tproxy If properly configured, the output should show the following: -nfs_export_all_rw --> on - Is it the case that nfs_export_all_rw is not enabled? +squid_use_tproxy --> off + Is it the case that squid_use_tproxy is not disabled? - - To verify that all user initialization files have a mode of 0740 or -less permissive, run the following command: -$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) -There should be no output. - Is it the case that they are not 0740 or more permissive? + + For each private key stored on the system, use the following command: +$ sudo ssh-keygen -y -f /path/to/file +If the contents of the key are displayed, this is a finding. + Is it the case that no ssh private key is accessible without a passcode? 
- - Verify the nodev option is configured for the /dev/shm mount point, - run the following command: - $ sudo mount | grep '\s/dev/shm\s' - . . . /dev/shm . . . nodev . . . - - Is it the case that the "/dev/shm" file system does not have the "nodev" option set? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SCHED_STACK_END_CHECK /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - -Run the following command to get the current configured value for deny_execmem -SELinux boolean: -$ getsebool deny_execmem -The expected cofiguration is . -"on" means true, and "off" means false - Is it the case that deny_execmem is not set as expected? + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To determine if the system is configured to audit successful calls -to the rename system call, run the following command: -$ sudo grep "rename" /etc/audit.* + + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +$ sudo grep "fchmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to check the mode of the system audit logs: -$ sudo grep -iw log_file /etc/audit/auditd.conf -log_file=/var/log/audit/audit.log -$ sudo stat -c "%n %a" /var/log/audit/* -$ sudo ls -l /var/log/audit -Audit logs must be mode 0640 or less permissive. - Is it the case that any permissions are more permissive? 
+ + Run the following command to determine if the geolite2-country package is installed: +$ rpm -q geolite2-country + Is it the case that the package is installed? - - Run the following command to determine if the rear package is installed: $ rpm -q rear - Is it the case that the package is not installed? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules +The output has to be exactly as follows: +## Successful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Is it the case that the file does not exist or the content differs? - + -Run the following command to determine if the httpd_can_connect_ldap SELinux boolean is disabled: -$ getsebool httpd_can_connect_ldap +Run the following command to determine if the samba_create_home_dirs SELinux boolean is disabled: +$ getsebool samba_create_home_dirs If properly configured, the output should show the following: -httpd_can_connect_ldap --> off - Is it the case that httpd_can_connect_ldap is not disabled? +samba_create_home_dirs --> off + Is it the case that samba_create_home_dirs is not disabled? - - The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.tcp_syncookies -1. + + +Determine the audit log group by running the following command: - Is it the case that the correct value is not returned? - - - - Check group owners of the system audit logs. 
+$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf -First, determine where the audit log file is located. +Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. +Run the following command: -$ sudo grep -iw ^log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log +$ sudo find /var/log/audit -type d -printf "%p %g\n" -The log_file option specifies the audit log file path. -If the log_file option isn't defined, check all files within /var/log/audit directory. +All listed directories must be owned by the log_group or by root if the log_group is not specified. + Is it the case that there is a directory owned by different group? + + + + +Run the following command to determine if the mailman_use_fusefs SELinux boolean is disabled: +$ getsebool mailman_use_fusefs +If properly configured, the output should show the following: +mailman_use_fusefs --> off + Is it the case that mailman_use_fusefs is not disabled? + + + + +To check that the rsh service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig rsh --list +Output should indicate the rsh service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig rsh --list +Note: This output shows SysV services only and does not include native +systemd services. SysV configuration data might be overridden by native +systemd configuration. -Then, determine the audit log group by running the following command: -$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf +If you want to list systemd services use 'systemctl list-unit-files'. +To see services enabled on particular target use +'systemctl list-dependencies [target]'. +rsh off -Then, check that the audit log file is owned by the correct group. 
-Run the following command to display the owner of the audit log file: +To check that the rsh socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled rsh +Output should indicate the rsh socket has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rshdisabled -$ sudo stat -c "%n %G" log_file +Run the following command to verify rsh is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rsh +If the socket is not running the command will return the following output: +inactive -The audit log file must be owned by the log_group or by root if the log_group is not specified. - Is it the case that audit log files are owned by incorrect group? - - - - # grep "^OPTIONS.*-u" /etc/sysconfig/chronyd | grep -v -e '-u\s*chrony\b' -returns no output - Is it the case that chronyd is not running under chrony user account? - - - - The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.rp_filter -The output of the command should indicate either: -net.ipv4.conf.all.rp_filter = 1 -or: -net.ipv4.conf.all.rp_filter = 2 -The output of the command should not indicate: -net.ipv4.conf.all.rp_filter = 0 +The socket will also be masked, to check that the rsh is masked, run the following command: +$ sudo systemctl show rsh | grep "LoadState\|UnitFileState" -The preferable way how to assure the runtime compliance is to have -correct persistent configuration, and rebooting the system. +If the socket is masked the command will return the following outputs: -The persistent sysctl parameter configuration is performed by specifying the appropriate -assignment in any file located in the /etc/sysctl.d directory. 
-Verify that there is not any existing incorrect configuration by executing the following command: -$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d -The command should not find any assignments other than: -net.ipv4.conf.all.rp_filter = 1 -or: -net.ipv4.conf.all.rp_filter = 2 +LoadState=masked -Conflicting assignments are not allowed. - Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? +UnitFileState=masked + Is it the case that service and/or socket are running? - + -Run the following command to determine if the httpd_use_sasl SELinux boolean is disabled: -$ getsebool httpd_use_sasl +Run the following command to determine if the sge_domain_can_network_connect SELinux boolean is disabled: +$ getsebool sge_domain_can_network_connect If properly configured, the output should show the following: -httpd_use_sasl --> off - Is it the case that httpd_use_sasl is not disabled? - - - - Run the following command to determine if the mailx package is installed: $ rpm -q mailx - Is it the case that the package is not installed? - - - - Inspect /etc/audit/auditd.conf and locate the following line to -determine how many logs the system is configured to retain after rotation: -$ sudo grep num_logs /etc/audit/auditd.conf -num_logs = 5 - Is it the case that the system log file retention has not been properly configured? +sge_domain_can_network_connect --> off + Is it the case that sge_domain_can_network_connect is not disabled? - - To check the permissions of /etc/ssh/*.pub, -run the command: -$ ls -l /etc/ssh/*.pub -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? 
+ + +Run the following command to determine if the httpd_tmp_exec SELinux boolean is disabled: +$ getsebool httpd_tmp_exec +If properly configured, the output should show the following: +httpd_tmp_exec --> off + Is it the case that httpd_tmp_exec is not disabled? - + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules The output has to be exactly as follows: -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 
-S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +## Successful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete Is it the case that the file does not exist or the content differs? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECCOMP_FILTER /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudoedit" command with the following command: + +$ sudo auditctl -l | grep sudoedit + +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit + Is it the case that the command does not return a line, or the line is commented out? - - Verify that cron is logging to rsyslog, -run the following command: -grep -rni "cron\.\*" /etc/rsyslog.* -cron.* /var/log/cron - Is it the case that cron is not logging to rsyslog? + + +Run the following command to determine if the gitosis_can_sendmail SELinux boolean is disabled: +$ getsebool gitosis_can_sendmail +If properly configured, the output should show the following: +gitosis_can_sendmail --> off + Is it the case that gitosis_can_sendmail is not disabled? 
- - To verify that smart cards are enabled in SSSD, run the following command: -$ sudo grep pam_cert_auth /etc/sssd/sssd.conf -If configured properly, output should be -pam_cert_auth = True - - -To verify that smart cards are enabled in PAM files, run the following command: -$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth -If configured properly, output should be - -/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name -/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth - - Is it the case that smart cards are not enabled in SSSD? + + To ensure that users cannot change session idle and lock settings, run the following: +$ grep 'lock-delay' /etc/dconf/db/local.d/locks/* +If properly configured, the output should return: +/org/gnome/desktop/screensaver/lock-delay + Is it the case that GNOME3 session settings are not locked or configured properly? - - The runtime status of the vm.mmap_min_addr kernel parameter can be queried -by running the following command: -$ sysctl vm.mmap_min_addr -65536. + + To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: - Is it the case that the correct value is not returned? +$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? - - The runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.router_solicitations -0. - - Is it the case that the correct value is not returned? 
+ + To check the group ownership of /boot/grub2/user.cfg, +run the command: +$ ls -lL /boot/grub2/user.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /boot/grub2/user.cfg does not have a group owner of root? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules -The output has to be exactly as follows: -## Successful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification - Is it the case that the file does not exist or the content differs? + + To check for incorrectly labeled device files, run following commands: +$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" +$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" +It should produce no output in a well-configured system. + Is it the case that there is output? 
- + To determine if the system is configured to audit successful calls -to the fsetxattr system call, run the following command: -$ sudo grep "fsetxattr" /etc/audit.* +to the lremovexattr system call, run the following command: +$ sudo grep "lremovexattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To verify if LogFormat is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i logformat /etc/httpd/conf/httpd.conf -The output should contain the following: -LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined - Is it the case that it is not? - - - + -Run the following command to determine if the zabbix_can_network SELinux boolean is disabled: -$ getsebool zabbix_can_network +Run the following command to determine if the virt_sandbox_use_all_caps SELinux boolean is disabled: +$ getsebool virt_sandbox_use_all_caps If properly configured, the output should show the following: -zabbix_can_network --> off - Is it the case that zabbix_can_network is not disabled? - - - - Inspect /etc/audit/auditd.conf and locate the following line to -determine if the system is configured correctly: -space_left SIZE_in_MB - Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? - - - - To check the ownership of /boot/grub2/grub.cfg, -run the command: -$ ls -lL /boot/grub2/grub.cfg -If properly configured, the output should indicate the following owner: -root - Is it the case that /boot/grub2/grub.cfg does not have an owner of root? +virt_sandbox_use_all_caps --> off + Is it the case that virt_sandbox_use_all_caps is not disabled? - - Find if logging is applied to the FTP daemon. 
+ + To check that the certmonger service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled certmonger +Output should indicate the certmonger service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled certmonger disabled -Procedures: +Run the following command to verify certmonger is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active certmonger -If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file: -$ grep vsftpd /etc/xinetd.d/* -$ grep server_args vsftpd xinetd.d startup file -This will indicate the vsftpd config file used when starting through xinetd. -If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. -$ sudo grep xferlog_enable vsftpd config file - Is it the case that xferlog_enable is missing, or is not set to yes? - - - - Run the following command to determine if the abrt-addon-ccpp package is installed: -$ rpm -q abrt-addon-ccpp - Is it the case that the package is installed? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the certmonger is masked, run the following command: +$ sudo systemctl show certmonger | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "certmonger" is loaded and not masked? - + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-20T00:06:14 + 2023-11-21T00:06:13 diff --git a/ssg-rhel8-ds.xml b/ssg-rhel8-ds.xml index 3348ee1..d2c94bd 100644 --- a/ssg-rhel8-ds.xml +++ b/ssg-rhel8-ds.xml @@ -25,7 +25,7 @@ - + Red Hat Enterprise Linux 8 
@@ -77,9 +77,9 @@ - + - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 8 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of @@ -122,170 +122,161 @@ trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. - - - - - - + - - - - - - + - + - + + + + + + - + - + + - + - + + + + - + - - + - + - - - + + + + + - - + - - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + - + - + - + - + + - + - - - - + + - + - + + + - + - - - - + - + - - - - - - + - + - - + - + - + - + - + - + - - + - + - + - + - + + + - + - + @@ -293,48 +284,56 @@ respective companies. - - - - + + + - + - + - + - + - + - + - + - + + + + + - + - - + - + - + - + - + + + + + + + @@ -343,48 +342,44 @@ respective companies. - + - + - + - + - + - - + - + + + + + + - + - + - + - - - - - - - - - - - - - - - - + + + + + + + + @@ -393,118 +388,94 @@ respective companies. - + - - - - + - + - + - - - - + + + - + - - - - + + - + - - - + - - - - - - + - + - + - - + - + - - + - + - + - - - - - - - - - - - - + - + - + - + - + - + + - + - + - + - - + - + - + + - - - + + + + @@ -518,26 +489,55 @@ respective companies. - + - + - + - + + - + + + + - - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + 
@@ -844,246 +844,246 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - + - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - + + + + + + - - - - - - - - + + - - - + + + + + + + + + + + + + + + - - - - + - - + + + + + + + + - - - - + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + - - - - - - + + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1314,320 +1314,320 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - - + + + + + + - - - - + + + + + - - - - - + + - - + + + - - - - + + + + + + + + + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + - - - - - - + + + + + + - - - - - - - - - - - - - - + + - - + + + + + + + + + + + + + + - - - + + - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - + + + - - - - - - - - - - + + - - - - - - - - - - - - - + + - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + - - - - - - - - - - - - + + + + - - + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + - + + + + + + + + + + + + + + + + + + + + + + - - + + + + + - - - + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1860,175 +1860,175 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - + - - - - - - - - - - - - - - - - - - + - - - - - - - - - + + - - - - - - - - - - - - - - - - - + + - - - - - - + + + + + + + + + + + + + + - - - + + + - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - + + - + + + + + + + + + + - - - + - + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + + + + - + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2269,53 +2269,53 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - + + + + + - - + + + - - - - - - + + + + + - + - - - - + + + + - - - - - + + - - - - - - - - - - + - + + + + - - - + + + + + + + + + 
@@ -2569,365 +2569,365 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + - - - + + + - - - - - - - - - - + + - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - + + + - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + - - - - - + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + 
@@ -3132,289 +3132,289 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - - + + + + - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - + + + + + - - - + + + + + + + - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - + - - - - - - + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + - + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + - + + + + + + + + + - - - - - + + + + + + + - - - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + + + + + + + - - - + + + + - - - - - - - - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + 
@@ -3625,282 +3625,282 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - + + + + - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - + + + + + - - - + + + + + + + - - - - - - - - - - - - + + + + + + - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - + - - - - + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + - - - + + + - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - + + + + + + + + + - - - - - + + + + + + - - - - - - - - - - - - - + - - - - - - - - - - - + + + + + + + + + + + + - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + 
@@ -4118,361 +4118,361 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + - - - + + + - - - - - - - - - - + + - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - + + + - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + - - - - - + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + 
@@ -4681,111 +4681,111 @@ Policy Resource Center: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center - - - - - + + + - - - - + + + + + + - - - - + + + + + - - - - - - - - + + - - - - - - - - - - - - + - - - - + + - - - - - - - - - - - - - - - - + + + - - - - - + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + - - - + - - - - - - - - - - - - + + + + + + - + + + + + + + + + - - + + - - + + @@ -5032,216 +5032,216 @@ in NIST Special Publication 800-53. This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)." - - - - - - - - - - - - - - - + + + + + - - - - - - - - + + + + - - - - - - - - - + - - - - - - - - - - - - - - - - - - + + - - - + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - + + + + + + + - - - + + + + + + + + - - - + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - + + - + + + + + + + - - - - + + + + + + + + + + + + - - - + + - - - - - + + + - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + 
@@ -5474,104 +5474,104 @@ ACSC website: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers + + + + + + + + + - - - + + + + - - - - - - - - - - + + + + + + + + + + + + - - + + + + + + + + + + + + - - + + + - - - - + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + - - - + + + + + - - + + + - - - - - - + + + + - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -5797,143 +5797,143 @@ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). https://www.hhs.gov/hipaa/for-professionals/index.html - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - + + + + + + + + + + - - - - + - - + - - + - + + + + + + + - - - + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - + - - - - - - + + + + + + + + + + + - + + - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + 
@@ -6155,157 +6155,157 @@ A copy of the ISM can be found at the ACSC website: https://www.cyber.gov.au/ism https://www.cyber.gov.au/ism - + + + + + + + + + - - - + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + - - + + + + - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - + - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + - + - - - - + + + + + + - - - - - - - - - - - - - - - - + - + + + - - - + + + + + + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -6512,216 +6512,216 @@ U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems. https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442 - - - - - - - - - - - - - - - + + + + + - - - - - - - - + + + + - - - - - - - - - + - - - - - - - - - - - - - - - - - - + + - - - + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - + + + + + + + - - - + + + + + + + + - - - + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - + + - + + + + + + + - - - - + + + + + + + + + + + + - - - + + - - - - - + + + - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + 
@@ -6954,263 +6954,263 @@ financial information. This profile ensures Red Hat Enterprise Linux 8 is configured in alignment with PCI-DSS v4.0 requirements. https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - - - + + + + + + + + + - - - - + + + + + - - - + + + + + - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - + + + + - - - + + + + + + + - - - - - - - - - - - + + + + + + + - - - - + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - + + - + + + + + + + + + + + - - - - - - - - - + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + - + + + + - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - + - - - + - - - + + + + + + + - - - - - - - - - + + + @@ -7414,77 +7414,77 @@ with PCI-DSS v4.0 requirements. configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified Cloud Providers. - + + + + + + + - - - + + + + + - - - - - - - - - - - - - - + + - - - - + - - - - - - - + + + + + + + + + - - - - - - - - - - + + + - - - - - - - - - - - - - - + + + + + + + + + + + + - + + + + + - + + + + + + + + + + + + + + - - - - + 
@@ -7724,85 +7724,85 @@ Cloud Providers. This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload all of these checks should pass. - - - + + + - - - - - - - - - + + + + + + + + - + - - - - + - - - - - - + - + + + + + - + + + + - + + + + + + + + + + + - - - - + - - - + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - + - + + + + + - - - - + + + + + 
@@ -8041,416 +8041,416 @@ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - - - - - + + - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - + + + + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + - + + - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + - - - - - - + + + + + + + - - - - - - - - - - - - - - + + + + - - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + 
@@ -8672,413 +8672,413 @@ your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 8 profile. https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - - - - - + + - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + - - - + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + - + + - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - + + + + + + - - - - - - + + + + + + + - - - - - - - - - - - - - - + + + + - - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + 
@@ -9420,16 +9420,6 @@ Alternatively, the package can be reinstalled from trusted media using the comma information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. CCE-80857-6 - -# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names -files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )" - -# From files names get package names and change newline to space, because rpm writes each package to new line -packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')" - - -yum reinstall -y $packages_to_reinstall - - name: 'Set fact: Package manager reinstall command (dnf)' set_fact: package_manager_reinstall_cmd: dnf reinstall -y @@ -9589,6 +9579,16 @@ yum reinstall -y $packages_to_reinstall - no_reboot_needed - restrict_strategy - rpm_verify_hashes + + +# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names +files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )" + +# From files names get package names and change newline to space, because rpm writes each package to new line +packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')" + + +yum reinstall -y $packages_to_reinstall 
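Review bot: the shell remediation for rpm_verify_hashes removed at @@ -9420 and re-added at @@ -9589 is byte-for-byte the same block, so this pair of hunks only changes where the fix sits relative to the Ansible task (`package_manager_reinstall_cmd: dnf reinstall -y`). If the block is being touched anyway, two defects in it are worth fixing: `rpm -qf $files_with_incorrect_hash` is unquoted, so a path containing whitespace is split into several bogus arguments, and when `rpm -Va --noconfig | grep -E '^..5'` matches nothing, `rpm -qf` runs with no arguments and `yum reinstall -y $packages_to_reinstall` runs with an empty package list. Reading the paths into an array (`readarray -t` with `"${arr[@]}"`) and exiting early when the array is empty, as the ownership remediation below already does for its loop, would make the script safe on hosts that are already compliant.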
@@ -9729,28 +9729,6 @@ could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated. CCE-82196-7 - -# Declare array to hold set of RPM packages we need to correct permissions for -declare -A SETPERMS_RPM_DICT - -# Create a list of files on the system having permissions different from what -# is expected by the RPM database -readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }') - -for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" -do - RPM_PACKAGE=$(rpm -qf "$FILE_PATH") - # Use an associative array to store packages as it's keys, not having to care about duplicates. - SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 -done - -# For each of the RPM packages left in the list -- reset its permissions to the -# correct values -for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" -do - rpm --setugids "${RPM_PACKAGE}" -done - - name: Read list of files with incorrect ownership command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode 
@@ -9831,6 +9809,28 @@ done - no_reboot_needed - restrict_strategy - rpm_verify_ownership + + +# Declare array to hold set of RPM packages we need to correct permissions for +declare -A SETPERMS_RPM_DICT + +# Create a list of files on the system having permissions different from what +# is expected by the RPM database +readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }') + +for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" +do + RPM_PACKAGE=$(rpm -qf "$FILE_PATH") + # Use an associative array to store packages as it's keys, not having to care about duplicates. + SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 +done + +# For each of the RPM packages left in the list -- reset its permissions to the +# correct values +for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" +do + rpm --setugids "${RPM_PACKAGE}" +done 
@@ -9985,32 +9985,6 @@ could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. CCE-80858-4 - -# Declare array to hold set of RPM packages we need to correct permissions for -declare -A SETPERMS_RPM_DICT - -# Create a list of files on the system having permissions different from what -# is expected by the RPM database -readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }') - -for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" -do - # NOTE: some files maybe controlled by more then one package - readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}") - for RPM_PACKAGE in "${RPM_PACKAGES[@]}" - do - # Use an associative array to store packages as it's keys, not having to care about duplicates. - SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 - done -done - -# For each of the RPM packages left in the list -- reset its permissions to the -# correct values -for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" -do - rpm --restore "${RPM_PACKAGE}" -done - - name: Read list of files with incorrect permissions command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup 
@@ -10094,6 +10068,32 @@ done - no_reboot_needed - restrict_strategy - rpm_verify_permissions + + +# Declare array to hold set of RPM packages we need to correct permissions for +declare -A SETPERMS_RPM_DICT + +# Create a list of files on the system having permissions different from what +# is expected by the RPM database +readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }') + +for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" +do + # NOTE: some files maybe controlled by more then one package + readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}") + for RPM_PACKAGE in "${RPM_PACKAGES[@]}" + do + # Use an associative array to store packages as it's keys, not having to care about duplicates. + SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 + done +done + +# For each of the RPM packages left in the list -- reset its permissions to the +# correct values +for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" +do + rpm --restore "${RPM_PACKAGE}" +done @@ -10196,21 +10196,13 @@ $ sudo yum install aide SV-251710r880730_rule The AIDE package must be installed if it is to be available for integrity checking. CCE-80844-4 + +package --add=aide + [[packages]] name = "aide" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_aide @@ -10239,8 +10231,16 @@ class install_aide { - no_reboot_needed - package_aide_installed - -package --add=aide + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -10343,20 +10343,6 @@ If this check produces any unexpected output, investigate.For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. CCE-80675-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -/usr/sbin/aide --init -/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Build and Test AIDE Database - Ensure AIDE Is Installed ansible.builtin.package: name: '{{ item }}' @@ -10437,6 +10423,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +/usr/sbin/aide --init +/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -10474,68 +10474,6 @@ provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. CCE-85964-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - - - - - - - - - - -if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then -sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then -sed -i 
"s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf -else -echo "/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure aide is installed package: name: '{{ item }}' 
@@ -10614,6 +10552,68 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + + + + + + + + + + +if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then +sed -i "s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf +else +echo "/usr/sbin/rsyslogd 
p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -10722,24 +10722,6 @@ system. The operating system's Information Management Officer (IMO)/Information Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. CCE-80676-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then - echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab -else - sed -i '\!^.* --check.*$!d' /etc/crontab - echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure AIDE is installed package: name: '{{ item }}' @@ -10847,6 +10829,24 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then + echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab +else + sed -i '\!^.* --check.*$!d' /etc/crontab + echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -10926,36 +10926,6 @@ system. The operating system's Information Management Officer (IMO)/Information Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. CCE-82891-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi -var_aide_scan_notification_email='' - - - -CRONTAB=/etc/crontab -CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' - -# NOTE: on some platforms, /etc/crontab may not exist -if [ -f /etc/crontab ]; then - CRONTAB_EXIST=/etc/crontab -fi - -if [ -f /var/spool/cron/root ]; then - VARSPOOL=/var/spool/cron/root -fi - -if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then - echo "0 5 * * * root /usr/sbin/aide --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_aide_scan_notification_email # promote to variable set_fact: var_aide_scan_notification_email: !!str 
@@ -11002,6 +10972,36 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi +var_aide_scan_notification_email='' + + + +CRONTAB=/etc/crontab +CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' + +# NOTE: on some platforms, /etc/crontab may not exist +if [ -f /etc/crontab ]; then + CRONTAB_EXIST=/etc/crontab +fi + +if [ -f /var/spool/cron/root ]; then + VARSPOOL=/var/spool/cron/root +fi + +if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then + echo "0 5 * * * root /usr/sbin/aide --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -11148,37 +11148,6 @@ The remediation provided with this rule adds acl to all r ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. CCE-84220-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -aide_conf="/etc/aide.conf" - -groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) - -for group in $groups -do - config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') - - if ! [[ $config = *acl* ]] - then - if [[ -z $config ]] - then - config="acl" - else - config=$config"+acl" - fi - fi - sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather list of packages package_facts: manager: auto 
@@ -11240,6 +11209,37 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +aide_conf="/etc/aide.conf" + +groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) + +for group in $groups +do + config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') + + if ! [[ $config = *acl* ]] + then + if [[ -z $config ]] + then + config="acl" + else + config=$config"+acl" + fi + fi + sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -11290,37 +11290,6 @@ The remediation provided with this rule adds xattrs to al Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. CCE-83733-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "aide" ; then - yum install -y "aide" -fi - -aide_conf="/etc/aide.conf" - -groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) - -for group in $groups -do - config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') - - if ! [[ $config = *xattrs* ]] - then - if [[ -z $config ]] - then - config="xattrs" - else - config=$config"+xattrs" - fi - fi - sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather list of packages package_facts: manager: auto 
@@ -11382,6 +11351,37 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + yum install -y "aide" +fi + +aide_conf="/etc/aide.conf" + +groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u) + +for group in $groups +do + config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ') + + if ! [[ $config = *xattrs* ]] + then + if [[ -z $config ]] + then + config="xattrs" + else + config=$config"+xattrs" + fi + fi + sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -11409,21 +11409,6 @@ Audit tools must have the correct group owner. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. CCE-86239-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /sbin/auditctl -chgrp 0 /sbin/aureport -chgrp 0 /sbin/ausearch -chgrp 0 /sbin/autrace -chgrp 0 /sbin/auditd -chgrp 0 /sbin/rsyslogd -chgrp 0 /sbin/augenrules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -11661,6 +11646,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /sbin/auditctl +chgrp 0 /sbin/aureport +chgrp 0 /sbin/ausearch +chgrp 0 /sbin/autrace +chgrp 0 /sbin/auditd +chgrp 0 /sbin/rsyslogd +chgrp 0 /sbin/augenrules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -11688,21 +11688,6 @@ Audit tools must have the correct owner. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. CCE-86259-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /sbin/auditctl -chown 0 /sbin/aureport -chown 0 /sbin/ausearch -chown 0 /sbin/autrace -chown 0 /sbin/auditd -chown 0 /sbin/rsyslogd -chown 0 /sbin/augenrules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -11940,6 +11925,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /sbin/auditctl +chown 0 /sbin/aureport +chown 0 /sbin/ausearch +chown 0 /sbin/autrace +chown 0 /sbin/auditd +chown 0 /sbin/rsyslogd +chown 0 /sbin/augenrules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -11965,27 +11965,6 @@ Audit tools must have a mode of 0755 or less permissive. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. CCE-86227-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-s,g-ws,o-wt /sbin/auditctl - -chmod u-s,g-ws,o-wt /sbin/aureport - -chmod u-s,g-ws,o-wt /sbin/ausearch - -chmod u-s,g-ws,o-wt /sbin/autrace - -chmod u-s,g-ws,o-wt /sbin/auditd - -chmod u-s,g-ws,o-wt /sbin/rsyslogd - -chmod u-s,g-ws,o-wt /sbin/augenrules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -12223,6 +12202,27 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-s,g-ws,o-wt /sbin/auditctl + +chmod u-s,g-ws,o-wt /sbin/aureport + +chmod u-s,g-ws,o-wt /sbin/ausearch + +chmod u-s,g-ws,o-wt /sbin/autrace + +chmod u-s,g-ws,o-wt /sbin/auditd + +chmod u-s,g-ws,o-wt /sbin/rsyslogd + +chmod u-s,g-ws,o-wt /sbin/augenrules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -12288,19 +12288,6 @@ protect data. The operating system must implement cryptographic modules adhering standards approved by the federal government since this provides assurance they have been tested and validated. CCE-82155-3 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then - -fips-mode-setup --enable -FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" -if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then - echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Check to see the current status of FIPS mode command: /usr/bin/fips-mode-setup --check register: is_fips_enabled @@ -12367,6 +12354,19 @@ fi - medium_disruption - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then + +fips-mode-setup --enable +FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" +if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then + echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -12420,33 +12420,6 @@ standards approved by the federal government since this provides assurance they and validated. CCE-80942-6 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_system_crypto_policy='' - - -fips-mode-setup --enable - -stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) -rc=$? - -if test "$rc" = 127; then - echo "$stderr_of_call" >&2 - echo "Make sure that the script is installed on the remediated system." >&2 - echo "See output of the 'dnf provides update-crypto-policies' command" >&2 - echo "to see what package to (re)install" >&2 - - false # end with an error code -elif test "$rc" != 0; then - echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 - false # end with an error code -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_system_crypto_policy # promote to variable set_fact: var_system_crypto_policy: !!str 
@@ -12553,6 +12526,33 @@ fi - medium_disruption - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_system_crypto_policy='' + + +fips-mode-setup --enable + +stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) +rc=$? + +if test "$rc" = 127; then + echo "$stderr_of_call" >&2 + echo "Make sure that the script is installed on the remediated system." >&2 + echo "See output of the 'dnf provides update-crypto-policies' command" >&2 + echo "to see what package to (re)install" >&2 + + false # end with an error code +elif test "$rc" != 0; then + echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 + false # end with an error code +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -12736,15 +12736,13 @@ $ sudo yum install crypto-policies the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. CCE-82723-8 + +package --add=crypto-policies + [[packages]] name = "crypto-policies" version = "*" - - -if ! rpm -q --quiet "crypto-policies" ; then - yum install -y "crypto-policies" -fi include install_crypto-policies @@ -12767,8 +12765,10 @@ class install_crypto-policies { - no_reboot_needed - package_crypto-policies_installed - -package --add=crypto-policies + +if ! rpm -q --quiet "crypto-policies" ; then + yum install -y "crypto-policies" +fi 
@@ -12880,24 +12880,26 @@ submits to this process. the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. CCE-80935-0 - -var_system_crypto_policy='' - - -stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) -rc=$? - -if test "$rc" = 127; then - echo "$stderr_of_call" >&2 - echo "Make sure that the script is installed on the remediated system." >&2 - echo "See output of the 'dnf provides update-crypto-policies' command" >&2 - echo "to see what package to (re)install" >&2 - - false # end with an error code -elif test "$rc" != 0; then - echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 - false # end with an error code -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: configure-crypto-policy.service + enabled: true + contents: | + [Unit] + Before=kubelet.service + [Service] + Type=oneshot + ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}} + RemainAfterExit=yes + [Install] + WantedBy=multi-user.target - name: XCCDF Value var_system_crypto_policy # promote to variable set_fact: 
@@ -12949,26 +12951,24 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: configure-crypto-policy.service - enabled: true - contents: | - [Unit] - Before=kubelet.service - [Service] - Type=oneshot - ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}} - RemainAfterExit=yes - [Install] - WantedBy=multi-user.target + +var_system_crypto_policy='' + + +stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) +rc=$? + +if test "$rc" = 127; then + echo "$stderr_of_call" >&2 + echo "Make sure that the script is installed on the remediated system." >&2 + echo "See output of the 'dnf provides update-crypto-policies' command" >&2 + echo "to see what package to (re)install" >&2 + + false # end with an error code +elif test "$rc" != 0; then + echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 + false # end with an error code +fi 
@@ -12998,29 +12998,6 @@ line and is not commented out: library violate expectations, and makes system configuration more fragmented. CCE-84254-2 - -CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config -correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' - -grep -q ${correct_value} ${CONF_FILE} - -if [[ $? -ne 0 ]]; then - # We need to get the existing value, using PCRE to maintain same regex - existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE}) - - if [[ ! -z ${existing_value} ]]; then - # replace existing_value with correct_value - sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} - else - # ***NOTE*** # - # This probably means this file is not here or it's been modified - # unintentionally. - # ********** # - # echo correct_value to end - echo ${correct_value} >> ${CONF_FILE} - fi -fi - - name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact' set_fact: path: /etc/crypto-policies/back-ends/gnutls.config @@ -13102,6 +13079,29 @@ fi - medium_severity - reboot_required - restrict_strategy + + +CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config +correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' + +grep -q ${correct_value} ${CONF_FILE} + +if [[ $? -ne 0 ]]; then + # We need to get the existing value, using PCRE to maintain same regex + existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE}) + + if [[ ! -z ${existing_value} ]]; then + # replace existing_value with correct_value + sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} + else + # ***NOTE*** # + # This probably means this file is not here or it's been modified + # unintentionally. + # ********** # + # echo correct_value to end + echo ${correct_value} >> ${CONF_FILE} + fi +fi 
@@ -13132,10 +13132,6 @@ If the symlink exists, Kerberos is configured to use the system-wide crypto poli Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. CCE-80936-8 - -rm -f /etc/krb5.conf.d/crypto-policies -ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies - - name: Configure Kerberos to use System Crypto Policy file: src: /etc/crypto-policies/back-ends/krb5.config @@ -13153,6 +13149,10 @@ ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policie - low_complexity - low_disruption - reboot_required + + +rm -f /etc/krb5.conf.d/crypto-policies +ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies @@ -13189,18 +13189,6 @@ is not commented out or superseded by later includes: service violate expectations, and makes system configuration more fragmented. CCE-80937-6 - -function remediate_libreswan_crypto_policy() { - CONFIG_FILE="/etc/ipsec.conf" - if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then - # the file might not end with a new line - echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE" - fi - return 0 -} - -remediate_libreswan_crypto_policy - - name: Configure Libreswan to use System Crypto Policy lineinfile: path: /etc/ipsec.conf @@ -13221,6 +13209,18 @@ remediate_libreswan_crypto_policy - low_disruption - no_reboot_needed - restrict_strategy + + +function remediate_libreswan_crypto_policy() { + CONFIG_FILE="/etc/ipsec.conf" + if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then + # the file might not end with a new line + echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE" + fi + return 0 +} + +remediate_libreswan_crypto_policy 
@@ -13256,37 +13256,6 @@ if there is a [ crypto_policy ] section that contains the Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented. CCE-80938-4 - -OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' -OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' - -OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' - -OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$' - - - - - - -function remediate_openssl_crypto_policy() { - CONFIG_FILE=/etc/pki/tls/openssl.cnf - if test -f "$CONFIG_FILE"; then - if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then - printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE" - return 0 - elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then - sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE" - return 0 - fi - else - echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2 - return 1 - fi -} - -remediate_openssl_crypto_policy - - name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy Section ansible.builtin.find: 
@@ -13391,6 +13360,37 @@ remediate_openssl_crypto_policy - medium_severity - no_reboot_needed - unknown_strategy + + +OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' +OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' + +OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' + +OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$' + + + + + + +function remediate_openssl_crypto_policy() { + CONFIG_FILE=/etc/pki/tls/openssl.cnf + if test -f "$CONFIG_FILE"; then + if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then + printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE" + return 0 + elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then + sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE" + return 0 + fi + else + echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2 + return 1 + fi +} + +remediate_openssl_crypto_policy @@ -13480,11 +13480,6 @@ in the /etc/sysconfig/sshd. Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. CCE-80939-2 - -SSH_CONF="/etc/sysconfig/sshd" - -sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF - - name: Configure SSH to use System Crypto Policy lineinfile: dest: /etc/sysconfig/sshd @@ -13506,6 +13501,11 @@ sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF - medium_disruption - medium_severity - reboot_required + + +SSH_CONF="/etc/sysconfig/sshd" + +sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF 
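Review bot: in the relocated OpenSSL remediation at the top of this hunk (`remediate_openssl_crypto_policy`) the `.include` check can never match: `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` contains the PCRE group `(?:=\s*)?` but is handed to `grep -q` without `-P`, where `(`, `?` and `:` are literal characters, and the call prepends a second `^\\s*` to a pattern that already starts with `^\s*`. The `elif` branch therefore runs on every execution and `sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|"` appends another `.include` line under `[ crypto_policy ]` each time the rule is remediated. Use `grep -qP "$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX"` (without the extra prefix) and the same flag for the section check.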
@@ -13540,15 +13540,6 @@ variable configured with predefined value. are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. CCE-84286-4 - -cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" -file="/etc/crypto-policies/local.d/opensslcnf-ospp.config" -backend_file="/etc/crypto-policies/back-ends/opensslcnf.config" - -sed -i "/Ciphersuites\s*=\s*/d" "$backend_file" -printf "\n%s\n" "$cp" >> "$file" -update-crypto-policies - - name: Remove configuration from backend file /etc/crypto-policies/back-ends/opensslcnf.config lineinfile: path: /etc/crypto-policies/back-ends/opensslcnf.config @@ -13595,6 +13586,15 @@ update-crypto-policies - medium_severity - reboot_required - restrict_strategy + + +cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +file="/etc/crypto-policies/local.d/opensslcnf-ospp.config" +backend_file="/etc/crypto-policies/back-ends/opensslcnf.config" + +sed -i "/Ciphersuites\s*=\s*/d" "$backend_file" +printf "\n%s\n" "$cp" >> "$file" +update-crypto-policies 
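Review bot: `printf "\n%s\n" "$cp" >> "$file"` appends the `Ciphersuites =` line to `/etc/crypto-policies/local.d/opensslcnf-ospp.config` unconditionally, so every re-run (and every scanner remediation pass) adds a duplicate; check for an existing `Ciphersuites` line in `$file` first, or write the file wholesale. The preceding `sed -i "/Ciphersuites\s*=\s*/d" "$backend_file"` edits a generated file that the following `update-crypto-policies` regenerates anyway and can be dropped. Naming the variable `cp` also invites confusion with the command of the same name; `ciphersuites` would read better.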
@@ -13690,25 +13690,6 @@ specifying a cipher list with the order of ciphers being in a “strongest weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. CCE-85902-5 - -sshd_approved_ciphers='' - - -if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then - - LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" -else - touch "/etc/crypto-policies/back-ends/openssh.config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" - -cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" -# Insert at the end of the file -printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config" -# Clean up after ourselves. -rm "/etc/crypto-policies/back-ends/openssh.config.bak" - - name: XCCDF Value sshd_approved_ciphers # promote to variable set_fact: sshd_approved_ciphers: !!str @@ -13753,6 +13734,25 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak" - low_disruption - reboot_required - restrict_strategy + + +sshd_approved_ciphers='' + + +if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then + + LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" +else + touch "/etc/crypto-policies/back-ends/openssh.config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" + +cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" +# Insert at the end of the file +printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config" +# Clean up after ourselves. +rm "/etc/crypto-policies/back-ends/openssh.config.bak" 
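Review bot: `LC_ALL=C sed -i "/^.*Ciphers\s\+/d"` deletes any line that contains `Ciphers ` anywhere on it, comments included, which is wider than the `Ciphers` directive the rule manages; anchor it as `/^\s*Ciphers\s\+/`. The `.bak` copy is taken after the in-place edit and then removed unconditionally by `rm`, so it protects nothing and should go. `sshd_approved_ciphers=''` is empty as rendered in this hunk; if the XCCDF value substitution resolves to an empty string the script writes a bare `Ciphers` line that ssh rejects with a missing-argument error, so the script should refuse to run with an empty list.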
@@ -13802,38 +13802,6 @@ specifying a cipher list with the order of ciphers being in a “strongest weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. CCE-85897-7 - -sshd_approved_ciphers='' - - -CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config -correct_value="-oCiphers=${sshd_approved_ciphers}" - -# Test if file exists -test -f ${CONF_FILE} || touch ${CONF_FILE} - -# Ensure CRYPTO_POLICY is not commented out -sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} - -grep -q "'${correct_value}'" ${CONF_FILE} - -if [[ $? -ne 0 ]]; then - # We need to get the existing value, using PCRE to maintain same regex - existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE}) - - if [[ ! -z ${existing_value} ]]; then - # replace existing_value with correct_value - sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} - else - # ***NOTE*** # - # This probably means this file is not here or it's been modified - # unintentionally. - # ********** # - # echo correct_value to end - echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} - fi -fi - - name: XCCDF Value sshd_approved_ciphers # promote to variable set_fact: sshd_approved_ciphers: !!str 
@@ -13921,6 +13889,38 @@ fi - medium_severity - reboot_required - restrict_strategy + + +sshd_approved_ciphers='' + + +CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config +correct_value="-oCiphers=${sshd_approved_ciphers}" + +# Test if file exists +test -f ${CONF_FILE} || touch ${CONF_FILE} + +# Ensure CRYPTO_POLICY is not commented out +sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} + +grep -q "'${correct_value}'" ${CONF_FILE} + +if [[ $? -ne 0 ]]; then + # We need to get the existing value, using PCRE to maintain same regex + existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE}) + + if [[ ! -z ${existing_value} ]]; then + # replace existing_value with correct_value + sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} + else + # ***NOTE*** # + # This probably means this file is not here or it's been modified + # unintentionally. + # ********** # + # echo correct_value to end + echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} + fi +fi @@ -14007,25 +14007,6 @@ submits to this process. client violate expectations, and makes system configuration more fragmented. CCE-85870-4 - -sshd_approved_macs='' - - -if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then - - LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" -else - touch "/etc/crypto-policies/back-ends/openssh.config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" - -cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" -# Insert at the end of the file -printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config" -# Clean up after ourselves. -rm "/etc/crypto-policies/back-ends/openssh.config.bak" - - name: XCCDF Value sshd_approved_macs # promote to variable set_fact: sshd_approved_macs: !!str 
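Review bot: in the `opensshserver.config` remediation (`correct_value="-oCiphers=${sshd_approved_ciphers}"`), `existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})` is interpolated unquoted into `sed -i "s/${existing_value}/${correct_value}/g"`; if the file holds more than one `-oCiphers=` fragment the variable contains a newline, sed aborts on an unterminated `s` command, and the old cipher list stays in force while the script exits as if it succeeded. Take only the first match (`grep -Pom1`), quote the expansions, and check sed's exit status. The blanket `sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/'` also uncomments whatever commented default is present rather than the line the operator intended.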
@@ -14070,6 +14051,25 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak" - medium_severity - reboot_required - restrict_strategy + + +sshd_approved_macs='' + + +if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then + + LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" +else + touch "/etc/crypto-policies/back-ends/openssh.config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config" + +cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" +# Insert at the end of the file +printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config" +# Clean up after ourselves. +rm "/etc/crypto-policies/back-ends/openssh.config.bak" @@ -14117,38 +14117,6 @@ submits to this process. server violate expectations, and makes system configuration more fragmented. CCE-85899-3 - -sshd_approved_macs='' - - -CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config -correct_value="-oMACs=${sshd_approved_macs}" - -# Test if file exists -test -f ${CONF_FILE} || touch ${CONF_FILE} - -# Ensure CRYPTO_POLICY is not commented out -sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} - -grep -q "'${correct_value}'" ${CONF_FILE} - -if [[ $? -ne 0 ]]; then - # We need to get the existing value, using PCRE to maintain same regex - existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE}) - - if [[ ! -z ${existing_value} ]]; then - # replace existing_value with correct_value - sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} - else - # ***NOTE*** # - # This probably means this file is not here or it's been modified - # unintentionally. - # ********** # - # echo correct_value to end - echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} - fi -fi - - name: XCCDF Value sshd_approved_macs # promote to variable set_fact: sshd_approved_macs: !!str 
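Review bot: same defects as the `Ciphers` variant of this script above: `sed -i "/^.*MACs\s\+/d"` strips any line containing `MACs ` including comments, and the `.bak` copy is created after the edit and deleted unconditionally; both rules should share one helper instead of duplicating the block with a different directive name.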
@@ -14236,6 +14204,38 @@ fi - medium_severity - reboot_required - restrict_strategy + + +sshd_approved_macs='' + + +CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config +correct_value="-oMACs=${sshd_approved_macs}" + +# Test if file exists +test -f ${CONF_FILE} || touch ${CONF_FILE} + +# Ensure CRYPTO_POLICY is not commented out +sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} + +grep -q "'${correct_value}'" ${CONF_FILE} + +if [[ $? -ne 0 ]]; then + # We need to get the existing value, using PCRE to maintain same regex + existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE}) + + if [[ ! -z ${existing_value} ]]; then + # replace existing_value with correct_value + sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} + else + # ***NOTE*** # + # This probably means this file is not here or it's been modified + # unintentionally. + # ********** # + # echo correct_value to end + echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} + fi +fi 
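Review bot: `existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})` feeds `sed -i "s/${existing_value}/${correct_value}/g"` unquoted exactly as the `-oCiphers=` script does, with the same multi-match failure; fix both in one place.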
@@ -14290,38 +14290,6 @@ openssl() SRG-OS-000480-GPOS-00227 This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior. CCE-82721-2 - -cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' -# provide a default -rand /dev/random option to openssl commands that -# support it - -# written inefficiently for maximum shell compatibility -openssl() -( - openssl_bin=/usr/bin/openssl - - case "$*" in - # if user specified -rand, honor it - *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; - esac - - cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` - for i in `$openssl_bin list -commands`; do - if $openssl_bin list -options "$i" | grep -q '^rand '; then - cmds=" $i $cmds" - fi - done - - case "$cmds" in - *\ "$1"\ *) - cmd="$1"; shift - exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; - esac - - exec $openssl_bin "$@" -) -EOM - - name: Put a file with shell wrapper to configure OpenSSL to always use strong entropy copy: dest: /etc/profile.d/openssl-rand.sh @@ -14362,6 +14330,38 @@ EOM - no_reboot_needed - openssl_use_strong_entropy - restrict_strategy + + +cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' +# provide a default -rand /dev/random option to openssl commands that +# support it + +# written inefficiently for maximum shell compatibility +openssl() +( + openssl_bin=/usr/bin/openssl + + case "$*" in + # if user specified -rand, honor it + *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; + esac + + cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` + for i in `$openssl_bin list -commands`; do + if $openssl_bin list -options "$i" | grep -q '^rand '; then + cmds=" $i $cmds" + fi + done + + case "$cmds" in + *\ "$1"\ *) + cmd="$1"; shift + exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; + esac + + exec $openssl_bin "$@" +) +EOM 
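Review bot: the `openssl()` function lives in `/etc/profile.d/openssl-rand.sh`, so it is only active in shells that source `/etc/profile`; cron jobs, systemd services, non-login scripts and any caller that runs `/usr/bin/openssl` by path or via `command openssl` bypass it, so the `-rand /dev/random` default is not "always" applied as the rule description states. Either narrow the description to interactive use or state the gap as a caveat in the rule, since a scanner reading this rule will assume every openssl invocation is covered.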
@@ -14701,18 +14701,6 @@ computer viruses, as well as to limit their spread to other systems. [customizations.services] enabled = ["nails"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'nails.service' -"$SYSTEMCTL_EXEC" start 'nails.service' -"$SYSTEMCTL_EXEC" enable 'nails.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_nails @@ -14749,6 +14737,18 @@ class enable_nails { - medium_severity - no_reboot_needed - service_nails_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'nails.service' +"$SYSTEMCTL_EXEC" start 'nails.service' +"$SYSTEMCTL_EXEC" enable 'nails.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -15593,13 +15593,13 @@ option. Access to this partition should be restricted. CCE-83336-8 + +part /boot + [[customizations.filesystem]] mountpoint = "/boot" size = 1073741824 - - -part /boot @@ -15624,13 +15624,13 @@ of the program. If the program happened to have a security vulnerability, the at could continue to exploit the known flaw. CCE-86282-1 + +part /dev/shm + [[customizations.filesystem]] mountpoint = "/dev/shm" size = 2147483648 - - -part /dev/shm @@ -15679,13 +15679,13 @@ setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. CCE-81044-0 + +part /home + [[customizations.filesystem]] mountpoint = "/home" size = 1073741824 - - -part /home @@ -15705,13 +15705,13 @@ makes it easier to apply restrictions e.g. through the nosuid CCE-83340-0 + +part /opt + [[customizations.filesystem]] mountpoint = "/opt" size = 1073741824 - - -part /opt 
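Review bot: `"$SYSTEMCTL_EXEC" unmask`/`start`/`enable 'nails.service'` runs with no check that the unit exists (it belongs to a third-party antivirus package, not the base OS), so on hosts without it the remediation emits three systemctl failures while the `if` guard only excludes containers; add an `rpm -q` or `systemctl cat nails.service` guard like the gdm hunks below. The kickstart hunks (`part /boot` through `part /opt` here, and the `/srv` to `/var/tmp` hunks that follow) carry no `--size`, `--grow` or `--fstype`, and anaconda requires a size for a new partition unless `--grow` or `--onpart` is given; verify the generator adds one, or state that these lines are fragments to be completed.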
@@ -15734,13 +15734,13 @@ more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. CCE-83387-1 + +part /srv + [[customizations.filesystem]] mountpoint = "/srv" size = 1073741824 - - -part /srv @@ -15786,13 +15786,13 @@ Placing /tmp in its own partition enables the setting of restrictive mount options, which can help protect programs which use it. CCE-80851-9 + +part /tmp + [[customizations.filesystem]] mountpoint = "/tmp" size = 1073741824 - - -part /tmp @@ -15811,13 +15811,13 @@ Putting it on a separate partition allows limiting its size and applying restrictions through mount options. CCE-83343-4 + +part /usr + [[customizations.filesystem]] mountpoint = "/usr" size = 5368709120 - - -part /usr @@ -15865,13 +15865,13 @@ It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. CCE-80852-7 + +part /var + [[customizations.filesystem]] mountpoint = "/var" size = 3221225472 - - -part /var @@ -15949,13 +15949,13 @@ enables better separation between log files and other files in /var/. CCE-80853-5 + +part /var/log + [[customizations.filesystem]] mountpoint = "/var/log" size = 5368709120 - - -part /var/log @@ -16048,13 +16048,13 @@ auditing cannot be halted due to the partition running out of space. CCE-80854-3 + +part /var/log/audit + [[customizations.filesystem]] mountpoint = "/var/log/audit" size = 10737418240 - - -part /var/log/audit @@ -16078,13 +16078,13 @@ Placing /var/tmp in its own partition enables the setting restrictive mount options, which can help protect programs which use it. CCE-82730-3 + +part /var/tmp + [[customizations.filesystem]] mountpoint = "/var/tmp" size = 1073741824 - - -part /var/tmp 
@@ -16127,24 +16127,8 @@ mode. To do so, run the following command: A graphical environment is unnecessary for certain types of systems including a virtualization hypervisor. CCE-82367-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# CAUTION: This remediation script will remove gdm -# from the system, and may remove any packages -# that depend on gdm. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "gdm" ; then - - yum remove -y "gdm" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=gdm include remove_gdm @@ -16186,8 +16170,24 @@ class remove_gdm { - no_reboot_needed - package_gdm_removed - -package --remove=gdm + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# CAUTION: This remediation script will remove gdm +# from the system, and may remove any packages +# that depend on gdm. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "gdm" ; then + + yum remove -y "gdm" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -16216,15 +16216,6 @@ configuration files have to be compliant, and the database needs to be more rece which gives confidence that it reflects them. CCE-81003-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -16255,6 +16246,15 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
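Review bot: in the gdm removal hunk the platform guard `if rpm --quiet -q gdm; then` and the inner `if rpm -q --quiet "gdm"` test the same condition, so one of them is dead; collapse them. The CAUTION comment about dependent packages is the right warning, but `yum remove -y "gdm"` gives the operator no chance to see what would be removed; a `yum remove --assumeno gdm` preview, or moving the warning into the rule description, would make it actionable.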
@@ -16365,68 +16365,6 @@ After the settings have been set, run dconf update. - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)disable-restart-buttons(\s*=)/#\1disable-restart-buttons\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-restart-buttons\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/login-screen/disable-restart-buttons$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -16503,6 +16441,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)disable-restart-buttons(\s*=)/#\1disable-restart-buttons\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*disable-restart-buttons\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/login-screen/disable-restart-buttons$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
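Review bot: in the dconf remediation (this block and the identical `disable-user-list` and `enable-smartcard-authentication` blocks below) `LOCKFILES` is assigned as a plain string from `$(grep -r ... | cut -d":" -f1)` but expanded as `"${LOCKFILES[@]}"`; with two or more matching lock files sed receives one newline-joined filename, fails with "can't read", and the locks in the other databases stay active so the setting remains overridable while the script still reports success. Use `readarray -t LOCKFILES < <(...)` as the `SETTINGSFILES` assignment above it already does. Also `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` tests a constant and appends a blank line on every run.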
@@ -16538,68 +16538,6 @@ with physical access to the system to quickly enumerate known user accounts without logging in. CCE-86195-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -16676,51 +16614,7 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Enable the GNOME3 Login Smartcard Authentication - In the default graphical environment, smart card authentication -can be enabled on the login screen by setting enable-smartcard-authentication -to true. - -To enable, add or edit enable-smartcard-authentication to -/etc/dconf/db/gdm.d/00-security-settings. For example: -[org/gnome/login-screen] -enable-smartcard-authentication=true -Once the setting has been added, add a lock to -/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/login-screen/enable-smartcard-authentication -After the settings have been set, run dconf update. - CCI-000765 - CCI-000766 - CCI-000767 - CCI-000768 - CCI-000771 - CCI-000772 - CCI-000884 - CCI-001948 - CCI-001954 - IA-2(3) - IA-2(4) - IA-2(8) - IA-2(9) - IA-2(11) - Req-8.3 - SRG-OS-000375-GPOS-00160 - SRG-OS-000376-GPOS-00161 - SRG-OS-000377-GPOS-00162 - Smart card login provides two-factor authentication stronger than -that provided by a username and password combination. Smart cards leverage PKI -(public key infrastructure) in order to provide and verify credentials. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories 
@@ -16736,10 +16630,10 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)enable-smartcard-authentication(\s*=)/#\1enable-smartcard-authentication\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}" fi fi @@ -16750,16 +16644,16 @@ then fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${DCONFFILE}" +if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" 
@@ -16768,12 +16662,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/login-screen/enable-smartcard-authentication$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/login-screen/enable-smartcard-authentication$" /etc/dconf/db/gdm.d/ +if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/ then - echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" + echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" fi dconf update 
@@ -16782,6 +16676,50 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Enable the GNOME3 Login Smartcard Authentication + In the default graphical environment, smart card authentication +can be enabled on the login screen by setting enable-smartcard-authentication +to true. + +To enable, add or edit enable-smartcard-authentication to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +enable-smartcard-authentication=true +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/enable-smartcard-authentication +After the settings have been set, run dconf update. + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-000771 + CCI-000772 + CCI-000884 + CCI-001948 + CCI-001954 + IA-2(3) + IA-2(4) + IA-2(8) + IA-2(9) + IA-2(11) + Req-8.3 + SRG-OS-000375-GPOS-00160 + SRG-OS-000376-GPOS-00161 + SRG-OS-000377-GPOS-00162 + Smart card login provides two-factor authentication stronger than +that provided by a username and password combination. Smart cards leverage PKI +(public key infrastructure) in order to provide and verify credentials. + - name: Gather the package facts package_facts: manager: auto 
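Review bot: the hunks from `@@ -16676,51 +16614,7 @@` onward pair the relocated bash block of one rule with the neighbouring rule's Ansible block, so the `-`/`+` pairs rewriting `enable-smartcard-authentication` to `disable-user-list` inside the script, and the "Enable the GNOME3 Login Smartcard Authentication" header (CCI-000765 through SRG-OS-000377-GPOS-00162) being deleted before the script and re-added after it, are diff artefacts rather than semantic edits. They should not be reviewed as key renames; confirm in the rendered output that each rule still carries exactly one bash fix whose dconf key matches its own description.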
@@ -16866,92 +16804,60 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Enable the GNOME3 Screen Locking On Smartcard Removal - In the default graphical environment, screen locking on smartcard removal -can be enabled by setting removal-action -to 'lock-screen'. - -To enable, add or edit removal-action to -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/settings-daemon/peripherals/smartcard] -removal-action='lock-screen' -Once the setting has been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/settings-daemon/peripherals/smartcard/removal-action -After the settings have been set, run dconf update. - CCI-000056 - CCI-000058 - SRG-OS-000028-GPOS-00009 - SRG-OS-000030-GPOS-00011 - RHEL-08-020050 - SV-230351r792899_rule - Locking the screen automatically when removing the smartcard can -prevent undesired access to system. - - CCE-83910-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. 
# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)enable-smartcard-authentication(\s*=)/#\1enable-smartcard-authentication\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}" +if ! 
grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")" -if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" +LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/login-screen/enable-smartcard-authentication$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/ +if ! 
grep -qr "^/org/gnome/login-screen/enable-smartcard-authentication$" /etc/dconf/db/gdm.d/ then - echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" fi dconf update @@ -16960,6 +16866,38 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Enable the GNOME3 Screen Locking On Smartcard Removal + In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to 'lock-screen'. + +To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/settings-daemon/peripherals/smartcard] +removal-action='lock-screen' +Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/settings-daemon/peripherals/smartcard/removal-action +After the settings have been set, run dconf update. + CCI-000056 + CCI-000058 + SRG-OS-000028-GPOS-00009 + SRG-OS-000030-GPOS-00011 + RHEL-08-020050 + SV-230351r792899_rule + Locking the screen automatically when removing the smartcard can +prevent undesired access to system. + + CCE-83910-0 - name: Gather the package facts package_facts: manager: auto 
@@ -17113,90 +17051,60 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Set the GNOME3 Login Number of Failures - In the default graphical environment, the GNOME3 login -screen and be configured to restart the authentication process after -a configured number of attempts. This can be configured by setting -allowed-failures to 3 or less. - -To enable, add or edit allowed-failures to -/etc/dconf/db/gdm.d/00-security-settings. For example: -[org/gnome/login-screen] -allowed-failures=3 -Once the setting has been added, add a lock to -/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/login-screen/allowed-failures -After the settings have been set, run dconf update. - 3.1.8 - FMT_MOF_EXT.1 - Setting the password retry prompts that are permitted on a per-session basis to a low value -requires some software, such as SSH, to re-connect. This can slow down and -draw additional attention to some types of password-guessing attacks. - - CCE-80771-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. 
# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)allowed-failures(\s*=)/#\1allowed-failures\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +if ! 
grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")" -if grep -q "^\\s*allowed-failures\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")" +if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" +LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/login-screen/allowed-failures$" /etc/dconf/db/gdm.d/ +if ! 
grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/ then - echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" + echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -17205,6 +17113,36 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Set the GNOME3 Login Number of Failures + In the default graphical environment, the GNOME3 login +screen and be configured to restart the authentication process after +a configured number of attempts. This can be configured by setting +allowed-failures to 3 or less. + +To enable, add or edit allowed-failures to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +allowed-failures=3 +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/allowed-failures +After the settings have been set, run dconf update. + 3.1.8 + FMT_MOF_EXT.1 + Setting the password retry prompts that are permitted on a per-session basis to a low value +requires some software, such as SSH, to re-connect. This can slow down and +draw additional attention to some types of password-guessing attacks. + + CCE-80771-9 - name: Gather the package facts package_facts: manager: auto 
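Review bot: the re-added `Set the GNOME3 Login Number of Failures` description carries a typo, `the GNOME3 login screen and be configured to restart the authentication process`, which should read `can be configured`; the block is only moved in this patch, so the typo is copied over from the removed copy. The rationale also does not fit the rule: `requires some software, such as SSH, to re-connect` describes a remote-login password-retry limit, whereas this rule sets `allowed-failures` for the GDM login screen; reword it to say what the login screen does after the configured number of failed attempts.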
@@ -17272,6 +17210,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)allowed-failures(\s*=)/#\1allowed-failures\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")" +if grep -q "^\\s*allowed-failures\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/login-screen/allowed-failures$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -17320,24 +17320,6 @@ AutomaticLoginEnable=false system security. CCE-80823-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -if rpm --quiet -q gdm -then - if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf - then - sed -i "/^\[daemon\]/a \ - AutomaticLoginEnable=False" /etc/gdm/custom.conf - else - sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -17381,6 +17363,24 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +if rpm --quiet -q gdm +then + if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf + then + sed -i "/^\[daemon\]/a \ + AutomaticLoginEnable=False" /etc/gdm/custom.conf + else + sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
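Review bot: in the re-added AutomaticLoginEnable remediation (the `@@ -17381,6 +17363,24 @@` hunk), the branch `sed -i "/^\[daemon\]/a \ AutomaticLoginEnable=False" /etc/gdm/custom.conf` only inserts the key when a `[daemon]` header already exists in the file; when the section (or the file) is absent, nothing is written and the script still exits successfully. The XDMCP remediation later in this patch handles the missing-section case by appending the header and the key, and the same fallback belongs here. Two smaller points: the value written is `False`, while the rule text (`AutomaticLoginEnable=false`) and the TimedLoginEnable remediation use lowercase `false`, so one spelling should be used for both; and the inner `if rpm --quiet -q gdm` repeats the applicability test made on the line just above it.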
@@ -17428,24 +17428,6 @@ TimedLoginEnable=false system security. CCE-80824-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -if rpm --quiet -q gdm -then - if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf - then - sed -i "/^\[daemon\]/a \ - TimedLoginEnable=false" /etc/gdm/custom.conf - else - sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -17489,6 +17471,24 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +if rpm --quiet -q gdm +then + if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf + then + sed -i "/^\[daemon\]/a \ + TimedLoginEnable=false" /etc/gdm/custom.conf + else + sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
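Review bot: the TimedLoginEnable remediation has the same gap as the AutomaticLoginEnable one: `sed -i "/^\[daemon\]/a \ TimedLoginEnable=false" /etc/gdm/custom.conf` depends on a `[daemon]` header already being present, and neither branch creates the section or the file when they are missing, so the remediation can silently do nothing. Add the append fallback (header plus key) so it is effective on a custom.conf without `[daemon]`, and drop the redundant inner `if rpm --quiet -q gdm`, which duplicates the outer applicability check.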
@@ -17514,28 +17514,6 @@ remote session. If a privileged user were to login using XDMCP, the privileged user password could be compromised due to typed XEvents and keystrokes will traversing over the network in clear text. CCE-86007-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set -# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there -if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then - - sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm/custom.conf' -elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then - sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm/custom.conf' -else - if test -d "/etc/gdm"; then - printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm/custom.conf' - else - echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2 - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
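Review bot: the rationale in the context lines of this hunk reads `keystrokes will traversing over the network in clear text`; it should be `keystrokes traversing over the network in clear text` (or `will traverse the network`). Since this text is unchanged by the move, it needs a separate fix in the source of the rule.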
@@ -17565,6 +17543,28 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set +# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there +if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then + + sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm/custom.conf' +elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then + sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm/custom.conf' +else + if test -d "/etc/gdm"; then + printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm/custom.conf' + else + echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2 + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
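Review bot: in the re-added XDMCP remediation, the substitution `sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm/custom.conf'` has no address, so it rewrites the first `Enable…` match on every line of the file rather than the `Enable` key under `[xdmcp]`: a `TimedLoginEnable=true` or `AutomaticLoginEnable=True` line in `[daemon]` would silently become `…Enable=false`, and a comment mentioning `Enable` would be mangled too. Restrict it to the section and to the key line, for example `sed -i '/^\[xdmcp\]/,/^\[/ s/^\s*Enable\s*=.*/Enable=false/' /etc/gdm/custom.conf`. Two consistency points: the applicability test here is only `rpm --quiet -q gdm`, without the `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` container guard the other gdm remediations in this patch use; and the message `doesnt exist` should read `doesn't exist`, with the comment `Try find` reading `Try to find`.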
@@ -17640,68 +17640,6 @@ It will, however, also prevent desktop users from legitimate use of removable media. CCE-89904-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" -if grep -q "^\\s*automount\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -17785,6 +17723,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" +if grep -q "^\\s*automount\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
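Review bot: `LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" | ... | cut -d":" -f1)` stores a newline-separated string, but it is then expanded as an array in `sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}"`; on a scalar that expands to a single word, so when more than one file under /etc/dconf/db/ carries the lock, sed is handed one argument with embedded newlines and fails to open it, leaving the competing locks in place. The SETTINGSFILES part of the same script already does this correctly with `readarray -t SETTINGSFILES < <(...)`; use the same for LOCKFILES. Two idempotence and style points in the same block: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` appends a blank line on every run, so repeated remediation keeps growing the file, and `>> ${DCONFFILE}` on the printf line is unquoted where the rest of the script quotes it. The identical template is used by every dconf remediation in this patch (smartcard, allowed-failures, automount-open, autorun-never, thumbnailers), so the fix belongs wherever that template is maintained rather than in one rule.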
@@ -17857,68 +17857,6 @@ It will, however, also prevent desktop users from legitimate use of removable media. CCE-83693-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" -if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -18002,6 +17940,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" +if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -18072,68 +18072,6 @@ It will, however, also prevent desktop users from legitimate use of removable media. CCE-83742-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -18213,6 +18151,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -18311,68 +18311,6 @@ file to exploit this flaw. Assuming the attacker could place the malicious file malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required. - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)disable-all(\s*=)/#\1disable-all\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! 
grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-all\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/thumbnailers/disable-all$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/thumbnailers/disable-all$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -18445,42 +18383,13 @@ fi - unknown_severity - unknown_strategy - - - - - - - - - - GNOME Network Settings - GNOME network settings that apply to the graphical interface. - - Disable WIFI Network Connection Creation in GNOME3 - GNOME allows users to create ad-hoc wireless connections through the -NetworkManager applet. Wireless connections should be disabled by -adding or setting disable-wifi-create to true in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/nm-applet] -disable-wifi-create=true - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/nm-applet/disable-wifi-create -After the settings have been set, run dconf update. - 3.1.16 - Wireless network connections should not be allowed to be configured by general -users on a given system as it could open the system to backdoor attacks. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \ +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" 
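Review bot: the `nm-applet` to `thumbnailers` substitutions in this hunk (`readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]"` becoming `readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]"`) are not edits to either rule: the change moves each rule's bash remediation from before the Ansible `package_facts` task to after the trailing `unknown_strategy` tag, and the diff has paired the tail of one rule's block with the head of the next rule's, so the reorder reads as a rewrite of the GNOME Network Settings rule into the thumbnailer rule. Regenerate the patch with `git diff --color-moved` or `--diff-algorithm=patience` so the move shows as whole-block removals and additions, and say in the commit message that only the order of the bash and Ansible remediations changed; an automated-publish subject gives a reviewer nothing to check the intent against, and anything downstream that picks a remediation by position rather than by type should be confirmed unaffected.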
@@ -18490,30 +18399,30 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)disable-wifi-create(\s*=)/#\1disable-wifi-create\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)disable-all(\s*=)/#\1disable-all\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*disable-wifi-create\\s*=" "${DCONFFILE}" +if grep -q "^\\s*disable-all\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" 
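Review bot: the section-header test `if ! grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}"` and the insertion address in `sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}"` are not anchored to the start of the line, so a commented-out `#[org/gnome/desktop/thumbnailers]` in `00-security-settings` satisfies the check and receives the appended `disable-all=true`, which then lands under whatever section precedes the comment (or before any section) and is silently not the key `dconf update` was meant to compile. Anchor both patterns with `^\[org/gnome/desktop/thumbnailers\]`; the key-line patterns in the same block (`^\\s*disable-all\\s*=`) already do this, and the same unanchored header pattern is repeated in every other remediation in this change.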
@@ -18522,12 +18431,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/nm-applet/disable-wifi-create$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/desktop/thumbnailers/disable-all$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/nm-applet/disable-wifi-create$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/desktop/thumbnailers/disable-all$" /etc/dconf/db/local.d/ then - echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -18536,6 +18445,35 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + GNOME Network Settings + GNOME network settings that apply to the graphical interface. + + Disable WIFI Network Connection Creation in GNOME3 + GNOME allows users to create ad-hoc wireless connections through the +NetworkManager applet. Wireless connections should be disabled by +adding or setting disable-wifi-create to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/nm-applet] +disable-wifi-create=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/nm-applet/disable-wifi-create +After the settings have been set, run dconf update. + 3.1.16 + Wireless network connections should not be allowed to be configured by general +users on a given system as it could open the system to backdoor attacks. + - name: Gather the package facts package_facts: manager: auto 
@@ -18600,34 +18538,7 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Disable WIFI Network Notification in GNOME3 - By default, GNOME disables WIFI notification. This should be permanently set -so that users do not connect to a wireless network when the system finds one. -While useful for mobile devices, this setting should be disabled for all other systems. -To configure the system to disable the WIFI notication, add or set -suppress-wireless-networks-available to true in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/nm-applet] -suppress-wireless-networks-available=true - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/nm-applet/suppress-wireless-networks-available -After the settings have been set, run dconf update. - 3.1.16 - Wireless network connections should not be allowed to be configured by general -users on a given system as it could open the system to backdoor attacks. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories @@ -18643,10 +18554,10 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)suppress-wireless-networks-available(\s*=)/#\1suppress-wireless-networks-available\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)disable-wifi-create(\s*=)/#\1disable-wifi-create\2/g" "${SETTINGSFILES[@]}" fi fi 
@@ -18657,16 +18568,16 @@ then fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${DCONFFILE}" +if grep -q "^\\s*disable-wifi-create\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" @@ -18675,12 +18586,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/nm-applet/disable-wifi-create$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/nm-applet/suppress-wireless-networks-available$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/nm-applet/disable-wifi-create$" /etc/dconf/db/local.d/ then - echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update 
@@ -18689,6 +18600,33 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disable WIFI Network Notification in GNOME3 + By default, GNOME disables WIFI notification. This should be permanently set +so that users do not connect to a wireless network when the system finds one. +While useful for mobile devices, this setting should be disabled for all other systems. +To configure the system to disable the WIFI notication, add or set +suppress-wireless-networks-available to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/nm-applet] +suppress-wireless-networks-available=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/nm-applet/suppress-wireless-networks-available +After the settings have been set, run dconf update. + 3.1.16 + Wireless network connections should not be allowed to be configured by general +users on a given system as it could open the system to backdoor attacks. + - name: Gather the package facts package_facts: manager: auto 
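Review bot: the rule description added in this hunk carries a typo, `disable the WIFI notication`, and its opening sentences contradict each other: `By default, GNOME disables WIFI notification. This should be permanently set so that users do not connect to a wireless network when the system finds one.` first says the notification is already off by default, then says the setting must be applied, and attributes to `suppress-wireless-networks-available` an effect (preventing connections) that the key name does not describe; suppressing the "wireless networks available" prompt hides the offer, it does not block a user from joining a network, which is what the sibling `disable-wifi-create` rule is for. Suggest `notification`, and rewording to say the setting pins the default so the prompt never appears and the lock prevents users from re-enabling it.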
@@ -18753,49 +18691,13 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - - GNOME Remote Access Settings - GNOME remote access settings that apply to the graphical interface. - - Require Credential Prompting for Remote Access in GNOME3 - By default, GNOME does not require credentials when using Vino for -remote access. To configure the system to require remote credentials, add or set -authentication-methods to ['vnc'] in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/Vino] -authentication-methods=['vnc'] - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/Vino/authentication-methods -After the settings have been set, run dconf update. - 3.1.12 - 164.308(a)(4)(i) - 164.308(b)(1) - 164.308(b)(3) - 164.310(b) - 164.312(e)(1) - 164.312(e)(2)(ii) - Username and password prompting is required for remote access. Otherwise, non-authorized -and nefarious users can access the system freely. - - CCE-80772-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" 
@@ -18805,30 +18707,30 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)authentication-methods(\s*=)/#\1authentication-methods\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)suppress-wireless-networks-available(\s*=)/#\1suppress-wireless-networks-available\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" +if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}" then - printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")" -if grep -q "^\\s*authentication-methods\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" 
@@ -18837,12 +18739,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/Vino/authentication-methods$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/Vino/authentication-methods$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/nm-applet/suppress-wireless-networks-available$" /etc/dconf/db/local.d/ then - echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -18851,6 +18753,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + GNOME Remote Access Settings + GNOME remote access settings that apply to the graphical interface. + + Require Credential Prompting for Remote Access in GNOME3 + By default, GNOME does not require credentials when using Vino for +remote access. To configure the system to require remote credentials, add or set +authentication-methods to ['vnc'] in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/Vino] +authentication-methods=['vnc'] + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/Vino/authentication-methods +After the settings have been set, run dconf update. + 3.1.12 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + Username and password prompting is required for remote access. Otherwise, non-authorized +and nefarious users can access the system freely. + + CCE-80772-7 - name: Gather the package facts package_facts: manager: auto 
@@ -18918,6 +18856,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)authentication-methods(\s*=)/#\1authentication-methods\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")" +if grep -q "^\\s*authentication-methods\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/Vino/authentication-methods$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/Vino/authentication-methods$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
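Review bot: the applicability guard `if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then` gates a `[org/gnome/Vino]` setting on gdm alone, so on a desktop without Vino the script still writes and locks `authentication-methods=['vnc']` for a service that is not there, and on one using a different VNC server the check passes but the key controls nothing; either also test for the package that provides Vino, or state in the description that the rule only has effect when Vino is the remote-access server. Note also that `escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"` escapes only backslashes before the value is used on the right-hand side of `s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g`; that is enough for `['vnc']`, but a value containing `/`, `&` or `|` would break the substitution, so the shared template should escape those too if it is reused for free-form values.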
@@ -18992,68 +18992,6 @@ After the settings have been set, run dconf update. CCE-80773-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)require-encryption(\s*=)/#\1require-encryption\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*require-encryption\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/Vino/require-encryption$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/Vino/require-encryption$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19133,6 +19071,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)require-encryption(\s*=)/#\1require-encryption\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*require-encryption\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/Vino/require-encryption$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/Vino/require-encryption$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
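Review bot: the database filter `grep -v 'distro\|ibus\|local.d'` is applied to the whole `path:line` output of `grep -r ... "/etc/dconf/db/"`, so it is a substring match rather than a directory match: any database directory or matching line that merely contains `distro` or `ibus` is skipped, and `local.d` has an unescaped dot, so it also matches `local-d` or `localxd`. Since the intent (per the comment `If files contain ibus or distro, ignore them`) is to leave the vendor and ibus databases alone and treat `local.d` as the target, anchor it to the directory names, for example `grep -v -E '^/etc/dconf/db/(distro|ibus|local)\.d/'`, and apply it before the `cut -d":" -f1`.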
@@ -19243,68 +19243,6 @@ login session does not have administrator rights and the display station is loca controlled-access area. CCE-80774-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*idle-activation-enabled\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19392,6 +19330,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*idle-activation-enabled\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -19448,48 +19448,21 @@ After the settings have been set, run dconf update.A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. CCE-83858-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83858-1 - - CJIS-5.5.5 - - NIST-800-171-3.1.10 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_locked - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83858-1 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy - name: Prevent user modification of GNOME Screensaver idle-activation-enabled lineinfile: 
@@ -19526,6 +19499,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
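Review bot: the bash remediation for `CCE-83858-1` (`dconf_gnome_screensaver_idle_activation_locked`) opens with `if rpm --quiet -q gdm; then` and omits the `{ [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }` container guard that every other remediation in this change carries, so it is the one rule that will still write `/etc/dconf/db/local.d/locks/00-security-settings-lock` and run `dconf update` inside a container image that happens to include gdm, while the matching setting rule (`CCE-80774-3`, just above) declines to run there. Add the same guard, or document why this rule is intentionally different. It also has the `LOCKFILES` scalar-expanded-as-array problem (`"${LOCKFILES[@]}"` after `LOCKFILES=$(...)`) shared with the other lock blocks.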
@@ -19594,52 +19594,6 @@ system session prior to vacating the vicinity, GNOME3 can be configured to ident a user's session has idled and take action to initiate a session lock. CCE-80775-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -inactivity_timeout_value='' - - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")" -if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19711,6 +19665,52 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +inactivity_timeout_value='' + + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")" +if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
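Review bot: the moved idle-delay script (hunk @@ -19711) is not idempotent: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` appends a blank line to 00-security-settings on every run, so repeated remediation keeps growing the file. Move the `echo ""` inside the `if ! grep -q "\\[org/gnome/desktop/session\\]"` branch so it only runs when the section is first created, and quote `${DCONFFILE}` in the `printf ... >> ${DCONFFILE}` redirection for consistency with the rest of the script. As rendered, `inactivity_timeout_value=''` is empty; if that value is meant to be substituted at tailoring time, a non-empty check before the `sed -i` would fail loudly instead of writing `idle-delay=uint32 ` with no number.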
@@ -19776,52 +19776,6 @@ After the settings have been set, run dconf update. CCE-80776-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_screensaver_lock_delay='' - - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")" -if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -19890,6 +19844,52 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_screensaver_lock_delay='' + + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")" +if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -19960,68 +19960,6 @@ After the settings have been set, run dconf update. CCE-80777-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -20227,6 +20165,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -20287,33 +20287,6 @@ After the settings have been set, run dconf update.A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. CCE-87261-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
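Review bot: the moved lock-enabled script (hunk @@ -20227) calls `dconf update` twice, once after writing the key and again after writing the lock; a single call after the lock block is sufficient and avoids rebuilding the database twice. The substitution `sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g"` is unanchored, unlike the `grep -q "^\\s*lock-enabled\\s*="` test that guards it, so a commented `#lock-enabled=...` line in the same file is rewritten as well; anchor the pattern with `^` to match the guard. In the context line of the following hunk (@@ -20287), 'absense' in the rule description should read 'absence'.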
@@ -20368,6 +20341,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -20436,68 +20436,6 @@ After the settings have been set, run dconf update. CCE-80778-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)picture-uri(\s*=)/#\1picture-uri\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")" -if grep -q "^\\s*picture-uri\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/picture-uri$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/desktop/screensaver/picture-uri$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -20590,34 +20528,7 @@ fi - no_reboot_needed - unknown_strategy - - - - - - - - - Disable Full User Name on Splash Shield - By default when the screen is locked, the splash shield will show the user's -full name. This should be disabled to prevent casual observers from seeing -who has access to the system. This can be disabled by adding or setting -show-full-name-in-top-bar to false in -/etc/dconf/db/local.d/00-security-settings. For example: -[org/gnome/desktop/screensaver] -show-full-name-in-top-bar=false - -Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -/org/gnome/desktop/screensaver/show-full-name-in-top-bar -After the settings have been set, run dconf update. - FMT_MOF_EXT.1 - Setting the splash screen to not reveal the logged in user's name -conceals who has access to the system from passersby. - - CCE-80779-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then # Check for setting in any of the DConf db directories 
@@ -20633,10 +20544,10 @@ mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then - if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}" + if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}" then - sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g" "${SETTINGSFILES[@]}" + sed -Ei "s/(^\s*)picture-uri(\s*=)/#\1picture-uri\2/g" "${SETTINGSFILES[@]}" fi fi @@ -20646,17 +20557,17 @@ then printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} fi -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" -if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${DCONFFILE}" +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")" +if grep -q "^\\s*picture-uri\\s*=" "${DCONFFILE}" then - sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${DCONFFILE}" + sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${DCONFFILE}" else - sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${DCONFFILE}" + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${DCONFFILE}" fi dconf update # Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" \ +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" 
@@ -20665,12 +20576,12 @@ mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then - sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|" "${LOCKFILES[@]}" + sed -i -E "s|^/org/gnome/desktop/screensaver/picture-uri$|#&|" "${LOCKFILES[@]}" fi -if ! grep -qr "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" /etc/dconf/db/local.d/ +if ! grep -qr "^/org/gnome/desktop/screensaver/picture-uri$" /etc/dconf/db/local.d/ then - echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" + echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi dconf update @@ -20679,6 +20590,33 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disable Full User Name on Splash Shield + By default when the screen is locked, the splash shield will show the user's +full name. This should be disabled to prevent casual observers from seeing +who has access to the system. This can be disabled by adding or setting +show-full-name-in-top-bar to false in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/desktop/screensaver] +show-full-name-in-top-bar=false + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/show-full-name-in-top-bar +After the settings have been set, run dconf update. + FMT_MOF_EXT.1 + Setting the splash screen to not reveal the logged in user's name +conceals who has access to the system from passersby. + + CCE-80779-2 - name: Gather the package facts package_facts: manager: auto 
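Review bot: the hunks at @@ -20633, @@ -20646 and @@ -20665 read as if show-full-name-in-top-bar had been renamed to picture-uri, but taken together with the `Disable Full User Name on Splash Shield` description re-added at @@ -20679 they are a reorder of unchanged remediation text, not a behavioural change. The commit message should say that only element order changed, and reviewing with `git diff --color-moved` makes that verifiable; as published, a reader comparing the two versions has to reconstruct the move by hand.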
@@ -20742,6 +20680,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" +if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -20804,33 +20804,6 @@ GNOME desktops can be configured to identify when a user's session has idled and session lock. As such, users should not be allowed to change session settings. CCE-80780-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -20883,6 +20856,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -20947,33 +20947,6 @@ GNOME desktops can be configured to identify when a user's session has idled and session lock. As such, users should not be allowed to change session settings. CCE-80781-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -21032,6 +21005,33 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -21119,68 +21119,6 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. CCE-84028-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")" -if grep -q "^\\s*logout\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! 
-z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -21264,6 +21202,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")" +if grep -q "^\\s*logout\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -21296,6 +21296,101 @@ After the settings have been set, run dconf update. + - name: Gather the package facts + package_facts: + manager: auto + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable Geolocation in GNOME3 - location tracking + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/system/location + option: enabled + value: 'false' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable Geolocation in GNOME3 - clock location tracking + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/clocks + option: gelocation + value: 'false' + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME geolocation - location tracking + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/system/location/enabled$ + line: /org/gnome/system/location/enabled + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME geolocation - clock location tracking + lineinfile: + path: 
/etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/clocks/geolocation$ + line: /org/gnome/clocks/geolocation + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then 
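Review bot: in the added Ansible tasks (hunk @@ -21296), `option: gelocation` in the `Disable Geolocation in GNOME3 - clock location tracking` task is a typo for `geolocation`: ini_file writes `gelocation=false` under `[org/gnome/clocks]`, a key no GNOME schema defines, while the matching lock task locks `/org/gnome/clocks/geolocation`, so the clock setting is locked but never actually set. The same typo is present in the removed copy at @@ -21411, so the move carries a pre-existing defect rather than introducing one, but it should be fixed here. Also add `no_extra_spaces: true` to this task, as the `org/gnome/system/location` task has, so both keys are written in the same `key=value` form.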
@@ -21411,101 +21506,6 @@ dconf update else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Disable Geolocation in GNOME3 - location tracking - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/system/location - option: enabled - value: 'false' - create: true - no_extra_spaces: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Disable Geolocation in GNOME3 - clock location tracking - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/clocks - option: gelocation - value: 'false' - create: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Prevent user modification of GNOME geolocation - location tracking - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/system/location/enabled$ - line: /org/gnome/system/location/enabled - create: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Prevent user modification of GNOME geolocation - clock location tracking - lineinfile: - path: 
/etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/clocks/geolocation$ - line: /org/gnome/clocks/geolocation - create: true - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Dconf Update - command: dconf update - when: - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - dconf_gnome_disable_geolocation - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy 
@@ -21564,68 +21564,6 @@ unintended configuration changes as well as a nefarious user the capability to m changes such as adding new accounts, etc. CCE-80769-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/local.d/00-security-settings" -DBDIR="/etc/dconf/db/local.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)user-administration-disabled(\s*=)/#\1user-administration-disabled\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! 
grep -q "\\[org/gnome/desktop/lockdown\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*user-administration-disabled\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/local.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/desktop/lockdown/user-administration-disabled$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/desktop/lockdown/user-administration-disabled$" /etc/dconf/db/local.d/ -then - echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -21777,6 +21715,68 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)user-administration-disabled(\s*=)/#\1user-administration-disabled\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/desktop/lockdown\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*user-administration-disabled\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! 
-z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/lockdown/user-administration-disabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/lockdown/user-administration-disabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -21872,21 +21872,13 @@ is to give as few privileges as possible but still allow system users to get their work done. CCE-82214-8 + +package --add=sudo + [[packages]] name = "sudo" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "sudo" ; then - yum install -y "sudo" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_sudo @@ -21912,8 +21904,16 @@ class install_sudo { - no_reboot_needed - package_sudo_installed - -package --add=sudo + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "sudo" ; then + yum install -y "sudo" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -21934,6 +21934,21 @@ in /etc/sudoers.d/. Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information. CCE-83820-1 + - name: Ensure env_reset is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\benv_reset\b.*$ + line: Defaults env_reset + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83820-1 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_env_reset + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak 
@@ -21954,21 +21969,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure env_reset is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\benv_reset\b.*$ - line: Defaults env_reset - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83820-1 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_add_env_reset @@ -21989,6 +21989,21 @@ in /etc/sudoers.d/. Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally. CCE-83810-2 + - name: Ensure ignore_dot is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\bignore_dot\b.*$ + line: Defaults ignore_dot + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83810-2 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_ignore_dot + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak @@ -22009,21 +22024,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure ignore_dot is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\bignore_dot\b.*$ - line: Defaults ignore_dot - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83810-2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_add_ignore_dot 
@@ -22043,6 +22043,21 @@ in /etc/sudoers.d/. Restricting the capability of sudo allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise. CCE-83747-6 + - name: Ensure noexec is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\bnoexec\b.*$ + line: Defaults noexec + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83747-6 + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - sudo_add_noexec + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak @@ -22063,21 +22078,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure noexec is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\bnoexec\b.*$ - line: Defaults noexec - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83747-6 - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - restrict_strategy - - sudo_add_noexec 
@@ -22097,38 +22097,6 @@ The passwd_timeout should be configured by making sure that the in /etc/sudoers.d/. Reducing the time sudo waits for a a password reduces the time the process is exposed. CCE-83964-7 - - -var_sudo_passwd_timeout='' - - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option passwd_timeout - echo "Defaults passwd_timeout=${var_sudo_passwd_timeout}" >> /etc/sudoers - else - # sudoers file defines Option passwd_timeout, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*\bpasswd_timeout=${var_sudo_passwd_timeout}\b.*$" /etc/sudoers; then - - escaped_variable=${var_sudo_passwd_timeout//$'/'/$'\/'} - sed -Ei "s/(^[\s]*Defaults.*\bpasswd_timeout=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers - fi - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - - name: XCCDF Value var_sudo_passwd_timeout # promote to variable set_fact: var_sudo_passwd_timeout: !!str 
@@ -22166,6 +22134,38 @@ fi - no_reboot_needed - restrict_strategy - sudo_add_passwd_timeout + + + +var_sudo_passwd_timeout='' + + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults[\s]*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option passwd_timeout + echo "Defaults passwd_timeout=${var_sudo_passwd_timeout}" >> /etc/sudoers + else + # sudoers file defines Option passwd_timeout, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*\bpasswd_timeout=${var_sudo_passwd_timeout}\b.*$" /etc/sudoers; then + + escaped_variable=${var_sudo_passwd_timeout//$'/'/$'\/'} + sed -Ei "s/(^[\s]*Defaults.*\bpasswd_timeout=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi @@ -22186,6 +22186,21 @@ in /etc/sudoers.d/. Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface. CCE-83790-6 + - name: Ensure requiretty is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\brequiretty\b.*$ + line: Defaults requiretty + validate: /usr/sbin/visudo -cf %s + tags: + - CCE-83790-6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_requiretty + if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak 
@@ -22206,21 +22221,6 @@ else echo "Skipping remediation, /etc/sudoers failed to validate" false fi - - - name: Ensure requiretty is enabled in /etc/sudoers - lineinfile: - path: /etc/sudoers - regexp: ^[\s]*Defaults.*\brequiretty\b.*$ - line: Defaults requiretty - validate: /usr/sbin/visudo -cf %s - tags: - - CCE-83790-6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_add_requiretty @@ -22243,38 +22243,6 @@ in /etc/sudoers.d/. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. CCE-83860-7 - - -var_sudo_umask='' - - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\bumask=\w+\b\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option umask - echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers - else - # sudoers file defines Option umask, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then - - escaped_variable=${var_sudo_umask//$'/'/$'\/'} - sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers - fi - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - - name: XCCDF Value var_sudo_umask # promote to variable set_fact: var_sudo_umask: !!str 
@@ -22312,6 +22280,38 @@ fi - no_reboot_needed - restrict_strategy - sudo_add_umask + + + +var_sudo_umask='' + + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults[\s]*\bumask=\w+\b\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option umask + echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers + else + # sudoers file defines Option umask, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then + + escaped_variable=${var_sudo_umask//$'/'/$'\/'} + sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi @@ -22336,33 +22336,6 @@ in /etc/sudoers.d/. access to the user's terminal after the main program has finished executing. CCE-83798-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sudo; then - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option use_pty - echo "Defaults use_pty" >> /etc/sudoers - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -22395,42 +22368,14 @@ fi - restrict_strategy - sudo_add_use_pty - - - - - - - - - Ensure Sudo Logfile Exists - sudo logfile - A custom log sudo file can be configured with the 'logfile' tag. This rule configures -a sudo custom logfile at the default location suggested by CIS, which uses -/var/log/sudo.log. - Req-10.2.5 - 2.2.6 - 5.3.3 - A sudo log file simplifies auditing of sudo commands. - - CCE-83601-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q sudo; then -var_sudo_logfile='' - - if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option logfile - echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers - else - # sudoers file defines Option logfile, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then - - escaped_variable=${var_sudo_logfile//$'/'/$'\/'} - sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers - fi + if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option use_pty + echo "Defaults use_pty" >> /etc/sudoers fi # Check validity of sudoers and cleanup bak @@ -22450,6 +22395,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure Sudo Logfile Exists - sudo logfile + A custom log sudo file can be configured with the 'logfile' tag. This rule configures +a sudo custom logfile at the default location suggested by CIS, which uses +/var/log/sudo.log. + Req-10.2.5 + 2.2.6 + 5.3.3 + A sudo log file simplifies auditing of sudo commands. + + CCE-83601-5 - name: Gather the package facts package_facts: manager: auto 
@@ -22507,6 +22470,43 @@ fi - no_reboot_needed - restrict_strategy - sudo_custom_logfile + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sudo; then + +var_sudo_logfile='' + + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option logfile + echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers + else + # sudoers file defines Option logfile, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then + + escaped_variable=${var_sudo_logfile//$'/'/$'\/'} + sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -22596,22 +22596,6 @@ do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. CCE-82202-3 - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "!authenticate" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - - name: Find /etc/sudoers.d/ files find: paths: 
@@ -22649,6 +22633,22 @@ done - no_reboot_needed - restrict_strategy - sudo_remove_no_authenticate + + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "!authenticate" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done @@ -22722,22 +22722,6 @@ When operating systems provide the capability to escalate a functional capabilit is critical that the user re-authenticate. CCE-82197-5 - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "NOPASSWD" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - - name: Find /etc/sudoers.d/ files find: paths: @@ -22775,6 +22759,22 @@ done - no_reboot_needed - restrict_strategy - sudo_remove_nopasswd + + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "NOPASSWD" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done 
@@ -22842,37 +22842,6 @@ do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. CCE-82279-1 - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "NOPASSWD" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - -for f in /etc/sudoers /etc/sudoers.d/* ; do - if [ ! -e "$f" ] ; then - continue - fi - matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - # comment out "!authenticate" matches to preserve user data - sed -i "s/^${entry}$/# &/g" $f - done <<< "$matching_list" - - /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" - fi -done - - name: Find /etc/sudoers.d/ files find: paths: 
@@ -22948,6 +22917,37 @@ done - no_reboot_needed - restrict_strategy - sudo_require_authentication + + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "NOPASSWD" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done + +for f in /etc/sudoers /etc/sudoers.d/* ; do + if [ ! -e "$f" ] ; then + continue + fi + matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "!authenticate" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done 
@@ -22983,46 +22983,6 @@ When operating systems provide the capability to escalate a functional capabilit is critical that the user re-authenticate. CCE-87838-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sudo; then - -var_sudo_timestamp_timeout='' - - -if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \; -fi - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then - # sudoers file doesn't define Option timestamp_timeout - echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers - else - # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then - - sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers - fi - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -23123,6 +23083,46 @@ fi - no_reboot_needed - restrict_strategy - sudo_require_reauthentication + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sudo; then + +var_sudo_timestamp_timeout='' + + +if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \; +fi + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then + # sudoers file doesn't define Option timestamp_timeout + echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers + else + # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set + if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then + + sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers + fi + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -23140,13 +23140,6 @@ To properly set the permissions of /usr/bin/sudo, run the BP28(R57) Restricting the set of users able to execute commands as privileged user reduces the attack surface. CCE-83574-4 - - - - - -chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo - - name: Test for existence /usr/bin/sudo stat: path: /usr/bin/sudo 
@@ -23173,6 +23166,13 @@ chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo - medium_severity - no_reboot_needed - sudo_restrict_others_executable_permission + + + + + + +chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo @@ -23245,27 +23245,6 @@ Note that the '#' character doesn't denote a comment in the configuration file.< Use of these configuration options makes it easier for one compromised accound to be used to compromise other accounts. CCE-86377-9 - -sudoers_config_file="/etc/sudoers" -sudoers_config_dir="/etc/sudoers.d" -sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") -if [ "$sudoers_includedir_count" -gt 1 ]; then - sed -i "/#includedir/d" "$sudoers_config_file" - echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" -elif [ "$sudoers_includedir_count" -eq 0 ]; then - echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" -else - if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then - sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" - fi -fi - -sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file" - -if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then - sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/* -fi - - name: Check for duplicate values lineinfile: path: /etc/sudoers 
@@ -23383,6 +23362,27 @@ fi - medium_severity - no_reboot_needed - sudoers_default_includedir + + +sudoers_config_file="/etc/sudoers" +sudoers_config_dir="/etc/sudoers.d" +sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") +if [ "$sudoers_includedir_count" -gt 1 ]; then + sed -i "/#includedir/d" "$sudoers_config_file" + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +elif [ "$sudoers_includedir_count" -eq 0 ]; then + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +else + if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then + sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" + fi +fi + +sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file" + +if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then + sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/* +fi 
@@ -23486,75 +23486,6 @@ or if cvtsudoers not supported: the invoking user for the "root" user password. CCE-83422-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sudo; then - -if grep -x '^Defaults targetpw$' /etc/sudoers; then - sed -i "/Defaults targetpw/d" /etc/sudoers \; -fi -if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \; -fi -if grep -x '^Defaults rootpw$' /etc/sudoers; then - sed -i "/Defaults rootpw/d" /etc/sudoers \; -fi -if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \; -fi -if grep -x '^Defaults runaspw$' /etc/sudoers; then - sed -i "/Defaults runaspw/d" /etc/sudoers \; -fi -if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then - find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \; -fi - -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sudoers" - -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers" -# Clean up after ourselves. -rm "/etc/sudoers.bak" -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sudoers" - -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers" -# Clean up after ourselves. 
-rm "/etc/sudoers.bak" -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sudoers" - -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers" -# Clean up after ourselves. -rm "/etc/sudoers.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -23932,6 +23863,75 @@ fi - no_reboot_needed - restrict_strategy - sudoers_validate_passwd + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sudo; then + +if grep -x '^Defaults targetpw$' /etc/sudoers; then + sed -i "/Defaults targetpw/d" /etc/sudoers \; +fi +if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \; +fi +if grep -x '^Defaults rootpw$' /etc/sudoers; then + sed -i "/Defaults rootpw/d" /etc/sudoers \; +fi +if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \; +fi +if grep -x '^Defaults runaspw$' /etc/sudoers; then + sed -i "/Defaults runaspw/d" /etc/sudoers \; +fi +if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then + find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \; +fi + +if [ -e "/etc/sudoers" ] ; then + + LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sudoers" + +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers" +# Clean up after ourselves. +rm "/etc/sudoers.bak" +if [ -e "/etc/sudoers" ] ; then + + LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sudoers" + +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers" +# Clean up after ourselves. +rm "/etc/sudoers.bak" +if [ -e "/etc/sudoers" ] ; then + + LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sudoers" + +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers" +# Clean up after ourselves. 
+rm "/etc/sudoers.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -23954,15 +23954,13 @@ $ sudo yum install binutils foundational system operator activities, such as ld, nm, objcopy and readelf. CCE-82989-5 + +package --add=binutils + [[packages]] name = "binutils" version = "*" - - -if ! rpm -q --quiet "binutils" ; then - yum install -y "binutils" -fi include install_binutils @@ -23985,8 +23983,10 @@ class install_binutils { - no_reboot_needed - package_binutils_installed - -package --add=binutils + +if ! rpm -q --quiet "binutils" ; then + yum install -y "binutils" +fi @@ -24015,15 +24015,13 @@ $ sudo yum install dnf-plugin-subscription-manager CCE-82315-3 + +package --add=dnf-plugin-subscription-manager + [[packages]] name = "dnf-plugin-subscription-manager" version = "*" - - -if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then - yum install -y "dnf-plugin-subscription-manager" -fi include install_dnf-plugin-subscription-manager @@ -24046,8 +24044,10 @@ class install_dnf-plugin-subscription-manager { - no_reboot_needed - package_dnf-plugin-subscription-manager_installed - -package --add=dnf-plugin-subscription-manager + +if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then + yum install -y "dnf-plugin-subscription-manager" +fi @@ -24072,15 +24072,13 @@ other required structures. This package contains command line TLS client and server and certificate manipulation tools. CCE-82395-5 + +package --add=gnutls-utils + [[packages]] name = "gnutls-utils" version = "*" - - -if ! rpm -q --quiet "gnutls-utils" ; then - yum install -y "gnutls-utils" -fi include install_gnutls-utils @@ -24103,8 +24101,10 @@ class install_gnutls-utils { - no_reboot_needed - package_gnutls-utils_installed - -package --add=gnutls-utils + +if ! rpm -q --quiet "gnutls-utils" ; then + yum install -y "gnutls-utils" +fi 
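Review bot: hunks -23486 and -23932 only move the sudoers_validate_passwd bash fix below the Ansible tasks, but the moved script carries a defect worth fixing while it is touched: `sed -i "/Defaults targetpw/d" /etc/sudoers \;` (and the rootpw and runaspw twins) passes a literal `;` as a second file argument, so sed reports it cannot read `;` and exits non-zero after editing /etc/sudoers; the `\;` belongs only to the `find ... -exec sed ... {} \;` calls. The `cp "/etc/sudoers" "/etc/sudoers.bak"` followed a few lines later by `rm "/etc/sudoers.bak"` around each `printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers"` keeps no backup at all and can be dropped, and, as with the includedir fix, nothing runs `visudo -c` after the edits.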
@@ -24124,15 +24124,13 @@ posix capabilities of all the programs running on a system. libcap-ng-utils also lets system operators set the file system based capabilities. CCE-82979-6 + +package --add=libcap-ng-utils + [[packages]] name = "libcap-ng-utils" version = "*" - - -if ! rpm -q --quiet "libcap-ng-utils" ; then - yum install -y "libcap-ng-utils" -fi include install_libcap-ng-utils @@ -24155,8 +24153,10 @@ class install_libcap-ng-utils { - no_reboot_needed - package_libcap-ng-utils_installed - -package --add=libcap-ng-utils + +if ! rpm -q --quiet "libcap-ng-utils" ; then + yum install -y "libcap-ng-utils" +fi @@ -24178,15 +24178,13 @@ server applications. Install the nss-tools package to install command-line tools to manipulate the NSS certificate and key database. CCE-82396-3 + +package --add=nss-tools + [[packages]] name = "nss-tools" version = "*" - - -if ! rpm -q --quiet "nss-tools" ; then - yum install -y "nss-tools" -fi include install_nss-tools @@ -24209,8 +24207,10 @@ class install_nss-tools { - no_reboot_needed - package_nss-tools_installed - -package --add=nss-tools + +if ! rpm -q --quiet "nss-tools" ; then + yum install -y "nss-tools" +fi @@ -24232,15 +24232,13 @@ $ sudo yum install openscap-scanner configuration and vulnerability scanner, capable of performing compliance checking using SCAP content. CCE-82220-5 + +package --add=openscap-scanner + [[packages]] name = "openscap-scanner" version = "*" - - -if ! rpm -q --quiet "openscap-scanner" ; then - yum install -y "openscap-scanner" -fi include install_openscap-scanner @@ -24263,8 +24261,10 @@ class install_openscap-scanner { - no_reboot_needed - package_openscap-scanner_installed - -package --add=openscap-scanner + +if ! rpm -q --quiet "openscap-scanner" ; then + yum install -y "openscap-scanner" +fi 
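Review bot: every hunk from -23954 through -24209 (binutils, dnf-plugin-subscription-manager, gnutls-utils, libcap-ng-utils, nss-tools, openscap-scanner) is a pure swap of the kickstart `package --add=...` element and the bash `if ! rpm -q --quiet "..." ; then` / `yum install -y "..."` element with no content change, and the same swap repeats for every install and remove rule further down the patch; that points at nondeterministic ordering of fix elements in the build rather than an intended change. Sorting fix elements by system in the generator would keep these automated publishes down to real diffs and make the content changes in them reviewable.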
@@ -24282,21 +24282,13 @@ $ sudo yum install rear image of a system and restores from backup using this image. CCE-82883-0 + +package --add=rear + [[packages]] name = "rear" version = "*" - - # Remediation is applicable only in certain platforms -if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease ) ) ); then - -if ! rpm -q --quiet "rear" ; then - yum install -y "rear" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rear 
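Review bot: in hunk -24282 the kickstart `package --add=rear` stays unconditional while the bash fix being moved is wrapped in a platform test that skips aarch64 on RHEL or OL 9.0 and later and s390x on RHEL up to 8.4 (`expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease`); a kickstart built from this content on those platforms would request a package the bash fix deliberately avoids. Either the kickstart element needs the same platform applicability, or the rule description should state that the kickstart form is only valid where the bash fix applies.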
@@ -24324,8 +24316,16 @@ class install_rear { - no_reboot_needed - package_rear_installed - -package --add=rear + # Remediation is applicable only in certain platforms +if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease ) ) ); then + +if ! rpm -q --quiet "rear" ; then + yum install -y "rear" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -24347,21 +24347,13 @@ $ sudo yum install rng-tools such as those used in the formation of x509/PKI certificates. CCE-82968-9 + +package --add=rng-tools + [[packages]] name = "rng-tools" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "rng-tools" ; then - yum install -y "rng-tools" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rng-tools 
@@ -24386,8 +24378,16 @@ class install_rng-tools { - no_reboot_needed - package_rng-tools_installed - -package --add=rng-tools + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "rng-tools" ; then + yum install -y "rng-tools" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -24414,15 +24414,13 @@ package, or the SCAP Workbench GUI tool from the scap-workbench CCE-82949-9 + +package --add=scap-security-guide + [[packages]] name = "scap-security-guide" version = "*" - - -if ! rpm -q --quiet "scap-security-guide" ; then - yum install -y "scap-security-guide" -fi include install_scap-security-guide @@ -24445,8 +24443,10 @@ class install_scap-security-guide { - no_reboot_needed - package_scap-security-guide_installed - -package --add=scap-security-guide + +if ! rpm -q --quiet "scap-security-guide" ; then + yum install -y "scap-security-guide" +fi @@ -24477,15 +24477,13 @@ It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as . CCE-82316-1 + +package --add=subscription-manager + [[packages]] name = "subscription-manager" version = "*" - - -if ! rpm -q --quiet "subscription-manager" ; then - yum install -y "subscription-manager" -fi include install_subscription-manager @@ -24508,8 +24506,10 @@ class install_subscription-manager { - no_reboot_needed - package_subscription-manager_installed - -package --add=subscription-manager + +if ! rpm -q --quiet "subscription-manager" ; then + yum install -y "subscription-manager" +fi 
@@ -24528,15 +24528,13 @@ can restore individual files (or all of the files) from the archive. includes multivolume support, automatic archive compression/decompression, the the ability to perform incremental and full backups. If CCE-82965-5 + +package --add=tar + [[packages]] name = "tar" version = "*" - - -if ! rpm -q --quiet "tar" ; then - yum install -y "tar" -fi include install_tar @@ -24559,8 +24557,10 @@ class install_tar { - no_reboot_needed - package_tar_installed - -package --add=tar + +if ! rpm -q --quiet "tar" ; then + yum install -y "tar" +fi @@ -24576,15 +24576,13 @@ package --add=tar $ sudo yum install vim-enhanced Vim (Vi IMproved) is an almost compatible version of the UNIX editor vi. CCE-82956-4 + +package --add=vim-enhanced + [[packages]] name = "vim-enhanced" version = "*" - - -if ! rpm -q --quiet "vim-enhanced" ; then - yum install -y "vim-enhanced" -fi include install_vim-enhanced @@ -24607,8 +24605,10 @@ class install_vim-enhanced { - no_reboot_needed - package_vim_installed - -package --add=vim-enhanced + +if ! rpm -q --quiet "vim-enhanced" ; then + yum install -y "vim-enhanced" +fi @@ -24629,18 +24629,8 @@ $ sudo yum erase abrt-addon-ccpp abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin. CCE-82919-2 - -# CAUTION: This remediation script will remove abrt-addon-ccpp -# from the system, and may remove any packages -# that depend on abrt-addon-ccpp. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-addon-ccpp" ; then - - yum remove -y "abrt-addon-ccpp" - -fi + +package --remove=abrt-addon-ccpp include remove_abrt-addon-ccpp 
@@ -24664,8 +24654,18 @@ class remove_abrt-addon-ccpp { - no_reboot_needed - package_abrt-addon-ccpp_removed - -package --remove=abrt-addon-ccpp + +# CAUTION: This remediation script will remove abrt-addon-ccpp +# from the system, and may remove any packages +# that depend on abrt-addon-ccpp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-addon-ccpp" ; then + + yum remove -y "abrt-addon-ccpp" + +fi @@ -24686,18 +24686,8 @@ $ sudo yum erase abrt-addon-kerneloops abrt-addon-kerneloops contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org. CCE-82926-7 - -# CAUTION: This remediation script will remove abrt-addon-kerneloops -# from the system, and may remove any packages -# that depend on abrt-addon-kerneloops. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-addon-kerneloops" ; then - - yum remove -y "abrt-addon-kerneloops" - -fi + +package --remove=abrt-addon-kerneloops include remove_abrt-addon-kerneloops @@ -24721,8 +24711,18 @@ class remove_abrt-addon-kerneloops { - no_reboot_needed - package_abrt-addon-kerneloops_removed - -package --remove=abrt-addon-kerneloops + +# CAUTION: This remediation script will remove abrt-addon-kerneloops +# from the system, and may remove any packages +# that depend on abrt-addon-kerneloops. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-addon-kerneloops" ; then + + yum remove -y "abrt-addon-kerneloops" + +fi 
@@ -24743,18 +24743,8 @@ $ sudo yum erase abrt-cli abrt-cli contains a command line client for controlling abrt daemon over sockets. CCE-82907-7 - -# CAUTION: This remediation script will remove abrt-cli -# from the system, and may remove any packages -# that depend on abrt-cli. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-cli" ; then - - yum remove -y "abrt-cli" - -fi + +package --remove=abrt-cli include remove_abrt-cli @@ -24778,8 +24768,18 @@ class remove_abrt-cli { - no_reboot_needed - package_abrt-cli_removed - -package --remove=abrt-cli + +# CAUTION: This remediation script will remove abrt-cli +# from the system, and may remove any packages +# that depend on abrt-cli. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-cli" ; then + + yum remove -y "abrt-cli" + +fi @@ -24798,18 +24798,8 @@ $ sudo yum erase abrt-plugin-logger abrt-plugin-logger is an ABRT plugin which writes a report to a specified file. CCE-82913-5 - -# CAUTION: This remediation script will remove abrt-plugin-logger -# from the system, and may remove any packages -# that depend on abrt-plugin-logger. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-plugin-logger" ; then - - yum remove -y "abrt-plugin-logger" - -fi + +package --remove=abrt-plugin-logger include remove_abrt-plugin-logger @@ -24832,8 +24822,18 @@ class remove_abrt-plugin-logger { - no_reboot_needed - package_abrt-plugin-logger_removed - -package --remove=abrt-plugin-logger + +# CAUTION: This remediation script will remove abrt-plugin-logger +# from the system, and may remove any packages +# that depend on abrt-plugin-logger. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-logger" ; then + + yum remove -y "abrt-plugin-logger" + +fi 
@@ -24852,18 +24852,8 @@ $ sudo yum erase abrt-plugin-rhtsupport abrt-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system. CCE-82916-8 - -# CAUTION: This remediation script will remove abrt-plugin-rhtsupport -# from the system, and may remove any packages -# that depend on abrt-plugin-rhtsupport. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-plugin-rhtsupport" ; then - - yum remove -y "abrt-plugin-rhtsupport" - -fi + +package --remove=abrt-plugin-rhtsupport include remove_abrt-plugin-rhtsupport @@ -24886,8 +24876,18 @@ class remove_abrt-plugin-rhtsupport { - no_reboot_needed - package_abrt-plugin-rhtsupport_removed - -package --remove=abrt-plugin-rhtsupport + +# CAUTION: This remediation script will remove abrt-plugin-rhtsupport +# from the system, and may remove any packages +# that depend on abrt-plugin-rhtsupport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-rhtsupport" ; then + + yum remove -y "abrt-plugin-rhtsupport" + +fi @@ -24907,18 +24907,8 @@ $ sudo yum erase abrt-plugin-sosreport SV-230488r627750_rule abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report. CCE-82910-1 - -# CAUTION: This remediation script will remove abrt-plugin-sosreport -# from the system, and may remove any packages -# that depend on abrt-plugin-sosreport. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt-plugin-sosreport" ; then - - yum remove -y "abrt-plugin-sosreport" - -fi + +package --remove=abrt-plugin-sosreport include remove_abrt-plugin-sosreport 
@@ -24942,8 +24932,18 @@ class remove_abrt-plugin-sosreport { - no_reboot_needed - package_abrt-plugin-sosreport_removed - -package --remove=abrt-plugin-sosreport + +# CAUTION: This remediation script will remove abrt-plugin-sosreport +# from the system, and may remove any packages +# that depend on abrt-plugin-sosreport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-sosreport" ; then + + yum remove -y "abrt-plugin-sosreport" + +fi @@ -24959,18 +24959,8 @@ package --remove=abrt-plugin-sosreport $ sudo yum erase geolite2-city geolite2-city is part of the GeoLite2 database packages, offering geolocation databases and tooling. CCE-82939-0 - -# CAUTION: This remediation script will remove geolite2-city -# from the system, and may remove any packages -# that depend on geolite2-city. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "geolite2-city" ; then - - yum remove -y "geolite2-city" - -fi + +package --remove=geolite2-city include remove_geolite2-city @@ -24993,8 +24983,18 @@ class remove_geolite2-city { - no_reboot_needed - package_geolite2-city_removed - -package --remove=geolite2-city + +# CAUTION: This remediation script will remove geolite2-city +# from the system, and may remove any packages +# that depend on geolite2-city. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "geolite2-city" ; then + + yum remove -y "geolite2-city" + +fi 
@@ -25010,18 +25010,8 @@ package --remove=geolite2-city $ sudo yum erase geolite2-country geolite2-country is part of the GeoLite2 database packages, offering geolocation databases and tooling. CCE-82936-6 - -# CAUTION: This remediation script will remove geolite2-country -# from the system, and may remove any packages -# that depend on geolite2-country. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "geolite2-country" ; then - - yum remove -y "geolite2-country" - -fi + +package --remove=geolite2-country include remove_geolite2-country @@ -25044,8 +25034,18 @@ class remove_geolite2-country { - no_reboot_needed - package_geolite2-country_removed - -package --remove=geolite2-country + +# CAUTION: This remediation script will remove geolite2-country +# from the system, and may remove any packages +# that depend on geolite2-country. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "geolite2-country" ; then + + yum remove -y "geolite2-country" + +fi @@ -25070,19 +25070,6 @@ RHV uses NFS storage, which has dependency on gssproxy. gssproxy is a proxy for GSS API credential handling. CCE-82943-2 - -# CAUTION: This remediation script will remove gssproxy -# from the system, and may remove any packages -# that depend on gssproxy. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "gssproxy" ; then - - yum remove -y "gssproxy" - -fi - include remove_gssproxy class remove_gssproxy { @@ -25104,6 +25091,19 @@ class remove_gssproxy { - medium_severity - no_reboot_needed - package_gssproxy_removed + + +# CAUTION: This remediation script will remove gssproxy +# from the system, and may remove any packages +# that depend on gssproxy. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "gssproxy" ; then + + yum remove -y "gssproxy" + +fi 
@@ -25125,18 +25125,8 @@ $ sudo yum erase iprutils iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. CCE-82946-5 - -# CAUTION: This remediation script will remove iprutils -# from the system, and may remove any packages -# that depend on iprutils. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "iprutils" ; then - - yum remove -y "iprutils" - -fi + +package --remove=iprutils include remove_iprutils @@ -25160,8 +25150,18 @@ class remove_iprutils { - no_reboot_needed - package_iprutils_removed - -package --remove=iprutils + +# CAUTION: This remediation script will remove iprutils +# from the system, and may remove any packages +# that depend on iprutils. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "iprutils" ; then + + yum remove -y "iprutils" + +fi @@ -25186,18 +25186,8 @@ RHV hosts require ipa-client package, which has dependency on krb5-workstation.< Kerberos programs (kinit, klist, kdestroy, kpasswd). CCE-82931-7 - -# CAUTION: This remediation script will remove krb5-workstation -# from the system, and may remove any packages -# that depend on krb5-workstation. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "krb5-workstation" ; then - - yum remove -y "krb5-workstation" - -fi + +package --remove=krb5-workstation include remove_krb5-workstation @@ -25221,8 +25211,18 @@ class remove_krb5-workstation { - no_reboot_needed - package_krb5-workstation_removed - -package --remove=krb5-workstation + +# CAUTION: This remediation script will remove krb5-workstation +# from the system, and may remove any packages +# that depend on krb5-workstation. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "krb5-workstation" ; then + + yum remove -y "krb5-workstation" + +fi 
@@ -25243,18 +25243,8 @@ $ sudo yum erase libreport-plugin-logger libreport-plugin-logger is a ABRT plugin to report bugs into the Red Hat Support system. CCE-89201-8 - -# CAUTION: This remediation script will remove libreport-plugin-logger -# from the system, and may remove any packages -# that depend on libreport-plugin-logger. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "libreport-plugin-logger" ; then - - yum remove -y "libreport-plugin-logger" - -fi + +package --remove=libreport-plugin-logger include remove_libreport-plugin-logger @@ -25278,8 +25268,18 @@ class remove_libreport-plugin-logger { - no_reboot_needed - package_libreport-plugin-logger_removed - -package --remove=libreport-plugin-logger + +# CAUTION: This remediation script will remove libreport-plugin-logger +# from the system, and may remove any packages +# that depend on libreport-plugin-logger. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "libreport-plugin-logger" ; then + + yum remove -y "libreport-plugin-logger" + +fi @@ -25300,18 +25300,8 @@ $ sudo yum erase libreport-plugin-rhtsupport libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system. CCE-88955-0 - -# CAUTION: This remediation script will remove libreport-plugin-rhtsupport -# from the system, and may remove any packages -# that depend on libreport-plugin-rhtsupport. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "libreport-plugin-rhtsupport" ; then - - yum remove -y "libreport-plugin-rhtsupport" - -fi + +package --remove=libreport-plugin-rhtsupport include remove_libreport-plugin-rhtsupport 
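Review bot: the context line in hunk -25243 reads `libreport-plugin-logger is a ABRT plugin to report bugs into the Red Hat Support system.`, which is the description of libreport-plugin-rhtsupport (hunk -25300) pasted under the wrong package; the logger plugin writes the report to a file, as the abrt-plugin-logger rule earlier in this patch says (`abrt-plugin-logger is an ABRT plugin which writes a report to a specified file.`). Worth correcting the description, and the `a ABRT` article in both rules, while the rule bodies are being regenerated.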
@@ -25335,8 +25325,18 @@ class remove_libreport-plugin-rhtsupport { - no_reboot_needed - package_libreport-plugin-rhtsupport_removed - -package --remove=libreport-plugin-rhtsupport + +# CAUTION: This remediation script will remove libreport-plugin-rhtsupport +# from the system, and may remove any packages +# that depend on libreport-plugin-rhtsupport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "libreport-plugin-rhtsupport" ; then + + yum remove -y "libreport-plugin-rhtsupport" + +fi @@ -25356,18 +25356,8 @@ have not been compiled using recommended compiler flags. The binaries are compiled without sufficient stack protection and its address space layout randomization (ASLR) is weak. CCE-82397-1 - -# CAUTION: This remediation script will remove pigz -# from the system, and may remove any packages -# that depend on pigz. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "pigz" ; then - - yum remove -y "pigz" - -fi + +package --remove=pigz include remove_pigz @@ -25390,8 +25380,18 @@ class remove_pigz { - no_reboot_needed - package_pigz_removed - -package --remove=pigz + +# CAUTION: This remediation script will remove pigz +# from the system, and may remove any packages +# that depend on pigz. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "pigz" ; then + + yum remove -y "pigz" + +fi 
@@ -25412,18 +25412,8 @@ $ sudo yum erase python3-abrt-addon python3-abrt-addon contains python hook and python analyzer plugin for handling uncaught exceptions in python programs. CCE-86084-1 - -# CAUTION: This remediation script will remove python3-abrt-addon -# from the system, and may remove any packages -# that depend on python3-abrt-addon. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "python3-abrt-addon" ; then - - yum remove -y "python3-abrt-addon" - -fi + +package --remove=python3-abrt-addon include remove_python3-abrt-addon @@ -25447,8 +25437,18 @@ class remove_python3-abrt-addon { - no_reboot_needed - package_python3-abrt-addon_removed - -package --remove=python3-abrt-addon + +# CAUTION: This remediation script will remove python3-abrt-addon +# from the system, and may remove any packages +# that depend on python3-abrt-addon. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "python3-abrt-addon" ; then + + yum remove -y "python3-abrt-addon" + +fi @@ -25475,18 +25475,8 @@ on that information, components will then be put into lower or higher power savi modes to adapt to the current usage. CCE-82904-4 - -# CAUTION: This remediation script will remove tuned -# from the system, and may remove any packages -# that depend on tuned. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tuned" ; then - - yum remove -y "tuned" - -fi + +package --remove=tuned include remove_tuned @@ -25510,8 +25500,18 @@ class remove_tuned { - no_reboot_needed - package_tuned_removed - -package --remove=tuned + +# CAUTION: This remediation script will remove tuned +# from the system, and may remove any packages +# that depend on tuned. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "tuned" ; then + + yum remove -y "tuned" + +fi 
@@ -25543,15 +25543,13 @@ $ sudo yum install dnf-automatic dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution. CCE-82985-3 + +package --add=dnf-automatic + [[packages]] name = "dnf-automatic" version = "*" - - -if ! rpm -q --quiet "dnf-automatic" ; then - yum install -y "dnf-automatic" -fi include install_dnf-automatic @@ -25574,8 +25572,10 @@ class install_dnf-automatic { - no_reboot_needed - package_dnf-automatic_installed - -package --add=dnf-automatic + +if ! rpm -q --quiet "dnf-automatic" ; then + yum install -y "dnf-automatic" +fi @@ -25627,20 +25627,6 @@ to 1 in /etc/yum.conf. CCE-82476-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q yum; then - -if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then - sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf -else - echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf - echo "clean_requirements_on_remove=1" >> /etc/yum.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -25682,6 +25668,20 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + +if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then + sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf +else + echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf + echo "clean_requirements_on_remove=1" >> /etc/yum.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
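Review bot: the clean_requirements_on_remove bash fix moved in hunks -25627 and -25682 edits `/etc/yum.conf` with plain `sed -i`, while the gpgcheck fix later in this patch uses `sed -i --follow-symlinks` on the same file for a reason: on RHEL 8 `/etc/yum.conf` is a symlink to `/etc/dnf/dnf.conf`, and GNU sed without `--follow-symlinks` replaces the symlink with a regular file, so the existing-key branch (`sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf`) leaves dnf.conf untouched and dnf reading the old value. Use `--follow-symlinks` here as well; the append branch (`>> /etc/yum.conf`) already writes through the link.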
@@ -25715,6 +25715,25 @@ lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner. CCE-82494-6 + - name: Configure dnf-automatic to Install Available Updates Automatically + ini_file: + dest: /etc/dnf/automatic.conf + section: commands + option: apply_updates + value: 'yes' + create: true + tags: + - CCE-82494-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - dnf-automatic_apply_updates + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + found=false @@ -25742,25 +25761,6 @@ if ! $found ; then mkdir -p "$(dirname "$file")" echo -e "[commands]\napply_updates = yes" >> "$file" fi - - - name: Configure dnf-automatic to Install Available Updates Automatically - ini_file: - dest: /etc/dnf/automatic.conf - section: commands - option: apply_updates - value: 'yes' - create: true - tags: - - CCE-82494-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(5) - - NIST-800-53-SI-2(c) - - dnf-automatic_apply_updates - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy @@ -25784,6 +25784,25 @@ automatically, set upgrade_type to security CCE-82267-6 + - name: Configure dnf-automatic to Install Only Security Updates + ini_file: + dest: /etc/dnf/automatic.conf + section: commands + option: upgrade_type + value: security + create: true + tags: + - CCE-82267-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - dnf-automatic_security_updates_only + - low_complexity + - low_severity + - medium_disruption + - no_reboot_needed + - unknown_strategy + found=false 
@@ -25811,25 +25830,6 @@ if ! $found ; then mkdir -p "$(dirname "$file")" echo -e "[commands]\nupgrade_type = security" >> "$file" fi - - - name: Configure dnf-automatic to Install Only Security Updates - ini_file: - dest: /etc/dnf/automatic.conf - section: commands - option: upgrade_type - value: security - create: true - tags: - - CCE-82267-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(5) - - NIST-800-53-SI-2(c) - - dnf-automatic_security_updates_only - - low_complexity - - low_severity - - medium_disruption - - no_reboot_needed - - unknown_strategy 
@@ -25921,35 +25921,6 @@ this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). CCE-80790-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q yum; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" -else - if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" - fi - cce="CCE-80790-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" - printf '%s\n' "$formatted_output" >> "/etc/yum.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -26007,6 +25978,35 @@ fi - low_complexity - medium_disruption - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" +else + if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" + fi + cce="CCE-80790-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" + printf '%s\n' "$formatted_output" >> "/etc/yum.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -26064,35 +26064,6 @@ Accordingly, patches, service packs, device drivers, or operating system compone be signed with a certificate recognized and approved by the organization. CCE-80791-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q yum; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" -else - if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" - fi - cce="CCE-80791-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" - printf '%s\n' "$formatted_output" >> "/etc/yum.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -26152,6 +26123,35 @@ fi - medium_disruption - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf" +else + if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf" + fi + cce="CCE-80791-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf" + printf '%s\n' "$formatted_output" >> "/etc/yum.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -26230,9 +26230,6 @@ trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." CCE-80792-5 - -sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* - - name: Grep for yum repo section names shell: | set -o pipefail @@ -26294,6 +26291,9 @@ sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* - low_complexity - medium_disruption - no_reboot_needed + + +sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* 
@@ -26452,34 +26452,6 @@ not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. CCE-80795-8 - # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key -readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51" -readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" - -# Location of the key we would like to import (once it's integrity verified) -readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - -RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")") - -# Verify /etc/pki/rpm-gpg directory permissions are safe -if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] -then - # If they are safe, try to obtain fingerprints from the key file - # (to ensure there won't be e.g. CRC error). - - readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10) - - GPG_RESULT=$? - # No CRC error, safe to proceed - if [ "${GPG_RESULT}" -eq "0" ] - then - echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || { - # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it - rpm --import "${REDHAT_RELEASE_KEY}" - } - fi -fi - - name: Read permission of GPG key directory stat: path: /etc/pki/rpm-gpg/ 
@@ -26602,6 +26574,34 @@ fi - medium_disruption - no_reboot_needed - restrict_strategy + + # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key +readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51" +readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" + +# Location of the key we would like to import (once it's integrity verified) +readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + +RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")") + +# Verify /etc/pki/rpm-gpg directory permissions are safe +if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] +then + # If they are safe, try to obtain fingerprints from the key file + # (to ensure there won't be e.g. CRC error). + + readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10) + + GPG_RESULT=$? + # No CRC error, safe to proceed + if [ "${GPG_RESULT}" -eq "0" ] + then + echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || { + # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it + rpm --import "${REDHAT_RELEASE_KEY}" + } + fi +fi @@ -26664,10 +26664,6 @@ recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. CCE-80865-9 - - -yum -y update - - name: Security patches are up to date package: name: '*' @@ -26688,6 +26684,10 @@ yum -y update - reboot_required - security_patches_up_to_date - skip_ansible_lint + + + +yum -y update 
@@ -26707,11 +26707,6 @@ The dnf-automatic timer can be enabled with the following The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by dnf-automatic.timer SystemD timer. CCE-82360-9 - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer' -"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer' - - name: Enable timer dnf-automatic block: @@ -26737,6 +26732,11 @@ SYSTEMCTL_EXEC='/usr/bin/systemctl' - medium_severity - no_reboot_needed - timer_dnf-automatic_enabled + + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer' +"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer' @@ -26798,20 +26798,6 @@ profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases. CCE-88248-0 - -var_authselect_profile='' - - -authselect select "$var_authselect_profile" - -if test "$?" -ne 0; then - if rpm --quiet --verify pam; then - authselect select --force "$var_authselect_profile" - else - echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2 - fi -fi - - name: XCCDF Value var_authselect_profile # promote to variable set_fact: var_authselect_profile: !!str @@ -26882,6 +26868,20 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + +var_authselect_profile='' + + +authselect select "$var_authselect_profile" + +if test "$?" -ne 0; then + if rpm --quiet --verify pam; then + authselect select --force "$var_authselect_profile" + else + echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2 + fi +fi 
@@ -27037,6 +27037,32 @@ with human users and are not required when such human interfaces do not exist. CCE-80763-6 + - @@ -27149,6 +27149,28 @@ with human users and are not required when such human interfaces do not exist. CCE-86147-6 + - @@ -27250,6 +27250,28 @@ with human users and are not required when such human interfaces do not exist. CCE-83496-0 + - @@ -27320,8 +27320,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. CCE-83708-8 - chgrp 0 /etc/issue - - name: Test for existence /etc/issue stat: path: /etc/issue @@ -27348,6 +27346,8 @@ Proper group ownership will ensure that only root user can modify the banner. + chgrp 0 /etc/issue @@ -27369,8 +27369,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. CCE-86051-0 - chgrp 0 /etc/issue.net - - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -27399,6 +27397,8 @@ Proper group ownership will ensure that only root user can modify the banner. + chgrp 0 /etc/issue.net @@ -27419,8 +27419,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. CCE-83728-6 - chgrp 0 /etc/motd - - name: Test for existence /etc/motd stat: path: /etc/motd @@ -27447,6 +27445,8 @@ Proper group ownership will ensure that only root user can modify the banner. + chgrp 0 /etc/motd 
@@ -27467,8 +27467,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. CCE-83718-7 - chown 0 /etc/issue - - name: Test for existence /etc/issue stat: path: /etc/issue @@ -27495,6 +27493,8 @@ Proper ownership will ensure that only root user can modify the banner. + chown 0 /etc/issue @@ -27516,8 +27516,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. CCE-86054-4 - chown 0 /etc/issue.net - - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -27546,6 +27544,8 @@ Proper ownership will ensure that only root user can modify the banner. + chown 0 /etc/issue.net @@ -27566,8 +27566,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. CCE-83738-5 - chown 0 /etc/motd - - name: Test for existence /etc/motd stat: path: /etc/motd @@ -27594,6 +27592,8 @@ Proper ownership will ensure that only root user can modify the banner. + chown 0 /etc/motd @@ -27614,13 +27614,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner. CCE-83348-3 - - - - - -chmod u-xs,g-xws,o-xwt /etc/issue - - name: Test for existence /etc/issue stat: path: /etc/issue @@ -27647,6 +27640,13 @@ chmod u-xs,g-xws,o-xwt /etc/issue - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/issue 
@@ -27668,13 +27668,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner. CCE-86047-8 - - - - - -chmod u-xs,g-xws,o-xwt /etc/issue.net - - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -27703,6 +27696,13 @@ chmod u-xs,g-xws,o-xwt /etc/issue.net - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/issue.net @@ -27723,13 +27723,6 @@ verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Proper permissions will ensure that only root user can modify the banner. CCE-83338-4 - - - - - -chmod u-xs,g-xws,o-xwt /etc/motd - - name: Test for existence /etc/motd stat: path: /etc/motd @@ -27756,6 +27749,13 @@ chmod u-xs,g-xws,o-xwt /etc/motd - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/motd 
@@ -27843,68 +27843,6 @@ Executive Orders, directives, policies, regulations, standards, and guidance. For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. CCE-80768-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. -# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! 
grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" -if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}" -fi - -if ! grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -27982,6 +27920,68 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" +if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}" +fi + +if ! 
grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -28058,87 +28058,6 @@ to begin and end the string with ' and use \n< An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. CCE-80770-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q gdm; then - -login_banner_text='' - - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g') -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g') -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g') -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g') -# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). -login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g') -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g') - -# Check for setting in any of the DConf db directories -# If files contain ibus or distro, ignore them. 
-# The assignment assumes that individual filenames don't contain : -readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) -DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" -DBDIR="/etc/dconf/db/gdm.d" - -mkdir -p "${DBDIR}" - -# Comment out the configurations in databases different from the target one -if [ "${#SETTINGSFILES[@]}" -ne 0 ] -then - if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}" - then - - sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}" - fi -fi - -[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" -if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" -then - printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} -fi - -escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")" -if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}" -then - sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}" - else - sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}" -fi - -dconf update -# Check for setting in any of the DConf db directories -LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" \ - | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) -LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" - -mkdir -p "${LOCKSFOLDER}" - -# Comment out the configurations in databases different from the target one -if [[ ! -z "${LOCKFILES}" ]] -then - sed -i -E "s|^/org/gnome/login-screen/banner-message-text$|#&|" "${LOCKFILES[@]}" -fi - -if ! 
grep -qr "^/org/gnome/login-screen/banner-message-text$" /etc/dconf/db/gdm.d/ -then - echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" -fi - -dconf update - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -28268,6 +28187,87 @@ fi - medium_severity - no_reboot_needed - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +login_banner_text='' + + +# Multiple regexes transform the banner regex into a usable banner +# 0 - Remove anchors around the banner text +login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g') +# 1 - Keep only the first banners if there are multiple +# (dod_banners contains the long and short banner) +login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g') +# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") +login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g') +# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") +login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g') +# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). +login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g') +# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). +# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". +login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g') + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. 
+# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +# Comment out the configurations in databases different from the target one +if [ "${#SETTINGSFILES[@]}" -ne 0 ] +then + if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}" + then + + sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}" + fi +fi + +[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" +if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" +then + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} +fi + +escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")" +if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}" +then + sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}" +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/login-screen/banner-message-text$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/login-screen/banner-message-text$" /etc/dconf/db/gdm.d/ +then + echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -28357,21 +28357,13 @@ of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +package --add=libpwquality + [[packages]] name = "libpwquality" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if ! rpm -q --quiet "libpwquality" ; then - yum install -y "libpwquality" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_libpwquality @@ -28405,8 +28397,16 @@ class install_libpwquality { - no_reboot_needed - package_pam_pwquality_installed - -package --add=libpwquality + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if ! rpm -q --quiet "libpwquality" ; then + yum install -y "libpwquality" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -28433,15 +28433,6 @@ have authorization. When operating systems provide the capability to escalate a capability, it is critical the user re-authenticate. CCE-86319-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -sed -i '/pam_succeed_if/d' /etc/pam.d/sudo - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -28473,6 +28464,15 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +sed -i '/pam_succeed_if/d' /etc/pam.d/sudo + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -28549,264 +28549,6 @@ account allows the user to determine if any unauthorized activity has occurred a an opportunity to notify administrators. CCE-80788-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -f /usr/bin/authselect ]; then - if authselect list-features minimal | grep -q with-silent-lastlog; then - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - authselect disable-feature with-silent-lastlog - - authselect apply-changes -b - else - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - if [ -e "$PAM_FILE_PATH" ] ; then - PAM_FILE_PATH="$PAM_FILE_PATH" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! 
grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" - else - echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" - fi - fi - fi - # Check the option - if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$PAM_FILE_PATH was not found" >&2 - fi - if [ -e "$PAM_FILE_PATH" ] ; then - PAM_FILE_PATH="$PAM_FILE_PATH" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$PAM_FILE_PATH was not found" >&2 - fi - fi -else - if [ -e "/etc/pam.d/postlogin" ] ; then - PAM_FILE_PATH="/etc/pam.d/postlogin" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" - else - echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" - fi - fi - fi - # Check the option - if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "/etc/pam.d/postlogin was not found" >&2 - fi - if [ -e "/etc/pam.d/postlogin" ] ; then - PAM_FILE_PATH="/etc/pam.d/postlogin" - if [ -f /usr/bin/authselect ]; then - - if ! 
authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "/etc/pam.d/postlogin was not found" >&2 - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
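Review bot: The 258 lines removed in this hunk (header 264 -> 6) reappear unchanged in the next hunk (@@ -29193,6 +28935,264 @@), so the pair is a reordering of the CCE-80788-3 bash remediation relative to the Ansible remediation that starts at "- name: Gather the package facts", not a content change. An automated publish that emits remediations in an unstable order produces large spurious diffs that hide any real change to the script; rendering the fix elements in a fixed order (for example by remediation type) would make the published datastream reproducible and reviewable.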
@@ -29193,6 +28935,264 @@ fi - low_disruption - low_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -f /usr/bin/authselect ]; then + if authselect list-features minimal | grep -q with-silent-lastlog; then + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + authselect disable-feature with-silent-lastlog + + authselect apply-changes -b + else + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + if [ -e "$PAM_FILE_PATH" ] ; then + PAM_FILE_PATH="$PAM_FILE_PATH" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! 
grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" + else + echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" + fi + fi + fi + # Check the option + if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$PAM_FILE_PATH was not found" >&2 + fi + if [ -e "$PAM_FILE_PATH" ] ; then + PAM_FILE_PATH="$PAM_FILE_PATH" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$PAM_FILE_PATH was not found" >&2 + fi + fi +else + if [ -e "/etc/pam.d/postlogin" ] ; then + PAM_FILE_PATH="/etc/pam.d/postlogin" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH" + else + echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH" + fi + fi + fi + # Check the option + if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "/etc/pam.d/postlogin was not found" >&2 + fi + if [ -e "/etc/pam.d/postlogin" ] ; then + PAM_FILE_PATH="/etc/pam.d/postlogin" + if [ -f /usr/bin/authselect ]; then + + if ! 
authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "/etc/pam.d/postlogin was not found" >&2 + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
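Review bot: Inside the `else` branch for systems without the `with-silent-lastlog` feature, each `if [ -e "$PAM_FILE_PATH" ]` block repeats the full `authselect check`, custom `hardening` profile creation and `PAM_FILE_PATH` rewrite that the enclosing branch has just completed, so `authselect apply-changes -b` is invoked several times per run and the two actual edits (adding `showfailed`, stripping `silent`) are buried in roughly three copies of the same setup code; hoisting the profile setup out once would make the hunk far easier to audit. A smaller point: `if [ ! -z $LAST_MATCH_LINE ]` relies on the unquoted expansion collapsing to `[ ! -z ]` when the variable is empty, which happens to evaluate as intended; `if [ -n "$LAST_MATCH_LINE" ]` says the same thing without depending on that behaviour.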
@@ -29213,17 +29213,6 @@ SELinux, user name, security context or both. The polyinstatied directories can be used to dedicate separate temporary directories to each account. CCE-83744-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q pam ); then - -if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then - echo "session required pam_namespace.so" >> "/etc/pam.d/login" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -29253,6 +29242,17 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q pam ); then + +if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then + echo "session required pam_namespace.so" >> "/etc/pam.d/login" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
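Review bot: The presence check `grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$'` recognises only an unadorned line, so an existing `session required pam_namespace.so` that carries module options, or one that uses another control word, is not detected and a second pam_namespace.so line is appended to /etc/pam.d/login each time the remediation runs. Matching on `^\s*session\s+\S+\s+pam_namespace\.so\b` before deciding to append (and escaping the dot in the module name) avoids the duplicate. The two hunks on this line otherwise move the same block unchanged from before to after the Ansible task for CCE-83744-3.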
@@ -29462,99 +29462,6 @@ updates as of version 0.1.65. AC-7 (a) Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. CCE-86107-0 - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*audit" - line="audit" - if ! grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! 
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" - fi - done -fi - - name: Account Lockouts Must Be Logged - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect 
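Review bot: In the non-authselect branch, `sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"` omits the `--follow-symlinks` that the three preceding `sed -i` calls on the same file use; when `$pam_file` is a symlink, GNU sed -i replaces the link with a regular file, so the edit lands in a detached copy and the pam_faillock.so control change is not applied to the real target. Adding `--follow-symlinks` here keeps the four edits consistent. This hunk removes the CCE-86107-0 bash remediation that the later hunk (@@ -30110,6 +30017,99 @@) re-adds verbatim after the Ansible tasks, so the net change is ordering only.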
@@ -30110,6 +30017,99 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*audit" + line="audit" + if ! grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. 
+ It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" + fi + done +fi 
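Review bot: In the final `else` branch (no /etc/security/faillock.conf) the check `grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit'` is satisfied by either the preauth or the authfail line, while the fix appends ` audit` only to the line matching `pam_faillock\.so.*preauth.*silent`; a file where only the authfail line carries `audit` therefore passes the check with the preauth line left un-audited, and a preauth line written without `silent` is never touched because the sed address does not match. Restricting the check to the preauth line and dropping `.*silent` from the sed address makes the two halves agree. The earlier `grep -q $regex $FAILLOCK_CONF` with `regex="^\s*audit"` works only because the pattern contains no whitespace; quoting `"$regex"` and `"$FAILLOCK_CONF"` costs nothing and removes that dependency.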
@@ -30226,201 +30226,6 @@ updated. re-used by a user. CCE-83478-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_remember='' -var_password_pam_remember_control_flag='' - - -var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)" - -if [ -f /usr/bin/authselect ]; then - if authselect list-features minimal | grep -q with-pwhistory; then - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - authselect enable-feature with-pwhistory - - authselect apply-changes -b - else - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH" - else - echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "$PAM_FILE_PATH" - fi - fi - fi - fi -else - if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth" - else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/password-auth" - else - echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/password-auth" - fi - fi - fi -fi - -PWHISTORY_CONF="/etc/security/pwhistory.conf" -if [ -f $PWHISTORY_CONF ]; then - regex="^\s*remember\s*=" - line="remember = $var_password_pam_remember" - if ! grep -q $regex $PWHISTORY_CONF; then - echo $line >> $PWHISTORY_CONF - else - sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF - fi - if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "/etc/pam.d/password-auth was not found" >&2 - fi -else - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -31279,105 +31084,7 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - - - Limit Password Reuse: system-auth - Do not allow users to reuse recent passwords. This can be accomplished by using the -remember option for the pam_pwhistory PAM module. - - -On systems with newer versions of authselect, the pam_pwhistory PAM module -can be enabled via authselect feature: -authselect enable-feature with-pwhistory - -Otherwise, it should be enabled using an authselect custom profile. - -Newer systems also have the /etc/security/pwhistory.conf file for setting -pam_pwhistory module options. This file should be used whenever available. -Otherwise, the pam_pwhistory module options can be set in PAM files. - -The value for remember option must be equal or greater than - - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. - Newer versions of authselect contain an authselect feature to easily and properly -enable pam_pwhistory.so module. If this feature is not yet available in your -system, an authselect custom profile must be used to avoid integrity issues in PAM files. 
- 1 - 12 - 15 - 16 - 5 - 5.6.2.1.1 - DSS05.04 - DSS05.05 - DSS05.07 - DSS05.10 - DSS06.03 - DSS06.10 - 3.5.8 - CCI-000200 - 4.3.3.2.2 - 4.3.3.5.1 - 4.3.3.5.2 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - 4.3.3.7.2 - 4.3.3.7.4 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.3 - SR 1.4 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - SR 2.1 - A.18.1.4 - A.7.1.1 - A.9.2.1 - A.9.2.2 - A.9.2.3 - A.9.2.4 - A.9.2.6 - A.9.3.1 - A.9.4.2 - A.9.4.3 - IA-5(f) - IA-5(1)(e) - PR.AC-1 - PR.AC-6 - PR.AC-7 - Req-8.2.5 - 8.3.7 - SRG-OS-000077-GPOS-00045 - RHEL-08-020221 - 5.5.3 - SV-251717r902749_rule - Preventing re-use of previous passwords helps ensure that a compromised password is not -re-used by a user. - - CCE-83480-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then var_password_pam_remember='' @@ -31425,7 +31132,7 @@ if [ -f /usr/bin/authselect ]; then authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b 
@@ -31445,17 +31152,17 @@ if [ -f /usr/bin/authselect ]; then fi fi else - if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then + if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth" + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth" else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1) + LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/system-auth" + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/password-auth" else - echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" + echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/password-auth" fi fi fi 
@@ -31470,8 +31177,8 @@ if [ -f $PWHISTORY_CONF ]; then else sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF fi - if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then @@ -31498,7 +31205,7 @@ if [ -f $PWHISTORY_CONF ]; then authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b @@ -31512,10 +31219,10 @@ if [ -f $PWHISTORY_CONF ]; then authselect apply-changes -b fi else - echo "/etc/pam.d/system-auth was not found" >&2 + echo "/etc/pam.d/password-auth was not found" >&2 fi else - PAM_FILE_PATH="/etc/pam.d/system-auth" + PAM_FILE_PATH="/etc/pam.d/password-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then @@ -31542,7 +31249,7 @@ else authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b 
@@ -31572,6 +31279,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Limit Password Reuse: system-auth + Do not allow users to reuse recent passwords. This can be accomplished by using the +remember option for the pam_pwhistory PAM module. + + +On systems with newer versions of authselect, the pam_pwhistory PAM module +can be enabled via authselect feature: +authselect enable-feature with-pwhistory + +Otherwise, it should be enabled using an authselect custom profile. + +Newer systems also have the /etc/security/pwhistory.conf file for setting +pam_pwhistory module options. This file should be used whenever available. +Otherwise, the pam_pwhistory module options can be set in PAM files. + +The value for remember option must be equal or greater than + + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. + Newer versions of authselect contain an authselect feature to easily and properly +enable pam_pwhistory.so module. If this feature is not yet available in your +system, an authselect custom profile must be used to avoid integrity issues in PAM files. 
+ 1 + 12 + 15 + 16 + 5 + 5.6.2.1.1 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + 3.5.8 + CCI-000200 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + IA-5(f) + IA-5(1)(e) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.5 + 8.3.7 + SRG-OS-000077-GPOS-00045 + RHEL-08-020221 + 5.5.3 + SV-251717r902749_rule + Preventing re-use of previous passwords helps ensure that a compromised password is not +re-used by a user. + + CCE-83480-4 - name: Gather the package facts package_facts: manager: auto 
@@ -32429,95 +32234,15 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - - - Limit Password Reuse - Do not allow users to reuse recent passwords. This can be accomplished by using the -remember option for the pam_unix or pam_pwhistory PAM modules. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. - Newer versions of authselect contain an authselect feature to easily and properly -enable pam_pwhistory.so module. If this feature is not yet available in your -system, an authselect custom profile must be used to avoid integrity issues in PAM files. - BP28(R18) - 1 - 12 - 15 - 16 - 5 - 5.6.2.1.1 - DSS05.04 - DSS05.05 - DSS05.07 - DSS05.10 - DSS06.03 - DSS06.10 - 3.5.8 - CCI-000200 - 4.3.3.2.2 - 4.3.3.5.1 - 4.3.3.5.2 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - 4.3.3.7.2 - 4.3.3.7.4 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.3 - SR 1.4 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - SR 2.1 - A.18.1.4 - A.7.1.1 - A.9.2.1 - A.9.2.2 - A.9.2.3 - A.9.2.4 - A.9.2.6 - A.9.3.1 - A.9.4.2 - A.9.4.3 - IA-5(f) - IA-5(1)(e) - PR.AC-1 - PR.AC-6 - PR.AC-7 - Req-8.2.5 - 8.3.7 - SRG-OS-000077-GPOS-00045 - 5.4.3 - Preventing re-use of previous passwords helps ensure that a compromised password is not -re-used by a user. 
- - CCE-80666-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_password_pam_unix_remember='' +var_password_pam_remember='' +var_password_pam_remember_control_flag='' +var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)" + if [ -f /usr/bin/authselect ]; then if authselect list-features minimal | grep -q with-pwhistory; then if ! authselect check; then 
@@ -32561,33 +32286,33 @@ if [ -f /usr/bin/authselect ]; then PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then + if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH" else LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH" + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH" else - echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" + echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "$PAM_FILE_PATH" fi fi fi fi else - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then + if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "/etc/pam.d/system-auth" + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth" else LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1) if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "/etc/pam.d/system-auth" + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/system-auth" else - echo 'password '"requisite"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" + echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" fi fi fi @@ -32596,11 +32321,11 @@ fi PWHISTORY_CONF="/etc/security/pwhistory.conf" if [ -f $PWHISTORY_CONF ]; then regex="^\s*remember\s*=" - line="remember = $var_password_pam_unix_remember" + line="remember = $var_password_pam_remember" if ! grep -q $regex $PWHISTORY_CONF; then echo $line >> $PWHISTORY_CONF else - sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_unix_remember"'|g' $PWHISTORY_CONF + sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF fi if [ -e "/etc/pam.d/system-auth" ] ; then PAM_FILE_PATH="/etc/pam.d/system-auth" 
@@ -32690,9 +32415,9 @@ else fi # Check the option if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_unix_remember"'/' "$PAM_FILE_PATH" + sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH" else - sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_remember"' \3/' "$PAM_FILE_PATH" + sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -32704,6 +32429,89 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Limit Password Reuse + Do not allow users to reuse recent passwords. This can be accomplished by using the +remember option for the pam_unix or pam_pwhistory PAM modules. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. + Newer versions of authselect contain an authselect feature to easily and properly +enable pam_pwhistory.so module. If this feature is not yet available in your +system, an authselect custom profile must be used to avoid integrity issues in PAM files. + BP28(R18) + 1 + 12 + 15 + 16 + 5 + 5.6.2.1.1 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + 3.5.8 + CCI-000200 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + IA-5(f) + IA-5(1)(e) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.5 + 8.3.7 + SRG-OS-000077-GPOS-00045 + 5.4.3 + Preventing re-use of previous passwords helps ensure that a compromised password is not +re-used by a user. + + CCE-80666-1 - name: Gather the package facts package_facts: manager: auto 
@@ -33523,124 +33331,217 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - - Account Lockouts Must Be Logged - PAM faillock locks an account due to excessive password failures, this event must be logged. - CCI-000044 - AC-7 (a) - SRG-OS-000021-GPOS-00005 - RHEL-08-020021 - SV-230343r743981_rule - Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. - - CCE-86099-9 - # Remediation is applicable only in certain platforms -if grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; then + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_unix_remember='' + if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock + if authselect list-features minimal | grep -q with-pwhistory; then + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
+ exit 1 + fi + authselect enable-feature with-pwhistory -authselect apply-changes -b + authselect apply-changes -b + else + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! 
-z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH" + else + echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" + fi + fi + fi + fi else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "/etc/pam.d/system-auth" + else + LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "/etc/pam.d/system-auth" + else + echo 'password '"requisite"' pam_pwhistory.so' >> "/etc/pam.d/system-auth" + fi + fi fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - fi -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*audit" - line="audit" - if ! 
grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF +PWHISTORY_CONF="/etc/security/pwhistory.conf" +if [ -f $PWHISTORY_CONF ]; then + regex="^\s*remember\s*=" + line="remember = $var_password_pam_unix_remember" + if ! grep -q $regex $PWHISTORY_CONF; then + echo $line >> $PWHISTORY_CONF + else + sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_unix_remember"'|g' $PWHISTORY_CONF fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then + if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
- exit 1 - fi + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + authselect apply-changes -b + fi + + if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "/etc/pam.d/system-auth was not found" >&2 + fi +else + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. 
+ In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi - authselect apply-changes -b - fi + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" + echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH" fi - done + fi + # Check the option + if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_unix_remember"'/' "$PAM_FILE_PATH" + else + sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_remember"' \3/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Account Lockouts Must Be Logged + PAM faillock locks an account due to excessive password failures, this event must be logged. + CCI-000044 + AC-7 (a) + SRG-OS-000021-GPOS-00005 + RHEL-08-020021 + SV-230343r743981_rule + Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. + + CCE-86099-9 - name: Account Lockouts Must Be Logged - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect 
@@ -34222,6 +34123,105 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; then + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*audit" + line="audit" + if ! 
grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file" + fi + done +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
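Review bot: in the non-faillock.conf fallback at the end of this hunk, `audit` is appended only to the `preauth silent` line, while the sibling deny, even_deny_root and dir remediations in this patch append their option to both the `preauth` and the `authfail` lines; either the check regex `(preauth|authfail).*audit` is wider than the fix, or a second `sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ audit/' "$pam_file"` is missing. Separately, `grep -q $regex $FAILLOCK_CONF` and `echo $line >> $FAILLOCK_CONF` leave `$regex`, `$line` and `$FAILLOCK_CONF` unquoted, so the `*` in `^\s*audit` is exposed to pathname expansion; quote them. The custom-profile block also recovers enabled features by parsing human-readable output (`authselect current | tail -n+3 | awk '{ print $2 }'`) although the profile name is already taken from `authselect current -r`; reading the raw form for both (`authselect current -r | cut -d' ' -f2-`) is less fragile.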
@@ -34320,114 +34320,6 @@ user password guessing, also known as brute-forcing, is reduced. Limits are impo the account. CCE-80667-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_deny='' - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*deny\s*=" - line="deny = $var_accounts_passwords_pam_faillock_deny" - if ! 
grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -35118,93 +35010,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Configure the root Account for Failed Password Attempts - This rule configures the system to lock out the root account after a number of -incorrect login attempts using pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - BP28(R18) - 1 - 12 - 15 - 16 - DSS05.04 - DSS05.10 - DSS06.10 - CCI-002238 - CCI-000044 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - 0421 - 0422 - 0431 - 0974 - 1173 - 1401 - 1504 - 1505 - 1546 - 1557 - 1558 - 1559 - 1560 - 1561 - A.18.1.4 - A.9.2.1 - A.9.2.4 - A.9.3.1 - A.9.4.2 - A.9.4.3 - CM-6(a) - AC-7(b) - IA-5(c) - PR.AC-7 - FMT_MOF_EXT.1 - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 - RHEL-08-020023 - SV-230345r743984_rule - By limiting the number of failed logon attempts, the risk of unauthorized system access via -user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking -the account. 
- - CCE-80668-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then +var_accounts_passwords_pam_faillock_deny='' + + if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " @@ -35236,10 +35047,12 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*even_deny_root" - line="even_deny_root" + regex="^\s*deny\s*=" + line="deny = $var_accounts_passwords_pam_faillock_deny" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -35277,8 +35090,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -35291,9 +35104,12 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" fi done fi 
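Review bot: the fallback check in this hunk, `grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"`, matches the substring `deny` inside `even_deny_root`, so on a host where the root-lockout remediation from this same patch has already appended `even_deny_root` but no `deny=` is present, the script takes the `else` branch; that branch's `sed` requires `deny=[0-9]\+`, matches nothing, and `deny=` is never written. Anchor the option in the check, e.g. `(preauth|authfail).*(^|\s)deny=`. The authselect branch is unaffected because its `\bdeny\b` pattern does not match `even_deny_root`.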
@@ -35302,6 +35118,90 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure the root Account for Failed Password Attempts + This rule configures the system to lock out the root account after a number of +incorrect login attempts using pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + BP28(R18) + 1 + 12 + 15 + 16 + DSS05.04 + DSS05.10 + DSS06.10 + CCI-002238 + CCI-000044 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + CM-6(a) + AC-7(b) + IA-5(c) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + RHEL-08-020023 + SV-230345r743984_rule + By limiting the number of failed logon attempts, the risk of unauthorized system access via +user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking +the account. + + CCE-80668-7 - name: Gather the package facts package_facts: manager: auto 
@@ -35936,56 +35836,9 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Lock Accounts Must Persist - This rule ensures that the system lock out accounts using pam_faillock.so persist -after system reboot. From "pam_faillock" man pages: -Note that the default directory that "pam_faillock" uses is usually cleared on system -boot so the access will be reenabled after system reboot. If that is undesirable, a different -tally directory must be set with the "dir" option. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - -The chosen profile expects the directory to be . - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - CCI-000044 - CCI-002238 - AC-7(b) - AC-7(a) - AC-7.1(ii) - SRG-OS-000021-GPOS-00005 - SRG-OS-000329-GPOS-00128 - RHEL-08-020016 - RHEL-08-020017 - SV-230338r627750_rule - SV-230339r743975_rule - Locking out user accounts after a number of incorrect attempts prevents direct password -guessing attacks. In combination with the silent option, user enumeration attacks -are also mitigated. - - CCE-86067-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_accounts_passwords_pam_faillock_dir='' - - if [ -f /usr/bin/authselect ]; then if ! 
authselect check; then echo " @@ -36017,12 +35870,10 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*dir\s*=" - line="dir = $var_accounts_passwords_pam_faillock_dir" + regex="^\s*even_deny_root" + line="even_deny_root" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(dir\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_dir"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -36060,8 +35911,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -36074,34 +35925,61 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file" fi done fi -if ! rpm -q --quiet "python3-libselinux" ; then - yum install -y "python3-libselinux" -fi -if ! rpm -q --quiet "python3-policycoreutils" ; then - yum install -y "python3-policycoreutils" -fi -if ! rpm -q --quiet "policycoreutils-python-utils" ; then - yum install -y "policycoreutils-python-utils" -fi - -mkdir -p "$var_accounts_passwords_pam_faillock_dir" -semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?" -restorecon -R -v "$var_accounts_passwords_pam_faillock_dir" - else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Lock Accounts Must Persist + This rule ensures that the system lock out accounts using pam_faillock.so persist +after system reboot. 
From "pam_faillock" man pages: +Note that the default directory that "pam_faillock" uses is usually cleared on system +boot so the access will be reenabled after system reboot. If that is undesirable, a different +tally directory must be set with the "dir" option. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + +The chosen profile expects the directory to be . + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + CCI-000044 + CCI-002238 + AC-7(b) + AC-7(a) + AC-7.1(ii) + SRG-OS-000021-GPOS-00005 + SRG-OS-000329-GPOS-00128 + RHEL-08-020016 + RHEL-08-020017 + SV-230338r627750_rule + SV-230339r743975_rule + Locking out user accounts after a number of incorrect attempts prevents direct password +guessing attacks. In combination with the silent option, user enumeration attacks +are also mitigated. + + CCE-86067-6 - name: Gather the package facts package_facts: manager: auto 
@@ -36838,39 +36716,12 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Enforce pam_faillock for Local Accounts Only - The pam_faillock module's local_users_only parameter controls requirements for -enforcing failed lockout attempts only for local user accounts and ignoring centralized user -account management failed attempt configurations. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - Using this rule bypasses pam_faillock's functionality and should be used in cases -where centralized management such as LDAP or Active Directory is in use. - CCI-000015 - AC-2(1) - SRG-OS-000001-GPOS-00001 - The operating system must provide automated mechanisms for supporting account management -functions. Enterprise environments make application account management challenging and -complex. A manual process for account management functions adds the risk of a potential -oversight or other error. Locking out remote accounts may cause unintentional DoS. - - CCE-83401-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then +var_accounts_passwords_pam_faillock_dir='' + + if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " 
@@ -36902,10 +36753,12 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*local_users_only" - line="local_users_only" + regex="^\s*dir\s*=" + line="dir = $var_accounts_passwords_pam_faillock_dir" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(dir\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_dir"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -36943,8 +36796,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -36957,17 +36810,64 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*local_users_only' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ local_users_only/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file" fi done fi +if ! rpm -q --quiet "python3-libselinux" ; then + yum install -y "python3-libselinux" +fi +if ! rpm -q --quiet "python3-policycoreutils" ; then + yum install -y "python3-policycoreutils" +fi +if ! rpm -q --quiet "policycoreutils-python-utils" ; then + yum install -y "policycoreutils-python-utils" +fi + +mkdir -p "$var_accounts_passwords_pam_faillock_dir" +semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?" 
+restorecon -R -v "$var_accounts_passwords_pam_faillock_dir" + else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Enforce pam_faillock for Local Accounts Only + The pam_faillock module's local_users_only parameter controls requirements for +enforcing failed lockout attempts only for local user accounts and ignoring centralized user +account management failed attempt configurations. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + Using this rule bypasses pam_faillock's functionality and should be used in cases +where centralized management such as LDAP or Active Directory is in use. + CCI-000015 + AC-2(1) + SRG-OS-000001-GPOS-00001 + The operating system must provide automated mechanisms for supporting account management +functions. Enterprise environments make application account management challenging and +complex. A manual process for account management functions adds the risk of a potential +oversight or other error. Locking out remote accounts may cause unintentional DoS. + + CCE-83401-0 - name: Gather the package facts package_facts: manager: auto 
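Review bot: the fallback `sed` that rewrites an existing `dir=` value in this hunk matches the current value with `\('"dir"'=\)[0-9]\+`, but `dir` is a path (pam_faillock's default is `/var/run/faillock`), not a number, so an existing `dir=/var/run/faillock` is never replaced; the pattern was carried over from the numeric options (`deny`, `fail_interval`) and should be `[^[:space:]]\+` here. Also, `semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?"` errors with "already defined" on a second run of the remediation; check `semanage fcontext -l` first or fall back to `semanage fcontext -m` when `-a` fails.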
@@ -37577,102 +37477,9 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Set Interval For Counting Failed Password Attempts - Utilizing pam_faillock.so, the fail_interval directive configures the system -to lock out an account after a number of incorrect login attempts within a specified time -period. - -Ensure that the file /etc/security/faillock.conf contains the following entry: -fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. - - -In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - BP28(R18) - 1 - 12 - 15 - 16 - DSS05.04 - DSS05.10 - DSS06.10 - CCI-000044 - CCI-002236 - CCI-002237 - CCI-002238 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - 0421 - 0422 - 0431 - 0974 - 1173 - 1401 - 1504 - 1505 - 1546 - 1557 - 1558 - 1559 - 1560 - 1561 - A.18.1.4 - A.9.2.1 - A.9.2.4 - A.9.3.1 - A.9.4.2 - A.9.4.3 - CM-6(a) - AC-7(a) - PR.AC-7 - FIA_AFL.1 - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 - RHEL-08-020012 - RHEL-08-020013 - SV-230334r627750_rule - SV-230335r743969_rule - By limiting the number of failed logon attempts the risk of unauthorized system -access via user password guessing, otherwise known as brute-forcing, is reduced. -Limits are imposed by locking the account. 
- - CCE-80669-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_accounts_passwords_pam_faillock_fail_interval='' - - if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " @@ -37704,12 +37511,10 @@ AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*fail_interval\s*=" - line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" + regex="^\s*local_users_only" + line="local_users_only" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do @@ -37747,8 +37552,8 @@ if [ -f $FAILLOCK_CONF ]; then authselect apply-changes -b fi - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
@@ -37761,12 +37566,9 @@ if [ -f $FAILLOCK_CONF ]; then else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" + if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*local_users_only' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ local_users_only/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ local_users_only/' "$pam_file" fi done fi 
@@ -37775,6 +37577,96 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Set Interval For Counting Failed Password Attempts + Utilizing pam_faillock.so, the fail_interval directive configures the system +to lock out an account after a number of incorrect login attempts within a specified time +period. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + BP28(R18) + 1 + 12 + 15 + 16 + DSS05.04 + DSS05.10 + DSS06.10 + CCI-000044 + CCI-002236 + CCI-002237 + CCI-002238 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + CM-6(a) + AC-7(a) + PR.AC-7 + FIA_AFL.1 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + RHEL-08-020012 + RHEL-08-020013 + SV-230334r627750_rule + SV-230335r743969_rule + By limiting the number of failed logon attempts the risk of unauthorized system +access via user password guessing, otherwise known as brute-forcing, is reduced. 
+Limits are imposed by locking the account. + + CCE-80669-5 - name: Gather the package facts package_facts: manager: auto 
@@ -38444,48 +38336,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Do Not Show System Messages When Unsuccessful Logon Attempts Occur - This rule ensures the system prevents informative messages from being presented to the user -pertaining to logon information after a number of incorrect login attempts using -pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file. - CCI-002238 - CCI-000044 - SRG-OS-000329-GPOS-00128 - SRG-OS-000021-GPOS-00005 - RHEL-08-020018 - RHEL-08-020019 - SV-230340r627750_rule - SV-230341r743978_rule - The pam_faillock module without the silent option will leak information about the existence or -non-existence of a user account in the system because the failures are not recorded for unknown -users. The message about the user account being locked is never displayed for non-existing user -accounts allowing the adversary to infer that a particular account exists or not on the system. - - CCE-87096-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then +var_accounts_passwords_pam_faillock_fail_interval='' + + if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " 
@@ -38514,18 +38370,72 @@ done fi AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then - regex="^\s*silent" - line="silent" + regex="^\s*fail_interval\s*=" + line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done else for pam_file in "${AUTH_FILES[@]}" do - if ! grep -qE '^\s*auth.*pam_faillock\.so\s*preauth.*silent' "$pam_file"; then - sed -i --follow-symlinks '/^\s*auth.*pam_faillock\.so.*preauth/ s/$/ silent/' "$pam_file" + if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" fi done fi 
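Review bot: the `authselect check` failure inside the `for pam_file` loop calls `exit 1` after `$FAILLOCK_CONF` has already been rewritten a few lines earlier (`echo $line >> $FAILLOCK_CONF` or the `sed ... fail_interval\s*=` substitution), so an aborted run leaves faillock.conf changed while the report says the remediation was not applied. The same integrity check already runs at the top of this script (previous hunk), so either drop the inner one or move the faillock.conf write after the loop. Also, `echo $line >> $FAILLOCK_CONF` appends without checking that the file ends in a newline; the pwquality remediations later in this patch guard this with `tail -c 1`, and the same guard belongs here, otherwise `fail_interval = N` can be glued onto the previous last line and silently ignored.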
@@ -38534,6 +38444,45 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Do Not Show System Messages When Unsuccessful Logon Attempts Occur + This rule ensures the system prevents informative messages from being presented to the user +pertaining to logon information after a number of incorrect login attempts using +pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file. + CCI-002238 + CCI-000044 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + RHEL-08-020018 + RHEL-08-020019 + SV-230340r627750_rule + SV-230341r743978_rule + The pam_faillock module without the silent option will leak information about the existence or +non-existence of a user account in the system because the failures are not recorded for unknown +users. The message about the user account being locked is never displayed for non-existing user +accounts allowing the adversary to infer that a particular account exists or not on the system. + + CCE-87096-4 - name: Gather the package facts package_facts: manager: auto 
@@ -38764,6 +38713,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*silent" + line="silent" + if ! grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + fi +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! grep -qE '^\s*auth.*pam_faillock\.so\s*preauth.*silent' "$pam_file"; then + sed -i --follow-symlinks '/^\s*auth.*pam_faillock\.so.*preauth/ s/$/ silent/' "$pam_file" + fi + done +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
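Review bot: in the non-authselect branch, `sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"` is the only in-place edit in this hunk that runs without `--follow-symlinks`. On hosts where `/etc/pam.d/system-auth` or `password-auth` is a symlink (the authconfig layout, which is exactly the case this branch serves), `sed -i` replaces the symlink with a regular file and the `-ac` target stops being used. Add `--follow-symlinks` to match the surrounding `sed -i --follow-symlinks` calls.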
@@ -38871,114 +38871,6 @@ access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. CCE-80670-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_unlock_time='' - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*unlock_time\s*=" - line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" - if ! 
grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -39678,6 +39570,114 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_accounts_passwords_pam_faillock_unlock_time='' + + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." +exit 1 +fi +authselect enable-feature with-faillock + +authselect apply-changes -b +else + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") +for pam_file in "${AUTH_FILES[@]}" +do + if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" + sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" + fi + sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" +done + +fi + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +FAILLOCK_CONF="/etc/security/faillock.conf" +if [ -f $FAILLOCK_CONF ]; then + regex="^\s*unlock_time\s*=" + line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" + if ! 
grep -q $regex $FAILLOCK_CONF; then + echo $line >> $FAILLOCK_CONF + else + sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF + fi + for pam_file in "${AUTH_FILES[@]}" + do + if [ -e "$pam_file" ] ; then + PAM_FILE_PATH="$pam_file" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "$pam_file") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + + if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi + else + echo "$pam_file was not found" >&2 + fi + done +else + for pam_file in "${AUTH_FILES[@]}" + do + if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + else + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" + fi + done +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
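Review bot: `ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')` scrapes the human-readable output of `authselect current` (skip two header lines, take the second column of the `- feature` bullets), which breaks as soon as that layout changes. The script already reads the machine-readable form for the profile name with `CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')`, and the same raw line carries the enabled features as the remaining fields, so `authselect current -r | awk '{ $1=""; print }'` yields them without depending on formatting. This applies to the `custom/*` profile block in this hunk and to the identical block in the fail_interval hunk earlier in the patch.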
@@ -39937,42 +39937,6 @@ Requiring digits makes password guessing attacks more difficult by ensuring a la search space. CCE-80653-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_dcredit='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80653-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40020,6 +39984,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_dcredit='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80653-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
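Review bot: `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` only escapes `/` before the value is spliced into the replacement side of `sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi"`; `&` (re-inserts the matched text) and `\` are still interpreted by sed. That is harmless for a numeric `dcredit`, but this block is the shared template reused for every pwquality key in this patch, so escape all three at once, e.g. `sed -e 's/[\/&\\]/\\&/g'`.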
@@ -40052,42 +40052,6 @@ password is compromised. Passwords with dictionary words may be more vulnerable to password-guessing attacks. CCE-86233-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_dictcheck='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-86233-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40131,6 +40095,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_dictcheck='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-86233-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40220,42 +40220,6 @@ newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. CCE-80654-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_difok='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^difok") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_difok" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80654-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40301,6 +40265,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_difok='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^difok") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_difok" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80654-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40328,28 +40328,6 @@ complex. A manual process for account management functions adds the risk of a po oversight or other error. CCE-83364-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/security/pwquality.conf" ] ; then - - LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf" -else - touch "/etc/security/pwquality.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/security/pwquality.conf" - -cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" -# Insert at the end of the file -printf '%s\n' "local_users_only" >> "/etc/security/pwquality.conf" -# Clean up after ourselves. -rm "/etc/security/pwquality.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -40379,6 +40357,28 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/security/pwquality.conf" ] ; then + + LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf" +else + touch "/etc/security/pwquality.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/security/pwquality.conf" + +cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" +# Insert at the end of the file +printf '%s\n' "local_users_only" >> "/etc/security/pwquality.conf" +# Clean up after ourselves. +rm "/etc/security/pwquality.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
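Review bot: `cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak"` followed two lines later by `rm "/etc/security/pwquality.conf.bak"` creates a backup that is never consulted and then deletes it, so the block offers no rollback, and the unconditional `rm` would also remove a `pwquality.conf.bak` an administrator had left there on purpose. Either drop both lines or keep the backup. The same pair appears in the `enforce_for_root` hunks that follow.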
@@ -40420,28 +40420,6 @@ password. The more complex the password, the greater the number of possible comb that need to be tested before the password is compromised. CCE-83377-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/security/pwquality.conf" ] ; then - - LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf" -else - touch "/etc/security/pwquality.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/security/pwquality.conf" - -cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" -# Insert at the end of the file -printf '%s\n' "enforce_for_root" >> "/etc/security/pwquality.conf" -# Clean up after ourselves. -rm "/etc/security/pwquality.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -40477,6 +40455,28 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/security/pwquality.conf" ] ; then + + LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf" +else + touch "/etc/security/pwquality.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/security/pwquality.conf" + +cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" +# Insert at the end of the file +printf '%s\n' "enforce_for_root" >> "/etc/security/pwquality.conf" +# Clean up after ourselves. +rm "/etc/security/pwquality.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40578,42 +40578,6 @@ Requiring a minimum number of lowercase characters makes password guessing attac more difficult by ensuring a larger search space. CCE-80655-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_lcredit='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80655-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40661,6 +40625,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_lcredit='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80655-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
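Review bot: `var_password_pam_lcredit=''` in the block added at @@ -40661 reads as an empty assignment in this rendering; if the XCCDF value substitution is not carried into the published script, `formatted_output` becomes `lcredit = ` and both the `sed` and the `printf` branch write a key with no value into /etc/security/pwquality.conf, so the published datastream should be checked for the substitution. In the same lines, `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` escapes only `/` before the string is used as a `sed` replacement, so a value containing `&` or `\` would be interpreted by `sed`; harmless for the integer credit values these rules set, but worth hardening since the helper is shared. The maxclassrepeat, maxrepeat, minclass, minlen and ucredit hunks below move the identical helper and carry the same two points.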
@@ -40742,42 +40742,6 @@ more complex a password, the greater the number of possible combinations that ne password is compromised. CCE-81034-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_maxclassrepeat='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxclassrepeat") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxclassrepeat" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-81034-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40822,6 +40786,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_maxclassrepeat='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxclassrepeat") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxclassrepeat" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-81034-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -40904,42 +40904,6 @@ password is compromised. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. CCE-82066-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_maxrepeat='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxrepeat") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxrepeat" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-82066-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -40981,6 +40945,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_maxrepeat='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxrepeat") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxrepeat" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-82066-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -41091,42 +41091,6 @@ Requiring a minimum number of character categories makes password guessing attac by ensuring a larger search space. CCE-82046-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_minclass='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-82046-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -41170,6 +41134,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_minclass='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-82046-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -41271,42 +41271,6 @@ helps to exponentially increase the time and/or resources required to compromise the password. CCE-80656-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_minlen='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80656-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -41356,6 +41320,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_minlen='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80656-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -41458,6 +41458,50 @@ Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. CCE-80663-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80663-8 + - DISA-STIG-RHEL-08-020280 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_ocredit # promote to variable + set_fact: + var_password_pam_ocredit: !!str + tags: + - always + +- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters - Ensure + PAM variable ocredit is set accordingly + ansible.builtin.lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ocredit + line: ocredit = {{ var_password_pam_ocredit }} + when: '"pam" in ansible_facts.packages' + tags: + - CCE-80663-8 + - DISA-STIG-RHEL-08-020280 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then 
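Review bot: in the Ansible task added at @@ -41458, `regexp: ^#?\s*ocredit` matches a commented default such as `# ocredit = 0` and rewrites it in place, whereas the bash remediation for the same rule (`grep -q -m 1 -i -e "^ocredit\\>"`) treats a commented line as absent and appends a new `ocredit = ...` line, so the two remediations for CCE-80663-8 leave the file in different shapes (uncommented default versus commented default plus an appended override). Both yield the effective setting, but aligning the match rule, for instance `regexp: ^\s*ocredit\b` in the task, would make the results consistent and also avoids the unanchored prefix match. The `set_fact` line `var_password_pam_ocredit: !!str` likewise depends on the XCCDF value substitution being present in the published datastream.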
@@ -41493,50 +41537,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80663-8 - - DISA-STIG-RHEL-08-020280 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_ocredit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy -- name: XCCDF Value var_password_pam_ocredit # promote to variable - set_fact: - var_password_pam_ocredit: !!str - tags: - - always - -- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters - Ensure - PAM variable ocredit is set accordingly - ansible.builtin.lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*ocredit - line: ocredit = {{ var_password_pam_ocredit }} - when: '"pam" in ansible_facts.packages' - tags: - - CCE-80663-8 - - DISA-STIG-RHEL-08-020280 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_ocredit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -41562,68 +41562,6 @@ Edit the password section in makes the system less prone to dictionary attacks. CCE-85877-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwquality.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwquality.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^account.*required.*pam_permit\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwquality.so' "$PAM_FILE_PATH" - else - echo 'password '"requisite"' pam_pwquality.so' >> "$PAM_FILE_PATH" - fi - fi -fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -41883,32 +41821,11 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Ensure PAM password complexity module is enabled in system-auth - To enable PAM password complexity in system-auth file: -Edit the password section in -/etc/pam.d/system-auth to show -password requisite pam_pwquality.so. - CCI-000366 - SRG-OS-000480-GPOS-00227 - RHEL-08-020101 - SV-251713r902740_rule - Enabling PAM password complexity permits to enforce strong passwords and consequently -makes the system less prone to dictionary attacks. - - CCE-85872-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" +if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then @@ -41935,7 +41852,7 @@ if [ -e "/etc/pam.d/system-auth" ] ; then authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b 
@@ -41959,13 +41876,34 @@ fi authselect apply-changes -b fi else - echo "/etc/pam.d/system-auth was not found" >&2 + echo "/etc/pam.d/password-auth was not found" >&2 fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure PAM password complexity module is enabled in system-auth + To enable PAM password complexity in system-auth file: +Edit the password section in +/etc/pam.d/system-auth to show +password requisite pam_pwquality.so. + CCI-000366 + SRG-OS-000480-GPOS-00227 + RHEL-08-020101 + SV-251713r902740_rule + Enabling PAM password complexity permits to enforce strong passwords and consequently +makes the system less prone to dictionary attacks. + + CCE-85872-0 - name: Gather the package facts package_facts: manager: auto 
@@ -42225,135 +42163,11 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - To configure the number of retry prompts that are permitted per-session: - -Edit the /etc/security/pwquality.conf to include - -retry=, or a lower value if site -policy is more restrictive. The DoD requirement is a maximum of 3 prompts -per session. - 1 - 11 - 12 - 15 - 16 - 3 - 5 - 9 - 5.5.3 - BAI10.01 - BAI10.02 - BAI10.03 - BAI10.05 - DSS05.04 - DSS05.05 - DSS05.07 - DSS05.10 - DSS06.03 - DSS06.10 - CCI-000192 - CCI-000366 - 4.3.3.2.2 - 4.3.3.5.1 - 4.3.3.5.2 - 4.3.3.6.1 - 4.3.3.6.2 - 4.3.3.6.3 - 4.3.3.6.4 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.3.6.9 - 4.3.3.7.2 - 4.3.3.7.4 - 4.3.4.3.2 - 4.3.4.3.3 - SR 1.1 - SR 1.10 - SR 1.2 - SR 1.3 - SR 1.4 - SR 1.5 - SR 1.7 - SR 1.8 - SR 1.9 - SR 2.1 - SR 7.6 - A.12.1.2 - A.12.5.1 - A.12.6.2 - A.14.2.2 - A.14.2.3 - A.14.2.4 - A.18.1.4 - A.7.1.1 - A.9.2.1 - A.9.2.2 - A.9.2.3 - A.9.2.4 - A.9.2.6 - A.9.3.1 - A.9.4.2 - A.9.4.3 - CM-6(a) - AC-7(a) - IA-5(4) - PR.AC-1 - PR.AC-6 - PR.AC-7 - PR.IP-1 - FMT_MOF_EXT.1 - SRG-OS-000069-GPOS-00037 - SRG-OS-000480-GPOS-00227 - RHEL-08-020104 - 5.5.1 - SV-251716r858737_rule - Setting the password retry prompts that are permitted on a per-session basis to a low value -requires some software, such as SSH, to re-connect. This can slow down and -draw additional attention to some types of password-guessing attacks. Note that this -is different from account lockout, which is provided by the pam_faillock module. - - CCE-80664-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then -var_password_pam_retry='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. 
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^retry") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_retry" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80664-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - - if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" +if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" if [ -f /usr/bin/authselect ]; then if ! authselect check; then 
@@ -42380,59 +42194,24 @@ fi authselect apply-changes -b --backup=after-hardening-custom-profile fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b fi - -if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" -fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - - if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile + if ! 
grep -qP '^\s*password\s+'"requisite"'\s+pam_pwquality.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwquality.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH" + else + LAST_MATCH_LINE=$(grep -nP "^account.*required.*pam_permit\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) + if [ ! -z $LAST_MATCH_LINE ]; then + sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwquality.so' "$PAM_FILE_PATH" + else + echo 'password '"requisite"' pam_pwquality.so' >> "$PAM_FILE_PATH" fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b fi - -if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then 
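Review bot: in the block added at @@ -42380, `if [ ! -z $LAST_MATCH_LINE ]; then` leaves the variable unquoted; when the preceding `grep -nP "^account.*required.*pam_permit\.so"` finds nothing the test degenerates to `[ ! -z ]`, which only behaves correctly by accident of the two-argument form of `test`. Suggest `if [ -n "$LAST_MATCH_LINE" ]; then`. The same hunk also passes `$CURRENT_PROFILE` and `$feature` unquoted to `authselect`, which should be quoted for consistency with the rest of the script. The fallback placement is sound: inserting `password requisite pam_pwquality.so` directly after the last `account required pam_permit.so` line makes it the first entry of the password stack, so the requisite check runs before pam_unix; when no anchor line exists the line is appended at the end of the file, which PAM still honours because ordering only matters within a stack type.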
@@ -42446,6 +42225,105 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + To configure the number of retry prompts that are permitted per-session: + +Edit the /etc/security/pwquality.conf to include + +retry=, or a lower value if site +policy is more restrictive. The DoD requirement is a maximum of 3 prompts +per session. + 1 + 11 + 12 + 15 + 16 + 3 + 5 + 9 + 5.5.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + CCI-000192 + CCI-000366 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 7.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + CM-6(a) + AC-7(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + PR.IP-1 + FMT_MOF_EXT.1 + SRG-OS-000069-GPOS-00037 + SRG-OS-000480-GPOS-00227 + RHEL-08-020104 + 5.5.1 + SV-251716r858737_rule + Setting the password retry prompts that are permitted on a per-session basis to a low value +requires some software, such as SSH, to re-connect. This can slow down and +draw additional attention to some types of password-guessing attacks. Note that this +is different from account lockout, which is provided by the pam_faillock module. + + CCE-80664-6 - name: Gather the package facts package_facts: manager: auto 
@@ -42904,6 +42782,128 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_retry='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^retry") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_retry" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80664-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + + if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
+ exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + +if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" +fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/password-auth was not found" >&2 +fi + + if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + +if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" +fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/system-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
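Review bot: the exit status of `authselect create-profile hardening -b $CURRENT_PROFILE` is not checked in either the password-auth or the system-auth block of this hunk, so when `custom/hardening` already exists from an earlier run with a different base profile, the script still goes on to `authselect select $CURRENT_PROFILE` and `authselect enable-feature $feature` against a profile it did not create. Abort on failure the way the `authselect check` branch does (`authselect create-profile hardening -b "$CURRENT_PROFILE" || exit 1`), and quote `$CURRENT_PROFILE` and `$feature` in the authselect calls.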
@@ -43004,42 +43004,6 @@ complex the password, the greater the number of possible combinations that need the password is compromised. CCE-80665-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_ucredit='' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="CCE-80665-3" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -43085,6 +43049,42 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_ucredit='' + + + + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" +else + if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" + fi + cce="CCE-80665-3" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" + printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
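Review bot: the block added in `@@ -43085,6 +43049,42 @@` is byte-for-byte the block removed in the preceding hunk (`@@ -43004,42 +43004,6 @@`); the only change is that the bash fix for CCE-80665-3 now follows the Ansible fix instead of preceding it. The same swap repeats for every rule in this section, which points to the build emitting a rule's fix elements in nondeterministic order. Sorting fixes by system identifier at build time would stop each automated publish from rewriting the whole datastream and would make these diffs reviewable.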
@@ -43180,26 +43180,6 @@ of a strong hashing algorithm that makes password cracking attacks more difficult. CCE-80891-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q libuser; then - -LIBUSER_CONF="/etc/libuser.conf" -CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' - -# Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512. -# If it isn't here, then add it to [defaults] section. -if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then - sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF -elif grep -qs "\[defaults]" $LIBUSER_CONF ; then - sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF -else - echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -43243,6 +43223,26 @@ fi - no_reboot_needed - restrict_strategy - set_password_hashing_algorithm_libuserconf + + # Remediation is applicable only in certain platforms +if rpm --quiet -q libuser; then + +LIBUSER_CONF="/etc/libuser.conf" +CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' + +# Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512. +# If it isn't here, then add it to [defaults] section. +if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then + sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF +elif grep -qs "\[defaults]" $LIBUSER_CONF ; then + sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF +else + echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
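Review bot: in the moved libuser block (`@@ -43243,6 +43223,26 @@`) `$CRYPT_STYLE_REGEX` and `$LIBUSER_CONF` are expanded unquoted in `grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF`; the regex contains `*`, `?` and `[`, so the shell applies pathname expansion to it before grep runs, and a matching file name in the working directory would silently replace the pattern. Quote both expansions (`grep -qzosP "$CRYPT_STYLE_REGEX" "$LIBUSER_CONF"`) and do the same in the two `sed -i ... $LIBUSER_CONF` calls and the `echo -e ... >> $LIBUSER_CONF` fallback.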
@@ -43327,23 +43327,6 @@ that are encrypted with a weak algorithm are no more protected than if they are Using a stronger hashing algorithm makes password cracking attacks more difficult. CCE-80892-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_password_hashing_algorithm='' - - -if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then - sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs -else - echo "" >> /etc/login.defs - echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -43393,6 +43376,23 @@ fi - no_reboot_needed - restrict_strategy - set_password_hashing_algorithm_logindefs + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_password_hashing_algorithm='' + + +if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then + sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs +else + echo "" >> /etc/login.defs + echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
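Review bot: in the moved login.defs block (`@@ -43393,6 +43376,23 @@`) the presence test `grep --silent ^ENCRYPT_METHOD /etc/login.defs` accepts any separator after the keyword, but the rewrite `sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g"` only matches a single literal space. A tab-separated `ENCRYPT_METHOD	MD5` line, which login.defs permits, takes the first branch and is left untouched, and there is no fallback append. Use `[[:space:]]\+` in the sed pattern (`s/^ENCRYPT_METHOD[[:space:]]\+.*/ENCRYPT_METHOD .../`) so both commands agree on what counts as a setting line.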
@@ -43496,67 +43496,6 @@ of a strong hashing algorithm that makes password cracking attacks more difficult. CCE-85945-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -43853,6 +43792,67 @@ fi - medium_severity - no_reboot_needed - set_password_hashing_algorithm_passwordauth + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/password-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
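Review bot: when the `grep -cP` count of `pam_unix.so` lines in the password stack is not exactly one, the fallback `echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH"` appends the entry at the very end of the file. PAM evaluates a stack in file order, so a line placed after the terminating modules of the password section (or after the session section) is never reached, while the existing `pam_unix.so` lines keep whatever algorithm they had. Either insert the new line directly after the last existing `password ... pam_unix.so` entry, or treat the zero-or-many case as an error and exit with a message, as the `authselect check` branch does.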
@@ -43956,67 +43956,6 @@ of a strong hashing algorithm that makes password cracking attacks more difficult. CCE-80893-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/system-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -44311,6 +44250,67 @@ fi - medium_severity - no_reboot_needed - set_password_hashing_algorithm_systemauth + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/system-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -44343,23 +44343,6 @@ they are kept in plain text. Using more hashing rounds makes password cracking attacks more difficult. CCE-89707-4 - -if [ -e "/etc/login.defs" ] ; then - - LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs" -else - printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2 - return 1 -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/login.defs" - -cp "/etc/login.defs" "/etc/login.defs.bak" -# Insert at the end of the file -printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs" -# Clean up after ourselves. -rm "/etc/login.defs.bak" - - name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS has Minimum Value of 5000 ansible.builtin.replace: 
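Review bot: in the system-auth block (`@@ -44311,6 +44250,67 @@`) the option check `grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b'` only verifies that `sha512` is present; when it is missing, `sed ... s/$/ sha512/` appends it without removing a competing `md5`, `sha256` or `blowfish` option that may already be on the same line, so the remediated line can carry two hashing algorithms. Strip the other algorithm keywords from the matched line before appending `sha512` so the result is unambiguous.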
@@ -44393,6 +44376,23 @@ rm "/etc/login.defs.bak" - no_reboot_needed - restrict_strategy - set_password_hashing_min_rounds_logindefs + + +if [ -e "/etc/login.defs" ] ; then + + LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs" +else + printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2 + return 1 +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/login.defs" + +cp "/etc/login.defs" "/etc/login.defs.bak" +# Insert at the end of the file +printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs" +# Clean up after ourselves. +rm "/etc/login.defs.bak" @@ -44464,26 +44464,17 @@ access when the system is rebooted. [customizations.services] disabled = ["debug-shell"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'debug-shell.service' -"$SYSTEMCTL_EXEC" disable 'debug-shell.service' -"$SYSTEMCTL_EXEC" mask 'debug-shell.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files debug-shell.socket; then - "$SYSTEMCTL_EXEC" stop 'debug-shell.socket' - "$SYSTEMCTL_EXEC" mask 'debug-shell.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - enabled: false + name: debug-shell.service include disable_debug-shell 
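Review bot: the moved SHA_CRYPT_MIN_ROUNDS block (`@@ -44393,6 +44376,23 @@`) uses `return 1` in its `else` branch, but this code runs at the top level of a script, not inside a function; bash reports `return: can only 'return' from a function or sourced script` and keeps going, so `sed -i -e '$a\' "/etc/login.defs"`, the `cp` and the `printf ... >> "/etc/login.defs"` still execute against the path that was just reported missing (and the `>>` creates it). Replace `return 1` with `exit 1`. The `cp "/etc/login.defs" "/etc/login.defs.bak"` immediately followed by `rm "/etc/login.defs.bak"` also does nothing useful and can be dropped, and unlike the other login.defs fix in this section this block has no `rpm --quiet -q shadow-utils` applicability guard.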
@@ -44564,17 +44555,26 @@ class disable_debug-shell { - no_reboot_needed - service_debug-shell_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - enabled: false - name: debug-shell.service + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'debug-shell.service' +"$SYSTEMCTL_EXEC" disable 'debug-shell.service' +"$SYSTEMCTL_EXEC" mask 'debug-shell.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files debug-shell.socket; then + "$SYSTEMCTL_EXEC" stop 'debug-shell.socket' + "$SYSTEMCTL_EXEC" mask 'debug-shell.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
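Review bot: the two fixes swapped in this hunk are not equivalent: the bash fix stops, disables and masks `debug-shell.service` and additionally masks `debug-shell.socket`, while the MachineConfig only sets `enabled: false` on `debug-shell.service`, which leaves the unit startable by hand or through the socket. Ignition systemd units support `mask: true` (the ctrl-alt-del MachineConfig later in this diff uses exactly that); use it for the service here and add a matching entry for `debug-shell.socket`, so both remediations reach the same end state.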
@@ -44673,34 +44673,20 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. CCE-80784-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^CtrlAltDelBurstAction=") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s=%s" "$stripped_key" "none" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf" -else - if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf" - fi - cce="CCE-80784-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf" - printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,CtrlAltDelBurstAction%3Dnone + mode: 0644 + path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf + overwrite: true - name: Gather the package facts package_facts: 
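Review bot: the MachineConfig introduced in this hunk writes `/etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf` with the bare content `CtrlAltDelBurstAction=none` (from `source: data:,CtrlAltDelBurstAction%3Dnone`) and no `[Manager]` section header. systemd's config parser ignores assignments that appear outside a section, so this drop-in has no effect and the setting stays at its default; the bash variant avoids the problem only because it appends to `/etc/systemd/system.conf`, where the `[Manager]` header precedes everything. Encode the header into the data URL: `source: data:,%5BManager%5D%0ACtrlAltDelBurstAction%3Dnone`.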
@@ -44743,20 +44729,34 @@ fi - low_disruption - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,CtrlAltDelBurstAction%3Dnone - mode: 0644 - path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^CtrlAltDelBurstAction=") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s=%s" "$stripped_key" "none" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf" +else + if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf" + fi + cce="CCE-80784-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf" + printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
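Review bot: in the moved bash block the existence test `grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>"` can never match: `\>` asserts the end of a word, which needs a word character immediately before it, and `=` is not one. The replace branch is therefore unreachable, and every run appends another `# Per CCE-80784-2 ...` comment plus a `CtrlAltDelBurstAction=none` line to `/etc/systemd/system.conf`. The other keys fed to this template in the section (`^retry`, `^ucredit`) end in a word character, so it works for them; for keys that carry their own `=`, drop the trailing `\>` from both the grep and the `sed -i ... "s/^CtrlAltDelBurstAction=\\>.*/..."` pattern, since `^CtrlAltDelBurstAction=` is already unambiguous.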
@@ -44853,15 +44853,17 @@ can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. CCE-80785-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -systemctl disable --now ctrl-alt-del.target -systemctl mask --now ctrl-alt-del.target - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ctrl-alt-del.target + mask: true - name: Disable Ctrl-Alt-Del Reboot Activation systemd: @@ -44883,17 +44885,15 @@ fi - low_disruption - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ctrl-alt-del.target - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +systemctl disable --now ctrl-alt-del.target +systemctl mask --now ctrl-alt-del.target + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -45007,40 +45007,6 @@ It is also required to change the runtime configuration, run: or other services, weakening system security. CCE-80826-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -# Verify that Interactive Boot is Disabled in /etc/default/grub -CONFIRM_SPAWN_YES="systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)" -CONFIRM_SPAWN_NO="systemd.confirm_spawn=no" - -if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub -then - sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub -fi - -# make sure GRUB_DISABLE_RECOVERY=true -if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then - # modify the GRUB command-line if an GRUB_DISABLE_RECOVERY= arg already exists - sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' /etc/default/grub -else - # no GRUB_DISABLE_RECOVERY=arg is present, append it to file - echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -fi - - - -# Remove 'systemd.confirm_spawn' kernel argument also from runtime settings -/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" - - -#Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn -grub2-mkconfig -o /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -45135,6 +45101,40 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +# Verify that Interactive Boot is Disabled in /etc/default/grub +CONFIRM_SPAWN_YES="systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)" +CONFIRM_SPAWN_NO="systemd.confirm_spawn=no" + +if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub +then + sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub +fi + +# make sure GRUB_DISABLE_RECOVERY=true +if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then + # modify the GRUB command-line if an GRUB_DISABLE_RECOVERY= arg already exists + sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' /etc/default/grub +else + # no GRUB_DISABLE_RECOVERY=arg is present, append it to file + echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' +fi + + + +# Remove 'systemd.confirm_spawn' kernel argument also from runtime settings +/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" + + +#Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn +grub2-mkconfig -o /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
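Review bot: the substitution `sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub` with `CONFIRM_SPAWN_YES="systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)"` mishandles values it does not list: for an existing `systemd.confirm_spawn=no` (or `=0`) the first alternative fails, the `\b` alternative matches the boundary before `=`, and the line becomes `systemd.confirm_spawn=no=no` (`systemd.confirm_spawn=no=0`). Since the script already strips the argument from the installed kernels with `grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"`, deleting the whole `systemd.confirm_spawn[=...]` token from `GRUB_CMDLINE_LINUX*` would be simpler and idempotent. Separately, `grub2-mkconfig -o /boot/grub2/grub.cfg` hardcodes the BIOS path; on UEFI RHEL 8 installs the generated configuration lives under `/boot/efi/EFI/redhat/grub.cfg`, so the `GRUB_DISABLE_RECOVERY=true` change would not reach the boot menu there.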
@@ -45255,32 +45255,6 @@ session enabled on the console or console port that has been let unattended. CCE-90784-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) || grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; }; then - -var_logind_session_timeout='' - - - -# Try find '[Login]' and 'StopIdleSessionSec' in '/etc/systemd/logind.conf', if it exists, set -# to '$var_logind_session_timeout', if it isn't here, add it, if '[Login]' doesn't exist, add it there -if grep -qzosP '[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec' '/etc/systemd/logind.conf'; then - - sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/" '/etc/systemd/logind.conf' -elif grep -qs '[[:space:]]*\[Login]' '/etc/systemd/logind.conf'; then - sed -i "/[[:space:]]*\[Login]/a StopIdleSessionSec=$var_logind_session_timeout" '/etc/systemd/logind.conf' -else - if test -d "/etc/systemd"; then - printf '%s\n' '[Login]' "StopIdleSessionSec=$var_logind_session_timeout" >> '/etc/systemd/logind.conf' - else - echo "Config file directory '/etc/systemd' doesnt exist, not remediating, assuming non-applicability." 
>&2 - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logind_session_timeout # promote to variable set_fact: var_logind_session_timeout: !!str 
@@ -45321,6 +45295,32 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) || grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; }; then + +var_logind_session_timeout='' + + + +# Try find '[Login]' and 'StopIdleSessionSec' in '/etc/systemd/logind.conf', if it exists, set +# to '$var_logind_session_timeout', if it isn't here, add it, if '[Login]' doesn't exist, add it there +if grep -qzosP '[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec' '/etc/systemd/logind.conf'; then + + sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/" '/etc/systemd/logind.conf' +elif grep -qs '[[:space:]]*\[Login]' '/etc/systemd/logind.conf'; then + sed -i "/[[:space:]]*\[Login]/a StopIdleSessionSec=$var_logind_session_timeout" '/etc/systemd/logind.conf' +else + if test -d "/etc/systemd"; then + printf '%s\n' '[Login]' "StopIdleSessionSec=$var_logind_session_timeout" >> '/etc/systemd/logind.conf' + else + echo "Config file directory '/etc/systemd' doesnt exist, not remediating, assuming non-applicability." >&2 + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
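Review bot: neither pattern in the moved StopIdleSessionSec block is anchored to the start of a line: the detection regex `'[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec'` and the rewrite `sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/"` both match a commented-out `#StopIdleSessionSec=...` line, the form in which systemd ships its defaults in logind.conf. On such a file the first branch is taken and the value is edited inside the comment, leaving the setting inactive while the remediation reports success. Anchor both (for the `-z` grep, `(^|\n)[[:space:]]*StopIdleSessionSec`; for sed, `^[[:space:]]*StopIdleSessionSec`) so the commented case falls through to the `elif` branch, which appends an active line after `[Login]`.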
@@ -45457,25 +45457,6 @@ in /usr/lib/systemd/system/emergency.service. CCE-82186-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -service_file="/usr/lib/systemd/system/emergency.service" - - -sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" - - -if grep "^ExecStart=.*" "$service_file" ; then - sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" -else - echo "ExecStart=-$sulogin" >> "$service_file" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Require emergency mode password lineinfile: create: true @@ -45497,6 +45478,25 @@ fi - no_reboot_needed - require_emergency_target_auth - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +service_file="/usr/lib/systemd/system/emergency.service" + + +sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" + + +if grep "^ExecStart=.*" "$service_file" ; then + sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" +else + echo "ExecStart=-$sulogin" >> "$service_file" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -45642,23 +45642,6 @@ in /usr/lib/systemd/system/rescue.service. CCE-80855-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -service_file="/usr/lib/systemd/system/rescue.service" - -sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" - -if grep "^ExecStart=.*" "$service_file" ; then - sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" -else - echo "ExecStart=-$sulogin" >> "$service_file" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Require single user mode password lineinfile: create: true 
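Review bot: both the emergency.service and rescue.service fixes edit package-owned unit files in place (`service_file="/usr/lib/systemd/system/emergency.service"` followed by `sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"`), so the next systemd package update replaces the file and silently drops the sulogin requirement. A drop-in under /etc/systemd/system/emergency.service.d/ (and rescue.service.d/) that clears and then resets ExecStart= survives upgrades and is the supported way to override a vendor unit. Two smaller points in the same blocks: `grep "^ExecStart=.*" "$service_file"` has no `-q`, so the matched line is echoed into the remediation output, and the fallback `echo "ExecStart=-$sulogin" >> "$service_file"` appends at the end of the file with nothing guaranteeing that the line lands in the [Service] section. The removed and re-added text is identical, so this is a move of the bash fix below the Ansible task rather than a functional change.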
@@ -45680,6 +45663,23 @@ fi - no_reboot_needed - require_singleuser_auth - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +service_file="/usr/lib/systemd/system/rescue.service" + +sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" + +if grep "^ExecStart=.*" "$service_file" ; then + sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" +else + echo "ExecStart=-$sulogin" >> "$service_file" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -45766,21 +45766,13 @@ session lock. The tmux package allows for a session lock to be implemented and configured. CCE-80644-8 + +package --add=tmux + [[packages]] name = "tmux" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "tmux" ; then - yum install -y "tmux" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_tmux @@ -45807,8 +45799,16 @@ class install_tmux { - no_reboot_needed - package_tmux_installed - -package --add=tmux + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "tmux" ; then + yum install -y "tmux" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
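Review bot: in the package_tmux_installed block, `yum install -y "tmux"` is run without checking its exit status, so when the install fails (no repository reachable, for instance) the fix still finishes without error and the rule looks remediated; `yum install -y "tmux" || exit 1` would surface the failure to the scanner. The rescue.service fix re-added in the first hunk has the same in-place edit of a package-owned unit under /usr/lib/systemd/system/ noted for emergency.service. The kickstart `package --add=tmux` line moving above the blueprint `[[packages]]` entry is harmless reordering.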
@@ -45837,24 +45837,6 @@ immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. CCE-82266-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then - cat >> /etc/profile.d/tmux.sh <<'EOF' -if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in sshd|login) exec tmux ;; esac -fi -EOF - chmod 0644 /etc/profile.d/tmux.sh -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -45928,6 +45910,24 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then + cat >> /etc/profile.d/tmux.sh <<'EOF' +if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in sshd|login) exec tmux ;; esac +fi +EOF + chmod 0644 /etc/profile.d/tmux.sh +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
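Review bot: the idempotency check in the CCE-82266-8 fix inspects the wrong file: it runs `grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc` but then writes the snippet to /etc/profile.d/tmux.sh with `cat >> /etc/profile.d/tmux.sh`, so /etc/bashrc never contains the line and every re-run appends another copy of the `if [ "$PS1" ]` block to tmux.sh. Grep the file that is written (or both, as the CCE-90782-4 variant below does with `/etc/bashrc /etc/profile.d/*.sh`), or write the file with `>` instead of `>>` so the result is the same however often the fix runs. The grep's output is also not suppressed with `-q`, so a match is printed into the remediation log.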
@@ -45957,24 +45957,6 @@ immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. CCE-90782-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -if ! grep -x ' case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then - cat >> /etc/profile.d/tmux.sh <<'EOF' -if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) tmux ;; esac -fi -EOF - chmod 0644 /etc/profile.d/tmux.sh -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -46053,6 +46035,24 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +if ! grep -x ' case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then + cat >> /etc/profile.d/tmux.sh <<'EOF' +if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in (sshd|login) tmux ;; esac +fi +EOF + chmod 0644 /etc/profile.d/tmux.sh +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
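Review bot: this fix (CCE-90782-4) and CCE-82266-8 above both append an `if [ "$PS1" ]` block to the same /etc/profile.d/tmux.sh, differing only in `(sshd|login) tmux` versus `sshd|login) exec tmux`, and each rule's `grep -x` only recognises its own line. A profile that selects both rules therefore writes both blocks into one file: with the `exec tmux` block first the second block is dead code, and with the plain `tmux` block first the login shell starts tmux a second time as soon as the user exits or detaches from the first session. Either make the two rules mutually exclusive in the profiles or have each check accept the other rule's line as satisfying the requirement.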
@@ -46080,22 +46080,6 @@ or equal to 900 in /etc/tmux.conf. CCE-82199-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -tmux_conf="/etc/tmux.conf" - -if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then - sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf" -else - echo "set -g lock-after-time 900" >> "$tmux_conf" -fi -chmod 0644 "$tmux_conf" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -46152,6 +46136,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +tmux_conf="/etc/tmux.conf" + +if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then + sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf" +else + echo "set -g lock-after-time 900" >> "$tmux_conf" +fi +chmod 0644 "$tmux_conf" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46186,22 +46186,6 @@ However, the session lock is implemented by an external command. The default configuration does not contain an effective session lock. CCE-80940-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -tmux_conf="/etc/tmux.conf" - -if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then - sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf" -else - echo "set -g lock-command vlock" >> "$tmux_conf" -fi -chmod 0644 "$tmux_conf" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
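Review bot: the configure_tmux_lock_command fix writes `set -g lock-command vlock` into /etc/tmux.conf without checking that a `vlock` binary exists or that its package is installed; the applicability guard only tests `rpm --quiet -q tmux`. If vlock is missing, the command tmux runs fails immediately when `lock-after-time 900` fires or when the user triggers lock-session, and the client stays usable, which is the opposite of what the rule exists for. Gate the fix on `command -v vlock` or pair it with a package rule. In the lock-after-time fix the timeout is hard-coded as `set -g lock-after-time 900` although the rule text allows any value less than or equal to 900; an XCCDF variable, as the logind and login.defs rules in this file already use, would let profiles tighten it.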
@@ -46264,6 +46248,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +tmux_conf="/etc/tmux.conf" + +if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then + sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf" +else + echo "set -g lock-command vlock" >> "$tmux_conf" +fi +chmod 0644 "$tmux_conf" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46290,20 +46290,6 @@ However, the session lock is implemented by an external command. The default configuration does not contain an effective session lock. CCE-86135-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then - -tmux_conf="/etc/tmux.conf" - -if ! grep -qP '^\s*bind\s+\w\s+lock-session' "$tmux_conf" ; then - echo "bind X lock-session" >> "$tmux_conf" -fi -chmod 0644 "$tmux_conf" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -46381,6 +46367,20 @@ fi - low_disruption - low_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then + +tmux_conf="/etc/tmux.conf" + +if ! grep -qP '^\s*bind\s+\w\s+lock-session' "$tmux_conf" ; then + echo "bind X lock-session" >> "$tmux_conf" +fi +chmod 0644 "$tmux_conf" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
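Review bot: the existence check `grep -qP '^\s*bind\s+\w\s+lock-session' "$tmux_conf"` in the lock-session keybinding fix only matches a single-character key: an existing `bind C-x lock-session` (modifier syntax) or the long form `bind-key X lock-session` is not recognised, so the fix appends a duplicate `bind X lock-session` on top of the administrator's binding. Matching `^\s*bind(-key)?\s+\S+\s+lock-session` would cover those spellings.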
@@ -46409,17 +46409,6 @@ automatic session locking. It should not be listed in prevents malicious program running as user from lowering security by disabling the screen lock. CCE-82361-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if grep -q 'tmux\s*$' /etc/shells ; then - sed -i '/tmux\s*$/d' /etc/shells -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig @@ -46434,6 +46423,17 @@ spec: mode: 0644 path: /etc/shells overwrite: true + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if grep -q 'tmux\s*$' /etc/shells ; then + sed -i '/tmux\s*$/d' /etc/shells +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46525,21 +46525,13 @@ providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. CCE-80846-9 + +package --add=opensc + [[packages]] name = "opensc" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "opensc" ; then - yum install -y "opensc" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_opensc @@ -46565,8 +46557,16 @@ class install_opensc { - no_reboot_needed - package_opensc_installed - -package --add=opensc + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "opensc" ; then + yum install -y "opensc" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
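Review bot: `sed -i '/tmux\s*$/d' /etc/shells` in the no_tmux_in_shells fix is anchored only at the end of the line, so it deletes any line whose last token ends in `tmux`, including a comment, rather than only a shell path; `^/.*/tmux\s*$` (used for the preceding `grep -q` as well) restricts the deletion to absolute shell paths. The opensc package block below it is an unchanged move of the bash fix and the kickstart line.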
@@ -46589,21 +46589,13 @@ $ sudo yum install pcsc-lite The pcsc-lite package must be installed if it is to be available for multifactor authentication using smartcards. CCE-80993-9 + +package --add=pcsc-lite + [[packages]] name = "pcsc-lite" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "pcsc-lite" ; then - yum install -y "pcsc-lite" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_pcsc-lite @@ -46628,8 +46620,16 @@ class install_pcsc-lite { - no_reboot_needed - package_pcsc-lite_installed - -package --add=pcsc-lite + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "pcsc-lite" ; then + yum install -y "pcsc-lite" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46670,21 +46670,13 @@ as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. CCE-84029-8 + +package --add=openssl-pkcs11 + [[packages]] name = "openssl-pkcs11" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then - -if ! rpm -q --quiet "openssl-pkcs11" ; then - yum install -y "openssl-pkcs11" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_openssl-pkcs11 @@ -46713,8 +46705,16 @@ class install_openssl-pkcs11 { - medium_severity - no_reboot_needed - -package --add=openssl-pkcs11 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then + +if ! rpm -q --quiet "openssl-pkcs11" ; then + yum install -y "openssl-pkcs11" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
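Review bot: the openssl-pkcs11 fix decides architecture with `grep -q s390x /proc/sys/kernel/osrelease`, i.e. by searching the kernel release string for the arch suffix; that works on Red Hat-built kernels but not on a custom kernel whose release string omits the architecture. `uname -m` (or `rpm --eval '%{_arch}'`) is the direct test and reads the same on every build. The pcsc-lite and openssl-pkcs11 bash fixes are otherwise moved unchanged below the other fix types.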
@@ -46756,18 +46756,6 @@ Access Card. [customizations.services] enabled = ["pcscd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'pcscd.service' -"$SYSTEMCTL_EXEC" start 'pcscd.service' -"$SYSTEMCTL_EXEC" enable 'pcscd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_pcscd @@ -46816,6 +46804,18 @@ class enable_pcscd { - medium_severity - no_reboot_needed - service_pcscd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'pcscd.service' +"$SYSTEMCTL_EXEC" start 'pcscd.service' +"$SYSTEMCTL_EXEC" enable 'pcscd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -46920,22 +46920,6 @@ that provided by a username and password combination. Smart cards leverage PKI Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards. CCE-80766-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smartcard_drivers='' - - -OPENSC_TOOL="/usr/bin/opensc-tool" - -if [ -f "${OPENSC_TOOL}" ]; then - ${OPENSC_TOOL} -S app:default:card_drivers:$var_smartcard_drivers -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smartcard_drivers # promote to variable set_fact: var_smartcard_drivers: !!str 
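Review bot: the service_pcscd_enabled fix runs `"$SYSTEMCTL_EXEC" unmask`, `start` and `enable` for pcscd.service without checking any exit status, so a failed start or enable still leaves the rule reporting success; `systemctl enable --now pcscd.service || exit 1` after the unmask would propagate the failure to the scanner.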
@@ -46998,6 +46982,22 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smartcard_drivers='' + + +OPENSC_TOOL="/usr/bin/opensc-tool" + +if [ -f "${OPENSC_TOOL}" ]; then + ${OPENSC_TOOL} -S app:default:card_drivers:$var_smartcard_drivers +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -47099,22 +47099,6 @@ that provided by a username and password combination. Smart cards leverage PKI Forcing the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards. CCE-80821-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smartcard_drivers='' - - -OPENSC_TOOL="/usr/bin/opensc-tool" - -if [ -f "${OPENSC_TOOL}" ]; then - ${OPENSC_TOOL} -S app:default:force_card_driver:$var_smartcard_drivers -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smartcard_drivers # promote to variable set_fact: var_smartcard_drivers: !!str @@ -47177,6 +47161,22 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smartcard_drivers='' + + +OPENSC_TOOL="/usr/bin/opensc-tool" + +if [ -f "${OPENSC_TOOL}" ]; then + ${OPENSC_TOOL} -S app:default:force_card_driver:$var_smartcard_drivers +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
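Review bot: both smart-card driver fixes (card_drivers and force_card_driver) are silent no-ops that still exit 0 when /usr/bin/opensc-tool is absent: `if [ -f "${OPENSC_TOOL}" ]; then ${OPENSC_TOOL} -S app:default:card_drivers:$var_smartcard_drivers; fi` simply skips the step, so the rule appears remediated without having configured anything. Either make opensc a platform condition, the way the tmux rules use `rpm --quiet -q tmux`, or print the "not applicable" message and return non-zero. The `$var_smartcard_drivers` expansion is also unquoted, so a driver list containing whitespace would be split into extra arguments to opensc-tool.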
@@ -47460,38 +47460,6 @@ Disabling inactive accounts ensures that accounts which may not have been respon Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. CCE-80954-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_account_disable_post_pw_expiration='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd" -else - if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd" - fi - cce="CCE-80954-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd" - printf '%s\n' "$formatted_output" >> "/etc/default/useradd" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -47540,6 +47508,38 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_account_disable_post_pw_expiration='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd" +else + if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd" + fi + cce="CCE-80954-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd" + printf '%s\n' "$formatted_output" >> "/etc/default/useradd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -47927,22 +47927,6 @@ increases the risk of users writing down the password in a convenient location subject to physical compromise. CCE-80647-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_maximum_age_login_defs='' - - -grep -q ^PASS_MAX_DAYS /etc/login.defs && \ - sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ]; then - echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -47991,6 +47975,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_maximum_age_login_defs='' + + +grep -q ^PASS_MAX_DAYS /etc/login.defs && \ + sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ]; then + echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -48080,22 +48080,6 @@ Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. CCE-80648-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_minimum_age_login_defs='' - - -grep -q ^PASS_MIN_DAYS /etc/login.defs && \ - sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ]; then - echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -48140,6 +48124,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_minimum_age_login_defs='' + + +grep -q ^PASS_MIN_DAYS /etc/login.defs && \ + sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ]; then + echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -48242,23 +48242,6 @@ must be carefully weighed against usability problems, support costs, or counterp behavior that may result. CCE-80652-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_password_minlen_login_defs='' - - -grep -q ^PASS_MIN_LEN /etc/login.defs && \ -sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ] -then - echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -48304,6 +48287,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_password_minlen_login_defs='' + + +grep -q ^PASS_MIN_LEN /etc/login.defs && \ +sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ] +then + echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
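Review bot: in the PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_MIN_LEN fixes the existence test is anchored (`grep -q ^PASS_MAX_DAYS /etc/login.defs`) but the replacement is not (`sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g"`), so the sed also rewrites every line that merely mentions the key, including the explanatory comment lines shipped in /etc/login.defs and a commented-out `#PASS_MAX_DAYS`. Anchoring the sed with `^` keeps the change to the active setting and makes the `grep && sed` pair consistent; the PASS_MIN_DAYS and PASS_MIN_LEN blocks use the identical pattern and need the same anchor.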
@@ -48333,16 +48333,6 @@ not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. CCE-82473-0 - -var_accounts_maximum_age_login_defs='' - - -while IFS= read -r i; do - - chage -M $var_accounts_maximum_age_login_defs $i - -done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow) - - name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable set_fact: var_accounts_maximum_age_login_defs: !!str @@ -48387,6 +48377,16 @@ done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+ - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_maximum_age_login_defs='' + + +while IFS= read -r i; do + + chage -M $var_accounts_maximum_age_login_defs $i + +done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow) @@ -48416,16 +48416,6 @@ users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. CCE-82472-2 - -var_accounts_minimum_age_login_defs='' - - -while IFS= read -r i; do - - chage -m $var_accounts_minimum_age_login_defs $i - -done < <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow) - - name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable set_fact: var_accounts_minimum_age_login_defs: !!str 
@@ -48466,6 +48456,16 @@ done < <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+ - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_minimum_age_login_defs='' + + +while IFS= read -r i; do + + chage -m $var_accounts_minimum_age_login_defs $i + +done < <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow) @@ -48493,14 +48493,6 @@ This profile requirement is CCE-86914-9 - -var_accounts_password_warn_age_login_defs='' - - -while IFS= read -r i; do - chage --warndays $var_accounts_password_warn_age_login_defs $i -done < <(awk -v var="$var_accounts_password_warn_age_login_defs" -F: '(($6 < var || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) - - name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable set_fact: var_accounts_password_warn_age_login_defs: !!str @@ -48546,6 +48538,14 @@ done < <(awk -v var="$var_accounts_password_warn_age_login_defs" -F: '(( - low_disruption - medium_severity - no_reboot_needed + + +var_accounts_password_warn_age_login_defs='' + + +while IFS= read -r i; do + chage --warndays $var_accounts_password_warn_age_login_defs $i +done < <(awk -v var="$var_accounts_password_warn_age_login_defs" -F: '(($6 < var || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) @@ -48646,23 +48646,6 @@ The profile requirement is CCE-80671-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_password_warn_age_login_defs='' - - -grep -q ^PASS_WARN_AGE /etc/login.defs && \ -sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs -if ! [ $? -eq 0 ] -then - echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
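Review bot: the account selectors in the chage loops disagree between rules. The max-age and min-age loops pick accounts with `/^[^:]+:[^!*]/` (password field not starting with `!` or `*`), while the warn-days loop uses `$2 ~ /^\$/` (password field beginning with `$`). An account locked with `passwd -l` (hash prefixed by `!`) is skipped by both, but an account with an empty password field or a legacy non-`$` hash is handled by the first selector and not the second, so for the same user the aging fields end up set by some rules and not others. Pick one selector for all four loops, ideally one that also catches locked-but-real accounts so they inherit the policy when unlocked. Quoting `"$i"` and the variable in the `chage -M $var_accounts_maximum_age_login_defs $i` calls would not hurt either.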
@@ -48708,6 +48691,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_password_warn_age_login_defs='' + + +grep -q ^PASS_WARN_AGE /etc/login.defs && \ +sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs +if ! [ $? -eq 0 ] +then + echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -48800,14 +48800,6 @@ to be automatically disabled by running the following command: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies. CCE-86758-0 - -var_account_disable_post_pw_expiration='' - - -while IFS= read -r i; do - chage --inactive $var_account_disable_post_pw_expiration $i -done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) - - name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable set_fact: var_account_disable_post_pw_expiration: !!str @@ -48854,6 +48846,14 @@ done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 - medium_severity - no_reboot_needed - restrict_strategy + + +var_account_disable_post_pw_expiration='' + + +while IFS= read -r i; do + chage --inactive $var_account_disable_post_pw_expiration $i +done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) 
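Review bot: `sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g"` has the same unanchored pattern as the other login.defs fixes, so it rewrites the comment lines that mention PASS_WARN_AGE as well as the setting; anchor it with `^`. In the account-inactivity loop, `($7 > var || $7 == "") && $2 ~ /^\$/` again excludes accounts whose hash is locked with a `!` prefix, which are exactly the ones most likely to be stale; selecting on the same criterion as the max-age loop would apply the inactivity limit to them too.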
@@ -49028,73 +49028,6 @@ but requires more CPU resources to authenticate users. Using a higher number of rounds makes password cracking attacks more difficult. CCE-83403-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_unix_rounds='' - - - -if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -49386,6 +49319,73 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_unix_rounds='' + + + +if [ -e "/etc/pam.d/password-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/password-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" + else + sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/password-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -49412,72 +49412,6 @@ but requires more CPU resources to authenticate users. Using a higher number of rounds makes password cracking attacks more difficult. CCE-83386-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_unix_rounds='' - - -if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" - else - echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/system-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -49769,6 +49703,72 @@ fi - medium_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_password_pam_unix_rounds='' + + +if [ -e "/etc/pam.d/system-auth" ] ; then + PAM_FILE_PATH="/etc/pam.d/system-auth" + if [ -f /usr/bin/authselect ]; then + + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + + CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') + # If not already in use, a custom profile is created preserving the enabled features. + if [[ ! $CURRENT_PROFILE == custom/* ]]; then + ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') + authselect create-profile hardening -b $CURRENT_PROFILE + CURRENT_PROFILE="custom/hardening" + + authselect apply-changes -b --backup=before-hardening-custom-profile + authselect select $CURRENT_PROFILE + for feature in $ENABLED_FEATURES; do + authselect enable-feature $feature; + done + + authselect apply-changes -b --backup=after-hardening-custom-profile + fi + PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") + PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" + + authselect apply-changes -b + fi + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then + # The control is updated only if one single line matches. 
+ sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH" + else + echo 'password '"sufficient"' pam_unix.so' >> "$PAM_FILE_PATH" + fi + fi + # Check the option + if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\srounds\b' "$PAM_FILE_PATH"; then + sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ rounds='"$var_password_pam_unix_rounds"'/' "$PAM_FILE_PATH" + else + sed -i -E --follow-symlinks 's/(\s*password\s+'"sufficient"'\s+pam_unix.so\s+.*)('"rounds"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_rounds"' \3/' "$PAM_FILE_PATH" + fi + if [ -f /usr/bin/authselect ]; then + + authselect apply-changes -b + fi +else + echo "/etc/pam.d/system-auth was not found" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -49989,43 +49989,25 @@ run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. CCE-80841-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature without-nullok - -authselect apply-changes -b -else - -if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then - sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" -fi - -if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then - sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" -fi - -if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then - sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" -fi - -if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then - sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" -fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + 
ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20p
am_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20o
ptional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A + mode: 0644 + path: /etc/pam.d/password-auth + overwrite: true + - contents: + source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam
_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20require
d%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A + mode: 0644 + path: /etc/pam.d/system-auth + overwrite: true - name: Prevent Login to Accounts With Empty Password - Check if system relies on authselect 
@@ -50155,25 +50137,43 @@ fi - no_empty_passwords - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
0%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20
%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A - mode: 0644 - path: /etc/pam.d/password-auth - overwrite: true - - contents: - source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
0%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20d
efault%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A - mode: 0644 - path: /etc/pam.d/system-auth - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then +echo " +authselect integrity check failed. Remediation aborted! +This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. +It is not recommended to manually edit the PAM files when authselect tool is available. +In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
+exit 1 +fi +authselect enable-feature without-nullok + +authselect apply-changes -b +else + +if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then + sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" +fi + +if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then + sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth" +fi + +if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then + sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" +fi + +if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then + sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth" +fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -50208,20 +50208,6 @@ run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. CCE-85953-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) - -for user_with_empty_pass in "${users_with_empty_pass[@]}" -do - passwd -l $user_with_empty_pass -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Collect users with no password command: | awk -F: '!$2 {print $1}' /etc/shadow 
@@ -50259,6 +50245,20 @@ fi - no_empty_passwords_etc_shadow - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) + +for user_with_empty_pass in "${users_with_empty_pass[@]}" +do + passwd -l $user_with_empty_pass +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -50291,13 +50291,6 @@ entries from a network information service (NIS) should be directly inserted. CCE-83389-7 - -if grep -q '^\+' /etc/group; then -# backup old file to /etc/group- - cp /etc/group /etc/group- - sed -i '/^\+.*$/d' /etc/group -fi - - name: Ensure there are no legacy + NIS entries in /etc/group - Backup the Old /etc/group File ansible.builtin.copy: @@ -50327,6 +50320,13 @@ fi - no_legacy_plus_entries_etc_group - no_reboot_needed - restrict_strategy + + +if grep -q '^\+' /etc/group; then +# backup old file to /etc/group- + cp /etc/group /etc/group- + sed -i '/^\+.*$/d' /etc/group +fi @@ -50343,13 +50343,6 @@ entries from a network information service (NIS) should be directly inserted. CCE-82890-5 - -if grep -q '^\+' /etc/passwd; then -# backup old file to /etc/passwd- - cp /etc/passwd /etc/passwd- - sed -i '/^\+.*$/d' /etc/passwd -fi - - name: Ensure there are no legacy + NIS entries in /etc/passwd - Backup the Old /etc/passwd File ansible.builtin.copy: @@ -50379,6 +50372,13 @@ fi - no_legacy_plus_entries_etc_passwd - no_reboot_needed - restrict_strategy + + +if grep -q '^\+' /etc/passwd; then +# backup old file to /etc/passwd- + cp /etc/passwd /etc/passwd- + sed -i '/^\+.*$/d' /etc/passwd +fi 
@@ -50395,13 +50395,6 @@ entries from a network information service (NIS) should be directly inserted. CCE-84290-6 - -if grep -q '^\+' /etc/shadow; then -# backup old file to /etc/shadow- - cp /etc/shadow /etc/shadow- - sed -i '/^\+.*$/d' /etc/shadow -fi - - name: Ensure there are no legacy + NIS entries in /etc/shadow - Backup the Old /etc/shadow File ansible.builtin.copy: @@ -50431,6 +50424,13 @@ fi - no_legacy_plus_entries_etc_shadow - no_reboot_needed - restrict_strategy + + +if grep -q '^\+' /etc/shadow; then +# backup old file to /etc/shadow- + cp /etc/shadow /etc/shadow- + sed -i '/^\+.*$/d' /etc/shadow +fi @@ -50704,8 +50704,6 @@ guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. CCE-80649-7 - awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l - - name: Get all /etc/passwd file entries getent: database: passwd @@ -50748,6 +50746,8 @@ access to root privileges in an accountable manner. - low_disruption - no_reboot_needed - restrict_strategy + + awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l @@ -50788,23 +50788,6 @@ It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice. CCE-86071-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_pam_wheel_group_for_su='' - - -if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then - groupadd ${var_pam_wheel_group_for_su} -fi - -# group must be empty -gpasswd -M '' ${var_pam_wheel_group_for_su} - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -50856,6 +50839,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_pam_wheel_group_for_su='' + + +if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then + groupadd ${var_pam_wheel_group_for_su} +fi + +# group must be empty +gpasswd -M '' ${var_pam_wheel_group_for_su} + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -50965,14 +50965,20 @@ to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. CCE-80840-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -echo > /etc/securetty - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:, + mode: 0600 + path: /etc/securetty + overwrite: true - name: Direct root Logins Not Allowed copy: @@ -50993,20 +50999,14 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:, - mode: 0600 - path: /etc/securetty - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +echo > /etc/securetty + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51040,15 +51040,6 @@ and nfsnobody has an unlocked password, disable it with t Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system. CCE-86112-0 - -readarray -t systemaccounts < <(awk -F: \ - '($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \ - && $3 != nfsnobody) { print $1 }' /etc/passwd) - -for systemaccount in "${systemaccounts[@]}"; do - usermod -L "$systemaccount" -done - - name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd ansible.builtin.getent: database: passwd @@ -51100,6 +51091,15 @@ done - no_password_auth_for_systemaccounts - no_reboot_needed - restrict_strategy + + +readarray -t systemaccounts < <(awk -F: \ + '($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \ + && $3 != nfsnobody) { print $1 }' /etc/passwd) + +for systemaccount in "${systemaccounts[@]}"; do + usermod -L "$systemaccount" +done @@ -51198,15 +51198,6 @@ system to become inaccessible. Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. CCE-80843-6 - -readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != root \ - && $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \ - { print $1 }' /etc/passwd) - -for systemaccount in "${systemaccounts[@]}"; do - usermod -s /sbin/nologin "$systemaccount" -done - - name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local Users From /etc/passwd ansible.builtin.getent: @@ -51267,6 +51258,15 @@ done - no_reboot_needed - no_shelllogin_for_systemaccounts - restrict_strategy + + +readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != root \ + && $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \ + { print $1 }' /etc/passwd) + +for systemaccount in "${systemaccounts[@]}"; do + usermod -s /sbin/nologin "$systemaccount" +done 
@@ -51350,8 +51350,6 @@ ttyS1 helps ensure accountability for actions taken on the systems using the root account. CCE-80856-8 - sed -i '/ttyS/d' /etc/securetty - - name: Restrict Serial Port Root Logins lineinfile: dest: /etc/securetty @@ -51369,6 +51367,8 @@ using the root account. - no_reboot_needed - restrict_serial_port_logins - restrict_strategy + + sed -i '/ttyS/d' /etc/securetty @@ -51481,8 +51481,6 @@ vc/4 helps ensure accountability for actions taken on the system using the root account. CCE-80864-2 - sed -i '/^vc\//d' /etc/securetty - - name: Restrict Virtual Console Root Logins lineinfile: dest: /etc/securetty @@ -51501,6 +51499,8 @@ using the root account. - no_reboot_needed - restrict_strategy - securetty_root_login_console_only + + sed -i '/^vc\//d' /etc/securetty @@ -51526,16 +51526,6 @@ group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice. CCE-83318-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -# uncomment the option if commented - sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -51562,6 +51552,16 @@ fi - no_reboot_needed - restrict_strategy - use_pam_wheel_for_su + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +# uncomment the option if commented + sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51585,29 +51585,6 @@ It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice. CCE-86064-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_pam_wheel_group_for_su='' - - -PAM_CONF=/etc/pam.d/su - -pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) -if [ -z "$pamstr" ]; then - sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line - sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} -else - group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) - if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then - sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -51644,6 +51621,29 @@ fi - no_reboot_needed - restrict_strategy - use_pam_wheel_group_for_su + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_pam_wheel_group_for_su='' + + +PAM_CONF=/etc/pam.d/su + +pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) +if [ -z "$pamstr" ]; then + sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line + sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} +else + group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) + if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then + sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51723,37 +51723,6 @@ parameter in /etc/login.defs to yes CCE-83789-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -if [ -e "/etc/login.defs" ] ; then - - LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs" -else - touch "/etc/login.defs" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/login.defs" - -cp "/etc/login.defs" "/etc/login.defs.bak" -# Insert before the line matching the regex '^\s*CREATE_HOME'. -line_number="$(LC_ALL=C grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^\s*CREATE_HOME', insert at - # the end of the file. - printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" -else - head -n "$(( line_number - 1 ))" "/etc/login.defs.bak" > "/etc/login.defs" - printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" - tail -n "+$(( line_number ))" "/etc/login.defs.bak" >> "/etc/login.defs" -fi -# Clean up after ourselves. -rm "/etc/login.defs.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -51805,6 +51774,37 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +if [ -e "/etc/login.defs" ] ; then + + LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs" +else + touch "/etc/login.defs" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/login.defs" + +cp "/etc/login.defs" "/etc/login.defs.bak" +# Insert before the line matching the regex '^\s*CREATE_HOME'. +line_number="$(LC_ALL=C grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^\s*CREATE_HOME', insert at + # the end of the file. + printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" +else + head -n "$(( line_number - 1 ))" "/etc/login.defs.bak" > "/etc/login.defs" + printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" + tail -n "+$(( line_number ))" "/etc/login.defs.bak" >> "/etc/login.defs" +fi +# Clean up after ourselves. +rm "/etc/login.defs.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51845,38 +51845,6 @@ add or correct the FAIL_DELAY setting in /etc/ enter credentials helps to slow a single-threaded brute force attack. CCE-84037-1 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_fail_delay='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^FAIL_DELAY") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_fail_delay" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" -else - if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" - fi - cce="CCE-84037-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" - printf '%s\n' "$formatted_output" >> "/etc/login.defs" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -51915,6 +51883,38 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_fail_delay='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^FAIL_DELAY") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_fail_delay" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" +else + if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" + fi + cce="CCE-84037-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" + printf '%s\n' "$formatted_output" >> "/etc/login.defs" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -51961,24 +51961,6 @@ problems caused by excessive logins. Automated login processes operating imprope maliciously may result in an exceptional number of simultaneous login sessions. CCE-80955-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_max_concurrent_login_sessions='' - - -if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then - sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf -elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then - sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf -else - echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -52067,6 +52049,24 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +var_accounts_max_concurrent_login_sessions='' + + +if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then + sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf +elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then + sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf +else + echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52089,27 +52089,6 @@ which reduces chances of attacks that are made possible by /tmp directories being world-writable. CCE-83732-8 - # Remediation is applicable only in certain platforms -if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then - -#!/bin/bash - -# shellcheck disable=SC2174 -mkdir -p --mode 000 /tmp/tmp-inst -chmod 000 /tmp/tmp-inst -chcon --reference=/tmp /tmp/tmp-inst - -if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then - if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then - sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf - fi - echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Create /tmp/tmp-inst directory file: path: /tmp/tmp-inst @@ -52144,6 +52123,27 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then + +#!/bin/bash + +# shellcheck disable=SC2174 +mkdir -p --mode 000 /tmp/tmp-inst +chmod 000 /tmp/tmp-inst +chcon --reference=/tmp /tmp/tmp-inst + +if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then + if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then + sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf + fi + echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52165,27 +52165,6 @@ which reduces chances of attacks that are made possible by /var/tmp directories being world-writable. CCE-83778-1 - # Remediation is applicable only in certain platforms -if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then - -#!/bin/bash - -# shellcheck disable=SC2174 -mkdir -p --mode 000 /var/tmp/tmp-inst -chmod 000 /var/tmp/tmp-inst -chcon --reference=/var/tmp /var/tmp/tmp-inst - -if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then - if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then - sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf - fi - echo "/var/tmp /var/tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Create /var/tmp/tmp-inst directory file: path: /var/tmp/tmp-inst @@ -52220,6 +52199,27 @@ fi - low_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if ! ( [ "${container:-}" == "bwrap-osbuild" ] ); then + +#!/bin/bash + +# shellcheck disable=SC2174 +mkdir -p --mode 000 /var/tmp/tmp-inst +chmod 000 /var/tmp/tmp-inst +chcon --reference=/var/tmp /var/tmp/tmp-inst + +if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then + if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then + sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf + fi + echo "/var/tmp /var/tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52294,35 +52294,6 @@ management session enabled on the console or console port that has been left unattended. CCE-80673-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_accounts_tmout='' - - -# if 0, no occurence of tmout found, if 1, occurence found -tmout_found=0 - - -for f in /etc/profile /etc/profile.d/*.sh; do - - if grep --silent '^[^#].*TMOUT' $f; then - sed -i -E "s/^(.*)TMOUT\s*=\s*(\w|\$)*(.*)$/declare -xr TMOUT=$var_accounts_tmout\3/g" $f - tmout_found=1 - fi -done - -if [ $tmout_found -eq 0 ]; then - echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh - echo "declare -xr TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh - echo "readonly TMOUT" >> /etc/profile.d/tmout.sh - echo "export TMOUT" >> /etc/profile.d/tmout.sh -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_accounts_tmout # promote to variable set_fact: var_accounts_tmout: !!str @@ -52373,6 +52344,35 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_accounts_tmout='' + + +# if 0, no occurence of tmout found, if 1, occurence found +tmout_found=0 + + +for f in /etc/profile /etc/profile.d/*.sh; do + + if grep --silent '^[^#].*TMOUT' $f; then + sed -i -E "s/^(.*)TMOUT\s*=\s*(\w|\$)*(.*)$/declare -xr TMOUT=$var_accounts_tmout\3/g" $f + tmout_found=1 + fi +done + +if [ $tmout_found -eq 0 ]; then + echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh + echo "declare -xr TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh + echo "readonly TMOUT" >> /etc/profile.d/tmout.sh + echo "export TMOUT" >> /etc/profile.d/tmout.sh +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -52399,9 +52399,6 @@ of their respective initialization files. Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6"/.[^\.]?*") }' /etc/passwd - - name: Ensure interactive local users are the group-owners of their respective initialization files ansible.builtin.command: @@ -52414,6 +52411,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6"/.[^\.]?*") }' /etc/passwd @@ -52475,9 +52475,6 @@ their respective initialization files. Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd - - name: Ensure interactive local users are the owners of their respective initialization files ansible.builtin.command: @@ -52490,6 +52487,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd 
@@ -52537,14 +52537,6 @@ Therefore, this rule will report a finding for home directories like If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. CCE-84036-3 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - # This follows the same logic of evaluation of home directories as used in OVAL. - if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then - sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd; - fi -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52591,6 +52583,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + # This follows the same logic of evaluation of home directories as used in OVAL. + if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then + sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd; + fi +done @@ -52616,11 +52616,6 @@ upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. CCE-83424-2 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do - mkhomedir_helper $user 0077; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52665,6 +52660,11 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do + mkhomedir_helper $user 0077; +done 
@@ -52692,16 +52692,6 @@ of folders or files in their respective home directories. If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. CCE-86534-5 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - home_dir=$(getent passwd $user | cut -d: -f6) - group=$(getent passwd $user | cut -d: -f4) - # Only update the group-ownership when necessary. This will avoid changing the inode timestamp - # when the group is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find $home_dir -not -group $group -exec chgrp -f $group {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52764,6 +52754,16 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd $user | cut -d: -f6) + group=$(getent passwd $user | cut -d: -f4) + # Only update the group-ownership when necessary. This will avoid changing the inode timestamp + # when the group is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find $home_dir -not -group $group -exec chgrp -f $group {} \; +done 
@@ -52791,15 +52791,6 @@ folders or files in their respective home directories. If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise. - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - home_dir=$(getent passwd $user | cut -d: -f6) - # Only update the ownership when necessary. This will avoid changing the inode timestamp - # when the owner is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find $home_dir -not -user $user -exec chown -f $user {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52854,6 +52845,15 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd $user | cut -d: -f6) + # Only update the ownership when necessary. This will avoid changing the inode timestamp + # when the owner is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find $home_dir -not -user $user -exec chown -f $user {} \; +done 
@@ -52875,14 +52875,6 @@ Files that begin with a "." are excluded from this requirement.If a local interactive user files have excessive permissions, unintended users may be able to access or modify them. CCE-85888-6 - -for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do - # Only update the permissions when necessary. This will avoid changing the inode timestamp when - # the permission is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -52946,6 +52938,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do + # Only update the permissions when necessary. This will avoid changing the inode timestamp when + # the permission is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; +done @@ -52966,12 +52966,6 @@ to an interactive user is not group or world accessible Note: While the complete removal of .netrc files is recommended, if any are required on the system, secure permissions must be applied. CCE-87369-5 - -for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do - home_dir=$(getent passwd "$user" | cut -d: -f6) - find "${home_dir}/.netrc" -exec chmod 0600 {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd 
@@ -53030,6 +53024,12 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do + home_dir=$(getent passwd "$user" | cut -d: -f6) + find "${home_dir}/.netrc" -exec chmod 0600 {} \; +done @@ -53061,9 +53061,6 @@ not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. CCE-83434-1 - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -53126,6 +53123,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd @@ -53154,9 +53154,6 @@ their respective home directories. users could access or modify the user's files, and the users may not be able to access their own files. CCE-86131-0 - -awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -53214,6 +53211,9 @@ awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$ - medium_severity - no_reboot_needed - restrict_strategy + + +awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd 
@@ -53235,28 +53235,6 @@ following command: upon logon. Malicious modification of these files could compromise accounts upon logon. CCE-84043-9 - -var_user_initialization_files_regex='' - - -readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd) -readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd) -readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd) - -USERS_IGNORED_REGEX='nobody|nfsnobody' - -for (( i=0; i<"${#interactive_users[@]}"; i++ )); do - if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \ - [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then - - readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \ - -exec basename {} \; | grep -P "$var_user_initialization_files_regex") - for file in "${init_files[@]}"; do - chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file" - done - fi -done - - name: XCCDF Value var_user_initialization_files_regex # promote to variable set_fact: var_user_initialization_files_regex: !!str @@ -53316,6 +53294,28 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +var_user_initialization_files_regex='' + + +readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd) +readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd) +readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd) + +USERS_IGNORED_REGEX='nobody|nfsnobody' + +for (( i=0; i<"${#interactive_users[@]}"; i++ )); do + if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \ + [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then + + readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \ + -exec basename {} \; | grep -P "$var_user_initialization_files_regex") + for file in "${init_files[@]}"; do + chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file" + done + fi +done 
@@ -53339,14 +53339,6 @@ following command: Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. CCE-84038-9 - -for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do - # Only update the permissions when necessary. This will avoid changing the inode timestamp when - # the permission is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd @@ -53410,6 +53402,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do + # Only update the permissions when necessary. This will avoid changing the inode timestamp when + # the permission is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; +done @@ -53495,14 +53495,6 @@ to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs. CCE-84274-0 - -for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do - # Only update the permissions when necessary. This will avoid changing the inode timestamp when - # the permission is already defined as expected, therefore not impacting in possible integrity - # check systems that also check inodes timestamps. - find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; -done - - name: Get all local users from /etc/passwd ansible.builtin.getent: database: passwd 
@@ -53574,6 +53566,14 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do + # Only update the permissions when necessary. This will avoid changing the inode timestamp when + # the permission is already defined as expected, therefore not impacting in possible integrity + # check systems that also check inodes timestamps. + find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \; +done @@ -53785,26 +53785,6 @@ A misconfigured umask value could result in files with excessive permissions tha written to by unauthorized users. CCE-81036-6 - # Remediation is applicable only in certain platforms -if rpm --quiet -q bash; then - -var_accounts_user_umask='' - - - - - - -grep -q "^\s*umask" /etc/bashrc && \ - sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bashrc -if ! [ $? -eq 0 ]; then - echo "umask $var_accounts_user_umask" >> /etc/bashrc -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -53885,6 +53865,26 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q bash; then + +var_accounts_user_umask='' + + + + + + +grep -q "^\s*umask" /etc/bashrc && \ + sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bashrc +if ! [ $? -eq 0 ]; then + echo "umask $var_accounts_user_umask" >> /etc/bashrc +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -53930,16 +53930,6 @@ add or correct the umask setting in /etc/csh.c A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. CCE-81037-4 - -var_accounts_user_umask='' - - -grep -q "^\s*umask" /etc/csh.cshrc && \ - sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc -if ! [ $? -eq 0 ]; then - echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc -fi - - name: XCCDF Value var_accounts_user_umask # promote to variable set_fact: var_accounts_user_umask: !!str @@ -54001,6 +53991,16 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_user_umask='' + + +grep -q "^\s*umask" /etc/csh.cshrc && \ + sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc +if ! [ $? -eq 0 ]; then + echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc +fi 
@@ -54064,38 +54064,6 @@ A misconfigured umask value could result in files with excessive permissions tha written to by unauthorized users. CCE-82888-9 - # Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_user_umask='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" -else - if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" - fi - cce="CCE-82888-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" - printf '%s\n' "$formatted_output" >> "/etc/login.defs" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -54176,6 +54144,38 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q shadow-utils; then + +var_accounts_user_umask='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" +else + if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" + fi + cce="CCE-82888-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" + printf '%s\n' "$formatted_output" >> "/etc/login.defs" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -54227,20 +54227,6 @@ considered during the check and properly remediated, if necessary. CCE-81035-8 - -var_accounts_user_umask='' - - -readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local') - -for file in "${profile_files[@]}" /etc/profile; do - grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file" -done - -if ! grep -qrE '^[^#]*umask' /etc/profile*; then - echo "umask $var_accounts_user_umask" >> /etc/profile -fi - - name: XCCDF Value var_accounts_user_umask # promote to variable set_fact: var_accounts_user_umask: !!str @@ -54328,6 +54314,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + +var_accounts_user_umask='' + + +readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local') + +for file in "${profile_files[@]}" /etc/profile; do + grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file" +done + +if ! grep -qrE '^[^#]*umask' /etc/profile*; then + echo "umask $var_accounts_user_umask" >> /etc/profile +fi @@ -54353,15 +54353,6 @@ access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. CCE-84044-7 - -while IFS= read -r dir; do - while IFS= read -r -d '' file; do - if [ "$(basename $file)" != ".bash_history" ]; then - sed -i 's/^\(\s*umask\s*\)/#\1/g' "$file" - fi - done < <(find $dir -maxdepth 1 -type f -name ".*" -print0) -done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd) - - name: Ensure interactive local users are the owners of their respective initialization files ansible.builtin.shell: 
@@ -54382,6 +54373,15 @@ done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 - medium_severity - no_reboot_needed - restrict_strategy + + +while IFS= read -r dir; do + while IFS= read -r -d '' file; do + if [ "$(basename $file)" != ".bash_history" ]; then + sed -i 's/^\(\s*umask\s*\)/#\1/g' "$file" + fi + done < <(find $dir -maxdepth 1 -type f -name ".*" -print0) +done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd) @@ -54485,21 +54485,13 @@ $ sudo yum install audispd-plugins audit subsystem, audispd. These plugins can do things like relay events to remote machines or analyze events for suspicious behavior. CCE-82953-1 + +package --add=audispd-plugins + [[packages]] name = "audispd-plugins" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "audispd-plugins" ; then - yum install -y "audispd-plugins" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_audispd-plugins @@ -54524,8 +54516,16 @@ class install_audispd-plugins { - no_reboot_needed - package_audispd-plugins_installed - -package --add=audispd-plugins + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "audispd-plugins" ; then + yum install -y "audispd-plugins" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -54604,21 +54604,13 @@ package --add=audispd-plugins SV-230411r744000_rule The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. CCE-81043-2 + +package --add=audit + [[packages]] name = "audit" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "audit" ; then - yum install -y "audit" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_audit @@ -54652,8 +54644,16 @@ class install_audit { - no_reboot_needed - package_audit_installed - -package --add=audit + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "audit" ; then + yum install -y "audit" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -54869,17 +54869,17 @@ can be held accountable for their actions. [customizations.services] enabled = ["auditd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q audit; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'auditd.service' -"$SYSTEMCTL_EXEC" start 'auditd.service' -"$SYSTEMCTL_EXEC" enable 'auditd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: auditd.service + enabled: true include enable_auditd 
@@ -54961,17 +54961,17 @@ class enable_auditd { - no_reboot_needed - service_auditd_enabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: auditd.service - enabled: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q audit; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'auditd.service' +"$SYSTEMCTL_EXEC" start 'auditd.service' +"$SYSTEMCTL_EXEC" enable 'auditd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -55123,15 +55123,6 @@ ensures it is set for every process during boot. CCE-80825-3 [customizations.kernel] append = "audit=1" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -55178,6 +55169,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -55226,15 +55226,6 @@ defined by audit failure flag is taken. CCE-80943-4 [customizations.kernel] append = "audit_backlog_limit=8192" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -55267,6 +55258,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -55358,6 +55358,323 @@ to the same event is more efficient. See the following example: Auditing these events could serve as evidence of potential system compromise. CCE-80927-7 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit open tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for open for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( 
{item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules + set_fact: audit_file="/etc/audit/rules.d/modify.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - 
name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - 
reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for open for 64bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules + set_fact: audit_file="/etc/audit/rules.d/modify.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | 
difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: + - open + syscall_grouping: [] + + - name: Check existence of open in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present 
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) + - audit_arch == "b64" + tags: + - CCE-80927-7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
@@ -55685,60 +56002,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + The audit system should collect write events to /etc/group file for all group and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80929-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -55783,7 +56142,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -55793,7 +56152,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -55803,14 +56162,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -55829,7 +56188,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -55839,7 +56198,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -55848,35 +56207,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -55921,7 +56279,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -55931,7 +56289,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -55941,14 +56299,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -55967,7 +56325,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -55977,7 +56335,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -55986,65 +56344,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80927-7 + - CCE-80929-3 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open + - audit_rules_etc_group_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group - The audit system should collect write events to /etc/group file for all group and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80929-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -56372,24 +56686,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/group + The audit system should collect write events to /etc/group file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80928-5 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -56398,29 +56755,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -56489,10 +56846,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -56535,29 +56892,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -56626,10 +56983,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -56673,62 +57030,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80929-3 + - CCE-80928-5 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_group_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/group - The audit system should collect write events to /etc/group file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80928-5 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -57056,59 +57370,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ + CCE-80959-0 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit openat tasks +- name: Set architecture for audit open tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 32bit platform +- name: Perform remediation of Audit rules for open for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -57153,7 +57512,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57163,7 +57522,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57173,14 +57532,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -57199,7 +57558,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -57209,7 +57568,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57218,34 +57577,35 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 64bit platform +- name: Perform remediation of Audit rules for open for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -57290,7 +57650,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57300,7 +57660,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57310,14 +57670,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -57336,7 +57696,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/group -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -57346,7 +57706,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -57355,65 +57715,22 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80928-5 + - CCE-80959-0 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_group_openat + - audit_rules_etc_gshadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open syscall - /etc/gshadow - The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - - CCE-80959-0 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
@@ -57741,60 +58058,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80960-8 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -57839,7 +58198,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57849,7 +58208,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57859,14 +58218,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -57885,7 +58244,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -57895,7 +58254,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57904,35 +58263,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -57977,7 +58335,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -57987,7 +58345,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -57997,14 +58355,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -58023,7 +58381,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -58033,7 +58391,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -58042,65 +58400,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80959-0 + - CCE-80960-8 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow - The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80960-8 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -58428,24 +58742,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80961-6 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -58454,29 +58811,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -58545,10 +58902,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -58591,29 +58948,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -58682,10 +59039,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -58729,62 +59086,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80960-8 + - CCE-80961-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_open_by_handle_at + - audit_rules_etc_gshadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/gshadow - The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80961-6 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -59112,59 +59426,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ + CCE-80930-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit openat tasks +- name: Set architecture for audit open tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 32bit platform +- name: Perform remediation of Audit rules for open for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -59209,7 +59568,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -59219,7 +59578,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59229,14 +59588,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -59255,7 +59614,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -59265,7 +59624,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59274,34 +59633,35 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 64bit platform +- name: Perform remediation of Audit rules for open for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -59346,7 +59706,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -59356,7 +59716,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59366,14 +59726,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -59392,7 +59752,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/gshadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -59402,7 +59762,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -59411,65 +59771,22 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80961-6 + - CCE-80930-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_gshadow_openat + - audit_rules_etc_passwd_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open syscall - /etc/passwd - The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - - CCE-80930-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
@@ -59797,60 +60114,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80932-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -59895,7 +60254,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -59905,7 +60264,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59915,14 +60274,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -59941,7 +60300,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -59951,7 +60310,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -59960,35 +60319,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -60033,7 +60391,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -60043,7 +60401,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -60053,14 +60411,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -60079,7 +60437,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -60089,7 +60447,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -60098,65 +60456,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80930-1 + - CCE-80932-7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd - The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80932-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -60484,24 +60798,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80931-9 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -60510,29 +60867,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -60601,10 +60958,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -60647,29 +61004,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -60738,10 +61095,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -60785,62 +61142,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80932-7 + - CCE-80931-9 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_open_by_handle_at + - audit_rules_etc_passwd_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/passwd - The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80931-9 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
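Review bot: The hunk ending here (`@@ -60785,62 +61142,19 @@`) deletes the complete "Record Events that Modify User/Group Information via openat syscall - /etc/passwd" rule that the earlier hunk `@@ -60484,24 +60798,67 @@` re-adds verbatim, and the same delete/re-add pattern repeats below for the `open`, `open_by_handle_at` and `openat` rules for /etc/shadow. The only per-line differences inside these blocks are identifier swaps such as `CCE-80932-7` to `CCE-80931-9` and `audit_rules_etc_passwd_open_by_handle_at` to `audit_rules_etc_passwd_openat`, so this is a reordering of rule elements rather than a content change. Review it with move detection (for example `git diff --color-moved`) and confirm that every rule removed in one hunk reappears in another with its original CCE identifier and tags, since a dropped or duplicated CCE would otherwise be invisible in this much churn.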
@@ -61168,59 +61482,104 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ + CCE-80956-6 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit openat tasks +- name: Set architecture for audit open tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 32bit platform +- name: Perform remediation of Audit rules for open for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -61265,7 +61624,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -61275,7 +61634,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61285,14 +61644,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -61311,7 +61670,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -61321,7 +61680,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61330,34 +61689,35 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for openat for 64bit platform +- name: Perform remediation of Audit rules for open for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/rules.d/ + - name: Check existence of open in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
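Review bot: In `@@ -61321,7 +61680,7 @@` (and the matching b64 hunks for this rule) the remediation line written by `lineinfile` still ends in `-F auid!=unset -F key=modify`, while the description added for this same /etc/shadow rule documents `-F key=user-modify` in all of its examples, for instance `-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify`. A host remediated by the playbook therefore emits these events under a different key from the one the guide tells operators to search for, which matters for anyone running `ausearch -k user-modify` or filtering on that key in a SIEM. The `find` regex `(-k\s+|-F\s+key=)\S+\s*$` accepts any key, so the check will never surface the mismatch. Either the rule text or the `line:` values should be aligned; the same inconsistency exists in the `open_by_handle_at` and `openat` /etc/shadow hunks further down.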
@@ -61402,7 +61762,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -61412,7 +61772,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61422,14 +61782,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - openat + - open syscall_grouping: [] - - name: Check existence of openat in /etc/audit/audit.rules + - name: Check existence of open in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -61448,7 +61808,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/passwd -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -61458,7 +61818,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -61467,65 +61827,22 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80931-9 + - CCE-80956-6 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_passwd_openat + - audit_rules_etc_shadow_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open syscall - /etc/shadow - The audit system should collect write events to /etc/shadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - - CCE-80956-6 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then 
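Review bot: The bash applicability guard at the end of this hunk excludes aarch64 with `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }`. That file holds the kernel release string, and the architecture appears in it only because Red Hat kernel builds embed it in the release suffix; a custom or vendor kernel whose release string omits it would pass the guard, and the remediation would then try to add an `-S open` rule on a platform whose native 64-bit ABI has no `open` syscall (aarch64 provides only `openat`), which auditctl cannot resolve. `uname -m` is the portable test and mirrors the `not ( ansible_architecture == "aarch64" )` condition added on the Ansible side of the same rule. Note also that on the Ansible side the `when:` list now contains both `not ( ansible_architecture == "aarch64" )` and a disjunction that still lists `ansible_architecture == "aarch64"`; it evaluates correctly but the dead alternative is worth dropping for readability.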
@@ -61853,60 +62170,102 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80957-4 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b64 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 32bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -61951,7 +62310,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -61961,7 +62320,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -61971,14 +62330,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -61997,7 +62356,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -62007,7 +62366,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -62016,35 +62375,34 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open for 64bit platform +- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/rules.d/ + - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -62089,7 +62447,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -62099,7 +62457,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx @@ -62109,14 +62467,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open + - open_by_handle_at syscall_grouping: [] - - name: Check existence of open in /etc/audit/audit.rules + - name: Check existence of open_by_handle_at in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -62135,7 +62493,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a1&03 -F path=/etc/shadow -F auid>=1000 + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -62145,7 +62503,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify create: true mode: o-rwx 
@@ -62154,65 +62512,21 @@ fi when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - - CCE-80956-6 + - CCE-80957-4 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow - The audit system should collect write events to /etc/shadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80957-4 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -62540,24 +62854,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ CCE-80958-2 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks +- name: Set architecture for audit openat tasks set_fact: audit_arch: b64 when: @@ -62566,29 +62923,29 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 32bit platform +- name: Perform remediation of Audit rules for openat for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -62657,10 +63014,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -62703,29 +63060,29 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for open_by_handle_at for 64bit platform +- name: Perform remediation of Audit rules for openat for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/rules.d/ + - name: Check existence of openat in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S @@ -62794,10 +63151,10 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - open_by_handle_at + - openat syscall_grouping: [] - - name: Check existence of open_by_handle_at in /etc/audit/audit.rules + - name: Check existence of openat in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S 
@@ -62841,62 +63198,19 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80957-4 + - CCE-80958-2 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_shadow_openat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify User/Group Information via openat syscall - /etc/shadow - The audit system should collect write events to /etc/shadow file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. - CCE-80958-2 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -63223,320 +63537,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit openat tasks - set_fact: - audit_arch: b64 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Perform remediation of Audit rules for openat for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: Check existence of openat in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ 
find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules - set_fact: audit_file="/etc/audit/rules.d/modify.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: 
Check existence of openat in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Perform remediation of Audit rules for openat for 64bit platform - block: - - - name: Declare 
list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: Check existence of openat in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/modify.rules - set_fact: audit_file="/etc/audit/rules.d/modify.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F 
arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - openat - syscall_grouping: [] - - - name: Check existence of openat in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a2&03 -F path=/etc/shadow -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ 
audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow - -F auid>=1000 -F auid!=unset -F key=modify - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" - tags: - - CCE-80958-2 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_etc_shadow_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy 
@@ -63690,35 +63690,20 @@ well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. CCE-80708-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Traverse all of: -# -# /etc/audit/audit.rules, (for auditctl case) -# /etc/audit/rules.d/*.rules (for augenrules case) -# -# files to check if '-e .*' setting is present in that '*.rules' file already. -# If found, delete such occurrence since auditctl(8) manual page instructs the -# '-e 2' rule should be placed as the last rule in the configuration -find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' - -# Append '-e 2' requirement at the end of both: -# * /etc/audit/audit.rules file (for auditctl case) -# * /etc/audit/rules.d/immutable.rules (for augenrules case) - -for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" -do - echo '' >> $AUDIT_FILE - echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE - echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE - echo '-e 2' >> $AUDIT_FILE - chmod o-rwx $AUDIT_FILE -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-e%202%0A + mode: 0600 + path: /etc/audit/rules.d/90-immutable.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -63821,20 +63806,35 @@ fi - reboot_required - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-e%202%0A - mode: 0600 - path: /etc/audit/rules.d/90-immutable.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Traverse all of: +# +# /etc/audit/audit.rules, (for auditctl case) +# /etc/audit/rules.d/*.rules (for augenrules case) +# +# files to check if '-e .*' setting is present in that '*.rules' file already. +# If found, delete such occurrence since auditctl(8) manual page instructs the +# '-e 2' rule should be placed as the last rule in the configuration +find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' + +# Append '-e 2' requirement at the end of both: +# * /etc/audit/audit.rules file (for auditctl case) +# * /etc/audit/rules.d/immutable.rules (for augenrules case) + +for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" +do + echo '' >> $AUDIT_FILE + echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE + echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE + echo '-e 2' >> $AUDIT_FILE + chmod o-rwx $AUDIT_FILE +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -63872,30 +63872,6 @@ immutable: If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. CCE-90783-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# in case auditctl is used -if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then - if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then - echo "--loginuid-immutable" >> /etc/audit/audit.rules - fi -else - immutable_found=0 - while IFS= read -r -d '' f; do - if grep -q '^\s*--loginuid-immutable\s*$' "$f"; then - immutable_found=1 - fi - done < <(find /etc/audit/rules.d -maxdepth 1 -name '*.rules' -print0) - if [ $immutable_found -eq 0 ]; then - echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -63980,6 +63956,30 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# in case auditctl is used +if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then + if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then + echo "--loginuid-immutable" >> /etc/audit/audit.rules + fi +else + immutable_found=0 + while IFS= read -r -d '' f; do + if grep -q '^\s*--loginuid-immutable\s*$' "$f"; then + immutable_found=1 + fi + done < <(find /etc/audit/rules.d -maxdepth 1 -name '*.rules' -print0) + if [ $immutable_found -eq 0 ]; then + echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -64122,146 +64122,21 @@ utility to read audit rules during daemon startup, add the following line to arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. CCE-80721-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/MAC-policy.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/MAC-policy.rules" - # If the MAC-policy.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" - fi -done + --- -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -64464,145 +64339,7 @@ fi - reboot_required - restrict_strategy - --- - -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules - overwrite: true - - - - - - - - - - Record Events that Modify the System's Mandatory Access Controls in usr/share - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d: --w /usr/share/selinux/ -p wa -k MAC-policy -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /usr/share/selinux/ -p wa -k MAC-policy - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.8 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - 
PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 4.1.3.14 - The system's mandatory access policy (SELinux) should not be -arbitrarily changed by anything other than administrator action. All changes to -MAC policy should be audited. - CCE-86342-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' @@ -64629,7 +64366,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -64637,7 +64374,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -64653,12 +64390,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -64677,7 +64414,7 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/share/selinux/" /etc/audit/rules.d/*.rules) +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" @@ -64706,7 +64443,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits 
@@ -64714,7 +64451,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) @@ -64730,12 +64467,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" fi done 
@@ -64743,6 +64480,128 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Mandatory Access Controls in usr/share + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-w /usr/share/selinux/ -p wa -k MAC-policy +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /usr/share/selinux/ -p wa -k MAC-policy + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.8 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 4.1.3.14 + The system's mandatory access policy (SELinux) should not be +arbitrarily changed by anything other than administrator action. All changes to +MAC policy should be audited. 
+ CCE-86342-3 - name: Gather the package facts package_facts: manager: auto 
@@ -64927,6 +64786,147 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/share/selinux/" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/MAC-policy.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/MAC-policy.rules" + # If the MAC-policy.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -65087,334 +65087,6 @@ where classified information, Privacy Act information, and intellectual property trail should be created each time a filesystem is mounted to help identify and guard against information loss. CCE-80722-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="mount" - KEY="perm_mod" - SYSCALL_GROUPING="" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -65745,158 +65417,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Network Environment - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification --w /etc/issue -p wa -k audit_rules_networkconfig_modification --w /etc/issue.net -p wa -k audit_rules_networkconfig_modification --w /etc/hosts -p wa -k audit_rules_networkconfig_modification --w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification --w /etc/issue -p wa -k audit_rules_networkconfig_modification --w /etc/issue.net -p wa -k audit_rules_networkconfig_modification --w /etc/hosts -p wa -k audit_rules_networkconfig_modification --w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 
- 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.5.5 - 10.3.4 - 4.1.3.5 - The network environment should not be modified by anything other -than administrator action. Any change to network parameters should be -audited. - CCE-80723-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -65907,10 +65428,11 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" - AUID_FILTERS="" - SYSCALL="sethostname setdomainname" - KEY="audit_rules_networkconfig_modification" - SYSCALL_GROUPING="sethostname setdomainname" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="mount" + KEY="perm_mod" + SYSCALL_GROUPING="" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
@@ -66219,541 +65741,161 @@ if [ "$skip" -ne 0 ]; then fi done -# Then perform the remediations for the watch rules -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. 
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! -e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" - then - # Rule is found => verify yet if 
existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. 
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" - # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! -e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" - fi -done - else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Network Environment + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification +-w /etc/issue -p wa -k audit_rules_networkconfig_modification +-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification +-w /etc/hosts -p wa -k audit_rules_networkconfig_modification +-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification +-w /etc/issue -p wa -k audit_rules_networkconfig_modification +-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification +-w /etc/hosts -p wa -k audit_rules_networkconfig_modification 
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.5.5 + 10.3.4 + 4.1.3.5 + The network environment should not be modified by anything other +than administrator action. Any change to network parameters should be +audited. + CCE-80723-0 - name: Gather the package facts package_facts: manager: auto 
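Review bot: the new rule description's instruction "setting ARCH to either b32 or b64 as appropriate for your system" under-specifies 64-bit hosts. A rule with `-F arch=b64` only matches the 64-bit syscall ABI, so `sethostname`/`setdomainname` issued by a 32-bit binary on x86_64 would go unrecorded; both variants are needed there, which is what the bash remediation added later in this patch does (`RULE_ARCHS=("b32" "b64")` whenever `getconf LONG_BIT` is not 32). Suggest saying so in the text, e.g. "on 64-bit systems add the `-a always,exit` line twice, once with `arch=b32` and once with `arch=b64`". Minor: the syscall line uses `-F key=` while the four `-w` lines use `-k`; both load, but one form throughout makes the key easier to grep for.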
@@ -67844,163 +66986,330 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Attempts to Alter Process and Session Initiation Information - The audit system already collects process information for all -users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing such process information: --w /var/run/utmp -p wa -k session --w /var/log/btmp -p wa -k session --w /var/log/wtmp -p wa -k session -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for attempted manual -edits of files involved in storing such process information: --w /var/run/utmp -p wa -k session --w /var/log/btmp -p wa -k session --w /var/log/wtmp -p wa -k session - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - 0582 - 0584 - 05885 - 0586 - 0846 - 0957 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - 
A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.3 - 10.2.1.3 - SRG-APP-000505-CTR-001285 - 4.1.3.11 - Manual editing of these files may indicate nefarious activity, such -as an attacker attempting to remove evidence of an intrusion. - CCE-80742-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="" + SYSCALL="sethostname setdomainname" + KEY="audit_rules_networkconfig_modification" + SYSCALL_GROUPING="sethostname setdomainname" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +# Then perform the remediations for the watch rules # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: @@ -68025,7 +67334,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits 
@@ -68033,7 +67342,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) @@ -68049,12 +67358,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68072,8 +67381,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -68086,9 +67395,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/session.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/session.rules" - # If the session.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -68102,7 +67411,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68110,7 +67419,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68126,12 +67435,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68157,7 +67466,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68165,7 +67474,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68181,12 +67490,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68204,8 +67513,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -68218,9 +67527,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/session.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/session.rules" - # If the session.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -68234,7 +67543,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68242,7 +67551,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68258,12 +67567,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68289,7 +67598,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68297,7 +67606,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68313,12 +67622,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -68336,8 +67645,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/wtmp" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -68350,9 +67659,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/session.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/session.rules" - # If the session.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -68366,7 +67675,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -68374,7 +67683,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -68390,18 +67699,321 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" + then + # 
Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. 
Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Attempts to Alter Process and Session Initiation Information + The audit system already collects process information for all +users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing such process information: +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for attempted manual +edits of files involved in storing such process information: +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 
5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 0582 + 0584 + 05885 + 0586 + 0846 + 0957 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.3 + 10.2.1.3 + SRG-APP-000505-CTR-001285 + 4.1.3.11 + Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. + CCE-80742-0 + --- + + +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-audit-session-events.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -68968,76 +68580,7 @@ fi - reboot_required - restrict_strategy - --- - - -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-audit-session-events.rules - overwrite: true - - - - - - - Ensure auditd Collects System Administrator Actions - /etc/sudoers - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: --w /etc/sudoers -p wa -k actions -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /etc/sudoers -p wa -k actions - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-002130 - CCI-002132 - CCI-002884 - SRG-OS-000004-GPOS-00004 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000304-GPOS-00121 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000470-GPOS-00214 - SRG-OS-000471-GPOS-00215 - SRG-OS-000239-GPOS-00089 - SRG-OS-000240-GPOS-00090 - SRG-OS-000241-GPOS-00091 - SRG-OS-000303-GPOS-00120 - SRG-OS-000466-GPOS-00210 - SRG-OS-000476-GPOS-00221 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000503-CTR-001275 - RHEL-08-030171 - SV-230409r627750_rule - The actions taken by system administrators should be audited to keep a record -of what was executed on the system, as well as, for accountability purposes. 
-Editing the sudoers file may be sign of an attacker trying to -establish persistent methods to a system, auditing the editing of the sudoers -files mitigates this risk. - CCE-90175-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' @@ -69064,7 +68607,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69072,7 +68615,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -69088,12 +68631,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -69111,8 +68654,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" @@ -69125,9 +68668,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/actions.rules" - # If the actions.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/session.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/session.rules" + # If the session.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" 
@@ -69141,7 +68684,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69149,7 +68692,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -69165,71 +68708,387 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" fi done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90175-1 - - DISA-STIG-RHEL-08-030171 - - audit_rules_sudoers - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy -- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d - 
when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-90175-1 - - DISA-STIG-RHEL-08-030171 - - audit_rules_sudoers - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') -- name: Search /etc/audit/rules.d for other rules with specified key actions - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)actions$ - patterns: '*.rules' - register: find_watch_key - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched - == 0 - tags: - - CCE-90175-1 - - DISA-STIG-RHEL-08-030171 - - audit_rules_sudoers - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) 
+ do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. 
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/session.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/session.rules" + # If the session.rules file doesn't exist yet, create it with correct permissions + if [ ! -e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! 
grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + 
# all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/wtmp" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/session.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/session.rules" + # If the session.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. 
Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + Ensure auditd Collects System Administrator Actions - /etc/sudoers + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/sudoers -p wa -k actions +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/sudoers -p wa -k actions + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-002130 + CCI-002132 + CCI-002884 + SRG-OS-000004-GPOS-00004 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000304-GPOS-00121 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000470-GPOS-00214 + SRG-OS-000471-GPOS-00215 + SRG-OS-000239-GPOS-00089 + SRG-OS-000240-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000303-GPOS-00120 + SRG-OS-000466-GPOS-00210 + SRG-OS-000476-GPOS-00221 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000503-CTR-001275 + RHEL-08-030171 + SV-230409r627750_rule + The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. +Editing the sudoers file may be sign of an attacker trying to +establish persistent methods to a system, auditing the editing of the sudoers +files mitigates this risk. 
+ CCE-90175-1 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90175-1 + - DISA-STIG-RHEL-08-030171 + - audit_rules_sudoers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90175-1 + - DISA-STIG-RHEL-08-030171 + - audit_rules_sudoers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key actions + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)actions$ + patterns: '*.rules' + register: find_watch_key + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CCE-90175-1 + - DISA-STIG-RHEL-08-030171 + - audit_rules_sudoers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule set_fact: 
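Review bot: the comment "If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'" describes a condition the code does not contain: files_to_inspect+=('/etc/audit/audit.rules') runs unconditionally, and the augenrules block that follows it (readarray over /etc/audit/rules.d/*.rules, fallback to /etc/audit/rules.d/session.rules) runs unconditionally too, so each of the btmp and wtmp watches in this hunk is appended to both files regardless of which loader auditd.service actually uses. With augenrules, which the rule descriptions in this same patch call the default, /etc/audit/audit.rules is regenerated from rules.d at load time, so the direct append has no lasting effect and only makes the remediation look like it made a choice. Either gate the two blocks on the loader, the way the Ansible variant later in this patch does by reading ExecStartPost from auditd.service, or rewrite the comment table above each block so it stops promising a decision that is never taken. Separately, rulesd_audit_file=$(echo $match | cut -f1 -d ':') leaves $match unquoted and so word-split and glob-expanded; ${match%%:*} yields the filename without the subshell and without that exposure.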
@@ -69331,62 +69190,7 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: --w /etc/sudoers.d/ -p wa -k actions -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /etc/sudoers.d/ -p wa -k actions - CCI-000018 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-002130 - CCI-002132 - CCI-002884 - SRG-OS-000004-GPOS-00004 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000304-GPOS-00121 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000470-GPOS-00214 - SRG-OS-000471-GPOS-00215 - SRG-OS-000239-GPOS-00089 - SRG-OS-000240-GPOS-00090 - SRG-OS-000241-GPOS-00091 - SRG-OS-000303-GPOS-00120 - SRG-OS-000466-GPOS-00210 - SRG-OS-000476-GPOS-00221 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000503-CTR-001275 - RHEL-08-030172 - SV-230410r627750_rule - The actions taken by system administrators should be audited to keep a record -of what was executed on the system, as well as, for accountability purposes. -Editing the sudoers file may be sign of an attacker trying to -establish persistent methods to a system, auditing the editing of the sudoers -files mitigates this risk. - CCE-89497-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -69413,7 +69217,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69421,7 +69225,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) @@ -69437,12 +69241,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness 
@@ -69461,7 +69265,7 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" @@ -69490,7 +69294,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -69498,7 +69302,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
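Review bot: changing the watched path from /etc/sudoers.d/ to /etc/sudoers turns the presence checks into prefix matches. grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" and the readarray grep "[\s]*-w[\s]+/etc/sudoers" both match an existing "-w /etc/sudoers.d/ -p wa -k actions" line, and because both rules share the key actions and therefore the file /etc/audit/rules.d/actions.rules, a host where the sudoers.d remediation ran first is treated as already having the /etc/sudoers watch. In that case the sed -ne extraction (which requires whitespace after /etc/sudoers) returns nothing, the sed -i (same requirement) changes nothing, and the else branch that would echo "-w /etc/sudoers -p wa -k actions" is never reached, so the /etc/sudoers watch is silently never added and the scan keeps failing on every run. Require a delimiter after the path in both greps, for example /etc/sudoers[\s]+ or /etc/sudoers(?=\s), which is what the Ansible check added in the same patch already does with ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+.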
@@ -69514,12 +69318,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" fi done 
@@ -69527,6 +69331,61 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/sudoers.d/ -p wa -k actions +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/sudoers.d/ -p wa -k actions + CCI-000018 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-002130 + CCI-002132 + CCI-002884 + SRG-OS-000004-GPOS-00004 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000304-GPOS-00121 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000470-GPOS-00214 + SRG-OS-000471-GPOS-00215 + SRG-OS-000239-GPOS-00089 + SRG-OS-000240-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000303-GPOS-00120 + SRG-OS-000466-GPOS-00210 + SRG-OS-000476-GPOS-00221 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000503-CTR-001275 + RHEL-08-030172 + SV-230410r627750_rule + The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. +Editing the sudoers file may be sign of an attacker trying to +establish persistent methods to a system, auditing the editing of the sudoers +files mitigates this risk. + CCE-89497-2 - name: Gather the package facts package_facts: manager: auto 
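Review bot: the rationale text added in this hunk has two grammar slips that the identical text for the /etc/sudoers rule earlier in the patch shares. "as well as, for accountability purposes" should lose the comma, and "may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk" is a comma splice with a missing article; suggest "may be a sign of an attacker trying to establish persistence on a system; auditing edits to the sudoers files mitigates this risk". Since the sentence appears verbatim under both RHEL-08-030171 and RHEL-08-030172, fix it once at the shared source rather than in one rule only.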
@@ -69679,6 +69538,147 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/actions.rules" + # If the actions.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
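Review bot: readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) runs with bash's default glob behaviour, so on a host that has no *.rules file yet the pattern is passed to grep literally and grep writes a "No such file or directory" error to stderr. The remediation still converges because the empty match list triggers the fallback that creates /etc/audit/rules.d/actions.rules, but the noise makes an automated run look like it failed; shopt -s nullglob before the grep, or 2>/dev/null on it, keeps the output clean. While here, the fallback creates actions.rules with touch and chmod 0640 but never sets ownership; that is root:root when run as root, which is what the remediation assumes, so a short comment saying so would save the next reader a check.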
@@ -69719,6 +69719,128 @@ of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. CCE-90209-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Service facts + ansible.builtin.service_facts: null + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check the rules script being used + ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service + register: check_rules_scripts_result + changed_when: false + failed_when: false + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set suid_audit_rules fact + ansible.builtin.set_fact: + suid_audit_rules: + - rule: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions + ansible.builtin.lineinfile: + path: /etc/audit/rules.d/user_emulation.rules + line: '{{ item.rule }}' + regexp: '{{ item.regex }}' + create: true + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"augenrules" in check_rules_scripts_result.stdout' + register: augenrules_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Update Update /etc/audit/audit.rules to audit privileged functions + ansible.builtin.lineinfile: + path: /etc/audit/audit.rules + line: '{{ item.rule }}' + regexp: '{{ item.regex }}' + create: true + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"auditctl" in check_rules_scripts_result.stdout' + register: auditctl_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Restart Auditd + ansible.builtin.command: /usr/sbin/service auditd restart + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (augenrules_audit_rules_privilege_function_update_result.changed or 
auditctl_audit_rules_privilege_function_update_result.changed) + - ansible_facts.services["auditd.service"].state == "running" + tags: + - CCE-90209-8 + - audit_rules_suid_auid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
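Review bot: in the `Set suid_audit_rules fact` task the `regex` cannot match the `rule` it is paired with: the rule is written as `-F arch=b32 -S execve -C euid!=uid -F auid!=unset`, while the regex expects `-F arch=b32 -C euid!=uid -F auid!=unset -S execve`. lineinfile therefore never recognises an already present variant of this rule (for example one with a different `-k` key, which the `(?:-k[\s]+|-F[\s]+key=)[\S]+` tail is meant to absorb) and appends a second copy instead of replacing it. Reorder the regex to `-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset` so it follows the rule's field order, as the SUID/SGID regexes later in this file already do. Also, the task name `Update Update /etc/audit/audit.rules to audit privileged functions` repeats the word Update.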
@@ -70046,12 +70168,98 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Events When Privileged Executables Are Run + Verify the system generates an audit record when privileged functions are executed. + +If audit is using the "auditctl" tool to load the rules, run the following command: + +$ sudo grep execve /etc/audit/audit.rules + +If audit is using the "augenrules" tool to load the rules, run the following command: + +$ sudo grep -r execve /etc/audit/rules.d + + +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid +-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid + + +If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. +If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. + Note that these rules can be configured in a +number of ways while still achieving the desired effect. + CCI-001814 + CCI-001882 + CCI-001889 + CCI-001880 + CCI-001881 + CCI-001878 + CCI-001879 + CCI-001875 + CCI-001877 + CCI-001914 + CCI-002233 + CCI-002234 + CM-5(1) + AU-7(a) + AU-7(b) + AU-8(b) + AU-12(3) + AC-6(9) + 10.2.1.2 + SRG-OS-000326-GPOS-00126 + SRG-OS-000327-GPOS-00127 + SRG-APP-000343-CTR-000780 + SRG-APP-000381-CTR-000905 + RHEL-08-030000 + SV-230386r854037_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have +compromised information system accounts, is a serious and ongoing concern +and can have significant adverse impacts on organizations. Auditing the use +of privileged functions is one way to detect such misuse and identify the +risk from insider threats and the advanced persistent threat. 
+ + CCE-83556-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-audit-suid-privilege-function.rules + overwrite: true + + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity @@ -70064,8 +70272,16 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity 
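Review bot: the OpenShift MachineConfig added in this hunk writes the four execve rules with `-k execpriv` into `/etc/audit/rules.d/75-audit-suid-privilege-function.rules`, while the check text and the `suid_audit_rules` fact for the same CCE-83556-1 rule use `-k setuid` / `-k setgid`, and the Ansible lineinfile tasks target `/etc/audit/rules.d/privileged.rules`. The description does say the rules can be configured in a number of ways, but a single key and file name across the remediations keeps `ausearch -k` lookups and the generated documentation consistent; either align them or document the difference. The remainder of the hunk is a block move of the CCE-83556-1 rule (the same content is deleted further down) together with the tag rename from CCE-90209-8 to CCE-83556-1.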
@@ -70081,8 +70297,16 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity 
@@ -70092,25 +70316,37 @@ fi - name: Set suid_audit_rules fact ansible.builtin.set_fact: suid_audit_rules: - - rule: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid + regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - 
low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions +- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions ansible.builtin.lineinfile: - path: /etc/audit/rules.d/user_emulation.rules + path: /etc/audit/rules.d/privileged.rules line: '{{ item.rule }}' regexp: '{{ item.regex }}' create: true @@ -70122,8 +70358,16 @@ fi register: augenrules_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity @@ -70144,8 +70388,16 @@ fi register: auditctl_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity 
@@ -70160,77 +70412,22 @@ fi - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) - ansible_facts.services["auditd.service"].state == "running" tags: - - CCE-90209-8 - - audit_rules_suid_auid_privilege_function + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Record Events When Privileged Executables Are Run - Verify the system generates an audit record when privileged functions are executed. - -If audit is using the "auditctl" tool to load the rules, run the following command: - -$ sudo grep execve /etc/audit/audit.rules - -If audit is using the "augenrules" tool to load the rules, run the following command: - -$ sudo grep -r execve /etc/audit/rules.d - - --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid --a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid - - -If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. -If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. - Note that these rules can be configured in a -number of ways while still achieving the desired effect. 
- CCI-001814 - CCI-001882 - CCI-001889 - CCI-001880 - CCI-001881 - CCI-001878 - CCI-001879 - CCI-001875 - CCI-001877 - CCI-001914 - CCI-002233 - CCI-002234 - CM-5(1) - AU-7(a) - AU-7(b) - AU-8(b) - AU-12(3) - AC-6(9) - 10.2.1.2 - SRG-OS-000326-GPOS-00126 - SRG-OS-000327-GPOS-00127 - SRG-APP-000343-CTR-000780 - SRG-APP-000381-CTR-000905 - RHEL-08-030000 - SV-230386r854037_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have -compromised information system accounts, is a serious and ongoing concern -and can have significant adverse impacts on organizations. Auditing the use -of privileged functions is one way to detect such misuse and identify the -risk from insider threats and the advanced persistent threat. - - CCE-83556-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -70877,203 +71074,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Service facts - ansible.builtin.service_facts: null - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Check the rules script being used - ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service - register: check_rules_scripts_result - changed_when: false - failed_when: false - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set suid_audit_rules fact - ansible.builtin.set_fact: - suid_audit_rules: - - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid - regex: 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid - regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions - ansible.builtin.lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: '{{ item.rule }}' - regexp: '{{ item.regex }}' - create: true - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"auditd.service" in ansible_facts.services' - - '"augenrules" in check_rules_scripts_result.stdout' - register: augenrules_audit_rules_privilege_function_update_result - with_items: '{{ suid_audit_rules }}' - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - 
NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Update Update /etc/audit/audit.rules to audit privileged functions - ansible.builtin.lineinfile: - path: /etc/audit/audit.rules - line: '{{ item.rule }}' - regexp: '{{ item.regex }}' - create: true - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"auditd.service" in ansible_facts.services' - - '"auditctl" in check_rules_scripts_result.stdout' - register: auditctl_audit_rules_privilege_function_update_result - with_items: '{{ suid_audit_rules }}' - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Restart Auditd - ansible.builtin.command: /usr/sbin/service auditd restart - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) - - ansible_facts.services["auditd.service"].state == "running" - tags: - - CCE-83556-1 - - DISA-STIG-RHEL-08-030000 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - PCI-DSSv4-10.2.1.2 - - audit_rules_suid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - --- 
-apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-audit-suid-privilege-function.rules - overwrite: true 
@@ -71287,279 +71287,20 @@ utility to read audit rules during daemon startup, add the following line to The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. CCE-80743-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current 
permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/actions.rules" - # If the actions.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. 
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/actions.rules" - # If the actions.rules file doesn't exist yet, create it with correct permissions - if [ ! -e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! 
grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true - name: Gather the package facts package_facts: 
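Review bot: the presence check `grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers"` (and the `readarray` grep `[\s]*-w[\s]+/etc/sudoers` over rules.d) has no terminator after the path, so a `-w /etc/sudoers.d/ -p wa -k actions` line also satisfies it; on a host that has only the sudoers.d watch, the script takes the "rule is found" branch, both sed expressions fail to match the `.d/` line, and the `/etc/sudoers` watch is never appended. Anchor the path with trailing whitespace, e.g. `^[\s]*-w[\s]+/etc/sudoers[\s]+`. The `/etc/sudoers` extraction sed in this block carries the same stray space (`/etc/sudoers $sp\+-p`) as its sudoers.d sibling and should lose it for the same reason. The script is only being moved here (it is re-added unchanged in the following hunk), so the fix belongs in whatever generates this output rather than in this file.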
@@ -71989,20 +71730,279 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + then + # Rule is found => verify yet 
if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/actions.rules" + # If the actions.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! 
grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. 
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/actions.rules" + # If the actions.rules file doesn't exist yet, create it with correct permissions + if [ ! -e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! 
grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -72076,29 +72076,6 @@ Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. CCE-80744-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audit_failure_mode='' - - -# Traverse all of: -# -# /etc/audit/audit.rules, (for auditctl case) -# /etc/audit/rules.d/*.rules (for augenrules case) -find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - -for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" -do - echo '' >> $AUDIT_FILE - echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> $AUDIT_FILE - echo "-f $var_audit_failure_mode" >> $AUDIT_FILE -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -72191,6 +72168,29 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audit_failure_mode='' + + +# Traverse all of: +# +# /etc/audit/audit.rules, (for auditctl case) +# /etc/audit/rules.d/*.rules (for augenrules case) +find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + +for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" +do + echo '' >> $AUDIT_FILE + echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> $AUDIT_FILE + echo "-f $var_audit_failure_mode" >> $AUDIT_FILE +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -73302,148 +73302,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80758-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/group" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -73669,6 +73527,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/group" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -73895,148 +73895,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80759-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
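Review bot: this hunk does not remove the `/etc/gshadow` watch remediation, it moves it. The bash block whose tail is deleted here (down through `>&2 echo 'Remediation is not applicable, nothing was done'` and the closing `fi`) is re-added byte-for-byte in the `@@ -74262,6 +74120,148 @@` hunk that follows, after the Ansible task's `- restrict_strategy` tag, and the same delete/re-add pair repeats below for `/etc/security/opasswd` and `/etc/passwd`. Nothing about the rule's behaviour changes; only the order of the bash and Ansible fix elements inside the Rule does. For an automated publish that is roughly 140 lines of churn per rule, which buries any real change to the remediation logic. The generator should emit fix elements in a stable order, or the publish job should compare normalized content, so that the diff shows only substantive edits.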
@@ -74262,6 +74120,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
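Review bot: both presence checks in this block match on a path prefix rather than the whole path. `grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow"` and the `readarray` grep `"[\s]*-w[\s]+/etc/gshadow"` are satisfied by a rule such as `-w /etc/gshadow- -p wa -k backups` (the `/etc/gshadow-` backup file), because nothing requires whitespace or end of line after `gshadow`. In that case the block takes the "rule is found" branch, but the `sed -ne` extraction and the `sed -i` rewrite both require whitespace directly after `/etc/gshadow`, so neither matches: the existing bits are not merged and the `echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"` append is never reached, leaving the system without the watch while the remediation reports nothing. Terminating the path in the two grep patterns, for example `^[\s]*-w[\s]+/etc/gshadow[\s]+`, makes the detection consistent with what the sed expressions will actually edit.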
@@ -74490,148 +74490,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80760-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -74857,6 +74715,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
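Review bot: the extraction and rewrite `sed` expressions in this block disagree about the whitespace after the path, so the "merge missing bits" logic can drop existing permissions. The extractor `sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p"` has a literal space before `$sp\+`, so it only matches when at least two whitespace characters separate the path from `-p`; the rewrite `sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#"` has no such space and matches the normal single-space form. For an existing `-w /etc/security/opasswd -p rwxa -k foo`, `current_access_bits` therefore comes back empty, the loop builds `wa` from nothing, and the rewrite replaces `rwxa` with `wa`, the opposite of the "original + the required ones" the comment promises. Remove the stray space in the extractor so both patterns match the same rules. The comment "back into the /etc/audit/audit.rules file" above the `sed -i` is also stale in the augenrules half, where `$audit_rules_file` is a file under `/etc/audit/rules.d/`.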
@@ -75088,148 +75088,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80761-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -75455,6 +75313,148 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -75681,148 +75681,6 @@ account changes: will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. CCE-80762-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" - # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -76049,58 +75907,11 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Attempts to perform maintenance activities - The Red Hat Enterprise Linux 8 operating system must generate audit records for -privileged activities, nonlocal maintenance, diagnostic sessions and -other system-level access. - -Verify the operating system audits activities performed during nonlocal -maintenance and diagnostic sessions. Run the following command: -$ sudo auditctl -l | grep sudo.log --w /var/log/sudo.log -p wa -k maintenance - BP28(R73) - CCI-000172 - CCI-002884 - Req-10.2.2 - Req-10.2.5.b - 10.2.1.4 - SRG-OS-000392-GPOS-00172 - SRG-OS-000471-GPOS-00215 - 4.1.3.3 - If events associated with nonlocal administrative access or diagnostic -sessions are not logged, a major tool for assessing and investigating -attacks would not be available. -This requirement addresses auditing-related issues associated with -maintenance tools used specifically for diagnostic and repair actions -on organizational information systems. -Nonlocal maintenance and diagnostic activities are those activities -conducted by individuals communicating through a network, either an -external network (e.g., the internet) or an internal network. Local -maintenance and diagnostic activities are those activities carried -out by individuals physically present at the information system or -information system component and not communicating across a network -connection. -This requirement applies to hardware/software diagnostic test -equipment or tools. This requirement does not cover hardware/software -components that may support information system maintenance, yet are a -part of the system, for example, the software implementing "ping," -"ls," "ipconfig," or the hardware and software implementing the -monitoring port of an Ethernet switch. - CCE-86432-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # @@ -76124,7 +75935,7 @@ files_to_inspect+=('/etc/audit/audit.rules') for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -76132,7 +75943,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -76148,12 +75959,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -76171,8 +75982,8 @@ files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/sudo.log" /etc/audit/rules.d/*.rules) +# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" 
@@ -76185,9 +75996,9 @@ done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions + # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" + # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" @@ -76201,7 +76012,7 @@ fi for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits @@ -76209,7 +76020,7 @@ do # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) 
@@ -76225,12 +76036,12 @@ do done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key - echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" fi done 
@@ -76238,6 +76049,52 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Attempts to perform maintenance activities + The Red Hat Enterprise Linux 8 operating system must generate audit records for +privileged activities, nonlocal maintenance, diagnostic sessions and +other system-level access. + +Verify the operating system audits activities performed during nonlocal +maintenance and diagnostic sessions. Run the following command: +$ sudo auditctl -l | grep sudo.log +-w /var/log/sudo.log -p wa -k maintenance + BP28(R73) + CCI-000172 + CCI-002884 + Req-10.2.2 + Req-10.2.5.b + 10.2.1.4 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + 4.1.3.3 + If events associated with nonlocal administrative access or diagnostic +sessions are not logged, a major tool for assessing and investigating +attacks would not be available. +This requirement addresses auditing-related issues associated with +maintenance tools used specifically for diagnostic and repair actions +on organizational information systems. +Nonlocal maintenance and diagnostic activities are those activities +conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. Local +maintenance and diagnostic activities are those activities carried +out by individuals physically present at the information system or +information system component and not communicating across a network +connection. +This requirement applies to hardware/software diagnostic test +equipment or tools. This requirement does not cover hardware/software +components that may support information system maintenance, yet are a +part of the system, for example, the software implementing "ping," +"ls," "ipconfig," or the hardware and software implementing the +monitoring port of an Ethernet switch. + CCE-86432-2 - name: Gather the package facts package_facts: manager: auto 
@@ -76406,6 +76263,149 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/sudo.log" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/sudo.log" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/sudo.log $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/sudo.log$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/sudo.log -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -76437,6 +76437,158 @@ utility to read audit rules during daemon startup, add the rule to Auditing these events could serve as evidence of potential system compromise.' CCE-80941-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80941-8 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.3.1 + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /var/log/audit + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key 
}}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/access-audit-trail.rules + set_fact: audit_file="/etc/audit/rules.d/access-audit-trail.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r + -F auid>=1000 -F auid!=unset -F key=access-audit-trail + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: 
missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r + -F auid>=1000 -F auid!=unset -F key=access-audit-trail + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80941-8 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.3.1 + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -76756,158 +76908,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80941-8 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-10.3.1 - - directory_access_var_log_audit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /var/log/audit - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path 
to /etc/audit/rules.d/access-audit-trail.rules - set_fact: audit_file="/etc/audit/rules.d/access-audit-trail.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r - -F auid>=1000 -F auid!=unset -F key=access-audit-trail - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the 
audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r - -F auid>=1000 -F auid!=unset -F key=access-audit-trail - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80941-8 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-10.3.1 - - directory_access_var_log_audit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
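Review bot: this hunk is a pure deletion of the Ansible remediation for CCE-80941-8 (directory_access_var_log_audit, from "Gather the package facts" through the closing restrict_strategy tag) with no "+" lines, so confirm the block is re-inserted elsewhere in the patch; the later hunks in this file move bash remediations to sit after their Ansible blocks, which suggests an ordering change rather than a drop, but that cannot be verified from this hunk alone. While the block is in view: both "Declare list of syscalls" tasks set syscalls: [] and syscall_grouping: [], so the two find tasks loop over an empty list and register nothing, syscalls_found is always empty, "Replace the audit rule" can never run, and "Add the audit rule" always runs. That stays idempotent only because lineinfile de-duplicates an exact line match, so a pre-existing rule written as "-k access-audit-trail" (a spelling the never-executed find regex "(-k\s+|-F\s+key=)" would have accepted) ends up duplicated by the "-F key=access-audit-trail" line. The task names "Check existence of in /etc/audit/rules.d/" and "Check existence of in /etc/audit/audit.rules" also have an unrendered placeholder between "of" and "in" that should be filled or reworded.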
@@ -77029,27 +77029,6 @@ group account, change the group ownership of the audit directories to this speci Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. CCE-88225-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then - GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') -else - GROUP=root -fi -if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then - DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev) -else - DIR="/var/log/audit" -fi - - -find ${DIR} -type d -exec chgrp ${GROUP} {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77120,6 +77099,27 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then + GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') +else + GROUP=root +fi +if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then + DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev) +else + DIR="/var/log/audit" +fi + + +find ${DIR} -type d -exec chgrp ${GROUP} {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
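Review bot: the two hunks here relocate the CCE-88225-8 bash remediation from before its Ansible block to after it with no text change, but the moved script has a case-sensitivity mismatch that should be fixed while it is being touched: the test "grep -iw ^log_file /etc/audit/auditd.conf" matches case-insensitively (and, lacking -q, echoes the matched line to stdout), while the extraction awk pattern "/^log_file/" is case-sensitive, so a "LOG_FILE = ..." entry passes the test but leaves DIR empty, and the unquoted "find ${DIR} -type d -exec chgrp ${GROUP} {} \;" then walks the current working directory. The GROUP extraction has the opposite problem: the grep anchors on "^log_group" but the awk pattern "/log_group/" is unanchored, so a commented "#log_group" line would add a second value to GROUP. Suggest dropping -i (or lowercasing in awk), adding -q, anchoring the log_group awk pattern, and quoting "$DIR" and "$GROUP".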
@@ -77238,21 +77238,6 @@ To properly set the owner of /var/log/audit, run the comm Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. CCE-88226-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then - FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') - LOGPATH="$(dirname "$FILE")" - chown root $LOGPATH -else - chown root /var/log/audit -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77320,6 +77305,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then + FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') + LOGPATH="$(dirname "$FILE")" + chown root $LOGPATH +else + chown root /var/log/audit +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
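Review bot: same relocation pattern as the previous pair, and the moved CCE-88226-6 script has a sharper version of the same bug: "grep -iw ^log_file" is case-insensitive but "awk ... /^log_file/" is not, so with an uppercase LOG_FILE entry FILE is empty, LOGPATH="$(dirname "$FILE")" evaluates to ".", and "chown root $LOGPATH" changes ownership of whatever the working directory happens to be rather than the audit log directory. Drop -i (or lowercase the awk match), add -q so the matched line is not echoed, and quote "$LOGPATH".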
@@ -77635,17 +77635,6 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -find /etc/audit/ -maxdepth 1 -type f ! -group 0 -regex '^audit(\.rules|d\.conf)$' -exec chgrp 0 {} \; - -find /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.rules$' -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77726,6 +77715,17 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +find /etc/audit/ -maxdepth 1 -type f ! -group 0 -regex '^audit(\.rules|d\.conf)$' -exec chgrp 0 {} \; + +find /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.rules$' -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
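Review bot: the first find expression in the moved script cannot match anything, so the audit.rules and auditd.conf group fix is a no-op: GNU find's -regex is tested against the whole path (e.g. /etc/audit/audit.rules), so the anchor in "-regex '^audit(\.rules|d\.conf)$'" is compared against a path that starts with "/etc/audit/" and never matches, and with find's default emacs regex syntax the unescaped "(" and "|" are literal characters rather than grouping and alternation. The rules.d expression "'^.*\.rules$'" is fine because of the ".*" prefix. The permissions hunk later in this file uses the working form "'.*audit\(\.rules\|d\.conf\)$'"; this script should be changed to that form rather than carried over unchanged by the move.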
@@ -77752,17 +77752,6 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -find /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex '^audit(\.rules|d\.conf)$' -exec chown 0 {} \; - -find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.rules$' -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -77843,6 +77832,17 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +find /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex '^audit(\.rules|d\.conf)$' -exec chown 0 {} \; + +find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.rules$' -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
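Review bot: identical defect to the chgrp hunk just above: the moved "find /etc/audit/ ... -regex '^audit(\.rules|d\.conf)$' -exec chown 0" never matches because -regex is applied to the full path and the unescaped parentheses and pipe are literals in find's default regex syntax, so ownership of audit.rules and auditd.conf is never corrected by this script; the rules.d expression "'^.*\.rules$'" works. Fix it together with the chgrp variant using the "'.*audit\(\.rules\|d\.conf\)$'" form the permissions hunk already uses.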
@@ -78144,17 +78144,6 @@ Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*audit\(\.rules\|d\.conf\)$' -exec chmod u-xs,g-xws,o-xwrt {} \; - -find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*\.rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -78237,6 +78226,17 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*audit\(\.rules\|d\.conf\)$' -exec chmod u-xs,g-xws,o-xwrt {} \; + +find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '.*\.rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
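Review bot: this relocation is fine and the regexes here are the correct form ("'.*audit\(\.rules\|d\.conf\)$'" and "'.*\.rules$'", escaped grouping with a ".*" prefix), which is what the two ownership hunks above should be aligned to. One thing to confirm from the rule text, which is outside this hunk: "-perm /u+xs,g+xws,o+xwrt" with "chmod u-xs,g-xws,o-xwrt" strips only those bits and leaves owner read/write and group read untouched, so the remediated files can remain at group-readable modes; make sure that matches the maximum mode the rule describes.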
@@ -78369,22 +78369,6 @@ By default, audit_log_file is "/var/log/audit/audit.log".SV-230396r902733_rule If users can write to audit logs, audit trails can be modified or destroyed. CCE-80819-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then - FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') -else - FILE="/var/log/audit/audit.log" -fi - - -chmod 0600 $FILE - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -78525,6 +78509,22 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then + FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') +else + FILE="/var/log/audit/audit.log" +fi + + +chmod 0600 $FILE + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
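Review bot: same grep/awk case mismatch in the moved CCE-80819-6 script: "grep -iw ^log_file" (no -q, so it echoes the line) matches "LOG_FILE", but "awk ... /^log_file/" then yields an empty FILE and the unquoted "chmod 0600 $FILE" fails with a missing operand instead of tightening the log file. Suggest dropping -i, adding -q, and quoting "$FILE".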
@@ -78721,334 +78721,6 @@ can facilitate the identification of patterns of abuse among both authorized and unauthorized users. CCE-80685-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="chmod" - KEY="perm_mod" - SYSCALL_GROUPING="chmod fchmod fchmodat" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
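Review bot: this hunk deletes the entire bash remediation for CCE-80685-1 (334 old lines down to 6 context lines) with no replacement in the hunk; the two hunks that follow rewrite the neighbouring chown script into a chmod script by swapping SYSCALL and SYSCALL_GROUPING, so the net effect is a reordering (Ansible before bash) rather than a loss, but the CCE-to-script pairing should be spot-checked after apply because the diff expresses the move as edits to an adjacent rule. Two points in the script body that survive the move: the grouping step "sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"" interpolates the matched rule text unescaped into a sed address and replacement, which is safe for the "-a always,exit -F arch=... -S ..." rules expected here but breaks on any existing rule containing "#" or "&"; and the whole inspect-and-group block is present twice verbatim inside the for-ARCH loop (the second copy starts at the "unset syscall_a" that follows the first grouping sed, once for rules.d and once for audit.rules), which is why the script runs to 334 lines. The second point is a generator concern rather than something to fix in this patch.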
@@ -79390,185 +79062,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - chown - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - - CCE-80686-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -79580,9 +79074,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="chown" + SYSCALL="chmod" KEY="perm_mod" - SYSCALL_GROUPING="chown fchown fchownat lchown" + SYSCALL_GROUPING="chmod fchmod fchmodat" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
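Review bot: the first hunk here drops the whole chown rule definition (title, description, reference list, RHEL-08-030480, SV-230455r810459_rule, CCE-80686-9) and keeps only the bash header, and the second hunk rewrites that script's SYSCALL="chown" / SYSCALL_GROUPING="chown fchown fchownat lchown" to SYSCALL="chmod" / SYSCALL_GROUPING="chmod fchmod fchmodat", so after apply the script following the chmod Ansible block is chmod's; that is consistent with the chmod script deleted in the hunk above, including the aarch64 exclusion on the "if" line. Check that the re-added chown description carries the same identifiers as the deleted copy. Separately, the deleted description says "Here the system calls have been placed independent of other system calls" and shows standalone "-S chown" rules, while the script groups chown into any existing rule that already lists fchown, fchownat or lchown; the Note does say grouping is more efficient, but the example rules in the description will not match what the remediation writes, and the check side should be confirmed to accept the grouped form.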
@@ -79896,6 +79390,184 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chown + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + CCE-80686-9 - name: Gather the package facts package_facts: manager: auto 
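Review bot: this is the chown rule block deleted in the previous hunk re-added after the chmod bash script; title, description, reference list, RHEL-08-030480, SV-230455r810459_rule and CCE-80686-9 all match the deleted copy, so it is a move with no content change. One wording point carried over: the rationale reads "The changing of file permissions could indicate..." but the rule audits ownership changes (the chown syscall); "file ownership or permissions" would describe what this rule records.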
@@ -80241,184 +79913,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchmod - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030490 - 4.1.3.9 - SV-230456r810462_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80687-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -80429,9 +79925,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchmod" + SYSCALL="chown" KEY="perm_mod" - SYSCALL_GROUPING="chmod fchmod fchmodat" + SYSCALL_GROUPING="chown fchown fchownat lchown" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
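Review bot: the three changed lines in the `@@ -80429,9 +79925,9 @@` hunk have to be read together with the platform line just above it: `SYSCALL="chown"`, `SYSCALL_GROUPING="chown fchown fchownat lchown"` and the new `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }` guard all describe the chown rule, and the guard is needed because chown and lchown are not in the arm64 syscall table (fchown and fchownat are, which is why the later hunks for those rules carry no such guard). The fchmod-to-chown substitution is git's line-based pairing of the moved chown remediation with the slot fchmod used to occupy, not an edit of either script; the check worth making on each such hunk is that SYSCALL, its grouping and the platform guard agree, which they do here.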
@@ -80745,6 +80241,182 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmod + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030490 + 4.1.3.9 + SV-230456r810462_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80687-7 - name: Gather the package facts package_facts: manager: auto 
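Review bot: the re-added fchmod description keeps the wording "Grouping these system calls with others as identifying earlier in this guide is more efficient", which should read "as identified earlier in this guide"; the same sentence is repeated verbatim in every moved block in this patch, so the fix belongs in the shared upstream rule template rather than in this generated datastream. Otherwise, as far as these lines show, the block matches the one removed in the `@@ -80241,184 +79913,8 @@` hunk (same four rule lines, same CCE-80687-7, same RHEL-08-030490 / SV-230456r810462_rule), which is what a pure reorder should look like.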
@@ -81083,183 +80755,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchmodat - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030490 - 4.1.3.9 - SV-230456r810462_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80688-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -81271,7 +80767,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchmodat" + SYSCALL="fchmod" KEY="perm_mod" SYSCALL_GROUPING="chmod fchmod fchmodat" 
@@ -81587,6 +81083,182 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmodat + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030490 + 4.1.3.9 + SV-230456r810462_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80688-5 - name: Gather the package facts package_facts: manager: auto 
@@ -81925,187 +81597,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchown - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80689-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -82117,9 +81609,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchown" + SYSCALL="fchmodat" KEY="perm_mod" - SYSCALL_GROUPING="chown fchown fchownat lchown" + SYSCALL_GROUPING="chmod fchmod fchmodat" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
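Review bot: `SYSCALL="fchown"` becoming `SYSCALL="fchmodat"` together with `SYSCALL_GROUPING` moving from `chown fchown fchownat lchown` to `chmod fchmod fchmodat` keeps the invariant that the grouping contains the syscall being remediated; the same invariant holds in the single-line hunks above and below (fchmodat to fchmod, and fchownat to fchown, where the grouping is unchanged context and already contains the new value). None of these rules carries the aarch64 guard the chown hunk has, which is right since fchmod, fchmodat, fchown and fchownat all exist on arm64.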
@@ -82433,6 +81925,186 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchown + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80689-3 - name: Gather the package facts package_facts: manager: auto 
@@ -82775,184 +82447,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fchownat - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80690-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -82964,7 +82459,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fchownat" + SYSCALL="fchown" KEY="perm_mod" SYSCALL_GROUPING="chown fchown fchownat lchown" 
@@ -83280,6 +82775,183 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchownat + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80690-1 - name: Gather the package facts package_facts: manager: auto 
@@ -83622,197 +83294,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr - At a minimum, the audit system should collect file permission -changes for all users and root. - -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000466-GPOS-00210 - SRG-OS-000468-GPOS-00212 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000499-CTR-001255 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The changing of file permissions could indicate 
that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80691-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule 
@@ -83824,328 +83306,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fremovexattr" - KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e 
"/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! -e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - - - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid=0" - SYSCALL="fremovexattr" + SYSCALL="fchownat" KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + SYSCALL_GROUPING="chown fchown fchownat lchown" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
@@ -84459,6 +83622,196 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000466-GPOS-00210 + SRG-OS-000468-GPOS-00212 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000499-CTR-001255 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The changing of file permissions could indicate 
that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80691-9 - name: Gather the package facts package_facts: manager: auto 
@@ -85065,194 +84418,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - fsetxattr - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000466-GPOS-00210 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The 
changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80692-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -85264,7 +84430,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="fsetxattr" + SYSCALL="fremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -85583,7 +84749,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="fsetxattr" + SYSCALL="fremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
@@ -85899,132 +85065,319 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80692-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030200 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit fsetxattr tasks - set_fact: - audit_arch: b64 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" - tags: - - CCE-80692-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030200 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Perform remediation of Audit rules for fsetxattr for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - fsetxattr - syscall_grouping: - - fremovexattr - - lremovexattr - - removexattr - - fsetxattr - - lsetxattr - - setxattr - - - name: Check existence of fsetxattr in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - 
- name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k - |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 - -F auid!=unset -F key=perm_mod - create: true - mode: o-rwx - state: 
present - when: syscalls_found | length == 0 - + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000466-GPOS-00210 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The 
changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80692-7 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80692-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030200 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit fsetxattr tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80692-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030200 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for fsetxattr for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - fsetxattr + syscall_grouping: + - fremovexattr + - lremovexattr + - removexattr + - fsetxattr + - lsetxattr + - setxattr + + - name: Check existence of fsetxattr in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' 
+ register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules + set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k + |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + 
lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 + -F auid!=unset -F key=perm_mod + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls set_fact: syscalls: 
@@ -86505,186 +85858,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - lchown - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000466-GPOS-00210 - SRG-OS-000458-GPOS-00203 - SRG-OS-000474-GPOS-00219 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030480 - 4.1.3.9 - SV-230455r810459_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - - CCE-80693-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system 
@@ -86695,9 +85870,328 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="lchown" + SYSCALL="fsetxattr" KEY="perm_mod" - SYSCALL_GROUPING="chown fchown fchownat lchown" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions 
matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! -e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + + + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid=0" + SYSCALL="fsetxattr" + KEY="perm_mod" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
@@ -87011,6 +86505,184 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lchown + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000466-GPOS-00210 + SRG-OS-000458-GPOS-00203 + SRG-OS-000474-GPOS-00219 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030480 + 4.1.3.9 + SV-230455r810459_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + CCE-80693-5 - name: Gather the package facts package_facts: manager: auto 
@@ -87356,200 +87028,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr - At a minimum, the audit system should collect file permission -changes for all users and root. - -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000466-GPOS-00210 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - 
SV-230413r810463_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80694-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system 
@@ -87560,328 +87040,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="lremovexattr" - KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e 
"/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! -e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - - - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid=0" - SYSCALL="lremovexattr" + SYSCALL="lchown" KEY="perm_mod" - SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + SYSCALL_GROUPING="chown fchown fchownat lchown" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a 
@@ -88195,6 +87356,198 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000466-GPOS-00210 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + 
SV-230413r810463_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80694-3 - name: Gather the package facts package_facts: manager: auto 
@@ -88801,194 +88154,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - lsetxattr - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000466-GPOS-00210 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The 
changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80695-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -89000,7 +88166,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="lsetxattr" + SYSCALL="lremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -89319,7 +88485,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="lsetxattr" + SYSCALL="lremovexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
@@ -89635,6 +88801,193 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000466-GPOS-00210 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The 
changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80695-0 - name: Gather the package facts package_facts: manager: auto 
@@ -90241,198 +89594,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - removexattr - At a minimum, the audit system should collect file permission -changes for all users and root. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod - -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000462-GPOS-00206 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-OS-000474-GPOS-00219 - SRG-OS-000466-GPOS-00210 - SRG-OS-000064-GPOS-00033 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030200 - 4.1.3.9 - 
SV-230413r810463_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80696-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -90444,7 +89606,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="removexattr" + SYSCALL="lsetxattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -90763,7 +89925,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="removexattr" + SYSCALL="lsetxattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
@@ -91079,6 +90241,197 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - removexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000466-GPOS-00210 + SRG-OS-000064-GPOS-00033 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030200 + 4.1.3.9 + 
SV-230413r810463_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80696-8 - name: Gather the package facts package_facts: manager: auto 
@@ -91685,186 +91038,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - setxattr - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod --a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000126 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.5.5 - 10.3.4 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000466-GPOS-00210 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-APP-000091-CTR-000160 - SRG-APP-000492-CTR-001220 - SRG-APP-000493-CTR-001225 - SRG-APP-000494-CTR-001230 - SRG-APP-000500-CTR-001260 - SRG-APP-000507-CTR-001295 - SRG-APP-000495-CTR-001235 - RHEL-08-030200 - 4.1.3.9 - SV-230413r810463_rule - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. 
Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-80697-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -91876,7 +91050,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="setxattr" + SYSCALL="removexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" @@ -92195,7 +91369,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid=0" - SYSCALL="setxattr" + SYSCALL="removexattr" KEY="perm_mod" SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" 
@@ -92511,6 +91685,185 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - setxattr + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + 10.3.4 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000466-GPOS-00210 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-APP-000091-CTR-000160 + SRG-APP-000492-CTR-001220 + SRG-APP-000493-CTR-001225 + SRG-APP-000494-CTR-001230 + SRG-APP-000500-CTR-001260 + SRG-APP-000507-CTR-001295 + SRG-APP-000495-CTR-001235 + RHEL-08-030200 + 4.1.3.9 + SV-230413r810463_rule + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-80697-6 - name: Gather the package facts package_facts: manager: auto 
@@ -93117,215 +92470,183 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - umount - At a minimum, the audit system should collect file system umount -changes. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. - CCI-000130 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -ACTION_ARCH_FILTERS="-a always,exit -F arch=b32" -OTHER_FILTERS="" -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="umount" -KEY="perm_mod" -SYSCALL_GROUPING="" - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e 
"/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! -e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -for audit_file in "${files_to_inspect[@]}" +for ARCH in "${RULE_ARCHS[@]}" do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="setxattr" + KEY="perm_mod" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -unset syscall_a + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -93471,11 +92792,369 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi +done + + + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid=0" + SYSCALL="setxattr" + KEY="perm_mod" + SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different 
delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! -e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount + At a minimum, the audit system should collect file system umount +changes. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. 
Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + - name: Gather the package facts package_facts: manager: auto 
@@ -93619,67 +93298,18 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Events that Modify the System's Discretionary Access Controls - umount2 - At a minimum, the audit system should collect file system umount2 -changes. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. - BP28(R73) - CCI-000130 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. - CCE-90776-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="umount2" - KEY="perm_mod" - SYSCALL_GROUPING="" +ACTION_ARCH_FILTERS="-a always,exit -F arch=b32" +OTHER_FILTERS="" +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="umount" +KEY="perm_mod" +SYSCALL_GROUPING="" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -93838,7 +93468,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a +unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -93984,12 +93614,54 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi -done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount2 + At a minimum, the audit system should collect file system umount2 +changes. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + BP28(R73) + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. 
Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + CCE-90776-6 - name: Gather the package facts package_facts: manager: auto 
@@ -94284,65 +93956,24 @@ fi - reboot_required - restrict_strategy - - - - - - - - - - Record Execution Attempts to Run ACL Privileged Commands - At a minimum, the audit system should collect the execution of -ACL privileged commands for all users and root. - - Record Any Attempts to Run chacl - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030570 - 4.1.3.17 - SV-230464r627750_rule - Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. -Audit records can be generated from various components within the -information system (e.g., module or policy filter). - CCE-89446-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then -ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/bin/chacl -F perm=x" -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="" -KEY="privileged" -SYSCALL_GROUPING="" -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -unset syscall_a +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="umount2" + KEY="perm_mod" + SYSCALL_GROUPING="" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -94501,7 +94132,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi -unset syscall_a + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -94647,11 +94278,60 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi +done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Execution Attempts to Run ACL Privileged Commands + At a minimum, the audit system should collect the execution of +ACL privileged commands for all users and root. + + Record Any Attempts to Run chacl + At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030570 + 4.1.3.17 + SV-230464r627750_rule + Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. +Audit records can be generated from various components within the +information system (e.g., module or policy filter). + CCE-89446-9 - name: Gather the package facts package_facts: manager: auto 
@@ -94796,52 +94476,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run setfacl - At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030330 - 4.1.3.16 - SV-230435r627750_rule - Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. -Audit records can be generated from various components within the -information system (e.g., module or policy filter). - CCE-88437-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/bin/setfacl -F perm=x" +OTHER_FILTERS="-F path=/usr/bin/chacl -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -95157,6 +94796,47 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run setfacl + At a minimum, the audit system should collect any execution attempt +of the setfacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030330 + 4.1.3.16 + SV-230435r627750_rule + Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. +Audit records can be generated from various components within the +information system (e.g., module or policy filter). + CCE-88437-9 - name: Gather the package facts package_facts: manager: auto 
@@ -95301,140 +94981,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Record Execution Attempts to Run SELinux Privileged Commands - At a minimum, the audit system should collect the execution of -SELinux privileged commands for all users and root. - - Record Any Attempts to Run chcon - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - 
SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030260 - 4.1.3.15 - SV-230419r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80698-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x" +OTHER_FILTERS="-F path=/usr/bin/setfacl -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -95750,6 +95301,135 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Execution Attempts to Run SELinux Privileged Commands + At a minimum, the audit system should collect the execution of +SELinux privileged commands for all users and root. + + Record Any Attempts to Run chcon + At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 
+ SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030260 + 4.1.3.15 + SV-230419r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80698-4 - name: Gather the package facts package_facts: manager: auto 
@@ -95904,117 +95584,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run restorecon - At a minimum, the audit system should collect any execution attempt -of the restorecon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000392-GPOS-00172 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. 
-Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80699-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/restorecon -F perm=x" +OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -96330,6 +95904,112 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run restorecon + At a minimum, the audit system should collect any execution attempt +of the restorecon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000392-GPOS-00172 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80699-2 - name: Gather the package facts package_facts: manager: auto 
@@ -96482,138 +96162,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run semanage - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - 
SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - RHEL-08-030313 - SV-230429r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80700-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/restorecon -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -96929,6 +96482,133 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run semanage + At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + 
SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + RHEL-08-030313 + SV-230429r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80700-8 - name: Gather the package facts package_facts: manager: auto 
@@ -97085,62 +96765,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run setfiles - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000169 - CCI-000172 - CCI-002884 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - RHEL-08-030314 - SV-230430r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. 
- CCE-82280-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -97456,6 +97085,57 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run setfiles + At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000169 + CCI-000172 + CCI-002884 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + RHEL-08-030314 + SV-230430r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-82280-9 - name: Gather the package facts package_facts: manager: auto 
@@ -97608,131 +97288,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run setsebool - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000463-GPOS-00207 - SRG-OS-000465-GPOS-00209 - SRG-APP-000495-CTR-001235 - SRG-APP-000496-CTR-001240 - SRG-APP-000497-CTR-001245 - SRG-APP-000498-CTR-001250 - RHEL-08-030316 - SV-230432r627750_rule - Misuse 
of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80701-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -98048,6 +97608,126 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run setsebool + At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-APP-000495-CTR-001235 + SRG-APP-000496-CTR-001240 + SRG-APP-000497-CTR-001245 + SRG-APP-000498-CTR-001250 + RHEL-08-030316 + 
SV-230432r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80701-6 - name: Gather the package facts package_facts: manager: auto 
@@ -98202,47 +97882,11 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run seunshare - At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80933-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then ACTION_ARCH_FILTERS="-a always,exit" -OTHER_FILTERS="-F path=/usr/sbin/seunshare -F perm=x" +OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="" KEY="privileged" 
@@ -98558,6 +98202,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Any Attempts to Run seunshare + At a minimum, the audit system should collect any execution attempt +of the seunshare command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80933-5 - name: Gather the package facts package_facts: manager: auto 
@@ -98708,180 +98388,17 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - - Record File Deletion Events by User - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete - - Ensure auditd Collects File Deletion Events by User - At a minimum the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete - This rule checks for multiple syscalls related to file deletion; -it was written with DISA STIG in mind. 
Other policies should use a -separate rule for each syscall that needs to be checked. For example: -audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkat - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000366 - CCI-000172 - CCI-002884 - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 4.1.14 - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - CCE-80702-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then -# Perform the remediation for the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="rmdir unlink unlinkat rename renameat" - KEY="delete" - SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a +ACTION_ARCH_FILTERS="-a always,exit" +OTHER_FILTERS="-F path=/usr/sbin/seunshare -F perm=x" +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="" +KEY="privileged" +SYSCALL_GROUPING="" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -99040,7 +98557,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a +unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -99186,34 +98703,51 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi -done else >&2 echo 'Remediation is not applicable, nothing was done' fi - + - + - - Ensure auditd Collects File Deletion Events by User - rename - At a minimum, the audit system should collect file deletion events + + + Record File Deletion Events by User + At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: --a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: --a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete + + Ensure auditd Collects File Deletion Events by User + At a minimum the audit system should collect file deletion events +for all users and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete + This rule checks for multiple syscalls related to file deletion; +it was written with DISA STIG in mind. Other policies should use a +separate rule for each syscall that needs to be checked. For example: +audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkat 1 11 12 @@ -99230,6 +98764,7 @@ appropriate for your system: 7 8 9 + 5.4.1.1 APO10.01 APO10.03 APO10.04 @@ -99258,27 +98793,14 @@ appropriate for your system: MEA01.05 MEA02.01 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 CCI-000366 + CCI-000172 CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 - 4.3.3.6.5 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 @@ -99305,7 +98827,6 @@ appropriate for your system: SR 6.2 SR 7.1 SR 7.6 - A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 @@ -99316,7 +98837,6 @@ appropriate for your system: A.13.2.1 A.14.1.3 A.14.2.7 - A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 
@@ -99334,39 +98854,21 @@ appropriate for your system: DE.CM-7 ID.SC-4 PR.AC-3 - PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule + 4.1.14 Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. - - CCE-80703-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + CCE-80702-4 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then -# First perform the remediation of the syscall rule +# Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") @@ -99375,9 +98877,9 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="rename" + SYSCALL="rmdir unlink unlinkat rename renameat" KEY="delete" - SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" + SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
@@ -99690,6 +99192,177 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rename + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 
A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + CCE-80703-2 - name: Gather the package facts package_facts: manager: auto 
@@ -100035,178 +99708,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - renameat - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - 
A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - CCE-80704-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -100217,7 +99720,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="renameat" + SYSCALL="rename" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -100532,6 +100035,176 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - renameat + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + 
A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + CCE-80704-0 - name: Gather the package facts package_facts: manager: auto 
@@ -100874,179 +100547,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - rmdir - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - A.15.2.1 
- A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.14 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - - CCE-80705-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -101057,7 +100559,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="rmdir" + SYSCALL="renameat" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -101372,6 +100874,177 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rmdir + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 
A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.14 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + CCE-80705-7 - name: Gather the package facts package_facts: manager: auto 
@@ -101717,178 +101390,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - unlink - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - 
A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - - CCE-80706-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -101900,7 +101402,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="unlink" + SYSCALL="rmdir" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
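Review bot: the `-`/`+` pairs in this hunk (`SYSCALL="unlink"` to `SYSCALL="rmdir"`, and the comment line above the `if` guard) are an artefact of the bash fix moving behind the ansible fix inside each rule, not an edit of the unlink script: the `+` side sits inside the CCE-80705-7 rule, whose `- name: Gather the package facts` ansible task now immediately precedes it, while the unlink block removed here (171 lines, CCE-80706-5) is re-added unchanged in the next hunk. The commit message should say that fix ordering changed, because a reader of the raw diff would otherwise conclude the unlink rule had been re-pointed at rmdir.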
@@ -102215,6 +101717,177 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlink + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 
A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + CCE-80706-5 - name: Gather the package facts package_facts: manager: auto 
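Review bot: the re-added description for "Ensure auditd Collects File Deletion Events by User - unlink" still tells the reader to add `-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete` "setting ARCH to either b32 or b64 as appropriate", but the bash fix for this rule (the `+ SYSCALL="unlink"` script in the hunk after next) refuses to run when `grep -q aarch64 /proc/sys/kernel/osrelease` matches, because aarch64 provides only `unlinkat` and has no `unlink` syscall. Add one sentence to the description stating that the rule does not apply on aarch64, so a manual auditor on that platform does not add a rule auditctl will reject.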
@@ -102560,178 +102233,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects File Deletion Events by User - unlinkat - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: --a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-000366 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.5 - 4.3.3.6.6 - 4.3.3.6.7 - 4.3.3.6.8 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.4 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.1.1 - 
A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.MA-2 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - 10.2.1.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-OS-000467-GPOS-00211 - SRG-OS-000468-GPOS-00212 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030361 - 4.1.3.13 - SV-230439r810465_rule - Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence. - CCE-80707-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -102742,7 +102245,7 @@ do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="unlinkat" + SYSCALL="unlink" KEY="delete" SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
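Review bot: the platform guard on the `+if` line of this hunk, `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }`, identifies the architecture by searching the kernel release string; that string carries `.aarch64` only as a packaging convention of the distribution kernel and a custom-built kernel may omit it, so `uname -m` (the same source `getconf LONG_BIT` is effectively using two lines later for b32/b64) is the reliable check. As in the previous hunk, the `-unlinkat`/`+unlink` flip on the `SYSCALL=` line and the appearance of the aarch64 guard are the unlink bash fix moving into the slot the unlinkat bash fix vacated (its ansible tags `- reboot_required` / `- restrict_strategy` are the context above), not a change to either script.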
@@ -103057,6 +102560,176 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlinkat + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + 
A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + 10.2.1.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030361 + 4.1.3.13 + SV-230439r810465_rule + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + CCE-80707-3 - name: Gather the package facts package_facts: manager: auto 
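Review bot: the re-added unlinkat description should note that on aarch64 this is the only one of the three file-deletion rules whose fix applies (the sibling unlink and rmdir bash fixes skip aarch64), and that on that platform directory removal is also performed through `unlinkat` with the `AT_REMOVEDIR` flag, so the `delete` key still captures rmdir-style events there; without that sentence an auditor comparing the three descriptions cannot tell why only this one is loaded on aarch64.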
@@ -103398,6 +103071,333 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="unlinkat" + KEY="delete" + SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
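Review bot: the sed filters in this added script only work for empty `OTHER_FILTERS` by accident. With `OTHER_FILTERS=""` the address `-e "\#$OTHER_FILTERS#!d"` becomes `\##!d`, and in sed an empty regular expression means "reuse the last regular expression", so it silently re-applies the preceding `/^$ACTION_ARCH_FILTERS/` match rather than matching everything; the same applies to `-e "s#$OTHER_FILTERS##"` in the `extra_fields` computation. Guard the filter with a test such as `[ -n "$OTHER_FILTERS" ]` before adding that `-e` expression. Smaller points on the same hunk: the `|| /bin/true` appended to `full_rule="$ACTION_ARCH_FILTERS${syscall_string}..."` is dead code (a plain assignment cannot fail; it is only meaningful on the `$( [[ ... ]] && echo ...)` lines above it); `read -a syscall_a <<< $SYSCALL`, `chmod o-rwx ${default_file}` and `"\#${rule_to_edit}#s#..."` use unquoted or unescaped expansions where the rest of the script quotes; and the comments carry typos ("more fields then required", "than check if there was any field left over", "an exsiting rule", "4-rd argument").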
@@ -105196,646 +105196,6 @@ to the same event is more efficient. See the following example: these events could serve as evidence of potential system compromise. CCE-80975-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="chmod" -KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EACCES" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EPERM" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -106466,43 +105826,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - chown - The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80984-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -106510,9 +105834,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="chown" +SYSCALL="chmod" KEY="access" -SYSCALL_GROUPING="chown fchown fchownat lchown" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -107142,6 +106466,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - chown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80984-8 - name: Gather the package facts package_facts: manager: auto 
@@ -107756,179 +107116,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - creat - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80751-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule @@ -107936,9 +107124,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="creat" +SYSCALL="chown" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chown fchown fchownat lchown" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -108568,6 +107756,178 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - creat + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80751-1 - name: Gather the package facts package_facts: manager: auto 
@@ -109222,52 +108582,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fchmod - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80977-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchmod" +SYSCALL="creat" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -109897,6 +109222,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fchmod + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80977-2 - name: Gather the package facts package_facts: manager: auto 
@@ -110522,42 +109882,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fchmodat - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80976-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -110565,7 +109890,7 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchmodat" +SYSCALL="fchmod" KEY="access" SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" 
@@ -111197,6 +110522,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fchmodat + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80976-4 - name: Gather the package facts package_facts: manager: auto 
@@ -111822,42 +111182,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - fchown - The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80986-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -111865,9 +111190,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchown" +SYSCALL="fchmodat" KEY="access" -SYSCALL_GROUPING="chown fchown fchownat lchown" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -112497,6 +111822,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - fchown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80986-3 - name: Gather the package facts package_facts: manager: auto 
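Review bot: the fchown block added in this hunk is the verbatim text removed in the hunk before it (same title, same CCE-80986-3, same rule lines and rationale), and every other hunk in this region follows the same remove-then-reinsert pattern, so the net effect is a reordering of rules with no content change. That produces a very large publish diff for zero semantic difference; if the publisher does not order rules deterministically, sorting them upstream (for example by rule id) would keep these automated commits reviewable.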
@@ -113106,42 +112466,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - fchownat - The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80985-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -113149,7 +112474,7 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fchownat" +SYSCALL="fchown" KEY="access" SYSCALL_GROUPING="chown fchown fchownat lchown" 
@@ -113781,6 +113106,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - fchownat + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80985-5 - name: Gather the package facts package_facts: manager: auto 
@@ -114390,42 +113750,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fremovexattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80978-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! 
-f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -114433,9 +113758,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fremovexattr" +SYSCALL="fchownat" KEY="access" -SYSCALL_GROUPING="" +SYSCALL_GROUPING="chown fchown fchownat lchown" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -115065,6 +114390,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fremovexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80978-0 - name: Gather the package facts package_facts: manager: auto 
@@ -115642,42 +115002,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - fsetxattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80979-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -115685,9 +115010,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="fsetxattr" +SYSCALL="fremovexattr" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="" for ARCH in "${RULE_ARCHS[@]}" do 
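Review bot: `SYSCALL_GROUPING=""` for fremovexattr means the remediation writes it as a stand-alone rule, while the description in the preceding hunk advises grouping and gives `-S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr` as the efficient form, a list that does not contain fremovexattr at all. The same combination (empty grouping plus a grouping example that omits the syscall) recurs for lremovexattr later in the patch. Either add fremovexattr and lremovexattr to the permission-change grouping in both the description example and `SYSCALL_GROUPING`, or drop the grouping advice from these two descriptions so the text matches what actually gets installed.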
@@ -116317,6 +115642,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - fsetxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80979-8 - name: Gather the package facts package_facts: manager: auto 
@@ -116942,181 +116302,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - ftruncate - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80752-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -117124,9 +116310,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="ftruncate" +SYSCALL="fsetxattr" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -117756,6 +116942,180 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - ftruncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80752-9 - name: Gather the package facts package_facts: manager: auto 
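Review bot: the ftruncate description says "Grouping these system calls with others as identifying earlier in this guide is more efficient" (should read "as identified") but, unlike the chmod/chown family rules, gives no grouped example even though the remediation for this rule already encodes the group as `SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"`. The description could show the same list, e.g. `-a always,exit -F arch=b32 -S creat,ftruncate,truncate,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access`. Also, the augenrules and auditctl paragraphs repeat the identical four rule lines; stating them once and pointing both paragraphs at them would halve the text.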
@@ -118405,57 +117765,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Ownership Changes to Files - lchown - The audit system should collect unsuccessful file ownership change -attempts for all users and root. - -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. - --a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80987-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="lchown" +SYSCALL="ftruncate" KEY="access" -SYSCALL_GROUPING="chown fchown fchownat lchown" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -119085,6 +118405,46 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Ownership Changes to Files - lchown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80987-1 - name: Gather the package facts package_facts: manager: auto 
@@ -119699,52 +119059,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - lremovexattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80980-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="lremovexattr" +SYSCALL="lchown" KEY="access" -SYSCALL_GROUPING="" +SYSCALL_GROUPING="chown fchown fchownat lchown" for ARCH in "${RULE_ARCHS[@]}" do 
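Review bot: the `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }` guard now travels with the lchown block, which is correct: lchown is not in the arm64 syscall table, so `auditctl` would reject a `-S lchown` rule there, and the ftruncate block that took lchown's former position rightly drops the guard. Two smaller points: detecting the architecture by grepping the kernel release string only works because the distribution's release strings carry the arch suffix, and `uname -m` is the direct check; and the lchown description still tells every reader, aarch64 included, to add the lchown lines by hand with no mention of the exclusion, so a one-line note that the rule does not apply on aarch64 would prevent a failing augenrules load on those hosts.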
@@ -120374,6 +119699,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - lremovexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80980-6 - name: Gather the package facts package_facts: manager: auto 
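Review bot: The grouping example in the re-added lremovexattr description (`-S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr`) does not contain lremovexattr, so it does not show how to group this syscall, and the matching remediation sets `SYSCALL_GROUPING=""`, so the shipped fix never groups it either. Either extend the example and the grouping list with `removexattr,lremovexattr,fremovexattr`, or drop the "Grouping system calls related to the same event is more efficient" sentence from this rule, since as written it recommends something the remediation does not do. While the generator source is open, `unsuccesful-perm-change` in the four documented rule lines should read `unsuccessful-perm-change`.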
@@ -120951,42 +120311,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - lsetxattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80981-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -120994,9 +120319,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="lsetxattr" +SYSCALL="lremovexattr" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="" for ARCH in "${RULE_ARCHS[@]}" do 
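Review bot: Same move as above: the lsetxattr rule (CCE-80981-4) removed here returns unchanged in the following hunk, and the 9-line hunk at `@@ -120994,9 +120319,9 @@` only exchanges `SYSCALL="lsetxattr"` / `SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr"` for `SYSCALL="lremovexattr"` / `SYSCALL_GROUPING=""`. Note that for lsetxattr the grouping example in the description already contains the syscall itself and agrees with the script's grouping list, which is the pattern the lremovexattr rule should mirror; on a remediated host the set-xattr family ends up on one grouped `-F key=access` line per exit code while lremovexattr gets its own standalone line, exactly the per-syscall layout the rule text calls less efficient.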
@@ -121626,6 +120951,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - lsetxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80981-4 - name: Gather the package facts package_facts: manager: auto 
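Review bot: The documented rule lines in the re-added lsetxattr block prescribe `-F key=unsuccesful-perm-change` (misspelled), while the bash remediation for this rule writes `KEY="access"`, so a rule added by hand per the description and one written by the remediation land under different keys and an `ausearch -k` for either one misses the other. Make the description and the remediation agree on the key (the open and open_by_handle_at rules below use `key=access` in both places), or state in the text that the key is advisory.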
@@ -122251,192 +121611,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - open - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80753-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="open" +SYSCALL="lsetxattr" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
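Review bot: The aarch64 exclusion is dropped from this script header only because the `open` rule (CCE-80753-7) is moving out and lsetxattr is moving in; the guard reappears with `open` in a later hunk, which is correct since arm64 provides only openat and has no `open` syscall, whereas lsetxattr exists on every architecture. The reference list removed here includes `BP28(R73)`, which the otherwise identical open_by_handle_at rule below does not carry; if ANSSI R73 genuinely applies to one of the two open-family rules and not the other, a comment in the source would save the next reviewer from wondering whether it is an omission.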
@@ -123066,6 +122251,181 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - open + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80753-7 - name: Gather the package facts package_facts: manager: auto 
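Review bot: Typo in the re-added note text, "Grouping these system calls with others as identifying earlier in this guide is more efficient", should read "as identified earlier in this guide"; the same sentence appears in the open_by_handle_at rule, so fix it once in the shared template rather than in each rendered rule. The rest of the block (the four `-F key=access` lines repeated for augenrules and auditctl, the full COBIT/HIPAA/ISA/ISO/NIST/CCI/SRG/STIG list, `RHEL-08-030420`, `SV-230449r810455_rule`) is byte-identical to the removed copy, so no re-verification of the mappings is needed for this hunk.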
@@ -123720,185 +123080,15 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - open_by_handle_at - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.10 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80755-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="open_by_handle_at" +SYSCALL="open" KEY="access" SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" 
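Review bot: The open_by_handle_at description removed here (and re-added unchanged below) is internally inconsistent: the augenrules section prescribes `-S open_by_handle_at` alone, the auditctl section prescribes `-S open_by_handle_at,truncate,ftruncate`, and the closing note then claims the system calls "have been placed independent of other system calls", which is only true of the first variant. The two loaders should be given the same rule lines; the remediation itself uses `SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"`, so the grouped form with all six is the one the text should show.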
@@ -124530,6 +123720,176 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - open_by_handle_at + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.10 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80755-2 - name: Gather the package facts package_facts: manager: auto 
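Review bot: The CIS reference on the re-added open_by_handle_at rule is `4.1.10`, while the sibling open rule above carries `4.1.3.7`; these look like section numbers from two different editions of the CIS benchmark, so one of the two rules is mapped against the wrong edition and the pair should be aligned. Everything else in the block, including the shared `RHEL-08-030420` / `SV-230449r810455_rule` STIG identifiers and the `key=access` lines, matches the removed copy.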
@@ -125180,6 +124540,646 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="open_by_handle_at" +KEY="access" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EPERM" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
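Review bot: the grouping edit `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"` and the earlier selection filters `-e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d"` interpolate rule text straight into sed patterns without escaping regex metacharacters. The comment "As other_filters may include paths, lets use a different delimiter for it" only addresses the `/` delimiter; a path containing `.`, `*` or `[` still matches loosely, so the substitution can land on a rule other than the one `rule_to_edit` was taken from. Escaping the interpolated strings before building the sed expressions would make the edit hit exactly the intended line. Smaller points in the same hunk: `full_rule="..." || /bin/true` is a no-op because a plain assignment cannot fail, `chmod o-rwx ${default_file}` should quote the path like the surrounding commands do, and the comments carry typos ("than check if there was any field left over" should read "then check", "more fields then required", "an exsiting rule", "4-rd argument").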
@@ -125345,57 +125345,6 @@ to the same event is more efficient. See the following example: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. CCE-80965-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
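Review bot: this removal is a pure relocation, not a content change: the same `cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules"` script with identical rule lines is re-added in the next hunk after the Ansible tags ending in `- restrict_strategy`, so the bash fix element for CCE-80965-7 moves position and nothing else. One thing to keep untouched during the move: the key values `unsuccesful-create`, `unsuccesful-modification` and `unsuccesful-access` are misspelled, but the block states it is a verbatim snapshot of the upstream `30-ospp-v42.rules`, and any consumer that searches events by those key names depends on the current spelling, so correcting them in this copy alone would silently break that matching.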
@@ -125476,6 +125425,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F 
auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
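Review bot: the re-added block writes `/etc/audit/rules.d/30-ospp-v42-remediation.rules` with `cat <<EOF >` and never sets the file mode, so the rules file ends up with whatever the remediation run's umask allows, whereas the earlier remediation in this patch creates its rules files with `chmod 0640` and follows each append with `chmod o-rwx`. Adding a `chmod 0640` after the heredoc would keep the audit rule files consistently unreadable by other users. The heredoc terminator is also unquoted; the snapshot currently contains no `$` or backticks, so nothing is expanded today, but `<<'EOF'` would make that hold if the upstream snapshot is ever refreshed.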
@@ -125641,57 +125641,6 @@ to the same event is more efficient. See the following example: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. CCE-80966-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
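Review bot: same relocation as for CCE-80965-7: the script removed here is identical to the one CCE-80966-5 gets back in the following hunk, so there is no functional change to review. Worth noting for both rules, though: `cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules"` is a truncating redirect, and CCE-80965-7 and CCE-80966-5 both write this same file with the same content. That keeps the two remediations idempotent with respect to each other, but any local additions an administrator made to that file are overwritten whenever either remediation runs, which deserves a sentence in the rule description.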
@@ -125772,6 +125721,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F 
auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
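Review bot: the platform guard `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then` only checks that the audit package is installed; it does not distinguish whether rules are loaded by `augenrules` from `/etc/audit/rules.d/*.rules` or by `auditctl` from `/etc/audit/audit.rules`, the two cases the earlier remediation in this patch handles separately (see its table "Tool used to load audit rules | Rule already defined | Audit rules file to inspect"). On a host that loads rules with `auditctl`, the file written here under `rules.d` is not the file that tool reads, so the remediation reports success without changing the active rule set. Either mirror the tool handling from the other remediation or state in the description that this fix assumes `augenrules`.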
@@ -126156,57 +126156,6 @@ to the same event is more efficient. See the following example: these events could serve as evidence of potential system compromise. CCE-80968-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -126288,6 +126237,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a 
always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate 
-F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
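Review bot: this hunk re-adds, byte for byte, the 51-line bash remediation for CCE-80968-1 that the preceding hunk (`@@ -126156,57 +126156,6 @@`) removed; the only difference is its position, now after the `- restrict_strategy` tag of the Ansible task instead of before `- name: Gather the package facts`. Nothing in the applicability check, the heredoc, or the rule lines changes, so this is ordering churn from the automated publish rather than a content update; the generator should emit fix elements in a deterministic order so that the datastream diff only shows real changes and reviewers can spot them.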
@@ -126450,57 +126450,6 @@ to the same event is more efficient. See the following example: these events could serve as evidence of potential system compromise. CCE-80969-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -126582,6 +126531,57 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a 
always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate 
-F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
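Review bot: same pure move as for CCE-80968-1 above, this time for CCE-80969-9: the 51 lines removed in `@@ -126450,57 +126450,6 @@` come back unchanged here after `- restrict_strategy`. Both rules embed the identical `30-ospp-v42-remediation.rules` heredoc, so any fix to that snippet (including the misspelled keys) has to be applied to every copy; the duplication itself argues for generating this block from one shared template.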
@@ -126976,646 +126976,6 @@ calls with others as identifying earlier in this guide is more efficient.Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. CCE-80754-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="openat" -KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EACCES" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EPERM" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - -# If audit tool is 'augenrules', then check if the audit rule is defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection -# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection -default_file="/etc/audit/rules.d/$KEY.rules" -# As other_filters may include paths, lets use a different delimiter for it -# The "F" script expression tells sed to print the filenames where the expressions matched -readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) -# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet -if [ ${#files_to_inspect[@]} -eq "0" ] -then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi -fi - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - 
rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset 
full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -# -files_to_inspect=() - - -# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# file to the list of files to be inspected -default_file="/etc/audit/audit.rules" -files_to_inspect+=('/etc/audit/audit.rules' ) - -# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead -skip=1 - -for audit_file in "${files_to_inspect[@]}" -do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi -done - -if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 
0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi -fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -128265,882 +127625,37 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Creation Attempts to Files - openat O_CREAT - The audit system should collect unauthorized file accesses for -all users and root. The openat syscall can be used to create new files -when O_CREAT flag is specified. + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then -The following auidt rules will asure that unsuccessful attempts to create a -file via openat syscall are collected. +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="openat" +KEY="access" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. 
- --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000392-GPOS-00172 - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80962-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. - -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F 
arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80962-4 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_creat - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Add unsuccessful file operations audit rules - blockinfile: - path: /etc/audit/rules.d/30-ospp-v42-remediation.rules - create: true - block: |- - ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. - ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - - ## The purpose of these rules is to meet the requirements for Operating - ## System Protection Profile (OSPP)v4.2. These rules depends on having - ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- - ## Unsuccessful file creation (open with O_CREAT) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - ## Unsuccessful file modifications (open for write or truncate) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - ## Unsuccessful file access (any other opens) This has to go last. 
- -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80962-4 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_creat - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - - - - - - - - - Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE - The audit system should collect detailed unauthorized file accesses for -all users and root. The openat syscall can be used to modify files -if called for write operation of with O_TRUNC_WRITE flag. - -The following auidt rules will asure that unsuccessful attempts to modify a -file via openat syscall are collected. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. 
- --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - 
A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000392-GPOS-00172 - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80963-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. -## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80963-2 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_trunc_write - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Add unsuccessful file operations audit rules - blockinfile: - path: /etc/audit/rules.d/30-ospp-v42-remediation.rules - create: true - block: |- - ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. - ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - - ## The purpose of these rules is to meet the requirements for Operating - ## System Protection Profile (OSPP)v4.2. These rules depends on having - ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- - ## Unsuccessful file creation (open with O_CREAT) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - ## Unsuccessful file modifications (open for write or truncate) - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - ## Unsuccessful file access (any other opens) This has to go last. 
- -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80963-2 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat_o_trunc_write - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - - - - - - - - - Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly - The audit system should collect detailed unauthorized file -accesses for all users and root. -To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access -of files via openat syscall the audit rules collecting these events need to be in certain order. -The more specific rules need to come before the less specific rules. The reason for that is that more -specific rules cover a subset of events covered in the less specific rules, thus, they need to come -before to not be overshadowed by less specific rules, which match a bigger set of events. -Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. 
-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), check the order of -rules below in a file with suffix .rules in the directory -/etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, check the order of rules below in -/etc/audit/audit.rules file. - --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - 
APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000392-GPOS-00172 - The more specific rules cover a subset of events covered by the less specific rules. -By ordering them from more specific to less specific, it is assured that the less specific -rule will not catch events better recorded by the more specific rule. - CCE-80964-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" -cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" -## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. 
-## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. - -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S 
openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access --a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -EOF - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - - - - - - - - - Record Unsuccessful Permission Changes to Files - removexattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. 
Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80982-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# First perform the remediation of the syscall rule -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="removexattr" -KEY="access" -SYSCALL_GROUPING="" - -for ARCH in "${RULE_ARCHS[@]}" -do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="-F exit=-EACCES" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a -unset syscall_grouping -unset syscall_string -unset syscall -unset file_to_edit -unset rule_to_edit -unset rule_syscalls_to_edit -unset other_string -unset auid_string -unset full_rule - -# Load macro arguments into arrays -read -a syscall_a <<< $SYSCALL -read -a syscall_grouping <<< $SYSCALL_GROUPING +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: 
@@ -129750,85 +128265,930 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT + The audit system should collect unauthorized file accesses for +all users and root. The openat syscall can be used to create new files +when O_CREAT flag is specified. + +The following auidt rules will asure that unsuccessful attempts to create a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ CCE-80962-4 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80982-2 + - CCE-80962-4 + - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_unsuccessful_file_modification_removexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_creat - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit removexattr tasks - set_fact: - audit_arch: b64 +- name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80982-2 + - CCE-80962-4 + - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_unsuccessful_file_modification_removexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_creat - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then -- name: Perform remediation of Audit rules for removexattr EACCES for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - removexattr - syscall_grouping: [] - - - name: Check existence of removexattr in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
- - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' +## Unsuccessful file modifications (open for write or 
truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 +## Unsuccessful file access (any other opens) This has to go last. 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF - - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + The audit system should collect detailed unauthorized file accesses for +all users and root. The openat syscall can be used to modify files +if called for write operation of with O_TRUNC_WRITE flag. + +The following auidt rules will asure that unsuccessful attempts to modify a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. 
+ +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + 
A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80963-2 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80963-2 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 8 systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80963-2 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + The audit system should collect detailed unauthorized file +accesses for all users and root. +To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access +of files via openat syscall the audit rules collecting these events need to be in certain order. +The more specific rules need to come before the less specific rules. The reason for that is that more +specific rules cover a subset of events covered in the less specific rules, thus, they need to come +before to not be overshadowed by less specific rules, which match a bigger set of events. +Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), check the order of +rules below in a file with suffix .rules in the directory +/etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, check the order of rules below in +/etc/audit/audit.rules file. 
+ +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 
164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + The more specific rules cover a subset of events covered by the less specific rules. +By ordering them from more specific to less specific, it is assured that the less specific +rule will not catch events better recorded by the more specific rule. + CCE-80964-0 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')" +cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules" +## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. +## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a 
always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +## Unsuccessful file access (any other opens) This has to go last. 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +EOF + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Unsuccessful Permission Changes to Files - removexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. 
Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80982-2 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80982-2 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80982-2 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for removexattr EACCES for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - removexattr + syscall_grouping: [] + + - name: Check existence of removexattr in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + 
loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 
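Review bot: the new description for CCE-80963-2 names a flag `O_TRUNC_WRITE` that does not exist; the rule it documents filters on `-F a2&01003`, which the rule file's own comment in this hunk describes as `## Unsuccessful file modifications (open for write or truncate)`, so the sentence should read "if called for a write operation or with the O_TRUNC flag". The same paragraph carries typos ("auidt rules will asure", "of with"), and "retreived" appears in both the Ansible `blockinfile` block and the bash heredoc. Two further points in this hunk: the removexattr description (CCE-80982-2) offers `-S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr` as its grouping example, which omits removexattr itself and therefore does not show how this rule would be grouped; and CCE-80982-2 is tagged `reboot_required` while CCE-80963-2 and CCE-80964-0, which write rules into the same `/etc/audit/rules.d` directory, are tagged `no_reboot_needed`, so one of those tags looks wrong. Minor: the Ansible block's header comment says "Red Hat Enterprise Linux 8 systems" while the otherwise identical bash heredoc says "linux systems".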
@@ -130327,172 +129687,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - rename - The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80973-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="rename" +SYSCALL="removexattr" KEY="access" -SYSCALL_GROUPING="rename renameat unlink unlinkat" +SYSCALL_GROUPING="" for ARCH in "${RULE_ARCHS[@]}" do 
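Review bot: the remediation spliced in here for removexattr keeps `KEY="access"` from the rename script it replaces, while the removexattr description in the previous hunk documents `-F key=unsuccesful-perm-change`; unless the corresponding check is key-agnostic, the generated rule and the documented rule will not match, so either set KEY to the documented value or confirm the check ignores the key. `SYSCALL_GROUPING=""` (replacing `"rename renameat unlink unlinkat"`) also means the generated rule is never merged with related xattr rules, which runs against the description's own advice that grouping related syscalls is more efficient. Separately, the rename block removed here tests the platform with `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }`, inferring the architecture from the kernel release string; since the same script already branches on `getconf LONG_BIT`, a direct `uname -m` test would be more robust when that block is re-added later in the patch.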
@@ -131122,6 +130327,161 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - rename + The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80973-1 - name: Gather the package facts package_facts: manager: auto 
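Review bot: the re-added rename description (CCE-80973-1) is inconsistent about the audit key: the rules the reader is told to add use `-F key=unsuccessful-delete`, but the grouping example at the end of the same description uses `-F key=unsuccesful-delete`. A reader who copies the grouped form ends up with a different key than one who copies the single-syscall form, so the example should use the same spelling as the rules above it. Otherwise this hunk appears to be the same section that the previous hunk removed, moved to a new position without content changes.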
@@ -131754,171 +131114,15 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - renameat - -The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80974-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="renameat" +SYSCALL="rename" KEY="access" SYSCALL_GROUPING="rename renameat unlink unlinkat" 
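Review bot: the remediation in this hunk writes its rule with `KEY="access"` while the rename description it now belongs to tells the administrator to use `-F key=unsuccessful-delete`; a host remediated by this script and a host configured by hand from the prose end up with the same syscall filter under different keys, so any saved search or SIEM parser built on the documented key silently misses the remediated hosts. Either set `KEY="unsuccessful-delete"` here (and the matching key in the setxattr remediation further down, which has the same mismatch) or document `access` as the key, as the truncate rule already does. Separately, the new platform gate `{ ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }` infers the architecture from the kernel release string; `uname -m` is the direct test, and the rule description gives no hint that the `rename` rule is deliberately not applied on aarch64, so a reader following the prose on that platform has no way to know to skip it.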
@@ -132550,6 +131754,162 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - renameat + +The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80974-9 - name: Gather the package facts package_facts: manager: auto 
@@ -133177,42 +132537,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Permission Changes to Files - setxattr - The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change -If the system is 64 bit then also add the following lines: --a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change --a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the audit rule checks a -system call independently of other system calls. Grouping system calls related -to the same event is more efficient. See the following example: --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - CCI-000172 - AU-2(d) - AU-12(c) - CM-6(a) - Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80983-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -133220,9 +132545,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="setxattr" +SYSCALL="renameat" KEY="access" -SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" +SYSCALL_GROUPING="rename renameat unlink unlinkat" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -133852,6 +133177,41 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Permission Changes to Files - setxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80983-0 - name: Gather the package facts package_facts: manager: auto 
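Review bot: the setxattr rule's key is spelled `unsuccesful-perm-change` (missing an s) in all six rule lines and in the grouped example; it is internally consistent, so auditctl loads it, but it diverges from the `unsuccessful-` spelling used by the delete rules above and is the exact string analysts will have to type. Rename it to `unsuccessful-perm-change` before more content keys off it. Note also that this rule carries only CCI-000172, AU-2(d), AU-12(c) and CM-6(a), whereas the sibling unsuccessful-delete rules list the full COBIT, ISO 27001, NIST CSF, PCI and SRG mapping; if that omission is deliberate it is fine, otherwise the references should be aligned.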
@@ -134477,181 +133837,7 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Access Attempts to Files - truncate - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000064-GPOS-00033 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-APP-000495-CTR-001235 - RHEL-08-030420 - 4.1.3.7 - SV-230449r810455_rule - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80756-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -134659,9 +133845,9 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="truncate" +SYSCALL="setxattr" KEY="access" -SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" +SYSCALL_GROUPING="chmod fchmod fchmodat fsetxattr lsetxattr setxattr" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -135291,6 +134477,180 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Access Attempts to Files - truncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-APP-000495-CTR-001235 + RHEL-08-030420 + 4.1.3.7 + SV-230449r810455_rule + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80756-0 - name: Gather the package facts package_facts: manager: auto 
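Review bot: the truncate description says that grouping these calls "with others as identifying earlier in this guide is more efficient" but, unlike the delete and setxattr rules, shows no grouped example, and "identifying" should read "identified". The remediation already knows the grouping (`SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"`), so add the corresponding line, for example `-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access`. The four rule lines are also repeated verbatim for the augenrules and auditctl cases; stating them once, as the other rules in this patch do, halves the block without losing anything. On the positive side, this is the one rule here whose documented key (`access`) matches the `KEY="access"` its remediation writes.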
@@ -135940,176 +135300,17 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - unlink - -The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - CCE-80971-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="unlink" +SYSCALL="truncate" KEY="access" -SYSCALL_GROUPING="rename renameat unlink unlinkat" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" for ARCH in "${RULE_ARCHS[@]}" do 
@@ -136739,6 +135940,165 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - unlink + +The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + CCE-80971-5 - name: Gather the package facts package_facts: manager: auto 
@@ -137371,173 +136731,15 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Record Unsuccessful Delete Attempts to Files - unlinkat - -The audit system should collect unsuccessful file deletion -attempts for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. --a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - -If the system is 64 bit then also add the following lines: - --a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping system calls related -to the same event is more efficient. 
See the following example: - --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.4 - Req-10.2.1 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000458-GPOS-00203 - SRG-OS-000461-GPOS-00205 - SRG-OS-000468-GPOS-00212 - Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - CCE-80972-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! 
( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") AUID_FILTERS="-F auid>=1000 -F auid!=unset" -SYSCALL="unlinkat" +SYSCALL="unlink" KEY="access" SYSCALL_GROUPING="rename renameat unlink unlinkat" 
@@ -138169,6 +137371,164 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Record Unsuccessful Delete Attempts to Files - unlinkat + +The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: + +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + CCE-80972-3 - name: Gather the package facts package_facts: manager: auto 
@@ -138796,180 +138156,24 @@ fi - reboot_required - restrict_strategy - - - - - - - - - - Record Information on Kernel Modules Loading and Unloading - To capture kernel module loading and unloading events, use following lines, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules - - -Place to add the lines depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the lines to file /etc/audit/audit.rules. - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - To capture kernel module loading and unloading events, use following lines, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules - - -The place to add the lines depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the lines to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the lines to file /etc/audit/audit.rules. 
- 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000172 - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.2.7 - 4.1.15 - The addition/removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80709-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system -# Note: 32-bit and 64-bit kernel syscall numbers not always line up => -# it's required on a 64-bit system to check also for the presence -# of 32-bit's equivalent of the corresponding rule. 
-# (See `man 7 audit.rules` for details ) [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="unlinkat" +KEY="access" +SYSCALL_GROUPING="rename renameat unlink unlinkat" + for ARCH in "${RULE_ARCHS[@]}" do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - - SYSCALL="init_module finit_module delete_module" - KEY="modules" - SYSCALL_GROUPING="init_module finit_module delete_module" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -139128,7 +138332,319 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e 
"\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ 
-z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EPERM" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -139280,6 +138796,157 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Information on Kernel Modules Loading and Unloading + To capture kernel module loading and unloading events, use following lines, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules + + +Place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules. + + Ensure auditd Collects Information on Kernel Module Loading and Unloading + To capture kernel module loading and unloading events, use following lines, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules + + +The place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules. 
+ 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000172 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.2.7 + 4.1.15 + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80709-9 - name: Gather the package facts package_facts: manager: auto 
@@ -139622,36 +139289,8 @@ fi - reboot_required - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on Kernel Module Unloading - create_module - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: --a always,exit -F arch=ARCH -S create_module -F key=module-change - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. - CCI-000172 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - 4.1.3.19 - The removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - - CCE-88435-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system 
@@ -139663,15 +139302,16 @@ if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm -- for ARCH in "${RULE_ARCHS[@]}" do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" - AUID_FILTERS="" - SYSCALL="create_module" - KEY="module-change" - SYSCALL_GROUPING="" - - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + + SYSCALL="init_module finit_module delete_module" + KEY="modules" + SYSCALL_GROUPING="init_module finit_module delete_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a unset syscall_grouping unset syscall_string unset syscall @@ -139830,7 +139470,7 @@ if [ "$skip" -ne 0 ]; then sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi - unset syscall_a + unset syscall_a unset syscall_grouping unset syscall_string unset syscall 
@@ -139981,6 +139621,49 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Unloading - create_module + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +-a always,exit -F arch=ARCH -S create_module -F key=module-change + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + CCI-000172 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + 4.1.3.19 + The removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + + CCE-88435-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20create_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20create_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-create.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -140271,183 +139954,8 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20create_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20create_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-create.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Unloading - delete_module - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules - - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - SRG-APP-000495-CTR-001235 - SRG-APP-000504-CTR-001280 - RHEL-08-030390 - 4.1.3.19 - SV-230446r627750_rule - The removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80711-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -140461,12 +139969,11 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" - - AUID_FILTERS="-F auid>=1000 -F auid!=unset" - - SYSCALL="delete_module" - KEY="modules" - SYSCALL_GROUPING="delete_module" + AUID_FILTERS="" + SYSCALL="create_module" + KEY="module-change" + SYSCALL_GROUPING="" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
@@ -140778,6 +140285,181 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules + + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + 
PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-APP-000495-CTR-001235 + SRG-APP-000504-CTR-001280 + RHEL-08-030390 + 4.1.3.19 + SV-230446r627750_rule + The removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80711-5 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -141101,182 +140783,7 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - --a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules - If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: - --a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 
164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - SRG-APP-000495-CTR-001235 - SRG-APP-000504-CTR-001280 - RHEL-08-030360 - 4.1.3.19 - SV-230438r810464_rule - The addition/removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80712-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -141294,9 +140801,9 @@ do AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="finit_module" + SYSCALL="delete_module" KEY="modules" - SYSCALL_GROUPING="init_module finit_module" + SYSCALL_GROUPING="delete_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping 
@@ -141608,6 +141115,181 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + +-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules + If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: + +-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + 
A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-APP-000495-CTR-001235 + SRG-APP-000504-CTR-001280 + RHEL-08-030360 + 4.1.3.19 + SV-230438r810464_rule + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80712-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -141939,182 +141621,7 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Loading - init_module - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - --a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules - - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. 
- BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - FAU_GEN.1.1.c - Req-10.2.7 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000471-GPOS-00216 - SRG-OS-000477-GPOS-00222 - SRG-APP-000495-CTR-001235 - SRG-APP-000504-CTR-001280 - RHEL-08-030360 - 4.1.3.19 - SV-230438r810464_rule - The addition of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - CCE-80713-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule @@ -142132,7 +141639,7 @@ do AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="init_module" + SYSCALL="finit_module" KEY="modules" SYSCALL_GROUPING="init_module finit_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' 
@@ -142446,6 +141953,181 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading - init_module + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules + + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + 
PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-APP-000495-CTR-001235 + SRG-APP-000504-CTR-001280 + RHEL-08-030360 + 4.1.3.19 + SV-230438r810464_rule + The addition of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + CCE-80713-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-init.rules + overwrite: true - name: Gather the package facts package_facts: 
@@ -142777,48 +142459,8 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A - mode: 0600 - path: /etc/audit/rules.d/75-kernel-module-loading-init.rules - overwrite: true - - - - - - - - - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules -If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: --a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules - 4.1.3.19 - The addition/removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel. - - CCE-88748-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system @@ -142832,10 +142474,12 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" - SYSCALL="query_module" + + SYSCALL="init_module" KEY="modules" - SYSCALL_GROUPING="init_module query_module" + SYSCALL_GROUPING="init_module finit_module" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping @@ -143148,6 +142792,31 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module + If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules +If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: +-a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules + 4.1.3.19 + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + + CCE-88748-9 - name: Gather the package facts package_facts: manager: auto 
@@ -143452,6 +143121,337 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +# Note: 32-bit and 64-bit kernel syscall numbers not always line up => +# it's required on a 64-bit system to check also for the presence +# of 32-bit's equivalent of the corresponding rule. +# (See `man 7 audit.rules` for details ) +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="" + AUID_FILTERS="-F auid>=1000 -F auid!=unset" + SYSCALL="query_module" + KEY="modules" + SYSCALL_GROUPING="init_module query_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +default_file="/etc/audit/rules.d/$KEY.rules" +# As other_filters may include paths, lets use a different delimiter for it +# The "F" script expression tells sed to print the filenames where the expressions matched +readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) +# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet +if [ ${#files_to_inspect[@]} -eq "0" ] +then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi +fi + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + 
rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset 
full_rule + +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() + + +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +default_file="/etc/audit/audit.rules" +files_to_inspect+=('/etc/audit/audit.rules' ) + +# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead +skip=1 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi +done + +if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 
0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi +fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -144177,151 +144177,6 @@ edits of files involved in storing logon events: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80718-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - - -var_accounts_passwords_pam_faillock_dir='' - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - 
sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
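Review bot: in the removed augenrules pass, `rulesd_audit_file=$(echo $match | cut -f1 -d ':')` leaves `$match` unquoted (word splitting and glob expansion on the matched rule text) and truncates at the first colon, so any rules.d filename containing a colon is mishandled; since this block is re-added verbatim after the `restrict_strategy` tag in the next hunk, the re-added copy should use a parameter expansion instead, e.g. `rulesd_audit_file="${match%%:*}"`, which keeps the `grep -H` output intact and needs no subshell.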
@@ -144537,6 +144392,151 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +var_accounts_passwords_pam_faillock_dir='' + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. 
Append it at the end of $audit_rules_file file + # with proper key + + echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
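Review bot: `var_accounts_passwords_pam_faillock_dir=''` at the top of the re-added block is the empty string as shown here, and nothing below guards against that; unless a value is substituted into it before the script runs, the check `grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}"` matches every `-w` rule in the file, and when no watch rule exists the append writes `-w  -p wa -k logins` with no path, which the audit tools reject when the rules are loaded. Suggest a non-empty check right after the assignment, e.g. `[ -n "$var_accounts_passwords_pam_faillock_dir" ] || { >&2 echo 'faillock dir not set'; exit 1; }`, so a missing substitution fails loudly instead of corrupting the rules file.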
@@ -144701,149 +144701,6 @@ edits of files involved in storing logon events: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80719-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
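Review bot: the comment `# Propagate the updated rule's access bits (original + the required ones) back into the /etc/audit/audit.rules file for that rule` is copied unchanged into the augenrules pass of the removed block, where `$audit_rules_file` is a `/etc/audit/rules.d/*.rules` file, and the file-selection table with its `auditctl | Doesn't matter | /etc/audit/audit.rules` row is repeated in full before each pass; as this block is moved rather than changed (it reappears after the `restrict_strategy` tag in the following hunk), the moved copy is the place to say "back into $audit_rules_file" and to state the table once.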
@@ -145052,6 +144909,149 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
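Review bot: the access-bit extraction in this hunk, `sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p"`, has a literal space before `$sp\+` after the path, so it only matches rules with at least two whitespace characters between `/var/log/lastlog` and `-p`, while the rewrite `sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)..."` accepts a single space. For a rule written with one space, including the `-w /var/log/lastlog -p wa -k logins` line this same script appends, `current_access_bits` comes back empty, the loop turns it into `wa`, and the rewrite then overwrites whatever bits were configured, so an operator's `-p rwa` silently becomes `-p wa`, which contradicts the "original + the required ones" intent in the comment and narrows what is audited. Dropping the literal space so both patterns read `/var/log/lastlog$sp\+-p` fixes it.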
@@ -145201,149 +145201,6 @@ edits of files involved in storing logon events: Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. CCE-80720-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - - -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/logins.rules" - # If the logins.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
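Review bot: both presence checks in the removed block, `grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog"` and the rules.d search `grep -HP "[\s]*-w[\s]+/var/log/tallylog"`, match on a path prefix with no terminator, so an unrelated watch such as `-w /var/log/tallylog.old -p wa -k x` counts as the rule being present; the extraction and rewrite `sed` patterns then require the exact path followed by whitespace and match nothing, and the `else` branch that appends the required rule is never reached, leaving `/var/log/tallylog` unwatched. Since the block is re-added unchanged in the next hunk, the copy there should terminate the pattern, e.g. `"^[\s]*-w[\s]+/var/log/tallylog[\s]+"`, in both greps.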
@@ -145544,6 +145401,149 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/logins.rules" + # If the logins.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
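Review bot: the two sed expressions in this hunk disagree about the whitespace between the watch path and `-p`. The extraction `sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+..."` has a literal space before `$sp\+`, so it only matches a rule with at least two whitespace characters there, while the rewrite `sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)..."` matches a single space. For a pre-existing line such as `-w /var/log/tallylog -p r -k logins` the extraction returns nothing, `current_access_bits` becomes `wa`, and the rewrite replaces the existing `r` with `wa` instead of appending to it. Drop the stray space so both patterns use `tallylog$sp\+-p`; the same pair appears in both the auditctl and the augenrules pass of this hunk. Two smaller points: the comment above the rewrite still says the bits go "back into the /etc/audit/audit.rules file" although the second pass writes to the matched `/etc/audit/rules.d/*.rules` file, and `echo $match | cut -f1 -d ':'` should quote `"$match"`.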
@@ -145573,6 +145573,148 @@ form to /etc/audit/audit.rules: AU-12(c) SRG-OS-000477-GPOS-00222 Misuse of the init command may cause availability issues for the system. + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_init + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/init + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + 
set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ 
audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_init + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
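Review bot: in the added init block both `syscalls` and `syscall_grouping` are declared as `[]`, so the `find` loop over `(syscall_grouping + syscalls) | unique` runs zero iterations, `syscalls_found` and `found_paths` are always empty, and the two "Replace the audit rule" tasks (guarded by `syscalls_found | length > 0`) can never execute; "Declare syscalls found per file", "Count occurrences of syscalls in paths" and "Get path with most syscalls" are dead for the same reason, and `audit_file` always falls back to `/etc/audit/rules.d/privileged.rules`, so an equivalent `-F path=/usr/sbin/init` rule that already lives in another rules.d file is not recognized and a second copy is appended. It also leaves the task name `Check existence of in /etc/audit/rules.d/` with a blank where the syscall list was meant to go. For a path-only rule a smaller template that searches rules.d for the existing `-F path=/usr/sbin/init` line and appends only when absent would be clearer; the poweroff, reboot and shutdown blocks re-added in the later hunks have the same structure.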
@@ -145893,31 +146035,54 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts - package_facts: - manager: auto - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_init - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/init - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - poweroff + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-12(c) + SRG-OS-000477-GPOS-00222 + Misuse of the poweroff command may cause availability issues for the system. 
+ - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_poweroff + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/poweroff + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -145962,8 +146127,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -145972,8 +146137,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
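Review bot: the rule form documented in the moved poweroff description, `-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged`, has no `-F perm=x`, but the `contains:` regex in this hunk requires `-F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 ...` and the `line:` it adds includes `-F perm=x`. A rule written exactly as the description says is therefore not recognized and a near-duplicate rule is appended. Either add `-F perm=x` to the description so it matches what the Ansible line produces, or make `( -F perm=x)?` optional in the check. The reboot description added in the hunk at 146378 has the same gap.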
@@ -145988,7 +146153,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -146007,7 +146172,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -146017,8 +146182,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -146028,36 +146193,13 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - NIST-800-53-AU-12(c) - - audit_privileged_commands_init + - audit_privileged_commands_poweroff - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - poweroff - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - AU-12(c) - SRG-OS-000477-GPOS-00222 - Misuse of the poweroff command may cause availability issues for the system. # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
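Review bot: this hunk only removes the poweroff description block that the hunk at 145893 re-inserted unchanged ahead of the Ansible fix; together with the init, reboot and shutdown Ansible blocks that are deleted in one place and re-added verbatim in another, the patch is almost entirely a reordering of identical XML rather than a content change. Emitting the fix elements in a deterministic order in the publisher would reduce such automated publishes to the real differences and make them reviewable.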
@@ -146378,19 +146520,42 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - reboot + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-12(c) + SRG-OS-000477-GPOS-00222 + Misuse of the reboot command may cause availability issues for the system. + - name: Gather the package facts package_facts: manager: auto tags: - NIST-800-53-AU-12(c) - - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/poweroff +- name: Perform remediation of Audit rules for /usr/sbin/reboot block: - name: Declare list of syscalls @@ -146402,7 +146567,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -146447,7 +146612,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -146457,8 +146622,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -146473,7 +146638,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -146492,7 +146657,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -146502,8 +146667,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -146513,36 +146678,13 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - NIST-800-53-AU-12(c) - - audit_privileged_commands_poweroff + - audit_privileged_commands_reboot - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - reboot - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - AU-12(c) - SRG-OS-000477-GPOS-00222 - Misuse of the reboot command may cause availability issues for the system. # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -146862,148 +147004,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_reboot - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/reboot - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - 
when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S 
|,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_reboot - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -147028,6 +147028,148 @@ form to /etc/audit/audit.rules: AU-12(c) SRG-OS-000477-GPOS-00222 Misuse of the shutdown command may cause availability issues for the system. + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_shutdown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/shutdown + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to 
/etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in 
{{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - audit_privileged_commands_shutdown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -147347,148 +147489,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_shutdown - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/shutdown - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: 
audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ 
audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - NIST-800-53-AU-12(c) - - audit_privileged_commands_shutdown - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -147679,6 +147679,174 @@ Privileged programs are subject to escalation-of-privilege attacks, which attemp their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80724-8 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set + List of Mount Points Which Permits Execution of Privileged Commands + ansible.builtin.set_fact: + privileged_mount_points: '{{(ansible_facts.mounts | rejectattr(''options'', ''search'', + ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'') | map(attribute=''mount'') + | list ) }}' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search + for Privileged Commands in Eligible Mount Points + ansible.builtin.shell: + cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null + register: result_privileged_commands_search + changed_when: false + failed_when: false + with_items: '{{ privileged_mount_points }}' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not 
in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set + List of Privileged Commands Found in Eligible Mount Points + ansible.builtin.set_fact: + privileged_commands: '{{( result_privileged_commands_search.results | map(attribute=''stdout_lines'') + | select() | list ) | sum(start=[]) }}' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged + Commands are Present in the System + block: + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure + Rules for All Privileged Commands in augenrules Format + ansible.builtin.lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset + -F key=privileged + regexp: ^.*path={{ item | regex_escape() }} .*$ + create: true + with_items: + - '{{ privileged_commands }}' + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure + Rules for All Privileged Commands in auditctl Format + ansible.builtin.lineinfile: + path: /etc/audit/audit.rules + line: -a 
always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset + -F key=privileged + regexp: ^.*path={{ item | regex_escape() }} .*$ + create: true + with_items: + - '{{ privileged_commands }}' + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Search + for Duplicated Rules in Other Files + ansible.builtin.find: + paths: /etc/audit/rules.d + recurse: false + contains: ^-a always,exit -F path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ privileged_commands }}' + register: result_augenrules_files + + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure + Rules for Privileged Commands are Defined Only in One File + ansible.builtin.lineinfile: + path: '{{ item.1.path }}' + regexp: ^-a always,exit -F path={{ item.0.item }} .*$ + state: absent + with_subelements: + - '{{ result_augenrules_files.results }}' + - files + when: + - item.1.path != '/etc/audit/rules.d/privileged.rules' + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - privileged_commands is defined + tags: + - CCE-80724-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -148006,174 +148174,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set - List of Mount Points Which Permits Execution of Privileged Commands - ansible.builtin.set_fact: - privileged_mount_points: '{{(ansible_facts.mounts | rejectattr(''options'', ''search'', - ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'') | map(attribute=''mount'') - | list ) }}' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search - for Privileged Commands in Eligible Mount Points - ansible.builtin.shell: - cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null - register: result_privileged_commands_search - changed_when: false - failed_when: false - with_items: '{{ privileged_mount_points }}' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - 
NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set - List of Privileged Commands Found in Eligible Mount Points - ansible.builtin.set_fact: - privileged_commands: '{{( result_privileged_commands_search.results | map(attribute=''stdout_lines'') - | select() | list ) | sum(start=[]) }}' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged - Commands are Present in the System - block: - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure - Rules for All Privileged Commands in augenrules Format - ansible.builtin.lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset - -F key=privileged - regexp: ^.*path={{ item | regex_escape() }} .*$ - create: true - with_items: - - '{{ privileged_commands }}' - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure - Rules for All Privileged Commands in auditctl Format - ansible.builtin.lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset - -F key=privileged - regexp: ^.*path={{ item | regex_escape() }} .*$ - create: 
true - with_items: - - '{{ privileged_commands }}' - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Search - for Duplicated Rules in Other Files - ansible.builtin.find: - paths: /etc/audit/rules.d - recurse: false - contains: ^-a always,exit -F path={{ item }} .*$ - patterns: '*.rules' - with_items: - - '{{ privileged_commands }}' - register: result_augenrules_files - - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure - Rules for Privileged Commands are Defined Only in One File - ansible.builtin.lineinfile: - path: '{{ item.1.path }}' - regexp: ^-a always,exit -F path={{ item.0.item }} .*$ - state: absent - with_subelements: - - '{{ result_augenrules_files.results }}' - - files - when: - - item.1.path != '/etc/audit/rules.d/privileged.rules' - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - privileged_commands is defined - tags: - - CCE-80724-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed 
@@ -148211,6 +148211,156 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80988-9 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80988-9 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/bin/at + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | 
last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ 
syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (?:-k + |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80988-9 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -148531,23 +148681,153 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chage + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + 
SRG-OS-000468-GPOS-00212 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + SRG-APP-000501-CTR-001265 + SRG-APP-000502-CTR-001270 + RHEL-08-030250 + SV-230418r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80725-5 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80988-9 + - CCE-80725-5 + - DISA-STIG-RHEL-08-030250 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_at + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/at +- name: Perform remediation of Audit rules for /usr/bin/chage block: - name: Declare list of syscalls @@ -148559,7 +148839,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -148604,8 +148884,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -148614,7 +148894,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -148630,7 +148910,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -148649,8 +148929,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset (?:-k - |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -148659,7 +148939,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/at -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -148669,145 +148949,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80988-9 + - CCE-80725-5 + - DISA-STIG-RHEL-08-030250 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_at + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - chage - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 
- A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000468-GPOS-00212 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - SRG-APP-000501-CTR-001265 - SRG-APP-000502-CTR-001270 - RHEL-08-030250 - SV-230418r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80725-5 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -149128,26 +149284,149 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + 
SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030410 + SV-230448r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80726-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80725-5 - - DISA-STIG-RHEL-08-030250 + - CCE-80726-3 + - DISA-STIG-RHEL-08-030410 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/chage +- name: Perform remediation of Audit rules for /usr/bin/chsh block: - name: Declare list of syscalls @@ -149159,7 +149438,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -149204,7 +149483,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -149214,7 +149493,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -149230,7 +149509,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -149249,7 +149528,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -149259,7 +149538,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -149269,144 +149548,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80725-5 - - DISA-STIG-RHEL-08-030250 + - CCE-80726-3 + - DISA-STIG-RHEL-08-030410 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - chsh - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - 
A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030410 - SV-230448r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80726-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -149727,26 +149883,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - crontab + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030400 + SV-230447r627750_rule + Misuse of privileged functions, either intentionally or 
unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80727-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80726-3 - - DISA-STIG-RHEL-08-030410 + - CCE-80727-1 + - DISA-STIG-RHEL-08-030400 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/chsh +- name: Perform remediation of Audit rules for /usr/bin/crontab block: - name: Declare list of syscalls @@ -149758,7 +150027,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -149803,8 +150072,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -149813,7 +150082,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -149829,7 +150098,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -149848,7 +150117,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -149858,7 +150127,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -149868,135 +150137,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80726-3 - - DISA-STIG-RHEL-08-030410 + - CCE-80727-1 + - DISA-STIG-RHEL-08-030400 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - 
A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030400 - SV-230447r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80727-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -150317,25 +150471,151 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + 
SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030370 + SV-230444r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80728-9 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80727-1 - - DISA-STIG-RHEL-08-030400 + - CCE-80728-9 + - DISA-STIG-RHEL-08-030370 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/crontab +- name: Perform remediation of Audit rules for /usr/bin/gpasswd block: - name: Declare list of syscalls @@ -150347,7 +150627,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -150392,7 +150672,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -150402,7 +150682,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -150418,7 +150698,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -150437,7 +150717,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -150447,7 +150727,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -150457,145 +150737,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80727-1 - - DISA-STIG-RHEL-08-030400 + - CCE-80728-9 + - DISA-STIG-RHEL-08-030370 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - 
A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030370 - SV-230444r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80728-9 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -150915,162 +151071,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80728-9 - - DISA-STIG-RHEL-08-030370 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/bin/gpasswd - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: 
found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls 
| difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80728-9 - - DISA-STIG-RHEL-08-030370 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -151125,147 +151125,6 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter). CCE-89455-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "x" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/modules.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/bin/kmod" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/modules.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/modules.rules" - # If the modules.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "x" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -151466,6 +151325,147 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "x" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/modules.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/bin/kmod" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/modules.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/modules.rules" + # If the modules.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "x" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -151516,6 +151516,158 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80989-7 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80989-7 + - DISA-STIG-RHEL-08-030300 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/bin/mount + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() 
| sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing 
syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80989-7 + - DISA-STIG-RHEL-08-030300 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -151836,24 +151988,69 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-80991-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80989-7 - - DISA-STIG-RHEL-08-030300 + - CCE-80991-3 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/mount +- name: Perform remediation of Audit rules for /usr/bin/newgidmap block: - name: Declare list of syscalls @@ -151865,7 +152062,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -151910,8 +152107,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -151920,8 +152117,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -151936,7 +152133,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -151955,7 +152152,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -151965,8 +152162,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -151975,64 +152172,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80989-7 - - DISA-STIG-RHEL-08-030300 + - CCE-80991-3 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_newgidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. 
- -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80991-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -152353,24 +152505,151 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + 
SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030350 + SV-230437r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80729-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80991-3 + - CCE-80729-7 + - DISA-STIG-RHEL-08-030350 + - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgidmap + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/newgidmap +- name: Perform remediation of Audit rules for /usr/bin/newgrp block: - name: Declare list of syscalls @@ -152382,7 +152661,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -152427,8 +152706,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -152437,8 +152716,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -152453,7 +152732,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -152472,7 +152751,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -152482,8 +152761,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -152492,144 +152771,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80991-3 + - CCE-80729-7 + - DISA-STIG-RHEL-08-030350 + - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgidmap + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - newgrp - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000169 - CCI-000135 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - 
A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030350 - SV-230437r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80729-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -152950,26 +153106,69 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-80992-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80729-7 - - DISA-STIG-RHEL-08-030350 - - NIST-800-171-3.1.7 + - CCE-80992-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_newuidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/newgrp +- name: Perform remediation of Audit rules for /usr/bin/newuidmap block: - name: Declare list of syscalls @@ -152981,7 +153180,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -153026,8 +153225,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -153036,8 +153235,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -153052,7 +153251,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -153071,7 +153270,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -153081,8 +153280,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -153091,66 +153290,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80729-7 - - DISA-STIG-RHEL-08-030350 - - NIST-800-171-3.1.7 + - CCE-80992-1 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_newuidmap - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. 
- -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80992-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -153470,158 +153622,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80992-1 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newuidmap - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/bin/newuidmap - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with 
syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: 
Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newuidmap -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80992-1 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newuidmap - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -153740,6 +153740,162 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80730-5 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80730-5 + - DISA-STIG-RHEL-08-030340 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pam_timestamp_check + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/sbin/pam_timestamp_check + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most 
syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: 
syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80730-5 + - DISA-STIG-RHEL-08-030340 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pam_timestamp_check + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -154060,25 +154216,151 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - passwd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + 
SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030290 + SV-230422r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80731-3 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80730-5 - - DISA-STIG-RHEL-08-030340 + - CCE-80731-3 + - DISA-STIG-RHEL-08-030290 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/pam_timestamp_check +- name: Perform remediation of Audit rules for /usr/bin/passwd block: - name: Declare list of syscalls @@ -154090,8 +154372,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -154136,8 +154417,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check - -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -154146,8 +154427,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -154162,8 +154443,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -154182,8 +154462,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -154192,8 +154472,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -154202,145 +154482,21 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80730-5 - - DISA-STIG-RHEL-08-030340 + - CCE-80731-3 + - DISA-STIG-RHEL-08-030290 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - 
A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030290 - SV-230422r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80731-3 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -154661,26 +154817,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030311 + SV-230427r627750_rule + Misuse of privileged functions, either intentionally or 
unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80732-1 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80731-3 - - DISA-STIG-RHEL-08-030290 + - CCE-80732-1 + - DISA-STIG-RHEL-08-030311 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/passwd +- name: Perform remediation of Audit rules for /usr/sbin/postdrop block: - name: Declare list of syscalls @@ -154692,7 +154961,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -154737,8 +155006,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -154747,8 +155016,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -154763,7 +155032,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -154782,7 +155051,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -154792,8 +155061,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -154802,135 +155071,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80731-3 - - DISA-STIG-RHEL-08-030290 + - CCE-80732-1 + - DISA-STIG-RHEL-08-030311 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - postdrop - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 
- A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030311 - SV-230427r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80732-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -155251,25 +155405,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030312 + SV-230428r627750_rule + Misuse of privileged functions, either intentionally 
or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80733-9 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80732-1 - - DISA-STIG-RHEL-08-030311 + - CCE-80733-9 + - DISA-STIG-RHEL-08-030312 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/postdrop +- name: Perform remediation of Audit rules for /usr/sbin/postqueue block: - name: Declare list of syscalls @@ -155281,7 +155549,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -155326,7 +155594,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -155336,7 +155604,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -155352,7 +155620,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -155371,7 +155639,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -155381,7 +155649,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -155391,134 +155659,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80732-1 - - DISA-STIG-RHEL-08-030311 + - CCE-80733-9 + - DISA-STIG-RHEL-08-030312 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - postqueue - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - 
A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030312 - SV-230428r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80733-9 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -155839,25 +155993,123 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80734-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80733-9 - - DISA-STIG-RHEL-08-030312 + - CCE-80734-7 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_pt_chown - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/postqueue +- name: Perform remediation of Audit rules for /usr/libexec/pt_chown block: - name: Declare list of syscalls @@ -155869,7 +156121,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -155914,7 +156166,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -155924,8 +156176,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -155940,7 +156192,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -155959,7 +156211,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -155969,8 +156221,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -155979,119 +156231,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80733-9 - - DISA-STIG-RHEL-08-030312 + - CCE-80734-7 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_pt_chown - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000135 - CCI-000172 - CCI-002884 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000042-GPOS-00020 - 
SRG-OS-000392-GPOS-00172 - SRG-OS-000471-GPOS-00215 - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80734-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -156412,24 +156564,61 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Any Attempts to Run ssh-agent + At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030280 + SV-230421r627750_rule + Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. + +Audit records can be generated from various components within the +information system (e.g., module or policy filter). 
+ CCE-85944-7 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80734-7 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pt_chown + - CCE-85944-7 + - DISA-STIG-RHEL-08-030280 + - audit_rules_privileged_commands_ssh_agent - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/libexec/pt_chown +- name: Perform remediation of Audit rules for /usr/bin/ssh-agent block: - name: Declare list of syscalls @@ -156441,7 +156630,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -156486,7 +156675,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -156496,8 +156685,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -156512,7 +156701,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -156531,7 +156720,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -156541,8 +156730,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/pt_chown - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -156551,60 +156740,15 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80734-7 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pt_chown + - CCE-85944-7 + - DISA-STIG-RHEL-08-030280 + - audit_rules_privileged_commands_ssh_agent - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Record Any Attempts to Run ssh-agent - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030280 - SV-230421r627750_rule - Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. - -Audit records can be generated from various components within the -information system (e.g., module or policy filter). 
- CCE-85944-7 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -156924,150 +157068,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85944-7 - - DISA-STIG-RHEL-08-030280 - - audit_rules_privileged_commands_ssh_agent - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/bin/ssh-agent - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: 
audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ 
audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-85944-7 - - DISA-STIG-RHEL-08-030280 - - audit_rules_privileged_commands_ssh_agent - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -157185,6 +157185,162 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. CCE-80735-4 + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80735-4 + - DISA-STIG-RHEL-08-030320 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for /usr/libexec/openssh/ssh-keysign + block: + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most 
syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F + path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset + (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: 
syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( + -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80735-4 + - DISA-STIG-RHEL-08-030320 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -157505,25 +157661,144 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - su + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-0003 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + 
SRG-APP-000499-CTR-001255 + RHEL-08-030190 + SV-230412r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80736-2 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80735-4 - - DISA-STIG-RHEL-08-030320 + - CCE-80736-2 + - DISA-STIG-RHEL-08-030190 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/libexec/openssh/ssh-keysign +- name: Perform remediation of Audit rules for /usr/bin/su block: - name: Declare list of syscalls @@ -157535,8 +157810,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -157581,8 +157855,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign - -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 + -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -157591,8 +157865,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -157607,8 +157881,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset - (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -157627,8 +157900,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (?:-k + |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -157637,8 +157910,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -157647,139 +157920,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80735-4 - - DISA-STIG-RHEL-08-030320 + - CCE-80736-2 + - DISA-STIG-RHEL-08-030190 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - su - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 
- A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000064-GPOS-0003 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030190 - SV-230412r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80736-2 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -158100,25 +158254,144 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + BP28(R19) + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + 
RHEL-08-030550 + SV-230462r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80737-0 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80736-2 - - DISA-STIG-RHEL-08-030190 + - CCE-80737-0 + - DISA-STIG-RHEL-08-030550 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/su +- name: Perform remediation of Audit rules for /usr/bin/sudo block: - name: Declare list of syscalls @@ -158130,7 +158403,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -158175,8 +158448,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 - -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -158185,7 +158458,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -158201,7 +158474,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -158220,8 +158493,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (?:-k - |-F key=)\w+) + -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset + (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -158230,7 +158503,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -158240,139 +158513,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80736-2 - - DISA-STIG-RHEL-08-030190 + - CCE-80737-0 + - DISA-STIG-RHEL-08-030550 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - sudo - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - BP28(R19) - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 
- A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030550 - SV-230462r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80737-0 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -158693,25 +158847,137 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + Misuse of privileged functions, either intentionally or unintentionally by 
+authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80738-8 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80737-0 - - DISA-STIG-RHEL-08-030550 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/sudo +- name: Perform remediation of Audit rules for /usr/bin/sudoedit block: - name: Declare list of syscalls @@ -158723,7 +158989,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -158768,8 +159034,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -158778,8 +159044,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -158794,7 +159060,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -158813,7 +159079,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -158823,8 +159089,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -158833,133 +159099,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80737-0 - - DISA-STIG-RHEL-08-030550 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - 
AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80738-8 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -159280,24 +159432,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - umount + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + RHEL-08-030301 + SV-230424r627750_rule + Misuse of privileged functions, either intentionally or 
unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80739-6 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80738-8 + - CCE-80739-6 + - DISA-STIG-RHEL-08-030301 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/sudoedit +- name: Perform remediation of Audit rules for /usr/bin/umount block: - name: Declare list of syscalls @@ -159309,7 +159576,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -159354,8 +159621,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -159364,8 +159631,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -159380,7 +159647,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -159399,7 +159666,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -159409,8 +159676,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudoedit -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x + -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -159419,133 +159686,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80738-8 + - CCE-80739-6 + - DISA-STIG-RHEL-08-030301 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - umount - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000169 - CCI-000135 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - 
AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - RHEL-08-030301 - SV-230424r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80739-6 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -159866,25 +160020,164 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + CIP-007-3 R6.5 + AC-2(4) + AU-2(d) + AU-3 + AU-3.1 + AU-12(a) + AU-12(c) + AU-12.1(ii) + AU-12.1(iv) + AC-6(9) + CM-6(a) + MA-4(1)(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + 
SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000029-CTR-000085 + SRG-APP-000495-CTR-001235 + RHEL-08-030317 + SV-230433r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80740-4 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80739-6 - - DISA-STIG-RHEL-08-030301 + - CCE-80740-4 + - DISA-STIG-RHEL-08-030317 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(ii) + - NIST-800-53-AU-12.1(iv) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 + - NIST-800-53-AU-3.1 - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - NIST-800-53-MA-4(1)(a) + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/bin/umount +- name: Perform remediation of Audit rules for /usr/sbin/unix_chkpwd block: - name: Declare list of syscalls 
@@ -159896,7 +160189,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -159941,8 +160234,8 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F - auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x + -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -159951,8 +160244,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present @@ -159967,7 +160260,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -159986,7 +160279,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -159996,8 +160289,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x - -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -160006,152 +160299,27 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80739-6 - - DISA-STIG-RHEL-08-030301 + - CCE-80740-4 + - DISA-STIG-RHEL-08-030317 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(ii) + - NIST-800-53-AU-12.1(iv) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 + - NIST-800-53-AU-3.1 - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - NIST-800-53-MA-4(1)(a) + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 
- 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - CIP-007-3 R6.5 - AC-2(4) - AU-2(d) - AU-3 - AU-3.1 - AU-12(a) - AU-12(c) - AU-12.1(ii) - AU-12.1(iv) - AC-6(9) - CM-6(a) - MA-4(1)(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000029-CTR-000085 - SRG-APP-000495-CTR-001235 - RHEL-08-030317 - SV-230433r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80740-4 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -160472,32 +160640,65 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_update + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030310 + SV-230426r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-89480-8 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80740-4 - - DISA-STIG-RHEL-08-030317 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd + - CCE-89480-8 + - DISA-STIG-RHEL-08-030310 + - audit_rules_privileged_commands_unix_update - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/unix_chkpwd +- name: Perform remediation of Audit rules for /usr/sbin/unix_update block: - name: Declare list of syscalls @@ -160509,7 +160710,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -160554,7 +160755,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
@@ -160564,7 +160765,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -160580,7 +160781,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -160599,7 +160800,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -160609,7 +160810,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -160619,72 +160820,15 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80740-4 - - DISA-STIG-RHEL-08-030317 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd + - CCE-89480-8 + - DISA-STIG-RHEL-08-030310 + - audit_rules_privileged_commands_unix_update - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_update - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000064-GPOS-00033 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030310 - SV-230426r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external 
entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-89480-8 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -161005,20 +161149,139 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-APP-000495-CTR-001235 + RHEL-08-030315 + SV-230431r627750_rule + Misuse of privileged functions, either 
intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + CCE-80741-2 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-89480-8 - - DISA-STIG-RHEL-08-030310 - - audit_rules_privileged_commands_unix_update + - CCE-80741-2 + - DISA-STIG-RHEL-08-030315 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/unix_update +- name: Perform remediation of Audit rules for /usr/sbin/userhelper block: - name: Declare list of syscalls @@ -161030,7 +161293,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
@@ -161075,7 +161338,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161085,7 +161348,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx @@ -161101,7 +161364,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -161120,7 +161383,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161130,7 +161393,7 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx 
@@ -161140,129 +161403,20 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-89480-8 - - DISA-STIG-RHEL-08-030310 - - audit_rules_privileged_commands_unix_update + - CCE-80741-2 + - DISA-STIG-RHEL-08-030315 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - userhelper - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - 1 - 12 - 13 - 14 - 15 - 16 - 2 - 3 - 5 - 6 - 7 - 8 - 9 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - BAI03.05 - DSS01.03 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.4.4.7 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.8 - SR 2.9 - SR 6.1 - SR 6.2 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - 
A.12.7.1 - A.14.2.7 - A.15.2.1 - A.15.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.PT-1 - FAU_GEN.1.1.c - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-APP-000495-CTR-001235 - RHEL-08-030315 - SV-230431r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80741-2 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -161583,25 +161737,67 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usermod + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000466-GPOS-00210 + SRG-APP-000495-CTR-001235 + SRG-APP-000499-CTR-001255 + RHEL-08-030560 + 4.1.3.18 + SV-230463r627750_rule + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-86027-0 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80741-2 - - DISA-STIG-RHEL-08-030315 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - CCE-86027-0 + - DISA-STIG-RHEL-08-030560 + - audit_rules_privileged_commands_usermod - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/userhelper +- name: Perform remediation of Audit rules for /usr/sbin/usermod block: - name: Declare list of syscalls @@ -161613,7 +161809,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -161658,7 +161854,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161668,8 +161864,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -161684,7 +161880,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -161703,7 +161899,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -161713,8 +161909,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F + perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -161723,67 +161919,15 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80741-2 - - DISA-STIG-RHEL-08-030315 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - CCE-86027-0 + - DISA-STIG-RHEL-08-030560 + - audit_rules_privileged_commands_usermod - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - usermod - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000130 - CCI-000135 - CCI-000169 - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - SRG-OS-000042-GPOS-00020 - SRG-OS-000062-GPOS-00031 - SRG-OS-000392-GPOS-00172 - SRG-OS-000462-GPOS-00206 - SRG-OS-000471-GPOS-00215 - SRG-OS-000466-GPOS-00210 - SRG-APP-000495-CTR-001235 - SRG-APP-000499-CTR-001255 - RHEL-08-030560 - 4.1.3.18 - SV-230463r627750_rule - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. 
-Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. - -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-86027-0 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -162104,20 +162248,69 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + CIP-004-6 R2.2.2 + CIP-004-6 R2.2.3 + CIP-007-3 R.1.3 + CIP-007-3 R5 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.3 + CIP-007-3 R5.2.1 + CIP-007-3 R5.2.3 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. 
+ CCE-80990-5 + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-86027-0 - - DISA-STIG-RHEL-08-030560 - - audit_rules_privileged_commands_usermod + - CCE-80990-5 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for /usr/sbin/usermod +- name: Perform remediation of Audit rules for /usr/sbin/usernetctl block: - name: Declare list of syscalls @@ -162129,7 +162322,7 @@ fi find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -162174,7 +162367,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -162184,8 +162377,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -162200,7 +162393,7 @@ fi find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -162219,7 +162412,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset + -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true @@ -162229,8 +162422,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F - perm=x -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl + -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present 
@@ -162239,60 +162432,19 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-86027-0 - - DISA-STIG-RHEL-08-030560 - - audit_rules_privileged_commands_usermod + - CCE-80990-5 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - CCI-000172 - CIP-004-6 R2.2.2 - CIP-004-6 R2.2.3 - CIP-007-3 R.1.3 - CIP-007-3 R5 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.3 - CIP-007-3 R5.2.1 - CIP-007-3 R5.2.3 - AC-2(4) - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - FAU_GEN.1.1.c - Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. 
- -Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. - CCE-80990-5 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -162612,158 +162764,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80990-5 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_usernetctl - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for /usr/sbin/usernetctl - block: - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file 
with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x - -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: [] - syscall_grouping: [] - - - name: Check existence of in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F - path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" 
- - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( - -S |,)\w+)+)( -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset - (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usernetctl - -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80990-5 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_usernetctl - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy 
@@ -162925,6 +162925,350 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. CCE-80745-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-adjtimex.rules + overwrite: true + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b64 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture + == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for 32bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - 
settimeofday + - stime + + - name: Check existence of adjtimex in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules + set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S 
|,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - settimeofday + - stime + + - name: Check existence of adjtimex in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for 64bit platform + block: + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - settimeofday + + - name: Check existence of adjtimex in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path + :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten + | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, + 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') + | list }}' + + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') + | last).key }}" + when: found_paths | length >= 1 + + - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules + 
set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + when: found_paths | length == 0 + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] + | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + + - name: Declare list of syscalls + set_fact: + syscalls: + - adjtimex + syscall_grouping: + - adjtimex + - settimeofday + - stime + + - name: Check existence of adjtimex in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S + |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') + | list }}" + + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ 
syscalls_found | + join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CCE-80745-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
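Review bot: In hunk @@ -162925,6 +162925,350 @@ the syscall_grouping lists disagree within the 64-bit remediation block: the rules.d check declares `syscall_grouping: [adjtimex, settimeofday]`, while the audit.rules check immediately below it declares `syscall_grouping: [adjtimex, settimeofday, stime]`. stime exists only in the 32-bit syscall table on x86_64, so the second list should match the first; as written, the two checks can group the same rule differently and select a different audit_file for it. The 32-bit block is internally consistent (both of its lists include stime), so only the 64-bit audit.rules list needs the change.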
@@ -163264,11 +163608,179 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi - - name: Gather the package facts + + + + + + + + + Record Attempts to Alter Time Through clock_settime + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. 
See an example of multiple combined syscalls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + 10.6.3 + 4.1.3.4 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. 
+ CCE-80746-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-clock-settime.rules + overwrite: true + + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) @@ -163277,7 +163789,7 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity @@ -163293,7 +163805,7 @@ fi - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) 
@@ -163302,30 +163814,27 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for 32bit platform +- name: Perform remediation of Audit rules for clock_settime for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday - - stime + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/rules.d/ + - name: Check existence of clock_settime in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163355,8 +163864,8 @@ fi | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules + set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls @@ -163370,7 +163879,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -163379,7 +163888,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163388,17 +163898,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday - - stime + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/audit.rules + - name: Check existence of clock_settime in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163417,7 +163924,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -163426,7 +163933,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163435,7 +163943,7 @@ fi - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) 
@@ -163444,29 +163952,27 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for 64bit platform +- name: Perform remediation of Audit rules for clock_settime for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/rules.d/ + - name: Check existence of clock_settime in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163496,8 +164002,8 @@ fi | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules + set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls @@ -163511,7 +164017,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -163520,7 +164026,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163529,17 +164036,14 @@ fi - name: Declare list of syscalls set_fact: syscalls: - - adjtimex - syscall_grouping: - - adjtimex - - settimeofday - - stime + - clock_settime + syscall_grouping: [] - - name: Check existence of adjtimex in /etc/audit/audit.rules + - name: Check existence of clock_settime in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -163558,7 +164062,7 @@ fi lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) + join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -163567,7 +164071,8 @@ fi - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F + key=time-change create: true mode: o-rwx state: present @@ -163577,7 +164082,7 @@ fi - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - - CCE-80745-3 + - CCE-80746-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) 
@@ -163586,181 +164091,13 @@ fi - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-adjtimex.rules - overwrite: true - - - - - - - - - - Record Attempts to Alter Time Through clock_settime - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d: --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change -If the system is 64 bit then also add the following line: --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport. -Multiple system calls can be defined on the same line to save space if -desired, but is not required. 
See an example of multiple combined syscalls: --a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-001487 - CCI-000169 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.4.2.b - 10.6.3 - 4.1.3.4 - Arbitrary changes to the system time can be used to obfuscate -nefarious activities in log files, as well as to confuse network services that -are highly dependent upon an accurate system time (such as sshd). All changes -to the system time should be audited. - CCE-80746-1 # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then 
@@ -164087,343 +164424,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set architecture for audit tasks - set_fact: - audit_arch: b64 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture - == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for clock_settime for 32bit platform - block: - - - name: Declare list of syscalls - set_fact: - syscalls: - - clock_settime - syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( 
{item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules - set_fact: audit_file="/etc/audit/rules.d/time-change.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - clock_settime - 
syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for clock_settime for 64bit platform - block: - - - name: Declare list of syscalls - set_fact: - 
syscalls: - - clock_settime - syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: '*.rules' - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Reset syscalls found per file - set_fact: - syscalls_per_file: {} - found_paths_dict: {} - - - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path - :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" - loop: '{{ find_command.results | selectattr(''matched'') | list }}' - - - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten - | map(attribute='path') | list }}" - - - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, - 0) }) }}" - loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') - | list }}' - - - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') - | last).key }}" - when: found_paths | length >= 1 - - - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules - set_fact: audit_file="/etc/audit/rules.d/time-change.rules" - when: found_paths | length == 0 - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ 
syscalls_per_file[audit_file] - | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - - - name: Declare list of syscalls - set_fact: - syscalls: - - clock_settime - syscall_grouping: [] - - - name: Check existence of clock_settime in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S - |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ - patterns: audit.rules - register: find_command - loop: '{{ (syscall_grouping + syscalls) | unique }}' - - - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" - - - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') - | list }}" - - - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - - - name: Replace the audit rule in {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | - join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) - line: \1\2\3{{ missing_syscalls | join("\3") }}\4 - backrefs: true - state: present - when: syscalls_found | length > 0 and missing_syscalls | length > 0 - - - name: Add the audit rule to {{ audit_file }} - lineinfile: - path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F - key=time-change - create: true - mode: o-rwx - state: present - when: syscalls_found | length == 0 - when: - - 
'"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" - tags: - - CCE-80746-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-clock-settime.rules - overwrite: true 
@@ -164577,344 +164577,20 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. CCE-80747-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Retrieve hardware architecture of the underlying system -[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - -for ARCH in "${RULE_ARCHS[@]}" -do - # Create expected audit group and audit rule form for particular system call & architecture - if [ ${ARCH} = "b32" ] - then - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) - # so append it to the list of time group system calls to be audited - SYSCALL="adjtimex settimeofday stime" - SYSCALL_GROUPING="adjtimex settimeofday stime" - elif [ ${ARCH} = "b64" ] - then - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) - # therefore don't add it to the list of time group system calls to be audited - SYSCALL="adjtimex settimeofday" - SYSCALL_GROUPING="adjtimex settimeofday" - fi - OTHER_FILTERS="" - AUID_FILTERS="" - KEY="audit_time_rules" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - unset syscall_a - unset syscall_grouping - unset syscall_string - unset syscall - unset file_to_edit - unset rule_to_edit - unset rule_syscalls_to_edit - unset other_string - unset auid_string - unset full_rule - - # Load macro arguments into arrays - read -a syscall_a <<< $SYSCALL - read -a syscall_grouping <<< $SYSCALL_GROUPING - - # Create a list of audit *.rules files that should be inspected for presence and correctness - # of a particular audit rule. 
The scheme is as follows: - # - # ----------------------------------------------------------------------------------------- - # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | - # ----------------------------------------------------------------------------------------- - # auditctl | Doesn't matter | /etc/audit/audit.rules | - # ----------------------------------------------------------------------------------------- - # augenrules | Yes | /etc/audit/rules.d/*.rules | - # augenrules | No | /etc/audit/rules.d/$key.rules | - # ----------------------------------------------------------------------------------------- - # - files_to_inspect=() - - # If audit tool is 'augenrules', then check if the audit rule is defined - # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection - # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection - default_file="/etc/audit/rules.d/$KEY.rules" - # As other_filters may include paths, lets use a different delimiter for it - # The "F" script expression tells sed to print the filenames where the expressions matched - readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) - # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet - if [ ${#files_to_inspect[@]} -eq "0" ] - then - file_to_inspect="/etc/audit/rules.d/$KEY.rules" - files_to_inspect=("$file_to_inspect") - if [ ! 
-e "$file_to_inspect" ] - then - touch "$file_to_inspect" - chmod 0640 "$file_to_inspect" - fi - fi - - # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead - skip=1 - - for audit_file in "${files_to_inspect[@]}" - do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - 
file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi - done - - if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" -gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi - fi - unset syscall_a - unset syscall_grouping - unset syscall_string - unset syscall - unset file_to_edit - unset rule_to_edit - unset rule_syscalls_to_edit - unset 
other_string - unset auid_string - unset full_rule - - # Load macro arguments into arrays - read -a syscall_a <<< $SYSCALL - read -a syscall_grouping <<< $SYSCALL_GROUPING - - # Create a list of audit *.rules files that should be inspected for presence and correctness - # of a particular audit rule. The scheme is as follows: - # - # ----------------------------------------------------------------------------------------- - # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | - # ----------------------------------------------------------------------------------------- - # auditctl | Doesn't matter | /etc/audit/audit.rules | - # ----------------------------------------------------------------------------------------- - # augenrules | Yes | /etc/audit/rules.d/*.rules | - # augenrules | No | /etc/audit/rules.d/$key.rules | - # ----------------------------------------------------------------------------------------- - # - files_to_inspect=() - - - # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' - # file to the list of files to be inspected - default_file="/etc/audit/audit.rules" - files_to_inspect+=('/etc/audit/audit.rules' ) - - # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead - skip=1 - - for audit_file in "${files_to_inspect[@]}" - do - # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, - # i.e, collect rules that match: - # * the action, list and arch, (2-nd argument) - # * the other filters, (3-rd argument) - # * the auid filters, (4-rd argument) - readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") - - candidate_rules=() - # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope - for s_rule in "${similar_rules[@]}" - do - # Strip all the options and fields we know of, - # than check if there was any field left over - extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") - grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") - done - - if [[ ${#syscall_a[@]} -ge 1 ]] - then - # Check if the syscall we want is present in any of the similar existing rules - for rule in "${candidate_rules[@]}" - do - rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) - all_syscalls_found=0 - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { - # A syscall was not found in the candidate rule - all_syscalls_found=1 - } - done - if [[ $all_syscalls_found -eq 0 ]] - then - # We found a rule with all the syscall(s) we want; skip rest of macro - skip=0 - break - fi - - # Check if this rule can be grouped with our target syscall and keep track of it - for syscall_g in "${syscall_grouping[@]}" - do - if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" - then - file_to_edit=${audit_file} - rule_to_edit=${rule} - rule_syscalls_to_edit=${rule_syscalls} - fi - done - done - else - # If there is any candidate rule, it is compliant; skip rest of macro - if [ "${#candidate_rules[@]}" -gt 0 ] - then - skip=0 - fi - fi - - if [ "$skip" -eq 0 ]; then - break - fi - done - - if [ "$skip" -ne 0 ]; then - # We checked all rules that matched the expected resemblance pattern (action, arch & auid) - # At this point we know if we need to either append the $full_rule or group - # the syscall together with an exsiting rule - - # Append the full_rule if it cannot be grouped to any other rule - if [ -z ${rule_to_edit+x} ] - then - # Build full_rule while avoid adding double spaces when other_filters is empty - if [ "${#syscall_a[@]}" 
-gt 0 ] - then - syscall_string="" - for syscall in "${syscall_a[@]}" - do - syscall_string+=" -S $syscall" - done - fi - other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true - auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true - full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true - echo "$full_rule" >> "$default_file" - chmod o-rwx ${default_file} - else - # Check if the syscalls are declared as a comma separated list or - # as multiple -S parameters - if grep -q -- "," <<< "${rule_syscalls_to_edit}" - then - delimiter="," - else - delimiter=" -S " - fi - new_grouped_syscalls="${rule_syscalls_to_edit}" - for syscall in "${syscall_a[@]}" - do - grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { - # A syscall was not found in the candidate rule - new_grouped_syscalls+="${delimiter}${syscall}" - } - done - - # Group the syscall in the rule - sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" - fi - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-settimeofday.rules + overwrite: true - name: Gather the package facts package_facts: 
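Review bot: the bash remediation removed at the top of this hunk is not changed, only moved: the same script text reappears as added lines after the Ansible fix further down, and the MachineConfig added here is the one removed after the "no_reboot_needed / restrict_strategy" lines of the next hunk. A 166k-line automated publish made of such moves means the datastream build is not emitting fix elements in a stable order; sorting fixes by system and id before serialising would make real content changes reviewable. While the script is being moved, two things in the "Group the syscall in the rule" branch are worth fixing in the template: the line `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"` interpolates an existing, administrator-written rule line unescaped as both sed address and pattern, so a `#`, `&`, `.`, `*` or `[` in that rule (a path in an -F filter, for example) either changes what is matched or breaks the expression, and the three `|| /bin/true` suffixes on plain assignments are dead code, since an assignment never fails.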
@@ -165246,181 +164922,8 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-settimeofday.rules - overwrite: true - - - - - - - - - - Record Attempts to Alter Time Through stime - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d for both 32 bit and 64 bit systems: --a always,exit -F arch=b32 -S stime -F key=audit_time_rules -Since the 64 bit version of the "stime" system call is not defined in the audit -lookup table, the corresponding "-F arch=b64" form of this rule is not expected -to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule -form itself is sufficient for both 32 bit and 64 bit systems). If the -auditd daemon is configured to use the auditctl utility to -read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file for both 32 bit and 64 bit systems: --a always,exit -F arch=b32 -S stime -F key=audit_time_rules -Since the 64 bit version of the "stime" system call is not defined in the audit -lookup table, the corresponding "-F arch=b64" form of this rule is not expected -to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule -form itself is sufficient for both 32 bit and 64 bit systems). The -k option -allows for the specification of a key in string form that can be used for -better reporting capability through ausearch and aureport. Multiple system -calls can be defined on the same line to save space if desired, but is not -required. 
See an example of multiple combined system calls: --a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-001487 - CCI-000169 - 164.308(a)(1)(ii)(D) - 164.308(a)(3)(ii)(A) - 164.308(a)(5)(ii)(C) - 164.312(a)(2)(i) - 164.312(b) - 164.312(d) - 164.312(e) - 4.2.3.10 - 4.3.2.6.7 - 4.3.3.3.9 - 4.3.3.5.8 - 4.3.3.6.6 - 4.3.4.4.7 - 4.3.4.5.6 - 4.3.4.5.7 - 4.3.4.5.8 - 4.4.2.1 - 4.4.2.2 - 4.4.2.4 - SR 1.13 - SR 2.10 - SR 2.11 - SR 2.12 - SR 2.6 - SR 2.8 - SR 2.9 - SR 3.1 - SR 3.5 - SR 3.8 - SR 4.1 - SR 4.3 - SR 5.1 - SR 5.2 - SR 5.3 - SR 6.1 - SR 6.2 - SR 7.1 - SR 7.6 - A.11.2.6 - A.12.4.1 - A.12.4.2 - A.12.4.3 - A.12.4.4 - A.12.7.1 - A.13.1.1 - A.13.2.1 - A.14.1.3 - A.14.2.7 - A.15.2.1 - A.15.2.2 - A.16.1.4 - A.16.1.5 - A.16.1.7 - A.6.2.1 - A.6.2.2 - AU-2(d) - AU-12(c) - AC-6(9) - CM-6(a) - DE.AE-3 - DE.AE-5 - DE.CM-1 - DE.CM-3 - DE.CM-7 - ID.SC-4 - PR.AC-3 - PR.PT-1 - PR.PT-4 - RS.AN-1 - RS.AN-4 - Req-10.4.2.b - 10.6.3 - 4.1.3.4 - Arbitrary changes to the system time can be used to obfuscate -nefarious activities in log files, as well as to confuse network services that -are highly dependent upon an accurate system time (such as sshd). All changes -to the system time should be audited. - - CCE-80748-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q s390x /proc/sys/kernel/osrelease ) ); }; then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") 
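Review bot: the only non-move change in this hunk is the applicability guard on the bash fix: the removed line ends in `&& { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q s390x /proc/sys/kernel/osrelease ) ); }; then`, the added line ends in `&& rpm --quiet -q audit; then`. Because the rest of the script ("# Retrieve hardware architecture of the underlying system" and the getconf LONG_BIT branch) is matched as unchanged context, the diff cannot show whether the aarch64/s390x exclusion was dropped from a script that also audits stime, or whether this is the settimeofday script, which never had the guard, landing in the position the stime script used to occupy. Please confirm against the SYSCALL= assignments that follow the context: a script that sets `SYSCALL="adjtimex settimeofday stime"` for b32 must keep the exclusion, since the b32 stime rule is not loadable on those architectures. The hunk also removes the "Record Attempts to Alter Time Through stime" rule description and its CCE-80748-7 identifier; they need to come back unchanged later in the patch or the rule disappears from the guide.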
@@ -165757,6 +165260,179 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Record Attempts to Alter Time Through stime + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d for both 32 bit and 64 bit systems: +-a always,exit -F arch=b32 -S stime -F key=audit_time_rules +Since the 64 bit version of the "stime" system call is not defined in the audit +lookup table, the corresponding "-F arch=b64" form of this rule is not expected +to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule +form itself is sufficient for both 32 bit and 64 bit systems). If the +auditd daemon is configured to use the auditctl utility to +read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file for both 32 bit and 64 bit systems: +-a always,exit -F arch=b32 -S stime -F key=audit_time_rules +Since the 64 bit version of the "stime" system call is not defined in the audit +lookup table, the corresponding "-F arch=b64" form of this rule is not expected +to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule +form itself is sufficient for both 32 bit and 64 bit systems). The -k option +allows for the specification of a key in string form that can be used for +better reporting capability through ausearch and aureport. Multiple system +calls can be defined on the same line to save space if desired, but is not +required. 
See an example of multiple combined system calls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + 10.6.3 + 4.1.3.4 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. 
+ + CCE-80748-7 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-syscall-stime.rules + overwrite: true - name: Gather the package facts package_facts: 
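Review bot: the MachineConfig fix added at the end of this hunk contradicts the description added just above it. The description says twice that the 64-bit stime system call "is not defined in the audit lookup table" and that only the `-F arch=b32 -S stime` form is expected, yet the decoded data: URI for /etc/audit/rules.d/75-syscall-stime.rules is `-a always,exit -F arch=b64 -S stime -k audit_time_rules` followed by the b32 line. auditctl cannot resolve a syscall name for an arch where it does not exist and reports an error for that line, which aborts loading the remaining rules unless the rule set starts with -c, so this fixtext can leave a node with fewer audit rules than before it was applied; drop the b64 line from the kubernetes template for this rule, as the bash fix already does for b64. Separately, the paragraph "Since the 64 bit version of the stime system call is not defined ..." is duplicated verbatim inside the description; saying it once after both rule forms would shorten the rendered guide.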
@@ -165922,90 +165598,414 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-syscall-stime.rules - overwrite: true - - - - - - - - - - Record Attempts to Alter the localtime File - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: --w /etc/localtime -p wa -k audit_time_rules -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: --w /etc/localtime -p wa -k audit_time_rules -The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport and -should always be used. - BP28(R73) - 1 - 11 - 12 - 13 - 14 - 15 - 16 - 19 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 5.4.1.1 - APO10.01 - APO10.03 - APO10.04 - APO10.05 - APO11.04 - APO12.06 - APO13.01 - BAI03.05 - BAI08.02 - DSS01.03 - DSS01.04 - DSS02.02 - DSS02.04 - DSS02.07 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.03 - DSS05.04 - DSS05.05 - DSS05.07 - MEA01.01 - MEA01.02 - MEA01.03 - MEA01.04 - MEA01.05 - MEA02.01 - 3.1.7 - CCI-001487 - CCI-000169 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! 
( grep -q s390x /proc/sys/kernel/osrelease ) ); }; then + +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + # Create expected audit group and audit rule form for particular system call & architecture + if [ ${ARCH} = "b32" ] + then + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) + # so append it to the list of time group system calls to be audited + SYSCALL="adjtimex settimeofday stime" + SYSCALL_GROUPING="adjtimex settimeofday stime" + elif [ ${ARCH} = "b64" ] + then + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) + # therefore don't add it to the list of time group system calls to be audited + SYSCALL="adjtimex settimeofday" + SYSCALL_GROUPING="adjtimex settimeofday" + fi + OTHER_FILTERS="" + AUID_FILTERS="" + KEY="audit_time_rules" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a + unset syscall_grouping + unset syscall_string + unset syscall + unset file_to_edit + unset rule_to_edit + unset rule_syscalls_to_edit + unset other_string + unset auid_string + unset full_rule + + # Load macro arguments into arrays + read -a syscall_a <<< $SYSCALL + read -a syscall_grouping <<< $SYSCALL_GROUPING + + # Create a list of audit *.rules files that should be inspected for presence and correctness + # of a particular audit rule. 
The scheme is as follows: + # + # ----------------------------------------------------------------------------------------- + # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | + # ----------------------------------------------------------------------------------------- + # auditctl | Doesn't matter | /etc/audit/audit.rules | + # ----------------------------------------------------------------------------------------- + # augenrules | Yes | /etc/audit/rules.d/*.rules | + # augenrules | No | /etc/audit/rules.d/$key.rules | + # ----------------------------------------------------------------------------------------- + # + files_to_inspect=() + + # If audit tool is 'augenrules', then check if the audit rule is defined + # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection + # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection + default_file="/etc/audit/rules.d/$KEY.rules" + # As other_filters may include paths, lets use a different delimiter for it + # The "F" script expression tells sed to print the filenames where the expressions matched + readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) + # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet + if [ ${#files_to_inspect[@]} -eq "0" ] + then + file_to_inspect="/etc/audit/rules.d/$KEY.rules" + files_to_inspect=("$file_to_inspect") + if [ ! 
-e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi + fi + + # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead + skip=1 + + for audit_file in "${files_to_inspect[@]}" + do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + 
file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi + done + + if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" -gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi + fi + unset syscall_a + unset syscall_grouping + unset syscall_string + unset syscall + unset file_to_edit + unset rule_to_edit + unset rule_syscalls_to_edit + unset 
other_string + unset auid_string + unset full_rule + + # Load macro arguments into arrays + read -a syscall_a <<< $SYSCALL + read -a syscall_grouping <<< $SYSCALL_GROUPING + + # Create a list of audit *.rules files that should be inspected for presence and correctness + # of a particular audit rule. The scheme is as follows: + # + # ----------------------------------------------------------------------------------------- + # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | + # ----------------------------------------------------------------------------------------- + # auditctl | Doesn't matter | /etc/audit/audit.rules | + # ----------------------------------------------------------------------------------------- + # augenrules | Yes | /etc/audit/rules.d/*.rules | + # augenrules | No | /etc/audit/rules.d/$key.rules | + # ----------------------------------------------------------------------------------------- + # + files_to_inspect=() + + + # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' + # file to the list of files to be inspected + default_file="/etc/audit/audit.rules" + files_to_inspect+=('/etc/audit/audit.rules' ) + + # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead + skip=1 + + for audit_file in "${files_to_inspect[@]}" + do + # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, + # i.e, collect rules that match: + # * the action, list and arch, (2-nd argument) + # * the other filters, (3-rd argument) + # * the auid filters, (4-rd argument) + readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") + + candidate_rules=() + # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope + for s_rule in "${similar_rules[@]}" + do + # Strip all the options and fields we know of, + # than check if there was any field left over + extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") + grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") + done + + if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) + all_syscalls_found=0 + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { + # A syscall was not found in the candidate rule + all_syscalls_found=1 + } + done + if [[ $all_syscalls_found -eq 0 ]] + then + # We found a rule with all the syscall(s) we want; skip rest of macro + skip=0 + break + fi + + # Check if this rule can be grouped with our target syscall and keep track of it + for syscall_g in "${syscall_grouping[@]}" + do + if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then + file_to_edit=${audit_file} + rule_to_edit=${rule} + rule_syscalls_to_edit=${rule_syscalls} + fi + done + done + else + # If there is any candidate rule, it is compliant; skip rest of macro + if [ "${#candidate_rules[@]}" -gt 0 ] + then + skip=0 + fi + fi + + if [ "$skip" -eq 0 ]; then + break + fi + done + + if [ "$skip" -ne 0 ]; then + # We checked all rules that matched the expected resemblance pattern (action, arch & auid) + # At this point we know if we need to either append the $full_rule or group + # the syscall together with an exsiting rule + + # Append the full_rule if it cannot be grouped to any other rule + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [ "${#syscall_a[@]}" 
-gt 0 ] + then + syscall_string="" + for syscall in "${syscall_a[@]}" + do + syscall_string+=" -S $syscall" + done + fi + other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true + auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true + full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true + echo "$full_rule" >> "$default_file" + chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then + delimiter="," + else + delimiter=" -S " + fi + new_grouped_syscalls="${rule_syscalls_to_edit}" + for syscall in "${syscall_a[@]}" + do + grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { + # A syscall was not found in the candidate rule + new_grouped_syscalls+="${delimiter}${syscall}" + } + done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + fi + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Attempts to Alter the localtime File + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/localtime -p wa -k audit_time_rules +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/localtime -p wa -k audit_time_rules +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport and +should always be used. 
+ BP28(R73) + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 5.4.1.1 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 3.1.7 + CCI-001487 + CCI-000169 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 
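Review bot: the rule-matching sed expressions in the added bash fix depend on an accident of GNU sed. With `OTHER_FILTERS=""` and `AUID_FILTERS=""`, the expressions `-e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d"` and the corresponding `s#$OTHER_FILTERS##` and `s/$AUID_FILTERS//` become empty regexes, which sed interprets as "the last regex used"; they therefore silently re-apply the `^$ACTION_ARCH_FILTERS` match and are harmless only because that happens to be the previous expression. Reordering the -e arguments, or a filter value that is empty in one place and not another, changes what is deleted or substituted without any error. Emitting each -e only when its variable is non-empty would make the intent explicit. Same script, smaller points: `readarray -t files_to_inspect < <(sed -s -n ... -e "F" /etc/audit/rules.d/*.rules)` prints the file name once per matching line, so a file holding both the b32 and b64 rules is inspected twice; `read -a syscall_a <<< $SYSCALL` should quote `$SYSCALL` to avoid pathname expansion; and the comments carry "exsiting", "than check" and "more fields then required", which belong fixed in the source template since this text is rendered into every rule.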
@@ -166085,146 +166085,20 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. CCE-80749-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - - -# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' -# into the list of files to be inspected -files_to_inspect+=('/etc/audit/audit.rules') - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" - fi -done -# Create a list of audit *.rules files that should be inspected for presence and correctness -# of a particular audit rule. 
The scheme is as follows: -# -# ----------------------------------------------------------------------------------------- -# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | -# ----------------------------------------------------------------------------------------- -# auditctl | Doesn't matter | /etc/audit/audit.rules | -# ----------------------------------------------------------------------------------------- -# augenrules | Yes | /etc/audit/rules.d/*.rules | -# augenrules | No | /etc/audit/rules.d/$key.rules | -# ----------------------------------------------------------------------------------------- -files_to_inspect=() - -# If the audit is 'augenrules', then check if rule is already defined -# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. -# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection. -readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/localtime" /etc/audit/rules.d/*.rules) - -# For each of the matched entries -for match in "${matches[@]}" -do - # Extract filepath from the match - rulesd_audit_file=$(echo $match | cut -f1 -d ':') - # Append that path into list of files for inspection - files_to_inspect+=("$rulesd_audit_file") -done -# Case when particular audit rule isn't defined yet -if [ "${#files_to_inspect[@]}" -eq "0" ] -then - # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection - key_rule_file="/etc/audit/rules.d/audit_time_rules.rules" - # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions - if [ ! 
-e "$key_rule_file" ] - then - touch "$key_rule_file" - chmod 0640 "$key_rule_file" - fi - files_to_inspect+=("$key_rule_file") -fi - -# Finally perform the inspection and possible subsequent audit rule -# correction for each of the files previously identified for inspection -for audit_rules_file in "${files_to_inspect[@]}" -do - # Check if audit watch file system object rule for given path already present - if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" - then - # Rule is found => verify yet if existing rule definition contains - # all of the required access type bits - - # Define BRE whitespace class shortcut - sp="[[:space:]]" - # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule - current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") - # Split required access bits string into characters array - # (to check bit's presence for one bit at a time) - for access_bit in $(echo "wa" | grep -o .) - do - # For each from the required access bits (e.g. 'w', 'a') check - # if they are already present in current access bits for rule. - # If not, append that bit at the end - if ! grep -q "$access_bit" <<< "$current_access_bits" - then - # Concatenate the existing mask with the missing bit - current_access_bits="$current_access_bits$access_bit" - fi - done - # Propagate the updated rule's access bits (original + the required - # ones) back into the /etc/audit/audit.rules file for that rule - sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" - else - # Rule isn't present yet. 
Append it at the end of $audit_rules_file file - # with proper key - - echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ -w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A }} + mode: 0600 + path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules + overwrite: true - name: Gather the package facts package_facts: 
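Review bot: the access-bits extraction in the deleted script (re-added verbatim in the next hunk) does not agree with the rewrite that follows it. The extraction `sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p"` has a literal space before `$sp\+`, so it only matches when at least two whitespace characters separate `/etc/localtime` from `-p`, while the rewrite `sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)..."` matches a single space. For the usual single-space rule (`-w /etc/localtime -p rwa -k ...`) the extraction yields an empty string, the loop builds `wa` from nothing, and the rewrite then replaces the existing mask, so `-p rwa` is narrowed to `-p wa` instead of being preserved. Remove the stray space so both patterns match the same rule. Also, the added MachineConfig installs the rules.d file with `mode: 0600` whereas the bash path does `chmod 0640 "$key_rule_file"`; the two remediation flavours should agree on the file mode.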
@@ -166443,20 +166317,146 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ -w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A }} - mode: 0600 - path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + + +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +files_to_inspect+=('/etc/audit/audit.rules') + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule 
definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" + fi +done +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +files_to_inspect=() + +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection. +readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/localtime" /etc/audit/rules.d/*.rules) + +# For each of the matched entries +for match in "${matches[@]}" +do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") +done +# Case when particular audit rule isn't defined yet +if [ "${#files_to_inspect[@]}" -eq "0" ] +then + # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection + key_rule_file="/etc/audit/rules.d/audit_time_rules.rules" + # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions + if [ ! 
-e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + files_to_inspect+=("$key_rule_file") +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Define BRE whitespace class shortcut + sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "wa" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. + # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
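Review bot: the "auditctl" branch in this hunk is unconditional: `files_to_inspect+=('/etc/audit/audit.rules')` runs regardless of which loader is in use, although the comment above it and the table say the choice depends on the tool. On a host that loads rules with augenrules, `/etc/audit/audit.rules` is regenerated from `/etc/audit/rules.d/*.rules` on the next load, so the line appended there is discarded and only the rules.d branch that follows actually persists the rule. Either gate the branch on the loader really configured, or drop the direct edit and say so in the comment (the comment "Propagate ... back into the /etc/audit/audit.rules file" is also stale when the loop is iterating rules.d files). Minor: the discovery `grep -HP "[\s]*-w[\s]+/etc/localtime"` is unanchored, unlike the later `^[\s]*-w` check, so a commented-out rule such as `# -w /etc/localtime` selects that file for the append, and `rulesd_audit_file=$(echo $match | cut -f1 -d ':')` leaves `$match` unquoted.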
@@ -166709,42 +166709,6 @@ send audit records to. For example deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. CCE-80925-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audispd_remote_server='' - - -AUDITCONFIG=/etc/audit/audisp-remote.conf - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^remote_server") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_remote_server" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^remote_server\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80925-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
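Review bot: this hunk is a pure move: the `remote_server` script deleted here reappears byte-for-byte in the next hunk, after the Ansible task instead of before it, and the same delete-then-re-add pattern repeats for every rule further down. Nothing changes functionally, but a reorder of fix elements becomes a very large textual diff that hides real content changes. Have the generator emit fix elements in a deterministic order so an automated publish only shows edits that matter.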
@@ -166780,6 +166744,42 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audispd_remote_server='' + + +AUDITCONFIG=/etc/audit/audisp-remote.conf + + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^remote_server") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_remote_server" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^remote_server\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80925-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
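Review bot: `var_audispd_remote_server=''` is empty as rendered, so if this script runs without the XCCDF value substituted it writes `remote_server = ` into `/etc/audit/audisp-remote.conf`, configuring no destination while still exiting successfully. Add a guard before the edit, for example `[ -n "$var_audispd_remote_server" ] || { >&2 echo 'var_audispd_remote_server is not set'; exit 1; }`, or confirm the value binding is applied before the script is emitted.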
@@ -166847,38 +166847,6 @@ determined. SRG-OS-000479-GPOS-00224 Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audispd_disk_full_action='' - - -AUDITCONFIG=/etc/audit/audisp-remote.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_disk_full_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -166922,6 +166890,38 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audispd_disk_full_action='' + + +AUDITCONFIG=/etc/audit/audisp-remote.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_disk_full_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
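Review bot: the shared key/value helper only escapes `/` in the sed replacement (`escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")`), so a value containing `&` or a backslash is interpreted by sed (`&` expands to the matched text) rather than written literally. That is harmless for the enumerated values `disk_full_action` accepts, but the same helper is used for free-form values such as `remote_server` above; escape `&` and `\` as well, or use a delimiter-safe approach such as `sed -i "s/^disk_full_action\\>.*/$(printf '%s' "$formatted_output" | sed 's/[&\\/]/\\&/g')/gi"`.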
@@ -167012,38 +167012,6 @@ This profile configures the action to be SRG-OS-000479-GPOS-00224 Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_audispd_network_failure_action='' - - -AUDITCONFIG=/etc/audit/audisp-remote.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^network_failure_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_network_failure_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^network_failure_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -167087,6 +167055,38 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_audispd_network_failure_action='' + + +AUDITCONFIG=/etc/audit/audisp-remote.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^network_failure_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_audispd_network_failure_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^network_failure_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
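Review bot: the applicability gate `rpm --quiet -q audit` checks only the `audit` package, but the file this script edits, `/etc/audit/audisp-remote.conf`, ships with the audispd-plugins package on RHEL 8. On a host without that package the `grep` fails on the missing file, the `[[ -s ... ]]` check is false, and `printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"` creates a stray config file with the process umask and a single `network_failure_action = ` line. Either add `rpm --quiet -q audispd-plugins` to the gate or test `[ -f "$AUDITCONFIG" ]` before editing.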
@@ -167181,39 +167181,6 @@ records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. CCE-80677-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_syslog_active="yes" - -AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^active") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_syslog_active" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG" -else - if [[ -s "$AUDISP_SYSLOGCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_SYSLOGCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_SYSLOGCONFIG" - fi - cce="CCE-80677-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -167255,6 +167222,39 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_syslog_active="yes" + +AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^active") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_syslog_active" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG" +else + if [[ -s "$AUDISP_SYSLOGCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_SYSLOGCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_SYSLOGCONFIG" + fi + cce="CCE-80677-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
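Review bot: setting `active = yes` in `/etc/audit/plugins.d/syslog.conf` has no effect until auditd is restarted, and this script does nothing to signal the daemon; the rule is tagged `no_reboot_needed`, which is correct, but the rule text should state that `service auditd restart` (the documented way to restart auditd on RHEL 8, since systemctl refuses to stop it) is required before audit events start reaching syslog.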
@@ -167357,11 +167357,74 @@ determined. Details regarding all possible values for ACTION ar Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. CCE-84046-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_error_action='' - + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_
dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84046-2 + - DISA-STIG-RHEL-08-030040 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - auditd_data_disk_error_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_auditd_disk_error_action # promote to variable + set_fact: + var_auditd_disk_error_action: !!str + tags: + - always + +- name: Configure auditd Disk Error Action on Disk Error + lineinfile: + dest: /etc/audit/auditd.conf + line: disk_error_action = {{ var_auditd_disk_error_action.split('|')[0] }} + regexp: ^\s*disk_error_action\s*=\s*.*$ + state: present + create: true + when: + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-84046-2 + - DISA-STIG-RHEL-08-030040 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - auditd_data_disk_error_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_error_action='' + # # If disk_error_action present in /etc/audit/auditd.conf, change value 
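Review bot: the MachineConfig added in this hunk for a rule that only concerns `disk_error_action` writes the entire `/etc/audit/auditd.conf` with `overwrite: true`, including fixed values for unrelated keys (`admin_space_left = 50`, `admin_space_left_action = syslog`, `use_libwrap = yes`, `max_restarts = 10`) and placeholders for other rules' variables (`{{.var_auditd_flush}}`, `{{.var_auditd_space_left}}`, `{{.var_auditd_action_mail_acct}}`, visible URL-encoded as `%7B%7B.var_auditd_flush%7D%7D` and so on). Applying this one fix therefore changes settings owned by other rules, and if any placeholder is left unresolved a literal `{{.var_...}}` lands in auditd.conf and auditd will not parse it. Either scope the fix to the single key, as the Ansible `lineinfile` task in the same hunk does, or document that the full-file template is shared and must have every variable bound.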
@@ -167395,69 +167458,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84046-2 - - DISA-STIG-RHEL-08-030040 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_error_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy -- name: XCCDF Value var_auditd_disk_error_action # promote to variable - set_fact: - var_auditd_disk_error_action: !!str - tags: - - always - -- name: Configure auditd Disk Error Action on Disk Error - lineinfile: - dest: /etc/audit/auditd.conf - line: disk_error_action = {{ var_auditd_disk_error_action.split('|')[0] }} - regexp: ^\s*disk_error_action\s*=\s*.*$ - state: present - create: true - when: - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-84046-2 - - DISA-STIG-RHEL-08-030040 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_error_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true 
@@ -167551,35 +167551,20 @@ determined. Details regarding all possible values for ACTION ar SRG-OS-000047-GPOS-00023 Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_error_action='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_error_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -167625,20 +167610,35 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_error_action='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_error_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
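Review bot: the bash fix added here uses `$var_auditd_disk_error_action` as-is, while its Ansible counterpart in the earlier hunk writes `{{ var_auditd_disk_error_action.split('|')[0] }}` and the `disk_full_action` bash fix below applies `cut -d \| -f 1`. If the XCCDF value is a `|`-separated list, this script writes the whole list into `disk_error_action = ...`, which auditd rejects. Add the same first-field extraction here, for example `var_auditd_disk_error_action="${var_auditd_disk_error_action%%|*}"`.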
@@ -167737,39 +167737,20 @@ determined. Details regarding all possible values for ACTION ar Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. CCE-84045-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_full_action='' - - -var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)" - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - cce="CCE-84045-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf" - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_
listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -167819,20 +167800,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_full_action='' + + +var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)" + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + cce="CCE-84045-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf" + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -167926,35 +167926,20 @@ determined. Details regarding all possible values for ACTION ar SRG-OS-000047-GPOS-00023 Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_disk_full_action='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -168000,20 +167985,35 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_disk_full_action='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -168124,40 +168124,6 @@ via email for those situations: Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. CCE-80678-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_action_mail_acct='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80678-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -168208,6 +168174,40 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_action_mail_acct='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80678-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -168311,39 +168311,20 @@ determined. Details regarding all possible values for ACTION ar audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. CCE-80679-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_admin_space_left_action='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^admin_space_left_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_admin_space_left_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^admin_space_left_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80679-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_cl
ient_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -168399,20 +168380,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_admin_space_left_action='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^admin_space_left_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_admin_space_left_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^admin_space_left_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80679-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -168503,20 +168503,6 @@ to cause the system to perform an action. SRG-OS-000343-GPOS-00134 Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_admin_space_left_percentage='' - - -grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ - sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \ - echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -168562,6 +168548,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_admin_space_left_percentage='' + + +grep -q "^admin_space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ + sed -i "s/^admin_space_left[[:space:]]*=.*$/admin_space_left = $var_auditd_admin_space_left_percentage%/g" /etc/audit/auditd.conf || \ + echo "admin_space_left = $var_auditd_admin_space_left_percentage%" >> /etc/audit/auditd.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -168659,42 +168659,20 @@ fully synchronized with the log files on the disk: log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. CCE-80680-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_flush='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# if flush is present, flush param edited to var_auditd_flush -# else flush param is defined by var_auditd_flush -# -# the freq param is only used for values 'incremental' and 'incremental_async' and will be -# commented out if flush != incremental or flush != incremental_async -# -# if flush == incremental or flush == incremental_async && freq param is not defined, it -# will be defined as the package-default value of 20 - -grep -q ^flush $AUDITCONFIG && \ - sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG -if ! [ $? -eq 0 ]; then - echo "flush = $var_auditd_flush" >> $AUDITCONFIG -fi - -if ! [ "$var_auditd_flush" == "incremental" ] && ! [ "$var_auditd_flush" == "incremental_async" ]; then - sed -i 's/^freq/##freq/g' $AUDITCONFIG -elif [ "$var_auditd_flush" == "incremental" ] || [ "$var_auditd_flush" == "incremental_async" ]; then - grep -q freq $AUDITCONFIG && \ - sed -i 's/^#\+freq/freq/g' $AUDITCONFIG - if ! [ $? 
-eq 0 ]; then - echo "freq = 20" >> $AUDITCONFIG - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -168738,20 +168716,42 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_flush='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# if flush is present, flush param edited to var_auditd_flush +# else flush param is defined by var_auditd_flush +# +# the freq param is only used for values 'incremental' and 'incremental_async' and will be +# commented out if flush != incremental or flush != incremental_async +# +# if flush == incremental or flush == incremental_async && freq param is not defined, it +# will be defined as the package-default value of 20 + +grep -q ^flush $AUDITCONFIG && \ + sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG +if ! [ $? -eq 0 ]; then + echo "flush = $var_auditd_flush" >> $AUDITCONFIG +fi + +if ! [ "$var_auditd_flush" == "incremental" ] && ! [ "$var_auditd_flush" == "incremental_async" ]; then + sed -i 's/^freq/##freq/g' $AUDITCONFIG +elif [ "$var_auditd_flush" == "incremental" ] || [ "$var_auditd_flush" == "incremental_async" ]; then + grep -q freq $AUDITCONFIG && \ + sed -i 's/^#\+freq/freq/g' $AUDITCONFIG + if ! [ $? -eq 0 ]; then + echo "freq = 20" >> $AUDITCONFIG + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -168841,39 +168841,20 @@ support retention of even more audit data. log information over the period required. This is a function of the maximum log file size and the number of logs retained. CCE-80681-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_max_log_file='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^max_log_file\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80681-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
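Review bot: this hunk and the one that follows it only swap the position of the two fix elements under CCE-80681-0 (the bash remediation moves below the OpenShift MachineConfig); neither remediation's content changes. The same swap recurs for every auditd rule in this commit, which is what inflates an automated publish to roughly 130k changed lines per datastream and makes the diff unreviewable. Emitting fix elements in a stable order (sorted by fix system and id) at build time would let these publishes diff cleanly.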
@@ -168919,20 +168900,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_max_log_file='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^max_log_file\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80681-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
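Review bot: the MachineConfig removed at the top of this hunk writes `freq = 50` and `admin_space_left = 50` as fixed values into /etc/audit/auditd.conf, while the bash flush remediation earlier in this file treats 20 as the package default for `freq` and only enables it for the incremental flush modes. Because the data: URL replaces the whole file (`overwrite: true`), these hardcoded values silently take precedence on OpenShift; either template them like the other `{{.var_auditd_*}}` keys or document that the two platforms intentionally differ.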
@@ -169032,39 +169032,20 @@ being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. CCE-80682-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_max_log_file_action='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80682-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169116,20 +169097,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_max_log_file_action='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80682-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169233,35 +169233,20 @@ minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_max_log_file_action='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "/etc/audit/auditd.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" -else - if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" - fi - printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atran
sport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
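Review bot: this variant of the max_log_file_action remediation hardcodes "/etc/audit/auditd.conf" in five places and omits the `# Per CCE ...` provenance comment, whereas the sibling remediation two hunks earlier uses an `AUDITCONFIG` variable and records the CCE above the appended key. The hunk itself is only a reorder, but the two shell templates have diverged; generating both from the same template (with the CCE line conditional on the rule having a CCE) would keep them in step.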
@@ -169309,20 +169294,35 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_max_log_file_action='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "/etc/audit/auditd.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf" +else + if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf" + fi + printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169410,39 +169410,20 @@ Note that values less than 2 result in no log rotation. log information over the period required. This is a function of the maximum log file size and the number of logs retained. CCE-80683-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_num_logs='' - - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^num_logs") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_num_logs" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80683-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169490,20 +169471,39 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_num_logs='' + + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^num_logs") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_num_logs" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80683-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169596,19 +169596,20 @@ notify the user of an issue. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. CCE-83619-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_space_left='' - - -grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ - sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ - echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23
%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169660,20 +169661,19 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_space_left='' + + +grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ + sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ + echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
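Review bot: the space_left remediation chains `grep -q ... && sed -i ... || echo ... >> ...`, so if grep matches but sed fails (read-only file, symlinked config that `-i` refuses to follow) the `||` branch still runs and appends a second `space_left =` line instead of reporting the error. An explicit `if grep -q ...; then sed ...; else echo ...; fi`, as the other auditd remediations in this file use, avoids that; it would also be consistent to pass `--follow-symlinks` to sed here as those remediations do.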
@@ -169776,45 +169776,20 @@ also include suspend, single, and Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. CCE-80684-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_space_left_action='' - - -# -# If space_left_action present in /etc/audit/auditd.conf, change value -# to var_auditd_space_left_action, else -# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf -# - -AUDITCONFIG=/etc/audit/auditd.conf - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_space_left_action" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" -else - if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" - fi - cce="CCE-80684-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" - printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%2
0%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -169872,20 +169847,45 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_space_left_action='' + + +# +# If space_left_action present in /etc/audit/auditd.conf, change value +# to var_auditd_space_left_action, else +# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf +# + +AUDITCONFIG=/etc/audit/auditd.conf + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_space_left_action" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG" +else + if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG" + fi + cce="CCE-80684-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG" + printf '%s\n' "$formatted_output" >> "$AUDITCONFIG" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -169979,20 +169979,6 @@ notify the user of an issue. Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. CCE-86055-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_space_left_percentage='' - - -grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ - sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \ - echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -170042,6 +170028,20 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_space_left_percentage='' + + +grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ + sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \ + echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170063,27 +170063,20 @@ in /etc/audit/auditd.conf. may happen after higher number of records, increasing the danger of audit loss. CCE-82258-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "freq = 50" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0
Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -170139,20 +170132,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "freq = 50" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170176,27 +170176,20 @@ This is the default setting. If option local_events isn't set to yes only events from network will be aggregated. CCE-82233-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -170254,20 +170247,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170302,27 +170302,20 @@ in /etc/audit/auditd.conf. If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them. CCE-82201-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -170382,20 +170375,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170425,32 +170425,20 @@ in /etc/audit/auditd.conf. none, audit events from different computers may be hard to distinguish. CCE-82897-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -var_auditd_name_format='' - - -var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)" - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "name_format = $var_auditd_name_format" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -170534,20 +170522,32 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +var_auditd_name_format='' + + +var_auditd_name_format="$(echo $var_auditd_name_format | cut -d \| -f 1)" + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "name_format = $var_auditd_name_format" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -170571,28 +170571,6 @@ to one of the following values: syslog, single The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. CCE-85889-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then - -if [ -e "/etc/audit/auditd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf" -else - touch "/etc/audit/auditd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/audit/auditd.conf" - -cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" -# Insert at the end of the file -printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf" -# Clean up after ourselves. -rm "/etc/audit/auditd.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -170649,30 +170627,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Write Audit Logs to the Disk - To configure Audit daemon to write Audit logs to the disk, set -write_logs to yes in /etc/audit/auditd.conf. -This is the default setting. - CM-6 - FAU_STG.1 - SRG-OS-000480-GPOS-00227 - If write_logs isn't set to yes, the Audit logs will -not be written to the disk. - CCE-82366-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then if [ -e "/etc/audit/auditd.conf" ] ; then - LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf" + LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf" else touch "/etc/audit/auditd.conf" fi 
@@ -170681,13 +170641,46 @@ sed -i -e '$a\' "/etc/audit/auditd.conf" cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" # Insert at the end of the file -printf '%s\n' "write_logs = yes" >> "/etc/audit/auditd.conf" +printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf" # Clean up after ourselves. rm "/etc/audit/auditd.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Write Audit Logs to the Disk + To configure Audit daemon to write Audit logs to the disk, set +write_logs to yes in /etc/audit/auditd.conf. +This is the default setting. + CM-6 + FAU_STG.1 + SRG-OS-000480-GPOS-00227 + If write_logs isn't set to yes, the Audit logs will +not be written to the disk. + CCE-82366-6 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%
0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -170743,20 +170736,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} - mode: 0640 - path: /etc/audit/auditd.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/audit/auditd.conf" + +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "write_logs = yes" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170810,25 +170810,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-APP-000507-CTR-001295 Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. CCE-82833-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules -## Unsuccessful file access (any other opens) This has to go last. --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules according to policy copy: 
@@ -170865,6 +170846,25 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -170903,23 +170903,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000461-GPOS-00205 Auditing of successful attempts to access a file helps in investigation of activities performed on the system. CCE-82834-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-success.rules -## Successful file access (any other opens) This has to go last. -## These next two are likely to result in a whole lot of events --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-success.rules according to policy 
@@ -170957,20 +170954,23 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-success.rules +## Successful file access (any other opens) This has to go last. +## These next two are likely to result in a whole lot of events +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171007,32 +171007,20 @@ Load new Audit rules into kernel by running: SRG-OS-000475-GPOS-00220 Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure. CCE-82827-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules -## First rule - delete all --D - -## Increase the buffers to survive stress events. -## Make this bigger for busy systems --b 8192 - -## This determine how long to wait in burst of events ---backlog_wait_time 60000 - -## Set failure mode to syslog --f 1 - -EOF - -chmod o-rwx /etc/audit/rules.d/10-base-config.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20First%20rule%20-%20delete%20all%0A-D%0A%0A%23%23%20Increase%20the%20buffers%20to%20survive%20stress%20events.%0A%23%23%20Make%20this%20bigger%20for%20busy%20systems%0A-b%208192%0A%0A%23%23%20This%20determine%20how%20long%20to%20wait%20in%20burst%20of%20events%0A--backlog_wait_time%2060000%0A%0A%23%23%20Set%20failure%20mode%20to%20syslog%0A-f%201%0A + mode: 0600 + path: /etc/audit/rules.d/10-base-config.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/10-base-config.rules according to policy copy: 
@@ -171078,20 +171066,32 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20First%20rule%20-%20delete%20all%0A-D%0A%0A%23%23%20Increase%20the%20buffers%20to%20survive%20stress%20events.%0A%23%23%20Make%20this%20bigger%20for%20busy%20systems%0A-b%208192%0A%0A%23%23%20This%20determine%20how%20long%20to%20wait%20in%20burst%20of%20events%0A--backlog_wait_time%2060000%0A%0A%23%23%20Set%20failure%20mode%20to%20syslog%0A-f%201%0A - mode: 0600 - path: /etc/audit/rules.d/10-base-config.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules +## First rule - delete all +-D + +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 + +## This determine how long to wait in burst of events +--backlog_wait_time 60000 + +## Set failure mode to syslog +-f 1 + +EOF + +chmod o-rwx /etc/audit/rules.d/10-base-config.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171139,33 +171139,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-APP-000507-CTR-001295 Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. CCE-82374-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset 
-F key=unsuccessful-create -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules according to policy copy: 
@@ -171210,6 +171183,33 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171245,27 +171245,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000461-GPOS-00205 Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. CCE-82829-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-success.rules -## Successful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-success.rules according to policy copy: 
@@ -171304,6 +171283,27 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-success.rules +## Successful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-1-create-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171338,24 +171338,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000468-GPOS-00212 Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. CCE-82835-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules -## Unsuccessful file delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules according to policy 
@@ -171394,20 +171390,24 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules +## Unsuccessful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171440,22 +171440,21 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000468-GPOS-00212 Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. CCE-82836-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules -## Successful file delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules - -augenrules --load + --- -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%23%20Successful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete }} + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules according to policy 
@@ -171492,21 +171491,22 @@ fi - no_reboot_needed - restrict_strategy - --- + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%23%20Successful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete }} - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules - overwrite: true +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules +## Successful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171544,22 +171544,20 @@ Load new Audit rules into kernel by running: If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. CCE-82828-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules -## Make the loginuid immutable. This prevents tampering with the auid. ---loginuid-immutable - -EOF - -chmod o-rwx /etc/audit/rules.d/11-loginuid.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable%0A%0A + mode: 0600 + path: /etc/audit/rules.d/11-loginuid.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/11-loginuid.rules according to policy copy: @@ -171597,20 +171595,22 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable%0A%0A - mode: 0600 - path: /etc/audit/rules.d/11-loginuid.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules +## Make the loginuid immutable. This prevents tampering with the auid. +--loginuid-immutable + +EOF + +chmod o-rwx /etc/audit/rules.d/11-loginuid.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171658,32 +171658,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-APP-000507-CTR-001295 Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. CCE-82830-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 
-F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM
%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules according to policy 
@@ -171730,20 +171718,32 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always
%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F 
exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
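Review bot: this hunk only swaps the order of the two remediation elements for `30-ospp-v42-2-modify-failed.rules` (the Ignition MachineConfig moves from above the bash script to below it); the rule text inside the `data:` URL and inside the heredoc is byte-for-byte the same on both sides. An automated publish that churns on element ordering buries real content changes, so the datastream generator should emit fix elements in a stable order (for example sorted by fix type) so that identical content yields an empty diff. The same reorder-only pattern appears in the `modify-success` and `43-module-load.rules` hunks below.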
@@ -171779,26 +171779,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000461-GPOS-00205 Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. CCE-82832-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules -## Successful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules according to policy 
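Review bot: the `data:` URL added here for `30-ospp-v42-2-modify-success.rules` has XML entities inside the percent-encoding: `a2%26amp%3B01003` and `auid%26gt%3B%3D1000` decode to `a2&amp;01003` and `auid&gt;=1000`, which is not valid `auditctl` field syntax, whereas the bash heredoc on the removed side writes `-F a2&01003` and `-F auid>=1000` and the sibling `modify-failed` MachineConfig encodes the same operators as `%26` and `%3E`. On the Ignition path the file is therefore written with literal entity text and the successful-modification rules do not load, while the bash remediation for the same rule works. The hunk moves the block but keeps the defect; the source should be re-encoded to match the failed-rule file, e.g. `a2%2601003` and `auid%3E%3D1000`.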
@@ -171839,20 +171833,26 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%26amp%3B01003%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules +## Successful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -171882,25 +171882,20 @@ Load new Audit rules into kernel by running: SRG-OS-000475-GPOS-00220 Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. CCE-82838-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules -## These rules watch for kernel module insertion. By monitoring -## the syscall, we do not need any watches on programs. --a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b32 -S delete_module -F key=module-unload --a always,exit -F arch=b64 -S delete_module -F key=module-unload -EOF - -chmod o-rwx /etc/audit/rules.d/43-module-load.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A + mode: 0600 + path: /etc/audit/rules.d/43-module-load.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/43-module-load.rules according to policy copy: 
@@ -171939,20 +171934,25 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A - mode: 0600 - path: /etc/audit/rules.d/43-module-load.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules +## These rules watch for kernel module insertion. By monitoring +## the syscall, we do not need any watches on programs. +-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b32 -S delete_module -F key=module-unload +-a always,exit -F arch=b64 -S delete_module -F key=module-unload +EOF + +chmod o-rwx /etc/audit/rules.d/43-module-load.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -172070,103 +172070,20 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000304-GPOS-00121 Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. CCE-82373-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42.rules -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## the following rule files copied to /etc/audit/rules.d: -## -## 10-base-config.rules, 11-loginuid.rules, -## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, -## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, -## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, -## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, -## 30-ospp-v42-5-perm-change-failed.rules, -## 30-ospp-v42-5-perm-change-success.rules, -## 30-ospp-v42-6-owner-change-failed.rules, -## 30-ospp-v42-6-owner-change-success.rules -## -## original copies may be found in /usr/share/audit/sample-rules/ - - -## User add delete modify. This is covered by pam. 
However, someone could -## open a file and directly create or modify a user, so we'll watch passwd and -## shadow for writes --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - -## User enable and disable. This is entirely handled by pam. - -## Group add delete modify. This is covered by pam. However, someone could -## open a file and directly create or modify a user, so we'll watch group and -## gshadow for writes --a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify --a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify - - -## Use of special rights for config changes. This would be use of setuid -## programs that relate to user accts. This is not all setuid apps because -## requirements are only for ones that affect system configuration. 
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes - -## Privilege escalation via su or sudo. This is entirely handled by pam. - -## Watch for configuration changes to privilege escalation. 
--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes --a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes - -## Audit log access --a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -## Attempts to Alter Process and Session Initiation Information --a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session - -## Attempts to modify MAC controls --a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy - -## Software updates. This is entirely handled by rpm. - -## System start and shutdown. This is entirely handled by systemd - -## Kernel Module loading. This is handled in 43-module-load.rules - -## Application invocation. The requirements list an optional requirement -## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to -## state results from that policy. This would be handled entirely by -## that daemon. 
- -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20alway
s%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20chan
ges.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%
2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20i
ntended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A%0A + mode: 0600 + path: /etc/audit/rules.d/30-ospp-v42.rules + overwrite: true - name: Put contents into /etc/audit/rules.d/30-ospp-v42.rules according to policy copy: 
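Review bot: the header comment in `30-ospp-v42.rules` says these rules depend on `10-base-config.rules`, `11-loginuid.rules` and the `30-ospp-v42-*-failed.rules` / `30-ospp-v42-*-success.rules` files being present in `/etc/audit/rules.d`, but neither the bash remediation nor the MachineConfig checks for or installs them, and the bash path runs `augenrules --load` unconditionally. The rule description should state that the dependency rules must be applied first, or the profile should order them so that they are. Separately, the `-F path=/etc/sudoers` and `-F dir=/etc/sudoers.d/` watches are the only entries in the file without the `-F auid>=1000 -F auid!=unset` filter; if capturing root and daemon writes there is deliberate, a comment on those two lines would keep a later cleanup from "fixing" it.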
@@ -172283,20 +172200,103 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpassw
d%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%2
0to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset
%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20b
e%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A%0A - mode: 0600 - path: /etc/audit/rules.d/30-ospp-v42.rules - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42.rules +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## the following rule files copied to /etc/audit/rules.d: +## +## 10-base-config.rules, 11-loginuid.rules, +## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, +## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, +## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, +## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, +## 30-ospp-v42-5-perm-change-failed.rules, +## 30-ospp-v42-5-perm-change-success.rules, +## 30-ospp-v42-6-owner-change-failed.rules, +## 30-ospp-v42-6-owner-change-success.rules +## +## original copies may be found in /usr/share/audit/sample-rules/ + + +## User add delete modify. This is covered by pam. 
However, someone could +## open a file and directly create or modify a user, so we'll watch passwd and +## shadow for writes +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + +## User enable and disable. This is entirely handled by pam. + +## Group add delete modify. This is covered by pam. However, someone could +## open a file and directly create or modify a user, so we'll watch group and +## gshadow for writes +-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify +-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify + + +## Use of special rights for config changes. This would be use of setuid +## programs that relate to user accts. This is not all setuid apps because +## requirements are only for ones that affect system configuration. 
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + +## Privilege escalation via su or sudo. This is entirely handled by pam. + +## Watch for configuration changes to privilege escalation. 
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes +-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes + +## Audit log access +-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail +## Attempts to Alter Process and Session Initiation Information +-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session + +## Attempts to modify MAC controls +-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy + +## Software updates. This is entirely handled by rpm. + +## System start and shutdown. This is entirely handled by systemd + +## Kernel Module loading. This is handled in 43-module-load.rules + +## Application invocation. The requirements list an optional requirement +## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to +## state results from that policy. This would be handled entirely by +## that daemon. + +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
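Review bot: the bash remediation added at the end of this hunk leaves /etc/audit/rules.d/30-ospp-v42.rules group-readable: the file is created by `cat << 'EOF' > ...` under the default umask and then only gets `chmod o-rwx`, which yields 0640, while the Ignition variant removed at the top of the hunk sets `mode: 0600` for the same file. The two remediations for one rule should agree; `chmod 0600 /etc/audit/rules.d/30-ospp-v42.rules` would match. Two wording issues in the file body are also visible here: the comment under "Group add delete modify" still says "directly create or modify a user" (it should say group), and the header reads "These rules depends on having". Both are copied from the upstream sample rules, so either fix them upstream or state that the text is kept verbatim. Note that apart from the Ignition lines, the removed and added content is the same remediation moving position inside the rule element rather than a content change.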
@@ -172331,25 +172331,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. CCE-82384-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules -## Unsuccessful ownership change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules according to policy copy: 
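Review bot: the bash block removed in this hunk (@@ -172331) is identical line for line to the block added at @@ -172386 after the Ansible task's tags; the fix is only being moved after the Ansible remediation within the same rule. The same move repeats for every rule in this publish, which is what yields 166615 insertions against 166615 deletions with no change in content. The generator should emit fix elements in a stable order (for example sorted by remediation system) so that an automated publish does not rewrite the whole datastream; as it stands, real changes cannot be picked out of this diff.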
@@ -172386,6 +172367,25 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules +## Unsuccessful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -172418,23 +172418,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. CCE-82385-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules -## Successful ownership change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules according to policy copy: @@ -172469,6 +172452,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules +## Successful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -172503,25 +172503,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. CCE-82837-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules -## Unsuccessful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules according to policy copy: 
@@ -172558,6 +172539,25 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules +## Unsuccessful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -172590,23 +172590,6 @@ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You SRG-OS-000064-GPOS-00033 Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. CCE-82383-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules -## Successful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -EOF - -chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules - -augenrules --load - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules according to policy copy: 
@@ -172641,6 +172624,23 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules +## Successful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +EOF + +chmod o-rwx /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules + +augenrules --load + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -172799,21 +172799,6 @@ also required to change the runtime configuration, run: or other services, weakening system security. CCE-86006-4 - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common; then - -if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then - sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub" -else - echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -fi - -grubby --update-kernel=ALL --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -172853,6 +172838,21 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common; then + +if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then + sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub" +else + echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' +fi + +grubby --update-kernel=ALL --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -172879,15 +172879,6 @@ Run the following command to update command line for already installed kernels:< CCE-83920-9 [customizations.kernel] append = "iommu=force" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=iommu=force --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -172914,6 +172905,15 @@ fi - reboot_required - restrict_strategy - unknown_severity + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=iommu=force --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -172948,15 +172948,6 @@ slow because there is not yet enough entropy in the system.CCE-83314-5 [customizations.kernel] append = "random.trust_cpu=on" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=random.trust_cpu=on --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
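Review bot: in the GRUB_DISABLE_RECOVERY remediation (the hunk at @@ -172853, and its removed twin at @@ -172799), the `grep -q '^GRUB_DISABLE_RECOVERY=.*'` test is anchored but the `sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/'` is not, so a commented `#GRUB_DISABLE_RECOVERY=...` line in /etc/default/grub gets rewritten too; anchor the sed pattern with `^` as well. The closing `grubby --update-kernel=ALL --env=/boot/grub2/grubenv` is invoked with neither `--args` nor `--remove-args`, so it does not carry the /etc/default/grub change anywhere; GRUB_DISABLE_RECOVERY is read when grub.cfg is regenerated, so a `grub2-mkconfig -o` step for the BIOS and EFI configs appears to be missing from this script.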
@@ -172983,6 +172974,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=random.trust_cpu=on --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173019,19 +173019,6 @@ location that is cached in the L1 Data Cache. CCE-88123-5 [customizations.kernel] append = "l1tf=" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_l1tf_options='' - - - -grubby --update-kernel=ALL --args=l1tf=$var_l1tf_options --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173063,6 +173050,19 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_l1tf_options='' + + + +grubby --update-kernel=ALL --args=l1tf=$var_l1tf_options --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173095,15 +173095,6 @@ trying to exploit a vulnerability such as Rowhammer. CCE-87098-0 [customizations.kernel] append = "mce=0" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=mce=0 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
@@ -173130,6 +173121,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=mce=0 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173156,15 +173156,6 @@ Run the following command to update command line for already installed kernels: manipulation of data in the user space. CCE-87345-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --remove-args=nosmap --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -173190,6 +173181,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --remove-args=nosmap --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173216,15 +173216,6 @@ Run the following command to update command line for already installed kernels: the kernel to unintentionally execute code in less privileged memory space. CCE-85989-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --remove-args=nosmep --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -173250,6 +173241,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --remove-args=nosmep --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173284,15 +173284,6 @@ randomization (KASLR). CCE-82194-2 [customizations.kernel] append = "pti=on" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173323,6 +173314,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173362,19 +173362,6 @@ from the hardware number generators available in the system helps fill up the en CCE-89567-2 [customizations.kernel] append = "rng_core.default_quality=" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_rng_core_default_quality='' - - - -grubby --update-kernel=ALL --args=rng_core.default_quality=$var_rng_core_default_quality --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
@@ -173407,6 +173394,19 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_rng_core_default_quality='' + + + +grubby --update-kernel=ALL --args=rng_core.default_quality=$var_rng_core_default_quality --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173442,15 +173442,6 @@ Overall, this reduces the kernel attack surface area by isolating slabs from eac CCE-86777-0 [customizations.kernel] append = "slab_nomerge=yes" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=slab_nomerge=yes --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173477,6 +173468,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=slab_nomerge=yes --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173516,19 +173516,6 @@ for example inside the sandboxed code. CCE-89234-9 [customizations.kernel] append = "spec_store_bypass_disable=" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_spec_store_bypass_disable_options='' - - - -grubby --update-kernel=ALL --args=spec_store_bypass_disable=$var_spec_store_bypass_disable_options --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: 
@@ -173561,6 +173548,19 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_spec_store_bypass_disable_options='' + + + +grubby --update-kernel=ALL --args=spec_store_bypass_disable=$var_spec_store_bypass_disable_options --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173596,15 +173596,6 @@ access to. CCE-89345-3 [customizations.kernel] append = "spectre_v2=on" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=spectre_v2=on --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173631,6 +173622,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=spectre_v2=on --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173662,15 +173662,6 @@ Run the following command to update command line for already installed kernels: on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --remove-args=systemd.debug-shell --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
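Review bot: the l1tf, rng_core.default_quality and spec_store_bypass_disable remediations (the hunks at @@ -173063, @@ -173394 and @@ -173548 and their removed counterparts) set the value variable to an empty string, `var_l1tf_options=''`, and then pass `--args=l1tf=$var_l1tf_options`; the matching blueprint fragments likewise read `append = "l1tf="`. As the hunks read, the script installs an empty `l1tf=` kernel argument instead of the selected mitigation. If the empty quotes stand in for an XCCDF value substitution, that should be confirmed in the generated datastream; otherwise the script should refuse to run when the variable is empty. The expansion should also be double-quoted, `--args="l1tf=$var_l1tf_options"`, so that a value containing spaces or shell metacharacters is passed to grubby intact.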
@@ -173694,6 +173685,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --remove-args=systemd.debug-shell --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173726,15 +173726,6 @@ of the return instruction pointer. CCE-80946-7 [customizations.kernel] append = "vsyscall=none" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -173765,6 +173756,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -173849,15 +173849,6 @@ To properly set the group owner of /boot/grub2/grub.cfg, file should not have any access privileges anyway. CCE-80800-6 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -173922,6 +173913,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174002,15 +174002,6 @@ file should not have any access privileges anyway. Non-root users who read the b may be able to identify weaknesses in security upon boot and be able to exploit them. CCE-86009-8 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/grub2/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -174075,6 +174066,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/grub2/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174154,15 +174154,6 @@ To properly set the owner of /boot/grub2/grub.cfg, run th Only root should be able to modify important boot parameters. CCE-80805-5 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -174227,6 +174218,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174306,15 +174306,6 @@ the boot parameters may be able to identify weaknesses in security upon boot and exploit them. CCE-86015-5 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/grub2/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -174379,6 +174370,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/grub2/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174454,15 +174454,6 @@ To properly set the permissions of /boot/grub2/grub.cfg, parameters. CCE-80814-7 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-xs,g-xwrs,o-xwrt /boot/grub2/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -174521,6 +174512,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-xs,g-xwrs,o-xwrt /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -174596,15 +174596,6 @@ To properly set the permissions of /boot/grub2/user.cfg, parameters. CCE-86024-7 - # Remediation is applicable only in certain platforms -if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-xs,g-xwrs,o-xwrt /boot/grub2/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -174663,6 +174654,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-xs,g-xwrs,o-xwrt /boot/grub2/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175019,15 +175019,6 @@ To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg CCE-85915-7 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/efi/EFI/redhat/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -175089,6 +175080,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/efi/EFI/redhat/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175156,15 +175156,6 @@ file should not have any access privileges anyway. Non-root users who read the b may be able to identify weaknesses in security upon boot and be able to exploit them. CCE-86012-2 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chgrp 0 /boot/efi/EFI/redhat/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -175226,6 +175217,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chgrp 0 /boot/efi/EFI/redhat/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175292,15 +175292,6 @@ To properly set the owner of /boot/efi/EFI/redhat/grub.cfgOnly root should be able to modify important boot parameters. CCE-85913-2 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/efi/EFI/redhat/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -175362,6 +175353,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/efi/EFI/redhat/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175429,15 +175429,6 @@ the boot parameters may be able to identify weaknesses in security upon boot and exploit them. CCE-86021-3 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chown 0 /boot/efi/EFI/redhat/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -175499,6 +175490,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chown 0 /boot/efi/EFI/redhat/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175562,15 +175562,6 @@ To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg CCE-85912-4 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -175626,6 +175617,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -175689,15 +175689,6 @@ To properly set the permissions of /boot/efi/EFI/redhat/user.cfg CCE-86028-8 - # Remediation is applicable only in certain platforms -if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -175753,6 +175744,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -176041,24 +176041,6 @@ this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. CCE-83321-0 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="audit=1" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "audit=1" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain audit=1 block: @@ -176118,6 +176100,24 @@ fi - medium_severity - reboot_required - zipl_audit_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="audit=1" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "audit=1" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -176141,24 +176141,6 @@ are stored in this queue. If the queue is overrun during boot process, the acti defined by audit failure flag is taken. CCE-83341-8 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="audit_backlog_limit=8192" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "audit_backlog_limit=8192" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?audit_backlog_limit=8192(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 audit_backlog_limit=8192/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain audit_backlog_limit=8192 block: @@ -176218,6 +176200,24 @@ fi - medium_severity - reboot_required - zipl_audit_backlog_limit_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "audit_backlog_limit=8192" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?audit_backlog_limit=8192(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 audit_backlog_limit=8192/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -176253,15 +176253,6 @@ Run zipl command to generate an updated /boot/ boot correct kernel and options. CCE-83486-1 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -/usr/sbin/zipl - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure zIPL bootmap is up to date block: @@ -176291,6 +176282,15 @@ fi - medium_severity - no_reboot_needed - zipl_bootmap_is_up_to_date + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +/usr/sbin/zipl + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176326,24 +176326,6 @@ This prevents many types of use-after-free vulnerabilities at little performance Also prevents leak of data and detection of corrupted memory. CCE-83351-7 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="page_poison=1" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "page_poison=1" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?page_poison=1(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 page_poison=1/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain page_poison=1 block: 
@@ -176403,6 +176385,24 @@ fi - medium_severity - reboot_required - zipl_page_poison_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="page_poison=1" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "page_poison=1" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?page_poison=1(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 page_poison=1/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176425,24 +176425,6 @@ This prevents many types of use-after-free vulnerabilities at little performance Also prevents leak of data and detection of corrupted memory. CCE-83371-5 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="slub_debug=P" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "slub_debug=P" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?slub_debug=P(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 slub_debug=P/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain slub_debug=P block: 
@@ -176502,6 +176484,24 @@ fi - medium_severity - reboot_required - zipl_slub_debug_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="slub_debug=P" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "slub_debug=P" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?slub_debug=P(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 slub_debug=P/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176533,21 +176533,6 @@ that systemd.debug-shell=1 is not present in / on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --remove-args="systemd.debug-shell" - -# Ensure new kernels and boot entries retain the boot option -if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then - sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain systemd.debug-shell block: 
@@ -176592,6 +176577,21 @@ fi - medium_severity - reboot_required - zipl_systemd_debug-shell_argument_absent + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --remove-args="systemd.debug-shell" + +# Ensure new kernels and boot entries retain the boot option +if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then + sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -176612,24 +176612,6 @@ add vsyscall=none to /etc/kernel/cmdline CCE-83381-4 - # Remediation is applicable only in certain platforms -if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# Correct BLS option using grubby, which is a thin wrapper around BLS operations -grubby --update-kernel=ALL --args="vsyscall=none" - -# Ensure new kernels and boot entries retain the boot option -if [ ! -f /etc/kernel/cmdline ]; then - echo "vsyscall=none" > /etc/kernel/cmdline -elif ! grep -q '^(.*\s)?vsyscall=none(\s.*)?$' /etc/kernel/cmdline; then - - sed -Ei 's/^(.*)$/\1 vsyscall=none/' /etc/kernel/cmdline -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure BLS boot entries options contain vsyscall=none block: 
@@ -176689,6 +176671,24 @@ fi - medium_severity - reboot_required - zipl_vsyscall_argument + + # Remediation is applicable only in certain platforms +if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct BLS option using grubby, which is a thin wrapper around BLS operations +grubby --update-kernel=ALL --args="vsyscall=none" + +# Ensure new kernels and boot entries retain the boot option +if [ ! -f /etc/kernel/cmdline ]; then + echo "vsyscall=none" > /etc/kernel/cmdline +elif ! grep -q '^(.*\s)?vsyscall=none(\s.*)?$' /etc/kernel/cmdline; then + + sed -Ei 's/^(.*)$/\1 vsyscall=none/' /etc/kernel/cmdline +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -178333,21 +178333,13 @@ $ sudo yum install rsyslog-gnutls The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. CCE-82859-0 + +package --add=rsyslog-gnutls + [[packages]] name = "rsyslog-gnutls" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "rsyslog-gnutls" ; then - yum install -y "rsyslog-gnutls" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rsyslog-gnutls @@ -178372,8 +178364,16 @@ class install_rsyslog-gnutls { - no_reboot_needed - package_rsyslog-gnutls_installed - -package --add=rsyslog-gnutls + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "rsyslog-gnutls" ; then + yum install -y "rsyslog-gnutls" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -178429,21 +178429,13 @@ package --add=rsyslog-gnutls The rsyslog package provides the rsyslog daemon, which provides system logging services. CCE-80847-7 + +package --add=rsyslog + [[packages]] name = "rsyslog" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "rsyslog" ; then - yum install -y "rsyslog" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_rsyslog @@ -178469,8 +178461,16 @@ class install_rsyslog { - no_reboot_needed - package_rsyslog_installed - -package --add=rsyslog + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "rsyslog" ; then + yum install -y "rsyslog" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -178568,18 +178568,6 @@ logging services, which are essential to system administration. [customizations.services] enabled = ["rsyslog"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'rsyslog.service' -"$SYSTEMCTL_EXEC" start 'rsyslog.service' -"$SYSTEMCTL_EXEC" enable 'rsyslog.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_rsyslog @@ -178617,6 +178605,18 @@ class enable_rsyslog { - medium_severity - no_reboot_needed - service_rsyslog_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'rsyslog.service' +"$SYSTEMCTL_EXEC" start 'rsyslog.service' +"$SYSTEMCTL_EXEC" enable 'rsyslog.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -178645,38 +178645,6 @@ created files. It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. CCE-88321-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -readarray -t targets < <(grep -H '^\s*$FileCreateMode' /etc/rsyslog.conf /etc/rsyslog.d/*) - -# if $FileCreateMode set in multiple places -if [ ${#targets[@]} -gt 1 ]; then - # delete all and create new entry with expected value - sed -i '/^\s*$FileCreateMode/d' /etc/rsyslog.conf /etc/rsyslog.d/* - echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf -# if $FileCreateMode set in only one place -elif [ "${#targets[@]}" -eq 1 ]; then - filename=$(echo "${targets[0]}" | cut -d':' -f1) - value=$(echo "${targets[0]}" | cut -d' ' -f2) - #convert to decimal and bitwise or operation - result=$((8#$value | 416)) - # if more permissive than expected, then set it to 0640 - if [ $result -ne 416 ]; then - # if value is wrong remove it - sed -i '/^\s*$FileCreateMode/d' $filename - echo '$FileCreateMode 0640' > $filename - fi -else - echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf -fi - -systemctl restart rsyslog.service - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure rsyslog Default File Permissions Configured - Search for $FileCreateMode Parameter in rsyslog Main Config File ansible.builtin.find: 
@@ -178785,6 +178753,38 @@ fi - medium_severity - no_reboot_needed - rsyslog_filecreatemode + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +readarray -t targets < <(grep -H '^\s*$FileCreateMode' /etc/rsyslog.conf /etc/rsyslog.d/*) + +# if $FileCreateMode set in multiple places +if [ ${#targets[@]} -gt 1 ]; then + # delete all and create new entry with expected value + sed -i '/^\s*$FileCreateMode/d' /etc/rsyslog.conf /etc/rsyslog.d/* + echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf +# if $FileCreateMode set in only one place +elif [ "${#targets[@]}" -eq 1 ]; then + filename=$(echo "${targets[0]}" | cut -d':' -f1) + value=$(echo "${targets[0]}" | cut -d' ' -f2) + #convert to decimal and bitwise or operation + result=$((8#$value | 416)) + # if more permissive than expected, then set it to 0640 + if [ $result -ne 416 ]; then + # if value is wrong remove it + sed -i '/^\s*$FileCreateMode/d' $filename + echo '$FileCreateMode 0640' > $filename + fi +else + echo '$FileCreateMode 0640' > /etc/rsyslog.d/99-rsyslog_filecreatemode.conf +fi + +systemctl restart rsyslog.service + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -178953,30 +178953,6 @@ When using rsyslogd to off-load logs the remote system mu configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. CCE-86339-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2> /dev/null - -if [ -e "/etc/rsyslog.d/stream_driver_auth.conf" ] ; then - - LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode /Id" "/etc/rsyslog.d/stream_driver_auth.conf" -else - touch "/etc/rsyslog.d/stream_driver_auth.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/rsyslog.d/stream_driver_auth.conf" - -cp "/etc/rsyslog.d/stream_driver_auth.conf" "/etc/rsyslog.d/stream_driver_auth.conf.bak" -# Insert at the end of the file -printf '%s\n' "\$ActionSendStreamDriverAuthMode x509/name" >> "/etc/rsyslog.d/stream_driver_auth.conf" -# Clean up after ourselves. -rm "/etc/rsyslog.d/stream_driver_auth.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Rsyslog Authenticates Off-Loaded Audit Records block: 
@@ -179028,6 +179004,30 @@ fi - medium_severity - no_reboot_needed - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2> /dev/null + +if [ -e "/etc/rsyslog.d/stream_driver_auth.conf" ] ; then + + LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode /Id" "/etc/rsyslog.d/stream_driver_auth.conf" +else + touch "/etc/rsyslog.d/stream_driver_auth.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/rsyslog.d/stream_driver_auth.conf" + +cp "/etc/rsyslog.d/stream_driver_auth.conf" "/etc/rsyslog.d/stream_driver_auth.conf.bak" +# Insert at the end of the file +printf '%s\n' "\$ActionSendStreamDriverAuthMode x509/name" >> "/etc/rsyslog.d/stream_driver_auth.conf" +# Clean up after ourselves. +rm "/etc/rsyslog.d/stream_driver_auth.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -179055,28 +179055,6 @@ When using rsyslogd to off-load logs off a encrpytion sys configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. CCE-86098-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then - - LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode /Id" "/etc/rsyslog.d/encrypt.conf" -else - touch "/etc/rsyslog.d/encrypt.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" - -cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" -# Insert at the end of the file -printf '%s\n' "\$ActionSendStreamDriverMode 1" >> "/etc/rsyslog.d/encrypt.conf" -# Clean up after ourselves. -rm "/etc/rsyslog.d/encrypt.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records block: @@ -179128,6 +179106,28 @@ fi - medium_severity - no_reboot_needed - rsyslog_encrypt_offload_actionsendstreamdrivermode + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then + + LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode /Id" "/etc/rsyslog.d/encrypt.conf" +else + touch "/etc/rsyslog.d/encrypt.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" + +cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" +# Insert at the end of the file +printf '%s\n' "\$ActionSendStreamDriverMode 1" >> "/etc/rsyslog.d/encrypt.conf" +# Clean up after ourselves. +rm "/etc/rsyslog.d/encrypt.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -179155,28 +179155,6 @@ When using rsyslogd to off-load logs off an encryption sy configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. CCE-85992-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then - - LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf" -else - touch "/etc/rsyslog.d/encrypt.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" - -cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" -# Insert at the end of the file -printf '%s\n' "\$DefaultNetstreamDriver gtls" >> "/etc/rsyslog.d/encrypt.conf" -# Clean up after ourselves. -rm "/etc/rsyslog.d/encrypt.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records block: @@ -179228,6 +179206,28 @@ fi - medium_severity - no_reboot_needed - rsyslog_encrypt_offload_defaultnetstreamdriver + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then + + LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf" +else + touch "/etc/rsyslog.d/encrypt.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf" + +cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak" +# Insert at the end of the file +printf '%s\n' "\$DefaultNetstreamDriver gtls" >> "/etc/rsyslog.d/encrypt.conf" +# Clean up after ourselves. +rm "/etc/rsyslog.d/encrypt.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -179312,109 +179312,6 @@ correct this: configuration, user authentication, and other such information. Log files should be protected from unauthorized access. CCE-80860-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# List of log file paths to be inspected for correct permissions -# * Primarily inspect log file paths listed in /etc/rsyslog.conf -RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" -# * And also the log file paths listed after rsyslog's $IncludeConfig directive -# (store the result into array for the case there's shell glob used as value of IncludeConfig) -readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) -readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) -readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) -readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) - -# Declare an array to hold the final list of different log file paths -declare -a LOG_FILE_PATHS - -# Array to hold all rsyslog config entries -RSYSLOG_CONFIGS=() -RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") - -# Get full list of files to be checked -# RSYSLOG_CONFIGS may contain globs such as -# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule -# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. -RSYSLOG_CONFIG_FILES=() -for ENTRY in "${RSYSLOG_CONFIGS[@]}" -do - # If directory, rsyslog will search for config files in recursively. - # However, files in hidden sub-directories or hidden files will be ignored. 
- if [ -d "${ENTRY}" ] - then - readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) - RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") - elif [ -f "${ENTRY}" ] - then - RSYSLOG_CONFIG_FILES+=("${ENTRY}") - else - echo "Invalid include object: ${ENTRY}" - fi -done - -# Browse each file selected above as containing paths of log files -# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) -for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" -do - # From each of these files extract just particular log file path(s), thus: - # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, - # * Ignore empty lines, - # * Strip quotes and closing brackets from paths. - # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files - # * From the remaining valid rows select only fields constituting a log file path - # Text file column is understood to represent a log file path if and only if all of the - # following are met: - # * it contains at least one slash '/' character, - # * it is preceded by space - # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters - # Search log file for path(s) only in case it exists! 
- if [[ -f "${LOG_FILE}" ]] - then - NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") - LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") - FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") - CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") - MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") - # Since above sed command might return more than one item (delimited by newline), split - # the particular matches entries into new array specific for this log file - readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" - # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with - # items from newly created array for this log file - LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") - # Delete the temporary array - unset ARRAY_FOR_LOG_FILE - fi -done - -# Check for RainerScript action log format which might be also multiline so grep regex is a bit -# curly: -# extract possibly multiline action omfile expressions -# extract File="logfile" expression -# match only "logfile" expression -for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" -do - ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") - OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") - LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") -done - -# Ensure the correct attribute if file exists -FILE_CMD="chgrp" -for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" -do - # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing - if [ -z "$LOG_FILE_PATH" ] - then - continue - fi - $FILE_CMD "root" "$LOG_FILE_PATH" -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile 
configuration facts ansible.builtin.set_fact: @@ -179611,97 +179508,7 @@ fi - no_reboot_needed - rsyslog_files_groupownership - - - - - - - - - Ensure Log Files Are Owned By Appropriate User - The owner of all log files written by -rsyslog should be - -root. - -These log files are determined by the second part of each Rule line in -/etc/rsyslog.conf and typically all appear in /var/log. -For each log file LOGFILE referenced in /etc/rsyslog.conf, -run the following command to inspect the file's owner: -$ ls -l LOGFILE -If the owner is not - -root, - -run the following command to -correct this: - -$ sudo chown root LOGFILE - BP28(R46) - BP28(R5) - 12 - 13 - 14 - 15 - 16 - 18 - 3 - 5 - APO01.06 - DSS05.04 - DSS05.07 - DSS06.02 - CCI-001314 - 4.3.3.7.3 - SR 2.1 - SR 5.2 - 0988 - 1405 - A.10.1.1 - A.11.1.4 - A.11.1.5 - A.11.2.1 - A.13.1.1 - A.13.1.3 - A.13.2.1 - A.13.2.3 - A.13.2.4 - A.14.1.2 - A.14.1.3 - A.6.1.2 - A.7.1.1 - A.7.1.2 - A.7.3.1 - A.8.2.2 - A.8.2.3 - A.9.1.1 - A.9.1.2 - A.9.2.3 - A.9.4.1 - A.9.4.4 - A.9.4.5 - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-6(a) - AC-6(1) - PR.AC-4 - PR.DS-5 - Req-10.5.1 - Req-10.5.2 - 10.3.2 - The log files generated by rsyslog contain valuable information regarding system -configuration, user authentication, and other such information. Log files should be -protected from unauthorized access. - CCE-80861-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then # List of log file paths to be inspected for correct permissions @@ -179789,7 +179596,7 @@ do done # Ensure the correct attribute if file exists -FILE_CMD="chown" +FILE_CMD="chgrp" for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" do # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing 
@@ -179804,6 +179611,96 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure Log Files Are Owned By Appropriate User + The owner of all log files written by +rsyslog should be + +root. + +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +For each log file LOGFILE referenced in /etc/rsyslog.conf, +run the following command to inspect the file's owner: +$ ls -l LOGFILE +If the owner is not + +root, + +run the following command to +correct this: + +$ sudo chown root LOGFILE + BP28(R46) + BP28(R5) + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + CCI-001314 + 4.3.3.7.3 + SR 2.1 + SR 5.2 + 0988 + 1405 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-10.5.1 + Req-10.5.2 + 10.3.2 + The log files generated by rsyslog contain valuable information regarding system +configuration, user authentication, and other such information. Log files should be +protected from unauthorized access. + CCE-80861-8 - name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts ansible.builtin.set_fact: 
@@ -180000,49 +179897,7 @@ fi - no_reboot_needed - rsyslog_files_ownership - - - - - - - - - Ensure System Log Files Have Correct Permissions - The file permissions for all log files written by rsyslog should -be set to 640, or more restrictive. These log files are determined by the -second part of each Rule line in /etc/rsyslog.conf and typically -all appear in /var/log. For each log file LOGFILE -referenced in /etc/rsyslog.conf, run the following command to -inspect the file's permissions: -$ ls -l LOGFILE -If the permissions are not 640 or more restrictive, run the following -command to correct this: -$ sudo chmod 640 LOGFILE" - BP28(R36) - CCI-001314 - 0988 - 1405 - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-6(a) - AC-6(1) - Req-10.5.1 - Req-10.5.2 - 10.3.1 - 4.2.3 - Log files can contain valuable information regarding system -configuration. If the system log files are not protected unauthorized -users could change the logged data, eliminating their forensic value. - CCE-80862-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then # List of log file paths to be inspected for correct permissions @@ -180130,7 +179985,7 @@ do done # Ensure the correct attribute if file exists -FILE_CMD="chmod" +FILE_CMD="chown" for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" do # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing 
@@ -180138,13 +179993,55 @@ do then continue fi - $FILE_CMD "0640" "$LOG_FILE_PATH" + $FILE_CMD "root" "$LOG_FILE_PATH" done else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure System Log Files Have Correct Permissions + The file permissions for all log files written by rsyslog should +be set to 640, or more restrictive. These log files are determined by the +second part of each Rule line in /etc/rsyslog.conf and typically +all appear in /var/log. For each log file LOGFILE +referenced in /etc/rsyslog.conf, run the following command to +inspect the file's permissions: +$ ls -l LOGFILE +If the permissions are not 640 or more restrictive, run the following +command to correct this: +$ sudo chmod 640 LOGFILE" + BP28(R36) + CCI-001314 + 0988 + 1405 + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-6(a) + AC-6(1) + Req-10.5.1 + Req-10.5.2 + 10.3.1 + 4.2.3 + Log files can contain valuable information regarding system +configuration. If the system log files are not protected unauthorized +users could change the logged data, eliminating their forensic value. + CCE-80862-6 - name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts ansible.builtin.set_fact: 
@@ -180340,6 +180237,109 @@ fi - medium_severity - no_reboot_needed - rsyslog_files_permissions + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# List of log file paths to be inspected for correct permissions +# * Primarily inspect log file paths listed in /etc/rsyslog.conf +RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" +# * And also the log file paths listed after rsyslog's $IncludeConfig directive +# (store the result into array for the case there's shell glob used as value of IncludeConfig) +readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) +readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) +readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) + +# Declare an array to hold the final list of different log file paths +declare -a LOG_FILE_PATHS + +# Array to hold all rsyslog config entries +RSYSLOG_CONFIGS=() +RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + +# Get full list of files to be checked +# RSYSLOG_CONFIGS may contain globs such as +# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule +# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. +RSYSLOG_CONFIG_FILES=() +for ENTRY in "${RSYSLOG_CONFIGS[@]}" +do + # If directory, rsyslog will search for config files in recursively. + # However, files in hidden sub-directories or hidden files will be ignored. 
+ if [ -d "${ENTRY}" ] + then + readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) + RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") + elif [ -f "${ENTRY}" ] + then + RSYSLOG_CONFIG_FILES+=("${ENTRY}") + else + echo "Invalid include object: ${ENTRY}" + fi +done + +# Browse each file selected above as containing paths of log files +# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) +for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" +do + # From each of these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + # * Ignore empty lines, + # * Strip quotes and closing brackets from paths. + # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files + # * From the remaining valid rows select only fields constituting a log file path + # Text file column is understood to represent a log file path if and only if all of the + # following are met: + # * it contains at least one slash '/' character, + # * it is preceded by space + # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters + # Search log file for path(s) only in case it exists! 
+ if [[ -f "${LOG_FILE}" ]] + then + NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") + LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") + FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") + CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") + MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") + # Since above sed command might return more than one item (delimited by newline), split + # the particular matches entries into new array specific for this log file + readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" + # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with + # items from newly created array for this log file + LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") + # Delete the temporary array + unset ARRAY_FOR_LOG_FILE + fi +done + +# Check for RainerScript action log format which might be also multiline so grep regex is a bit +# curly: +# extract possibly multiline action omfile expressions +# extract File="logfile" expression +# match only "logfile" expression +for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" +do + ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") + OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") + LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") +done + +# Ensure the correct attribute if file exists +FILE_CMD="chmod" +for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" +do + # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing + if [ -z "$LOG_FILE_PATH" ] + then + continue + fi + $FILE_CMD "0640" "$LOG_FILE_PATH" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -180389,37 +180389,6 @@ associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. CCE-83426-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' ) - -if [[ ! -f /etc/rsyslog.conf ]]; then - # Something is not right, create the file - touch /etc/rsyslog.conf -fi - -APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf) - -# Loop through the remote methods associative array -for K in "${!REMOTE_METHODS[@]}" -do - # Check to see if selector/value exists - if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then - # Make sure we have a line to insert after, otherwise append to end - if [[ ! -z ${APPEND_LINE} ]]; then - # Add selector to file - sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf - else - echo "${K} /var/log/secure" >> /etc/rsyslog.conf - fi - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Ensure remote access methods are monitored in Rsyslog: Set facts' set_fact: conf_files: 
@@ -180539,6 +180508,37 @@ fi - medium_severity - no_reboot_needed - rsyslog_remote_access_monitoring + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' ) + +if [[ ! -f /etc/rsyslog.conf ]]; then + # Something is not right, create the file + touch /etc/rsyslog.conf +fi + +APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf) + +# Loop through the remote methods associative array +for K in "${!REMOTE_METHODS[@]}" +do + # Check to see if selector/value exists + if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then + # Make sure we have a line to insert after, otherwise append to end + if [[ ! -z ${APPEND_LINE} ]]; then + # Add selector to file + sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf + else + echo "${K} /var/log/secure" >> /etc/rsyslog.conf + fi + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -180566,21 +180566,13 @@ from remote hosts, thus enabling centralised log management.Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. + +package --add=systemd-journal-remote + [[packages]] name = "systemd-journal-remote" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "systemd-journal-remote" ; then - yum install -y "systemd-journal-remote" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_systemd-journal-remote 
@@ -180603,8 +180595,16 @@ class install_systemd-journal-remote { - no_reboot_needed - package_systemd-journal-remote_installed - -package --add=systemd-journal-remote + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "systemd-journal-remote" ; then + yum install -y "systemd-journal-remote" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -180630,18 +180630,6 @@ The systemd-journald service can be enabled with the foll [customizations.services] enabled = ["systemd-journald"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'systemd-journald.service' -"$SYSTEMCTL_EXEC" start 'systemd-journald.service' -"$SYSTEMCTL_EXEC" enable 'systemd-journald.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_systemd-journald @@ -180677,6 +180665,18 @@ class enable_systemd-journald { - medium_severity - no_reboot_needed - service_systemd-journald_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'systemd-journald.service' +"$SYSTEMCTL_EXEC" start 'systemd-journald.service' +"$SYSTEMCTL_EXEC" enable 'systemd-journald.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -180691,37 +180691,6 @@ class enable_systemd-journald { 4.2.2.3 Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full. CCE-85930-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/systemd/journald.conf" ] ; then - - LC_ALL=C sed -i "/^\s*Compress\s*=\s*/d" "/etc/systemd/journald.conf" -else - touch "/etc/systemd/journald.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/systemd/journald.conf" - -cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" -# Insert before the line matching the regex '^#\s*Compress'. -line_number="$(LC_ALL=C grep -n "^#\s*Compress" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^#\s*Compress', insert at - # the end of the file. - printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" -else - head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" - printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" - tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" -fi -# Clean up after ourselves. -rm "/etc/systemd/journald.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Setting unquoted shell-style assignment of 'Compress' to 'yes' in '/etc/systemd/journald.conf' block: 
@@ -180762,26 +180731,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure journald is configured to send logs to rsyslog - Data from journald may be stored in volatile memory or persisted locally. -Utilities exist to accept remote export of journald logs. - 4.2.1.3 - Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. - CCE-85995-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then if [ -e "/etc/systemd/journald.conf" ] ; then - LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf" + LC_ALL=C sed -i "/^\s*Compress\s*=\s*/d" "/etc/systemd/journald.conf" else touch "/etc/systemd/journald.conf" fi 
@@ -180789,15 +180744,15 @@ fi sed -i -e '$a\' "/etc/systemd/journald.conf" cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" -# Insert before the line matching the regex '^#\s*ForwardToSyslog'. -line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" +# Insert before the line matching the regex '^#\s*Compress'. +line_number="$(LC_ALL=C grep -n "^#\s*Compress" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then - # There was no match of '^#\s*ForwardToSyslog', insert at + # There was no match of '^#\s*Compress', insert at # the end of the file. - printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" + printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" - printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" + printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi # Clean up after ourselves. @@ -180807,6 +180762,20 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure journald is configured to send logs to rsyslog + Data from journald may be stored in volatile memory or persisted locally. +Utilities exist to accept remote export of journald logs. + 4.2.1.3 + Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. + CCE-85995-9 - name: Setting unquoted shell-style assignment of 'ForwardToSyslog' to 'yes' in '/etc/systemd/journald.conf' block: 
@@ -180847,26 +180816,12 @@ fi - no_reboot_needed - restrict_strategy - - - - - - - - - Ensure journald is configured to write log files to persistent disk - The journald system may store log files in volatile memory or locally on disk. -If the logs are only stored in volatile memory they will we lost upon reboot. - 4.2.2.4 - Log files contain valuable data and need to be persistent to aid in possible investigations. - CCE-86045-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then if [ -e "/etc/systemd/journald.conf" ] ; then - LC_ALL=C sed -i "/^\s*Storage\s*=\s*/d" "/etc/systemd/journald.conf" + LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf" else touch "/etc/systemd/journald.conf" fi 
@@ -180874,15 +180829,15 @@ fi sed -i -e '$a\' "/etc/systemd/journald.conf" cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" -# Insert before the line matching the regex '^#\s*Storage'. -line_number="$(LC_ALL=C grep -n "^#\s*Storage" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" +# Insert before the line matching the regex '^#\s*ForwardToSyslog'. +line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then - # There was no match of '^#\s*Storage', insert at + # There was no match of '^#\s*ForwardToSyslog', insert at # the end of the file. - printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" + printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" - printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" + printf '%s\n' "ForwardToSyslog=yes" >> "/etc/systemd/journald.conf" tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi # Clean up after ourselves. @@ -180892,6 +180847,20 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Ensure journald is configured to write log files to persistent disk + The journald system may store log files in volatile memory or locally on disk. +If the logs are only stored in volatile memory they will we lost upon reboot. + 4.2.2.4 + Log files contain valuable data and need to be persistent to aid in possible investigations. + CCE-86045-2 - name: Setting unquoted shell-style assignment of 'Storage' to 'persistent' in '/etc/systemd/journald.conf' block: 
@@ -180931,6 +180900,37 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/systemd/journald.conf" ] ; then + + LC_ALL=C sed -i "/^\s*Storage\s*=\s*/d" "/etc/systemd/journald.conf" +else + touch "/etc/systemd/journald.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/systemd/journald.conf" + +cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" +# Insert before the line matching the regex '^#\s*Storage'. +line_number="$(LC_ALL=C grep -n "^#\s*Storage" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^#\s*Storage', insert at + # the end of the file. + printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" +else + head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" + printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" + tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" +fi +# Clean up after ourselves. +rm "/etc/systemd/journald.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -180953,21 +180953,6 @@ NOTE: If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary. CCE-87605-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SOCKET_NAME="systemd-journal-remote.socket" -SYSTEMCTL_EXEC='/usr/bin/systemctl' - -if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then - "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" - "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present in the System ansible.builtin.command: @@ -181002,6 +180987,21 @@ fi - medium_severity - no_reboot_needed - socket_systemd-journal-remote_disabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SOCKET_NAME="systemd-journal-remote.socket" +SYSTEMCTL_EXEC='/usr/bin/systemctl' + +if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then + "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" + "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -181076,21 +181076,13 @@ used. 4.3 The logrotate package provides the logrotate services. CCE-86154-2 + +package --add=logrotate + [[packages]] name = "logrotate" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "logrotate" ; then - yum install -y "logrotate" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_logrotate 
@@ -181117,8 +181109,16 @@ class install_logrotate { - no_reboot_needed - package_logrotate_installed - -package --add=logrotate + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "logrotate" ; then + yum install -y "logrotate" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181175,30 +181175,20 @@ that they fill up the /var/log partition. Valuable logging information could be if the /var/log partition becomes full. CCE-80794-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q logrotate; }; then - -LOGROTATE_CONF_FILE="/etc/logrotate.conf" - -CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" - - -# daily rotation is configured -grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE - -# remove any line configuring weekly, monthly or yearly rotation -sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE - - -# configure cron.daily if not already -if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then - echo '#!/bin/sh' > $CRON_DAILY_LOGROTATE_FILE - echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. }} + mode: 0644 + path: /etc/logrotate.conf + overwrite: true - name: Gather the package facts package_facts: 
@@ -181283,20 +181273,30 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. }} - mode: 0644 - path: /etc/logrotate.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q logrotate; }; then + +LOGROTATE_CONF_FILE="/etc/logrotate.conf" + +CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" + + +# daily rotation is configured +grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE + +# remove any line configuring weekly, monthly or yearly rotation +sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE + + +# configure cron.daily if not already +if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then + echo '#!/bin/sh' > $CRON_DAILY_LOGROTATE_FILE + echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181351,17 +181351,6 @@ that they fill up the /var/log partition. Valuable logging information could be if the /var/log partition becomes full. CCE-86157-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && rpm --quiet -q logrotate ); }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" start 'logrotate.timer' -"$SYSTEMCTL_EXEC" enable 'logrotate.timer' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -181406,6 +181395,17 @@ fi - medium_severity - no_reboot_needed - timer_logrotate_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && rpm --quiet -q logrotate ); }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" start 'logrotate.timer' +"$SYSTEMCTL_EXEC" enable 'logrotate.timer' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181466,21 +181466,13 @@ $ sudo yum install syslog-ng-core PR.PT-1 The syslog-ng-core package provides the syslog-ng daemon, which provides system logging services. + +package --add=syslog-ng + [[packages]] name = "syslog-ng" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "syslog-ng" ; then - yum install -y "syslog-ng" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_syslog-ng @@ -181504,8 +181496,16 @@ class install_syslog-ng { - no_reboot_needed - package_syslogng_installed - -package --add=syslog-ng + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "syslog-ng" ; then + yum install -y "syslog-ng" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -181598,18 +181598,6 @@ logging services, which are essential to system administration. [customizations.services] enabled = ["syslog-ng"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'syslog-ng.service' -"$SYSTEMCTL_EXEC" start 'syslog-ng.service' -"$SYSTEMCTL_EXEC" enable 'syslog-ng.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_syslog-ng @@ -181645,6 +181633,18 @@ class enable_syslog-ng { - medium_severity - no_reboot_needed - service_syslogng_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'syslog-ng.service' +"$SYSTEMCTL_EXEC" start 'syslog-ng.service' +"$SYSTEMCTL_EXEC" enable 'syslog-ng.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -181888,38 +181888,6 @@ input(type="imudp" port="514") messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. CCE-84275-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))' -rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$' - -readarray -t legacy_targets < <(grep -l -E -r "${legacy_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) -readarray -t rainer_targets < <(grep -l -E -r "${rainer_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) - -config_changed=false -if [ ${#legacy_targets[@]} -gt 0 ]; then - for target in "${legacy_targets[@]}"; do - sed -E -i "/$legacy_regex/ s/^/# /" "$target" - done - config_changed=true -fi - -if [ ${#rainer_targets[@]} -gt 0 ]; then - for target in "${rainer_targets[@]}"; do - sed -E -i "/$rainer_regex/ s/^/# /" "$target" - done - config_changed=true -fi - -if $config_changed; then - systemctl restart rsyslog.service -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server - Define Rsyslog Config Lines Regex in Legacy Syntax ansible.builtin.set_fact: 
@@ -182137,6 +182105,38 @@ fi - medium_severity - no_reboot_needed - rsyslog_nolisten + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))' +rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$' + +readarray -t legacy_targets < <(grep -l -E -r "${legacy_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) +readarray -t rainer_targets < <(grep -l -E -r "${rainer_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) + +config_changed=false +if [ ${#legacy_targets[@]} -gt 0 ]; then + for target in "${legacy_targets[@]}"; do + sed -E -i "/$legacy_regex/ s/^/# /" "$target" + done + config_changed=true +fi + +if [ ${#rainer_targets[@]} -gt 0 ]; then + for target in "${rainer_targets[@]}"; do + sed -E -i "/$rainer_regex/ s/^/# /" "$target" + done + config_changed=true +fi + +if $config_changed; then + systemctl restart rsyslog.service +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -182284,6 +182284,32 @@ system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. CCE-80863-4 + - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable + set_fact: + rsyslog_remote_loghost_address: !!str + tags: + - always + +- name: Set rsyslog remote loghost + lineinfile: + dest: /etc/rsyslog.conf + regexp: ^\*\.\* + line: '*.* @@{{ rsyslog_remote_loghost_address }}' + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80863-4 + - DISA-STIG-RHEL-08-030690 + - NIST-800-53-AU-4(1) + - NIST-800-53-AU-9(2) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - rsyslog_remote_loghost + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -182315,32 +182341,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable - set_fact: - rsyslog_remote_loghost_address: !!str - tags: - - always - -- name: Set rsyslog remote loghost - lineinfile: - dest: /etc/rsyslog.conf - regexp: ^\*\.\* - line: '*.* @@{{ rsyslog_remote_loghost_address }}' - create: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80863-4 - - DISA-STIG-RHEL-08-030690 - - NIST-800-53-AU-4(1) - - NIST-800-53-AU-9(2) - - NIST-800-53-CM-6(a) - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - rsyslog_remote_loghost 
@@ -182373,36 +182373,6 @@ Replace the <remote system> in the above command wi For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted. CCE-82457-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -rsyslog_remote_loghost_address='' - -params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") -values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on") -params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") -values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on") - -files_containing_omfwd=("$(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)") -if [ -n "${files_containing_omfwd[*]}" ]; then - for file in "${files_containing_omfwd[@]}"; do - for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do - sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file" - done - for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do - if ! 
grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then - sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file" - fi - done - done -else - echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")" >> /etc/rsyslog.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable set_fact: rsyslog_remote_loghost_address: !!str 
@@ -182609,6 +182579,36 @@ fi - medium_severity - no_reboot_needed - rsyslog_remote_tls + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +rsyslog_remote_loghost_address='' + +params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") +values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on") +params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose") +values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on") + +files_containing_omfwd=("$(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)") +if [ -n "${files_containing_omfwd[*]}" ]; then + for file in "${files_containing_omfwd[@]}"; do + for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do + sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file" + done + for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do + if ! grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then + sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file" + fi + done + done +else + echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")" >> /etc/rsyslog.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -182876,15 +182876,6 @@ untrusted access, prevent system availability, and/or can lead to a compromise o attack. CCE-82179-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q polkit; then - -printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -182933,6 +182924,15 @@ fi - network_nmcli_permissions - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q polkit; then + +printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183056,17 +183056,6 @@ tools must be documented with the Information Systems Security Manager (ISSM) an to only authorized personnel. CCE-82283-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do - ip link set dev $interface multicast off promisc off -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure System is Not Acting as a Network Sniffer - Gather network interfaces ansible.builtin.command: cmd: ip link show 
@@ -183110,6 +183099,17 @@ fi - network_sniffer_disabled - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do + ip link set dev $interface multicast off promisc off +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183150,37 +183150,6 @@ the firewall has to be reloaded. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. CCE-86506-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then - -if [ -e "/etc/firewalld/firewalld.conf" ] ; then - - LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf" -else - touch "/etc/firewalld/firewalld.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/firewalld/firewalld.conf" - -cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak" -# Insert before the line matching the regex '^#\s*FirewallBackend'. -line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^#\s*FirewallBackend', insert at - # the end of the file. - printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" -else - head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf" - printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" - tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf" -fi -# Clean up after ourselves. -rm "/etc/firewalld/firewalld.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -183239,6 +183208,37 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then + +if [ -e "/etc/firewalld/firewalld.conf" ] ; then + + LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf" +else + touch "/etc/firewalld/firewalld.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/firewalld/firewalld.conf" + +cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak" +# Insert before the line matching the regex '^#\s*FirewallBackend'. +line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^#\s*FirewallBackend', insert at + # the end of the file. + printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" +else + head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf" + printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" + tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf" +fi +# Clean up after ourselves. +rm "/etc/firewalld/firewalld.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -183350,21 +183350,13 @@ Remote access is access to DoD nonpublic information systems by an authorized us Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." CCE-82998-6 + +package --add=firewalld + [[packages]] name = "firewalld" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "firewalld" ; then - yum install -y "firewalld" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_firewalld @@ -183390,8 +183382,16 @@ class install_firewalld { - no_reboot_needed - package_firewalld_installed - -package --add=firewalld + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "firewalld" ; then + yum install -y "firewalld" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183453,18 +183453,6 @@ prevents connections from unknown hosts and protocols. [customizations.services] enabled = ["firewalld"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'firewalld.service' -"$SYSTEMCTL_EXEC" start 'firewalld.service' -"$SYSTEMCTL_EXEC" enable 'firewalld.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_firewalld 
@@ -183531,6 +183519,18 @@ class enable_firewalld { - medium_severity - no_reboot_needed - service_firewalld_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'firewalld.service' +"$SYSTEMCTL_EXEC" start 'firewalld.service' +"$SYSTEMCTL_EXEC" enable 'firewalld.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -183872,15 +183872,13 @@ $ sudo yum install libreswan to initiate a secure VPN connection protects information when it is transmitted over a wide area network. CCE-80845-1 + +package --add=libreswan + [[packages]] name = "libreswan" version = "*" - - -if ! rpm -q --quiet "libreswan" ; then - yum install -y "libreswan" -fi include install_libreswan @@ -183905,8 +183903,10 @@ class install_libreswan { - no_reboot_needed - package_libreswan_installed - -package --add=libreswan + +if ! rpm -q --quiet "libreswan" ; then + yum install -y "libreswan" +fi @@ -184043,21 +184043,13 @@ These services load the iptables rules during the system startup and also allow the iptables rules during runtime. CCE-85982-7 + +package --add=iptables-services + [[packages]] name = "iptables-services" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q iptables; then - -if ! rpm -q --quiet "iptables-services" ; then - yum install -y "iptables-services" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_iptables-services 
@@ -184095,8 +184087,16 @@ class install_iptables-services { - no_reboot_needed - package_iptables-services_installed - -package --add=iptables-services + # Remediation is applicable only in certain platforms +if rpm --quiet -q iptables; then + +if ! rpm -q --quiet "iptables-services" ; then + yum install -y "iptables-services" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -184119,21 +184119,13 @@ code. iptables allows system operators to set up firewall masquerading, etc. CCE-82982-0 + +package --add=iptables + [[packages]] name = "iptables" version = "*" - - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] ); then - -if ! rpm -q --quiet "iptables" ; then - yum install -y "iptables" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_iptables @@ -184160,8 +184152,16 @@ class install_iptables { - no_reboot_needed - package_iptables_installed - -package --add=iptables + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] ); then + +if ! rpm -q --quiet "iptables" ; then + yum install -y "iptables" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -184184,24 +184184,8 @@ during runtime. Those iptables services conflicts with firewalld so they should firewalld is used. CCE-86679-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q iptables; then - -# CAUTION: This remediation script will remove iptables-services -# from the system, and may remove any packages -# that depend on iptables-services. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "iptables-services" ; then - - yum remove -y "iptables-services" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=iptables-services include remove_iptables-services 
@@ -184237,8 +184221,24 @@ class remove_iptables-services { - no_reboot_needed - package_iptables-services_removed - -package --remove=iptables-services + # Remediation is applicable only in certain platforms +if rpm --quiet -q iptables; then + +# CAUTION: This remediation script will remove iptables-services +# from the system, and may remove any packages +# that depend on iptables-services. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "iptables-services" ; then + + yum remove -y "iptables-services" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -184417,18 +184417,6 @@ capability for IPv6 and ICMPv6. [customizations.services] enabled = ["ip6tables"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'ip6tables.service' -"$SYSTEMCTL_EXEC" start 'ip6tables.service' -"$SYSTEMCTL_EXEC" enable 'ip6tables.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_ip6tables @@ -184468,6 +184456,18 @@ class enable_ip6tables { - medium_severity - no_reboot_needed - service_ip6tables_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ip6tables.service' +"$SYSTEMCTL_EXEC" start 'ip6tables.service' +"$SYSTEMCTL_EXEC" enable 'ip6tables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -184619,18 +184619,6 @@ capability for IPv4 and ICMP. [customizations.services] enabled = ["iptables"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'iptables.service' -"$SYSTEMCTL_EXEC" start 'iptables.service' -"$SYSTEMCTL_EXEC" enable 'iptables.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_iptables @@ -184670,6 +184658,18 @@ class enable_iptables { - medium_severity - no_reboot_needed - service_iptables_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'iptables.service' +"$SYSTEMCTL_EXEC" start 'iptables.service' +"$SYSTEMCTL_EXEC" enable 'iptables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -185138,15 +185138,6 @@ the vulnerability to exploitation. CCE-82887-1 [customizations.kernel] append = "ipv6.disable=1" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q grub2-common; then - -grubby --update-kernel=ALL --args=ipv6.disable=1 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -185175,6 +185166,15 @@ fi - medium_complexity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common; then + +grubby --update-kernel=ALL --args=ipv6.disable=1 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -185264,39 +185264,6 @@ depend on it), while disabling support for the IPv6 protocol. CCE-82872-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack -echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf - -# Since according to: https://access.redhat.com/solutions/72733 -# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from -# loading, instruct also sysctl configuration to disable IPv6 according to: -# https://access.redhat.com/solutions/8709#rhel6disable - -declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") - -for setting in "${IPV6_SETTINGS[@]}" -do - # Set runtime =1 for setting - /sbin/sysctl -q -n -w "$setting=1" - - # If setting is present in /etc/sysctl.conf, change value to "1" - # else, add "$setting = 1" to /etc/sysctl.conf - if grep -q ^"$setting" /etc/sysctl.conf ; then - sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf - else - echo "" >> /etc/sysctl.conf - echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf - echo "$setting = 1" >> /etc/sysctl.conf - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable IPv6 Networking kernel module lineinfile: create: true 
@@ -185337,6 +185304,39 @@ fi - medium_disruption - medium_severity - reboot_required + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack +echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf + +# Since according to: https://access.redhat.com/solutions/72733 +# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from +# loading, instruct also sysctl configuration to disable IPv6 according to: +# https://access.redhat.com/solutions/8709#rhel6disable + +declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") + +for setting in "${IPV6_SETTINGS[@]}" +do + # Set runtime =1 for setting + /sbin/sysctl -q -n -w "$setting=1" + + # If setting is present in /etc/sysctl.conf, change value to "1" + # else, add "$setting = 1" to /etc/sysctl.conf + if grep -q ^"$setting" /etc/sysctl.conf ; then + sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf + else + echo "" >> /etc/sysctl.conf + echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf + echo "$setting = 1" >> /etc/sysctl.conf + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -185525,66 +185525,6 @@ functionality require the IPv6 stack loaded to work. the vulnerability to exploitation. CCE-85904-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.disable_ipv6" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv6.conf.all.disable_ipv6 -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1" - -# -# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1" -# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.disable_ipv6") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-85904-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -185650,6 +185590,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_disable_ipv6 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.disable_ipv6" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv6.conf.all.disable_ipv6 +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1" + +# +# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1" +# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.disable_ipv6") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-85904-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -185739,66 +185739,6 @@ functionality require the IPv6 stack loaded to work. the vulnerability to exploitation. CCE-86004-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.disable_ipv6" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv6.conf.default.disable_ipv6 -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6="1" - -# -# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to "1" -# else, add "net.ipv6.conf.default.disable_ipv6 = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.disable_ipv6") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-86004-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -185864,6 +185804,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_disable_ipv6 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.disable_ipv6" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv6.conf.default.disable_ipv6 +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6="1" + +# +# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to "1" +# else, add "net.ipv6.conf.default.disable_ipv6 = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.disable_ipv6") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-86004-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -186167,67 +186167,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit router advertisement message could result in a man-in-the-middle attack. CCE-81006-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_accept_ra_value='' - - -# -# Set runtime for net.ipv6.conf.all.accept_ra -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value" - -# -# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81006-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.all.accept_ra%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -186302,49 +186255,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_ra - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.all.accept_ra%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf - overwrite: true - - - - - - - - - - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_defrtr = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84272-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra_defrtr" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -186356,37 +186278,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_accept_ra_defrtr_value='' +sysctl_net_ipv6_conf_all_accept_ra_value='' # -# Set runtime for net.ipv6.conf.all.accept_ra_defrtr +# Set runtime for net.ipv6.conf.all.accept_ra # -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_defrtr="$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value" # -# If net.ipv6.conf.all.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra_defrtr = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_defrtr") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84272-4" + cce="CCE-81006-9" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -186395,6 +186317,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_defrtr = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84272-4 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -186454,34 +186392,18 @@ fi - sysctl_net_ipv6_conf_all_accept_ra_defrtr - unknown_severity - - - - - - - - - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_pinfo = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84280-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra_pinfo" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_ra_defrtr" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -186493,37 +186415,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_accept_ra_pinfo_value='' +sysctl_net_ipv6_conf_all_accept_ra_defrtr_value='' # -# Set runtime for net.ipv6.conf.all.accept_ra_pinfo +# Set runtime for net.ipv6.conf.all.accept_ra_defrtr # -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_pinfo="$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_defrtr="$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" # -# If net.ipv6.conf.all.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra_pinfo = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_defrtr = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_pinfo") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_defrtr") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84280-7" + cce="CCE-84272-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -186532,6 +186454,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_pinfo = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84280-7 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -186591,34 +186529,18 @@ fi - sysctl_net_ipv6_conf_all_accept_ra_pinfo - unknown_severity - - - - - - - - - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_rtr_pref = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84288-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_ra_rtr_pref" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_ra_pinfo" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -186630,37 +186552,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value='' +sysctl_net_ipv6_conf_all_accept_ra_pinfo_value='' # -# Set runtime for net.ipv6.conf.all.accept_ra_rtr_pref +# Set runtime for net.ipv6.conf.all.accept_ra_pinfo # -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_pinfo="$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" # -# If net.ipv6.conf.all.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_pinfo = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_rtr_pref") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_pinfo") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84288-0" + cce="CCE-84280-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -186669,6 +186591,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_rtr_pref = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84288-0 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -186727,6 +186665,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_ra_rtr_pref - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.accept_ra_rtr_pref" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value='' + + +# +# Set runtime for net.ipv6.conf.all.accept_ra_rtr_pref +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" + +# +# If net.ipv6.conf.all.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra_rtr_pref") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84288-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -186820,67 +186820,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit ICMP redirect message could result in a man-in-the-middle attack. CCE-81009-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_accept_redirects_value='' - - -# -# Set runtime for net.ipv6.conf.all.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value" - -# -# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81009-3" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -186962,20 +186915,67 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_accept_redirects_value='' + + +# +# Set runtime for net.ipv6.conf.all.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value" + +# +# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81009-3" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -187073,67 +187073,20 @@ Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81013-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_accept_source_route_value='' - - -# -# Set runtime for net.ipv6.conf.all.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value" - -# -# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81013-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -187209,49 +187162,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf - overwrite: true - - - - - - - - - - - Configure Auto Configuration on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.autoconf=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.autoconf = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84266-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.autoconf.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.autoconf" matches to preserve user data + # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -187263,37 +187185,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_autoconf_value='' +sysctl_net_ipv6_conf_all_accept_source_route_value='' # -# Set runtime for net.ipv6.conf.all.autoconf +# Set runtime for net.ipv6.conf.all.accept_source_route # -/sbin/sysctl -q -n -w net.ipv6.conf.all.autoconf="$sysctl_net_ipv6_conf_all_autoconf_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value" # -# If net.ipv6.conf.all.autoconf present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.autoconf = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.autoconf") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_autoconf_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.autoconf\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84266-6" + cce="CCE-81013-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -187302,6 +187224,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.autoconf=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.autoconf = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84266-6 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187359,6 +187297,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_autoconf - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.autoconf.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.autoconf" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_autoconf_value='' + + +# +# Set runtime for net.ipv6.conf.all.autoconf +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.autoconf="$sysctl_net_ipv6_conf_all_autoconf_value" + +# +# If net.ipv6.conf.all.autoconf present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.autoconf = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.autoconf") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_autoconf_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.autoconf\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84266-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -187471,68 +187471,6 @@ interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. CCE-82863-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_all_forwarding_value='' - - -# -# Set runtime for net.ipv6.conf.all.forwarding -# -/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value" - -# -# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-82863-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187609,34 +187547,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_forwarding - - - - - - - - - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.max_addresses = 1 - BP28(R22) - The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. - - CCE-84259-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.max_addresses.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.max_addresses" matches to preserve user data + # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -187648,37 +187570,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_max_addresses_value='' +sysctl_net_ipv6_conf_all_forwarding_value='' # -# Set runtime for net.ipv6.conf.all.max_addresses +# Set runtime for net.ipv6.conf.all.forwarding # -/sbin/sysctl -q -n -w net.ipv6.conf.all.max_addresses="$sysctl_net_ipv6_conf_all_max_addresses_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value" # -# If net.ipv6.conf.all.max_addresses present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.max_addresses = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.max_addresses") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_max_addresses_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.max_addresses\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84259-1" + cce="CCE-82863-2" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -187687,6 +187609,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.max_addresses = 1 + BP28(R22) + The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. + + CCE-84259-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187746,34 +187684,18 @@ fi - sysctl_net_ipv6_conf_all_max_addresses - unknown_severity - - - - - - - - - - Configure Denying Router Solicitations on All IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.router_solicitations = 0 - BP28(R22) - To prevent discovery of the system by other systems, router solicitation requests should be denied. - - CCE-84109-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.router_solicitations.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.max_addresses.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.all.router_solicitations" matches to preserve user data + # comment out "net.ipv6.conf.all.max_addresses" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -187785,37 +187707,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_all_router_solicitations_value='' +sysctl_net_ipv6_conf_all_max_addresses_value='' # -# Set runtime for net.ipv6.conf.all.router_solicitations +# Set runtime for net.ipv6.conf.all.max_addresses # -/sbin/sysctl -q -n -w net.ipv6.conf.all.router_solicitations="$sysctl_net_ipv6_conf_all_router_solicitations_value" +/sbin/sysctl -q -n -w net.ipv6.conf.all.max_addresses="$sysctl_net_ipv6_conf_all_max_addresses_value" # -# If net.ipv6.conf.all.router_solicitations present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.all.router_solicitations = value" to /etc/sysctl.conf +# If net.ipv6.conf.all.max_addresses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.max_addresses = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.router_solicitations") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.max_addresses") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_router_solicitations_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_max_addresses_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.router_solicitations\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.max_addresses\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84109-8" + cce="CCE-84259-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -187824,6 +187746,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.router_solicitations = 0 + BP28(R22) + To prevent discovery of the system by other systems, router solicitation requests should be denied. + + CCE-84109-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -187882,6 +187820,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_all_router_solicitations - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.router_solicitations.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.all.router_solicitations" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_all_router_solicitations_value='' + + +# +# Set runtime for net.ipv6.conf.all.router_solicitations +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.router_solicitations="$sysctl_net_ipv6_conf_all_router_solicitations_value" + +# +# If net.ipv6.conf.all.router_solicitations present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.router_solicitations = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.router_solicitations") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_router_solicitations_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.router_solicitations\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84109-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -187971,67 +187971,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit router advertisement message could result in a man-in-the-middle attack. CCE-81007-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_default_accept_ra_value='' - - -# -# Set runtime for net.ipv6.conf.default.accept_ra -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value" - -# -# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81007-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_ra%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -188107,49 +188060,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_accept_ra - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.default.accept_ra%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf - overwrite: true - - - - - - - - - - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_defrtr = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84268-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra_defrtr" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -188161,37 +188083,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_accept_ra_defrtr_value='' +sysctl_net_ipv6_conf_default_accept_ra_value='' # -# Set runtime for net.ipv6.conf.default.accept_ra_defrtr +# Set runtime for net.ipv6.conf.default.accept_ra # -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_defrtr="$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value" # -# If net.ipv6.conf.default.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra_defrtr = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_defrtr") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84268-2" + cce="CCE-81007-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -188200,6 +188122,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_defrtr = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84268-2 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -188259,34 +188197,18 @@ fi - sysctl_net_ipv6_conf_default_accept_ra_defrtr - unknown_severity - - - - - - - - - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_pinfo = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84051-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra_pinfo" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_ra_defrtr" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -188298,37 +188220,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_accept_ra_pinfo_value='' +sysctl_net_ipv6_conf_default_accept_ra_defrtr_value='' # -# Set runtime for net.ipv6.conf.default.accept_ra_pinfo +# Set runtime for net.ipv6.conf.default.accept_ra_defrtr # -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_pinfo="$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_defrtr="$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" # -# If net.ipv6.conf.default.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra_pinfo = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_defrtr = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_pinfo") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_defrtr") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_defrtr\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_defrtr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84051-2" + cce="CCE-84268-2" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -188337,6 +188259,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_pinfo = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84051-2 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -188396,34 +188334,18 @@ fi - sysctl_net_ipv6_conf_default_accept_ra_pinfo - unknown_severity - - - - - - - - - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_rtr_pref = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84291-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_ra_rtr_pref" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_ra_pinfo" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -188435,37 +188357,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value='' +sysctl_net_ipv6_conf_default_accept_ra_pinfo_value='' # -# Set runtime for net.ipv6.conf.default.accept_ra_rtr_pref +# Set runtime for net.ipv6.conf.default.accept_ra_pinfo # -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_pinfo="$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" # -# If net.ipv6.conf.default.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_pinfo = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_rtr_pref") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_pinfo") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_pinfo\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_pinfo\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84291-4" + cce="CCE-84051-2" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -188474,6 +188396,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_rtr_pref = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84291-4 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -188533,32 +188471,94 @@ fi - sysctl_net_ipv6_conf_default_accept_ra_rtr_pref - unknown_severity - - - - - - - - - - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 - BP28(R22) - 11 - 14 - 3 - 9 - BAI10.01 - BAI10.02 - BAI10.03 - BAI10.05 - DSS05.02 - DSS05.05 - DSS06.06 - 3.1.20 - CCI-000366 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$' $f | uniq ) + if ! 
test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.accept_ra_rtr_pref" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value='' + + +# +# Set runtime for net.ipv6.conf.default.accept_ra_rtr_pref +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" + +# +# If net.ipv6.conf.default.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra_rtr_pref") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra_rtr_pref\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra_rtr_pref\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84291-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 + BP28(R22) + 11 + 14 + 3 + 9 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + 3.1.20 + CCI-000366 CCI-001551 4.3.3.5.1 4.3.3.5.2 
@@ -188623,67 +188623,20 @@ To make sure that the setting is persistent, add the following line to a file in An illicit ICMP redirect message could result in a man-in-the-middle attack. CCE-81010-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_default_accept_redirects_value='' - - -# -# Set runtime for net.ipv6.conf.default.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value" - -# -# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81010-1" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -188759,20 +188712,67 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_default_accept_redirects_value='' + + +# +# Set runtime for net.ipv6.conf.default.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value" + +# +# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81010-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -188874,67 +188874,20 @@ Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81015-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv6_conf_default_accept_source_route_value='' - - -# -# Set runtime for net.ipv6.conf.default.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value" - -# -# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81015-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -189022,49 +188975,18 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf - overwrite: true - - - - - - - - - - - Configure Auto Configuration on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.autoconf = 0 - BP28(R22) - An illicit router advertisement message could result in a man-in-the-middle attack. - - CCE-84264-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.autoconf.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.autoconf" matches to preserve user data + # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -189076,37 +188998,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_autoconf_value='' +sysctl_net_ipv6_conf_default_accept_source_route_value='' # -# Set runtime for net.ipv6.conf.default.autoconf +# Set runtime for net.ipv6.conf.default.accept_source_route # -/sbin/sysctl -q -n -w net.ipv6.conf.default.autoconf="$sysctl_net_ipv6_conf_default_autoconf_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value" # -# If net.ipv6.conf.default.autoconf present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.autoconf = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.autoconf") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_autoconf_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.autoconf\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84264-1" + cce="CCE-81015-0" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -189115,6 +189037,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.autoconf = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + CCE-84264-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -189174,34 +189112,18 @@ fi - sysctl_net_ipv6_conf_default_autoconf - unknown_severity - - - - - - - - - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.max_addresses = 1 - BP28(R22) - The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. - - CCE-84257-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.max_addresses.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.autoconf.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.max_addresses" matches to preserve user data + # comment out "net.ipv6.conf.default.autoconf" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -189213,37 +189135,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_max_addresses_value='' +sysctl_net_ipv6_conf_default_autoconf_value='' # -# Set runtime for net.ipv6.conf.default.max_addresses +# Set runtime for net.ipv6.conf.default.autoconf # -/sbin/sysctl -q -n -w net.ipv6.conf.default.max_addresses="$sysctl_net_ipv6_conf_default_max_addresses_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.autoconf="$sysctl_net_ipv6_conf_default_autoconf_value" # -# If net.ipv6.conf.default.max_addresses present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.max_addresses = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.autoconf present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.autoconf = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.max_addresses") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.autoconf") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_max_addresses_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_autoconf_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.max_addresses\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.autoconf\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.autoconf\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84257-5" + cce="CCE-84264-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -189252,6 +189174,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.max_addresses = 1 + BP28(R22) + The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. + + CCE-84257-5 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -189311,34 +189249,18 @@ fi - sysctl_net_ipv6_conf_default_max_addresses - unknown_severity - - - - - - - - - - Configure Denying Router Solicitations on All IPv6 Interfaces By Default - To set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.router_solicitations = 0 - BP28(R22) - To prevent discovery of the system by other systems, router solicitation requests should be denied. - - CCE-83477-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.router_solicitations.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.max_addresses.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv6.conf.default.router_solicitations" matches to preserve user data + # comment out "net.ipv6.conf.default.max_addresses" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -189350,37 +189272,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv6_conf_default_router_solicitations_value='' +sysctl_net_ipv6_conf_default_max_addresses_value='' # -# Set runtime for net.ipv6.conf.default.router_solicitations +# Set runtime for net.ipv6.conf.default.max_addresses # -/sbin/sysctl -q -n -w net.ipv6.conf.default.router_solicitations="$sysctl_net_ipv6_conf_default_router_solicitations_value" +/sbin/sysctl -q -n -w net.ipv6.conf.default.max_addresses="$sysctl_net_ipv6_conf_default_max_addresses_value" # -# If net.ipv6.conf.default.router_solicitations present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv6.conf.default.router_solicitations = value" to /etc/sysctl.conf +# If net.ipv6.conf.default.max_addresses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.max_addresses = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.router_solicitations") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.max_addresses") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_router_solicitations_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_max_addresses_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.router_solicitations\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.max_addresses\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.max_addresses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83477-0" + cce="CCE-84257-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -189389,6 +189311,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.router_solicitations = 0 + BP28(R22) + To prevent discovery of the system by other systems, router solicitation requests should be denied. + + CCE-83477-0 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -189447,6 +189385,68 @@ fi - reboot_required - sysctl_net_ipv6_conf_default_router_solicitations - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.router_solicitations.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv6.conf.default.router_solicitations" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv6_conf_default_router_solicitations_value='' + + +# +# Set runtime for net.ipv6.conf.default.router_solicitations +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.router_solicitations="$sysctl_net_ipv6_conf_default_router_solicitations_value" + +# +# If net.ipv6.conf.default.router_solicitations present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.router_solicitations = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.router_solicitations") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_router_solicitations_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.router_solicitations\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.router_solicitations\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-83477-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -189694,6 +189694,60 @@ received from outside whose source is the 127.0.0.0/8 address block. In combination with suitable routing, this can be used to direct packets between two local interfaces over the wire and have them accepted properly. CCE-88789-3 + - name: List /etc/sysctl.d/*.conf files + find: + paths: + - /etc/sysctl.d/ + - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ + contains: ^[\s]*net.ipv4.conf.all.accept_local.*$ + patterns: '*.conf' + file_type: any + register: find_sysctl_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-88789-3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_local + +- name: Comment out any occurrences of net.ipv4.conf.all.accept_local from config + files + replace: + path: '{{ item.path }}' + regexp: ^[\s]*net.ipv4.conf.all.accept_local + replace: '#net.ipv4.conf.all.accept_local' + loop: '{{ find_sysctl_d.files }}' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-88789-3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_local + +- name: Ensure sysctl net.ipv4.conf.all.accept_local is set to 0 + sysctl: + name: net.ipv4.conf.all.accept_local + value: '0' + sysctl_file: /etc/sysctl.conf + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-88789-3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_local + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
@@ -189753,60 +189807,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: List /etc/sysctl.d/*.conf files - find: - paths: - - /etc/sysctl.d/ - - /run/sysctl.d/ - - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.accept_local.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-88789-3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_local - -- name: Comment out any occurrences of net.ipv4.conf.all.accept_local from config - files - replace: - path: '{{ item.path }}' - regexp: ^[\s]*net.ipv4.conf.all.accept_local - replace: '#net.ipv4.conf.all.accept_local' - loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-88789-3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_local - -- name: Ensure sysctl net.ipv4.conf.all.accept_local is set to 0 - sysctl: - name: net.ipv4.conf.all.accept_local - value: '0' - sysctl_file: /etc/sysctl.conf - state: present - reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-88789-3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_local 
@@ -189925,67 +189925,20 @@ message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required." CCE-80917-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_accept_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.all.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value" - -# -# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80917-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -190067,20 +190020,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_accept_redirects_value='' + + +# +# Set runtime for net.ipv4.conf.all.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value" + +# +# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80917-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -190252,67 +190252,20 @@ forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81011-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_accept_source_route_value='' - - -# -# Set runtime for net.ipv4.conf.all.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value" - -# -# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81011-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -190394,51 +190347,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf - overwrite: true - - - - - - - - - - - Configure ARP filtering for All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_filter= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_filter = - This behaviour may cause problems to system on a high availability or load balancing configuration. - BP28(R12) - Prevents the Linux Kernel from handling the ARP table globally. -By default, the kernel may respond to an ARP request from a certain interface with information -from another interface. - CCE-88555-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.arp_filter" matches to preserve user data + # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190450,37 +190370,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_arp_filter_value='' +sysctl_net_ipv4_conf_all_accept_source_route_value='' # -# Set runtime for net.ipv4.conf.all.arp_filter +# Set runtime for net.ipv4.conf.all.accept_source_route # -/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter="$sysctl_net_ipv4_conf_all_arp_filter_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value" # -# If net.ipv4.conf.all.arp_filter present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.arp_filter = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_filter") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_filter_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_filter\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88555-8" + cce="CCE-81011-9" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -190489,6 +190409,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure ARP filtering for All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_filter= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_filter = + This behaviour may cause problems to system on a high availability or load balancing configuration. + BP28(R12) + Prevents the Linux Kernel from handling the ARP table globally. +By default, the kernel may respond to an ARP request from a certain interface with information +from another interface. + CCE-88555-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190547,34 +190485,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_arp_filter - - - - - - - - - - Configure Response Mode of ARP Requests for All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_ignore= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_ignore = - The ARP response mode may impact behaviour of workloads and firewalls on the system. - BP28(R12) - Avoids ARP Flux on system that have more than one interface on the same subnet. - CCE-88889-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.arp_ignore" matches to preserve user data + # comment out "net.ipv4.conf.all.arp_filter" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190586,37 +190508,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_arp_ignore_value='' +sysctl_net_ipv4_conf_all_arp_filter_value='' # -# Set runtime for net.ipv4.conf.all.arp_ignore +# Set runtime for net.ipv4.conf.all.arp_filter # -/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore="$sysctl_net_ipv4_conf_all_arp_ignore_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter="$sysctl_net_ipv4_conf_all_arp_filter_value" # -# If net.ipv4.conf.all.arp_ignore present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.arp_ignore = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.arp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.arp_filter = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_ignore") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_filter") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_ignore_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_filter_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_ignore\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_filter\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_ignore\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88889-1" + cce="CCE-88555-8" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -190625,6 +190547,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Response Mode of ARP Requests for All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_ignore= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_ignore = + The ARP response mode may impact behaviour of workloads and firewalls on the system. + BP28(R12) + Avoids ARP Flux on system that have more than one interface on the same subnet. + CCE-88889-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190683,34 +190621,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_arp_ignore - - - - - - - - - - Drop Gratuitious ARP frames on All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.drop_gratuitous_arp = 1 - This can cause problems if ARP proxies are used in the network. - BP28(R12) - Drop Gratuitous ARP frames to prevent ARP poisoning. - CCE-88001-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.drop_gratuitous_arp from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.drop_gratuitous_arp" matches to preserve user data + # comment out "net.ipv4.conf.all.arp_ignore" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190722,35 +190644,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" +sysctl_net_ipv4_conf_all_arp_ignore_value='' + # -# Set runtime for net.ipv4.conf.all.drop_gratuitous_arp +# Set runtime for net.ipv4.conf.all.arp_ignore # -/sbin/sysctl -q -n -w net.ipv4.conf.all.drop_gratuitous_arp="1" +/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore="$sysctl_net_ipv4_conf_all_arp_ignore_value" # -# If net.ipv4.conf.all.drop_gratuitous_arp present in /etc/sysctl.conf, change value to "1" -# else, add "net.ipv4.conf.all.drop_gratuitous_arp = 1" to /etc/sysctl.conf +# If net.ipv4.conf.all.arp_ignore present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.arp_ignore = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.drop_gratuitous_arp") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_ignore") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_ignore_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.drop_gratuitous_arp\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_ignore\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.drop_gratuitous_arp\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.arp_ignore\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88001-3" + cce="CCE-88889-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -190759,6 +190683,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Drop Gratuitious ARP frames on All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.drop_gratuitous_arp = 1 + This can cause problems if ARP proxies are used in the network. + BP28(R12) + Drop Gratuitous ARP frames to prevent ARP poisoning. + CCE-88001-3 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190813,44 +190753,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_drop_gratuitous_arp - - - - - - - - - Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.forwarding=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.forwarding = 0 - There might be cases when certain applications can systematically override this option. -One such case is Libvirt; a toolkit for managing of virtualization platforms. -By default, Libvirt requires IP forwarding to be enabled to facilitate -network communication between the virtualization host and guest -machines. It enables IP forwarding after every reboot. - CCI-000366 - CM-6(b) - SRG-OS-000480-GPOS-00227 - RHEL-08-040259 - SV-250317r858808_rule - IP forwarding permits the kernel to forward packets from one network -interface to another. The ability to forward packets between two networks is -only appropriate for systems acting as routers. - - CCE-86220-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.forwarding from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.drop_gratuitous_arp from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.forwarding.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.forwarding" matches to preserve user data + # comment out "net.ipv4.conf.all.drop_gratuitous_arp" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -190862,37 +190776,35 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_forwarding_value='' - # -# Set runtime for net.ipv4.conf.all.forwarding +# Set runtime for net.ipv4.conf.all.drop_gratuitous_arp # -/sbin/sysctl -q -n -w net.ipv4.conf.all.forwarding="$sysctl_net_ipv4_conf_all_forwarding_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.drop_gratuitous_arp="1" # -# If net.ipv4.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.forwarding = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.drop_gratuitous_arp present in /etc/sysctl.conf, change value to "1" +# else, add "net.ipv4.conf.all.drop_gratuitous_arp = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.forwarding") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.drop_gratuitous_arp") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_forwarding_value" +printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.drop_gratuitous_arp\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.drop_gratuitous_arp\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-86220-1" + cce="CCE-88001-3" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -190901,6 +190813,32 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.forwarding=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.forwarding = 0 + There might be cases when certain applications can systematically override this option. +One such case is Libvirt; a toolkit for managing of virtualization platforms. +By default, Libvirt requires IP forwarding to be enabled to facilitate +network communication between the virtualization host and guest +machines. It enables IP forwarding after every reboot. + CCI-000366 + CM-6(b) + SRG-OS-000480-GPOS-00227 + RHEL-08-040259 + SV-250317r858808_rule + IP forwarding permits the kernel to forward packets from one network +interface to another. The ability to forward packets between two networks is +only appropriate for systems acting as routers. + + CCE-86220-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -190964,6 +190902,68 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.forwarding from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.forwarding.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.forwarding" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_forwarding_value='' + + +# +# Set runtime for net.ipv4.conf.all.forwarding +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.forwarding="$sysctl_net_ipv4_conf_all_forwarding_value" + +# +# If net.ipv4.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.forwarding = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.forwarding") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_forwarding_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-86220-1" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -191091,67 +191091,20 @@ as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. CCE-81018-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.log_martians" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_log_martians_value='' - - -# -# Set runtime for net.ipv4.conf.all.log_martians -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value" - -# -# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.log_martians") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_log_martians_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.log_martians\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81018-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.log_martians%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -191224,50 +191177,18 @@ fi - sysctl_net_ipv4_conf_all_log_martians - unknown_severity - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.log_martians%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf - overwrite: true - - - - - - - - - - - Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.route_localnet=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.route_localnet = 0 - BP28(R12) - Refuse the routing of packets whose source or destination address is the local loopback. -This prohibits the use of network 127/8 for local routing purposes. -Enabling route_localnet can expose applications listening on localhost to external traffic. - CCE-88023-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.route_localnet" matches to preserve user data + # comment out "net.ipv4.conf.all.log_martians" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -191279,35 +191200,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" +sysctl_net_ipv4_conf_all_log_martians_value='' + # -# Set runtime for net.ipv4.conf.all.route_localnet +# Set runtime for net.ipv4.conf.all.log_martians # -/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet="0" +/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value" # -# If net.ipv4.conf.all.route_localnet present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.conf.all.route_localnet = 0" to /etc/sysctl.conf +# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.route_localnet") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.log_martians") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_log_martians_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.route_localnet\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.log_martians\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.route_localnet\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88023-7" + cce="CCE-81018-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -191316,6 +191239,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.route_localnet=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.route_localnet = 0 + BP28(R12) + Refuse the routing of packets whose source or destination address is the local loopback. +This prohibits the use of network 127/8 for local routing purposes. +Enabling route_localnet can expose applications listening on localhost to external traffic. + CCE-88023-7 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -191369,6 +191309,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_route_localnet + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.route_localnet" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.conf.all.route_localnet +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet="0" + +# +# If net.ipv4.conf.all.route_localnet present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.all.route_localnet = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.route_localnet") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.route_localnet\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.route_localnet\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-88023-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -191476,67 +191476,20 @@ received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. CCE-81021-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_rp_filter_value='' - - -# -# Set runtime for net.ipv4.conf.all.rp_filter -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value" - -# -# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81021-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.rp_filter%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -191620,20 +191573,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_rp_filter - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.rp_filter%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_rp_filter_value='' + + +# +# Set runtime for net.ipv4.conf.all.rp_filter +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value" + +# +# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81021-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -191795,67 +191795,20 @@ To make sure that the setting is persistent, add the following line to a file in default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81016-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_all_secure_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.all.secure_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value" - -# -# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81016-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -191937,49 +191890,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_secure_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf - overwrite: true - - - - - - - - - - - Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces - To set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.shared_media= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.shared_media = - BP28(R12) - This setting should be aligned with net.ipv4.conf.all.secure_redirects because it overrides it. -If shared_media is enabled for an interface secure_redirects will be enabled too. - CCE-88333-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.shared_media" matches to preserve user data + # comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
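Review bot: the hunk at @@ -191937 is misleading as generated, because the diff algorithm aligned the removed shared_media script against the moved secure_redirects script, so it reads as if "net.ipv4.conf.all.shared_media" were renamed to "net.ipv4.conf.all.secure_redirects" and CCE-88333-0 replaced by CCE-81016-8. Nothing in this hunk alone shows that the shared_media rule (title, description, BP28(R12) reference and CCE-88333-0) survives; it only becomes clear from @@ -192030 and @@ -192088 further down, which add the same text back after the secure_redirects bash fix. For publishes like this one, generate the patch with "git diff --diff-algorithm=patience" (or histogram) so moved blocks are shown as a removal and an addition of identical text rather than as a line-by-line rename, and add a post-publish check that each CCE identifier still occurs exactly as often as before the regeneration.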
@@ -191991,37 +191913,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_all_shared_media_value='' +sysctl_net_ipv4_conf_all_secure_redirects_value='' # -# Set runtime for net.ipv4.conf.all.shared_media +# Set runtime for net.ipv4.conf.all.secure_redirects # -/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media="$sysctl_net_ipv4_conf_all_shared_media_value" +/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value" # -# If net.ipv4.conf.all.shared_media present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.all.shared_media = value" to /etc/sysctl.conf +# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.shared_media") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_shared_media_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.shared_media\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88333-0" + cce="CCE-81016-8" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -192030,6 +191952,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.shared_media= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.shared_media = + BP28(R12) + This setting should be aligned with net.ipv4.conf.all.secure_redirects because it overrides it. +If shared_media is enabled for an interface secure_redirects will be enabled too. + CCE-88333-0 - name: List /etc/sysctl.d/*.conf files find: paths: 
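Review bot: in the hunk at @@ -191991 the moved bash fix assigns "sysctl_net_ipv4_conf_all_secure_redirects_value=''", and the rule description in @@ -192030 ends its command with "sysctl -w net.ipv4.conf.all.shared_media=" with nothing after the equals sign. If that is what the rendered datastream contains, the runtime step "/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects=\"\"" fails and the persistent step appends "net.ipv4.conf.all.secure_redirects = " with no value to /etc/sysctl.conf, which sysctl --system then rejects on the next boot. The empty value has the shape of an XCCDF value-substitution element that this rendering dropped rather than a literal in the source; confirm that the published ssg-rhel8-ds.xml still carries the substitution for this variable (and for the shared_media variable in @@ -192088) and that the ssg-rhel8-guide-stig.html rendering shows the resolved value, since a reader of the HTML guide otherwise copies a command that cannot work.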
@@ -192088,6 +192026,68 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_shared_media + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.shared_media" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_all_shared_media_value='' + + +# +# Set runtime for net.ipv4.conf.all.shared_media +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media="$sysctl_net_ipv4_conf_all_shared_media_value" + +# +# If net.ipv4.conf.all.shared_media present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.shared_media = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.shared_media") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_shared_media_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.shared_media\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-88333-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
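Review bot: the shared_media bash fix added at @@ -192088 has the same shell robustness gaps as the other sysctl fixes in this file, visible in its for loop: the globs "/run/sysctl.d/*.conf" and "/usr/local/lib/sysctl.d/*.conf" expand to themselves when the directory is empty or absent, so grep is handed a literal path and writes a "No such file" error to stderr on every run; "$f" is unquoted in both the grep and the sed -i call; "uniq" without a preceding sort only collapses adjacent duplicates; and "escaped_entry" escapes only "/" before being used as a sed pattern, so the dots in the key match any character. None of these changes the outcome on a normal RHEL 8 host, but they make the remediation noisy in an audit log and fragile on hosts with customised sysctl layouts. Add "shopt -s nullglob" (or "[ -f \"$f\" ] || continue" at the top of the loop body), quote "$f", and use "sort -u" in place of "uniq".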
@@ -192256,67 +192256,20 @@ message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. CCE-80919-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_accept_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.default.accept_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value" - -# -# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80919-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
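Review bot: the hunk at @@ -192256 shows the two remediation types for CCE-80919-4 writing to different places, and they interfere when both are applied to the same node. The MachineConfig fix declares "/etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf", while the bash fix writes its value to /etc/sysctl.conf and, before doing so, comments out every uncommented line matching "net.ipv4.conf.default.accept_redirects" in /etc/sysctl.d/*.conf, including the file the MachineConfig manages. On a node managed by the Machine Config Operator that leaves the on-disk file differing from what the MachineConfig declares, and the bash run has defeated a declarative control to reach the same sysctl value. Either have the bash fix target a file under /etc/sysctl.d/ with the same name, or document that the bash remediation is not to be run on MachineConfig-managed nodes.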
@@ -192404,20 +192357,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_accept_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_accept_redirects_value='' + + +# +# Set runtime for net.ipv4.conf.default.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value" + +# +# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80919-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
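Review bot: the bash fix moved at @@ -192404 never checks the exit status of "/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=...", and the script does not run under "set -e", so a failed runtime write is silently followed by the edit of /etc/sysctl.conf and the script still exits 0. The container guard on "/.dockerenv" and "/run/.containerenv" only recognises Docker and Podman; in any other container or on a host with a read-only /proc/sys the sysctl call fails with EACCES and the remediation reports success while the live kernel value is unchanged. Test the return value of the sysctl call and fail the remediation (or at least print to stderr, as the "not applicable" branch already does) when the runtime write does not take effect; the persistent edit on its own should not count as a pass for a rule whose check reads the live value.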
@@ -192590,67 +192590,20 @@ uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. CCE-80920-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_accept_source_route_value='' - - -# -# Set runtime for net.ipv4.conf.default.accept_source_route -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value" - -# -# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80920-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -192732,20 +192685,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_accept_source_route - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_accept_source_route_value='' + + +# +# Set runtime for net.ipv4.conf.default.accept_source_route +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value" + +# +# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80920-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -192873,67 +192873,20 @@ as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. CCE-81020-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_log_martians_value='' - - -# -# Set runtime for net.ipv4.conf.default.log_martians -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value" - -# -# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81020-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.log_martians%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -193006,20 +192959,67 @@ fi - sysctl_net_ipv4_conf_default_log_martians - unknown_severity - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.log_martians%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_log_martians_value='' + + +# +# Set runtime for net.ipv4.conf.default.log_martians +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value" + +# +# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81020-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
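Review bot: the context lines of the hunk at @@ -193006 show the log_martians rule (CCE-81020-0) tagged "unknown_severity" while the neighbouring sysctl rules in this file carry "medium_severity". A rule that ships both a bash and a MachineConfig remediation, and that the description ties to detecting spoofed and source-routed traffic, should have a severity assigned so that profile consumers who filter or sort by severity do not drop it; "unknown" is also what an ARF report shows to an assessor. Set the severity in the rule source so the next regeneration fixes the tag in all four published artifacts at once rather than editing the datastream by hand.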
@@ -193123,67 +193123,20 @@ received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. CCE-81022-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_rp_filter_value='' - - -# -# Set runtime for net.ipv4.conf.default.rp_filter -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value" - -# -# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81022-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.rp_filter%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
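Review bot: in the hunk at @@ -193123 the MachineConfig fix hardcodes the value as "net.ipv4.conf.default.rp_filter%3D1" (strict reverse-path filtering), whereas the bash fix it is swapped with takes its value from "$sysctl_net_ipv4_conf_default_rp_filter_value", so the two remediation types for CCE-81022-6 diverge as soon as a tailoring file sets the variable to anything other than 1. The rule description in the same hunk itself warns that strict mode should not be used on systems that route for complicated networks, which is exactly the case for a cluster node with asymmetric paths, where 1 drops return traffic and the loose mode (2) is the usual setting. Generate the MachineConfig content from the same XCCDF variable as the bash fix, or document in the rule that the MachineConfig variant is strict-only and that nodes needing loose mode must be tailored out of it.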
@@ -193259,20 +193212,67 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_rp_filter - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.rp_filter%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_rp_filter_value='' + + +# +# Set runtime for net.ipv4.conf.default.rp_filter +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value" + +# +# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value" + +# If the key exists, change it. 
Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81022-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -193436,67 +193436,20 @@ To make sure that the setting is persistent, add the following line to a file in default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. CCE-81017-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_conf_default_secure_redirects_value='' - - -# -# Set runtime for net.ipv4.conf.default.secure_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value" - -# -# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81017-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
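Review bot: this hunk deletes the CCE-81017-6 shell fix and places the OpenShift MachineConfig in its slot, while the next hunk re-adds the same shell text verbatim under the same CCE; nothing here changes what either remediation does, so the churn comes from unstable ordering of fix elements in the build. Sorting fix elements by a stable key before publishing would keep automated publish commits down to real content changes and let a reviewer diff a canonical rendering instead of 130k moved lines.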
@@ -193572,49 +193525,18 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf - overwrite: true - - - - - - - - - - - Configure Sending and Accepting Shared Media Redirects by Default - To set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.shared_media= -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.shared_media = - BP28(R12) - This setting should be aligned with net.ipv4.conf.default.secure_redirects because it overrides it. -If shared_media is enabled for an interface secure_redirects will be enabled too. - CCE-88444-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.shared_media" matches to preserve user data + # comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
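Review bot: in the loop body kept as context here, `escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")` escapes only `/` before the line is interpolated into `sed -i "s/^${escaped_entry}$/# &/g" $f`; any other regex metacharacter on a matched config line (`[`, `*`, `\`, or a `.` in the key) reaches sed unescaped, so a line such as `net.ipv4.conf.default.secure_redirects = 0 # [legacy]` makes the sed expression fail and the entry is left uncommented. Escape the full set of BRE metacharacters, or comment the line out by line number rather than by pattern.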
@@ -193626,37 +193548,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_conf_default_shared_media_value='' +sysctl_net_ipv4_conf_default_secure_redirects_value='' # -# Set runtime for net.ipv4.conf.default.shared_media +# Set runtime for net.ipv4.conf.default.secure_redirects # -/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value" +/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value" # -# If net.ipv4.conf.default.shared_media present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.conf.default.shared_media = value" to /etc/sysctl.conf +# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.shared_media") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_shared_media_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.shared_media\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-88444-5" + cce="CCE-81017-6" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -193665,6 +193587,22 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure Sending and Accepting Shared Media Redirects by Default + To set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.shared_media= +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.shared_media = + BP28(R12) + This setting should be aligned with net.ipv4.conf.default.secure_redirects because it overrides it. +If shared_media is enabled for an interface secure_redirects will be enabled too. + CCE-88444-5 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -193723,6 +193661,68 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_shared_media + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.shared_media" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_conf_default_shared_media_value='' + + +# +# Set runtime for net.ipv4.conf.default.shared_media +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value" + +# +# If net.ipv4.conf.default.shared_media present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.shared_media = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.shared_media") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_shared_media_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.shared_media\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.shared_media\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-88444-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
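Review bot: the runtime step added in this hunk, `/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value"`, runs with `-q` and its exit status is never checked, and the script has no `set -e`, so a rejected value or a missing key is silent and the persistent write to `${SYSCONFIG_FILE}` still proceeds; test the return code and report failure so the remediation result matches the actual kernel state. The same applies to the `sed -i` calls, whose failures are likewise unchecked.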
@@ -193891,67 +193891,20 @@ and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. CCE-80922-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='' - - -# -# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts -# -/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" - -# -# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80922-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -194036,20 +193989,67 @@ fi - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='' + + +# +# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts +# +/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" + +# +# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80922-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
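Review bot: the existence check added here, `grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"`, is anchored at `^`, so an indented but active entry in /etc/sysctl.conf is not seen and a second entry is appended; sysctl applies the last one, so the effect is correct, but the file is left with two live settings. Allowing leading whitespace (`^[[:space:]]*key\>`) in both the grep and the sed that follows would avoid that, and the `-i` / `gi` flags can be dropped, since sysctl keys are case-sensitive.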
@@ -194163,67 +194163,20 @@ To make sure that the setting is persistent, add the following line to a file in Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. CCE-81023-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='' - - -# -# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses -# -/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" - -# -# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" - -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81023-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -194302,50 +194255,18 @@ fi - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf - overwrite: true - - - - - - - - - - - Set Kernel Parameter to Increase Local Port Range - To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 32768 65535 - BP28(R22) - This setting defines the local port range that is used by TCP and UDP to -choose the local port. The first number is the first, the second the last -local port number. - CCE-84277-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_local_port_range.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.ip_local_port_range" matches to preserve user data + # comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -194357,35 +194278,37 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" +sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='' + # -# Set runtime for net.ipv4.ip_local_port_range +# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses # -/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535" +/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" # -# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to "32768 65535" -# else, add "net.ipv4.ip_local_port_range = 32768 65535" to /etc/sysctl.conf +# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_local_port_range") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "32768 65535" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_local_port_range\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_local_port_range\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84277-3" + cce="CCE-81023-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -194394,6 +194317,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Set Kernel Parameter to Increase Local Port Range + To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 32768 65535 + BP28(R22) + This setting defines the local port range that is used by TCP and UDP to +choose the local port. The first number is the first, the second the last +local port number. + CCE-84277-3 - name: List /etc/sysctl.d/*.conf files find: paths: 
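Review bot: the rule description moved in the second hunk on this line shows the runtime command as `$ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535`, which the shell splits into two arguments so `65535` becomes a separate (invalid) key; the shell fix itself quotes the value as `"32768 65535"`, and the description should do the same. The sentence "The first number is the first, the second the last local port number." would also read better as "The first number is the lowest and the second the highest local port number."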
@@ -194447,56 +194387,18 @@ fi - reboot_required - sysctl_net_ipv4_ip_local_port_range - - - - - - - - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments - Make sure that the system is configured to limit the maximal rate for sending -duplicate acknowledgments in response to incoming TCP packets that are for -an existing connection but that are invalid due to any of these reasons: - -(a) out-of-window sequence number, (b) out-of-window acknowledgment number, -or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure -This measure protects against or limits effects of DoS attacks against the system. -Set the system to implement rate-limiting measures by adding the following line to -/etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory -(or modify the line to have the required value): -net.ipv4.tcp_invalid_ratelimit = -Issue the following command to make the changes take effect: -# sysctl --system - CCI-002385 - CIP-007-3 R4 - CIP-007-3 R4.1 - CIP-007-3 R4.2 - CIP-007-3 R5.1 - SC-5 - SRG-OS-000420-GPOS-00186 - Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When -this occurs, the organization either cannot accomplish its mission or must -operate at degraded capacity. - -This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or -malicious middlebox or man-in-the-middle can rewrite TCP header fields in -manner that causes each endpoint to think that the other is sending invalid -TCP segments, thus causing each side to send an unterminating stream of -duplicate acknowledgments for invalid segments. - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.tcp_invalid_ratelimit from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_invalid_ratelimit.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_local_port_range.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.tcp_invalid_ratelimit" matches to preserve user data + # comment out "net.ipv4.ip_local_port_range" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -194508,36 +194410,36 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_tcp_invalid_ratelimit_value='' - # -# Set runtime for net.ipv4.tcp_invalid_ratelimit +# Set runtime for net.ipv4.ip_local_port_range # -/sbin/sysctl -q -n -w net.ipv4.tcp_invalid_ratelimit="$sysctl_net_ipv4_tcp_invalid_ratelimit_value" +/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535" # -# If net.ipv4.tcp_invalid_ratelimit present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.tcp_invalid_ratelimit = value" to /etc/sysctl.conf +# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to "32768 65535" +# else, add "net.ipv4.ip_local_port_range = 32768 65535" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_invalid_ratelimit") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_local_port_range") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_invalid_ratelimit_value" +printf -v formatted_output "%s = %s" "$stripped_key" "32768 65535" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_invalid_ratelimit\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_local_port_range\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_invalid_ratelimit\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_local_port_range\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi + cce="CCE-84277-3" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -194545,6 +194447,44 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + Make sure that the system is configured to limit the maximal rate for sending +duplicate acknowledgments in response to incoming TCP packets that are for +an existing connection but that are invalid due to any of these reasons: + +(a) out-of-window sequence number, (b) out-of-window acknowledgment number, +or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure +This measure protects against or limits effects of DoS attacks against the system. +Set the system to implement rate-limiting measures by adding the following line to +/etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory +(or modify the line to have the required value): +net.ipv4.tcp_invalid_ratelimit = +Issue the following command to make the changes take effect: +# sysctl --system + CCI-002385 + CIP-007-3 R4 + CIP-007-3 R4.1 + CIP-007-3 R4.2 + CIP-007-3 R5.1 + SC-5 + SRG-OS-000420-GPOS-00186 + Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When +this occurs, the organization either cannot accomplish its mission or must +operate at degraded capacity. + +This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or +malicious middlebox or man-in-the-middle can rewrite TCP header fields in +manner that causes each endpoint to think that the other is sending invalid +TCP segments, thus causing each side to send an unterminating stream of +duplicate acknowledgments for invalid segments. - name: List /etc/sysctl.d/*.conf files find: paths: 
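Review bot: the rationale text re-added in this hunk has two wording slips worth fixing at the source: "rewrite TCP header fields in manner that causes" should be "in a manner that causes", and "an unterminating stream" should be "an unending stream". This rule also lists CCI-002385, CIP-007-3 and SRG-OS-000420-GPOS-00186 but no CCE identifier, which is why its shell fix (the removed lines in the preceding hunk) appends `net.ipv4.tcp_invalid_ratelimit` without the `# Per CCE...` comment the other sysctl fixes write; consider emitting the rule id in that comment instead so the persisted line keeps a provenance marker.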
@@ -194604,35 +194544,18 @@ fi - reboot_required - sysctl_net_ipv4_tcp_invalid_ratelimit - - - - - - - - - - Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - To set the runtime status of the net.ipv4.tcp_rfc1337 kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_rfc1337=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_rfc1337 = 1 - BP28(R22) - Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is -received in TIME_WAIT state, we close the socket immediately without waiting -for the end of the TIME_WAIT period. - CCE-84270-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.ipv4.tcp_invalid_ratelimit from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_rfc1337.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_invalid_ratelimit.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.tcp_rfc1337" matches to preserve user data + # comment out "net.ipv4.tcp_invalid_ratelimit" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -194644,38 +194567,36 @@ done SYSCONFIG_FILE="/etc/sysctl.conf" -sysctl_net_ipv4_tcp_rfc1337_value='' +sysctl_net_ipv4_tcp_invalid_ratelimit_value='' # -# Set runtime for net.ipv4.tcp_rfc1337 +# Set runtime for net.ipv4.tcp_invalid_ratelimit # -/sbin/sysctl -q -n -w net.ipv4.tcp_rfc1337="$sysctl_net_ipv4_tcp_rfc1337_value" +/sbin/sysctl -q -n -w net.ipv4.tcp_invalid_ratelimit="$sysctl_net_ipv4_tcp_invalid_ratelimit_value" # -# If net.ipv4.tcp_rfc1337 present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.tcp_rfc1337 = value" to /etc/sysctl.conf +# If net.ipv4.tcp_invalid_ratelimit present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.tcp_invalid_ratelimit = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_rfc1337") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_invalid_ratelimit") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_rfc1337_value" +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_invalid_ratelimit_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_rfc1337\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_invalid_ratelimit\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_rfc1337\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_invalid_ratelimit\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-84270-8" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -194683,6 +194604,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces + To set the runtime status of the net.ipv4.tcp_rfc1337 kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_rfc1337=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_rfc1337 = 1 + BP28(R22) + Enable TCP behavior conformant with RFC 1337. When disabled, if a RST is +received in TIME_WAIT state, we close the socket immediately without waiting +for the end of the TIME_WAIT period. + CCE-84270-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -194741,50 +194679,112 @@ fi - reboot_required - sysctl_net_ipv4_tcp_rfc1337 - - - - - - - - - - Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 - BP28(R22) - 1 - 12 - 13 - 14 - 15 - 16 - 18 - 2 - 4 - 6 - 7 - 8 - 9 - 5.10.1.1 - APO01.06 - APO13.01 - BAI04.04 - DSS01.03 - DSS01.05 - DSS03.01 - DSS03.05 - DSS05.02 - DSS05.04 - DSS05.07 - DSS06.02 - 3.1.20 - CCI-000366 - CCI-001095 - 4.2.3.4 - 4.3.3.4 - 4.4.3.3 + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_rfc1337.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.tcp_rfc1337" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_tcp_rfc1337_value='' + + +# +# Set runtime for net.ipv4.tcp_rfc1337 +# +/sbin/sysctl -q -n -w net.ipv4.tcp_rfc1337="$sysctl_net_ipv4_tcp_rfc1337_value" + +# +# If net.ipv4.tcp_rfc1337 present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.tcp_rfc1337 = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. 
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_rfc1337") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_rfc1337_value" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_rfc1337\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_rfc1337\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-84270-8" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces + To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 + BP28(R22) + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 4 + 6 + 7 + 8 + 9 + 5.10.1.1 + APO01.06 + APO13.01 + BAI04.04 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + 3.1.20 + CCI-000366 + CCI-001095 + 4.2.3.4 + 4.3.3.4 + 4.4.3.3 SR 3.1 SR 3.5 SR 3.8 
@@ -194852,67 +194852,20 @@ verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. CCE-80923-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.tcp_syncookies" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_net_ipv4_tcp_syncookies_value='' - - -# -# Set runtime for net.ipv4.tcp_syncookies -# -/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value" - -# -# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value -# else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80923-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.tcp_syncookies%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -195002,20 +194955,67 @@ fi - reboot_required - sysctl_net_ipv4_tcp_syncookies - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.tcp_syncookies%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.tcp_syncookies" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_net_ipv4_tcp_syncookies_value='' + + +# +# Set runtime for net.ipv4.tcp_syncookies +# +/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value" + +# +# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80923-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -195193,65 +195193,20 @@ from the system's route table possibly revealing portions of the network topolog The ability to send ICMP redirects is only appropriate for systems acting as routers. CCE-80918-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv4.conf.all.send_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0" - -# -# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80918-6" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.send_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -195334,20 +195289,65 @@ fi - reboot_required - sysctl_net_ipv4_conf_all_send_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.all.send_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.conf.all.send_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0" + +# +# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80918-6" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -195517,65 +195517,20 @@ from the system's route table possibly revealing portions of the network topolog The ability to send ICMP redirects is only appropriate for systems acting as routers. CCE-80921-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv4.conf.default.send_redirects -# -/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0" - -# -# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80921-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.send_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -195658,20 +195613,65 @@ fi - reboot_required - sysctl_net_ipv4_conf_default_send_redirects - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.ipv4.conf.default.send_redirects%3D0%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.conf.default.send_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0" + +# +# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80921-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -195808,66 +195808,6 @@ not required, system network information may be unnecessarily transmitted across the network. CCE-81024-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.ipv4.ip_forward" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for net.ipv4.ip_forward -# -/sbin/sysctl -q -n -w net.ipv4.ip_forward="0" - -# -# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0" -# else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81024-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -195947,6 +195887,66 @@ fi - medium_severity - reboot_required - sysctl_net_ipv4_ip_forward + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "net.ipv4.ip_forward" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for net.ipv4.ip_forward +# +/sbin/sysctl -q -n -w net.ipv4.ip_forward="0" + +# +# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81024-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -196155,21 +196155,13 @@ originating from within a corporate network to include malicious mobile code and configured software on a host. CCE-86376-1 + +package --add=nftables + [[packages]] name = "nftables" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "nftables" ; then - yum install -y "nftables" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_nftables @@ -196194,8 +196186,16 @@ class install_nftables { - no_reboot_needed - package_nftables_installed - -package --add=nftables + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "nftables" ; then + yum install -y "nftables" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196220,18 +196220,6 @@ the nftables service [customizations.services] enabled = ["nftables"] - - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q nftables ); then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'nftables.service' -"$SYSTEMCTL_EXEC" start 'nftables.service' -"$SYSTEMCTL_EXEC" enable 'nftables.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_nftables @@ -196279,6 +196267,18 @@ class enable_nftables { - medium_severity - no_reboot_needed - service_nftables_enabled + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q nftables ); then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'nftables.service' +"$SYSTEMCTL_EXEC" start 'nftables.service' +"$SYSTEMCTL_EXEC" enable 'nftables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196303,26 +196303,20 @@ is actually one of the backends for firewalld management [customizations.services] disabled = ["nftables"] - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q firewalld && rpm --quiet -q nftables ); then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'nftables.service' -"$SYSTEMCTL_EXEC" disable 'nftables.service' -"$SYSTEMCTL_EXEC" mask 'nftables.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files nftables.socket; then - "$SYSTEMCTL_EXEC" stop 'nftables.socket' - "$SYSTEMCTL_EXEC" mask 'nftables.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'nftables.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nftables.service + enabled: false + mask: true + - name: nftables.socket + enabled: false + mask: true include disable_nftables 
@@ -196416,20 +196410,26 @@ class disable_nftables { - no_reboot_needed - service_nftables_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: nftables.service - enabled: false - mask: true - - name: nftables.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q firewalld && rpm --quiet -q nftables ); then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nftables.service' +"$SYSTEMCTL_EXEC" disable 'nftables.service' +"$SYSTEMCTL_EXEC" mask 'nftables.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files nftables.socket; then + "$SYSTEMCTL_EXEC" stop 'nftables.socket' + "$SYSTEMCTL_EXEC" mask 'nftables.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'nftables.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -196449,27 +196449,6 @@ network traffic. Note: adding rules to a running nftables can cause loss of connectivity to the system. CCE-86162-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q nftables; then - -#Set nftables family name -var_nftables_family='' - - -#Set nftables table name -var_nftables_table='' - - -IS_TABLE=$(nft list tables) -if [ -z "$IS_TABLE" ] -then - nft create table "$var_nftables_family" "$var_nftables_table" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -196519,6 +196498,27 @@ fi - no_reboot_needed - restrict_strategy - set_nftables_table + + # Remediation is applicable only in certain platforms +if rpm --quiet -q nftables; then + +#Set nftables family name +var_nftables_family='' + + +#Set nftables table name +var_nftables_table='' + + +IS_TABLE=$(nft list tables) +if [ -z "$IS_TABLE" ] +then + nft create table "$var_nftables_family" "$var_nftables_table" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -196563,18 +196563,6 @@ The ufw service can be enabled with the following command [customizations.services] enabled = ["ufw"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q ufw ); }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'ufw.service' -"$SYSTEMCTL_EXEC" start 'ufw.service' -"$SYSTEMCTL_EXEC" enable 'ufw.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_ufw @@ -196622,6 +196610,18 @@ class enable_ufw { - medium_severity - no_reboot_needed - service_ufw_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q ufw ); }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ufw.service' +"$SYSTEMCTL_EXEC" start 'ufw.service' +"$SYSTEMCTL_EXEC" enable 'ufw.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196665,24 +196665,20 @@ add the following line to file /etc/modprobe.d/atm.conf: Disabling ATM protects the system against exploitation of any flaws in its implementation. CCE-82028-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then - - sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf - echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then - echo "blacklist atm" >> /etc/modprobe.d/atm.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20atm%20/bin/true%0Ablacklist%20atm%0A + mode: 0644 + path: /etc/modprobe.d/atm.conf + overwrite: true - name: Ensure kernel module 'atm' is disabled lineinfile: 
@@ -196720,20 +196716,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20atm%20/bin/true%0Ablacklist%20atm%0A - mode: 0644 - path: /etc/modprobe.d/atm.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then + + sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf + echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then + echo "blacklist atm" >> /etc/modprobe.d/atm.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196766,24 +196766,20 @@ add the following line to file /etc/modprobe.d/can.conf: Disabling CAN protects the system against exploitation of any flaws in its implementation. CCE-82059-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then - - sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf - echo "install can /bin/true" >> /etc/modprobe.d/can.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then - echo "blacklist can" >> /etc/modprobe.d/can.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20can%20/bin/true%0Ablacklist%20can%0A + mode: 0644 + path: /etc/modprobe.d/can.conf + overwrite: true - name: Ensure kernel module 'can' is disabled lineinfile: 
@@ -196821,20 +196817,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20can%20/bin/true%0Ablacklist%20can%0A - mode: 0644 - path: /etc/modprobe.d/can.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then + + sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf + echo "install can /bin/true" >> /etc/modprobe.d/can.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then + echo "blacklist can" >> /etc/modprobe.d/can.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -196934,24 +196934,20 @@ add the following line to file /etc/modprobe.d/dccp.conf: Disabling DCCP protects the system against exploitation of any flaws in its implementation. CCE-80833-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then - - sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf - echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then - echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A + mode: 0644 + path: /etc/modprobe.d/dccp.conf + overwrite: true - name: Ensure kernel module 'dccp' is disabled lineinfile: 
@@ -196999,20 +196995,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A - mode: 0644 - path: /etc/modprobe.d/dccp.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then + + sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf + echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then + echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197042,24 +197042,20 @@ add the following line to file /etc/modprobe.d/firewire-core.confDisabling FireWire protects the system against exploitation of any flaws in its implementation. CCE-82005-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then - - sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf - echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then - echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20firewire-core%20/bin/true%0Ablacklist%20firewire-core%0A + mode: 0644 + path: /etc/modprobe.d/firewire-core.conf + overwrite: true - name: Ensure kernel module 'firewire-core' is disabled lineinfile: 
@@ -197097,20 +197093,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20firewire-core%20/bin/true%0Ablacklist%20firewire-core%0A - mode: 0644 - path: /etc/modprobe.d/firewire-core.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then + + sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf + echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then + echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197202,24 +197202,20 @@ add the following line to file /etc/modprobe.d/rds.conf: Disabling RDS protects the system against exploitation of any flaws in its implementation. CCE-82870-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then - - sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf - echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist rds$" /etc/modprobe.d/rds.conf ; then - echo "blacklist rds" >> /etc/modprobe.d/rds.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20rds%20/bin/true%0Ablacklist%20rds%0A + mode: 0644 + path: /etc/modprobe.d/rds.conf + overwrite: true - name: Ensure kernel module 'rds' is disabled lineinfile: 
@@ -197259,20 +197255,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20rds%20/bin/true%0Ablacklist%20rds%0A - mode: 0644 - path: /etc/modprobe.d/rds.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then + + sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf + echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist rds$" /etc/modprobe.d/rds.conf ; then + echo "blacklist rds" >> /etc/modprobe.d/rds.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197376,24 +197376,20 @@ add the following line to file /etc/modprobe.d/sctp.conf: Disabling SCTP protects the system against exploitation of any flaws in its implementation. CCE-80834-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then - - sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf - echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then - echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A + mode: 0644 + path: /etc/modprobe.d/sctp.conf + overwrite: true - name: Ensure kernel module 'sctp' is disabled lineinfile: 
@@ -197443,20 +197439,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A - mode: 0644 - path: /etc/modprobe.d/sctp.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then + + sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf + echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then + echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197557,24 +197557,20 @@ the tipc kernel module will be loaded.Disabling TIPC protects the system against exploitation of any flaws in its implementation. CCE-82297-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then - - sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf - echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then - echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20tipc%20/bin/true%0Ablacklist%20tipc%0A + mode: 0644 + path: /etc/modprobe.d/tipc.conf + overwrite: true - name: Ensure kernel module 'tipc' is disabled lineinfile: 
@@ -197616,20 +197612,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20tipc%20/bin/true%0Ablacklist%20tipc%0A - mode: 0644 - path: /etc/modprobe.d/tipc.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then + + sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf + echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then + echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -197773,26 +197773,20 @@ utility of Bluetooth connectivity and its limited range. [customizations.services] disabled = ["bluetooth"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'bluetooth.service' -"$SYSTEMCTL_EXEC" disable 'bluetooth.service' -"$SYSTEMCTL_EXEC" mask 'bluetooth.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files bluetooth.socket; then - "$SYSTEMCTL_EXEC" stop 'bluetooth.socket' - "$SYSTEMCTL_EXEC" mask 'bluetooth.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: bluetooth.service + enabled: false + mask: true + - name: bluetooth.socket + enabled: false + mask: true include disable_bluetooth 
@@ -197882,20 +197876,26 @@ class disable_bluetooth { - no_reboot_needed - service_bluetooth_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: bluetooth.service - enabled: false - mask: true - - name: bluetooth.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'bluetooth.service' +"$SYSTEMCTL_EXEC" disable 'bluetooth.service' +"$SYSTEMCTL_EXEC" mask 'bluetooth.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files bluetooth.socket; then + "$SYSTEMCTL_EXEC" stop 'bluetooth.socket' + "$SYSTEMCTL_EXEC" mask 'bluetooth.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198020,24 +198020,20 @@ from loading the kernel module provides an additional safeguard against its activation. CCE-80832-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then - - sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf - echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then - echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20bluetooth%20/bin/true%0Ablacklist%20bluetooth%0A + mode: 0644 + path: /etc/modprobe.d/bluetooth.conf + overwrite: true - name: Ensure kernel module 'bluetooth' is disabled lineinfile: 
@@ -198089,20 +198085,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20bluetooth%20/bin/true%0Ablacklist%20bluetooth%0A - mode: 0644 - path: /etc/modprobe.d/bluetooth.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then + + sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf + echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then + echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198132,24 +198132,20 @@ add the following line to file /etc/modprobe.d/cfg80211.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install cfg80211" /etc/modprobe.d/cfg80211.conf ; then - - sed -i 's#^install cfg80211.*#install cfg80211 /bin/true#g' /etc/modprobe.d/cfg80211.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cfg80211.conf - echo "install cfg80211 /bin/true" >> /etc/modprobe.d/cfg80211.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist cfg80211$" /etc/modprobe.d/cfg80211.conf ; then - echo "blacklist cfg80211" >> /etc/modprobe.d/cfg80211.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20cfg80211%20/bin/true%0Ablacklist%20cfg80211%0A + mode: 0644 + path: /etc/modprobe.d/cfg80211.conf + overwrite: true - name: Ensure kernel module 'cfg80211' is disabled lineinfile: 
@@ -198195,20 +198191,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20cfg80211%20/bin/true%0Ablacklist%20cfg80211%0A - mode: 0644 - path: /etc/modprobe.d/cfg80211.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install cfg80211" /etc/modprobe.d/cfg80211.conf ; then + + sed -i 's#^install cfg80211.*#install cfg80211 /bin/true#g' /etc/modprobe.d/cfg80211.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cfg80211.conf + echo "install cfg80211 /bin/true" >> /etc/modprobe.d/cfg80211.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist cfg80211$" /etc/modprobe.d/cfg80211.conf ; then + echo "blacklist cfg80211" >> /etc/modprobe.d/cfg80211.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198238,24 +198238,20 @@ add the following line to file /etc/modprobe.d/iwlmvm.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install iwlmvm" /etc/modprobe.d/iwlmvm.conf ; then - - sed -i 's#^install iwlmvm.*#install iwlmvm /bin/true#g' /etc/modprobe.d/iwlmvm.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlmvm.conf - echo "install iwlmvm /bin/true" >> /etc/modprobe.d/iwlmvm.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist iwlmvm$" /etc/modprobe.d/iwlmvm.conf ; then - echo "blacklist iwlmvm" >> /etc/modprobe.d/iwlmvm.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20iwlmvm%20/bin/true%0Ablacklist%20iwlmvm%0A + mode: 0644 + path: /etc/modprobe.d/iwlmvm.conf + overwrite: true - name: Ensure kernel module 'iwlmvm' is disabled lineinfile: 
@@ -198301,20 +198297,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20iwlmvm%20/bin/true%0Ablacklist%20iwlmvm%0A - mode: 0644 - path: /etc/modprobe.d/iwlmvm.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install iwlmvm" /etc/modprobe.d/iwlmvm.conf ; then + + sed -i 's#^install iwlmvm.*#install iwlmvm /bin/true#g' /etc/modprobe.d/iwlmvm.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlmvm.conf + echo "install iwlmvm /bin/true" >> /etc/modprobe.d/iwlmvm.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist iwlmvm$" /etc/modprobe.d/iwlmvm.conf ; then + echo "blacklist iwlmvm" >> /etc/modprobe.d/iwlmvm.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198344,24 +198344,20 @@ add the following line to file /etc/modprobe.d/iwlwifi.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install iwlwifi" /etc/modprobe.d/iwlwifi.conf ; then - - sed -i 's#^install iwlwifi.*#install iwlwifi /bin/true#g' /etc/modprobe.d/iwlwifi.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlwifi.conf - echo "install iwlwifi /bin/true" >> /etc/modprobe.d/iwlwifi.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist iwlwifi$" /etc/modprobe.d/iwlwifi.conf ; then - echo "blacklist iwlwifi" >> /etc/modprobe.d/iwlwifi.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20iwlwifi%20/bin/true%0Ablacklist%20iwlwifi%0A + mode: 0644 + path: /etc/modprobe.d/iwlwifi.conf + overwrite: true - name: Ensure kernel module 'iwlwifi' is disabled lineinfile: 
@@ -198407,20 +198403,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20iwlwifi%20/bin/true%0Ablacklist%20iwlwifi%0A - mode: 0644 - path: /etc/modprobe.d/iwlwifi.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install iwlwifi" /etc/modprobe.d/iwlwifi.conf ; then + + sed -i 's#^install iwlwifi.*#install iwlwifi /bin/true#g' /etc/modprobe.d/iwlwifi.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/iwlwifi.conf + echo "install iwlwifi /bin/true" >> /etc/modprobe.d/iwlwifi.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist iwlwifi$" /etc/modprobe.d/iwlwifi.conf ; then + echo "blacklist iwlwifi" >> /etc/modprobe.d/iwlwifi.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -198450,24 +198450,20 @@ add the following line to file /etc/modprobe.d/mac80211.conf - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install mac80211" /etc/modprobe.d/mac80211.conf ; then - - sed -i 's#^install mac80211.*#install mac80211 /bin/true#g' /etc/modprobe.d/mac80211.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/mac80211.conf - echo "install mac80211 /bin/true" >> /etc/modprobe.d/mac80211.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist mac80211$" /etc/modprobe.d/mac80211.conf ; then - echo "blacklist mac80211" >> /etc/modprobe.d/mac80211.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20mac80211%20/bin/true%0Ablacklist%20mac80211%0A + mode: 0644 + path: /etc/modprobe.d/mac80211.conf + overwrite: true - name: Ensure kernel module 'mac80211' is disabled lineinfile: 
@@ -198513,20 +198509,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20mac80211%20/bin/true%0Ablacklist%20mac80211%0A - mode: 0644 - path: /etc/modprobe.d/mac80211.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install mac80211" /etc/modprobe.d/mac80211.conf ; then + + sed -i 's#^install mac80211.*#install mac80211 /bin/true#g' /etc/modprobe.d/mac80211.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/mac80211.conf + echo "install mac80211 /bin/true" >> /etc/modprobe.d/mac80211.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist mac80211$" /etc/modprobe.d/mac80211.conf ; then + echo "blacklist mac80211" >> /etc/modprobe.d/mac80211.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -198768,13 +198768,6 @@ serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. CCE-83501-7 - -if ! rpm -q --quiet "NetworkManager" ; then - yum install -y "NetworkManager" -fi - -nmcli radio all off - - name: Gather the package facts package_facts: manager: auto @@ -198846,6 +198839,13 @@ nmcli radio all off - no_reboot_needed - unknown_strategy - wireless_disable_interfaces + + +if ! rpm -q --quiet "NetworkManager" ; then + yum install -y "NetworkManager" +fi + +nmcli radio all off 
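Review bot: the `wireless_disable_interfaces` hunks move `yum install -y "NetworkManager"` and `nmcli radio all off` below the Ansible tags without changing them, but two things in that body deserve attention while it is being touched: installing NetworkManager on a host that lacks it is a heavy side effect for a remediation whose only goal is to switch radios off, and `nmcli radio all off` also disables WWAN, which is broader than the `wireless_disable_interfaces` identifier suggests. Consider `nmcli radio wifi off`, and when NetworkManager is absent either skip with the existing `>&2 echo 'Remediation is not applicable ...'` pattern used by the other rules or only warn, rather than pulling in the package.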
@@ -198944,16 +198944,6 @@ Following this, the files should be deleted or assigned to root user. CCE-83375-6 - -# At least under containerized env /proc can have files w/o possilibity to -# modify even as root. And touching /proc is not good idea anyways. -find / -path /proc -prune -o \ - -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \ - -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \ - -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \ - -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \ - -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \; - - name: Ensure All World-Writable Directories Are Owned by root User - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: @@ -199123,6 +199113,16 @@ find / -path /proc -prune -o \ - medium_severity - no_reboot_needed - restrict_strategy + + +# At least under containerized env /proc can have files w/o possilibity to +# modify even as root. And touching /proc is not good idea anyways. +find / -path /proc -prune -o \ + -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \ + -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \ + -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \ + -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \ + -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \; 
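Review bot: the comment in the moved `find` block has two typos that are emitted verbatim into every generated remediation script: "w/o possilibity to" should read "without the possibility to", and "is not good idea anyways" should read "is not a good idea anyway"; fix them once in the shared template. The `-path /proc -prune -o ... -type d -perm -0002 -uid +0 -exec chown root {} \;` logic itself is correct, and the hunk is otherwise a pure reorder of the bash fix relative to the Ansible fix.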
@@ -199214,11 +199214,6 @@ repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access. CCE-80783-4 - df --local -P | awk '{if (NR!=1) print $6}' \ -| xargs -I '$6' find '$6' -xdev -type d \ -\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ --exec chmod a+t {} + - - name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: @@ -199415,6 +199410,11 @@ for directories requiring global read/write access. - medium_severity - no_reboot_needed - restrict_strategy + + df --local -P | awk '{if (NR!=1) print $6}' \ +| xargs -I '$6' find '$6' -xdev -type d \ +\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ +-exec chmod a+t {} + @@ -199569,13 +199569,6 @@ the audit log. Misconfigured audits may also make it more difficult to establish correlate, and investigate the events relating to an incident or identify those responsible for one. CCE-85871-2 - - - - - -chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf - - name: Test for existence /etc/audit/auditd.conf stat: path: /etc/audit/auditd.conf @@ -199606,6 +199599,13 @@ chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf @@ -199631,13 +199631,6 @@ the audit log. Misconfigured audits may also make it more difficult to establish correlate, and investigate the events relating to an incident or identify those responsible for one. CCE-85875-3 - - - - - -find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; - - name: Find /etc/audit/rules.d/ file(s) command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*rules$" 
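Review bot: in the sticky-bit remediation, `df --local -P | awk '{if (NR!=1) print $6}'` breaks on any mount point whose path contains a space, because awk splits on whitespace and only field 6 is passed on; `df --local --output=target | tail -n +2` yields one complete mount point per line (GNU df does not allow `-P` together with `--output`, so drop `-P`) and keeps the rest of the pipeline, `xargs -I '$6' find '$6' -xdev ...`, unchanged. The `chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf` and `/etc/audit/rules.d/` hunks that follow are reorders only.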
@@ -199673,6 +199666,13 @@ find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \; 
@@ -200228,65 +200228,20 @@ based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). CCE-81027-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "fs.protected_hardlinks" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for fs.protected_hardlinks -# -/sbin/sysctl -q -n -w fs.protected_hardlinks="1" - -# -# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1" -# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-81027-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,fs.protected_hardlinks%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -200350,70 +200305,18 @@ fi - reboot_required - sysctl_fs_protected_hardlinks - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,fs.protected_hardlinks%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf - overwrite: true - - - - - - - - - - Enable Kernel Parameter to Enforce DAC on Symlinks - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 - BP28(R23) - CCI-002165 - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-6(a) - AC-6(1) - SRG-OS-000312-GPOS-00122 - SRG-OS-000312-GPOS-00123 - SRG-OS-000324-GPOS-00125 - RHEL-08-010373 - SV-230267r858751_rule - By enabling this kernel parameter, symbolic links are permitted to be followed -only when outside a sticky world-writable directory, or when the UID of the -link and follower match, or when the directory owner matches the symlink's owner. -Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system -accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of -open() or creat(). - - CCE-81030-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files +# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "fs.protected_symlinks" matches to preserve user data + # comment out "fs.protected_hardlinks" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi @@ -200427,18 +200330,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for fs.protected_symlinks +# Set runtime for fs.protected_hardlinks # -/sbin/sysctl -q -n -w fs.protected_symlinks="1" +/sbin/sysctl -q -n -w fs.protected_hardlinks="1" # -# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1" -# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf +# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1" +# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -200446,14 +200349,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-81030-9" + cce="CCE-81027-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
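Review bot: these hunks are misleading to read: the `fs.protected_symlinks` to `fs.protected_hardlinks` line-level changes, and `cce="CCE-81030-9"` to `cce="CCE-81027-5"`, are not edits to either rule; git matched the symlinks rule's bash body against the hardlinks rule's bash body because the two remediations are near-identical templates that were merely reordered relative to their MachineConfig siblings. Regenerating the diff with `git diff --diff-algorithm=patience` (or `histogram`) would show the real moves, and a stable emission order in the generator would remove them entirely.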
@@ -200461,6 +200364,58 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 + BP28(R23) + CCI-002165 + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-6(a) + AC-6(1) + SRG-OS-000312-GPOS-00122 + SRG-OS-000312-GPOS-00123 + SRG-OS-000324-GPOS-00125 + RHEL-08-010373 + SV-230267r858751_rule + By enabling this kernel parameter, symbolic links are permitted to be followed +only when outside a sticky world-writable directory, or when the UID of the +link and follower match, or when the directory owner matches the symlink's owner. +Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system +accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of +open() or creat(). + + CCE-81030-9 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,fs.protected_symlinks%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -200524,20 +200479,65 @@ fi - reboot_required - sysctl_fs_protected_symlinks - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,fs.protected_symlinks%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "fs.protected_symlinks" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for fs.protected_symlinks +# +/sbin/sysctl -q -n -w fs.protected_symlinks="1" + +# +# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1" +# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-81030-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -200567,8 +200567,6 @@ passwords, and should never be enabled. it contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-83475-4 - chgrp 0 /etc/group- - - name: Test for existence /etc/group- stat: path: /etc/group- @@ -200601,6 +200599,8 @@ Protection of this file is important for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/group- @@ -200621,8 +200621,6 @@ Protection of this file is important for system security. The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security. CCE-83535-5 - chgrp 0 /etc/gshadow- - - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -200655,6 +200653,8 @@ it contains group password hashes. Protection of this file is critical for syste - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/gshadow- 
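Review bot: in the sysctl bash remediation added at the end of the `sysctl_fs_protected_symlinks` rule, `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do` runs without `nullglob`, so whenever a directory has no matching file (common for `/usr/local/lib/sysctl.d/`) the literal pattern is handed to `grep -P ... $f`, which prints a "No such file or directory" error on every run; adding `[ -f "$f" ] || continue` as the first statement of the loop, and quoting `$f` in the `grep` and `sed -i` calls, fixes both the spurious error and the word-splitting hazard. The same template feeds the `fs.protected_hardlinks` rule above, so one fix covers both. The `chgrp 0 /etc/group-` and `chgrp 0 /etc/gshadow-` hunks in this region are reorders only.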
@@ -200676,8 +200676,6 @@ it contains group password hashes. Protection of this file is critical for syste it contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-83324-4 - chgrp 0 /etc/passwd- - - name: Test for existence /etc/passwd- stat: path: /etc/passwd- @@ -200710,6 +200708,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/passwd- @@ -200729,8 +200729,6 @@ Protection of this file is critical for system security. it contains the list of local system accounts and password hashes. Protection of this file is critical for system security. CCE-83415-0 - chgrp 0 /etc/shadow- - - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -200761,6 +200759,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/shadow- @@ -200831,8 +200831,6 @@ Protection of this file is critical for system security. The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-80796-6 - chgrp 0 /etc/group - - name: Test for existence /etc/group stat: path: /etc/group @@ -200869,6 +200867,8 @@ on the system. Protection of this file is important for system security. + chgrp 0 /etc/group @@ -200936,8 +200936,6 @@ on the system. Protection of this file is important for system security.The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. CCE-80797-4 - chgrp 0 /etc/gshadow - - name: Test for existence /etc/gshadow stat: path: /etc/gshadow @@ -200968,6 +200966,8 @@ is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/gshadow 
@@ -201038,8 +201038,6 @@ is critical for system security. The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-80798-2 - chgrp 0 /etc/passwd - - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -201076,6 +201074,8 @@ the system. Protection of this file is critical for system security. + chgrp 0 /etc/passwd @@ -201146,8 +201146,6 @@ the system. Protection of this file is critical for system security.The /etc/shadow file stores password hashes. Protection of this file is critical for system security. CCE-80799-0 - chgrp 0 /etc/shadow - - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -201184,6 +201182,8 @@ critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /etc/shadow @@ -201205,8 +201205,6 @@ critical for system security. it contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-83473-9 - chown 0 /etc/group- - - name: Test for existence /etc/group- stat: path: /etc/group- @@ -201239,6 +201237,8 @@ Protection of this file is important for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/group- @@ -201259,8 +201259,6 @@ Protection of this file is important for system security. The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security. CCE-83533-0 - chown 0 /etc/gshadow- - - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -201293,6 +201291,8 @@ it contains group password hashes. Protection of this file is critical for syste - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/gshadow- 
@@ -201314,8 +201314,6 @@ it contains group password hashes. Protection of this file is critical for syste it contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-83326-9 - chown 0 /etc/passwd- - - name: Test for existence /etc/passwd- stat: path: /etc/passwd- @@ -201348,6 +201346,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/passwd- @@ -201369,8 +201369,6 @@ Protection of this file is critical for system security. it contains the list of local system accounts and password hashes. Protection of this file is critical for system security. CCE-83413-5 - chown 0 /etc/shadow- - - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -201403,6 +201401,8 @@ Protection of this file is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/shadow- @@ -201474,8 +201474,6 @@ Protection of this file is critical for system security. The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-80801-4 - chown 0 /etc/group - - name: Test for existence /etc/group stat: path: /etc/group @@ -201512,6 +201510,8 @@ on the system. Protection of this file is important for system security. + chown 0 /etc/group @@ -201581,8 +201581,6 @@ on the system. Protection of this file is important for system security.The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. CCE-80802-2 - chown 0 /etc/gshadow - - name: Test for existence /etc/gshadow stat: path: /etc/gshadow @@ -201613,6 +201611,8 @@ is critical for system security. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/gshadow 
@@ -201684,8 +201684,6 @@ is critical for system security. The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-80803-0 - chown 0 /etc/passwd - - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -201722,6 +201720,8 @@ the system. Protection of this file is critical for system security. + chown 0 /etc/passwd @@ -201797,8 +201797,6 @@ critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. CCE-80804-8 - chown 0 /etc/shadow - - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -201835,6 +201833,8 @@ which could weaken the system security posture. - low_disruption - medium_severity - no_reboot_needed + + chown 0 /etc/shadow @@ -201858,13 +201858,6 @@ To properly set the permissions of /etc/group-, run the c it contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-83483-8 - - - - - -chmod u-xs,g-xws,o-xwt /etc/group- - - name: Test for existence /etc/group- stat: path: /etc/group- @@ -201897,6 +201890,13 @@ chmod u-xs,g-xws,o-xwt /etc/group- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/group- @@ -201917,13 +201917,6 @@ To properly set the permissions of /etc/gshadow-, run the The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security. CCE-83573-6 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow- - - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -201952,6 +201945,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow- 
@@ -201975,13 +201975,6 @@ To properly set the permissions of /etc/passwd-, run the it contains information about the users that are configured on the system. Protection of this file is critical for system security. CCE-83332-7 - - - - - -chmod u-xs,g-xws,o-xwt /etc/passwd- - - name: Test for existence /etc/passwd- stat: path: /etc/passwd- @@ -202014,6 +202007,13 @@ chmod u-xs,g-xws,o-xwt /etc/passwd- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/passwd- @@ -202037,13 +202037,6 @@ To properly set the permissions of /etc/shadow-, run the it contains the list of local system accounts and password hashes. Protection of this file is critical for system security. CCE-83417-6 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow- - - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -202076,6 +202069,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow- - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow- @@ -202150,13 +202150,6 @@ To properly set the permissions of /etc/passwd, run the c The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. CCE-80810-5 - - - - - -chmod u-xs,g-xws,o-xwt /etc/group - - name: Test for existence /etc/group stat: path: /etc/group @@ -202193,6 +202186,13 @@ chmod u-xs,g-xws,o-xwt /etc/group - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/group @@ -202264,13 +202264,6 @@ To properly set the permissions of /etc/gshadow, run the The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. CCE-80811-3 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow - - name: Test for existence /etc/gshadow stat: path: /etc/gshadow 
@@ -202301,6 +202294,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow @@ -202377,13 +202377,6 @@ world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. CCE-80812-1 - - - - - -chmod u-xs,g-xws,o-xwt /etc/passwd - - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -202420,6 +202413,13 @@ chmod u-xs,g-xws,o-xwt /etc/passwd - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwt /etc/passwd @@ -202497,13 +202497,6 @@ critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. CCE-80813-9 - - - - - -chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow - - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -202540,6 +202533,13 @@ chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xwrs,g-xwrs,o-xwrt /etc/shadow @@ -202566,8 +202566,6 @@ personnel. messages in the system and should only be accessed by authorized personnel. CCE-83659-3 - find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \; - - name: Ensure group owner on /var/log/ file: path: /var/log/ @@ -202582,6 +202580,8 @@ personnel. - low_disruption - medium_severity - no_reboot_needed + + find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \; @@ -202600,8 +202600,6 @@ personnel. The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. CCE-83660-1 - chgrp 0 /var/log/messages - - name: Test for existence /var/log/messages stat: path: /var/log/messages @@ -202630,6 +202628,8 @@ the system and should only be accessed by authorized personnel. + chgrp 0 /var/log/messages 
@@ -202645,8 +202645,6 @@ the system and should only be accessed by authorized personnel.SRG-OS-000206-GPOS-00084 The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. - chgrp 4 /var/log/syslog - - name: Test for existence /var/log/syslog stat: path: /var/log/syslog @@ -202671,6 +202669,8 @@ the system and should only be accessed by authorized personnel. + chgrp 4 /var/log/syslog @@ -202691,8 +202691,6 @@ the system and should only be accessed by authorized personnel. CCE-83661-9 - find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \; - - name: Ensure owner on directory /var/log/ file: path: /var/log/ @@ -202707,6 +202705,8 @@ personnel. - low_disruption - medium_severity - no_reboot_needed + + find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \; @@ -202725,8 +202725,6 @@ personnel. The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. CCE-83662-7 - chown 0 /var/log/messages - - name: Test for existence /var/log/messages stat: path: /var/log/messages @@ -202755,6 +202753,8 @@ the system and should only be accessed by authorized personnel. + chown 0 /var/log/messages @@ -202770,8 +202770,6 @@ the system and should only be accessed by authorized personnel.SRG-OS-000206-GPOS-00084 The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. - chown 104 /var/log/syslog - - name: Test for existence /var/log/syslog stat: path: /var/log/syslog @@ -202796,6 +202794,8 @@ the system and should only be accessed by authorized personnel. + chown 104 /var/log/syslog 
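Review bot: `chgrp 4 /var/log/syslog` and `chown 104 /var/log/syslog` hard-code numeric IDs taken from Debian-family defaults (GID 4 is `adm`; UID 104 is typically the dynamically allocated `syslog` user on Ubuntu and has no fixed meaning on RHEL), and no CCE accompanies these two rules, which suggests they do not belong in the RHEL 8 datastream at all: RHEL 8 logs to `/var/log/messages`, and handing a file to a numeric UID that is not guaranteed to exist can give it to an unrelated account. If the rules stay, use symbolic names (`chown syslog`, `chgrp adm`) guarded by a `getent passwd syslog` check, or drop them from the profile.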
@@ -202818,13 +202818,6 @@ To properly set the permissions of /var/log, run the comm messages in the system and should only be accessed by authorized personnel. CCE-83663-5 - - - - - -find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - - name: Find /var/log/ file(s) command: 'find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d ' register: files_found @@ -202857,6 +202850,13 @@ find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws, - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; @@ -202877,13 +202877,6 @@ To properly set the permissions of /var/log/messages, run The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. CCE-83665-0 - - - - - -chmod u-xs,g-xws,o-xwrt /var/log/messages - - name: Test for existence /var/log/messages stat: path: /var/log/messages @@ -202912,6 +202905,13 @@ chmod u-xs,g-xws,o-xwrt /var/log/messages - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwrt /var/log/messages @@ -202929,13 +202929,6 @@ To properly set the permissions of /var/log/syslog, run t SRG-OS-000206-GPOS-00084 The /var/log/syslog file contains logs of error messages in the system and should only be accessed by authorized personnel. - - - - - -chmod u-xs,g-xws,o-xwrt /var/log/syslog - - name: Test for existence /var/log/syslog stat: path: /var/log/syslog @@ -202960,6 +202953,13 @@ chmod u-xs,g-xws,o-xwrt /var/log/syslog - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-xs,g-xws,o-xwrt /var/log/syslog 
@@ -203003,11 +203003,6 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. CCE-85894-4 - find -H /lib/ -type d -exec chgrp 0 {} \; -find -H /lib64/ -type d -exec chgrp 0 {} \; -find -H /usr/lib/ -type d -exec chgrp 0 {} \; -find -H /usr/lib64/ -type d -exec chgrp 0 {} \; - - name: Ensure group owner on /lib/ recursively file: path: /lib/ @@ -203079,6 +203074,11 @@ find -H /usr/lib64/ -type d -exec chgrp 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + find -H /lib/ -type d -exec chgrp 0 {} \; +find -H /lib64/ -type d -exec chgrp 0 {} \; +find -H /usr/lib/ -type d -exec chgrp 0 {} \; +find -H /usr/lib64/ -type d -exec chgrp 0 {} \; @@ -203105,13 +203105,6 @@ following command: System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. - find -H /bin/ -type d -exec chown 0 {} \; -find -H /sbin/ -type d -exec chown 0 {} \; -find -H /usr/bin/ -type d -exec chown 0 {} \; -find -H /usr/sbin/ -type d -exec chown 0 {} \; -find -H /usr/local/bin/ -type d -exec chown 0 {} \; -find -H /usr/local/sbin/ -type d -exec chown 0 {} \; - - name: Ensure owner on directory /bin/ recursively file: path: /bin/ @@ -203195,6 +203188,13 @@ find -H /usr/local/sbin/ -type d -exec chown 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + find -H /bin/ -type d -exec chown 0 {} \; +find -H /sbin/ -type d -exec chown 0 {} \; +find -H /usr/bin/ -type d -exec chown 0 {} \; +find -H /usr/sbin/ -type d -exec chown 0 {} \; +find -H /usr/local/bin/ -type d -exec chown 0 {} \; +find -H /usr/local/sbin/ -type d -exec chown 0 {} \; 
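Review bot: `find -H /lib/ -type d -exec chgrp 0 {} \;` together with `find -H /usr/lib/ ...` (and likewise `/lib64` with `/usr/lib64`, and in the second block `/bin`/`/sbin` with `/usr/bin`/`/usr/sbin`) walks the same tree twice on a merged-/usr layout where /lib, /lib64, /bin and /sbin are symlinks into /usr, because `-H` dereferences the starting point. Correctness is unaffected, but the traversal is doubled on every run; the loop could skip a starting point whose `readlink -f` result was already covered, or start from the /usr paths when the top-level entry is a symlink.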
@@ -203230,11 +203230,6 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. CCE-89021-0 - find -H /lib/ -type d -exec chown 0 {} \; -find -H /lib64/ -type d -exec chown 0 {} \; -find -H /usr/lib/ -type d -exec chown 0 {} \; -find -H /usr/lib64/ -type d -exec chown 0 {} \; - - name: Ensure owner on directory /lib/ recursively file: path: /lib/ @@ -203306,6 +203301,11 @@ find -H /usr/lib64/ -type d -exec chown 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + find -H /lib/ -type d -exec chown 0 {} \; +find -H /lib64/ -type d -exec chown 0 {} \; +find -H /usr/lib/ -type d -exec chown 0 {} \; +find -H /usr/lib64/ -type d -exec chown 0 {} \; @@ -203333,23 +203333,6 @@ following command: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. - - - - - -find -H /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - -find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; - - name: Find /bin/ file(s) recursively command: 'find -H /bin/ -perm /u+s,g+ws,o+wt -type d ' register: files_found 
@@ -203523,6 +203506,23 @@ find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; + +find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \; @@ -203565,19 +203565,6 @@ privileged programs which execute with escalated privileges. Only qualified and individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. CCE-88692-9 - - - - - -find -H /lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - -find -H /lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - -find -H /usr/lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - -find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - - name: Find /lib/ file(s) recursively command: 'find -H /lib/ -perm /g+w,o+w -type d ' register: files_found @@ -203733,6 +203720,19 @@ find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; + +find -H /lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; + +find -H /usr/lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; + +find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; 
@@ -203774,14 +203774,6 @@ will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. CCE-86455-3 - chgrp 0 /sbin/auditctl -chgrp 0 /sbin/aureport -chgrp 0 /sbin/ausearch -chgrp 0 /sbin/autrace -chgrp 0 /sbin/auditd -chgrp 0 /sbin/audispd -chgrp 0 /sbin/augenrules - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -203970,6 +203962,14 @@ chgrp 0 /sbin/augenrules - low_disruption - medium_severity - no_reboot_needed + + chgrp 0 /sbin/auditctl +chgrp 0 /sbin/aureport +chgrp 0 /sbin/ausearch +chgrp 0 /sbin/autrace +chgrp 0 /sbin/auditd +chgrp 0 /sbin/audispd +chgrp 0 /sbin/augenrules @@ -204011,12 +204011,6 @@ escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. CCE-86519-6 - -for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -do - find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \; -done - - name: Retrieve the system command files and set their group ownership to root command: find -L {{ item }} ! -group root -type f -exec chgrp root '{}' \; with_items: @@ -204040,6 +204034,12 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + +for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin +do + find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \; +done 
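Review bot: the seven `chgrp 0 /sbin/...` calls have no existence check, unlike the Ansible tasks that `stat` each path first (`- name: Test for existence /sbin/auditctl`); `/sbin/audispd` in particular is absent on systems whose audit package no longer ships a separate dispatcher binary, so the bash fix prints an error and returns non-zero for that entry. Iterate over the list and test with `[ -e "$f" ]` before calling `chgrp`. In the second block, `find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \;` follows symlinks (`-L`), so a link under one of the listed directories that points outside them has its target's group changed; if only files physically inside those trees are in scope, use `-H` (or `-P`) and treat links separately.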
@@ -204081,14 +204081,6 @@ will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. CCE-86453-8 - chown 0 /sbin/auditctl -chown 0 /sbin/aureport -chown 0 /sbin/ausearch -chown 0 /sbin/autrace -chown 0 /sbin/auditd -chown 0 /sbin/audispd -chown 0 /sbin/augenrules - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -204277,6 +204269,14 @@ chown 0 /sbin/augenrules - low_disruption - medium_severity - no_reboot_needed + + chown 0 /sbin/auditctl +chown 0 /sbin/aureport +chown 0 /sbin/ausearch +chown 0 /sbin/autrace +chown 0 /sbin/auditd +chown 0 /sbin/audispd +chown 0 /sbin/augenrules @@ -204361,15 +204361,6 @@ following command: and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. CCE-80806-3 - find /bin/ \ -/usr/bin/ \ -/usr/local/bin/ \ -/sbin/ \ -/usr/sbin/ \ -/usr/local/sbin/ \ -/usr/libexec \ -\! -user root -execdir chown root {} \; - - name: Read list of system executables without root ownership command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \! -user root @@ -204410,6 +204401,15 @@ execution of these programs cannot be co-opted. - medium_severity - no_reboot_needed - restrict_strategy + + find /bin/ \ +/usr/bin/ \ +/usr/local/bin/ \ +/sbin/ \ +/usr/sbin/ \ +/usr/local/sbin/ \ +/usr/libexec \ +\! -user root -execdir chown root {} \; 
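Review bot: `find /bin/ ... /usr/libexec \! -user root -execdir chown root {} \;` has no `-type f`, so it also rewrites ownership of directories and of symlinks in those trees (and `chown` without `-h` changes a link's target rather than the link itself), whereas the sibling group-ownership fix for the same directories restricts itself to `-type f`. Add `-type f` to match the task's stated intent (`Read list of system executables without root ownership`), or `-h` if links are meant to be covered, and keep the bash and Ansible `find` expressions identical. The `chown 0 /sbin/...` audit-tool block repeats the unguarded-path problem already noted for the `chgrp` variant.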
@@ -204495,15 +204495,6 @@ ownership with the following command: space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. CCE-80807-1 - -find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - -find /lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - -find /usr/lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - -find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - - name: Find /lib/ file(s) matching ^.*$ recursively command: find -H /lib/ -type f ! -uid 0 -regex "^.*$" register: files_found @@ -204667,6 +204658,15 @@ find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; - low_disruption - medium_severity - no_reboot_needed + + +find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; + +find /lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; + +find /usr/lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; + +find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; @@ -204708,25 +204708,6 @@ will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. CCE-86447-0 - - - - - -chmod u-s,g-ws,o-wt /sbin/auditctl - -chmod u-s,g-ws,o-wt /sbin/aureport - -chmod u-s,g-ws,o-wt /sbin/ausearch - -chmod u-s,g-ws,o-wt /sbin/autrace - -chmod u-s,g-ws,o-wt /sbin/auditd - -chmod u-s,g-ws,o-wt /sbin/audispd - -chmod u-s,g-ws,o-wt /sbin/augenrules - - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl 
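Review bot: `-regex '^.*$'` in `find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;` matches every path and can be dropped; it reads like an unfilled template parameter rather than a deliberate filter. The bash form also starts from `/lib/` without `-H` while the Ansible task uses `find -H /lib/`; the two only agree because the trailing slash forces the symlink to be resolved, so carrying `-H` in both makes that explicit. The `chmod u-s,g-ws,o-wt /sbin/...` block has the same missing existence guard as the audit-tool ownership fixes.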
@@ -204915,6 +204896,25 @@ chmod u-s,g-ws,o-wt /sbin/augenrules - low_disruption - medium_severity - no_reboot_needed + + + + + + +chmod u-s,g-ws,o-wt /sbin/auditctl + +chmod u-s,g-ws,o-wt /sbin/aureport + +chmod u-s,g-ws,o-wt /sbin/ausearch + +chmod u-s,g-ws,o-wt /sbin/autrace + +chmod u-s,g-ws,o-wt /sbin/auditd + +chmod u-s,g-ws,o-wt /sbin/audispd + +chmod u-s,g-ws,o-wt /sbin/augenrules @@ -204999,11 +204999,6 @@ following command: and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. CCE-80809-7 - DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" -for dirPath in $DIRS; do - find "$dirPath" -perm /022 -exec chmod go-w '{}' \; -done - - name: Read list of world and group writable system executables ansible.builtin.command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f @@ -205045,6 +205040,11 @@ done - medium_severity - no_reboot_needed - restrict_strategy + + DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" +for dirPath in $DIRS; do + find "$dirPath" -perm /022 -exec chmod go-w '{}' \; +done @@ -205130,19 +205130,6 @@ its permission with the following command: space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. CCE-80815-4 - - - - - -find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - -find -H /lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - -find -H /usr/lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - -find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; - - name: Find /lib/ file(s) recursively command: find -H /lib/ -perm /g+w,o+w -type f -regex "^.*$" register: files_found 
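Review bot: for CCE-80809-7 the bash fix `find "$dirPath" -perm /022 -exec chmod go-w '{}' \;` has no `-type f`, whereas the Ansible task for the same rule runs `find ... -perm /022 -type f`, so the two remediations do not have the same scope: bash also strips group/other write from directories and, because `chmod` dereferences symlinks, from whatever a link in those trees points at. Either add `-type f` to the bash loop or remove it from the playbook so that scan and fix agree on what is in scope.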
@@ -205306,6 +205293,19 @@ find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w { - low_disruption - medium_severity - no_reboot_needed + + + + + + +find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; + +find -H /lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; + +find -H /usr/lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; + +find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \; @@ -205344,15 +205344,6 @@ also include privileged programs which execute with escalated privileges. Only q and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. CCE-86523-8 - -find /lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - -find /lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - -find /usr/lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - -find /usr/lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - - name: Find /lib/ file(s) matching ^.*$ recursively command: find -H /lib/ -type f ! -group 0 -regex "^.*$" register: files_found @@ -205500,6 +205491,15 @@ find /usr/lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; - medium_severity - no_reboot_needed - root_permissions_syslibrary_files + + +find /lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; + +find /lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; + +find /usr/lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; + +find /usr/lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; 
@@ -205629,26 +205629,17 @@ unknown devices, thereby facilitating malicious activity. [customizations.services] disabled = ["autofs"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'autofs.service' -"$SYSTEMCTL_EXEC" disable 'autofs.service' -"$SYSTEMCTL_EXEC" mask 'autofs.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then - "$SYSTEMCTL_EXEC" stop 'autofs.socket' - "$SYSTEMCTL_EXEC" mask 'autofs.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - enabled: false + name: autofs.service include disable_autofs 
@@ -205738,17 +205729,26 @@ class disable_autofs { - no_reboot_needed - service_autofs_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - enabled: false - name: autofs.service + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'autofs.service' +"$SYSTEMCTL_EXEC" disable 'autofs.service' +"$SYSTEMCTL_EXEC" mask 'autofs.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then + "$SYSTEMCTL_EXEC" stop 'autofs.socket' + "$SYSTEMCTL_EXEC" mask 'autofs.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
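Review bot: the MachineConfig variant only sets `enabled: false` for `autofs.service`, while the bash variant stops, disables and masks the service and additionally masks `autofs.socket` when a unit file exists; a unit that is merely disabled can still be started by hand or through socket activation. Ignition unit entries accept `mask: true`, so the MachineConfig could be brought to parity with the bash fix and list the socket unit as well.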
@@ -205966,24 +205966,20 @@ decompress the image. of the server. CCE-81031-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then - - sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf - echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then - echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20cramfs%20/bin/true%0Ablacklist%20cramfs%0A + mode: 0644 + path: /etc/modprobe.d/cramfs.conf + overwrite: true - name: Ensure kernel module 'cramfs' is disabled lineinfile: 
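Review bot: `install cramfs /bin/true` makes `modprobe cramfs` exit 0 without loading anything, so a caller or an operator checking the exit status cannot tell that the load was blocked; `/bin/false` blocks equally and surfaces the refusal, and with `reboot_required` already set nothing at runtime depends on the silent success. If `/bin/true` is kept on purpose, the rule text should say why. The same `install <module> /bin/true` pattern is repeated for every module in the following hunks, so the point applies to all of them. Separately, the bash path appends to /etc/modprobe.d/cramfs.conf while the MachineConfig writes it with `overwrite: true`; the resulting directives are the same, but only the bash form preserves other options an administrator may already keep in that file.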
@@ -206027,20 +206023,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20cramfs%20/bin/true%0Ablacklist%20cramfs%0A - mode: 0644 - path: /etc/modprobe.d/cramfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then + + sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf + echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then + echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206132,24 +206132,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then - - sed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf - echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist freevxfs$" /etc/modprobe.d/freevxfs.conf ; then - echo "blacklist freevxfs" >> /etc/modprobe.d/freevxfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20freevxfs%20/bin/true%0Ablacklist%20freevxfs%0A + mode: 0644 + path: /etc/modprobe.d/freevxfs.conf + overwrite: true - name: Ensure kernel module 'freevxfs' is disabled lineinfile: 
@@ -206189,20 +206185,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20freevxfs%20/bin/true%0Ablacklist%20freevxfs%0A - mode: 0644 - path: /etc/modprobe.d/freevxfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then + + sed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf + echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist freevxfs$" /etc/modprobe.d/freevxfs.conf ; then + echo "blacklist freevxfs" >> /etc/modprobe.d/freevxfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206291,24 +206291,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then - - sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf - echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist hfs$" /etc/modprobe.d/hfs.conf ; then - echo "blacklist hfs" >> /etc/modprobe.d/hfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20hfs%20/bin/true%0Ablacklist%20hfs%0A + mode: 0644 + path: /etc/modprobe.d/hfs.conf + overwrite: true - name: Ensure kernel module 'hfs' is disabled lineinfile: 
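Review bot: `grep -q -m 1 "^install hfs"` and `sed -i 's#^install hfs.*#install hfs /bin/true#g'` are not anchored after the module name, so an existing `install hfsplus ...` line in /etc/modprobe.d/hfs.conf is detected as the hfs directive and rewritten to `install hfs /bin/true`, silently dropping the hfsplus entry. The blacklist check is anchored (`^blacklist hfs$`); give the install pattern the same treatment, e.g. `^install hfs[[:space:]]`. This bites any module whose name is a prefix of another (hfs/hfsplus here), so fixing it in the shared template closes the whole class.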
@@ -206348,20 +206344,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20hfs%20/bin/true%0Ablacklist%20hfs%0A - mode: 0644 - path: /etc/modprobe.d/hfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then + + sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf + echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist hfs$" /etc/modprobe.d/hfs.conf ; then + echo "blacklist hfs" >> /etc/modprobe.d/hfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206450,24 +206450,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then - - sed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf - echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist hfsplus$" /etc/modprobe.d/hfsplus.conf ; then - echo "blacklist hfsplus" >> /etc/modprobe.d/hfsplus.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20hfsplus%20/bin/true%0Ablacklist%20hfsplus%0A + mode: 0644 + path: /etc/modprobe.d/hfsplus.conf + overwrite: true - name: Ensure kernel module 'hfsplus' is disabled lineinfile: 
@@ -206507,20 +206503,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20hfsplus%20/bin/true%0Ablacklist%20hfsplus%0A - mode: 0644 - path: /etc/modprobe.d/hfsplus.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then + + sed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf + echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist hfsplus$" /etc/modprobe.d/hfsplus.conf ; then + echo "blacklist hfsplus" >> /etc/modprobe.d/hfsplus.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206609,24 +206609,20 @@ This effectively prevents usage of this uncommon filesystem.Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then - - sed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf - echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist jffs2$" /etc/modprobe.d/jffs2.conf ; then - echo "blacklist jffs2" >> /etc/modprobe.d/jffs2.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20jffs2%20/bin/true%0Ablacklist%20jffs2%0A + mode: 0644 + path: /etc/modprobe.d/jffs2.conf + overwrite: true - name: Ensure kernel module 'jffs2' is disabled lineinfile: 
@@ -206666,20 +206662,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20jffs2%20/bin/true%0Ablacklist%20jffs2%0A - mode: 0644 - path: /etc/modprobe.d/jffs2.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then + + sed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf + echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist jffs2$" /etc/modprobe.d/jffs2.conf ; then + echo "blacklist jffs2" >> /etc/modprobe.d/jffs2.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206775,24 +206775,20 @@ to first decompress the image. surface of the system. CCE-83498-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then - - sed -i 's#^install squashfs.*#install squashfs /bin/true#g' /etc/modprobe.d/squashfs.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf - echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist squashfs$" /etc/modprobe.d/squashfs.conf ; then - echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20squashfs%20/bin/true%0Ablacklist%20squashfs%0A + mode: 0644 + path: /etc/modprobe.d/squashfs.conf + overwrite: true - name: Ensure kernel module 'squashfs' is disabled lineinfile: 
@@ -206834,20 +206830,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20squashfs%20/bin/true%0Ablacklist%20squashfs%0A - mode: 0644 - path: /etc/modprobe.d/squashfs.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then + + sed -i 's#^install squashfs.*#install squashfs /bin/true#g' /etc/modprobe.d/squashfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf + echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist squashfs$" /etc/modprobe.d/squashfs.conf ; then + echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -206944,24 +206944,20 @@ writing DVDs and newer optical disc formats. attack surface of the system. CCE-82729-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then - - sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf - echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist udf$" /etc/modprobe.d/udf.conf ; then - echo "blacklist udf" >> /etc/modprobe.d/udf.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20udf%20/bin/true%0Ablacklist%20udf%0A + mode: 0644 + path: /etc/modprobe.d/udf.conf + overwrite: true - name: Ensure kernel module 'udf' is disabled lineinfile: 
@@ -207003,20 +206999,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20udf%20/bin/true%0Ablacklist%20udf%0A - mode: 0644 - path: /etc/modprobe.d/udf.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then + + sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf + echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist udf$" /etc/modprobe.d/udf.conf ; then + echo "blacklist udf" >> /etc/modprobe.d/udf.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -207123,24 +207123,20 @@ module, but will not prevent an administrator (or another program) from using th malicious software. CCE-80835-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then - - sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf - echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then - echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A + mode: 0644 + path: /etc/modprobe.d/usb-storage.conf + overwrite: true - name: Ensure kernel module 'usb-storage' is disabled lineinfile: 
@@ -207188,20 +207184,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A - mode: 0644 - path: /etc/modprobe.d/usb-storage.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then + + sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf + echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then + echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -207300,24 +207300,20 @@ all of which are supported by the vfat kernel module. CCE-82170-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install vfat" /etc/modprobe.d/vfat.conf ; then - - sed -i 's#^install vfat.*#install vfat /bin/true#g' /etc/modprobe.d/vfat.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/vfat.conf - echo "install vfat /bin/true" >> /etc/modprobe.d/vfat.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist vfat$" /etc/modprobe.d/vfat.conf ; then - echo "blacklist vfat" >> /etc/modprobe.d/vfat.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20vfat%20/bin/true%0Ablacklist%20vfat%0A + mode: 0644 + path: /etc/modprobe.d/vfat.conf + overwrite: true - name: Ensure kernel module 'vfat' is disabled lineinfile: 
@@ -207359,20 +207355,24 @@ fi - medium_disruption - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20vfat%20/bin/true%0Ablacklist%20vfat%0A - mode: 0644 - path: /etc/modprobe.d/vfat.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install vfat" /etc/modprobe.d/vfat.conf ; then + + sed -i 's#^install vfat.*#install vfat /bin/true#g' /etc/modprobe.d/vfat.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/vfat.conf + echo "install vfat /bin/true" >> /etc/modprobe.d/vfat.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist vfat$" /etc/modprobe.d/vfat.conf ; then + echo "blacklist vfat" >> /etc/modprobe.d/vfat.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -207426,54 +207426,6 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from boot partitions. CCE-86038-7 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot/efi")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot/efi' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot/efi in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot/efi)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /boot/efi defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/boot/efi"; then - if mountpoint -q "/boot/efi"; then - mount -o remount --target "/boot/efi" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint' command: findmnt --fstab '/boot/efi' register: device_name 
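Review bot: In the /boot/efi nosuid script removed by this hunk, the `if ! grep -q "$mount_point_match_regexp" /etc/fstab` branch is unreachable: the `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }` guard a few lines above already returns when the mount point is absent from /etc/fstab. If the branch did run it would append ` /boot/efi defaults,${previous_mount_opts}nosuid 0 0`, a line whose device and filesystem-type columns are empty and which mount cannot use. Suggest either dropping the /etc/mtab fallback from the /boot and /boot/efi variants (the same pattern recurs in every `perform_remediation` for those mount points in this patch) or filling the device and fstype columns from `findmnt` before writing. The block is only relocated here, so the fix belongs in the template that generates it, not in this file.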
@@ -207592,51 +207544,26 @@ fi - mount_option_boot_efi_nosuid - no_reboot_needed - - - - - - - - - Add noauto Option to /boot - The noauto mount option is used to prevent automatic mounting of th -/boot partition. -Add the noauto option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot. - Although contents of the /boot partition should not be needed -during normal system operation, they might need to be accessible during -system maintenance and upgrades. Make sure that applying this rule will -not break upgrade or maintenance processes affecting the system. - BP28(R12) - The /boot partition contains the kernel and the bootloader. Access -to the partition after the boot process finishes should not be needed. Files -contained within this partition can be analysed and gained information can -be used for exploit creation. - - CCE-83345-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then function perform_remediation { - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot/efi")" grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + || { echo "The mount point '/boot/efi' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot/efi in /etc/fstab" >&2; return 1; } - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot/efi)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noauto)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
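Review bot: `mount_point_match_regexp` is assigned twice with the same printf in the relocated nosuid block (once with `"/boot/efi"` quoted, once unquoted, separated only by blank lines); compute it once above the fstab guard and drop the second assignment. Separately, the hunk renders as a line-by-line rewrite of the /boot noauto script into the /boot/efi nosuid script because the two generated scripts differ only in mount point and option; reviewing with `git diff --color-moved` makes it easier to see that these are moved blocks rather than edits.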
@@ -207644,17 +207571,17 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /boot defaults,${previous_mount_opts}noauto 0 0" >> /etc/fstab + echo " /boot/efi defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noauto"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noauto|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi - if mkdir -p "/boot"; then - if mountpoint -q "/boot"; then - mount -o remount --target "/boot" + if mkdir -p "/boot/efi"; then + if mountpoint -q "/boot/efi"; then + mount -o remount --target "/boot/efi" fi fi } 
@@ -207664,6 +207591,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add noauto Option to /boot + The noauto mount option is used to prevent automatic mounting of th +/boot partition. +Add the noauto option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + Although contents of the /boot partition should not be needed +during normal system operation, they might need to be accessible during +system maintenance and upgrades. Make sure that applying this rule will +not break upgrade or maintenance processes affecting the system. + BP28(R12) + The /boot partition contains the kernel and the bootloader. Access +to the partition after the boot process finishes should not be needed. Files +contained within this partition can be analysed and gained information can +be used for exploit creation. + + CCE-83345-9 + +part /boot --mountoptions="noauto" - name: 'Add noauto Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
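Review bot: The re-added noauto rule description has a typo, "automatic mounting of th /boot partition" should read "the /boot partition", and the rationale sentence "Files contained within this partition can be analysed and gained information can be used for exploit creation" is awkward; suggest "information gained from analysing the files in this partition can be used to build exploits". Both strings come from the rule's source, so the fix goes there rather than in this generated datastream; the kickstart fix `part /boot --mountoptions="noauto"` that follows them is fine as written.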
@@ -207761,50 +207716,7 @@ fi - mount_option_boot_noauto - no_reboot_needed - -part /boot --mountoptions="noauto" - - - - - - - - - - Add nodev Option to /boot - The nodev mount option can be used to prevent device files from -being created in /boot. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot. - CIP-003-8 R5.1.1 - CIP-003-8 R5.3 - CIP-004-6 R2.3 - CIP-007-3 R2.1 - CIP-007-3 R2.2 - CIP-007-3 R2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.1.1 - CIP-007-3 R5.1.2 - CM-7(a) - CM-7(b) - CM-6(a) - AC-6 - AC-6(1) - MP-7 - PR.IP-1 - PR.PT-2 - PR.PT-3 - SRG-OS-000368-GPOS-00154 - The only legitimate location for device files is the /dev directory -located on the root partition. The only exception to this is chroot jails. - - CCE-82941-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then function perform_remediation { @@ -207823,7 +207735,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|noauto)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
@@ -207831,11 +207743,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /boot defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + echo " /boot defaults,${previous_mount_opts}noauto 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noauto"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noauto|" /etc/fstab fi @@ -207851,6 +207763,49 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nodev Option to /boot + The nodev mount option can be used to prevent device files from +being created in /boot. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + CIP-003-8 R5.1.1 + CIP-003-8 R5.3 + CIP-004-6 R2.3 + CIP-007-3 R2.1 + CIP-007-3 R2.2 + CIP-007-3 R2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.1.1 + CIP-007-3 R5.1.2 + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + CCE-82941-6 + +part /boot --mountoptions="nodev" - name: 'Add nodev Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
@@ -207978,8 +207933,53 @@ fi - mount_option_boot_nodev - no_reboot_needed - -part /boot --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /boot defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/boot"; then + if mountpoint -q "/boot"; then + mount -o remount --target "/boot" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
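Review bot: The line `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab` in the re-added /boot nodev script interpolates the existing option string into a sed regex unescaped. Mount options are usually plain words, but any option containing `|` (the chosen delimiter), `.`, `*`, `^`, `$` or `\` changes the meaning of the pattern, and when the pattern then fails to match, sed still exits 0, so the script completes successfully while /etc/fstab is unchanged. Suggest escaping `$previous_mount_opts` (for example through `sed 's/[][\.*^$|]/\\&/g'`) before it is used in the pattern, or rewriting the fourth field with awk instead of a regex substitution.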
@@ -208001,53 +208001,8 @@ binaries should be executed from this partition after the booting process finishes. CCE-83316-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /boot defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/boot"; then - if mountpoint -q "/boot"; then - mount -o remount --target "/boot" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /boot --mountoptions="noexec" - name: 'Add noexec Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
@@ -208145,8 +208100,53 @@ fi - mount_option_boot_noexec - no_reboot_needed - -part /boot --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /boot defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/boot"; then + if mountpoint -q "/boot"; then + mount -o remount --target "/boot" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -208191,53 +208191,8 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from boot partitions. CCE-81033-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /boot defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/boot"; then - if mountpoint -q "/boot"; then - mount -o remount --target "/boot" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /boot --mountoptions="nosuid" - name: 'Add nosuid Option to /boot: Check information associated to mountpoint' command: findmnt --fstab '/boot' 
@@ -208370,8 +208325,53 @@ fi - mount_option_boot_nosuid - no_reboot_needed - -part /boot --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /boot defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/boot"; then + if mountpoint -q "/boot"; then + mount -o remount --target "/boot" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -208487,48 +208487,6 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-80837-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="tmpfs" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/dev/shm"; then - if mountpoint -q "/dev/shm"; then - mount -o remount --target "/dev/shm" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name 
@@ -208659,6 +208617,48 @@ fi - medium_severity - mount_option_dev_shm_nodev - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="tmpfs" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/dev/shm"; then + if mountpoint -q "/dev/shm"; then + mount -o remount --target "/dev/shm" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
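Review bot: Unlike the /boot variants, the re-added /dev/shm nodev script has no `return 1` guard, so its `/etc/mtab` branch is live: on a host where /dev/shm is mounted by systemd without an fstab entry it appends `tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0` and the following `mount -o remount --target "/dev/shm"` re-applies the options from that new line, which is the intended flow. Two things worth a look: `grep "$mount_point_match_regexp" /etc/mtab | head -1` silently takes the first match if more than one /dev/shm mount is listed, and the `fs_type="tmpfs"` / `if [ "$fs_type" == "iso9660" ]` comparison is a constant that, per its own comment, exists only to satisfy shellcheck. Templating the iso9660 blocksize fix-up out entirely for non-iso9660 mount points would leave less dead code in every generated script.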
@@ -208775,48 +208775,6 @@ Add the noexec option to the fourth column of such as /dev/shm can expose the system to potential compromise. CCE-80838-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="tmpfs" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/dev/shm"; then - if mountpoint -q "/dev/shm"; then - mount -o remount --target "/dev/shm" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name 
@@ -208948,6 +208906,48 @@ fi - medium_severity - mount_option_dev_shm_noexec - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="tmpfs" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/dev/shm"; then + if mountpoint -q "/dev/shm"; then + mount -o remount --target "/dev/shm" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -209063,48 +209063,6 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from temporary storage partitions. CCE-80839-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="tmpfs" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/dev/shm"; then - if mountpoint -q "/dev/shm"; then - mount -o remount --target "/dev/shm" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name 
@@ -209237,69 +209195,38 @@ fi - mount_option_dev_shm_nosuid - no_reboot_needed - - - - - - - - - Add grpquota Option to /home - The grpquota mount option allows for the filesystem to have disk quotas configured. -Add the grpquota option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - The quota options for XFS file systems can only be activated when mounting the partition. -It is not possible to enable them by remounting an already mounted partition. Therefore, -if the desired options were not defined before mounting the partition, dismount and mount -it again to apply the quota options. - CM-6(b) - 1.1.7.5 - To ensure the availability of disk space on /home, it is important to limit the impact a -single user or group can cause for other users (or the wider system) by intentionally or -accidentally filling up the partition. Quotas can also be applied to inodes for filesystems -where inode exhaustion is a concern. - - CCE-86039-5 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then function perform_remediation { - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! 
grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" + fs_type="tmpfs" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab + echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "grpquota"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi - if mkdir -p "/home"; then - if mountpoint -q "/home"; then - mount -o remount --target "/home" + if mkdir -p "/dev/shm"; then + if mountpoint -q "/dev/shm"; then + mount -o remount --target "/dev/shm" fi fi } 
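Review bot: The grpquota warning removed in this hunk says XFS quota options cannot be enabled by remounting an already mounted partition, yet the removed bash fix for CCE-86039-5 ends with `mount -o remount --target "/home"` and exits successfully even when that remount leaves quotas off; the same script is added back unchanged later in the patch. For the quota rules the script should either skip the remount and print the warning to stderr, or run `findmnt -n -o OPTIONS /home` afterwards and return non-zero when `grpquota` is absent, so the rule is not reported as remediated until the filesystem is actually remounted with the option.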
@@ -209309,6 +209236,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add grpquota Option to /home + The grpquota mount option allows for the filesystem to have disk quotas configured. +Add the grpquota option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + The quota options for XFS file systems can only be activated when mounting the partition. +It is not possible to enable them by remounting an already mounted partition. Therefore, +if the desired options were not defined before mounting the partition, dismount and mount +it again to apply the quota options. + CM-6(b) + 1.1.7.5 + To ensure the availability of disk space on /home, it is important to limit the impact a +single user or group can cause for other users (or the wider system) by intentionally or +accidentally filling up the partition. Quotas can also be applied to inodes for filesystems +where inode exhaustion is a concern. + + CCE-86039-5 + +part /home --mountoptions="grpquota" - name: 'Add grpquota Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
@@ -209416,34 +209371,7 @@ fi - mount_option_home_grpquota - no_reboot_needed - -part /home --mountoptions="grpquota" - - - - - - - - - - Add nodev Option to /home - The nodev mount option can be used to prevent device files from -being created in /home. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - BP28(R12) - SRG-OS-000368-GPOS-00154 - 1.1.7.2 - The only legitimate location for device files is the /dev directory -located on the root partition. The only exception to this is chroot jails. - - CCE-81048-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then function perform_remediation { @@ -209462,7 +209390,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
@@ -209470,11 +209398,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + echo " /home defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "grpquota"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab fi @@ -209490,6 +209418,33 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nodev Option to /home + The nodev mount option can be used to prevent device files from +being created in /home. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + BP28(R12) + SRG-OS-000368-GPOS-00154 + 1.1.7.2 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + CCE-81048-1 + +part /home --mountoptions="nodev" - name: 'Add nodev Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
@@ -209592,36 +209547,8 @@ fi - no_reboot_needed - unknown_severity - -part /home --mountoptions="nodev" - - - - - - - - - - Add noexec Option to /home - The noexec mount option can be used to prevent binaries from being -executed out of /home. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - BP28(R12) - CCI-000366 - CM-6(b) - SRG-OS-000480-GPOS-00227 - RHEL-08-010590 - SV-230302r627750_rule - The /home directory contains data of individual users. Binaries in -this directory should not be considered as trusted and users should not be -able to execute them. - - CCE-83328-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then function perform_remediation { @@ -209639,7 +209566,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. 
@@ -209647,11 +209574,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + echo " /home defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi @@ -209667,6 +209594,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add noexec Option to /home + The noexec mount option can be used to prevent binaries from being +executed out of /home. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + BP28(R12) + CCI-000366 + CM-6(b) + SRG-OS-000480-GPOS-00227 + RHEL-08-010590 + SV-230302r627750_rule + The /home directory contains data of individual users. Binaries in +this directory should not be considered as trusted and users should not be +able to execute them. + + CCE-83328-5 + +part /home --mountoptions="noexec" - name: 'Add noexec Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
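Review bot: The applicability test in the nodev fix at -209592, `if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null )`, does not match its comment: `||` binds looser than `&&`, so whenever /home is listed in /etc/fstab the right-hand `findmnt --fstab` alone makes the condition true and both container checks are skipped. Group the mount tests, e.g. `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }`, and apply the same change to the identical lines for the nosuid, usrquota, grpquota and /opt fixes.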
@@ -209774,8 +209729,53 @@ fi - mount_option_home_noexec - no_reboot_needed - -part /home --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /home defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/home"; then + if mountpoint -q "/home"; then + mount -o remount --target "/home" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
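Review bot: In the noexec fix added back here the `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }` guard returns before the `if ! grep -q "$mount_point_match_regexp" /etc/fstab` branch can ever run, so that branch is dead; if it were reached it would append ` /home defaults,${previous_mount_opts}noexec 0 0` with empty device and filesystem-type fields, because `fs_type=""` is hard-coded for non-tmpfs mount points. Either drop the mtab branch for these rules or fill the device and type from `findmnt` output. This rule also keeps the plain `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` check while the neighbouring /home rules use the `findmnt` form; the two should agree.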
@@ -209893,53 +209893,8 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from user home directory partitions. CCE-81050-7 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /home defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/home"; then - if mountpoint -q "/home"; then - mount -o remount --target "/home" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /home --mountoptions="nosuid" - name: 'Add nosuid Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' @@ -210077,35 +210032,7 @@ fi - mount_option_home_nosuid - no_reboot_needed - -part /home --mountoptions="nosuid" - - - - - - - - - - Add usrquota Option to /home - The usrquota mount option allows for the filesystem to have disk quotas configured. -Add the usrquota option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. - The quota options for XFS file systems can only be activated when mounting the partition. -It is not possible to enable them by remounting an already mounted partition. Therefore, -if the desired options were not defined before mounting the partition, dismount and mount -it again to apply the quota options. - CM-6(b) - 1.1.7.4 - To ensure the availability of disk space on /home, it is important to limit the impact a -single user or group can cause for other users (or the wider system) by intentionally or -accidentally filling up the partition. Quotas can also be applied to inodes for filesystems -where inode exhaustion is a concern. - - CCE-86035-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then function perform_remediation { 
@@ -210124,7 +210051,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|usrquota)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -210132,11 +210059,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /home defaults,${previous_mount_opts}usrquota 0 0" >> /etc/fstab + echo " /home defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "usrquota"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,usrquota|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi 
@@ -210152,6 +210079,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add usrquota Option to /home + The usrquota mount option allows for the filesystem to have disk quotas configured. +Add the usrquota option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + The quota options for XFS file systems can only be activated when mounting the partition. +It is not possible to enable them by remounting an already mounted partition. Therefore, +if the desired options were not defined before mounting the partition, dismount and mount +it again to apply the quota options. + CM-6(b) + 1.1.7.4 + To ensure the availability of disk space on /home, it is important to limit the impact a +single user or group can cause for other users (or the wider system) by intentionally or +accidentally filling up the partition. Quotas can also be applied to inodes for filesystems +where inode exhaustion is a concern. + + CCE-86035-3 + +part /home --mountoptions="usrquota" - name: 'Add usrquota Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' 
@@ -210259,8 +210214,53 @@ fi - mount_option_home_usrquota - no_reboot_needed - -part /home --mountoptions="usrquota" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|usrquota)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /home defaults,${previous_mount_opts}usrquota 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "usrquota"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,usrquota|" /etc/fstab + fi + + + if mkdir -p "/home"; then + if mountpoint -q "/home"; then + mount -o remount --target "/home" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -210371,6 +210371,35 @@ The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems. CCE-82069-6 + - name: Ensure non-root local partitions are mounted with nodev option + mount: + path: '{{ item.mount }}' + src: '{{ item.device }}' + opts: '{{ item.options }},nodev' + state: mounted + fstype: '{{ item.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - item.mount is match('/\w') + - item.options is not search('nodev') + with_items: + - '{{ ansible_facts.mounts }}' + tags: + - CCE-82069-6 + - DISA-STIG-RHEL-08-010580 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_nodev_nonroot_local_partitions + - no_reboot_needed + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
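Review bot: The Ansible task moved at -210371 writes `'{{ item.options }},nodev'` straight from `ansible_facts.mounts` into /etc/fstab with `state: mounted`, so the runtime option string (`rw`, `seclabel`, `relatime` and similar) is persisted, whereas the bash fix directly below it strips `rw|defaults|seclabel` from the mtab options before writing. The task should filter `item.options` the same way (a `regex_replace` before appending `nodev`) or take the options from the existing fstab entry; otherwise the two remediations leave different fstab lines for the same rule.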
@@ -210421,35 +210450,6 @@ done else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Ensure non-root local partitions are mounted with nodev option - mount: - path: '{{ item.mount }}' - src: '{{ item.device }}' - opts: '{{ item.options }},nodev' - state: mounted - fstype: '{{ item.fstype }}' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - item.mount is match('/\w') - - item.options is not search('nodev') - with_items: - - '{{ ansible_facts.mounts }}' - tags: - - CCE-82069-6 - - DISA-STIG-RHEL-08-010580 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_nodev_nonroot_local_partitions - - no_reboot_needed @@ -210587,26 +210587,6 @@ not advised to set nodev on partitions which contain thei filesystems. CCE-82742-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_removable_partition='' - - -device_regex="^\s*$var_removable_partition\s\+" -mount_option="nodev" - -if grep -q $device_regex /etc/fstab ; then - previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') - sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab -else - echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str 
@@ -210635,6 +210615,26 @@ fi - medium_severity - mount_option_nodev_removable_partitions - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_removable_partition='' + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="nodev" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -210771,26 +210771,6 @@ Add the noexec option to the fourth column of the system to potential compromise. CCE-82746-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_removable_partition='' - - -device_regex="^\s*$var_removable_partition\s\+" -mount_option="noexec" - -if grep -q $device_regex /etc/fstab ; then - previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') - sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab -else - echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str 
@@ -210819,6 +210799,26 @@ fi - medium_severity - mount_option_noexec_removable_partitions - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_removable_partition='' + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="noexec" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -210981,26 +210981,6 @@ users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. CCE-82744-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_removable_partition='' - - -device_regex="^\s*$var_removable_partition\s\+" -mount_option="nosuid" - -if grep -q $device_regex /etc/fstab ; then - previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') - sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab -else - echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_removable_partition # promote to variable set_fact: var_removable_partition: !!str 
@@ -211029,6 +211009,26 @@ fi - medium_severity - mount_option_nosuid_removable_partitions - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_removable_partition='' + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="nosuid" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
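Review bot: In the removable-partition fix added back here, `grep -q $device_regex /etc/fstab` expands `$device_regex` unquoted, so the `*` in `^\s*...\s\+` is subject to pathname expansion and a value of `var_removable_partition` containing whitespace is split into several grep arguments; quote it as `grep -q "$device_regex" /etc/fstab`. The following `sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|"` also inserts `$previous_opts` unescaped into the pattern, so an option containing `|` or a regex metacharacter changes the match. The nodev and noexec variants at -210635 and -210819 have the same two problems.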
@@ -211052,53 +211052,8 @@ Add the nosuid option to the fourth column of not be able to execute SUID or SGID binaries from this directory. CCE-83319-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/opt")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/opt' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /opt in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /opt)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /opt defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/opt"; then - if mountpoint -q "/opt"; then - mount -o remount --target "/opt" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /opt --mountoptions="nosuid" - name: 'Add nosuid Option to /opt: Check information associated to mountpoint' command: findmnt --fstab '/opt' 
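Review bot: the order in which fix elements are emitted into the generated datastream should be made deterministic at build time, because this hunk (like the ones that follow) only moves content: the bash remediation deleted here for CCE-83319-4 reappears verbatim at the new offset in the next hunk (`@@ -211201,8 +211156,53 @@`) while the kickstart line `part /opt --mountoptions="nosuid"` moves up into its place. A six-figure-line diff on every automated publish makes any genuine change to a remediation script effectively unreviewable.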
@@ -211201,8 +211156,53 @@ fi - mount_option_opt_nosuid - no_reboot_needed - -part /opt --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/opt")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/opt' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /opt in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /opt)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /opt defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/opt"; then + if mountpoint -q "/opt"; then + mount -o remount --target "/opt" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
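Review bot: the applicability test `if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null ); then` groups as `(A && B && C) || D`, so whenever `/opt` has an `/etc/fstab` entry the two container checks are bypassed and the fix runs inside a container anyway; group the two `findmnt` alternatives, for example `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { findmnt --kernel "/opt" > /dev/null || findmnt --fstab "/opt" > /dev/null; }`. Further down, the `if ! grep -q "$mount_point_match_regexp" /etc/fstab; then` branch that appends `" /opt defaults,${previous_mount_opts}nosuid 0 0"` can never execute, because the earlier `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }` guard already returned when the entry is missing; if that guard is ever relaxed, the appended line has empty device and filesystem-type columns and would be an invalid fstab entry, so the branch should either be removed or write a complete entry.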
@@ -211238,51 +211238,6 @@ related to their own processes in a system. Otherwise, sensitive information fro other users could be seem. CCE-85882-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -function perform_remediation { - - - - var_mount_option_proc_hidepid='' - - mountoption="hidepid=$var_mount_option_proc_hidepid" - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /proc)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|$mountoption)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="proc" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "$mountoption"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$mountoption|" /etc/fstab - fi - - - if mkdir -p "/proc"; then - if mountpoint -q "/proc"; then - mount -o remount --target "/proc" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mount_option_proc_hidepid # promote to variable set_fact: var_mount_option_proc_hidepid: !!str 
@@ -211385,66 +211340,41 @@ fi - mount_option_proc_hidepid - no_reboot_needed - - - - - - - - - - Add nosuid Option to /srv - The nosuid mount option can be used to prevent -execution of setuid programs in /srv. The SUID and SGID permissions -should not be required in this directory. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/srv. - BP28(R12) - The presence of SUID and SGID executables should be tightly controlled. The -/srv directory contains files served by various network services such as FTP. Users should -not be able to execute SUID or SGID binaries from this directory. - - CCE-83322-8 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/srv" > /dev/null || findmnt --fstab "/srv" > /dev/null ); then + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then function perform_remediation { - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/srv")" - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/srv' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /srv in /etc/fstab" >&2; return 1; } - + var_mount_option_proc_hidepid='' - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /srv)" + mountoption="hidepid=$var_mount_option_proc_hidepid" + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /proc)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! 
grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|$mountoption)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" + fs_type="proc" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /srv defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "$mountoption"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$mountoption|" /etc/fstab fi - if mkdir -p "/srv"; then - if mountpoint -q "/srv"; then - mount -o remount --target "/srv" + if mkdir -p "/proc"; then + if mountpoint -q "/proc"; then + mount -o remount --target "/proc" fi fi } 
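Review bot: the test `elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "$mountoption"; then` only detects the exact string `hidepid=<value>`, so an existing `/proc` entry that already carries a different `hidepid=` value is left in place and the following `sed -i` appends a second `,hidepid=...`, leaving an fstab line with two conflicting `hidepid` options; match on `hidepid=` and replace the value instead. In addition, `var_mount_option_proc_hidepid=''` is empty as written and is only meaningful if something substitutes a value at scan time; if nothing does, `mountoption="hidepid=$var_mount_option_proc_hidepid"` becomes a bare `hidepid=` and that is what gets written to `/etc/fstab` and passed to the remount, so a guard such as `[ -n "$var_mount_option_proc_hidepid" ] || { echo "hidepid value not set" >&2; return 1; }` belongs before that assignment.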
@@ -211454,6 +211384,31 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Add nosuid Option to /srv + The nosuid mount option can be used to prevent +execution of setuid programs in /srv. The SUID and SGID permissions +should not be required in this directory. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/srv. + BP28(R12) + The presence of SUID and SGID executables should be tightly controlled. The +/srv directory contains files served by various network services such as FTP. Users should +not be able to execute SUID or SGID binaries from this directory. + + CCE-83322-8 + +part /srv --mountoptions="nosuid" - name: 'Add nosuid Option to /srv: Check information associated to mountpoint' command: findmnt --fstab '/srv' 
@@ -211556,8 +211511,53 @@ fi - mount_option_srv_nosuid - no_reboot_needed - -part /srv --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/srv" > /dev/null || findmnt --fstab "/srv" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/srv")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/srv' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /srv in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /srv)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /srv defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/srv"; then + if mountpoint -q "/srv"; then + mount -o remount --target "/srv" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
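Review bot: `mount_point_match_regexp` is assigned twice with the same value in this block (first with `"/srv"` quoted, then with `/srv` unquoted) on either side of the early-return guard, separated by three blank lines; drop the second assignment and the blank lines. Likewise, because `fs_type=""` is a constant, the `if [ "$fs_type" == "iso9660" ] ; then` branch can never run and, as the comment admits, exists only to satisfy shellcheck SC2050; a dead branch kept to silence a linter is a sign that the shared template should be specialised per filesystem type (or take the type as a parameter) rather than shipping a no-op in every generated fix.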
@@ -211674,53 +211674,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82623-0 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/tmp"; then - if mountpoint -q "/tmp"; then - mount -o remount --target "/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /tmp --mountoptions="nodev" - name: 'Add nodev Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' 
@@ -211857,8 +211812,53 @@ fi - mount_option_tmp_nodev - no_reboot_needed - -part /tmp --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/tmp"; then + if mountpoint -q "/tmp"; then + mount -o remount --target "/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
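Review bot: `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab` rewrites `/etc/fstab` in place with no backup and with `$previous_mount_opts` interpolated into the pattern unescaped; an options field containing a BRE metacharacter such as `[` or `*` (or a `|`, which is also the `s` delimiter here) either silently fails to match or breaks the expression, and a damaged fstab on the root filesystem is only recoverable from rescue media. Write the edited content to a temporary file, validate it (`findmnt --verify --tab-file <tmpfile>` in RHEL 8's util-linux does this), and only then move it over `/etc/fstab`; at minimum use `sed -i.bak` so the previous version survives.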
@@ -211975,53 +211975,8 @@ such as /tmp should never be necessary in normal operatio can expose the system to potential compromise. CCE-82139-7 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/tmp"; then - if mountpoint -q "/tmp"; then - mount -o remount --target "/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /tmp --mountoptions="noexec" - name: 'Add noexec Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' 
@@ -212159,8 +212114,53 @@ fi - mount_option_tmp_noexec - no_reboot_needed - -part /tmp --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/tmp"; then + if mountpoint -q "/tmp"; then + mount -o remount --target "/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
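Review bot: the early exit `grep "$mount_point_match_regexp" -q /etc/fstab || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; ...; return 1; }` means a `/tmp` that is mounted but has no `/etc/fstab` line, which is the situation when systemd's `tmp.mount` is enabled to provide a tmpfs `/tmp`, is reported as "Not remediating" even though the applicability check `findmnt --kernel "/tmp"` passed and `noexec` could have been applied. For that configuration the option has to be set through a drop-in on `tmp.mount` rather than fstab, so the rule should either handle it or state in its description that a unit-managed `/tmp` is out of scope for this fix.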
@@ -212277,53 +212277,8 @@ Add the nosuid option to the fourth column of should not be able to execute SUID or SGID binaries from temporary storage partitions. CCE-82140-5 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/tmp"; then - if mountpoint -q "/tmp"; then - mount -o remount --target "/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /tmp --mountoptions="nosuid" - name: 'Add nosuid Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' 
@@ -212461,8 +212416,53 @@ fi - mount_option_tmp_nosuid - no_reboot_needed - -part /tmp --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/tmp"; then + if mountpoint -q "/tmp"; then + mount -o remount --target "/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -212508,53 +212508,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82080-3 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log/audit defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var/log/audit"; then - if mountpoint -q "/var/log/audit"; then - mount -o remount --target "/var/log/audit" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log/audit --mountoptions="nodev" - name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' 
@@ -212695,8 +212650,53 @@ fi - mount_option_var_log_audit_nodev - no_reboot_needed - -part /var/log/audit --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log/audit defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/var/log/audit"; then + if mountpoint -q "/var/log/audit"; then + mount -o remount --target "/var/log/audit" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
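Review bot: `if mkdir -p "/var/log/audit"; then` creates the audit log directory with the caller's umask-derived mode if it does not already exist, rather than the root-only 0700 the audit package ships it with, and a freshly created empty directory cannot be a mount point anyway, so the subsequent `mountpoint -q "/var/log/audit"` will fail and nothing is remounted. For this path the `mkdir` should either be dropped or become `mkdir -p -m 0700 "/var/log/audit"` so the remediation does not leave a world-readable audit directory behind as a side effect.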
@@ -212740,53 +212740,8 @@ such as /var/log/audit should never be necessary in norma can expose the system to potential compromise. CCE-82975-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log/audit defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/var/log/audit"; then - if mountpoint -q "/var/log/audit"; then - mount -o remount --target "/var/log/audit" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log/audit --mountoptions="noexec" - name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' 
@@ -212927,8 +212882,53 @@ fi - mount_option_var_log_audit_noexec - no_reboot_needed - -part /var/log/audit --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log/audit defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/var/log/audit"; then + if mountpoint -q "/var/log/audit"; then + mount -o remount --target "/var/log/audit" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
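Review bot: the applicability guard on the first `+if` line has an operator-precedence problem: `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null` parses as `(A && B && C) || D`, so whenever `findmnt --fstab` succeeds the two container checks are bypassed and the script will edit /etc/fstab and attempt a remount inside a container. Group the findmnt alternatives: `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null; }`.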
@@ -212973,53 +212973,8 @@ should not be able to execute SUID or SGID binaries from partitions designated for audit log files. CCE-82921-8 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log/audit defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/var/log/audit"; then - if mountpoint -q "/var/log/audit"; then - mount -o remount --target "/var/log/audit" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log/audit --mountoptions="nosuid" - name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' 
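Review bot: in the bash remediation being moved here, the mtab fallback branch (`if ! grep -q "$mount_point_match_regexp" /etc/fstab; then` through `echo " /var/log/audit defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab`) is unreachable: a few lines above, `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }` already returns when the same regexp does not match, so the `if` condition can never be true, and the `fs_type=""` / iso9660 block nested inside it is dead twice over. Either drop the early return and let the fallback create the entry, or drop the fallback; shipping both leaves the intended behaviour ambiguous, and the same applies to every copy of this script in the patch.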
@@ -213160,8 +213115,53 @@ fi - mount_option_var_log_audit_nosuid - no_reboot_needed - -part /var/log/audit --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log/audit defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var/log/audit"; then + if mountpoint -q "/var/log/audit"; then + mount -o remount --target "/var/log/audit" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
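Review bot: should the fallback branch in this hunk ever become reachable, the line it appends, `echo " /var/log/audit defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab`, has an empty device field and no filesystem type (both template values rendered as empty strings), so the entry is misparsed with `/var/log/audit` as the device and `defaults,...` as the mount point; a failing mount unit generated from such a line can drop the next boot into emergency mode. Populate both fields from the live mount (`findmnt -no SOURCE,FSTYPE /var/log/audit`) or refuse to append rather than writing a malformed entry.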
@@ -213207,53 +213207,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82077-9 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var/log"; then - if mountpoint -q "/var/log"; then - mount -o remount --target "/var/log" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log --mountoptions="nodev" - name: 'Add nodev Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' 
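Review bot: in the `elif` branch, `previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')` lacks the `head -1` that the mtab branch uses, so when /etc/fstab carries two active entries for /var/log the variable becomes a multi-line string, the newline lands inside the pattern of `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab`, sed aborts with an unterminated `s' command, and the script goes on to remount with the old options and exits 0. Add `| head -1` and escape the value before interpolating it into a sed expression.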
@@ -213392,8 +213347,53 @@ fi - mount_option_var_log_nodev - no_reboot_needed - -part /var/log --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/var/log"; then + if mountpoint -q "/var/log"; then + mount -o remount --target "/var/log" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
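Review bot: the presence check `grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"` matches the substring anywhere on the fstab line rather than in the options field, so a device path or label containing `nodev` makes the script conclude the option is already set, skip the edit, and remount without it. Test the fourth field instead, e.g. `awk -v mp=/var/log '$2==mp {print $4}' /etc/fstab | grep -qw nodev` (a comma between options is a word boundary for `-w`).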
@@ -213438,53 +213438,8 @@ such as /var/log should never be necessary in normal oper can expose the system to potential compromise. CCE-82008-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/var/log"; then - if mountpoint -q "/var/log"; then - mount -o remount --target "/var/log" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log --mountoptions="noexec" - name: 'Add noexec Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' 
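Review bot: nothing in this script verifies its outcome: the result of `sed -i` is unchecked, and `mount -o remount --target "/var/log"` succeeds even when /etc/fstab was not modified, simply re-applying the old options, so the remediation exits 0 having changed nothing whenever the edit silently misses. Finish with a check of the live options, e.g. `findmnt -no OPTIONS /var/log | tr , '\n' | grep -qx noexec || { echo 'noexec not active on /var/log' >&2; return 1; }`, so the reported result matches the state the scanner will find.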
@@ -213624,8 +213579,53 @@ fi - mount_option_var_log_noexec - no_reboot_needed - -part /var/log --mountoptions="noexec" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi + + + if mkdir -p "/var/log"; then + if mountpoint -q "/var/log"; then + mount -o remount --target "/var/log" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
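Review bot: `mount_point_match_regexp` is assigned twice with the same value, once with `"/var/log"` quoted and once unquoted, separated only by the early-return guard and three blank lines; the second assignment is a leftover of a template refactor and should go, so that readers of the generated script do not hunt for a difference between the two regexps.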
@@ -213671,53 +213671,8 @@ should not be able to execute SUID or SGID binaries from partitions designated for log files. CCE-82065-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/log defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi - - - if mkdir -p "/var/log"; then - if mountpoint -q "/var/log"; then - mount -o remount --target "/var/log" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/log --mountoptions="nosuid" - name: 'Add nosuid Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' 
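Review bot: the applicability guard accepts the rule when `findmnt --kernel "/var/log"` succeeds without any fstab entry, but the function then hits `grep "$mount_point_match_regexp" -q /etc/fstab || { ... echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }`, so a /var/log mounted by a systemd mount unit or by hand is reported as applicable and then as failed instead of not applicable. Either restrict the guard to `findmnt --fstab`, matching what the script can actually do, or have it create the entry from the kernel mount table, which is what the unreachable fallback below it was evidently meant to do.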
@@ -213857,8 +213812,53 @@ fi - mount_option_var_log_nosuid - no_reboot_needed - -part /var/log --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/log defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var/log"; then + if mountpoint -q "/var/log"; then + mount -o remount --target "/var/log" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
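Review bot: a failed remount produces no diagnostic: `mount -o remount --target "/var/log"` is the last command of the function, so its non-zero status does propagate, but nothing says which step failed, and the earlier `sed -i` and `mkdir -p` failures are not reported either. Wrap the remount as `mount -o remount --target "/var/log" || { echo 'remount of /var/log failed' >&2; return 1; }` so an operator reading the remediation log can tell a remount failure from an fstab edit failure.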
@@ -213901,53 +213901,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82062-1 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var"; then - if mountpoint -q "/var"; then - mount -o remount --target "/var" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var --mountoptions="nodev" - name: 'Add nodev Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' 
@@ -214079,8 +214034,53 @@ fi - mount_option_var_nodev - no_reboot_needed - -part /var --mountoptions="nodev" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi + + + if mkdir -p "/var"; then + if mountpoint -q "/var"; then + mount -o remount --target "/var" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
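Review bot: the rule is tagged `no_reboot_needed` (visible at the top of the previous hunk), but the remount is gated on `mountpoint -q "/var"`: when the fstab entry exists and the path is not currently mounted (for instance `noauto`), the script edits fstab, skips the remount and returns success, and the option only takes effect on the next mount or reboot. Print a warning in that branch, e.g. `echo '/var is not mounted; nodev takes effect on next mount' >&2`, so the tag is not misleading for that case.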
@@ -214102,53 +214102,8 @@ Add the noexec option to the fourth column of mails and caches. No binaries should be executed from this directory. CCE-83330-1 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi - - - if mkdir -p "/var"; then - if mountpoint -q "/var"; then - mount -o remount --target "/var" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var --mountoptions="noexec" - name: 'Add noexec Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' @@ -214251,30 +214206,7 @@ fi - mount_option_var_noexec - no_reboot_needed - -part /var --mountoptions="noexec" - - - - - - - - - - Add nosuid Option to /var - The nosuid mount option can be used to prevent -execution of setuid programs in /var. The SUID and SGID permissions -should not be required for this directory. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var. - BP28(R12) - 1.1.3.4 - The presence of SUID and SGID executables should be tightly controlled. - - CCE-83383-0 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then function perform_remediation { 
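Review bot: the second hunk here (`@@ -214251`) deletes the boundary between two rules, namely the header of `Add nosuid Option to /var` with its description, the BP28(R12) and 1.1.3.4 references and `CCE-83383-0`, and leaves that rule's bash remediation attached to the noexec rule (`CCE-83330-1`); only the following hunks patch the option literal and re-insert the header. A diff that moves CCE identifiers across rule boundaries makes it very hard to confirm that each CCE still pairs with a remediation for the same option. Regenerate with a stable element order, or post-process the datastream so that each rule's content stays self-contained in the diff.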
@@ -214293,7 +214225,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -214301,11 +214233,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /var defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + echo " /var defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi 
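Review bot: these two hunks rewrite the nosuid script into the noexec one by changing the option literal in four places (the sed exclusion list, the appended fstab line, the presence grep and the sed insertion); all four are changed consistently, but a future regeneration that orders the elements differently will show the reverse flip, which is the same unstable-ordering problem as elsewhere in this patch. Separately, the exclusion list `(rw|defaults|seclabel|noexec)` strips the option being added but not its inverse, so a live mount carrying an explicit `exec` would be written back as `defaults,exec,noexec`; mount(8) honours the last flag, so it works, but the inverse option should be stripped too if the fallback is kept.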
@@ -214321,6 +214253,29 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nosuid Option to /var + The nosuid mount option can be used to prevent +execution of setuid programs in /var. The SUID and SGID permissions +should not be required for this directory. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var. + BP28(R12) + 1.1.3.4 + The presence of SUID and SGID executables should be tightly controlled. + + CCE-83383-0 + +part /var --mountoptions="nosuid" - name: 'Add nosuid Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' 
@@ -214423,8 +214378,53 @@ fi - mount_option_var_nosuid - no_reboot_needed - -part /var --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var"; then + if mountpoint -q "/var"; then + mount -o remount --target "/var" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -214558,53 +214558,8 @@ Add the nodev option to the fourth column of located on the root partition. The only exception to this is chroot jails. CCE-82068-8 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then - -function perform_remediation { - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")" - - grep "$mount_point_match_regexp" -q /etc/fstab \ - || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; - echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } - - - - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " /var/tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi - - - if mkdir -p "/var/tmp"; then - if mountpoint -q "/var/tmp"; then - mount -o remount --target "/var/tmp" - fi - fi -} - -perform_remediation - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +part /var/tmp --mountoptions="nodev" - name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' @@ -214713,35 +214668,7 @@ fi - mount_option_var_tmp_nodev - no_reboot_needed - -part /var/tmp --mountoptions="nodev" - - - - - - - - - - Add noexec Option to /var/tmp - The noexec mount option can be used to prevent binaries -from being executed out of /var/tmp. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp. - BP28(R12) - CCI-001764 - SRG-OS-000368-GPOS-00154 - RHEL-08-040134 - 1.1.4.2 - SV-230522r854063_rule - Allowing users to execute binaries from world-writable directories -such as /var/tmp should never be necessary in normal operation and -can expose the system to potential compromise. - - CCE-82151-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then function perform_remediation { 
@@ -214760,7 +214687,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -214768,11 +214695,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /var/tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + echo " /var/tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi 
@@ -214788,6 +214715,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add noexec Option to /var/tmp + The noexec mount option can be used to prevent binaries +from being executed out of /var/tmp. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/tmp. + BP28(R12) + CCI-001764 + SRG-OS-000368-GPOS-00154 + RHEL-08-040134 + 1.1.4.2 + SV-230522r854063_rule + Allowing users to execute binaries from world-writable directories +such as /var/tmp should never be necessary in normal operation and +can expose the system to potential compromise. + + CCE-82151-2 + +part /var/tmp --mountoptions="noexec" - name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' @@ -214897,35 +214852,7 @@ fi - mount_option_var_tmp_noexec - no_reboot_needed - -part /var/tmp --mountoptions="noexec" - - - - - - - - - - Add nosuid Option to /var/tmp - The nosuid mount option can be used to prevent -execution of setuid programs in /var/tmp. The SUID and SGID permissions -should not be required in these world-writable directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp. - BP28(R12) - CCI-001764 - SRG-OS-000368-GPOS-00154 - RHEL-08-040133 - 1.1.4.3 - SV-230521r854062_rule - The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from temporary storage partitions. - - CCE-82154-6 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then function perform_remediation { 
@@ -214944,7 +214871,7 @@ function perform_remediation { if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. @@ -214952,11 +214879,11 @@ function perform_remediation { if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi - echo " /var/tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + echo " /var/tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi 
@@ -214972,6 +214899,34 @@ perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Add nosuid Option to /var/tmp + The nosuid mount option can be used to prevent +execution of setuid programs in /var/tmp. The SUID and SGID permissions +should not be required in these world-writable directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/tmp. + BP28(R12) + CCI-001764 + SRG-OS-000368-GPOS-00154 + RHEL-08-040133 + 1.1.4.3 + SV-230521r854062_rule + The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from temporary storage partitions. + + CCE-82154-6 + +part /var/tmp --mountoptions="nosuid" - name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' 
@@ -215081,8 +215036,53 @@ fi - mount_option_var_tmp_nosuid - no_reboot_needed - -part /var/tmp --mountoptions="nosuid" + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then + +function perform_remediation { + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")" + + grep "$mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; + echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } + + + + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " /var/tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi + + + if mkdir -p "/var/tmp"; then + if mountpoint -q "/var/tmp"; then + mount -o remount --target "/var/tmp" + fi + fi +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -215130,24 +215130,20 @@ or compromised programs. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. CCE-86960-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then - - sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf -else - echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf - echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf -fi - -if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then - echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20uvcvideo%20/bin/true%0Ablacklist%20uvcvideo%0A + mode: 0644 + path: /etc/modprobe.d/uvcvideo.conf + overwrite: true - name: Ensure kernel module 'uvcvideo' is disabled lineinfile: 
@@ -215187,20 +215183,24 @@ fi - medium_severity - reboot_required - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,install%20uvcvideo%20/bin/true%0Ablacklist%20uvcvideo%0A - mode: 0644 - path: /etc/modprobe.d/uvcvideo.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then + + sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf + echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then + echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -215225,65 +215225,20 @@ terminates an application. The memory image could contain sensitive data and is only for developers trying to debug problems. CCE-82215-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for kernel.core_pattern -# -/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false" - -# -# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false" -# else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "|/bin/false" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-82215-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -215347,54 +215302,18 @@ fi - reboot_required - sysctl_kernel_core_pattern - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf - overwrite: true - - - - - - - - - - Configure file name of core dumps - To set the runtime status of the kernel.core_uses_pid kernel parameter, run the following command: $ sudo sysctl -w kernel.core_uses_pid=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_uses_pid = 0 - FMT_SMF_EXT.1 - The default coredump filename is core. By setting -core_uses_pid to 1, the coredump filename becomes -core.PID. If core_pattern does not include -%p (default does not) and core_uses_pid is set, then -.PID will be appended to the filename. -When combined with kernel.core_pattern = "" configuration, it -is ensured that no core dumps are generated and also no confusing error -messages are printed by a shell. - - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.core_uses_pid from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_uses_pid.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.core_uses_pid" matches to preserve user data + # comment out "kernel.core_pattern" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -215408,32 +215327,34 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.core_uses_pid +# Set runtime for kernel.core_pattern # -/sbin/sysctl -q -n -w kernel.core_uses_pid="0" +/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false" # -# If kernel.core_uses_pid present in /etc/sysctl.conf, change value to "0" -# else, add "kernel.core_uses_pid = 0" to /etc/sysctl.conf +# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false" +# else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_uses_pid") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "|/bin/false" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_uses_pid\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_uses_pid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi + cce="CCE-82215-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -215441,6 +215362,27 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Configure file name of core dumps + To set the runtime status of the kernel.core_uses_pid kernel parameter, run the following command: $ sudo sysctl -w kernel.core_uses_pid=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_uses_pid = 0 + FMT_SMF_EXT.1 + The default coredump filename is core. By setting +core_uses_pid to 1, the coredump filename becomes +core.PID. If core_pattern does not include +%p (default does not) and core_uses_pid is set, then +.PID will be appended to the filename. +When combined with kernel.core_pattern = "" configuration, it +is ensured that no core dumps are generated and also no confusing error +messages are printed by a shell. + - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -215491,51 +215433,18 @@ fi - reboot_required - sysctl_kernel_core_uses_pid - - - - - - - - - Restrict Access to Kernel Message Buffer - To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 - BP28(R23) - 3.1.5 - CCI-001090 - CCI-001314 - 164.308(a)(1)(ii)(D) - 164.308(a)(3) - 164.308(a)(4) - 164.310(b) - 164.310(c) - 164.312(a) - 164.312(e) - SI-11(a) - SI-11(b) - SRG-OS-000132-GPOS-00067 - SRG-OS-000138-GPOS-00069 - SRG-APP-000243-CTR-000600 - RHEL-08-010375 - SV-230269r858756_rule - Unprivileged access to the kernel syslog can expose sensitive kernel -address information. - - CCE-80913-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.core_uses_pid from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_uses_pid.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.dmesg_restrict" matches to preserve user data + # comment out "kernel.core_uses_pid" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -215549,40 +215458,86 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.dmesg_restrict +# Set runtime for kernel.core_uses_pid # -/sbin/sysctl -q -n -w kernel.dmesg_restrict="1" +/sbin/sysctl -q -n -w kernel.core_uses_pid="0" # -# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf +# If kernel.core_uses_pid present in /etc/sysctl.conf, change value to "0" +# else, add "kernel.core_uses_pid = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_uses_pid") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" +printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_uses_pid\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_uses_pid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-80913-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Restrict Access to Kernel Message Buffer + To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 + BP28(R23) + 3.1.5 + CCI-001090 + CCI-001314 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + SI-11(a) + SI-11(b) + SRG-OS-000132-GPOS-00067 + SRG-OS-000138-GPOS-00069 + SRG-APP-000243-CTR-000600 + RHEL-08-010375 + SV-230269r858756_rule + Unprivileged access to the kernel syslog can expose sensitive kernel +address information. + + CCE-80913-7 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.dmesg_restrict%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -215649,55 +215604,18 @@ fi - reboot_required - sysctl_kernel_dmesg_restrict - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.dmesg_restrict%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf - overwrite: true - - - - - - - - - - Disable Kernel Image Loading - To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 - CCI-001749 - CM-6 - SRG-OS-000480-GPOS-00227 - SRG-OS-000366-GPOS-00153 - RHEL-08-010372 - SV-230266r877463_rule - Disabling kexec_load allows greater control of the kernel memory. -It makes it impossible to load another kernel image after it has been disabled. - - - CCE-80952-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.kexec_load_disabled" matches to preserve user data + # comment out "kernel.dmesg_restrict" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -215711,18 +215629,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.kexec_load_disabled +# Set runtime for kernel.dmesg_restrict # -/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1" +/sbin/sysctl -q -n -w kernel.dmesg_restrict="1" # -# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf +# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -215730,14 +215648,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-80952-5" + cce="CCE-80913-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -215745,6 +215663,43 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disable Kernel Image Loading + To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 + CCI-001749 + CM-6 + SRG-OS-000480-GPOS-00227 + SRG-OS-000366-GPOS-00153 + RHEL-08-010372 + SV-230266r877463_rule + Disabling kexec_load allows greater control of the kernel memory. +It makes it impossible to load another kernel image after it has been disabled. + + + CCE-80952-5 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.kexec_load_disabled%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -215805,20 +215760,65 @@ fi - reboot_required - sysctl_kernel_kexec_load_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.kexec_load_disabled%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "kernel.kexec_load_disabled" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for kernel.kexec_load_disabled +# +/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1" + +# +# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "1" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80952-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -215911,66 +215911,6 @@ would have allowed the system to continue operating will now result in a panic.< panicking the system will impede them from continuing. CCE-87666-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.panic_on_oops" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for kernel.panic_on_oops -# -/sbin/sysctl -q -n -w kernel.panic_on_oops="1" - -# -# If kernel.panic_on_oops present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.panic_on_oops = 1" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.panic_on_oops") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.panic_on_oops\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.panic_on_oops\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-87666-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -216024,35 +215964,18 @@ fi - reboot_required - sysctl_kernel_panic_on_oops - - - - - - - - - Limit CPU consumption of the Perf system - To set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_cpu_time_max_percent = 1 - BP28(R23) - The kernel.perf_cpu_time_max_percent configures a treshold of -maximum percentile of CPU that can be used by Perf system. Restricting usage -of Perf system decreases risk of potential availability problems. - - CCE-83373-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_cpu_time_max_percent.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.perf_cpu_time_max_percent" matches to preserve user data + # comment out "kernel.panic_on_oops" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216066,18 +215989,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.perf_cpu_time_max_percent +# Set runtime for kernel.panic_on_oops # -/sbin/sysctl -q -n -w kernel.perf_cpu_time_max_percent="1" +/sbin/sysctl -q -n -w kernel.panic_on_oops="1" # -# If kernel.perf_cpu_time_max_percent present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.perf_cpu_time_max_percent = 1" to /etc/sysctl.conf +# If kernel.panic_on_oops present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.panic_on_oops = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_cpu_time_max_percent") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.panic_on_oops") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -216085,14 +216008,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_cpu_time_max_percent\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.panic_on_oops\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_cpu_time_max_percent\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.panic_on_oops\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83373-1" + cce="CCE-87666-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -216101,6 +216024,23 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Limit CPU consumption of the Perf system + To set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_cpu_time_max_percent = 1 + BP28(R23) + The kernel.perf_cpu_time_max_percent configures a treshold of +maximum percentile of CPU that can be used by Perf system. Restricting usage +of Perf system decreases risk of potential availability problems. + + CCE-83373-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -216155,36 +216095,18 @@ fi - reboot_required - sysctl_kernel_perf_cpu_time_max_percent - - - - - - - - - Limit sampling frequency of the Perf system - To set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_max_sample_rate = 1 - BP28(R23) - The kernel.perf_event_max_sample_rate parameter configures maximum -frequency of collecting of samples for the Perf system. It is expressed in -samples per second. Restricting usage of Perf system decreases risk -of potential availability problems. - - CCE-83368-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_max_sample_rate.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_cpu_time_max_percent.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.perf_event_max_sample_rate" matches to preserve user data + # comment out "kernel.perf_cpu_time_max_percent" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216198,18 +216120,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.perf_event_max_sample_rate +# Set runtime for kernel.perf_cpu_time_max_percent # -/sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1" +/sbin/sysctl -q -n -w kernel.perf_cpu_time_max_percent="1" # -# If kernel.perf_event_max_sample_rate present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.perf_event_max_sample_rate = 1" to /etc/sysctl.conf +# If kernel.perf_cpu_time_max_percent present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.perf_cpu_time_max_percent = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_max_sample_rate") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_cpu_time_max_percent") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -216217,14 +216139,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_max_sample_rate\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_cpu_time_max_percent\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_max_sample_rate\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_cpu_time_max_percent\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83368-1" + cce="CCE-83373-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -216233,6 +216155,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Limit sampling frequency of the Perf system + To set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_max_sample_rate = 1 + BP28(R23) + The kernel.perf_event_max_sample_rate parameter configures maximum +frequency of collecting of samples for the Perf system. It is expressed in +samples per second. Restricting usage of Perf system decreases risk +of potential availability problems. + + CCE-83368-1 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -216287,41 +216227,18 @@ fi - reboot_required - sysctl_kernel_perf_event_max_sample_rate - - - - - - - - - Disallow kernel profiling by unprivileged users - To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 - BP28(R23) - CCI-001090 - AC-6 - FMT_SMF_EXT.1 - SRG-OS-000132-GPOS-00067 - SRG-OS-000138-GPOS-00069 - SRG-APP-000243-CTR-000600 - RHEL-08-010376 - SV-230270r858758_rule - Kernel profiling can reveal sensitive information about kernel behaviour. - - CCE-81054-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_max_sample_rate.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.perf_event_paranoid" matches to preserve user data + # comment out "kernel.perf_event_max_sample_rate" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216335,33 +216252,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.perf_event_paranoid +# Set runtime for kernel.perf_event_max_sample_rate # -/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2" +/sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1" # -# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2" -# else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf +# If kernel.perf_event_max_sample_rate present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.perf_event_max_sample_rate = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_paranoid") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_max_sample_rate") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "2" +printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_paranoid\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_max_sample_rate\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_max_sample_rate\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-81054-9" + cce="CCE-83368-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi @@ -216369,6 +216286,44 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disallow kernel profiling by unprivileged users + To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 + BP28(R23) + CCI-001090 + AC-6 + FMT_SMF_EXT.1 + SRG-OS-000132-GPOS-00067 + SRG-OS-000138-GPOS-00069 + SRG-APP-000243-CTR-000600 + RHEL-08-010376 + SV-230270r858758_rule + Kernel profiling can reveal sensitive information about kernel behaviour. + + CCE-81054-9 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.perf_event_paranoid%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -216429,51 +216384,18 @@ fi - reboot_required - sysctl_kernel_perf_event_paranoid - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.perf_event_paranoid%3D2%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf - overwrite: true - - - - - - - - - - Configure maximum number of process identifiers - To set the runtime status of the kernel.pid_max kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.pid_max = 65536 - BP28(R23) - The kernel.pid_max parameter configures upper limit on process -identifiers (PID). If this number is not high enough, it might happen that -forking of new processes is not possible, because all available PIDs are -exhausted. Increasing this number enhances availability. - - CCE-83366-5 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.pid_max" matches to preserve user data + # comment out "kernel.perf_event_paranoid" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216487,33 +216409,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.pid_max +# Set runtime for kernel.perf_event_paranoid # -/sbin/sysctl -q -n -w kernel.pid_max="65536" +/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2" # -# If kernel.pid_max present in /etc/sysctl.conf, change value to "65536" -# else, add "kernel.pid_max = 65536" to /etc/sysctl.conf +# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2" +# else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.pid_max") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_paranoid") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "65536" +printf -v formatted_output "%s = %s" "$stripped_key" "2" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.pid_max\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_paranoid\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.pid_max\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83366-5" + cce="CCE-81054-9" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -216522,6 +216444,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Configure maximum number of process identifiers + To set the runtime status of the kernel.pid_max kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.pid_max = 65536 + BP28(R23) + The kernel.pid_max parameter configures upper limit on process +identifiers (PID). If this number is not high enough, it might happen that +forking of new processes is not possible, because all available PIDs are +exhausted. Increasing this number enhances availability. + + CCE-83366-5 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -216575,36 +216515,18 @@ fi - reboot_required - sysctl_kernel_pid_max - - - - - - - - - Disallow magic SysRq key - To set the runtime status of the kernel.sysrq kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.sysrq = 0 - BP28(R23) - The Magic SysRq key allows sending certain commands directly to the running -kernel. It can dump various system and process information, potentially -revealing sensitive information. It can also reboot or shutdown the machine, -disturbing its availability. - - CCE-83355-8 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.sysrq" matches to preserve user data + # comment out "kernel.pid_max" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216618,33 +216540,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.sysrq +# Set runtime for kernel.pid_max # -/sbin/sysctl -q -n -w kernel.sysrq="0" +/sbin/sysctl -q -n -w kernel.pid_max="65536" # -# If kernel.sysrq present in /etc/sysctl.conf, change value to "0" -# else, add "kernel.sysrq = 0" to /etc/sysctl.conf +# If kernel.pid_max present in /etc/sysctl.conf, change value to "65536" +# else, add "kernel.pid_max = 65536" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.sysrq") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.pid_max") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "65536" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.sysrq\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.pid_max\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.sysrq\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.pid_max\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83355-8" + cce="CCE-83366-5" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -216653,6 +216575,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Disallow magic SysRq key + To set the runtime status of the kernel.sysrq kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.sysrq = 0 + BP28(R23) + The Magic SysRq key allows sending certain commands directly to the running +kernel. It can dump various system and process information, potentially +revealing sensitive information. It can also reboot or shutdown the machine, +disturbing its availability. + + CCE-83355-8 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -216706,42 +216646,18 @@ fi - reboot_required - sysctl_kernel_sysrq - - - - - - - - - Disable Access to Network bpf() Syscall From Unprivileged Processes - To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 - BP28(R9) - CCI-000366 - AC-6 - SC-7(10) - FMT_SMF_EXT.1 - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - RHEL-08-040281 - SV-230545r858822_rule - Loading and accessing the packet filters programs and maps using the bpf() -syscall has the potential of revealing sensitive information about the kernel state. - - CCE-82974-7 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data + # comment out "kernel.sysrq" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -216755,33 +216671,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.unprivileged_bpf_disabled +# Set runtime for kernel.sysrq # -/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1" +/sbin/sysctl -q -n -w kernel.sysrq="0" # -# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf +# If kernel.sysrq present in /etc/sysctl.conf, change value to "0" +# else, add "kernel.sysrq = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.sysrq") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" +printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.sysrq\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.sysrq\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-82974-7" + cce="CCE-83355-8" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -216789,6 +216705,45 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 + BP28(R9) + CCI-000366 + AC-6 + SC-7(10) + FMT_SMF_EXT.1 + SRG-OS-000132-GPOS-00067 + SRG-OS-000480-GPOS-00227 + RHEL-08-040281 + SV-230545r858822_rule + Loading and accessing the packet filters programs and maps using the bpf() +syscall has the potential of revealing sensitive information about the kernel state. + + CCE-82974-7 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.unprivileged_bpf_disabled%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -216853,58 +216808,18 @@ fi - reboot_required - sysctl_kernel_unprivileged_bpf_disabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.unprivileged_bpf_disabled%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf - overwrite: true - - - - - - - - - - Restrict usage of ptrace to descendant processes - To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 - BP28(R25) - CCI-000366 - SC-7(10) - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - RHEL-08-040282 - SV-230546r858824_rule - Unrestricted usage of ptrace allows compromised binaries to run ptrace -on another processes of the user. Like this, the attacker can steal -sensitive information from the target processes (e.g. SSH sessions, web browser, ...) -without any additional assistance from the user (i.e. without resorting to phishing). - - - CCE-80953-3 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.yama.ptrace_scope" matches to preserve user data + # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi @@ -216918,18 +216833,18 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for kernel.yama.ptrace_scope +# Set runtime for kernel.unprivileged_bpf_disabled # -/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1" +/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1" # -# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1" -# else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf +# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" 
@@ -216937,14 +216852,14 @@ printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-80953-3" + cce="CCE-82974-7" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -216952,6 +216867,46 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Restrict usage of ptrace to descendant processes + To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 + BP28(R25) + CCI-000366 + SC-7(10) + SRG-OS-000132-GPOS-00067 + SRG-OS-000480-GPOS-00227 + RHEL-08-040282 + SV-230546r858824_rule + Unrestricted usage of ptrace allows compromised binaries to run ptrace +on another processes of the user. Like this, the attacker can steal +sensitive information from the target processes (e.g. SSH sessions, web browser, ...) +without any additional assistance from the user (i.e. without resorting to phishing). + + + CCE-80953-3 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.yama.ptrace_scope%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -217012,57 +216967,18 @@ fi - reboot_required - sysctl_kernel_yama_ptrace_scope - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.yama.ptrace_scope%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf - overwrite: true - - - - - - - - - - Harden the operation of the BPF just-in-time compiler - To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 - BP28(R12) - CCI-000366 - CM-6 - SC-7(10) - FMT_SMF_EXT.1 - SRG-OS-000480-GPOS-00227 - RHEL-08-040286 - SV-244554r858832_rule - When hardened, the extended Berkeley Packet Filter just-in-time compiler -will randomize any kernel addresses in the BPF programs and maps, -and will not expose the JIT addresses in /proc/kallsyms. - - CCE-82934-1 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files +# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq ) if ! 
test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "net.core.bpf_jit_harden" matches to preserve user data + # comment out "kernel.yama.ptrace_scope" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -217076,33 +216992,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for net.core.bpf_jit_harden +# Set runtime for kernel.yama.ptrace_scope # -/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2" +/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1" # -# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2" -# else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf +# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "2" +printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-82934-1" + cce="CCE-80953-3" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -217110,6 +217026,45 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Harden the operation of the BPF just-in-time compiler + To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 + BP28(R12) + CCI-000366 + CM-6 + SC-7(10) + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + RHEL-08-040286 + SV-244554r858832_rule + When hardened, the extended Berkeley Packet Filter just-in-time compiler +will randomize any kernel addresses in the BPF programs and maps, +and will not expose the JIT addresses in /proc/kallsyms. + + CCE-82934-1 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.core.bpf_jit_harden%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -217173,68 +217128,18 @@ fi - reboot_required - sysctl_net_core_bpf_jit_harden - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,net.core.bpf_jit_harden%3D2%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf - overwrite: true - - - - - - - - - - Disable the use of user namespaces - To set the runtime status of the user.max_user_namespaces kernel parameter, -run the following command: -$ sudo sysctl -w user.max_user_namespaces=0 - -To make sure that the setting is persistent, -add the following line to a file in the directory /etc/sysctl.d: -user.max_user_namespaces = 0 -When containers are deployed on the machine, the value should be set -to large non-zero value. - This configuration baseline was created to deploy the base operating system for general purpose -workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, -it is expected that user.max_user_namespaces will be enabled. - CCI-000366 - SC-39 - CM-6(a) - FMT_SMF_EXT.1 - SRG-OS-000480-GPOS-00227 - RHEL-08-040284 - SV-230548r858828_rule - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. -These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. -They increase the risk to the platform by providing additional attack vectors. -User namespaces are used primarily for Linux containers. The value 0 -disallows the use of user namespaces. - - CCE-82211-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files +# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "user.max_user_namespaces" matches to preserve user data + # comment out "net.core.bpf_jit_harden" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -217248,33 +217153,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for user.max_user_namespaces +# Set runtime for net.core.bpf_jit_harden # -/sbin/sysctl -q -n -w user.max_user_namespaces="0" +/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2" # -# If user.max_user_namespaces present in /etc/sysctl.conf, change value to "0" -# else, add "user.max_user_namespaces = 0" to /etc/sysctl.conf +# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2" +# else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^user.max_user_namespaces") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" +printf -v formatted_output "%s = %s" "$stripped_key" "2" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^user.max_user_namespaces\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^user.max_user_namespaces\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-82211-4" + cce="CCE-82934-1" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -217282,6 +217187,56 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Disable the use of user namespaces + To set the runtime status of the user.max_user_namespaces kernel parameter, +run the following command: +$ sudo sysctl -w user.max_user_namespaces=0 + +To make sure that the setting is persistent, +add the following line to a file in the directory /etc/sysctl.d: +user.max_user_namespaces = 0 +When containers are deployed on the machine, the value should be set +to large non-zero value. + This configuration baseline was created to deploy the base operating system for general purpose +workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, +it is expected that user.max_user_namespaces will be enabled. + CCI-000366 + SC-39 + CM-6(a) + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + RHEL-08-040284 + SV-230548r858828_rule + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. +These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. +They increase the risk to the platform by providing additional attack vectors. +User namespaces are used primarily for Linux containers. The value 0 +disallows the use of user namespaces. + + CCE-82211-4 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,user.max_user_namespaces%20%3D%200%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -217345,51 +217300,18 @@ fi - reboot_required - sysctl_user_max_user_namespaces - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,user.max_user_namespaces%20%3D%200%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf - overwrite: true - - - - - - - - - - Prevent applications from mapping low portion of virtual memory - To set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536 -To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: vm.mmap_min_addr = 65536 - BP28(R23) - The vm.mmap_min_addr parameter specifies the minimum virtual -address that a process is allowed to mmap. Allowing a process to mmap low -portion of virtual memory can have security implications such as such as -heightened risk of kernel null pointer dereference defects. - - CCE-83363-2 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -# Comment out any occurrences of vm.mmap_min_addr from /etc/sysctl.d/*.conf files +# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - matching_list=$(grep -P '^(?!#).*[\s]*vm.mmap_min_addr.*$' $f | uniq ) + matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "vm.mmap_min_addr" matches to preserve user data + # comment out "user.max_user_namespaces" matches to preserve user data sed -i "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi 
@@ -217403,33 +217325,33 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # -# Set runtime for vm.mmap_min_addr +# Set runtime for user.max_user_namespaces # -/sbin/sysctl -q -n -w vm.mmap_min_addr="65536" +/sbin/sysctl -q -n -w user.max_user_namespaces="0" # -# If vm.mmap_min_addr present in /etc/sysctl.conf, change value to "65536" -# else, add "vm.mmap_min_addr = 65536" to /etc/sysctl.conf +# If user.max_user_namespaces present in /etc/sysctl.conf, change value to "0" +# else, add "user.max_user_namespaces = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^vm.mmap_min_addr") +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^user.max_user_namespaces") # shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "65536" +printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^vm.mmap_min_addr\\>" "${SYSCONFIG_FILE}"; then +if LC_ALL=C grep -q -m 1 -i -e "^user.max_user_namespaces\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^vm.mmap_min_addr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" + LC_ALL=C sed -i --follow-symlinks "s/^user.max_user_namespaces\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi - cce="CCE-83363-2" + cce="CCE-82211-4" printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi 
@@ -217438,6 +217360,24 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Prevent applications from mapping low portion of virtual memory + To set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: vm.mmap_min_addr = 65536 + BP28(R23) + The vm.mmap_min_addr parameter specifies the minimum virtual +address that a process is allowed to mmap. Allowing a process to mmap low +portion of virtual memory can have security implications such as such as +heightened risk of kernel null pointer dereference defects. + + CCE-83363-2 - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -217490,6 +217430,66 @@ fi - medium_severity - reboot_required - sysctl_vm_mmap_min_addr + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of vm.mmap_min_addr from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*vm.mmap_min_addr.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "vm.mmap_min_addr" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for vm.mmap_min_addr +# +/sbin/sysctl -q -n -w vm.mmap_min_addr="65536" + +# +# If vm.mmap_min_addr present in /etc/sysctl.conf, change value to "65536" +# else, add "vm.mmap_min_addr = 65536" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^vm.mmap_min_addr") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "65536" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^vm.mmap_min_addr\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^vm.mmap_min_addr\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-83363-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -217534,21 +217534,6 @@ terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. CCE-82881-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SOCKET_NAME="systemd-coredump.socket" -SYSTEMCTL_EXEC='/usr/bin/systemctl' - -if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then - "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" - "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable acquiring, saving, and processing core dumps - Collect systemd Socket Units Present in the System ansible.builtin.command: 
@@ -217587,6 +217572,21 @@ fi - medium_severity - no_reboot_needed - service_systemd-coredump_disabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SOCKET_NAME="systemd-coredump.socket" +SYSTEMCTL_EXEC='/usr/bin/systemctl' + +if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then + "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" + "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217625,27 +217625,20 @@ debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. CCE-82251-0 - # Remediation is applicable only in certain platforms -if rpm --quiet -q systemd; then - -if [ -e "/etc/systemd/coredump.conf" ] ; then - - LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf" -else - touch "/etc/systemd/coredump.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/systemd/coredump.conf" - -cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" -# Insert at the end of the file -printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf" -# Clean up after ourselves. -rm "/etc/systemd/coredump.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A + mode: 0644 + path: /etc/systemd/coredump.conf + overwrite: true - 
name: Gather the package facts package_facts: @@ -217705,20 +217698,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A - mode: 0644 - path: /etc/systemd/coredump.conf - overwrite: true + # Remediation is applicable only in certain platforms +if rpm --quiet -q systemd; then + +if [ -e "/etc/systemd/coredump.conf" ] ; then + + LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf" +else + touch "/etc/systemd/coredump.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/systemd/coredump.conf" + +cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" +# Insert at the end of the file +printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf" +# Clean up after ourselves. +rm "/etc/systemd/coredump.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217752,27 +217752,20 @@ debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. CCE-82252-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q systemd; then - -if [ -e "/etc/systemd/coredump.conf" ] ; then - - LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf" -else - touch "/etc/systemd/coredump.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/systemd/coredump.conf" - -cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" -# Insert at the end of the file -printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf" -# Clean up after ourselves. -rm "/etc/systemd/coredump.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A + mode: 0644 + path: /etc/systemd/coredump.conf + overwrite: true - name: 
Gather the package facts package_facts: @@ -217832,20 +217825,27 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A - mode: 0644 - path: /etc/systemd/coredump.conf - overwrite: true + # Remediation is applicable only in certain platforms +if rpm --quiet -q systemd; then + +if [ -e "/etc/systemd/coredump.conf" ] ; then + + LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf" +else + touch "/etc/systemd/coredump.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/systemd/coredump.conf" + +cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" +# Insert at the end of the file +printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf" +# Clean up after ourselves. +rm "/etc/systemd/coredump.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217893,24 +217893,20 @@ terminates an application. The memory image could contain sensitive data and is only for developers trying to debug problems. CCE-81038-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -SECURITY_LIMITS_FILE="/etc/security/limits.conf" - -if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then - sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE -else - echo "* hard core 0" >> $SECURITY_LIMITS_FILE -fi - -if ls /etc/security/limits.d/*.conf > /dev/null; then - sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200 + mode: 0644 + path: /etc/security/limits.d/75-disable_users_coredumps.conf + overwrite: true - name: Gather the package facts package_facts: @@ -217948,20 +217944,24 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200 - mode: 0644 - path: /etc/security/limits.d/75-disable_users_coredumps.conf - overwrite: true + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +SECURITY_LIMITS_FILE="/etc/security/limits.conf" + +if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then + sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE +else + echo "* hard core 0" >> $SECURITY_LIMITS_FILE +fi + +if ls /etc/security/limits.d/*.conf > /dev/null; then + sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -217993,66 +217993,6 @@ setuid program to write a core file decreases the risk of unauthorized access of such data. CCE-80912-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "fs.suid_dumpable" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for fs.suid_dumpable -# -/sbin/sysctl -q -n -w fs.suid_dumpable="0" - -# -# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" -# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80912-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -218114,6 +218054,66 @@ fi - medium_severity - reboot_required - sysctl_fs_suid_dumpable + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "fs.suid_dumpable" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for fs.suid_dumpable +# +/sbin/sysctl -q -n -w fs.suid_dumpable="0" + +# +# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" +# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80912-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -218274,15 +218274,6 @@ prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. CCE-80914-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -grubby --update-kernel=ALL --remove-args=noexec --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Update grub defaults and the bootloader menu command: /sbin/grubby --update-kernel=ALL --remove-args="noexec" when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] @@ -218297,6 +218288,15 @@ fi - reboot_required - restrict_strategy - sysctl_kernel_exec_shield + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +grubby --update-kernel=ALL --remove-args=noexec --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
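Review bot: The sysctl helper re-added in `@@ -218114,6 +218054,66 @@` (and its kernel.kptr_restrict and kernel.randomize_va_space twins further down) has two robustness gaps in the comment-out loop. `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf` runs with default globbing, so a directory without .conf files hands grep the literal pattern and prints a "No such file" error to stderr; add `[ -f "$f" ] || continue` at the top of the loop body and quote `$f`. The filter `grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$'` only rejects a `#` in column one, so an indented comment such as `  # fs.suid_dumpable = 2` is matched and prefixed a second time by `sed -i "s/^${escaped_entry}$/# &/g"`; `^(?!\s*#)` is the intended test. Everything else in the hunk is the unchanged script moved below the Ansible tags.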
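Review bot: In `@@ -218297,6 +218288,15 @@` the bash fix gates on `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]`, while the Ansible task for the same rule in `@@ -218274,15 +218274,6 @@` skips `ansible_virtualization_type` values `["docker", "lxc", "openvz", "podman", "container"]`. An LXC or OpenVZ guest therefore runs `grubby --update-kernel=ALL --remove-args=noexec --env=/boot/grub2/grubenv` under the bash path, where there is no bootloader to edit, but not under the playbook; the same split applies to the page_poison and slub_debug hunks later in the patch, which use the identical guard. Aligning the bash guard with the Ansible list, for example by also consulting `${container:-}` as the sebool fixes at the end of this patch already do, would make the two paths agree.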
@@ -218351,67 +218351,20 @@ be compromised. This option disallow any program without the CAP_SYSLOG capabili to get the addresses of kernel pointers by replacing them with 0. CCE-80915-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.kptr_restrict" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - -sysctl_kernel_kptr_restrict_value='' - - -# -# Set runtime for kernel.kptr_restrict -# -/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value" - -# -# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value -# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80915-2" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.kptr_restrict%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -218486,30 +218439,77 @@ fi - reboot_required - sysctl_kernel_kptr_restrict - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.kptr_restrict%3D1%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf - overwrite: true - - - - - - - - - - Enable Randomized Layout of Virtual Address Space + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "kernel.kptr_restrict" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + +sysctl_kernel_kptr_restrict_value='' + + +# +# Set runtime for kernel.kptr_restrict +# +/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value" + +# +# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value +# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value" + +# If the key exists, change it. Otherwise, add it to the config_file. 
+# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80915-2" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Enable Randomized Layout of Virtual Address Space To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 BP28(R23) 
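Review bot: `sysctl_kernel_kptr_restrict_value=''` in `@@ -218486,30 +218439,77 @@` is empty as rendered, while the MachineConfig for the same rule, removed in this hunk, hardcodes `kernel.kptr_restrict%3D1`. If the empty string is an XCCDF value substitution that the diff rendering dropped, nothing to do; if the script really ships this way, `/sbin/sysctl -q -n -w kernel.kptr_restrict=""` fails and a bare `kernel.kptr_restrict = ` is written to /etc/sysctl.conf. A guard such as `[ -n "$sysctl_kernel_kptr_restrict_value" ] || { >&2 echo 'no value for kernel.kptr_restrict'; exit 1; }` before the sysctl call would make the failure explicit. The same empty-assignment pattern appears for `var_slub_debug_options`, `var_selinux_policy_name`, `var_selinux_state` and the `var_abrt_*` booleans elsewhere in this patch, so whichever answer applies here applies to those too.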
@@ -218565,65 +218565,20 @@ existing code in order to re-purpose it using return oriented programming (ROP) techniques. CCE-80916-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files - -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.randomize_va_space" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set sysctl config file which to save the desired value -# - -SYSCONFIG_FILE="/etc/sysctl.conf" - - -# -# Set runtime for kernel.randomize_va_space -# -/sbin/sysctl -q -n -w kernel.randomize_va_space="2" - -# -# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2" -# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf -# - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "2" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" -else - if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" - fi - cce="CCE-80916-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" - printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.randomize_va_space%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf + overwrite: true - name: List /etc/sysctl.d/*.conf files find: 
@@ -218699,20 +218654,65 @@ fi - reboot_required - sysctl_kernel_randomize_va_space - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,kernel.randomize_va_space%3D2%0A - mode: 0644 - path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files + +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") + # comment out "kernel.randomize_va_space" matches to preserve user data + sed -i "s/^${escaped_entry}$/# &/g" $f + done <<< "$matching_list" + fi +done + +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE="/etc/sysctl.conf" + + +# +# Set runtime for kernel.randomize_va_space +# +/sbin/sysctl -q -n -w kernel.randomize_va_space="2" + +# +# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2" +# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf +# + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s = %s" "$stripped_key" "2" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" +else + if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" + fi + cce="CCE-80916-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}" + printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -218870,15 +218870,6 @@ Also prevents leak of data and detection of corrupted memory.CCE-80944-2 [customizations.kernel] append = "page_poison=1" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -218909,6 +218900,15 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -218944,19 +218944,6 @@ Also prevents leak of data and detection of corrupted memory.CCE-80945-9 [customizations.kernel] append = "slub_debug=" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -var_slub_debug_options='' - - - -grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - name: Gather the package facts package_facts: @@ -218993,6 +218980,19 @@ fi - medium_severity - reboot_required - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +var_slub_debug_options='' + + + +grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219063,21 +219063,13 @@ with enhanced security functionality designed to add mandatory access controls t The libselinux package contains the core library of the Security-enhanced Linux system. CCE-82877-2 + +package --add=libselinux + [[packages]] name = "libselinux" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "libselinux" ; then - yum install -y "libselinux" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_libselinux @@ -219102,8 +219094,16 @@ class install_libselinux { - no_reboot_needed - package_libselinux_installed - -package --add=libselinux + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "libselinux" ; then + yum install -y "libselinux" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219121,21 +219121,13 @@ $ sudo yum install policycoreutils-python-utilsThis package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. CCE-82724-6 + +package --add=policycoreutils-python-utils + [[packages]] name = "policycoreutils-python-utils" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "policycoreutils-python-utils" ; then - yum install -y "policycoreutils-python-utils" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_policycoreutils-python-utils @@ -219159,8 +219151,16 @@ class install_policycoreutils-python-utils { - no_reboot_needed - package_policycoreutils-python-utils_installed - -package --add=policycoreutils-python-utils + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "policycoreutils-python-utils" ; then + yum install -y "policycoreutils-python-utils" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219192,21 +219192,13 @@ basic operation of an SELinux-enabled system. These utilities include setfiles to label filesystems, newrole to switch roles, and so on. CCE-82976-2 + +package --add=policycoreutils + [[packages]] name = "policycoreutils" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "policycoreutils" ; then - yum install -y "policycoreutils" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_policycoreutils 
@@ -219231,8 +219223,16 @@ class install_policycoreutils { - no_reboot_needed - package_policycoreutils_installed - -package --add=policycoreutils + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "policycoreutils" ; then + yum install -y "policycoreutils" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219253,24 +219253,8 @@ $ sudo yum erase mcstrans Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. CCE-82756-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove mcstrans -# from the system, and may remove any packages -# that depend on mcstrans. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "mcstrans" ; then - - yum remove -y "mcstrans" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=mcstrans include remove_mcstrans @@ -219294,8 +219278,24 @@ class remove_mcstrans { - no_reboot_needed - package_mcstrans_removed - -package --remove=mcstrans + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove mcstrans +# from the system, and may remove any packages +# that depend on mcstrans. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "mcstrans" ; then + + yum remove -y "mcstrans" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219312,24 +219312,8 @@ $ sudo yum erase setroubleshoot-plugins The SETroubleshoot service is an unnecessary daemon to have running on a server. CCE-84250-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove setroubleshoot-plugins -# from the system, and may remove any packages -# that depend on setroubleshoot-plugins. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "setroubleshoot-plugins" ; then - - yum remove -y "setroubleshoot-plugins" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=setroubleshoot-plugins include remove_setroubleshoot-plugins @@ -219353,8 +219337,24 @@ class remove_setroubleshoot-plugins { - no_reboot_needed - package_setroubleshoot-plugins_removed - -package --remove=setroubleshoot-plugins + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot-plugins +# from the system, and may remove any packages +# that depend on setroubleshoot-plugins. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "setroubleshoot-plugins" ; then + + yum remove -y "setroubleshoot-plugins" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219375,24 +219375,8 @@ $ sudo yum erase setroubleshoot-server The SETroubleshoot service is an unnecessary daemon to have running on a server. CCE-83490-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove setroubleshoot-server -# from the system, and may remove any packages -# that depend on setroubleshoot-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "setroubleshoot-server" ; then - - yum remove -y "setroubleshoot-server" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=setroubleshoot-server include remove_setroubleshoot-server @@ -219416,8 +219400,24 @@ class remove_setroubleshoot-server { - no_reboot_needed - package_setroubleshoot-server_removed - -package --remove=setroubleshoot-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot-server +# from the system, and may remove any packages +# that depend on setroubleshoot-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "setroubleshoot-server" ; then + + yum remove -y "setroubleshoot-server" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -219440,24 +219440,8 @@ $ sudo yum erase setroubleshoot have running on a server, especially if X Windows is removed or disabled. CCE-82755-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove setroubleshoot -# from the system, and may remove any packages -# that depend on setroubleshoot. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "setroubleshoot" ; then - - yum remove -y "setroubleshoot" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=setroubleshoot include remove_setroubleshoot @@ -219481,8 +219465,24 @@ class remove_setroubleshoot { - no_reboot_needed - package_setroubleshoot_removed - -package --remove=setroubleshoot + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot +# from the system, and may remove any packages +# that depend on setroubleshoot. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "setroubleshoot" ; then + + yum remove -y "setroubleshoot" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -219833,16 +219833,6 @@ it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. CCE-80827-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then - -sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* -sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -219996,6 +219986,16 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* +sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -220365,31 +220365,6 @@ before setting it to "enforcing", which is strongly recommended. CCE-86151-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/selinux/config" ] ; then - - LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" -else - touch "/etc/selinux/config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/selinux/config" - -cp "/etc/selinux/config" "/etc/selinux/config.bak" -# Insert at the end of the file -printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config" -# Clean up after ourselves. -rm "/etc/selinux/config.bak" - -fixfiles onboot -fixfiles -f relabel - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure SELinux is Not Disabled block: 
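Review bot: The grub2 SELinux fix re-added in `@@ -219996,6 +219986,16 @@` edits only `/etc/default/grub /etc/grub2.cfg /etc/grub.d/*` with `sed -i --follow-symlinks "s/selinux=0//gI"` and never regenerates the bootloader configuration, so the per-entry kernel options that grubby manages on RHEL 8 (the `--env=/boot/grub2/grubenv` target the other bootloader hunks pass) keep any `selinux=0` or `enforcing=0` they carry. The other bootloader rules in this patch (`@@ -218297,6 +218288,15 @@`, `@@ -218909,6 +218900,15 @@`) go through `grubby --update-kernel=ALL ...`; `grubby --update-kernel=ALL --remove-args="selinux=0 enforcing=0"` would cover every entry here as well. The context of this hunk also tags the rule `no_reboot_needed`, yet a kernel command-line edit takes effect only at the next boot, which is how the noexec rule at `@@ -218297` is tagged (`reboot_required`).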
@@ -220427,6 +220402,31 @@ fi - reboot_required - restrict_strategy - selinux_not_disabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/selinux/config" ] ; then + + LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/selinux/config" + +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config" +# Clean up after ourselves. +rm "/etc/selinux/config.bak" + +fixfiles onboot +fixfiles -f relabel + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -220625,31 +220625,6 @@ temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to . CCE-80868-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinux_policy_name='' - - -if [ -e "/etc/selinux/config" ] ; then - - LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config" -else - touch "/etc/selinux/config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/selinux/config" - -cp "/etc/selinux/config" "/etc/selinux/config.bak" -# Insert at the end of the file -printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config" -# Clean up after ourselves. -rm "/etc/selinux/config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinux_policy_name # promote to variable set_fact: var_selinux_policy_name: !!str 
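Review bot: `@@ -220427,6 +220402,31 @@` runs both `fixfiles onboot` and `fixfiles -f relabel` after writing `SELINUX=permissive`: the first schedules a full filesystem relabel for the next boot, the second performs one immediately, so a host relabels twice. One is enough, and either is only needed when SELinux was previously disabled and files are unlabelled; guard them on the prior state, for example by running them only when the line deleted by `sed -i "/^SELINUX=/Id"` was `SELINUX=disabled` or when `getenforce` reported Disabled before the edit. The selinux_state script re-added later in the patch (`@@ -220970,6 +220942,34 @@`) repeats the same pair even though that rule's tags say `no_reboot_needed`, which an on-boot relabel contradicts.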
@@ -220701,6 +220676,31 @@ fi - reboot_required - restrict_strategy - selinux_policytype + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinux_policy_name='' + + +if [ -e "/etc/selinux/config" ] ; then + + LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/selinux/config" + +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config" +# Clean up after ourselves. +rm "/etc/selinux/config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -220892,34 +220892,6 @@ potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. CCE-80869-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinux_state='' - - -if [ -e "/etc/selinux/config" ] ; then - - LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" -else - touch "/etc/selinux/config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/selinux/config" - -cp "/etc/selinux/config" "/etc/selinux/config.bak" -# Insert at the end of the file -printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config" -# Clean up after ourselves. -rm "/etc/selinux/config.bak" - -fixfiles onboot -fixfiles -f relabel - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinux_state # promote to variable set_fact: var_selinux_state: !!str 
@@ -220970,6 +220942,34 @@ fi - no_reboot_needed - restrict_strategy - selinux_state + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinux_state='' + + +if [ -e "/etc/selinux/config" ] ; then + + LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/selinux/config" + +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config" +# Clean up after ourselves. +rm "/etc/selinux/config.bak" + +fixfiles onboot +fixfiles -f relabel + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -223691,18 +223691,6 @@ To disable the abrt_anon_write SELinux boolean, run the f $ sudo setsebool -P abrt_anon_write off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_abrt_anon_write='' - - -setsebool -P abrt_anon_write $var_abrt_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_abrt_anon_write # promote to variable set_fact: var_abrt_anon_write: !!str @@ -223741,6 +223729,18 @@ fi - medium_severity - no_reboot_needed - sebool_abrt_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_abrt_anon_write='' + + +setsebool -P abrt_anon_write $var_abrt_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -223759,18 +223759,6 @@ To disable the abrt_handle_event SELinux boolean, run the $ sudo setsebool -P abrt_handle_event off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_abrt_handle_event='' - - -setsebool -P abrt_handle_event $var_abrt_handle_event - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_abrt_handle_event # promote to variable set_fact: var_abrt_handle_event: !!str @@ -223809,6 +223797,18 @@ fi - medium_severity - no_reboot_needed - sebool_abrt_handle_event + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_abrt_handle_event='' + + +setsebool -P abrt_handle_event $var_abrt_handle_event + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -223828,18 +223828,6 @@ To disable the abrt_upload_watch_anon_write SELinux boole $ sudo setsebool -P abrt_upload_watch_anon_write off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_abrt_upload_watch_anon_write='' - - -setsebool -P abrt_upload_watch_anon_write $var_abrt_upload_watch_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_abrt_upload_watch_anon_write # promote to variable set_fact: var_abrt_upload_watch_anon_write: !!str 
@@ -223878,6 +223866,18 @@ fi - medium_severity - no_reboot_needed - sebool_abrt_upload_watch_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_abrt_upload_watch_anon_write='' + + +setsebool -P abrt_upload_watch_anon_write $var_abrt_upload_watch_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -223897,18 +223897,6 @@ To enable the antivirus_can_scan_system SELinux boolean, $ sudo setsebool -P antivirus_can_scan_system on 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_antivirus_can_scan_system='' - - -setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_antivirus_can_scan_system # promote to variable set_fact: var_antivirus_can_scan_system: !!str @@ -223947,6 +223935,18 @@ fi - medium_severity - no_reboot_needed - sebool_antivirus_can_scan_system + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_antivirus_can_scan_system='' + + +setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -223965,18 +223965,6 @@ To disable the antivirus_use_jit SELinux boolean, run the $ sudo setsebool -P antivirus_use_jit off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_antivirus_use_jit='' - - -setsebool -P antivirus_use_jit $var_antivirus_use_jit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_antivirus_use_jit # promote to variable set_fact: var_antivirus_use_jit: !!str @@ -224015,6 +224003,18 @@ fi - medium_severity - no_reboot_needed - sebool_antivirus_use_jit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_antivirus_use_jit='' + + +setsebool -P antivirus_use_jit $var_antivirus_use_jit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224040,18 +224040,6 @@ To enable the auditadm_exec_content SELinux boolean, run 0957 CCE-84297-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_auditadm_exec_content='' - - -setsebool -P auditadm_exec_content $var_auditadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_auditadm_exec_content # promote to variable set_fact: var_auditadm_exec_content: !!str @@ -224092,6 +224080,18 @@ fi - medium_severity - no_reboot_needed - sebool_auditadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_auditadm_exec_content='' + + +setsebool -P auditadm_exec_content $var_auditadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224125,18 +224125,6 @@ To disable the authlogin_nsswitch_use_ldap SELinux boolea 1561 CCE-84296-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_authlogin_nsswitch_use_ldap='' - - -setsebool -P authlogin_nsswitch_use_ldap $var_authlogin_nsswitch_use_ldap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_authlogin_nsswitch_use_ldap # promote to variable set_fact: var_authlogin_nsswitch_use_ldap: !!str @@ -224177,6 +224165,18 @@ fi - medium_severity - no_reboot_needed - sebool_authlogin_nsswitch_use_ldap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_authlogin_nsswitch_use_ldap='' + + +setsebool -P authlogin_nsswitch_use_ldap $var_authlogin_nsswitch_use_ldap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224210,18 +224210,6 @@ To disable the authlogin_radius SELinux boolean, run the 1561 CCE-84294-8 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_authlogin_radius='' - - -setsebool -P authlogin_radius $var_authlogin_radius - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_authlogin_radius # promote to variable set_fact: var_authlogin_radius: !!str 
@@ -224262,6 +224250,18 @@ fi - medium_severity - no_reboot_needed - sebool_authlogin_radius + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_authlogin_radius='' + + +setsebool -P authlogin_radius $var_authlogin_radius + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224280,18 +224280,6 @@ To disable the authlogin_yubikey SELinux boolean, run the $ sudo setsebool -P authlogin_yubikey off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_authlogin_yubikey='' - - -setsebool -P authlogin_yubikey $var_authlogin_yubikey - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_authlogin_yubikey # promote to variable set_fact: var_authlogin_yubikey: !!str @@ -224330,6 +224318,18 @@ fi - medium_severity - no_reboot_needed - sebool_authlogin_yubikey + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_authlogin_yubikey='' + + +setsebool -P authlogin_yubikey $var_authlogin_yubikey + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224348,18 +224348,6 @@ To disable the awstats_purge_apache_log_files SELinux boo $ sudo setsebool -P awstats_purge_apache_log_files off 3.7.2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_awstats_purge_apache_log_files='' - - -setsebool -P awstats_purge_apache_log_files $var_awstats_purge_apache_log_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_awstats_purge_apache_log_files # promote to variable set_fact: var_awstats_purge_apache_log_files: !!str @@ -224398,6 +224386,18 @@ fi - medium_severity - no_reboot_needed - sebool_awstats_purge_apache_log_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_awstats_purge_apache_log_files='' + + +setsebool -P awstats_purge_apache_log_files $var_awstats_purge_apache_log_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224418,18 +224418,6 @@ To disable the boinc_execmem SELinux boolean, run the fol 3.7.2 CCE-83304-6 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_boinc_execmem='' - - -setsebool -P boinc_execmem $var_boinc_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_boinc_execmem # promote to variable set_fact: var_boinc_execmem: !!str 
@@ -224470,6 +224458,18 @@ fi - medium_severity - no_reboot_needed - sebool_boinc_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_boinc_execmem='' + + +setsebool -P boinc_execmem $var_boinc_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224487,18 +224487,6 @@ If this setting is enabled, it should be disabled. To disable the cdrecord_read_content SELinux boolean, run the following command: $ sudo setsebool -P cdrecord_read_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cdrecord_read_content='' - - -setsebool -P cdrecord_read_content $var_cdrecord_read_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cdrecord_read_content # promote to variable set_fact: var_cdrecord_read_content: !!str @@ -224535,6 +224523,18 @@ fi - medium_severity - no_reboot_needed - sebool_cdrecord_read_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cdrecord_read_content='' + + +setsebool -P cdrecord_read_content $var_cdrecord_read_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224552,18 +224552,6 @@ If this setting is enabled, it should be disabled. To disable the cluster_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P cluster_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cluster_can_network_connect='' - - -setsebool -P cluster_can_network_connect $var_cluster_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cluster_can_network_connect # promote to variable set_fact: var_cluster_can_network_connect: !!str @@ -224600,6 +224588,18 @@ fi - medium_severity - no_reboot_needed - sebool_cluster_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cluster_can_network_connect='' + + +setsebool -P cluster_can_network_connect $var_cluster_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224617,18 +224617,6 @@ If this setting is enabled, it should be disabled. To disable the cluster_manage_all_files SELinux boolean, run the following command: $ sudo setsebool -P cluster_manage_all_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cluster_manage_all_files='' - - -setsebool -P cluster_manage_all_files $var_cluster_manage_all_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cluster_manage_all_files # promote to variable set_fact: var_cluster_manage_all_files: !!str 
@@ -224665,6 +224653,18 @@ fi - medium_severity - no_reboot_needed - sebool_cluster_manage_all_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cluster_manage_all_files='' + + +setsebool -P cluster_manage_all_files $var_cluster_manage_all_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224684,18 +224684,6 @@ To disable the cluster_use_execmem SELinux boolean, run t BP28(R67) CCE-83305-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cluster_use_execmem='' - - -setsebool -P cluster_use_execmem $var_cluster_use_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cluster_use_execmem # promote to variable set_fact: var_cluster_use_execmem: !!str @@ -224734,6 +224722,18 @@ fi - medium_severity - no_reboot_needed - sebool_cluster_use_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cluster_use_execmem='' + + +setsebool -P cluster_use_execmem $var_cluster_use_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224751,18 +224751,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_anon_write SELinux boolean, run the following command: $ sudo setsebool -P cobbler_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_anon_write='' - - -setsebool -P cobbler_anon_write $var_cobbler_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_anon_write # promote to variable set_fact: var_cobbler_anon_write: !!str @@ -224799,6 +224787,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_anon_write='' + + +setsebool -P cobbler_anon_write $var_cobbler_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224816,18 +224816,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P cobbler_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_can_network_connect='' - - -setsebool -P cobbler_can_network_connect $var_cobbler_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_can_network_connect # promote to variable set_fact: var_cobbler_can_network_connect: !!str 
@@ -224864,6 +224852,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_can_network_connect='' + + +setsebool -P cobbler_can_network_connect $var_cobbler_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -224881,18 +224881,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P cobbler_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_use_cifs='' - - -setsebool -P cobbler_use_cifs $var_cobbler_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_use_cifs # promote to variable set_fact: var_cobbler_use_cifs: !!str @@ -224929,6 +224917,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_use_cifs='' + + +setsebool -P cobbler_use_cifs $var_cobbler_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -224946,18 +224946,6 @@ If this setting is enabled, it should be disabled. To disable the cobbler_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P cobbler_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cobbler_use_nfs='' - - -setsebool -P cobbler_use_nfs $var_cobbler_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cobbler_use_nfs # promote to variable set_fact: var_cobbler_use_nfs: !!str @@ -224994,6 +224982,18 @@ fi - medium_severity - no_reboot_needed - sebool_cobbler_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cobbler_use_nfs='' + + +setsebool -P cobbler_use_nfs $var_cobbler_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225011,18 +225011,6 @@ If this setting is enabled, it should be disabled. To disable the collectd_tcp_network_connect SELinux boolean, run the following command: $ sudo setsebool -P collectd_tcp_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_collectd_tcp_network_connect='' - - -setsebool -P collectd_tcp_network_connect $var_collectd_tcp_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_collectd_tcp_network_connect # promote to variable set_fact: var_collectd_tcp_network_connect: !!str 
@@ -225059,6 +225047,18 @@ fi - medium_severity - no_reboot_needed - sebool_collectd_tcp_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_collectd_tcp_network_connect='' + + +setsebool -P collectd_tcp_network_connect $var_collectd_tcp_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225076,18 +225076,6 @@ If this setting is enabled, it should be disabled. To disable the condor_tcp_network_connect SELinux boolean, run the following command: $ sudo setsebool -P condor_tcp_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_condor_tcp_network_connect='' - - -setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_condor_tcp_network_connect # promote to variable set_fact: var_condor_tcp_network_connect: !!str @@ -225124,6 +225112,18 @@ fi - medium_severity - no_reboot_needed - sebool_condor_tcp_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_condor_tcp_network_connect='' + + +setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225141,18 +225141,6 @@ If this setting is enabled, it should be disabled. To disable the conman_can_network SELinux boolean, run the following command: $ sudo setsebool -P conman_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_conman_can_network='' - - -setsebool -P conman_can_network $var_conman_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_conman_can_network # promote to variable set_fact: var_conman_can_network: !!str @@ -225189,6 +225177,18 @@ fi - medium_severity - no_reboot_needed - sebool_conman_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_conman_can_network='' + + +setsebool -P conman_can_network $var_conman_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225206,18 +225206,6 @@ If this setting is enabled, it should be disabled. To disable the container_connect_any SELinux boolean, run the following command: $ sudo setsebool -P container_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_container_connect_any='' - - -setsebool -P container_connect_any $var_container_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_container_connect_any # promote to variable set_fact: var_container_connect_any: !!str 
@@ -225254,6 +225242,18 @@ fi - medium_severity - no_reboot_needed - sebool_container_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_container_connect_any='' + + +setsebool -P container_connect_any $var_container_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225271,18 +225271,6 @@ If this setting is enabled, it should be disabled. To disable the cron_can_relabel SELinux boolean, run the following command: $ sudo setsebool -P cron_can_relabel off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cron_can_relabel='' - - -setsebool -P cron_can_relabel $var_cron_can_relabel - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cron_can_relabel # promote to variable set_fact: var_cron_can_relabel: !!str @@ -225319,6 +225307,18 @@ fi - medium_severity - no_reboot_needed - sebool_cron_can_relabel + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cron_can_relabel='' + + +setsebool -P cron_can_relabel $var_cron_can_relabel + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225336,18 +225336,6 @@ If this setting is enabled, it should be disabled. To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command: $ sudo setsebool -P cron_system_cronjob_use_shares off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cron_system_cronjob_use_shares='' - - -setsebool -P cron_system_cronjob_use_shares $var_cron_system_cronjob_use_shares - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cron_system_cronjob_use_shares # promote to variable set_fact: var_cron_system_cronjob_use_shares: !!str @@ -225384,6 +225372,18 @@ fi - medium_severity - no_reboot_needed - sebool_cron_system_cronjob_use_shares + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cron_system_cronjob_use_shares='' + + +setsebool -P cron_system_cronjob_use_shares $var_cron_system_cronjob_use_shares + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225402,18 +225402,6 @@ associated user domain(s) instead of the general cronjob domain. To enable the cron_userdomain_transition SELinux boolean, run the following command: $ sudo setsebool -P cron_userdomain_transition on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cron_userdomain_transition='' - - -setsebool -P cron_userdomain_transition $var_cron_userdomain_transition - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cron_userdomain_transition # promote to variable set_fact: var_cron_userdomain_transition: !!str 
@@ -225450,6 +225438,18 @@ fi - medium_severity - no_reboot_needed - sebool_cron_userdomain_transition + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cron_userdomain_transition='' + + +setsebool -P cron_userdomain_transition $var_cron_userdomain_transition + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225469,18 +225469,6 @@ To disable the cups_execmem SELinux boolean, run the foll BP28(R67) CCE-83306-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cups_execmem='' - - -setsebool -P cups_execmem $var_cups_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cups_execmem # promote to variable set_fact: var_cups_execmem: !!str @@ -225519,6 +225507,18 @@ fi - medium_severity - no_reboot_needed - sebool_cups_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cups_execmem='' + + +setsebool -P cups_execmem $var_cups_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225536,18 +225536,6 @@ If this setting is enabled, it should be disabled. To disable the cvs_read_shadow SELinux boolean, run the following command: $ sudo setsebool -P cvs_read_shadow off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_cvs_read_shadow='' - - -setsebool -P cvs_read_shadow $var_cvs_read_shadow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_cvs_read_shadow # promote to variable set_fact: var_cvs_read_shadow: !!str @@ -225584,6 +225572,18 @@ fi - medium_severity - no_reboot_needed - sebool_cvs_read_shadow + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_cvs_read_shadow='' + + +setsebool -P cvs_read_shadow $var_cvs_read_shadow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225601,18 +225601,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_dump_core SELinux boolean, run the following command: $ sudo setsebool -P daemons_dump_core off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_dump_core='' - - -setsebool -P daemons_dump_core $var_daemons_dump_core - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_dump_core # promote to variable set_fact: var_daemons_dump_core: !!str 
@@ -225649,6 +225637,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_dump_core + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_dump_core='' + + +setsebool -P daemons_dump_core $var_daemons_dump_core + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225666,18 +225666,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_enable_cluster_mode SELinux boolean, run the following command: $ sudo setsebool -P daemons_enable_cluster_mode off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_enable_cluster_mode='' - - -setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_enable_cluster_mode # promote to variable set_fact: var_daemons_enable_cluster_mode: !!str @@ -225714,6 +225702,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_enable_cluster_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_enable_cluster_mode='' + + +setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225731,18 +225731,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command: $ sudo setsebool -P daemons_use_tcp_wrapper off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_use_tcp_wrapper='' - - -setsebool -P daemons_use_tcp_wrapper $var_daemons_use_tcp_wrapper - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_use_tcp_wrapper # promote to variable set_fact: var_daemons_use_tcp_wrapper: !!str @@ -225779,6 +225767,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_use_tcp_wrapper + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_use_tcp_wrapper='' + + +setsebool -P daemons_use_tcp_wrapper $var_daemons_use_tcp_wrapper + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225796,18 +225796,6 @@ If this setting is enabled, it should be disabled. To disable the daemons_use_tty SELinux boolean, run the following command: $ sudo setsebool -P daemons_use_tty off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_daemons_use_tty='' - - -setsebool -P daemons_use_tty $var_daemons_use_tty - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_daemons_use_tty # promote to variable set_fact: var_daemons_use_tty: !!str 
@@ -225844,6 +225832,18 @@ fi - medium_severity - no_reboot_needed - sebool_daemons_use_tty + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_daemons_use_tty='' + + +setsebool -P daemons_use_tty $var_daemons_use_tty + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225861,18 +225861,6 @@ If this setting is disabled, it should be enabled. To enable the dbadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P dbadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dbadm_exec_content='' - - -setsebool -P dbadm_exec_content $var_dbadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dbadm_exec_content # promote to variable set_fact: var_dbadm_exec_content: !!str @@ -225909,6 +225897,18 @@ fi - medium_severity - no_reboot_needed - sebool_dbadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dbadm_exec_content='' + + +setsebool -P dbadm_exec_content $var_dbadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -225926,18 +225926,6 @@ If this setting is enabled, it should be disabled. To disable the dbadm_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P dbadm_manage_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dbadm_manage_user_files='' - - -setsebool -P dbadm_manage_user_files $var_dbadm_manage_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dbadm_manage_user_files # promote to variable set_fact: var_dbadm_manage_user_files: !!str @@ -225974,6 +225962,18 @@ fi - medium_severity - no_reboot_needed - sebool_dbadm_manage_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dbadm_manage_user_files='' + + +setsebool -P dbadm_manage_user_files $var_dbadm_manage_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -225991,18 +225991,6 @@ If this setting is enabled, it should be disabled. To disable the dbadm_read_user_files SELinux boolean, run the following command: $ sudo setsebool -P dbadm_read_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dbadm_read_user_files='' - - -setsebool -P dbadm_read_user_files $var_dbadm_read_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dbadm_read_user_files # promote to variable set_fact: var_dbadm_read_user_files: !!str 
@@ -226039,6 +226027,18 @@ fi - medium_severity - no_reboot_needed - sebool_dbadm_read_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dbadm_read_user_files='' + + +setsebool -P dbadm_read_user_files $var_dbadm_read_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226079,18 +226079,6 @@ If this setting is enabled, it should be disabled. To disable the deny_ptrace SELinux boolean, run the following command: $ sudo setsebool -P deny_ptrace off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_deny_ptrace='' - - -setsebool -P deny_ptrace $var_deny_ptrace - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_deny_ptrace # promote to variable set_fact: var_deny_ptrace: !!str @@ -226127,6 +226115,18 @@ fi - medium_severity - no_reboot_needed - sebool_deny_ptrace + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_deny_ptrace='' + + +setsebool -P deny_ptrace $var_deny_ptrace + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226144,18 +226144,6 @@ If this setting is enabled, it should be disabled. To disable the dhcpc_exec_iptables SELinux boolean, run the following command: $ sudo setsebool -P dhcpc_exec_iptables off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dhcpc_exec_iptables='' - - -setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dhcpc_exec_iptables # promote to variable set_fact: var_dhcpc_exec_iptables: !!str @@ -226192,6 +226180,18 @@ fi - medium_severity - no_reboot_needed - sebool_dhcpc_exec_iptables + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dhcpc_exec_iptables='' + + +setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226209,18 +226209,6 @@ If this setting is enabled, it should be disabled. To disable the dhcpd_use_ldap SELinux boolean, run the following command: $ sudo setsebool -P dhcpd_use_ldap off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_dhcpd_use_ldap='' - - -setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_dhcpd_use_ldap # promote to variable set_fact: var_dhcpd_use_ldap: !!str 
@@ -226257,6 +226245,18 @@ fi - medium_severity - no_reboot_needed - sebool_dhcpd_use_ldap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_dhcpd_use_ldap='' + + +setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226274,18 +226274,6 @@ If this setting is disabled, it should be enabled. To enable the domain_fd_use SELinux boolean, run the following command: $ sudo setsebool -P domain_fd_use on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_domain_fd_use='' - - -setsebool -P domain_fd_use $var_domain_fd_use - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_domain_fd_use # promote to variable set_fact: var_domain_fd_use: !!str @@ -226322,6 +226310,18 @@ fi - medium_severity - no_reboot_needed - sebool_domain_fd_use + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_domain_fd_use='' + + +setsebool -P domain_fd_use $var_domain_fd_use + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226339,18 +226339,6 @@ If this setting is enabled, it should be disabled. To disable the domain_kernel_load_modules SELinux boolean, run the following command: $ sudo setsebool -P domain_kernel_load_modules off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_domain_kernel_load_modules='' - - -setsebool -P domain_kernel_load_modules $var_domain_kernel_load_modules - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_domain_kernel_load_modules # promote to variable set_fact: var_domain_kernel_load_modules: !!str @@ -226387,6 +226375,18 @@ fi - medium_severity - no_reboot_needed - sebool_domain_kernel_load_modules + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_domain_kernel_load_modules='' + + +setsebool -P domain_kernel_load_modules $var_domain_kernel_load_modules + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226404,18 +226404,6 @@ This setting should be disabled as it uses audit input to generate entropy. To disable the entropyd_use_audio SELinux boolean, run the following command: $ sudo setsebool -P entropyd_use_audio off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_entropyd_use_audio='' - - -setsebool -P entropyd_use_audio $var_entropyd_use_audio - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_entropyd_use_audio # promote to variable set_fact: var_entropyd_use_audio: !!str 
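Review bot: the description context carried along in the entropyd_use_audio hunk reads "it uses audit input to generate entropy", but the boolean name and the command on the next line, `setsebool -P entropyd_use_audio off`, are about audio input; "audit" looks like a typo in the rule description and should read "audio" so readers are not led to believe this boolean touches the audit subsystem.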
@@ -226452,6 +226440,18 @@ fi - medium_severity - no_reboot_needed - sebool_entropyd_use_audio + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_entropyd_use_audio='' + + +setsebool -P entropyd_use_audio $var_entropyd_use_audio + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226469,18 +226469,6 @@ If this setting is enabled, it should be disabled. To disable the exim_can_connect_db SELinux boolean, run the following command: $ sudo setsebool -P exim_can_connect_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_exim_can_connect_db='' - - -setsebool -P exim_can_connect_db $var_exim_can_connect_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_exim_can_connect_db # promote to variable set_fact: var_exim_can_connect_db: !!str @@ -226517,6 +226505,18 @@ fi - medium_severity - no_reboot_needed - sebool_exim_can_connect_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_exim_can_connect_db='' + + +setsebool -P exim_can_connect_db $var_exim_can_connect_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226534,18 +226534,6 @@ If this setting is enabled, it should be disabled. To disable the exim_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P exim_manage_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_exim_manage_user_files='' - - -setsebool -P exim_manage_user_files $var_exim_manage_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_exim_manage_user_files # promote to variable set_fact: var_exim_manage_user_files: !!str @@ -226582,6 +226570,18 @@ fi - medium_severity - no_reboot_needed - sebool_exim_manage_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_exim_manage_user_files='' + + +setsebool -P exim_manage_user_files $var_exim_manage_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226599,18 +226599,6 @@ If this setting is enabled, it should be disabled. To disable the exim_read_user_files SELinux boolean, run the following command: $ sudo setsebool -P exim_read_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_exim_read_user_files='' - - -setsebool -P exim_read_user_files $var_exim_read_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_exim_read_user_files # promote to variable set_fact: var_exim_read_user_files: !!str 
@@ -226647,6 +226635,18 @@ fi - medium_severity - no_reboot_needed - sebool_exim_read_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_exim_read_user_files='' + + +setsebool -P exim_read_user_files $var_exim_read_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226664,18 +226664,6 @@ If this setting is enabled, it should be disabled. To disable the fcron_crond SELinux boolean, run the following command: $ sudo setsebool -P fcron_crond off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fcron_crond='' - - -setsebool -P fcron_crond $var_fcron_crond - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fcron_crond # promote to variable set_fact: var_fcron_crond: !!str @@ -226712,6 +226700,18 @@ fi - medium_severity - no_reboot_needed - sebool_fcron_crond + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fcron_crond='' + + +setsebool -P fcron_crond $var_fcron_crond + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -226729,18 +226729,6 @@ If this setting is enabled, it should be disabled. To disable the fenced_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P fenced_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fenced_can_network_connect='' - - -setsebool -P fenced_can_network_connect $var_fenced_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fenced_can_network_connect # promote to variable set_fact: var_fenced_can_network_connect: !!str @@ -226777,6 +226765,18 @@ fi - medium_severity - no_reboot_needed - sebool_fenced_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fenced_can_network_connect='' + + +setsebool -P fenced_can_network_connect $var_fenced_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226794,18 +226794,6 @@ If this setting is enabled, it should be disabled. To disable the fenced_can_ssh SELinux boolean, run the following command: $ sudo setsebool -P fenced_can_ssh off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fenced_can_ssh='' - - -setsebool -P fenced_can_ssh $var_fenced_can_ssh - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fenced_can_ssh # promote to variable set_fact: var_fenced_can_ssh: !!str 
@@ -226842,6 +226830,18 @@ fi - medium_severity - no_reboot_needed - sebool_fenced_can_ssh + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fenced_can_ssh='' + + +setsebool -P fenced_can_ssh $var_fenced_can_ssh + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226897,18 +226897,6 @@ To enable the fips_mode SELinux boolean, run the followin SC-12 PR.DS-5 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_fips_mode='' - - -setsebool -P fips_mode $var_fips_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_fips_mode # promote to variable set_fact: var_fips_mode: !!str @@ -226959,6 +226947,18 @@ fi - medium_severity - no_reboot_needed - sebool_fips_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_fips_mode='' + + +setsebool -P fips_mode $var_fips_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -226976,18 +226976,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P ftpd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_anon_write='' - - -setsebool -P ftpd_anon_write $var_ftpd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_anon_write # promote to variable set_fact: var_ftpd_anon_write: !!str 
@@ -227024,6 +227012,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_anon_write='' + + +setsebool -P ftpd_anon_write $var_ftpd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227041,18 +227041,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_connect_all_unreserved SELinux boolean, run the following command: $ sudo setsebool -P ftpd_connect_all_unreserved off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_connect_all_unreserved='' - - -setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_connect_all_unreserved # promote to variable set_fact: var_ftpd_connect_all_unreserved: !!str @@ -227089,6 +227077,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_connect_all_unreserved + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_connect_all_unreserved='' + + +setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227106,18 +227106,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_connect_db SELinux boolean, run the following command: $ sudo setsebool -P ftpd_connect_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_connect_db='' - - -setsebool -P ftpd_connect_db $var_ftpd_connect_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_connect_db # promote to variable set_fact: var_ftpd_connect_db: !!str @@ -227154,6 +227142,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_connect_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_connect_db='' + + +setsebool -P ftpd_connect_db $var_ftpd_connect_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227171,18 +227171,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_full_access SELinux boolean, run the following command: $ sudo setsebool -P ftpd_full_access off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_full_access='' - - -setsebool -P ftpd_full_access $var_ftpd_full_access - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_full_access # promote to variable set_fact: var_ftpd_full_access: !!str 
@@ -227219,6 +227207,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_full_access + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_full_access='' + + +setsebool -P ftpd_full_access $var_ftpd_full_access + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227236,18 +227236,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_cifs='' - - -setsebool -P ftpd_use_cifs $var_ftpd_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_cifs # promote to variable set_fact: var_ftpd_use_cifs: !!str @@ -227284,6 +227272,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_cifs='' + + +setsebool -P ftpd_use_cifs $var_ftpd_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227301,18 +227301,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_fusefs='' - - -setsebool -P ftpd_use_fusefs $var_ftpd_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_fusefs # promote to variable set_fact: var_ftpd_use_fusefs: !!str @@ -227349,6 +227337,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_fusefs='' + + +setsebool -P ftpd_use_fusefs $var_ftpd_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227366,18 +227366,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_nfs='' - - -setsebool -P ftpd_use_nfs $var_ftpd_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_nfs # promote to variable set_fact: var_ftpd_use_nfs: !!str 
@@ -227414,6 +227402,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_nfs='' + + +setsebool -P ftpd_use_nfs $var_ftpd_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227431,18 +227431,6 @@ If this setting is enabled, it should be disabled. To disable the ftpd_use_passive_mode SELinux boolean, run the following command: $ sudo setsebool -P ftpd_use_passive_mode off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ftpd_use_passive_mode='' - - -setsebool -P ftpd_use_passive_mode $var_ftpd_use_passive_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ftpd_use_passive_mode # promote to variable set_fact: var_ftpd_use_passive_mode: !!str @@ -227479,6 +227467,18 @@ fi - medium_severity - no_reboot_needed - sebool_ftpd_use_passive_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ftpd_use_passive_mode='' + + +setsebool -P ftpd_use_passive_mode $var_ftpd_use_passive_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227496,18 +227496,6 @@ If this setting is enabled, it should be disabled. To disable the git_cgi_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P git_cgi_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_cgi_enable_homedirs='' - - -setsebool -P git_cgi_enable_homedirs $var_git_cgi_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_cgi_enable_homedirs # promote to variable set_fact: var_git_cgi_enable_homedirs: !!str @@ -227544,6 +227532,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_cgi_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_cgi_enable_homedirs='' + + +setsebool -P git_cgi_enable_homedirs $var_git_cgi_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227561,18 +227561,6 @@ If this setting is enabled, it should be disabled. To disable the git_cgi_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P git_cgi_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_cgi_use_cifs='' - - -setsebool -P git_cgi_use_cifs $var_git_cgi_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_cgi_use_cifs # promote to variable set_fact: var_git_cgi_use_cifs: !!str 
@@ -227609,6 +227597,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_cgi_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_cgi_use_cifs='' + + +setsebool -P git_cgi_use_cifs $var_git_cgi_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227626,18 +227626,6 @@ If this setting is enabled, it should be disabled. To disable the git_cgi_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P git_cgi_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_cgi_use_nfs='' - - -setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_cgi_use_nfs # promote to variable set_fact: var_git_cgi_use_nfs: !!str @@ -227674,6 +227662,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_cgi_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_cgi_use_nfs='' + + +setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227691,18 +227691,6 @@ If this setting is enabled, it should be disabled. To disable the git_session_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P git_session_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_session_bind_all_unreserved_ports='' - - -setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_session_bind_all_unreserved_ports # promote to variable set_fact: var_git_session_bind_all_unreserved_ports: !!str @@ -227739,6 +227727,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_session_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_session_bind_all_unreserved_ports='' + + +setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227756,18 +227756,6 @@ If this setting is enabled, it should be disabled. To disable the git_session_users SELinux boolean, run the following command: $ sudo setsebool -P git_session_users off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_session_users='' - - -setsebool -P git_session_users $var_git_session_users - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_session_users # promote to variable set_fact: var_git_session_users: !!str 
@@ -227804,6 +227792,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_session_users + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_session_users='' + + +setsebool -P git_session_users $var_git_session_users + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227821,18 +227821,6 @@ If this setting is enabled, it should be disabled. To disable the git_system_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P git_system_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_system_enable_homedirs='' - - -setsebool -P git_system_enable_homedirs $var_git_system_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_system_enable_homedirs # promote to variable set_fact: var_git_system_enable_homedirs: !!str @@ -227869,6 +227857,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_system_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_system_enable_homedirs='' + + +setsebool -P git_system_enable_homedirs $var_git_system_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -227886,18 +227886,6 @@ If this setting is enabled, it should be disabled. To disable the git_system_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P git_system_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_system_use_cifs='' - - -setsebool -P git_system_use_cifs $var_git_system_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_system_use_cifs # promote to variable set_fact: var_git_system_use_cifs: !!str @@ -227934,6 +227922,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_system_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_system_use_cifs='' + + +setsebool -P git_system_use_cifs $var_git_system_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -227951,18 +227951,6 @@ If this setting is enabled, it should be disabled. To disable the git_system_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P git_system_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_git_system_use_nfs='' - - -setsebool -P git_system_use_nfs $var_git_system_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_git_system_use_nfs # promote to variable set_fact: var_git_system_use_nfs: !!str 
@@ -227999,6 +227987,18 @@ fi - medium_severity - no_reboot_needed - sebool_git_system_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_git_system_use_nfs='' + + +setsebool -P git_system_use_nfs $var_git_system_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228016,18 +228016,6 @@ If this setting is enabled, it should be disabled. To disable the gitosis_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P gitosis_can_sendmail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gitosis_can_sendmail='' - - -setsebool -P gitosis_can_sendmail $var_gitosis_can_sendmail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gitosis_can_sendmail # promote to variable set_fact: var_gitosis_can_sendmail: !!str @@ -228064,6 +228052,18 @@ fi - medium_severity - no_reboot_needed - sebool_gitosis_can_sendmail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gitosis_can_sendmail='' + + +setsebool -P gitosis_can_sendmail $var_gitosis_can_sendmail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228081,18 +228081,6 @@ If this setting is enabled, it should be disabled. To disable the glance_api_can_network SELinux boolean, run the following command: $ sudo setsebool -P glance_api_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_glance_api_can_network='' - - -setsebool -P glance_api_can_network $var_glance_api_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_glance_api_can_network # promote to variable set_fact: var_glance_api_can_network: !!str @@ -228129,6 +228117,18 @@ fi - medium_severity - no_reboot_needed - sebool_glance_api_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_glance_api_can_network='' + + +setsebool -P glance_api_can_network $var_glance_api_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228148,18 +228148,6 @@ To disable the glance_use_execmem SELinux boolean, run th BP28(R67) CCE-83308-7 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_glance_use_execmem='' - - -setsebool -P glance_use_execmem $var_glance_use_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_glance_use_execmem # promote to variable set_fact: var_glance_use_execmem: !!str 
@@ -228198,6 +228186,18 @@ fi - medium_severity - no_reboot_needed - sebool_glance_use_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_glance_use_execmem='' + + +setsebool -P glance_use_execmem $var_glance_use_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228215,18 +228215,6 @@ If this setting is enabled, it should be disabled. To disable the glance_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P glance_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_glance_use_fusefs='' - - -setsebool -P glance_use_fusefs $var_glance_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_glance_use_fusefs # promote to variable set_fact: var_glance_use_fusefs: !!str @@ -228263,6 +228251,18 @@ fi - medium_severity - no_reboot_needed - sebool_glance_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_glance_use_fusefs='' + + +setsebool -P glance_use_fusefs $var_glance_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228280,18 +228280,6 @@ If this setting is enabled, it should be disabled. To disable the global_ssp SELinux boolean, run the following command: $ sudo setsebool -P global_ssp off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_global_ssp='' - - -setsebool -P global_ssp $var_global_ssp - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_global_ssp # promote to variable set_fact: var_global_ssp: !!str @@ -228328,6 +228316,18 @@ fi - medium_severity - no_reboot_needed - sebool_global_ssp + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_global_ssp='' + + +setsebool -P global_ssp $var_global_ssp + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228345,18 +228345,6 @@ If this setting is enabled, it should be disabled. To disable the gluster_anon_write SELinux boolean, run the following command: $ sudo setsebool -P gluster_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gluster_anon_write='' - - -setsebool -P gluster_anon_write $var_gluster_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gluster_anon_write # promote to variable set_fact: var_gluster_anon_write: !!str 
@@ -228393,6 +228381,18 @@ fi - medium_severity - no_reboot_needed - sebool_gluster_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gluster_anon_write='' + + +setsebool -P gluster_anon_write $var_gluster_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228410,18 +228410,6 @@ If this setting is enabled, it should be disabled. To disable the gluster_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P gluster_export_all_ro off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gluster_export_all_ro='' - - -setsebool -P gluster_export_all_ro $var_gluster_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gluster_export_all_ro # promote to variable set_fact: var_gluster_export_all_ro: !!str @@ -228458,6 +228446,18 @@ fi - medium_severity - no_reboot_needed - sebool_gluster_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gluster_export_all_ro='' + + +setsebool -P gluster_export_all_ro $var_gluster_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228476,18 +228476,6 @@ disable it. To disable the gluster_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P gluster_export_all_rw off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gluster_export_all_rw='' - - -setsebool -P gluster_export_all_rw $var_gluster_export_all_rw - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gluster_export_all_rw # promote to variable set_fact: var_gluster_export_all_rw: !!str @@ -228524,6 +228512,18 @@ fi - medium_severity - no_reboot_needed - sebool_gluster_export_all_rw + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gluster_export_all_rw='' + + +setsebool -P gluster_export_all_rw $var_gluster_export_all_rw + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228541,18 +228541,6 @@ If this setting is enabled, it should be disabled. To disable the gpg_web_anon_write SELinux boolean, run the following command: $ sudo setsebool -P gpg_web_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gpg_web_anon_write='' - - -setsebool -P gpg_web_anon_write $var_gpg_web_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gpg_web_anon_write # promote to variable set_fact: var_gpg_web_anon_write: !!str 
@@ -228589,6 +228577,18 @@ fi - medium_severity - no_reboot_needed - sebool_gpg_web_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gpg_web_anon_write='' + + +setsebool -P gpg_web_anon_write $var_gpg_web_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228608,18 +228608,6 @@ be enabled. To enable the gssd_read_tmp SELinux boolean, run the following command: $ sudo setsebool -P gssd_read_tmp on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_gssd_read_tmp='' - - -setsebool -P gssd_read_tmp $var_gssd_read_tmp - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_gssd_read_tmp # promote to variable set_fact: var_gssd_read_tmp: !!str @@ -228656,6 +228644,18 @@ fi - medium_severity - no_reboot_needed - sebool_gssd_read_tmp + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_gssd_read_tmp='' + + +setsebool -P gssd_read_tmp $var_gssd_read_tmp + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228673,18 +228673,6 @@ This setting should be disabled as no guest accounts should be used. To disable the guest_exec_content SELinux boolean, run the following command: $ sudo setsebool -P guest_exec_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_guest_exec_content='' - - -setsebool -P guest_exec_content $var_guest_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_guest_exec_content # promote to variable set_fact: var_guest_exec_content: !!str @@ -228721,6 +228709,18 @@ fi - medium_severity - no_reboot_needed - sebool_guest_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_guest_exec_content='' + + +setsebool -P guest_exec_content $var_guest_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228738,18 +228738,6 @@ If this setting is enabled, it should be disabled. To disable the haproxy_connect_any SELinux boolean, run the following command: $ sudo setsebool -P haproxy_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_haproxy_connect_any='' - - -setsebool -P haproxy_connect_any $var_haproxy_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_haproxy_connect_any # promote to variable set_fact: var_haproxy_connect_any: !!str 
@@ -228786,6 +228774,18 @@ fi - medium_severity - no_reboot_needed - sebool_haproxy_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_haproxy_connect_any='' + + +setsebool -P haproxy_connect_any $var_haproxy_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228803,18 +228803,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P httpd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_anon_write='' - - -setsebool -P httpd_anon_write $var_httpd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_anon_write # promote to variable set_fact: var_httpd_anon_write: !!str @@ -228851,6 +228839,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_anon_write='' + + +setsebool -P httpd_anon_write $var_httpd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -228869,18 +228869,6 @@ or some similary scripting language. To disable the httpd_builtin_scripting SELinux boolean, run the following command: $ sudo setsebool -P httpd_builtin_scripting off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_builtin_scripting='' - - -setsebool -P httpd_builtin_scripting $var_httpd_builtin_scripting - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_builtin_scripting # promote to variable set_fact: var_httpd_builtin_scripting: !!str @@ -228917,6 +228905,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_builtin_scripting + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_builtin_scripting='' + + +setsebool -P httpd_builtin_scripting $var_httpd_builtin_scripting + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228934,18 +228934,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_check_spam SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_check_spam off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_check_spam='' - - -setsebool -P httpd_can_check_spam $var_httpd_can_check_spam - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_check_spam # promote to variable set_fact: var_httpd_can_check_spam: !!str 
@@ -228982,6 +228970,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_check_spam + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_check_spam='' + + +setsebool -P httpd_can_check_spam $var_httpd_can_check_spam + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -228999,18 +228999,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ftp SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_ftp off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_ftp='' - - -setsebool -P httpd_can_connect_ftp $var_httpd_can_connect_ftp - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_ftp # promote to variable set_fact: var_httpd_can_connect_ftp: !!str @@ -229047,6 +229035,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_ftp + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_ftp='' + + +setsebool -P httpd_can_connect_ftp $var_httpd_can_connect_ftp + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229064,18 +229064,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ldap SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_ldap off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_ldap='' - - -setsebool -P httpd_can_connect_ldap $var_httpd_can_connect_ldap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_ldap # promote to variable set_fact: var_httpd_can_connect_ldap: !!str @@ -229112,6 +229100,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_ldap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_ldap='' + + +setsebool -P httpd_can_connect_ldap $var_httpd_can_connect_ldap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229129,18 +229129,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_mythtv SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_mythtv off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_mythtv='' - - -setsebool -P httpd_can_connect_mythtv $var_httpd_can_connect_mythtv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_mythtv # promote to variable set_fact: var_httpd_can_connect_mythtv: !!str 
@@ -229177,6 +229165,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_mythtv + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_mythtv='' + + +setsebool -P httpd_can_connect_mythtv $var_httpd_can_connect_mythtv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229194,18 +229194,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_connect_zabbix SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_connect_zabbix off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_connect_zabbix='' - - -setsebool -P httpd_can_connect_zabbix $var_httpd_can_connect_zabbix - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_connect_zabbix # promote to variable set_fact: var_httpd_can_connect_zabbix: !!str @@ -229242,6 +229230,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_connect_zabbix + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_connect_zabbix='' + + +setsebool -P httpd_can_connect_zabbix $var_httpd_can_connect_zabbix + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229259,18 +229259,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_connect='' - - -setsebool -P httpd_can_network_connect $var_httpd_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_connect # promote to variable set_fact: var_httpd_can_network_connect: !!str @@ -229307,6 +229295,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_connect='' + + +setsebool -P httpd_can_network_connect $var_httpd_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229324,18 +229324,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_connect_cobbler off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_connect_cobbler='' - - -setsebool -P httpd_can_network_connect_cobbler $var_httpd_can_network_connect_cobbler - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_connect_cobbler # promote to variable set_fact: var_httpd_can_network_connect_cobbler: !!str 
@@ -229372,6 +229360,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_connect_cobbler + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_connect_cobbler='' + + +setsebool -P httpd_can_network_connect_cobbler $var_httpd_can_network_connect_cobbler + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229389,18 +229389,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_db SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_connect_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_connect_db='' - - -setsebool -P httpd_can_network_connect_db $var_httpd_can_network_connect_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_connect_db # promote to variable set_fact: var_httpd_can_network_connect_db: !!str @@ -229437,6 +229425,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_connect_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_connect_db='' + + +setsebool -P httpd_can_network_connect_db $var_httpd_can_network_connect_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229454,18 +229454,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_memcache SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_memcache off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_memcache='' - - -setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_memcache # promote to variable set_fact: var_httpd_can_network_memcache: !!str @@ -229502,6 +229490,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_memcache + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_memcache='' + + +setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229519,18 +229519,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_network_relay SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_network_relay off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_network_relay='' - - -setsebool -P httpd_can_network_relay $var_httpd_can_network_relay - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_network_relay # promote to variable set_fact: var_httpd_can_network_relay: !!str 
@@ -229567,6 +229555,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_network_relay + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_network_relay='' + + +setsebool -P httpd_can_network_relay $var_httpd_can_network_relay + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229584,18 +229584,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P httpd_can_sendmail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_can_sendmail='' - - -setsebool -P httpd_can_sendmail $var_httpd_can_sendmail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_can_sendmail # promote to variable set_fact: var_httpd_can_sendmail: !!str @@ -229632,6 +229620,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_can_sendmail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_can_sendmail='' + + +setsebool -P httpd_can_sendmail $var_httpd_can_sendmail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229649,18 +229649,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_dbus_avahi SELinux boolean, run the following command: $ sudo setsebool -P httpd_dbus_avahi off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_dbus_avahi='' - - -setsebool -P httpd_dbus_avahi $var_httpd_dbus_avahi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_dbus_avahi # promote to variable set_fact: var_httpd_dbus_avahi: !!str @@ -229697,6 +229685,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_dbus_avahi + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_dbus_avahi='' + + +setsebool -P httpd_dbus_avahi $var_httpd_dbus_avahi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229714,18 +229714,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_dbus_sssd SELinux boolean, run the following command: $ sudo setsebool -P httpd_dbus_sssd off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_dbus_sssd='' - - -setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_dbus_sssd # promote to variable set_fact: var_httpd_dbus_sssd: !!str 
@@ -229762,6 +229750,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_dbus_sssd + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_dbus_sssd='' + + +setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229779,18 +229779,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command: $ sudo setsebool -P httpd_dontaudit_search_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_dontaudit_search_dirs='' - - -setsebool -P httpd_dontaudit_search_dirs $var_httpd_dontaudit_search_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_dontaudit_search_dirs # promote to variable set_fact: var_httpd_dontaudit_search_dirs: !!str @@ -229827,6 +229815,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_dontaudit_search_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_dontaudit_search_dirs='' + + +setsebool -P httpd_dontaudit_search_dirs $var_httpd_dontaudit_search_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -229845,18 +229845,6 @@ scripting. To disable the httpd_enable_cgi SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_cgi off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_enable_cgi='' - - -setsebool -P httpd_enable_cgi $var_httpd_enable_cgi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_enable_cgi # promote to variable set_fact: var_httpd_enable_cgi: !!str @@ -229893,6 +229881,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_enable_cgi + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_enable_cgi='' + + +setsebool -P httpd_enable_cgi $var_httpd_enable_cgi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229910,18 +229910,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_enable_ftp_server SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_ftp_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_enable_ftp_server='' - - -setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_enable_ftp_server # promote to variable set_fact: var_httpd_enable_ftp_server: !!str 
@@ -229958,6 +229946,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_enable_ftp_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_enable_ftp_server='' + + +setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -229975,18 +229975,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P httpd_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_enable_homedirs='' - - -setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_enable_homedirs # promote to variable set_fact: var_httpd_enable_homedirs: !!str @@ -230023,6 +230011,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_enable_homedirs='' + + +setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230042,18 +230042,6 @@ To disable the httpd_execmem SELinux boolean, run the fol BP28(R67) CCE-83309-5 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_execmem='' - - -setsebool -P httpd_execmem $var_httpd_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_execmem # promote to variable set_fact: var_httpd_execmem: !!str @@ -230092,6 +230080,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_execmem='' + + +setsebool -P httpd_execmem $var_httpd_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230109,18 +230109,6 @@ If this setting is disabled, it should be enabled. To enable the httpd_graceful_shutdown SELinux boolean, run the following command: $ sudo setsebool -P httpd_graceful_shutdown on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_graceful_shutdown='' - - -setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_graceful_shutdown # promote to variable set_fact: var_httpd_graceful_shutdown: !!str 
@@ -230157,6 +230145,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_graceful_shutdown + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_graceful_shutdown='' + + +setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230174,18 +230174,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_manage_ipa SELinux boolean, run the following command: $ sudo setsebool -P httpd_manage_ipa off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_manage_ipa='' - - -setsebool -P httpd_manage_ipa $var_httpd_manage_ipa - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_manage_ipa # promote to variable set_fact: var_httpd_manage_ipa: !!str @@ -230222,6 +230210,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_manage_ipa + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_manage_ipa='' + + +setsebool -P httpd_manage_ipa $var_httpd_manage_ipa + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230239,18 +230239,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command: $ sudo setsebool -P httpd_mod_auth_ntlm_winbind off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_mod_auth_ntlm_winbind='' - - -setsebool -P httpd_mod_auth_ntlm_winbind $var_httpd_mod_auth_ntlm_winbind - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_mod_auth_ntlm_winbind # promote to variable set_fact: var_httpd_mod_auth_ntlm_winbind: !!str @@ -230287,6 +230275,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_mod_auth_ntlm_winbind + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_mod_auth_ntlm_winbind='' + + +setsebool -P httpd_mod_auth_ntlm_winbind $var_httpd_mod_auth_ntlm_winbind + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230304,18 +230304,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_pam SELinux boolean, run the following command: $ sudo setsebool -P httpd_mod_auth_pam off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_mod_auth_pam='' - - -setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_mod_auth_pam # promote to variable set_fact: var_httpd_mod_auth_pam: !!str 
@@ -230352,6 +230340,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_mod_auth_pam + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_mod_auth_pam='' + + +setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230369,18 +230369,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_read_user_content SELinux boolean, run the following command: $ sudo setsebool -P httpd_read_user_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_read_user_content='' - - -setsebool -P httpd_read_user_content $var_httpd_read_user_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_read_user_content # promote to variable set_fact: var_httpd_read_user_content: !!str @@ -230417,6 +230405,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_read_user_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_read_user_content='' + + +setsebool -P httpd_read_user_content $var_httpd_read_user_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230434,18 +230434,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_run_ipa SELinux boolean, run the following command: $ sudo setsebool -P httpd_run_ipa off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_run_ipa='' - - -setsebool -P httpd_run_ipa $var_httpd_run_ipa - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_run_ipa # promote to variable set_fact: var_httpd_run_ipa: !!str @@ -230482,6 +230470,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_run_ipa + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_run_ipa='' + + +setsebool -P httpd_run_ipa $var_httpd_run_ipa + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230499,18 +230499,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_run_preupgrade SELinux boolean, run the following command: $ sudo setsebool -P httpd_run_preupgrade off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_run_preupgrade='' - - -setsebool -P httpd_run_preupgrade $var_httpd_run_preupgrade - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_run_preupgrade # promote to variable set_fact: var_httpd_run_preupgrade: !!str 
@@ -230547,6 +230535,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_run_preupgrade + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_run_preupgrade='' + + +setsebool -P httpd_run_preupgrade $var_httpd_run_preupgrade + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230564,18 +230564,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_run_stickshift SELinux boolean, run the following command: $ sudo setsebool -P httpd_run_stickshift off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_run_stickshift='' - - -setsebool -P httpd_run_stickshift $var_httpd_run_stickshift - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_run_stickshift # promote to variable set_fact: var_httpd_run_stickshift: !!str @@ -230612,6 +230600,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_run_stickshift + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_run_stickshift='' + + +setsebool -P httpd_run_stickshift $var_httpd_run_stickshift + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230629,18 +230629,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_serve_cobbler_files SELinux boolean, run the following command: $ sudo setsebool -P httpd_serve_cobbler_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_serve_cobbler_files='' - - -setsebool -P httpd_serve_cobbler_files $var_httpd_serve_cobbler_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_serve_cobbler_files # promote to variable set_fact: var_httpd_serve_cobbler_files: !!str @@ -230677,6 +230665,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_serve_cobbler_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_serve_cobbler_files='' + + +setsebool -P httpd_serve_cobbler_files $var_httpd_serve_cobbler_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230694,18 +230694,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_setrlimit SELinux boolean, run the following command: $ sudo setsebool -P httpd_setrlimit off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_setrlimit='' - - -setsebool -P httpd_setrlimit $var_httpd_setrlimit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_setrlimit # promote to variable set_fact: var_httpd_setrlimit: !!str 
@@ -230742,6 +230730,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_setrlimit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_setrlimit='' + + +setsebool -P httpd_setrlimit $var_httpd_setrlimit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230759,18 +230759,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_ssi_exec SELinux boolean, run the following command: $ sudo setsebool -P httpd_ssi_exec off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_ssi_exec='' - - -setsebool -P httpd_ssi_exec $var_httpd_ssi_exec - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_ssi_exec # promote to variable set_fact: var_httpd_ssi_exec: !!str @@ -230807,6 +230795,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_ssi_exec + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_ssi_exec='' + + +setsebool -P httpd_ssi_exec $var_httpd_ssi_exec + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -230824,18 +230824,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_sys_script_anon_write SELinux boolean, run the following command: $ sudo setsebool -P httpd_sys_script_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_sys_script_anon_write='' - - -setsebool -P httpd_sys_script_anon_write $var_httpd_sys_script_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_sys_script_anon_write # promote to variable set_fact: var_httpd_sys_script_anon_write: !!str @@ -230872,6 +230860,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_sys_script_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_sys_script_anon_write='' + + +setsebool -P httpd_sys_script_anon_write $var_httpd_sys_script_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230889,18 +230889,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_tmp_exec SELinux boolean, run the following command: $ sudo setsebool -P httpd_tmp_exec off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_tmp_exec='' - - -setsebool -P httpd_tmp_exec $var_httpd_tmp_exec - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_tmp_exec # promote to variable set_fact: var_httpd_tmp_exec: !!str 
@@ -230937,6 +230925,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_tmp_exec + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_tmp_exec='' + + +setsebool -P httpd_tmp_exec $var_httpd_tmp_exec + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -230954,18 +230954,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_tty_comm SELinux boolean, run the following command: $ sudo setsebool -P httpd_tty_comm off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_tty_comm='' - - -setsebool -P httpd_tty_comm $var_httpd_tty_comm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_tty_comm # promote to variable set_fact: var_httpd_tty_comm: !!str @@ -231002,6 +230990,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_tty_comm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_tty_comm='' + + +setsebool -P httpd_tty_comm $var_httpd_tty_comm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231019,18 +231019,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_unified SELinux boolean, run the following command: $ sudo setsebool -P httpd_unified off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_unified='' - - -setsebool -P httpd_unified $var_httpd_unified - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_unified # promote to variable set_fact: var_httpd_unified: !!str @@ -231067,6 +231055,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_unified + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_unified='' + + +setsebool -P httpd_unified $var_httpd_unified + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231084,18 +231084,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_cifs='' - - -setsebool -P httpd_use_cifs $var_httpd_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_cifs # promote to variable set_fact: var_httpd_use_cifs: !!str 
@@ -231132,6 +231120,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_cifs='' + + +setsebool -P httpd_use_cifs $var_httpd_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231149,18 +231149,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_fusefs='' - - -setsebool -P httpd_use_fusefs $var_httpd_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_fusefs # promote to variable set_fact: var_httpd_use_fusefs: !!str @@ -231197,6 +231185,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_fusefs='' + + +setsebool -P httpd_use_fusefs $var_httpd_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231214,18 +231214,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_gpg SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_gpg off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_gpg='' - - -setsebool -P httpd_use_gpg $var_httpd_use_gpg - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_gpg # promote to variable set_fact: var_httpd_use_gpg: !!str @@ -231262,6 +231250,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_gpg + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_gpg='' + + +setsebool -P httpd_use_gpg $var_httpd_use_gpg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231279,18 +231279,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_nfs='' - - -setsebool -P httpd_use_nfs $var_httpd_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_nfs # promote to variable set_fact: var_httpd_use_nfs: !!str 
@@ -231327,6 +231315,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_nfs='' + + +setsebool -P httpd_use_nfs $var_httpd_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231344,18 +231344,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_openstack SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_openstack off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_openstack='' - - -setsebool -P httpd_use_openstack $var_httpd_use_openstack - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_openstack # promote to variable set_fact: var_httpd_use_openstack: !!str @@ -231392,6 +231380,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_openstack + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_openstack='' + + +setsebool -P httpd_use_openstack $var_httpd_use_openstack + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231409,18 +231409,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_use_sasl SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_sasl off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_use_sasl='' - - -setsebool -P httpd_use_sasl $var_httpd_use_sasl - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_use_sasl # promote to variable set_fact: var_httpd_use_sasl: !!str @@ -231457,6 +231445,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_use_sasl + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_use_sasl='' + + +setsebool -P httpd_use_sasl $var_httpd_use_sasl + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231474,18 +231474,6 @@ If this setting is enabled, it should be disabled. To disable the httpd_verify_dns SELinux boolean, run the following command: $ sudo setsebool -P httpd_verify_dns off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_httpd_verify_dns='' - - -setsebool -P httpd_verify_dns $var_httpd_verify_dns - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_httpd_verify_dns # promote to variable set_fact: var_httpd_verify_dns: !!str 
@@ -231522,6 +231510,18 @@ fi - medium_severity - no_reboot_needed - sebool_httpd_verify_dns + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_httpd_verify_dns='' + + +setsebool -P httpd_verify_dns $var_httpd_verify_dns + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231539,18 +231539,6 @@ If this setting is enabled, it should be disabled. To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command: $ sudo setsebool -P icecast_use_any_tcp_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_icecast_use_any_tcp_ports='' - - -setsebool -P icecast_use_any_tcp_ports $var_icecast_use_any_tcp_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_icecast_use_any_tcp_ports # promote to variable set_fact: var_icecast_use_any_tcp_ports: !!str @@ -231587,6 +231575,18 @@ fi - medium_severity - no_reboot_needed - sebool_icecast_use_any_tcp_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_icecast_use_any_tcp_ports='' + + +setsebool -P icecast_use_any_tcp_ports $var_icecast_use_any_tcp_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231604,18 +231604,6 @@ If this setting is enabled, it should be disabled. To disable the irc_use_any_tcp_ports SELinux boolean, run the following command: $ sudo setsebool -P irc_use_any_tcp_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_irc_use_any_tcp_ports='' - - -setsebool -P irc_use_any_tcp_ports $var_irc_use_any_tcp_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_irc_use_any_tcp_ports # promote to variable set_fact: var_irc_use_any_tcp_ports: !!str @@ -231652,6 +231640,18 @@ fi - medium_severity - no_reboot_needed - sebool_irc_use_any_tcp_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_irc_use_any_tcp_ports='' + + +setsebool -P irc_use_any_tcp_ports $var_irc_use_any_tcp_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231669,18 +231669,6 @@ If this setting is enabled, it should be disabled. To disable the irssi_use_full_network SELinux boolean, run the following command: $ sudo setsebool -P irssi_use_full_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_irssi_use_full_network='' - - -setsebool -P irssi_use_full_network $var_irssi_use_full_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_irssi_use_full_network # promote to variable set_fact: var_irssi_use_full_network: !!str 
@@ -231717,6 +231705,18 @@ fi - medium_severity - no_reboot_needed - sebool_irssi_use_full_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_irssi_use_full_network='' + + +setsebool -P irssi_use_full_network $var_irssi_use_full_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231734,18 +231734,6 @@ If this setting is enabled, it should be disabled. To disable the kdumpgui_run_bootloader SELinux boolean, run the following command: $ sudo setsebool -P kdumpgui_run_bootloader off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_kdumpgui_run_bootloader='' - - -setsebool -P kdumpgui_run_bootloader $var_kdumpgui_run_bootloader - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_kdumpgui_run_bootloader # promote to variable set_fact: var_kdumpgui_run_bootloader: !!str @@ -231782,6 +231770,18 @@ fi - medium_severity - no_reboot_needed - sebool_kdumpgui_run_bootloader + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_kdumpgui_run_bootloader='' + + +setsebool -P kdumpgui_run_bootloader $var_kdumpgui_run_bootloader + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -231804,18 +231804,6 @@ To enable the kerberos_enabled SELinux boolean, run the f 1402 CCE-84293-0 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_kerberos_enabled='' - - -setsebool -P kerberos_enabled $var_kerberos_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_kerberos_enabled # promote to variable set_fact: var_kerberos_enabled: !!str @@ -231854,6 +231842,18 @@ fi - medium_severity - no_reboot_needed - sebool_kerberos_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_kerberos_enabled='' + + +setsebool -P kerberos_enabled $var_kerberos_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231871,18 +231871,6 @@ If this setting is enabled, it should be disabled. To disable the ksmtuned_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P ksmtuned_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ksmtuned_use_cifs='' - - -setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ksmtuned_use_cifs # promote to variable set_fact: var_ksmtuned_use_cifs: !!str 
@@ -231919,6 +231907,18 @@ fi - medium_severity - no_reboot_needed - sebool_ksmtuned_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ksmtuned_use_cifs='' + + +setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -231936,18 +231936,6 @@ If this setting is enabled, it should be disabled. To disable the ksmtuned_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P ksmtuned_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ksmtuned_use_nfs='' - - -setsebool -P ksmtuned_use_nfs $var_ksmtuned_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ksmtuned_use_nfs # promote to variable set_fact: var_ksmtuned_use_nfs: !!str @@ -231984,6 +231972,18 @@ fi - medium_severity - no_reboot_needed - sebool_ksmtuned_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ksmtuned_use_nfs='' + + +setsebool -P ksmtuned_use_nfs $var_ksmtuned_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232001,18 +232001,6 @@ If this setting is disabled, it should be enabled. To enable the logadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P logadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logadm_exec_content='' - - -setsebool -P logadm_exec_content $var_logadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logadm_exec_content # promote to variable set_fact: var_logadm_exec_content: !!str @@ -232049,6 +232037,18 @@ fi - medium_severity - no_reboot_needed - sebool_logadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logadm_exec_content='' + + +setsebool -P logadm_exec_content $var_logadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232066,18 +232066,6 @@ If this setting is enabled, it should be disabled. To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_can_sendmail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logging_syslogd_can_sendmail='' - - -setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logging_syslogd_can_sendmail # promote to variable set_fact: var_logging_syslogd_can_sendmail: !!str 
@@ -232114,6 +232102,18 @@ fi - medium_severity - no_reboot_needed - sebool_logging_syslogd_can_sendmail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logging_syslogd_can_sendmail='' + + +setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232131,18 +232131,6 @@ If this setting is enabled, it should be disabled. To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_run_nagios_plugins off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logging_syslogd_run_nagios_plugins='' - - -setsebool -P logging_syslogd_run_nagios_plugins $var_logging_syslogd_run_nagios_plugins - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logging_syslogd_run_nagios_plugins # promote to variable set_fact: var_logging_syslogd_run_nagios_plugins: !!str @@ -232179,6 +232167,18 @@ fi - medium_severity - no_reboot_needed - sebool_logging_syslogd_run_nagios_plugins + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logging_syslogd_run_nagios_plugins='' + + +setsebool -P logging_syslogd_run_nagios_plugins $var_logging_syslogd_run_nagios_plugins + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232197,18 +232197,6 @@ the ability to read/write to terminal. To enable the logging_syslogd_use_tty SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_use_tty on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logging_syslogd_use_tty='' - - -setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logging_syslogd_use_tty # promote to variable set_fact: var_logging_syslogd_use_tty: !!str @@ -232245,6 +232233,18 @@ fi - medium_severity - no_reboot_needed - sebool_logging_syslogd_use_tty + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logging_syslogd_use_tty='' + + +setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232263,18 +232263,6 @@ If this setting is disabled, it should be enabled as it allows login from To enable the login_console_enabled SELinux boolean, run the following command: $ sudo setsebool -P login_console_enabled on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_login_console_enabled='' - - -setsebool -P login_console_enabled $var_login_console_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_login_console_enabled # promote to variable set_fact: var_login_console_enabled: !!str 
@@ -232311,6 +232299,18 @@ fi - medium_severity - no_reboot_needed - sebool_login_console_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_login_console_enabled='' + + +setsebool -P login_console_enabled $var_login_console_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232328,18 +232328,6 @@ If this setting is enabled, it should be disabled. To disable the logrotate_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P logrotate_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logrotate_use_nfs='' - - -setsebool -P logrotate_use_nfs $var_logrotate_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logrotate_use_nfs # promote to variable set_fact: var_logrotate_use_nfs: !!str @@ -232376,6 +232364,18 @@ fi - medium_severity - no_reboot_needed - sebool_logrotate_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logrotate_use_nfs='' + + +setsebool -P logrotate_use_nfs $var_logrotate_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232393,18 +232393,6 @@ If this setting is enabled, it should be disabled. To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command: $ sudo setsebool -P logwatch_can_network_connect_mail off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_logwatch_can_network_connect_mail='' - - -setsebool -P logwatch_can_network_connect_mail $var_logwatch_can_network_connect_mail - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_logwatch_can_network_connect_mail # promote to variable set_fact: var_logwatch_can_network_connect_mail: !!str @@ -232441,6 +232429,18 @@ fi - medium_severity - no_reboot_needed - sebool_logwatch_can_network_connect_mail + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_logwatch_can_network_connect_mail='' + + +setsebool -P logwatch_can_network_connect_mail $var_logwatch_can_network_connect_mail + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232458,18 +232458,6 @@ If this setting is enabled, it should be disabled. To disable the lsmd_plugin_connect_any SELinux boolean, run the following command: $ sudo setsebool -P lsmd_plugin_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_lsmd_plugin_connect_any='' - - -setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_lsmd_plugin_connect_any # promote to variable set_fact: var_lsmd_plugin_connect_any: !!str 
@@ -232506,6 +232494,18 @@ fi - medium_severity - no_reboot_needed - sebool_lsmd_plugin_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_lsmd_plugin_connect_any='' + + +setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232523,18 +232523,6 @@ If this setting is enabled, it should be disabled. To disable the mailman_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P mailman_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mailman_use_fusefs='' - - -setsebool -P mailman_use_fusefs $var_mailman_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mailman_use_fusefs # promote to variable set_fact: var_mailman_use_fusefs: !!str @@ -232571,6 +232559,18 @@ fi - medium_severity - no_reboot_needed - sebool_mailman_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mailman_use_fusefs='' + + +setsebool -P mailman_use_fusefs $var_mailman_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232588,18 +232588,6 @@ If this setting is enabled, it should be disabled. To disable the mcelog_client SELinux boolean, run the following command: $ sudo setsebool -P mcelog_client off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_client='' - - -setsebool -P mcelog_client $var_mcelog_client - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_client # promote to variable set_fact: var_mcelog_client: !!str @@ -232636,6 +232624,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_client + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_client='' + + +setsebool -P mcelog_client $var_mcelog_client + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232653,18 +232653,6 @@ If this setting is disabled, it should be enabled. To enable the mcelog_exec_scripts SELinux boolean, run the following command: $ sudo setsebool -P mcelog_exec_scripts on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_exec_scripts='' - - -setsebool -P mcelog_exec_scripts $var_mcelog_exec_scripts - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_exec_scripts # promote to variable set_fact: var_mcelog_exec_scripts: !!str 
@@ -232701,6 +232689,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_exec_scripts + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_exec_scripts='' + + +setsebool -P mcelog_exec_scripts $var_mcelog_exec_scripts + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232718,18 +232718,6 @@ If this setting is enabled, it should be disabled. To disable the mcelog_foreground SELinux boolean, run the following command: $ sudo setsebool -P mcelog_foreground off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_foreground='' - - -setsebool -P mcelog_foreground $var_mcelog_foreground - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_foreground # promote to variable set_fact: var_mcelog_foreground: !!str @@ -232766,6 +232754,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_foreground + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_foreground='' + + +setsebool -P mcelog_foreground $var_mcelog_foreground + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232783,18 +232783,6 @@ If this setting is enabled, it should be disabled. To disable the mcelog_server SELinux boolean, run the following command: $ sudo setsebool -P mcelog_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mcelog_server='' - - -setsebool -P mcelog_server $var_mcelog_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mcelog_server # promote to variable set_fact: var_mcelog_server: !!str @@ -232831,6 +232819,18 @@ fi - medium_severity - no_reboot_needed - sebool_mcelog_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mcelog_server='' + + +setsebool -P mcelog_server $var_mcelog_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232848,18 +232848,6 @@ If this setting is enabled, it should be disabled. To disable the minidlna_read_generic_user_content SELinux boolean, run the following command: $ sudo setsebool -P minidlna_read_generic_user_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_minidlna_read_generic_user_content='' - - -setsebool -P minidlna_read_generic_user_content $var_minidlna_read_generic_user_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_minidlna_read_generic_user_content # promote to variable set_fact: var_minidlna_read_generic_user_content: !!str 
@@ -232896,6 +232884,18 @@ fi - medium_severity - no_reboot_needed - sebool_minidlna_read_generic_user_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_minidlna_read_generic_user_content='' + + +setsebool -P minidlna_read_generic_user_content $var_minidlna_read_generic_user_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -232913,18 +232913,6 @@ If this setting is enabled, it should be disabled. To disable the mmap_low_allowed SELinux boolean, run the following command: $ sudo setsebool -P mmap_low_allowed off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mmap_low_allowed='' - - -setsebool -P mmap_low_allowed $var_mmap_low_allowed - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mmap_low_allowed # promote to variable set_fact: var_mmap_low_allowed: !!str @@ -232961,6 +232949,18 @@ fi - medium_severity - no_reboot_needed - sebool_mmap_low_allowed + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mmap_low_allowed='' + + +setsebool -P mmap_low_allowed $var_mmap_low_allowed + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -232978,18 +232978,6 @@ If this setting is enabled, it should be disabled. To disable the mock_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P mock_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mock_enable_homedirs='' - - -setsebool -P mock_enable_homedirs $var_mock_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mock_enable_homedirs # promote to variable set_fact: var_mock_enable_homedirs: !!str @@ -233026,6 +233014,18 @@ fi - medium_severity - no_reboot_needed - sebool_mock_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mock_enable_homedirs='' + + +setsebool -P mock_enable_homedirs $var_mock_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233044,18 +233044,6 @@ or directory to be mounted. To enable the mount_anyfile SELinux boolean, run the following command: $ sudo setsebool -P mount_anyfile on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mount_anyfile='' - - -setsebool -P mount_anyfile $var_mount_anyfile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mount_anyfile # promote to variable set_fact: var_mount_anyfile: !!str 
@@ -233092,6 +233080,18 @@ fi - medium_severity - no_reboot_needed - sebool_mount_anyfile + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mount_anyfile='' + + +setsebool -P mount_anyfile $var_mount_anyfile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233109,18 +233109,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_bind_unreserved_ports='' - - -setsebool -P mozilla_plugin_bind_unreserved_ports $var_mozilla_plugin_bind_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_bind_unreserved_ports # promote to variable set_fact: var_mozilla_plugin_bind_unreserved_ports: !!str @@ -233157,6 +233145,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_bind_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_bind_unreserved_ports='' + + +setsebool -P mozilla_plugin_bind_unreserved_ports $var_mozilla_plugin_bind_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233174,18 +233174,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_can_network_connect='' - - -setsebool -P mozilla_plugin_can_network_connect $var_mozilla_plugin_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_can_network_connect # promote to variable set_fact: var_mozilla_plugin_can_network_connect: !!str @@ -233222,6 +233210,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_can_network_connect='' + + +setsebool -P mozilla_plugin_can_network_connect $var_mozilla_plugin_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233239,18 +233239,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_bluejeans off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_use_bluejeans='' - - -setsebool -P mozilla_plugin_use_bluejeans $var_mozilla_plugin_use_bluejeans - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_use_bluejeans # promote to variable set_fact: var_mozilla_plugin_use_bluejeans: !!str 
@@ -233287,6 +233275,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_use_bluejeans + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_use_bluejeans='' + + +setsebool -P mozilla_plugin_use_bluejeans $var_mozilla_plugin_use_bluejeans + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233304,18 +233304,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_gps SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_gps off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_use_gps='' - - -setsebool -P mozilla_plugin_use_gps $var_mozilla_plugin_use_gps - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_use_gps # promote to variable set_fact: var_mozilla_plugin_use_gps: !!str @@ -233352,6 +233340,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_use_gps + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_use_gps='' + + +setsebool -P mozilla_plugin_use_gps $var_mozilla_plugin_use_gps + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233369,18 +233369,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_plugin_use_spice SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_spice off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_plugin_use_spice='' - - -setsebool -P mozilla_plugin_use_spice $var_mozilla_plugin_use_spice - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_plugin_use_spice # promote to variable set_fact: var_mozilla_plugin_use_spice: !!str @@ -233417,6 +233405,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_plugin_use_spice + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_plugin_use_spice='' + + +setsebool -P mozilla_plugin_use_spice $var_mozilla_plugin_use_spice + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233434,18 +233434,6 @@ If this setting is enabled, it should be disabled. To disable the mozilla_read_content SELinux boolean, run the following command: $ sudo setsebool -P mozilla_read_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mozilla_read_content='' - - -setsebool -P mozilla_read_content $var_mozilla_read_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mozilla_read_content # promote to variable set_fact: var_mozilla_read_content: !!str 
@@ -233482,6 +233470,18 @@ fi - medium_severity - no_reboot_needed - sebool_mozilla_read_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mozilla_read_content='' + + +setsebool -P mozilla_read_content $var_mozilla_read_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233499,18 +233499,6 @@ If this setting is enabled, it should be disabled. To disable the mpd_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P mpd_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mpd_enable_homedirs='' - - -setsebool -P mpd_enable_homedirs $var_mpd_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mpd_enable_homedirs # promote to variable set_fact: var_mpd_enable_homedirs: !!str @@ -233547,6 +233535,18 @@ fi - medium_severity - no_reboot_needed - sebool_mpd_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mpd_enable_homedirs='' + + +setsebool -P mpd_enable_homedirs $var_mpd_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233564,18 +233564,6 @@ If this setting is enabled, it should be disabled. To disable the mpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P mpd_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mpd_use_cifs='' - - -setsebool -P mpd_use_cifs $var_mpd_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mpd_use_cifs # promote to variable set_fact: var_mpd_use_cifs: !!str @@ -233612,6 +233600,18 @@ fi - medium_severity - no_reboot_needed - sebool_mpd_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mpd_use_cifs='' + + +setsebool -P mpd_use_cifs $var_mpd_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233629,18 +233629,6 @@ If this setting is enabled, it should be disabled. To disable the mpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P mpd_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mpd_use_nfs='' - - -setsebool -P mpd_use_nfs $var_mpd_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mpd_use_nfs # promote to variable set_fact: var_mpd_use_nfs: !!str @@ -233677,6 +233665,18 @@ fi - medium_severity - no_reboot_needed - sebool_mpd_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mpd_use_nfs='' + + +setsebool -P mpd_use_nfs $var_mpd_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233694,18 +233694,6 @@ If this setting is enabled, it should be disabled. To disable the mplayer_execstack SELinux boolean, run the following command: $ sudo setsebool -P mplayer_execstack off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mplayer_execstack='' - - -setsebool -P mplayer_execstack $var_mplayer_execstack - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mplayer_execstack # promote to variable set_fact: var_mplayer_execstack: !!str @@ -233742,6 +233730,18 @@ fi - medium_severity - no_reboot_needed - sebool_mplayer_execstack + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mplayer_execstack='' + + +setsebool -P mplayer_execstack $var_mplayer_execstack + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233759,18 +233759,6 @@ If this setting is enabled, it should be disabled. To disable the mysql_connect_any SELinux boolean, run the following command: $ sudo setsebool -P mysql_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_mysql_connect_any='' - - -setsebool -P mysql_connect_any $var_mysql_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_mysql_connect_any # promote to variable set_fact: var_mysql_connect_any: !!str 
@@ -233807,6 +233795,18 @@ fi - medium_severity - no_reboot_needed - sebool_mysql_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_mysql_connect_any='' + + +setsebool -P mysql_connect_any $var_mysql_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233824,18 +233824,6 @@ If this setting is enabled, it should be disabled. To disable the nagios_run_pnp4nagios SELinux boolean, run the following command: $ sudo setsebool -P nagios_run_pnp4nagios off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nagios_run_pnp4nagios='' - - -setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nagios_run_pnp4nagios # promote to variable set_fact: var_nagios_run_pnp4nagios: !!str @@ -233872,6 +233860,18 @@ fi - medium_severity - no_reboot_needed - sebool_nagios_run_pnp4nagios + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nagios_run_pnp4nagios='' + + +setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -233889,18 +233889,6 @@ If this setting is enabled, it should be disabled. To disable the nagios_run_sudo SELinux boolean, run the following command: $ sudo setsebool -P nagios_run_sudo off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nagios_run_sudo='' - - -setsebool -P nagios_run_sudo $var_nagios_run_sudo - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nagios_run_sudo # promote to variable set_fact: var_nagios_run_sudo: !!str @@ -233937,6 +233925,18 @@ fi - medium_severity - no_reboot_needed - sebool_nagios_run_sudo + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nagios_run_sudo='' + + +setsebool -P nagios_run_sudo $var_nagios_run_sudo + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -233954,18 +233954,6 @@ If this setting is enabled, it should be disabled. To disable the named_tcp_bind_http_port SELinux boolean, run the following command: $ sudo setsebool -P named_tcp_bind_http_port off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_named_tcp_bind_http_port='' - - -setsebool -P named_tcp_bind_http_port $var_named_tcp_bind_http_port - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_named_tcp_bind_http_port # promote to variable set_fact: var_named_tcp_bind_http_port: !!str 
@@ -234002,6 +233990,18 @@ fi - medium_severity - no_reboot_needed - sebool_named_tcp_bind_http_port + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_named_tcp_bind_http_port='' + + +setsebool -P named_tcp_bind_http_port $var_named_tcp_bind_http_port + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234019,18 +234019,6 @@ If this setting is enabled, it should be disabled. To disable the named_write_master_zones SELinux boolean, run the following command: $ sudo setsebool -P named_write_master_zones off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_named_write_master_zones='' - - -setsebool -P named_write_master_zones $var_named_write_master_zones - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_named_write_master_zones # promote to variable set_fact: var_named_write_master_zones: !!str @@ -234067,6 +234055,18 @@ fi - medium_severity - no_reboot_needed - sebool_named_write_master_zones + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_named_write_master_zones='' + + +setsebool -P named_write_master_zones $var_named_write_master_zones + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234084,18 +234084,6 @@ If this setting is enabled, it should be disabled. To disable the neutron_can_network SELinux boolean, run the following command: $ sudo setsebool -P neutron_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_neutron_can_network='' - - -setsebool -P neutron_can_network $var_neutron_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_neutron_can_network # promote to variable set_fact: var_neutron_can_network: !!str @@ -234132,6 +234120,18 @@ fi - medium_severity - no_reboot_needed - sebool_neutron_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_neutron_can_network='' + + +setsebool -P neutron_can_network $var_neutron_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234150,18 +234150,6 @@ export read-only mounts. To enable the nfs_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P nfs_export_all_ro on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nfs_export_all_ro='' - - -setsebool -P nfs_export_all_ro $var_nfs_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nfs_export_all_ro # promote to variable set_fact: var_nfs_export_all_ro: !!str 
@@ -234198,6 +234186,18 @@ fi - medium_severity - no_reboot_needed - sebool_nfs_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nfs_export_all_ro='' + + +setsebool -P nfs_export_all_ro $var_nfs_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234216,18 +234216,6 @@ export read/write mounts. To enable the nfs_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P nfs_export_all_rw on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nfs_export_all_rw='' - - -setsebool -P nfs_export_all_rw $var_nfs_export_all_rw - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nfs_export_all_rw # promote to variable set_fact: var_nfs_export_all_rw: !!str @@ -234264,6 +234252,18 @@ fi - medium_severity - no_reboot_needed - sebool_nfs_export_all_rw + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nfs_export_all_rw='' + + +setsebool -P nfs_export_all_rw $var_nfs_export_all_rw + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234281,18 +234281,6 @@ If this setting is enabled, it should be disabled. To disable the nfsd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P nfsd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nfsd_anon_write='' - - -setsebool -P nfsd_anon_write $var_nfsd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nfsd_anon_write # promote to variable set_fact: var_nfsd_anon_write: !!str @@ -234329,6 +234317,18 @@ fi - medium_severity - no_reboot_needed - sebool_nfsd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nfsd_anon_write='' + + +setsebool -P nfsd_anon_write $var_nfsd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234346,18 +234346,6 @@ If this setting is enabled, it should be disabled. To disable the nis_enabled SELinux boolean, run the following command: $ sudo setsebool -P nis_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nis_enabled='' - - -setsebool -P nis_enabled $var_nis_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nis_enabled # promote to variable set_fact: var_nis_enabled: !!str 
@@ -234394,6 +234382,18 @@ fi - medium_severity - no_reboot_needed - sebool_nis_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nis_enabled='' + + +setsebool -P nis_enabled $var_nis_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234412,18 +234412,6 @@ to use shared memory. To enable the nscd_use_shm SELinux boolean, run the following command: $ sudo setsebool -P nscd_use_shm on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_nscd_use_shm='' - - -setsebool -P nscd_use_shm $var_nscd_use_shm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_nscd_use_shm # promote to variable set_fact: var_nscd_use_shm: !!str @@ -234460,6 +234448,18 @@ fi - medium_severity - no_reboot_needed - sebool_nscd_use_shm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_nscd_use_shm='' + + +setsebool -P nscd_use_shm $var_nscd_use_shm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234477,18 +234477,6 @@ If this setting is enabled, it should be disabled. To disable the openshift_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P openshift_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openshift_use_nfs='' - - -setsebool -P openshift_use_nfs $var_openshift_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openshift_use_nfs # promote to variable set_fact: var_openshift_use_nfs: !!str @@ -234525,6 +234513,18 @@ fi - medium_severity - no_reboot_needed - sebool_openshift_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openshift_use_nfs='' + + +setsebool -P openshift_use_nfs $var_openshift_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234542,18 +234542,6 @@ This setting should be disabled. To disable the openvpn_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P openvpn_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openvpn_can_network_connect='' - - -setsebool -P openvpn_can_network_connect $var_openvpn_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openvpn_can_network_connect # promote to variable set_fact: var_openvpn_can_network_connect: !!str 
@@ -234590,6 +234578,18 @@ fi - medium_severity - no_reboot_needed - sebool_openvpn_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openvpn_can_network_connect='' + + +setsebool -P openvpn_can_network_connect $var_openvpn_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234607,18 +234607,6 @@ This setting should be disabled. To disable the openvpn_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P openvpn_enable_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openvpn_enable_homedirs='' - - -setsebool -P openvpn_enable_homedirs $var_openvpn_enable_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openvpn_enable_homedirs # promote to variable set_fact: var_openvpn_enable_homedirs: !!str @@ -234655,6 +234643,18 @@ fi - medium_severity - no_reboot_needed - sebool_openvpn_enable_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openvpn_enable_homedirs='' + + +setsebool -P openvpn_enable_homedirs $var_openvpn_enable_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234672,18 +234672,6 @@ If this setting is enabled, it should be disabled. To disable the openvpn_run_unconfined SELinux boolean, run the following command: $ sudo setsebool -P openvpn_run_unconfined off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_openvpn_run_unconfined='' - - -setsebool -P openvpn_run_unconfined $var_openvpn_run_unconfined - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_openvpn_run_unconfined # promote to variable set_fact: var_openvpn_run_unconfined: !!str @@ -234720,6 +234708,18 @@ fi - medium_severity - no_reboot_needed - sebool_openvpn_run_unconfined + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_openvpn_run_unconfined='' + + +setsebool -P openvpn_run_unconfined $var_openvpn_run_unconfined + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234737,18 +234737,6 @@ If this setting is enabled, it should be disabled. To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P pcp_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pcp_bind_all_unreserved_ports='' - - -setsebool -P pcp_bind_all_unreserved_ports $var_pcp_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pcp_bind_all_unreserved_ports # promote to variable set_fact: var_pcp_bind_all_unreserved_ports: !!str 
@@ -234785,6 +234773,18 @@ fi - medium_severity - no_reboot_needed - sebool_pcp_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pcp_bind_all_unreserved_ports='' + + +setsebool -P pcp_bind_all_unreserved_ports $var_pcp_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234802,18 +234802,6 @@ If this setting is enabled, it should be disabled. To disable the pcp_read_generic_logs SELinux boolean, run the following command: $ sudo setsebool -P pcp_read_generic_logs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pcp_read_generic_logs='' - - -setsebool -P pcp_read_generic_logs $var_pcp_read_generic_logs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pcp_read_generic_logs # promote to variable set_fact: var_pcp_read_generic_logs: !!str @@ -234850,6 +234838,18 @@ fi - medium_severity - no_reboot_needed - sebool_pcp_read_generic_logs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pcp_read_generic_logs='' + + +setsebool -P pcp_read_generic_logs $var_pcp_read_generic_logs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -234867,18 +234867,6 @@ If this setting is enabled, it should be disabled. To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P piranha_lvs_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_piranha_lvs_can_network_connect='' - - -setsebool -P piranha_lvs_can_network_connect $var_piranha_lvs_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_piranha_lvs_can_network_connect # promote to variable set_fact: var_piranha_lvs_can_network_connect: !!str @@ -234915,6 +234903,18 @@ fi - medium_severity - no_reboot_needed - sebool_piranha_lvs_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_piranha_lvs_can_network_connect='' + + +setsebool -P piranha_lvs_can_network_connect $var_piranha_lvs_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234932,18 +234932,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_connect_all_unreserved SELinux boolean, run the following command: $ sudo setsebool -P polipo_connect_all_unreserved off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_connect_all_unreserved='' - - -setsebool -P polipo_connect_all_unreserved $var_polipo_connect_all_unreserved - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_connect_all_unreserved # promote to variable set_fact: var_polipo_connect_all_unreserved: !!str 
@@ -234980,6 +234968,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_connect_all_unreserved + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_connect_all_unreserved='' + + +setsebool -P polipo_connect_all_unreserved $var_polipo_connect_all_unreserved + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -234997,18 +234997,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P polipo_session_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_session_bind_all_unreserved_ports='' - - -setsebool -P polipo_session_bind_all_unreserved_ports $var_polipo_session_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_session_bind_all_unreserved_ports # promote to variable set_fact: var_polipo_session_bind_all_unreserved_ports: !!str @@ -235045,6 +235033,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_session_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_session_bind_all_unreserved_ports='' + + +setsebool -P polipo_session_bind_all_unreserved_ports $var_polipo_session_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235062,18 +235062,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_session_users SELinux boolean, run the following command: $ sudo setsebool -P polipo_session_users off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_session_users='' - - -setsebool -P polipo_session_users $var_polipo_session_users - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_session_users # promote to variable set_fact: var_polipo_session_users: !!str @@ -235110,6 +235098,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_session_users + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_session_users='' + + +setsebool -P polipo_session_users $var_polipo_session_users + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235127,18 +235127,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P polipo_use_cifs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_use_cifs='' - - -setsebool -P polipo_use_cifs $var_polipo_use_cifs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_use_cifs # promote to variable set_fact: var_polipo_use_cifs: !!str 
@@ -235175,6 +235163,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_use_cifs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_use_cifs='' + + +setsebool -P polipo_use_cifs $var_polipo_use_cifs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235192,18 +235192,6 @@ If this setting is enabled, it should be disabled. To disable the polipo_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P polipo_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polipo_use_nfs='' - - -setsebool -P polipo_use_nfs $var_polipo_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polipo_use_nfs # promote to variable set_fact: var_polipo_use_nfs: !!str @@ -235240,6 +235228,18 @@ fi - medium_severity - no_reboot_needed - sebool_polipo_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polipo_use_nfs='' + + +setsebool -P polipo_use_nfs $var_polipo_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235259,18 +235259,6 @@ To set the polyinstantiation_enabled SELinux boolean, run BP28(R39) CCE-84230-2 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_polyinstantiation_enabled='' - - -setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_polyinstantiation_enabled # promote to variable set_fact: var_polyinstantiation_enabled: !!str @@ -235309,6 +235297,18 @@ fi - medium_severity - no_reboot_needed - sebool_polyinstantiation_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_polyinstantiation_enabled='' + + +setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235327,18 +235327,6 @@ to the mail spool directories. To enable the postfix_local_write_mail_spool SELinux boolean, run the following command: $ sudo setsebool -P postfix_local_write_mail_spool on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postfix_local_write_mail_spool='' - - -setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postfix_local_write_mail_spool # promote to variable set_fact: var_postfix_local_write_mail_spool: !!str 
@@ -235375,6 +235363,18 @@ fi - medium_severity - no_reboot_needed - sebool_postfix_local_write_mail_spool + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postfix_local_write_mail_spool='' + + +setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235392,18 +235392,6 @@ If this setting is enabled, it should be disabled. To disable the postgresql_can_rsync SELinux boolean, run the following command: $ sudo setsebool -P postgresql_can_rsync off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_can_rsync='' - - -setsebool -P postgresql_can_rsync $var_postgresql_can_rsync - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_can_rsync # promote to variable set_fact: var_postgresql_can_rsync: !!str @@ -235440,6 +235428,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_can_rsync + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_can_rsync='' + + +setsebool -P postgresql_can_rsync $var_postgresql_can_rsync + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235457,18 +235457,6 @@ If this setting is enabled, it should be disabled. To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_transmit_client_label off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_selinux_transmit_client_label='' - - -setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_selinux_transmit_client_label # promote to variable set_fact: var_postgresql_selinux_transmit_client_label: !!str @@ -235505,6 +235493,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_selinux_transmit_client_label + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_selinux_transmit_client_label='' + + +setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235523,18 +235523,6 @@ execute Data Manipulation Language (DML) statements. To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_unconfined_dbadm on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_selinux_unconfined_dbadm='' - - -setsebool -P postgresql_selinux_unconfined_dbadm $var_postgresql_selinux_unconfined_dbadm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_selinux_unconfined_dbadm # promote to variable set_fact: var_postgresql_selinux_unconfined_dbadm: !!str @@ -235571,6 +235559,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_selinux_unconfined_dbadm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_selinux_unconfined_dbadm='' + + +setsebool -P postgresql_selinux_unconfined_dbadm $var_postgresql_selinux_unconfined_dbadm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235589,18 +235589,6 @@ execute Data Definition Language (DDL) statements. To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_users_ddl on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postgresql_selinux_users_ddl='' - - -setsebool -P postgresql_selinux_users_ddl $var_postgresql_selinux_users_ddl - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postgresql_selinux_users_ddl # promote to variable set_fact: var_postgresql_selinux_users_ddl: !!str 
@@ -235637,6 +235625,18 @@ fi - medium_severity - no_reboot_needed - sebool_postgresql_selinux_users_ddl + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postgresql_selinux_users_ddl='' + + +setsebool -P postgresql_selinux_users_ddl $var_postgresql_selinux_users_ddl + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235654,18 +235654,6 @@ If this setting is enabled, it should be disabled. To disable the pppd_can_insmod SELinux boolean, run the following command: $ sudo setsebool -P pppd_can_insmod off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pppd_can_insmod='' - - -setsebool -P pppd_can_insmod $var_pppd_can_insmod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pppd_can_insmod # promote to variable set_fact: var_pppd_can_insmod: !!str @@ -235702,6 +235690,18 @@ fi - medium_severity - no_reboot_needed - sebool_pppd_can_insmod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pppd_can_insmod='' + + +setsebool -P pppd_can_insmod $var_pppd_can_insmod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
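Review bot: style point on the platform guard that both hunks carry: `if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` forks two subshells only to negate a test, and `==` inside `[ ]` is a bash extension rather than POSIX. `if [ "${container:-}" != "bwrap-osbuild" ] && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` is equivalent, portable and easier to read; since this block is being moved in every rendered rule anyway, the fix belongs in the generator template so every copy picks it up.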
@@ -235719,18 +235719,6 @@ If this setting is enabled, it should be disabled. To disable the pppd_for_user SELinux boolean, run the following command: $ sudo setsebool -P pppd_for_user off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_pppd_for_user='' - - -setsebool -P pppd_for_user $var_pppd_for_user - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_pppd_for_user # promote to variable set_fact: var_pppd_for_user: !!str @@ -235767,6 +235755,18 @@ fi - medium_severity - no_reboot_needed - sebool_pppd_for_user + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_pppd_for_user='' + + +setsebool -P pppd_for_user $var_pppd_for_user + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235784,18 +235784,6 @@ This setting should be disabled. To disable the privoxy_connect_any SELinux boolean, run the following command: $ sudo setsebool -P privoxy_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_privoxy_connect_any='' - - -setsebool -P privoxy_connect_any $var_privoxy_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_privoxy_connect_any # promote to variable set_fact: var_privoxy_connect_any: !!str 
@@ -235832,6 +235820,18 @@ fi - medium_severity - no_reboot_needed - sebool_privoxy_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_privoxy_connect_any='' + + +setsebool -P privoxy_connect_any $var_privoxy_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235849,18 +235849,6 @@ If this setting is enabled, it should be disabled. To disable the prosody_bind_http_port SELinux boolean, run the following command: $ sudo setsebool -P prosody_bind_http_port off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_prosody_bind_http_port='' - - -setsebool -P prosody_bind_http_port $var_prosody_bind_http_port - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_prosody_bind_http_port # promote to variable set_fact: var_prosody_bind_http_port: !!str @@ -235897,6 +235885,18 @@ fi - medium_severity - no_reboot_needed - sebool_prosody_bind_http_port + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_prosody_bind_http_port='' + + +setsebool -P prosody_bind_http_port $var_prosody_bind_http_port + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -235914,18 +235914,6 @@ If this setting is enabled, it should be disabled. To disable the puppetagent_manage_all_files SELinux boolean, run the following command: $ sudo setsebool -P puppetagent_manage_all_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_puppetagent_manage_all_files='' - - -setsebool -P puppetagent_manage_all_files $var_puppetagent_manage_all_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_puppetagent_manage_all_files # promote to variable set_fact: var_puppetagent_manage_all_files: !!str @@ -235962,6 +235950,18 @@ fi - medium_severity - no_reboot_needed - sebool_puppetagent_manage_all_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_puppetagent_manage_all_files='' + + +setsebool -P puppetagent_manage_all_files $var_puppetagent_manage_all_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -235979,18 +235979,6 @@ If this setting is enabled, it should be disabled. To disable the puppetmaster_use_db SELinux boolean, run the following command: $ sudo setsebool -P puppetmaster_use_db off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_puppetmaster_use_db='' - - -setsebool -P puppetmaster_use_db $var_puppetmaster_use_db - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_puppetmaster_use_db # promote to variable set_fact: var_puppetmaster_use_db: !!str 
@@ -236027,6 +236015,18 @@ fi - medium_severity - no_reboot_needed - sebool_puppetmaster_use_db + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_puppetmaster_use_db='' + + +setsebool -P puppetmaster_use_db $var_puppetmaster_use_db + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236044,18 +236044,6 @@ If this setting is enabled, it should be disabled. To disable the racoon_read_shadow SELinux boolean, run the following command: $ sudo setsebool -P racoon_read_shadow off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_racoon_read_shadow='' - - -setsebool -P racoon_read_shadow $var_racoon_read_shadow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_racoon_read_shadow # promote to variable set_fact: var_racoon_read_shadow: !!str @@ -236092,6 +236080,18 @@ fi - medium_severity - no_reboot_needed - sebool_racoon_read_shadow + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_racoon_read_shadow='' + + +setsebool -P racoon_read_shadow $var_racoon_read_shadow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236109,18 +236109,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_anon_write SELinux boolean, run the following command: $ sudo setsebool -P rsync_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_anon_write='' - - -setsebool -P rsync_anon_write $var_rsync_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_anon_write # promote to variable set_fact: var_rsync_anon_write: !!str @@ -236157,6 +236145,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_anon_write='' + + +setsebool -P rsync_anon_write $var_rsync_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236174,18 +236174,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_client SELinux boolean, run the following command: $ sudo setsebool -P rsync_client off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_client='' - - -setsebool -P rsync_client $var_rsync_client - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_client # promote to variable set_fact: var_rsync_client: !!str 
@@ -236222,6 +236210,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_client + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_client='' + + +setsebool -P rsync_client $var_rsync_client + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236239,18 +236239,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P rsync_export_all_ro off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_export_all_ro='' - - -setsebool -P rsync_export_all_ro $var_rsync_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_export_all_ro # promote to variable set_fact: var_rsync_export_all_ro: !!str @@ -236287,6 +236275,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_export_all_ro='' + + +setsebool -P rsync_export_all_ro $var_rsync_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236304,18 +236304,6 @@ If this setting is enabled, it should be disabled. To disable the rsync_full_access SELinux boolean, run the following command: $ sudo setsebool -P rsync_full_access off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rsync_full_access='' - - -setsebool -P rsync_full_access $var_rsync_full_access - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rsync_full_access # promote to variable set_fact: var_rsync_full_access: !!str @@ -236352,6 +236340,18 @@ fi - medium_severity - no_reboot_needed - sebool_rsync_full_access + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_rsync_full_access='' + + +setsebool -P rsync_full_access $var_rsync_full_access + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236369,18 +236369,6 @@ If this setting is enabled, it should be disabled. To disable the samba_create_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P samba_create_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_create_home_dirs='' - - -setsebool -P samba_create_home_dirs $var_samba_create_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_create_home_dirs # promote to variable set_fact: var_samba_create_home_dirs: !!str 
@@ -236417,6 +236405,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_create_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_create_home_dirs='' + + +setsebool -P samba_create_home_dirs $var_samba_create_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236434,18 +236434,6 @@ If this setting is enabled, it should be disabled. To disable the samba_domain_controller SELinux boolean, run the following command: $ sudo setsebool -P samba_domain_controller off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_domain_controller='' - - -setsebool -P samba_domain_controller $var_samba_domain_controller - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_domain_controller # promote to variable set_fact: var_samba_domain_controller: !!str @@ -236482,6 +236470,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_domain_controller + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_domain_controller='' + + +setsebool -P samba_domain_controller $var_samba_domain_controller + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236499,18 +236499,6 @@ If this setting is enabled, it should be disabled. To disable the samba_enable_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P samba_enable_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_enable_home_dirs='' - - -setsebool -P samba_enable_home_dirs $var_samba_enable_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_enable_home_dirs # promote to variable set_fact: var_samba_enable_home_dirs: !!str @@ -236547,6 +236535,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_enable_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_enable_home_dirs='' + + +setsebool -P samba_enable_home_dirs $var_samba_enable_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236564,18 +236564,6 @@ If this setting is enabled, it should be disabled. To disable the samba_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_ro off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_export_all_ro='' - - -setsebool -P samba_export_all_ro $var_samba_export_all_ro - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_export_all_ro # promote to variable set_fact: var_samba_export_all_ro: !!str 
@@ -236612,6 +236600,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_export_all_ro + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_export_all_ro='' + + +setsebool -P samba_export_all_ro $var_samba_export_all_ro + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236629,18 +236629,6 @@ If this setting is enabled, it should be disabled. To disable the samba_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_rw off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_export_all_rw='' - - -setsebool -P samba_export_all_rw $var_samba_export_all_rw - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_export_all_rw # promote to variable set_fact: var_samba_export_all_rw: !!str @@ -236677,6 +236665,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_export_all_rw + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_export_all_rw='' + + +setsebool -P samba_export_all_rw $var_samba_export_all_rw + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236694,18 +236694,6 @@ If this setting is enabled, it should be disabled. To disable the samba_load_libgfapi SELinux boolean, run the following command: $ sudo setsebool -P samba_load_libgfapi off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_load_libgfapi='' - - -setsebool -P samba_load_libgfapi $var_samba_load_libgfapi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_load_libgfapi # promote to variable set_fact: var_samba_load_libgfapi: !!str @@ -236742,6 +236730,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_load_libgfapi + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_load_libgfapi='' + + +setsebool -P samba_load_libgfapi $var_samba_load_libgfapi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236759,18 +236759,6 @@ If this setting is enabled, it should be disabled. To disable the samba_portmapper SELinux boolean, run the following command: $ sudo setsebool -P samba_portmapper off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_portmapper='' - - -setsebool -P samba_portmapper $var_samba_portmapper - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_portmapper # promote to variable set_fact: var_samba_portmapper: !!str 
@@ -236807,6 +236795,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_portmapper + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_portmapper='' + + +setsebool -P samba_portmapper $var_samba_portmapper + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236824,18 +236824,6 @@ If this setting is enabled, it should be disabled. To disable the samba_run_unconfined SELinux boolean, run the following command: $ sudo setsebool -P samba_run_unconfined off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_run_unconfined='' - - -setsebool -P samba_run_unconfined $var_samba_run_unconfined - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_run_unconfined # promote to variable set_fact: var_samba_run_unconfined: !!str @@ -236872,6 +236860,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_run_unconfined + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_run_unconfined='' + + +setsebool -P samba_run_unconfined $var_samba_run_unconfined + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -236889,18 +236889,6 @@ If this setting is enabled, it should be disabled. To disable the samba_share_fusefs SELinux boolean, run the following command: $ sudo setsebool -P samba_share_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_share_fusefs='' - - -setsebool -P samba_share_fusefs $var_samba_share_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_share_fusefs # promote to variable set_fact: var_samba_share_fusefs: !!str @@ -236937,6 +236925,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_share_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_share_fusefs='' + + +setsebool -P samba_share_fusefs $var_samba_share_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -236954,18 +236954,6 @@ If this setting is enabled, it should be disabled. To disable the samba_share_nfs SELinux boolean, run the following command: $ sudo setsebool -P samba_share_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_samba_share_nfs='' - - -setsebool -P samba_share_nfs $var_samba_share_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_samba_share_nfs # promote to variable set_fact: var_samba_share_nfs: !!str 
@@ -237002,6 +236990,18 @@ fi - medium_severity - no_reboot_needed - sebool_samba_share_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_samba_share_nfs='' + + +setsebool -P samba_share_nfs $var_samba_share_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237019,18 +237019,6 @@ If this setting is enabled, it should be disabled. To disable the sanlock_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sanlock_use_fusefs='' - - -setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sanlock_use_fusefs # promote to variable set_fact: var_sanlock_use_fusefs: !!str @@ -237067,6 +237055,18 @@ fi - medium_severity - no_reboot_needed - sebool_sanlock_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sanlock_use_fusefs='' + + +setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237084,18 +237084,6 @@ If this setting is enabled, it should be disabled. To disable the sanlock_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sanlock_use_nfs='' - - -setsebool -P sanlock_use_nfs $var_sanlock_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sanlock_use_nfs # promote to variable set_fact: var_sanlock_use_nfs: !!str @@ -237132,6 +237120,18 @@ fi - medium_severity - no_reboot_needed - sebool_sanlock_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sanlock_use_nfs='' + + +setsebool -P sanlock_use_nfs $var_sanlock_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237149,18 +237149,6 @@ If this setting is enabled, it should be disabled. To disable the sanlock_use_samba SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_samba off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sanlock_use_samba='' - - -setsebool -P sanlock_use_samba $var_sanlock_use_samba - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sanlock_use_samba # promote to variable set_fact: var_sanlock_use_samba: !!str 
@@ -237197,6 +237185,18 @@ fi - medium_severity - no_reboot_needed - sebool_sanlock_use_samba + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sanlock_use_samba='' + + +setsebool -P sanlock_use_samba $var_sanlock_use_samba + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237214,18 +237214,6 @@ If this setting is enabled, it should be disabled. To disable the saslauthd_read_shadow SELinux boolean, run the following command: $ sudo setsebool -P saslauthd_read_shadow off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_saslauthd_read_shadow='' - - -setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_saslauthd_read_shadow # promote to variable set_fact: var_saslauthd_read_shadow: !!str @@ -237262,6 +237250,18 @@ fi - medium_severity - no_reboot_needed - sebool_saslauthd_read_shadow + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_saslauthd_read_shadow='' + + +setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237279,18 +237279,6 @@ If this setting is disabled, it should be enabled. To enable the secadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P secadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secadm_exec_content='' - - -setsebool -P secadm_exec_content $var_secadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secadm_exec_content # promote to variable set_fact: var_secadm_exec_content: !!str @@ -237327,6 +237315,18 @@ fi - medium_severity - no_reboot_needed - sebool_secadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secadm_exec_content='' + + +setsebool -P secadm_exec_content $var_secadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237344,18 +237344,6 @@ If this setting is enabled, it should be disabled. To disable the secure_mode SELinux boolean, run the following command: $ sudo setsebool -P secure_mode off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secure_mode='' - - -setsebool -P secure_mode $var_secure_mode - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secure_mode # promote to variable set_fact: var_secure_mode: !!str 
@@ -237392,6 +237380,18 @@ fi - medium_severity - no_reboot_needed - sebool_secure_mode + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secure_mode='' + + +setsebool -P secure_mode $var_secure_mode + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237411,18 +237411,6 @@ To set the secure_mode_insmod SELinux boolean, run the fo BP28(R67) CCE-83310-3 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secure_mode_insmod='' - - -setsebool -P secure_mode_insmod $var_secure_mode_insmod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secure_mode_insmod # promote to variable set_fact: var_secure_mode_insmod: !!str @@ -237461,6 +237449,18 @@ fi - medium_severity - no_reboot_needed - sebool_secure_mode_insmod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secure_mode_insmod='' + + +setsebool -P secure_mode_insmod $var_secure_mode_insmod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237478,18 +237478,6 @@ If this setting is enabled, it should be disabled. To disable the secure_mode_policyload SELinux boolean, run the following command: $ sudo setsebool -P secure_mode_policyload off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_secure_mode_policyload='' - - -setsebool -P secure_mode_policyload $var_secure_mode_policyload - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_secure_mode_policyload # promote to variable set_fact: var_secure_mode_policyload: !!str @@ -237526,6 +237514,18 @@ fi - medium_severity - no_reboot_needed - sebool_secure_mode_policyload + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_secure_mode_policyload='' + + +setsebool -P secure_mode_policyload $var_secure_mode_policyload + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237544,18 +237544,6 @@ Otherwise, enable it. To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_direct_dri_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_direct_dri_enabled='' - - -setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_direct_dri_enabled # promote to variable set_fact: var_selinuxuser_direct_dri_enabled: !!str 
@@ -237592,6 +237580,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_direct_dri_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_direct_dri_enabled='' + + +setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237619,18 +237619,6 @@ To disable the selinuxuser_execheap SELinux boolean, run 164.312(e) Disabling code execution from the heap blocks buffer overflow attacks. CCE-80949-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_execheap='' - - -setsebool -P selinuxuser_execheap $var_selinuxuser_execheap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_execheap # promote to variable set_fact: var_selinuxuser_execheap: !!str @@ -237669,6 +237657,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_execheap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_execheap='' + + +setsebool -P selinuxuser_execheap $var_selinuxuser_execheap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237694,18 +237694,6 @@ To enable the selinuxuser_execmod SELinux boolean, run th 164.312(e) CCE-80950-9 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_execmod='' - - -setsebool -P selinuxuser_execmod $var_selinuxuser_execmod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_execmod # promote to variable set_fact: var_selinuxuser_execmod: !!str @@ -237744,6 +237732,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_execmod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_execmod='' + + +setsebool -P selinuxuser_execmod $var_selinuxuser_execmod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237771,18 +237771,6 @@ To disable the selinuxuser_execstack SELinux boolean, run 164.312(e) Disabling code execution from the stack blocks buffer overflow attacks. CCE-80951-7 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_execstack='' - - -setsebool -P selinuxuser_execstack $var_selinuxuser_execstack - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_execstack # promote to variable set_fact: var_selinuxuser_execstack: !!str 
@@ -237821,6 +237809,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_execstack + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_execstack='' + + +setsebool -P selinuxuser_execstack $var_selinuxuser_execstack + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237838,18 +237838,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_mysql_connect_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_mysql_connect_enabled='' - - -setsebool -P selinuxuser_mysql_connect_enabled $var_selinuxuser_mysql_connect_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_mysql_connect_enabled # promote to variable set_fact: var_selinuxuser_mysql_connect_enabled: !!str @@ -237886,6 +237874,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_mysql_connect_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_mysql_connect_enabled='' + + +setsebool -P selinuxuser_mysql_connect_enabled $var_selinuxuser_mysql_connect_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -237904,18 +237904,6 @@ to use ping and traceroute which is helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_ping on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_ping='' - - -setsebool -P selinuxuser_ping $var_selinuxuser_ping - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_ping # promote to variable set_fact: var_selinuxuser_ping: !!str @@ -237952,6 +237940,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_ping + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_ping='' + + +setsebool -P selinuxuser_ping $var_selinuxuser_ping + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -237969,18 +237969,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_postgresql_connect_enabled off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_postgresql_connect_enabled='' - - -setsebool -P selinuxuser_postgresql_connect_enabled $var_selinuxuser_postgresql_connect_enabled - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_postgresql_connect_enabled # promote to variable set_fact: var_selinuxuser_postgresql_connect_enabled: !!str 
@@ -238017,6 +238005,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_postgresql_connect_enabled + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_postgresql_connect_enabled='' + + +setsebool -P selinuxuser_postgresql_connect_enabled $var_selinuxuser_postgresql_connect_enabled + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238035,18 +238035,6 @@ on filesystems that do not have extended attributes e.g. FAT, CDROM, FLOPPY, etc To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_rw_noexattrfile off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_rw_noexattrfile='' - - -setsebool -P selinuxuser_rw_noexattrfile $var_selinuxuser_rw_noexattrfile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_rw_noexattrfile # promote to variable set_fact: var_selinuxuser_rw_noexattrfile: !!str @@ -238083,6 +238071,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_rw_noexattrfile + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_rw_noexattrfile='' + + +setsebool -P selinuxuser_rw_noexattrfile $var_selinuxuser_rw_noexattrfile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238100,18 +238100,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_share_music SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_share_music off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_share_music='' - - -setsebool -P selinuxuser_share_music $var_selinuxuser_share_music - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_share_music # promote to variable set_fact: var_selinuxuser_share_music: !!str @@ -238148,6 +238136,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_share_music + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_share_music='' + + +setsebool -P selinuxuser_share_music $var_selinuxuser_share_music + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238165,18 +238165,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_tcp_server SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_tcp_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_tcp_server='' - - -setsebool -P selinuxuser_tcp_server $var_selinuxuser_tcp_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_tcp_server # promote to variable set_fact: var_selinuxuser_tcp_server: !!str 
@@ -238213,6 +238201,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_tcp_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_tcp_server='' + + +setsebool -P selinuxuser_tcp_server $var_selinuxuser_tcp_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238230,18 +238230,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_udp_server SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_udp_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_udp_server='' - - -setsebool -P selinuxuser_udp_server $var_selinuxuser_udp_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_udp_server # promote to variable set_fact: var_selinuxuser_udp_server: !!str @@ -238278,6 +238266,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_udp_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_udp_server='' + + +setsebool -P selinuxuser_udp_server $var_selinuxuser_udp_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238295,18 +238295,6 @@ If this setting is enabled, it should be disabled. To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command: $ sudo setsebool -P selinuxuser_use_ssh_chroot off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_selinuxuser_use_ssh_chroot='' - - -setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_selinuxuser_use_ssh_chroot # promote to variable set_fact: var_selinuxuser_use_ssh_chroot: !!str @@ -238343,6 +238331,18 @@ fi - medium_severity - no_reboot_needed - sebool_selinuxuser_use_ssh_chroot + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_selinuxuser_use_ssh_chroot='' + + +setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238360,18 +238360,6 @@ If this setting is enabled, it should be disabled. To disable the sge_domain_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P sge_domain_can_network_connect off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sge_domain_can_network_connect='' - - -setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sge_domain_can_network_connect # promote to variable set_fact: var_sge_domain_can_network_connect: !!str 
@@ -238408,6 +238396,18 @@ fi - medium_severity - no_reboot_needed - sebool_sge_domain_can_network_connect + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sge_domain_can_network_connect='' + + +setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238425,18 +238425,6 @@ If this setting is enabled, it should be disabled. To disable the sge_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P sge_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sge_use_nfs='' - - -setsebool -P sge_use_nfs $var_sge_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sge_use_nfs # promote to variable set_fact: var_sge_use_nfs: !!str @@ -238473,6 +238461,18 @@ fi - medium_severity - no_reboot_needed - sebool_sge_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sge_use_nfs='' + + +setsebool -P sge_use_nfs $var_sge_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238490,18 +238490,6 @@ If this setting is enabled, it should be disabled. To disable the smartmon_3ware SELinux boolean, run the following command: $ sudo setsebool -P smartmon_3ware off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smartmon_3ware='' - - -setsebool -P smartmon_3ware $var_smartmon_3ware - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smartmon_3ware # promote to variable set_fact: var_smartmon_3ware: !!str @@ -238538,6 +238526,18 @@ fi - medium_severity - no_reboot_needed - sebool_smartmon_3ware + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smartmon_3ware='' + + +setsebool -P smartmon_3ware $var_smartmon_3ware + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238555,18 +238555,6 @@ If this setting is enabled, it should be disabled. To disable the smbd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P smbd_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_smbd_anon_write='' - - -setsebool -P smbd_anon_write $var_smbd_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_smbd_anon_write # promote to variable set_fact: var_smbd_anon_write: !!str 
@@ -238603,6 +238591,18 @@ fi - medium_severity - no_reboot_needed - sebool_smbd_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_smbd_anon_write='' + + +setsebool -P smbd_anon_write $var_smbd_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238620,18 +238620,6 @@ If this setting is enabled, it should be disabled. To disable the spamassassin_can_network SELinux boolean, run the following command: $ sudo setsebool -P spamassassin_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_spamassassin_can_network='' - - -setsebool -P spamassassin_can_network $var_spamassassin_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_spamassassin_can_network # promote to variable set_fact: var_spamassassin_can_network: !!str @@ -238668,6 +238656,18 @@ fi - medium_severity - no_reboot_needed - sebool_spamassassin_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_spamassassin_can_network='' + + +setsebool -P spamassassin_can_network $var_spamassassin_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238685,18 +238685,6 @@ If this setting is disabled, it should be enabled. To enable the spamd_enable_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P spamd_enable_home_dirs on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_spamd_enable_home_dirs='' - - -setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_spamd_enable_home_dirs # promote to variable set_fact: var_spamd_enable_home_dirs: !!str @@ -238733,6 +238721,18 @@ fi - medium_severity - no_reboot_needed - sebool_spamd_enable_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_spamd_enable_home_dirs='' + + +setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238751,18 +238751,6 @@ ports. To disable the squid_connect_any SELinux boolean, run the following command: $ sudo setsebool -P squid_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_squid_connect_any='' - - -setsebool -P squid_connect_any $var_squid_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_squid_connect_any # promote to variable set_fact: var_squid_connect_any: !!str 
@@ -238799,6 +238787,18 @@ fi - medium_severity - no_reboot_needed - sebool_squid_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_squid_connect_any='' + + +setsebool -P squid_connect_any $var_squid_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238816,18 +238816,6 @@ If this setting is enabled, it should be disabled. To disable the squid_use_tproxy SELinux boolean, run the following command: $ sudo setsebool -P squid_use_tproxy off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_squid_use_tproxy='' - - -setsebool -P squid_use_tproxy $var_squid_use_tproxy - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_squid_use_tproxy # promote to variable set_fact: var_squid_use_tproxy: !!str @@ -238864,6 +238852,18 @@ fi - medium_severity - no_reboot_needed - sebool_squid_use_tproxy + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_squid_use_tproxy='' + + +setsebool -P squid_use_tproxy $var_squid_use_tproxy + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -238881,18 +238881,6 @@ If this setting is enabled, it should be disabled. To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command: $ sudo setsebool -P ssh_chroot_rw_homedirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_chroot_rw_homedirs='' - - -setsebool -P ssh_chroot_rw_homedirs $var_ssh_chroot_rw_homedirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_chroot_rw_homedirs # promote to variable set_fact: var_ssh_chroot_rw_homedirs: !!str @@ -238929,6 +238917,18 @@ fi - medium_severity - no_reboot_needed - sebool_ssh_chroot_rw_homedirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_chroot_rw_homedirs='' + + +setsebool -P ssh_chroot_rw_homedirs $var_ssh_chroot_rw_homedirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -238946,18 +238946,6 @@ If this setting is enabled, it should be disabled. To disable the ssh_keysign SELinux boolean, run the following command: $ sudo setsebool -P ssh_keysign off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_keysign='' - - -setsebool -P ssh_keysign $var_ssh_keysign - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_keysign # promote to variable set_fact: var_ssh_keysign: !!str 
@@ -238994,6 +238982,18 @@ fi - medium_severity - no_reboot_needed - sebool_ssh_keysign + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_keysign='' + + +setsebool -P ssh_keysign $var_ssh_keysign + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239025,18 +239025,6 @@ authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. CCE-83311-1 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_sysadm_login='' - - -setsebool -P ssh_sysadm_login $var_ssh_sysadm_login - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_sysadm_login # promote to variable set_fact: var_ssh_sysadm_login: !!str @@ -239075,6 +239063,18 @@ fi - medium_severity - no_reboot_needed - sebool_ssh_sysadm_login + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_sysadm_login='' + + +setsebool -P ssh_sysadm_login $var_ssh_sysadm_login + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239092,18 +239092,6 @@ If this setting is disabled, it should be enabled. To enable the staff_exec_content SELinux boolean, run the following command: $ sudo setsebool -P staff_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_staff_exec_content='' - - -setsebool -P staff_exec_content $var_staff_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_staff_exec_content # promote to variable set_fact: var_staff_exec_content: !!str @@ -239140,6 +239128,18 @@ fi - medium_severity - no_reboot_needed - sebool_staff_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_staff_exec_content='' + + +setsebool -P staff_exec_content $var_staff_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239157,18 +239157,6 @@ If this setting is enabled, it should be disabled. To disable the staff_use_svirt SELinux boolean, run the following command: $ sudo setsebool -P staff_use_svirt off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_staff_use_svirt='' - - -setsebool -P staff_use_svirt $var_staff_use_svirt - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_staff_use_svirt # promote to variable set_fact: var_staff_use_svirt: !!str 
@@ -239205,6 +239193,18 @@ fi - medium_severity - no_reboot_needed - sebool_staff_use_svirt + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_staff_use_svirt='' + + +setsebool -P staff_use_svirt $var_staff_use_svirt + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239222,18 +239222,6 @@ If this setting is enabled, it should be disabled. To disable the swift_can_network SELinux boolean, run the following command: $ sudo setsebool -P swift_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_swift_can_network='' - - -setsebool -P swift_can_network $var_swift_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_swift_can_network # promote to variable set_fact: var_swift_can_network: !!str @@ -239270,6 +239258,18 @@ fi - medium_severity - no_reboot_needed - sebool_swift_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_swift_can_network='' + + +setsebool -P swift_can_network $var_swift_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239287,18 +239287,6 @@ If this setting is disabled, it should be enabled. To enable the sysadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P sysadm_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sysadm_exec_content='' - - -setsebool -P sysadm_exec_content $var_sysadm_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sysadm_exec_content # promote to variable set_fact: var_sysadm_exec_content: !!str @@ -239335,6 +239323,18 @@ fi - medium_severity - no_reboot_needed - sebool_sysadm_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sysadm_exec_content='' + + +setsebool -P sysadm_exec_content $var_sysadm_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239352,18 +239352,6 @@ If this setting is enabled, it should be disabled. To disable the telepathy_connect_all_ports SELinux boolean, run the following command: $ sudo setsebool -P telepathy_connect_all_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_telepathy_connect_all_ports='' - - -setsebool -P telepathy_connect_all_ports $var_telepathy_connect_all_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_telepathy_connect_all_ports # promote to variable set_fact: var_telepathy_connect_all_ports: !!str 
@@ -239400,6 +239388,18 @@ fi - medium_severity - no_reboot_needed - sebool_telepathy_connect_all_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_telepathy_connect_all_ports='' + + +setsebool -P telepathy_connect_all_ports $var_telepathy_connect_all_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239418,18 +239418,6 @@ ports. To disable the telepathy_tcp_connect_generic_network_ports SELinux boolean, run the following command: $ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_telepathy_tcp_connect_generic_network_ports='' - - -setsebool -P telepathy_tcp_connect_generic_network_ports $var_telepathy_tcp_connect_generic_network_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_telepathy_tcp_connect_generic_network_ports # promote to variable set_fact: var_telepathy_tcp_connect_generic_network_ports: !!str @@ -239466,6 +239454,18 @@ fi - medium_severity - no_reboot_needed - sebool_telepathy_tcp_connect_generic_network_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_telepathy_tcp_connect_generic_network_ports='' + + +setsebool -P telepathy_tcp_connect_generic_network_ports $var_telepathy_tcp_connect_generic_network_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239483,18 +239483,6 @@ If this setting is enabled, it should be disabled. To disable the tftp_anon_write SELinux boolean, run the following command: $ sudo setsebool -P tftp_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tftp_anon_write='' - - -setsebool -P tftp_anon_write $var_tftp_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tftp_anon_write # promote to variable set_fact: var_tftp_anon_write: !!str @@ -239531,6 +239519,18 @@ fi - medium_severity - no_reboot_needed - sebool_tftp_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tftp_anon_write='' + + +setsebool -P tftp_anon_write $var_tftp_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239548,18 +239548,6 @@ If this setting is enabled, it should be disabled. To disable the tftp_home_dir SELinux boolean, run the following command: $ sudo setsebool -P tftp_home_dir off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tftp_home_dir='' - - -setsebool -P tftp_home_dir $var_tftp_home_dir - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tftp_home_dir # promote to variable set_fact: var_tftp_home_dir: !!str 
@@ -239596,6 +239584,18 @@ fi - medium_severity - no_reboot_needed - sebool_tftp_home_dir + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tftp_home_dir='' + + +setsebool -P tftp_home_dir $var_tftp_home_dir + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239613,18 +239613,6 @@ If this setting is enabled, it should be disabled. To disable the tmpreaper_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P tmpreaper_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tmpreaper_use_nfs='' - - -setsebool -P tmpreaper_use_nfs $var_tmpreaper_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tmpreaper_use_nfs # promote to variable set_fact: var_tmpreaper_use_nfs: !!str @@ -239661,6 +239649,18 @@ fi - medium_severity - no_reboot_needed - sebool_tmpreaper_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tmpreaper_use_nfs='' + + +setsebool -P tmpreaper_use_nfs $var_tmpreaper_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239678,18 +239678,6 @@ If this setting is enabled, it should be disabled. To disable the tmpreaper_use_samba SELinux boolean, run the following command: $ sudo setsebool -P tmpreaper_use_samba off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tmpreaper_use_samba='' - - -setsebool -P tmpreaper_use_samba $var_tmpreaper_use_samba - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tmpreaper_use_samba # promote to variable set_fact: var_tmpreaper_use_samba: !!str @@ -239726,6 +239714,18 @@ fi - medium_severity - no_reboot_needed - sebool_tmpreaper_use_samba + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tmpreaper_use_samba='' + + +setsebool -P tmpreaper_use_samba $var_tmpreaper_use_samba + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239743,18 +239743,6 @@ If this setting is enabled, it should be disabled. To disable the tor_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P tor_bind_all_unreserved_ports off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tor_bind_all_unreserved_ports='' - - -setsebool -P tor_bind_all_unreserved_ports $var_tor_bind_all_unreserved_ports - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tor_bind_all_unreserved_ports # promote to variable set_fact: var_tor_bind_all_unreserved_ports: !!str 
@@ -239791,6 +239779,18 @@ fi - medium_severity - no_reboot_needed - sebool_tor_bind_all_unreserved_ports + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tor_bind_all_unreserved_ports='' + + +setsebool -P tor_bind_all_unreserved_ports $var_tor_bind_all_unreserved_ports + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239808,18 +239808,6 @@ If this setting is enabled, it should be disabled. To disable the tor_can_network_relay SELinux boolean, run the following command: $ sudo setsebool -P tor_can_network_relay off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_tor_can_network_relay='' - - -setsebool -P tor_can_network_relay $var_tor_can_network_relay - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_tor_can_network_relay # promote to variable set_fact: var_tor_can_network_relay: !!str @@ -239856,6 +239844,18 @@ fi - medium_severity - no_reboot_needed - sebool_tor_can_network_relay + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_tor_can_network_relay='' + + +setsebool -P tor_can_network_relay $var_tor_can_network_relay + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -239873,18 +239873,6 @@ If this setting is disabled, it should be enabled. To enable the unconfined_chrome_sandbox_transition SELinux boolean, run the following command: $ sudo setsebool -P unconfined_chrome_sandbox_transition on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unconfined_chrome_sandbox_transition='' - - -setsebool -P unconfined_chrome_sandbox_transition $var_unconfined_chrome_sandbox_transition - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unconfined_chrome_sandbox_transition # promote to variable set_fact: var_unconfined_chrome_sandbox_transition: !!str @@ -239921,6 +239909,18 @@ fi - medium_severity - no_reboot_needed - sebool_unconfined_chrome_sandbox_transition + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unconfined_chrome_sandbox_transition='' + + +setsebool -P unconfined_chrome_sandbox_transition $var_unconfined_chrome_sandbox_transition + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -239938,18 +239938,6 @@ If this setting is disabled, it should be enabled. To enable the unconfined_login SELinux boolean, run the following command: $ sudo setsebool -P unconfined_login on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unconfined_login='' - - -setsebool -P unconfined_login $var_unconfined_login - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unconfined_login # promote to variable set_fact: var_unconfined_login: !!str 
@@ -239986,6 +239974,18 @@ fi - medium_severity - no_reboot_needed - sebool_unconfined_login + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unconfined_login='' + + +setsebool -P unconfined_login $var_unconfined_login + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240003,18 +240003,6 @@ If this setting is disabled, it should be enabled. To enable the unconfined_mozilla_plugin_transition SELinux boolean, run the following command: $ sudo setsebool -P unconfined_mozilla_plugin_transition on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unconfined_mozilla_plugin_transition='' - - -setsebool -P unconfined_mozilla_plugin_transition $var_unconfined_mozilla_plugin_transition - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unconfined_mozilla_plugin_transition # promote to variable set_fact: var_unconfined_mozilla_plugin_transition: !!str @@ -240051,6 +240039,18 @@ fi - medium_severity - no_reboot_needed - sebool_unconfined_mozilla_plugin_transition + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unconfined_mozilla_plugin_transition='' + + +setsebool -P unconfined_mozilla_plugin_transition $var_unconfined_mozilla_plugin_transition + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240068,18 +240068,6 @@ If this setting is enabled, it should be disabled. To disable the unprivuser_use_svirt SELinux boolean, run the following command: $ sudo setsebool -P unprivuser_use_svirt off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_unprivuser_use_svirt='' - - -setsebool -P unprivuser_use_svirt $var_unprivuser_use_svirt - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_unprivuser_use_svirt # promote to variable set_fact: var_unprivuser_use_svirt: !!str @@ -240116,6 +240104,18 @@ fi - medium_severity - no_reboot_needed - sebool_unprivuser_use_svirt + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_unprivuser_use_svirt='' + + +setsebool -P unprivuser_use_svirt $var_unprivuser_use_svirt + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240133,18 +240133,6 @@ If this setting is enabled, it should be disabled. To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_ecryptfs_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_ecryptfs_home_dirs='' - - -setsebool -P use_ecryptfs_home_dirs $var_use_ecryptfs_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_ecryptfs_home_dirs # promote to variable set_fact: var_use_ecryptfs_home_dirs: !!str 
@@ -240181,6 +240169,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_ecryptfs_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_ecryptfs_home_dirs='' + + +setsebool -P use_ecryptfs_home_dirs $var_use_ecryptfs_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240198,18 +240198,6 @@ If this setting is enabled, it should be disabled. To disable the use_fusefs_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_fusefs_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_fusefs_home_dirs='' - - -setsebool -P use_fusefs_home_dirs $var_use_fusefs_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_fusefs_home_dirs # promote to variable set_fact: var_use_fusefs_home_dirs: !!str @@ -240246,6 +240234,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_fusefs_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_fusefs_home_dirs='' + + +setsebool -P use_fusefs_home_dirs $var_use_fusefs_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240263,18 +240263,6 @@ If this setting is enabled, it should be disabled. To disable the use_lpd_server SELinux boolean, run the following command: $ sudo setsebool -P use_lpd_server off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_lpd_server='' - - -setsebool -P use_lpd_server $var_use_lpd_server - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_lpd_server # promote to variable set_fact: var_use_lpd_server: !!str @@ -240311,6 +240299,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_lpd_server + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_lpd_server='' + + +setsebool -P use_lpd_server $var_use_lpd_server + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240328,18 +240328,6 @@ If this setting is enabled, it should be disabled. To disable the use_nfs_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_nfs_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_nfs_home_dirs='' - - -setsebool -P use_nfs_home_dirs $var_use_nfs_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_nfs_home_dirs # promote to variable set_fact: var_use_nfs_home_dirs: !!str 
@@ -240376,6 +240364,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_nfs_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_nfs_home_dirs='' + + +setsebool -P use_nfs_home_dirs $var_use_nfs_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240393,18 +240393,6 @@ If this setting is enabled, it should be disabled. To disable the use_samba_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P use_samba_home_dirs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_use_samba_home_dirs='' - - -setsebool -P use_samba_home_dirs $var_use_samba_home_dirs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_use_samba_home_dirs # promote to variable set_fact: var_use_samba_home_dirs: !!str @@ -240441,6 +240429,18 @@ fi - medium_severity - no_reboot_needed - sebool_use_samba_home_dirs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_use_samba_home_dirs='' + + +setsebool -P use_samba_home_dirs $var_use_samba_home_dirs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240458,18 +240458,6 @@ If this setting is disabled, it should be enabled. To enable the user_exec_content SELinux boolean, run the following command: $ sudo setsebool -P user_exec_content on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_user_exec_content='' - - -setsebool -P user_exec_content $var_user_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_user_exec_content # promote to variable set_fact: var_user_exec_content: !!str @@ -240506,6 +240494,18 @@ fi - medium_severity - no_reboot_needed - sebool_user_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_user_exec_content='' + + +setsebool -P user_exec_content $var_user_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240523,18 +240523,6 @@ If this setting is enabled, it should be disabled. To disable the varnishd_connect_any SELinux boolean, run the following command: $ sudo setsebool -P varnishd_connect_any off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_varnishd_connect_any='' - - -setsebool -P varnishd_connect_any $var_varnishd_connect_any - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_varnishd_connect_any # promote to variable set_fact: var_varnishd_connect_any: !!str 
@@ -240571,6 +240559,18 @@ fi - medium_severity - no_reboot_needed - sebool_varnishd_connect_any + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_varnishd_connect_any='' + + +setsebool -P varnishd_connect_any $var_varnishd_connect_any + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240588,18 +240588,6 @@ If this setting is enabled, it should be disabled. To disable the virt_read_qemu_ga_data SELinux boolean, run the following command: $ sudo setsebool -P virt_read_qemu_ga_data off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_read_qemu_ga_data='' - - -setsebool -P virt_read_qemu_ga_data $var_virt_read_qemu_ga_data - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_read_qemu_ga_data # promote to variable set_fact: var_virt_read_qemu_ga_data: !!str @@ -240636,6 +240624,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_read_qemu_ga_data + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_read_qemu_ga_data='' + + +setsebool -P virt_read_qemu_ga_data $var_virt_read_qemu_ga_data + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240653,18 +240653,6 @@ If this setting is enabled, it should be disabled. To disable the virt_rw_qemu_ga_data SELinux boolean, run the following command: $ sudo setsebool -P virt_rw_qemu_ga_data off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_rw_qemu_ga_data='' - - -setsebool -P virt_rw_qemu_ga_data $var_virt_rw_qemu_ga_data - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_rw_qemu_ga_data # promote to variable set_fact: var_virt_rw_qemu_ga_data: !!str @@ -240701,6 +240689,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_rw_qemu_ga_data + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_rw_qemu_ga_data='' + + +setsebool -P virt_rw_qemu_ga_data $var_virt_rw_qemu_ga_data + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240718,18 +240718,6 @@ This setting is disabled as containers should not run with privileges. To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_all_caps off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_all_caps='' - - -setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_all_caps # promote to variable set_fact: var_virt_sandbox_use_all_caps: !!str 
@@ -240766,6 +240754,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_all_caps + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_all_caps='' + + +setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240784,18 +240784,6 @@ to send audit messages. To enable the virt_sandbox_use_audit SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_audit on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_audit='' - - -setsebool -P virt_sandbox_use_audit $var_virt_sandbox_use_audit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_audit # promote to variable set_fact: var_virt_sandbox_use_audit: !!str @@ -240832,6 +240820,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_audit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_audit='' + + +setsebool -P virt_sandbox_use_audit $var_virt_sandbox_use_audit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -240849,18 +240849,6 @@ If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_mknod SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_mknod off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_mknod='' - - -setsebool -P virt_sandbox_use_mknod $var_virt_sandbox_use_mknod - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_mknod # promote to variable set_fact: var_virt_sandbox_use_mknod: !!str @@ -240897,6 +240885,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_mknod + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_mknod='' + + +setsebool -P virt_sandbox_use_mknod $var_virt_sandbox_use_mknod + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240914,18 +240914,6 @@ If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_netlink SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_netlink off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_netlink='' - - -setsebool -P virt_sandbox_use_netlink $var_virt_sandbox_use_netlink - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_netlink # promote to variable set_fact: var_virt_sandbox_use_netlink: !!str 
@@ -240962,6 +240950,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_netlink + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_netlink='' + + +setsebool -P virt_sandbox_use_netlink $var_virt_sandbox_use_netlink + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -240979,18 +240979,6 @@ If this setting is enabled, it should be disabled. To disable the virt_sandbox_use_sys_admin SELinux boolean, run the following command: $ sudo setsebool -P virt_sandbox_use_sys_admin off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_sandbox_use_sys_admin='' - - -setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_sandbox_use_sys_admin # promote to variable set_fact: var_virt_sandbox_use_sys_admin: !!str @@ -241027,6 +241015,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_sandbox_use_sys_admin + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_sandbox_use_sys_admin='' + + +setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241044,18 +241044,6 @@ If this setting is enabled, it should be disabled. To disable the virt_transition_userdomain SELinux boolean, run the following command: $ sudo setsebool -P virt_transition_userdomain off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_transition_userdomain='' - - -setsebool -P virt_transition_userdomain $var_virt_transition_userdomain - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_transition_userdomain # promote to variable set_fact: var_virt_transition_userdomain: !!str @@ -241092,6 +241080,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_transition_userdomain + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_transition_userdomain='' + + +setsebool -P virt_transition_userdomain $var_virt_transition_userdomain + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241109,18 +241109,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_comm SELinux boolean, run the following command: $ sudo setsebool -P virt_use_comm off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_comm='' - - -setsebool -P virt_use_comm $var_virt_use_comm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_comm # promote to variable set_fact: var_virt_use_comm: !!str 
@@ -241157,6 +241145,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_comm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_comm='' + + +setsebool -P virt_use_comm $var_virt_use_comm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241176,18 +241176,6 @@ To disable the virt_use_execmem SELinux boolean, run the BP28(R67) CCE-83312-9 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_execmem='' - - -setsebool -P virt_use_execmem $var_virt_use_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_execmem # promote to variable set_fact: var_virt_use_execmem: !!str @@ -241226,6 +241214,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_execmem='' + + +setsebool -P virt_use_execmem $var_virt_use_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241243,18 +241243,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P virt_use_fusefs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_fusefs='' - - -setsebool -P virt_use_fusefs $var_virt_use_fusefs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_fusefs # promote to variable set_fact: var_virt_use_fusefs: !!str 
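Review bot: the `virt_use_execmem` hunk (`@@ -241176,18 +241176,6 @@`) is the only one in this series whose context does not show the `$ sudo setsebool -P ... off` line directly above the removed block; the visible context is `BP28(R67)` and `CCE-83312-9` right after "run the", while every other hunk shows the command line there. Worth confirming that the rendered description for `sebool_virt_use_execmem` still carries the full sentence and the command before this relocation is merged, since the move itself does not touch that text.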
@@ -241291,6 +241279,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_fusefs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_fusefs='' + + +setsebool -P virt_use_fusefs $var_virt_use_fusefs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241308,18 +241308,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P virt_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_nfs='' - - -setsebool -P virt_use_nfs $var_virt_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_nfs # promote to variable set_fact: var_virt_use_nfs: !!str @@ -241356,6 +241344,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_nfs='' + + +setsebool -P virt_use_nfs $var_virt_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241373,18 +241373,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_rawip SELinux boolean, run the following command: $ sudo setsebool -P virt_use_rawip off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_rawip='' - - -setsebool -P virt_use_rawip $var_virt_use_rawip - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_rawip # promote to variable set_fact: var_virt_use_rawip: !!str @@ -241421,6 +241409,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_rawip + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_rawip='' + + +setsebool -P virt_use_rawip $var_virt_use_rawip + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241438,18 +241438,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_samba SELinux boolean, run the following command: $ sudo setsebool -P virt_use_samba off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_samba='' - - -setsebool -P virt_use_samba $var_virt_use_samba - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_samba # promote to variable set_fact: var_virt_use_samba: !!str 
@@ -241486,6 +241474,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_samba + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_samba='' + + +setsebool -P virt_use_samba $var_virt_use_samba + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241503,18 +241503,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_sanlock SELinux boolean, run the following command: $ sudo setsebool -P virt_use_sanlock off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_sanlock='' - - -setsebool -P virt_use_sanlock $var_virt_use_sanlock - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_sanlock # promote to variable set_fact: var_virt_use_sanlock: !!str @@ -241551,6 +241539,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_sanlock + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_sanlock='' + + +setsebool -P virt_use_sanlock $var_virt_use_sanlock + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241568,18 +241568,6 @@ This setting should be disabled. To disable the virt_use_usb SELinux boolean, run the following command: $ sudo setsebool -P virt_use_usb off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_usb='' - - -setsebool -P virt_use_usb $var_virt_use_usb - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_usb # promote to variable set_fact: var_virt_use_usb: !!str @@ -241616,6 +241604,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_usb + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_usb='' + + +setsebool -P virt_use_usb $var_virt_use_usb + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241633,18 +241633,6 @@ If this setting is enabled, it should be disabled. To disable the virt_use_xserver SELinux boolean, run the following command: $ sudo setsebool -P virt_use_xserver off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_virt_use_xserver='' - - -setsebool -P virt_use_xserver $var_virt_use_xserver - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_virt_use_xserver # promote to variable set_fact: var_virt_use_xserver: !!str 
@@ -241681,6 +241669,18 @@ fi - medium_severity - no_reboot_needed - sebool_virt_use_xserver + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_virt_use_xserver='' + + +setsebool -P virt_use_xserver $var_virt_use_xserver + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241698,18 +241698,6 @@ If this setting is enabled, it should be disabled. To disable the webadm_manage_user_files SELinux boolean, run the following command: $ sudo setsebool -P webadm_manage_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_webadm_manage_user_files='' - - -setsebool -P webadm_manage_user_files $var_webadm_manage_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_webadm_manage_user_files # promote to variable set_fact: var_webadm_manage_user_files: !!str @@ -241746,6 +241734,18 @@ fi - medium_severity - no_reboot_needed - sebool_webadm_manage_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_webadm_manage_user_files='' + + +setsebool -P webadm_manage_user_files $var_webadm_manage_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241763,18 +241763,6 @@ If this setting is enabled, it should be disabled. To disable the webadm_read_user_files SELinux boolean, run the following command: $ sudo setsebool -P webadm_read_user_files off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_webadm_read_user_files='' - - -setsebool -P webadm_read_user_files $var_webadm_read_user_files - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_webadm_read_user_files # promote to variable set_fact: var_webadm_read_user_files: !!str @@ -241811,6 +241799,18 @@ fi - medium_severity - no_reboot_needed - sebool_webadm_read_user_files + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_webadm_read_user_files='' + + +setsebool -P webadm_read_user_files $var_webadm_read_user_files + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241828,18 +241828,6 @@ If this setting is enabled, it should be disabled. To disable the wine_mmap_zero_ignore SELinux boolean, run the following command: $ sudo setsebool -P wine_mmap_zero_ignore off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_wine_mmap_zero_ignore='' - - -setsebool -P wine_mmap_zero_ignore $var_wine_mmap_zero_ignore - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_wine_mmap_zero_ignore # promote to variable set_fact: var_wine_mmap_zero_ignore: !!str 
@@ -241876,6 +241864,18 @@ fi - medium_severity - no_reboot_needed - sebool_wine_mmap_zero_ignore + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_wine_mmap_zero_ignore='' + + +setsebool -P wine_mmap_zero_ignore $var_wine_mmap_zero_ignore + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -241893,18 +241893,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command: $ sudo setsebool -P xdm_bind_vnc_tcp_port off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_bind_vnc_tcp_port='' - - -setsebool -P xdm_bind_vnc_tcp_port $var_xdm_bind_vnc_tcp_port - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_bind_vnc_tcp_port # promote to variable set_fact: var_xdm_bind_vnc_tcp_port: !!str @@ -241941,6 +241929,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_bind_vnc_tcp_port + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_bind_vnc_tcp_port='' + + +setsebool -P xdm_bind_vnc_tcp_port $var_xdm_bind_vnc_tcp_port + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -241958,18 +241958,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_exec_bootloader SELinux boolean, run the following command: $ sudo setsebool -P xdm_exec_bootloader off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_exec_bootloader='' - - -setsebool -P xdm_exec_bootloader $var_xdm_exec_bootloader - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_exec_bootloader # promote to variable set_fact: var_xdm_exec_bootloader: !!str @@ -242006,6 +241994,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_exec_bootloader + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_exec_bootloader='' + + +setsebool -P xdm_exec_bootloader $var_xdm_exec_bootloader + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242023,18 +242023,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_sysadm_login SELinux boolean, run the following command: $ sudo setsebool -P xdm_sysadm_login off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_sysadm_login='' - - -setsebool -P xdm_sysadm_login $var_xdm_sysadm_login - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_sysadm_login # promote to variable set_fact: var_xdm_sysadm_login: !!str 
@@ -242071,6 +242059,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_sysadm_login + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_sysadm_login='' + + +setsebool -P xdm_sysadm_login $var_xdm_sysadm_login + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242088,18 +242088,6 @@ If this setting is enabled, it should be disabled. To disable the xdm_write_home SELinux boolean, run the following command: $ sudo setsebool -P xdm_write_home off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xdm_write_home='' - - -setsebool -P xdm_write_home $var_xdm_write_home - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xdm_write_home # promote to variable set_fact: var_xdm_write_home: !!str @@ -242136,6 +242124,18 @@ fi - medium_severity - no_reboot_needed - sebool_xdm_write_home + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xdm_write_home='' + + +setsebool -P xdm_write_home $var_xdm_write_home + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242153,18 +242153,6 @@ If this setting is enabled, it should be disabled. To disable the xen_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P xen_use_nfs off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xen_use_nfs='' - - -setsebool -P xen_use_nfs $var_xen_use_nfs - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xen_use_nfs # promote to variable set_fact: var_xen_use_nfs: !!str @@ -242201,6 +242189,18 @@ fi - medium_severity - no_reboot_needed - sebool_xen_use_nfs + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xen_use_nfs='' + + +setsebool -P xen_use_nfs $var_xen_use_nfs + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242218,18 +242218,6 @@ If this setting is disabled, it should be enabled. To enable the xend_run_blktap SELinux boolean, run the following command: $ sudo setsebool -P xend_run_blktap on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xend_run_blktap='' - - -setsebool -P xend_run_blktap $var_xend_run_blktap - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xend_run_blktap # promote to variable set_fact: var_xend_run_blktap: !!str 
@@ -242266,6 +242254,18 @@ fi - medium_severity - no_reboot_needed - sebool_xend_run_blktap + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xend_run_blktap='' + + +setsebool -P xend_run_blktap $var_xend_run_blktap + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242283,18 +242283,6 @@ If this setting is disabled, it should be enabled. To enable the xend_run_qemu SELinux boolean, run the following command: $ sudo setsebool -P xend_run_qemu on - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xend_run_qemu='' - - -setsebool -P xend_run_qemu $var_xend_run_qemu - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xend_run_qemu # promote to variable set_fact: var_xend_run_qemu: !!str @@ -242331,6 +242319,18 @@ fi - medium_severity - no_reboot_needed - sebool_xend_run_qemu + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xend_run_qemu='' + + +setsebool -P xend_run_qemu $var_xend_run_qemu + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242349,18 +242349,6 @@ This setting should be disabled as guest users should not be able to configure To disable the xguest_connect_network SELinux boolean, run the following command: $ sudo setsebool -P xguest_connect_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_connect_network='' - - -setsebool -P xguest_connect_network $var_xguest_connect_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_connect_network # promote to variable set_fact: var_xguest_connect_network: !!str @@ -242397,6 +242385,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_connect_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_connect_network='' + + +setsebool -P xguest_connect_network $var_xguest_connect_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242415,18 +242415,6 @@ executables. To disable the xguest_exec_content SELinux boolean, run the following command: $ sudo setsebool -P xguest_exec_content off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_exec_content='' - - -setsebool -P xguest_exec_content $var_xguest_exec_content - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_exec_content # promote to variable set_fact: var_xguest_exec_content: !!str 
@@ -242463,6 +242451,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_exec_content + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_exec_content='' + + +setsebool -P xguest_exec_content $var_xguest_exec_content + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242481,18 +242481,6 @@ any media. To disable the xguest_mount_media SELinux boolean, run the following command: $ sudo setsebool -P xguest_mount_media off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_mount_media='' - - -setsebool -P xguest_mount_media $var_xguest_mount_media - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_mount_media # promote to variable set_fact: var_xguest_mount_media: !!str @@ -242529,6 +242517,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_mount_media + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_mount_media='' + + +setsebool -P xguest_mount_media $var_xguest_mount_media + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242547,18 +242547,6 @@ or use bluetooth. To disable the xguest_use_bluetooth SELinux boolean, run the following command: $ sudo setsebool -P xguest_use_bluetooth off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xguest_use_bluetooth='' - - -setsebool -P xguest_use_bluetooth $var_xguest_use_bluetooth - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xguest_use_bluetooth # promote to variable set_fact: var_xguest_use_bluetooth: !!str @@ -242595,6 +242583,18 @@ fi - medium_severity - no_reboot_needed - sebool_xguest_use_bluetooth + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xguest_use_bluetooth='' + + +setsebool -P xguest_use_bluetooth $var_xguest_use_bluetooth + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242612,18 +242612,6 @@ If this setting is enabled, it should be disabled. To disable the xserver_clients_write_xshm SELinux boolean, run the following command: $ sudo setsebool -P xserver_clients_write_xshm off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xserver_clients_write_xshm='' - - -setsebool -P xserver_clients_write_xshm $var_xserver_clients_write_xshm - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xserver_clients_write_xshm # promote to variable set_fact: var_xserver_clients_write_xshm: !!str 
@@ -242660,6 +242648,18 @@ fi - medium_severity - no_reboot_needed - sebool_xserver_clients_write_xshm + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xserver_clients_write_xshm='' + + +setsebool -P xserver_clients_write_xshm $var_xserver_clients_write_xshm + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242679,18 +242679,6 @@ To disable the xserver_execmem SELinux boolean, run the f BP28(R67) CCE-83313-7 - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xserver_execmem='' - - -setsebool -P xserver_execmem $var_xserver_execmem - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xserver_execmem # promote to variable set_fact: var_xserver_execmem: !!str @@ -242729,6 +242717,18 @@ fi - medium_severity - no_reboot_needed - sebool_xserver_execmem + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xserver_execmem='' + + +setsebool -P xserver_execmem $var_xserver_execmem + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242746,18 +242746,6 @@ If this setting is enabled, it should be disabled. To disable the xserver_object_manager SELinux boolean, run the following command: $ sudo setsebool -P xserver_object_manager off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_xserver_object_manager='' - - -setsebool -P xserver_object_manager $var_xserver_object_manager - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_xserver_object_manager # promote to variable set_fact: var_xserver_object_manager: !!str @@ -242794,6 +242782,18 @@ fi - medium_severity - no_reboot_needed - sebool_xserver_object_manager + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_xserver_object_manager='' + + +setsebool -P xserver_object_manager $var_xserver_object_manager + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242811,18 +242811,6 @@ If this setting is enabled, it should be disabled. To disable the zabbix_can_network SELinux boolean, run the following command: $ sudo setsebool -P zabbix_can_network off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zabbix_can_network='' - - -setsebool -P zabbix_can_network $var_zabbix_can_network - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zabbix_can_network # promote to variable set_fact: var_zabbix_can_network: !!str 
@@ -242859,6 +242847,18 @@ fi - medium_severity - no_reboot_needed - sebool_zabbix_can_network + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zabbix_can_network='' + + +setsebool -P zabbix_can_network $var_zabbix_can_network + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -242876,18 +242876,6 @@ If this setting is enabled, it should be disabled. To disable the zarafa_setrlimit SELinux boolean, run the following command: $ sudo setsebool -P zarafa_setrlimit off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zarafa_setrlimit='' - - -setsebool -P zarafa_setrlimit $var_zarafa_setrlimit - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zarafa_setrlimit # promote to variable set_fact: var_zarafa_setrlimit: !!str @@ -242924,6 +242912,18 @@ fi - medium_severity - no_reboot_needed - sebool_zarafa_setrlimit + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zarafa_setrlimit='' + + +setsebool -P zarafa_setrlimit $var_zarafa_setrlimit + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -242941,18 +242941,6 @@ If this setting is enabled, it should be disabled. To disable the zebra_write_config SELinux boolean, run the following command: $ sudo setsebool -P zebra_write_config off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zebra_write_config='' - - -setsebool -P zebra_write_config $var_zebra_write_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zebra_write_config # promote to variable set_fact: var_zebra_write_config: !!str @@ -242989,6 +242977,18 @@ fi - medium_severity - no_reboot_needed - sebool_zebra_write_config + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zebra_write_config='' + + +setsebool -P zebra_write_config $var_zebra_write_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -243006,18 +243006,6 @@ If this setting is enabled, it should be disabled. To disable the zoneminder_anon_write SELinux boolean, run the following command: $ sudo setsebool -P zoneminder_anon_write off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zoneminder_anon_write='' - - -setsebool -P zoneminder_anon_write $var_zoneminder_anon_write - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zoneminder_anon_write # promote to variable set_fact: var_zoneminder_anon_write: !!str 
@@ -243054,6 +243042,18 @@ fi - medium_severity - no_reboot_needed - sebool_zoneminder_anon_write + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zoneminder_anon_write='' + + +setsebool -P zoneminder_anon_write $var_zoneminder_anon_write + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -243071,18 +243071,6 @@ If this setting is enabled, it should be disabled. To disable the zoneminder_run_sudo SELinux boolean, run the following command: $ sudo setsebool -P zoneminder_run_sudo off - # Remediation is applicable only in certain platforms -if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_zoneminder_run_sudo='' - - -setsebool -P zoneminder_run_sudo $var_zoneminder_run_sudo - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_zoneminder_run_sudo # promote to variable set_fact: var_zoneminder_run_sudo: !!str @@ -243119,6 +243107,18 @@ fi - medium_severity - no_reboot_needed - sebool_zoneminder_run_sudo + + # Remediation is applicable only in certain platforms +if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_zoneminder_run_sudo='' + + +setsebool -P zoneminder_run_sudo $var_zoneminder_run_sudo + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -243648,18 +243648,8 @@ the avahi-autoipd and avahi packages can be uninstalled. system functionality. It is recommended to remove this package to reduce the potential attack surface. CCE-86515-4 - -# CAUTION: This remediation script will remove avahi-autoipd -# from the system, and may remove any packages -# that depend on avahi-autoipd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "avahi-autoipd" ; then - - yum remove -y "avahi-autoipd" - -fi + +package --remove=avahi-autoipd include remove_avahi-autoipd @@ -243685,8 +243675,18 @@ class remove_avahi-autoipd { - no_reboot_needed - package_avahi-autoipd_removed - -package --remove=avahi-autoipd + +# CAUTION: This remediation script will remove avahi-autoipd +# from the system, and may remove any packages +# that depend on avahi-autoipd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "avahi-autoipd" ; then + + yum remove -y "avahi-autoipd" + +fi @@ -243773,18 +243773,8 @@ the avahi-autoipd and avahi packages can be uninstalled. system functionality. It is recommended to remove this package to reduce the potential attack surface. CCE-86512-1 - -# CAUTION: This remediation script will remove avahi -# from the system, and may remove any packages -# that depend on avahi. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "avahi" ; then - - yum remove -y "avahi" - -fi + +package --remove=avahi include remove_avahi @@ -243810,8 +243800,18 @@ class remove_avahi { - no_reboot_needed - package_avahi_removed - -package --remove=avahi + +# CAUTION: This remediation script will remove avahi +# from the system, and may remove any packages +# that depend on avahi. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "avahi" ; then + + yum remove -y "avahi" + +fi 
@@ -243904,26 +243904,20 @@ can be trusted. [customizations.services] disabled = ["avahi-daemon"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service' -"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service' -"$SYSTEMCTL_EXEC" mask 'avahi-daemon.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files avahi-daemon.socket; then - "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket' - "$SYSTEMCTL_EXEC" mask 'avahi-daemon.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: avahi-daemon.service + enabled: false + mask: true + - name: avahi-daemon.socket + enabled: false + mask: true include disable_avahi-daemon 
@@ -244007,20 +244001,26 @@ class disable_avahi-daemon { - no_reboot_needed - service_avahi-daemon_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: avahi-daemon.service - enabled: false - mask: true - - name: avahi-daemon.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service' +"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service' +"$SYSTEMCTL_EXEC" mask 'avahi-daemon.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files avahi-daemon.socket; then + "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket' + "$SYSTEMCTL_EXEC" mask 'avahi-daemon.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -244170,15 +244170,13 @@ view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records. CCE-82404-5 + +package --add=psacct + [[packages]] name = "psacct" version = "*" - - -if ! rpm -q --quiet "psacct" ; then - yum install -y "psacct" -fi include install_psacct @@ -244203,8 +244201,10 @@ class install_psacct { - no_reboot_needed - package_psacct_installed - -package --add=psacct + +if ! rpm -q --quiet "psacct" ; then + yum install -y "psacct" +fi 
@@ -244231,18 +244231,8 @@ $ sudo yum erase abrt vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. CCE-80948-3 - -# CAUTION: This remediation script will remove abrt -# from the system, and may remove any packages -# that depend on abrt. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "abrt" ; then - - yum remove -y "abrt" - -fi + +package --remove=abrt include remove_abrt @@ -244266,8 +244256,18 @@ class remove_abrt { - no_reboot_needed - package_abrt_removed - -package --remove=abrt + +# CAUTION: This remediation script will remove abrt +# from the system, and may remove any packages +# that depend on abrt. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt" ; then + + yum remove -y "abrt" + +fi @@ -244411,18 +244411,6 @@ records. [customizations.services] enabled = ["psacct"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'psacct.service' -"$SYSTEMCTL_EXEC" start 'psacct.service' -"$SYSTEMCTL_EXEC" enable 'psacct.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_psacct @@ -244459,6 +244447,18 @@ class enable_psacct { - low_severity - no_reboot_needed - service_psacct_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'psacct.service' +"$SYSTEMCTL_EXEC" start 'psacct.service' +"$SYSTEMCTL_EXEC" enable 'psacct.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -244575,26 +244575,20 @@ information from within a process's address space or registers. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'abrtd.service' -"$SYSTEMCTL_EXEC" disable 'abrtd.service' -"$SYSTEMCTL_EXEC" mask 'abrtd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files abrtd.socket; then - "$SYSTEMCTL_EXEC" stop 'abrtd.socket' - "$SYSTEMCTL_EXEC" mask 'abrtd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'abrtd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: abrtd.service + enabled: false + mask: true + - name: abrtd.socket + enabled: false + mask: true include disable_abrtd 
@@ -244672,20 +244666,26 @@ class disable_abrtd { - no_reboot_needed - service_abrtd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: abrtd.service - enabled: false - mask: true - - name: abrtd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'abrtd.service' +"$SYSTEMCTL_EXEC" disable 'abrtd.service' +"$SYSTEMCTL_EXEC" mask 'abrtd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files abrtd.socket; then + "$SYSTEMCTL_EXEC" stop 'abrtd.socket' + "$SYSTEMCTL_EXEC" mask 'abrtd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'abrtd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -244779,26 +244779,20 @@ it is appropriate. [customizations.services] disabled = ["acpid"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'acpid.service' -"$SYSTEMCTL_EXEC" disable 'acpid.service' -"$SYSTEMCTL_EXEC" mask 'acpid.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files acpid.socket; then - "$SYSTEMCTL_EXEC" stop 'acpid.socket' - "$SYSTEMCTL_EXEC" mask 'acpid.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'acpid.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: acpid.service + enabled: false + mask: true + - name: acpid.socket + enabled: false + mask: true include disable_acpid 
@@ -244879,20 +244873,26 @@ class disable_acpid { - no_reboot_needed - service_acpid_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: acpid.service - enabled: false - mask: true - - name: acpid.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'acpid.service' +"$SYSTEMCTL_EXEC" disable 'acpid.service' +"$SYSTEMCTL_EXEC" mask 'acpid.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files acpid.socket; then + "$SYSTEMCTL_EXEC" stop 'acpid.socket' + "$SYSTEMCTL_EXEC" mask 'acpid.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'acpid.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -244985,6 +244985,100 @@ for many other use cases. [customizations.services] disabled = ["certmonger"] + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: certmonger.service + enabled: false + mask: true + - name: certmonger.socket + enabled: false + mask: true + + include disable_certmonger + +class disable_certmonger { + service {'certmonger': + enable => false, + ensure => 'stopped', + } +} + + - name: Block Disable service certmonger + block: + + - name: Disable service certmonger + block: + + - name: Disable service certmonger + systemd: + name: certmonger.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + + - name: Intentionally ignored previous 'Disable service certmonger' failure, service + was already disabled + meta: noop + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82452-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_certmonger_disabled + +- name: Unit Socket Exists - certmonger.socket + command: systemctl -q list-unit-files certmonger.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82452-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_certmonger_disabled + +- name: Disable socket certmonger + systemd: + name: certmonger.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - socket_file_exists.stdout_lines is 
search("certmonger.socket",multiline=True) + tags: + - CCE-82452-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_certmonger_disabled # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
@@ -245006,100 +245100,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - include disable_certmonger - -class disable_certmonger { - service {'certmonger': - enable => false, - ensure => 'stopped', - } -} - - - name: Block Disable service certmonger - block: - - - name: Disable service certmonger - block: - - - name: Disable service certmonger - systemd: - name: certmonger.service - enabled: 'no' - state: stopped - masked: 'yes' - rescue: - - - name: Intentionally ignored previous 'Disable service certmonger' failure, service - was already disabled - meta: noop - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82452-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_certmonger_disabled - -- name: Unit Socket Exists - certmonger.socket - command: systemctl -q list-unit-files certmonger.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82452-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_certmonger_disabled - -- name: Disable socket certmonger - systemd: - name: certmonger.socket - enabled: 'no' - state: stopped - masked: 'yes' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - socket_file_exists.stdout_lines is search("certmonger.socket",multiline=True) - tags: - - CCE-82452-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_certmonger_disabled - - 
apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: certmonger.service - enabled: false - mask: true - - name: certmonger.socket - enabled: false - mask: true @@ -245121,26 +245121,20 @@ The cockpit service can be disabled with the following co [customizations.services] disabled = ["cockpit"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'cockpit.service' -"$SYSTEMCTL_EXEC" disable 'cockpit.service' -"$SYSTEMCTL_EXEC" mask 'cockpit.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files cockpit.socket; then - "$SYSTEMCTL_EXEC" stop 'cockpit.socket' - "$SYSTEMCTL_EXEC" mask 'cockpit.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'cockpit.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: cockpit.service + enabled: false + mask: true + - name: cockpit.socket + enabled: false + mask: true include disable_cockpit 
@@ -245209,20 +245203,26 @@ class disable_cockpit { - no_reboot_needed - service_cockpit_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: cockpit.service - enabled: false - mask: true - - name: cockpit.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'cockpit.service' +"$SYSTEMCTL_EXEC" disable 'cockpit.service' +"$SYSTEMCTL_EXEC" mask 'cockpit.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files cockpit.socket; then + "$SYSTEMCTL_EXEC" stop 'cockpit.socket' + "$SYSTEMCTL_EXEC" mask 'cockpit.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'cockpit.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -245315,26 +245315,20 @@ highly desirable or necessary. [customizations.services] disabled = ["cpupower"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'cpupower.service' -"$SYSTEMCTL_EXEC" disable 'cpupower.service' -"$SYSTEMCTL_EXEC" mask 'cpupower.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files cpupower.socket; then - "$SYSTEMCTL_EXEC" stop 'cpupower.socket' - "$SYSTEMCTL_EXEC" mask 'cpupower.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'cpupower.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: cpupower.service + enabled: false + mask: true + - name: cpupower.socket + enabled: false + mask: true include disable_cpupower 
@@ -245415,20 +245409,26 @@ class disable_cpupower { - no_reboot_needed - service_cpupower_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: cpupower.service - enabled: false - mask: true - - name: cpupower.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'cpupower.service' +"$SYSTEMCTL_EXEC" disable 'cpupower.service' +"$SYSTEMCTL_EXEC" mask 'cpupower.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files cpupower.socket; then + "$SYSTEMCTL_EXEC" stop 'cpupower.socket' + "$SYSTEMCTL_EXEC" mask 'cpupower.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'cpupower.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -245556,30 +245556,27 @@ on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. CCE-80878-2 + +kdump --disable + [customizations.services] disabled = ["kdump"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'kdump.service' -"$SYSTEMCTL_EXEC" disable 'kdump.service' -"$SYSTEMCTL_EXEC" mask 'kdump.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files kdump.socket; then - "$SYSTEMCTL_EXEC" stop 'kdump.socket' - "$SYSTEMCTL_EXEC" mask 'kdump.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: kdump.service + enabled: false + mask: true + - name: kdump.socket + enabled: false + mask: true include disable_kdump 
@@ -245663,23 +245660,26 @@ class disable_kdump { - no_reboot_needed - service_kdump_disabled - -kdump --disable - - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: kdump.service - enabled: false - mask: true - - name: kdump.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'kdump.service' +"$SYSTEMCTL_EXEC" disable 'kdump.service' +"$SYSTEMCTL_EXEC" mask 'kdump.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files kdump.socket; then + "$SYSTEMCTL_EXEC" stop 'kdump.socket' + "$SYSTEMCTL_EXEC" mask 'kdump.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -245770,26 +245770,20 @@ there is no need to run this service. [customizations.services] disabled = ["mdmonitor"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'mdmonitor.service' -"$SYSTEMCTL_EXEC" disable 'mdmonitor.service' -"$SYSTEMCTL_EXEC" mask 'mdmonitor.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files mdmonitor.socket; then - "$SYSTEMCTL_EXEC" stop 'mdmonitor.socket' - "$SYSTEMCTL_EXEC" mask 'mdmonitor.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'mdmonitor.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: mdmonitor.service + enabled: false + mask: true + - name: mdmonitor.socket + enabled: false + mask: true include disable_mdmonitor 
@@ -245870,20 +245864,26 @@ class disable_mdmonitor { - no_reboot_needed - service_mdmonitor_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: mdmonitor.service - enabled: false - mask: true - - name: mdmonitor.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'mdmonitor.service' +"$SYSTEMCTL_EXEC" disable 'mdmonitor.service' +"$SYSTEMCTL_EXEC" mask 'mdmonitor.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files mdmonitor.socket; then + "$SYSTEMCTL_EXEC" stop 'mdmonitor.socket' + "$SYSTEMCTL_EXEC" mask 'mdmonitor.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'mdmonitor.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -246000,26 +246000,20 @@ kernel panics, which is not common. [customizations.services] disabled = ["netconsole"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'netconsole.service' -"$SYSTEMCTL_EXEC" disable 'netconsole.service' -"$SYSTEMCTL_EXEC" mask 'netconsole.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files netconsole.socket; then - "$SYSTEMCTL_EXEC" stop 'netconsole.socket' - "$SYSTEMCTL_EXEC" mask 'netconsole.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'netconsole.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: netconsole.service + enabled: false + mask: true + - name: netconsole.socket + enabled: false + mask: true include disable_netconsole 
@@ -246100,20 +246094,26 @@ class disable_netconsole { - no_reboot_needed - service_netconsole_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: netconsole.service - enabled: false - mask: true - - name: netconsole.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'netconsole.service' +"$SYSTEMCTL_EXEC" disable 'netconsole.service' +"$SYSTEMCTL_EXEC" mask 'netconsole.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files netconsole.socket; then + "$SYSTEMCTL_EXEC" stop 'netconsole.socket' + "$SYSTEMCTL_EXEC" mask 'netconsole.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'netconsole.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -246232,6 +246232,100 @@ available in the ntpd program and should be considered deprecated. [customizations.services] disabled = ["ntpdate"] + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ntpdate.service + enabled: false + mask: true + - name: ntpdate.socket + enabled: false + mask: true + + include disable_ntpdate + +class disable_ntpdate { + service {'ntpdate': + enable => false, + ensure => 'stopped', + } +} + + - name: Block Disable service ntpdate + block: + + - name: Disable service ntpdate + block: + + - name: Disable service ntpdate + systemd: + name: ntpdate.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + + - name: Intentionally ignored previous 'Disable service ntpdate' failure, service + was already disabled + meta: noop + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80879-0 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_ntpdate_disabled + +- name: Unit Socket Exists - ntpdate.socket + command: systemctl -q list-unit-files ntpdate.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80879-0 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_ntpdate_disabled + +- name: Disable socket ntpdate + systemd: + name: ntpdate.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - socket_file_exists.stdout_lines is 
search("ntpdate.socket",multiline=True) + tags: + - CCE-80879-0 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_ntpdate_disabled # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
@@ -246253,100 +246347,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - include disable_ntpdate - -class disable_ntpdate { - service {'ntpdate': - enable => false, - ensure => 'stopped', - } -} - - - name: Block Disable service ntpdate - block: - - - name: Disable service ntpdate - block: - - - name: Disable service ntpdate - systemd: - name: ntpdate.service - enabled: 'no' - state: stopped - masked: 'yes' - rescue: - - - name: Intentionally ignored previous 'Disable service ntpdate' failure, service - was already disabled - meta: noop - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80879-0 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_ntpdate_disabled - -- name: Unit Socket Exists - ntpdate.socket - command: systemctl -q list-unit-files ntpdate.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80879-0 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_ntpdate_disabled - -- name: Disable socket ntpdate - systemd: - name: ntpdate.socket - enabled: 'no' - state: stopped - masked: 'yes' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - socket_file_exists.stdout_lines is search("ntpdate.socket",multiline=True) - tags: - - CCE-80879-0 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_ntpdate_disabled - - apiVersion: machineconfiguration.openshift.io/v1 
-kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ntpdate.service - enabled: false - mask: true - - name: ntpdate.socket - enabled: false - mask: true @@ -246442,26 +246442,20 @@ been a source of privilege escalation security issues. [customizations.services] disabled = ["oddjobd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'oddjobd.service' -"$SYSTEMCTL_EXEC" disable 'oddjobd.service' -"$SYSTEMCTL_EXEC" mask 'oddjobd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files oddjobd.socket; then - "$SYSTEMCTL_EXEC" stop 'oddjobd.socket' - "$SYSTEMCTL_EXEC" mask 'oddjobd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: oddjobd.service + enabled: false + mask: true + - name: oddjobd.socket + enabled: false + mask: true include disable_oddjobd 
@@ -246542,20 +246536,26 @@ class disable_oddjobd { - no_reboot_needed - service_oddjobd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: oddjobd.service - enabled: false - mask: true - - name: oddjobd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'oddjobd.service' +"$SYSTEMCTL_EXEC" disable 'oddjobd.service' +"$SYSTEMCTL_EXEC" mask 'oddjobd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files oddjobd.socket; then + "$SYSTEMCTL_EXEC" stop 'oddjobd.socket' + "$SYSTEMCTL_EXEC" mask 'oddjobd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -246671,26 +246671,20 @@ disabled if not needed. [customizations.services] disabled = ["portreserve"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'portreserve.service' -"$SYSTEMCTL_EXEC" disable 'portreserve.service' -"$SYSTEMCTL_EXEC" mask 'portreserve.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files portreserve.socket; then - "$SYSTEMCTL_EXEC" stop 'portreserve.socket' - "$SYSTEMCTL_EXEC" mask 'portreserve.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'portreserve.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: portreserve.service + enabled: false + mask: true + - name: portreserve.socket + enabled: false + mask: true include disable_portreserve 
@@ -246771,20 +246765,26 @@ class disable_portreserve { - no_reboot_needed - service_portreserve_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: portreserve.service - enabled: false - mask: true - - name: portreserve.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'portreserve.service' +"$SYSTEMCTL_EXEC" disable 'portreserve.service' +"$SYSTEMCTL_EXEC" mask 'portreserve.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files portreserve.socket; then + "$SYSTEMCTL_EXEC" stop 'portreserve.socket' + "$SYSTEMCTL_EXEC" mask 'portreserve.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'portreserve.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -246904,26 +246904,20 @@ service is not needed and should be disabled or removed. [customizations.services] disabled = ["qpidd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'qpidd.service' -"$SYSTEMCTL_EXEC" disable 'qpidd.service' -"$SYSTEMCTL_EXEC" mask 'qpidd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files qpidd.socket; then - "$SYSTEMCTL_EXEC" stop 'qpidd.socket' - "$SYSTEMCTL_EXEC" mask 'qpidd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: qpidd.service + enabled: false + mask: true + - name: qpidd.socket + enabled: false + mask: true include disable_qpidd 
@@ -247004,20 +246998,26 @@ class disable_qpidd { - no_reboot_needed - service_qpidd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: qpidd.service - enabled: false - mask: true - - name: qpidd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'qpidd.service' +"$SYSTEMCTL_EXEC" disable 'qpidd.service' +"$SYSTEMCTL_EXEC" mask 'qpidd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files qpidd.socket; then + "$SYSTEMCTL_EXEC" stop 'qpidd.socket' + "$SYSTEMCTL_EXEC" mask 'qpidd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -247114,26 +247114,20 @@ service. [customizations.services] disabled = ["quota_nld"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'quota_nld.service' -"$SYSTEMCTL_EXEC" disable 'quota_nld.service' -"$SYSTEMCTL_EXEC" mask 'quota_nld.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files quota_nld.socket; then - "$SYSTEMCTL_EXEC" stop 'quota_nld.socket' - "$SYSTEMCTL_EXEC" mask 'quota_nld.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: quota_nld.service + enabled: false + mask: true + - name: quota_nld.socket + enabled: false + mask: true include disable_quota_nld 
@@ -247214,20 +247208,26 @@ class disable_quota_nld { - no_reboot_needed - service_quota_nld_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: quota_nld.service - enabled: false - mask: true - - name: quota_nld.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'quota_nld.service' +"$SYSTEMCTL_EXEC" disable 'quota_nld.service' +"$SYSTEMCTL_EXEC" mask 'quota_nld.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files quota_nld.socket; then + "$SYSTEMCTL_EXEC" stop 'quota_nld.socket' + "$SYSTEMCTL_EXEC" mask 'quota_nld.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -247388,26 +247388,20 @@ dynamic network configuration information. [customizations.services] disabled = ["rdisc"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rdisc.service' -"$SYSTEMCTL_EXEC" disable 'rdisc.service' -"$SYSTEMCTL_EXEC" mask 'rdisc.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rdisc.socket; then - "$SYSTEMCTL_EXEC" stop 'rdisc.socket' - "$SYSTEMCTL_EXEC" mask 'rdisc.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rdisc.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rdisc.service + enabled: false + mask: true + - name: rdisc.socket + enabled: false + mask: true include disable_rdisc 
@@ -247491,20 +247485,26 @@ class disable_rdisc { - no_reboot_needed - service_rdisc_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rdisc.service - enabled: false - mask: true - - name: rdisc.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rdisc.service' +"$SYSTEMCTL_EXEC" disable 'rdisc.service' +"$SYSTEMCTL_EXEC" mask 'rdisc.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rdisc.socket; then + "$SYSTEMCTL_EXEC" stop 'rdisc.socket' + "$SYSTEMCTL_EXEC" mask 'rdisc.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rdisc.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -247623,6 +247623,100 @@ desirable for some environments. However, if the system is being managed by RHN [customizations.services] disabled = ["rhnsd"] + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rhnsd.service + enabled: false + mask: true + - name: rhnsd.socket + enabled: false + mask: true + + include disable_rhnsd + +class disable_rhnsd { + service {'rhnsd': + enable => false, + ensure => 'stopped', + } +} + + - name: Block Disable service rhnsd + block: + + - name: Disable service rhnsd + block: + + - name: Disable service rhnsd + systemd: + name: rhnsd.service + enabled: 'no' + state: stopped + masked: 'yes' + rescue: + + - name: Intentionally ignored previous 'Disable service rhnsd' failure, service + was already disabled + meta: noop + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82405-2 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rhnsd_disabled + +- name: Unit Socket Exists - rhnsd.socket + command: systemctl -q list-unit-files rhnsd.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82405-2 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rhnsd_disabled + +- name: Disable socket rhnsd + systemd: + name: rhnsd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - socket_file_exists.stdout_lines is search("rhnsd.socket",multiline=True) + 
tags: + - CCE-82405-2 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rhnsd_disabled # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then 
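Review bot: the 94 added lines in this rhnsd hunk are the MachineConfig, Puppet and Ansible fixes that the following `@@ -247644` hunk deletes verbatim, so this is the same block move with no content change. One inconsistency worth a follow-up while the blocks sit side by side: the Ansible tasks skip containers with `when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]`, whereas the bash fix tests `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then`; the two platform tests use different heuristics and can disagree on the same host (a container that sets neither marker file, or an lxc guest), so the two remediation paths should derive their applicability from one shared platform definition.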
@@ -247644,100 +247738,6 @@ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi - - include disable_rhnsd - -class disable_rhnsd { - service {'rhnsd': - enable => false, - ensure => 'stopped', - } -} - - - name: Block Disable service rhnsd - block: - - - name: Disable service rhnsd - block: - - - name: Disable service rhnsd - systemd: - name: rhnsd.service - enabled: 'no' - state: stopped - masked: 'yes' - rescue: - - - name: Intentionally ignored previous 'Disable service rhnsd' failure, service - was already disabled - meta: noop - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82405-2 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rhnsd_disabled - -- name: Unit Socket Exists - rhnsd.socket - command: systemctl -q list-unit-files rhnsd.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82405-2 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rhnsd_disabled - -- name: Disable socket rhnsd - systemd: - name: rhnsd.socket - enabled: 'no' - state: stopped - masked: 'yes' - when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - socket_file_exists.stdout_lines is search("rhnsd.socket",multiline=True) - tags: - - CCE-82405-2 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rhnsd_disabled - - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - 
config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rhnsd.service - enabled: false - mask: true - - name: rhnsd.socket - enabled: false - mask: true @@ -247832,26 +247832,20 @@ unnecessary and can be disabled. [customizations.services] disabled = ["rhsmcertd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service' -"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service' -"$SYSTEMCTL_EXEC" mask 'rhsmcertd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rhsmcertd.socket; then - "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket' - "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rhsmcertd.service + enabled: false + mask: true + - name: rhsmcertd.socket + enabled: false + mask: true include disable_rhsmcertd 
@@ -247932,20 +247926,26 @@ class disable_rhsmcertd { - no_reboot_needed - service_rhsmcertd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rhsmcertd.service - enabled: false - mask: true - - name: rhsmcertd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service' +"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service' +"$SYSTEMCTL_EXEC" mask 'rhsmcertd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rhsmcertd.socket; then + "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket' + "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -248064,26 +248064,20 @@ consulted, it is not necessary and should be disabled. [customizations.services] disabled = ["saslauthd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'saslauthd.service' -"$SYSTEMCTL_EXEC" disable 'saslauthd.service' -"$SYSTEMCTL_EXEC" mask 'saslauthd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files saslauthd.socket; then - "$SYSTEMCTL_EXEC" stop 'saslauthd.socket' - "$SYSTEMCTL_EXEC" mask 'saslauthd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'saslauthd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: saslauthd.service + enabled: false + mask: true + - name: saslauthd.socket + enabled: false + mask: true include disable_saslauthd 
@@ -248164,20 +248158,26 @@ class disable_saslauthd { - no_reboot_needed - service_saslauthd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: saslauthd.service - enabled: false - mask: true - - name: saslauthd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'saslauthd.service' +"$SYSTEMCTL_EXEC" disable 'saslauthd.service' +"$SYSTEMCTL_EXEC" mask 'saslauthd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files saslauthd.socket; then + "$SYSTEMCTL_EXEC" stop 'saslauthd.socket' + "$SYSTEMCTL_EXEC" mask 'saslauthd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'saslauthd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -248272,26 +248272,20 @@ this service should be disabled. [customizations.services] disabled = ["sysstat"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'sysstat.service' -"$SYSTEMCTL_EXEC" disable 'sysstat.service' -"$SYSTEMCTL_EXEC" mask 'sysstat.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files sysstat.socket; then - "$SYSTEMCTL_EXEC" stop 'sysstat.socket' - "$SYSTEMCTL_EXEC" mask 'sysstat.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'sysstat.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: sysstat.service + enabled: false + mask: true + - name: sysstat.socket + enabled: false + mask: true include disable_sysstat 
@@ -248372,20 +248366,26 @@ class disable_sysstat { - no_reboot_needed - service_sysstat_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: sysstat.service - enabled: false - mask: true - - name: sysstat.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'sysstat.service' +"$SYSTEMCTL_EXEC" disable 'sysstat.service' +"$SYSTEMCTL_EXEC" mask 'sysstat.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files sysstat.socket; then + "$SYSTEMCTL_EXEC" stop 'sysstat.socket' + "$SYSTEMCTL_EXEC" mask 'sysstat.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'sysstat.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248479,21 +248479,13 @@ configured defensively. PR.IP-1 PR.PT-3 The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only. + +package --add=cron + [[packages]] name = "cron" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "cron" ; then - yum install -y "cron" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_cron 
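Review bot: in the `@@ -248479` hunk the cron package rule installs a package literally named `cron` (`yum install -y "cron"` and `name = "cron"` in the blueprint), while the rest of this RHEL 8 datastream names the scheduler unit `crond.service`; RHEL 8 ships the cron daemon under a different package name, so on the platform this datastream targets `rpm -q --quiet "cron"` is always false and the install fails. Either gate `package_cron_installed` to platforms where the package is called `cron` or exclude the rule from the RHEL 8 build. Moving `package --add=cron` above the `[[packages]]` block is otherwise the same fix-order churn as the earlier hunks.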
@@ -248517,8 +248509,16 @@ class install_cron { - no_reboot_needed - package_cron_installed - -package --add=cron + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "cron" ; then + yum install -y "cron" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248612,18 +248612,6 @@ enabling the cron daemon is essential. [customizations.services] enabled = ["cron"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'cron.service' -"$SYSTEMCTL_EXEC" start 'cron.service' -"$SYSTEMCTL_EXEC" enable 'cron.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_cron @@ -248659,6 +248647,18 @@ class enable_cron { - medium_severity - no_reboot_needed - service_cron_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'cron.service' +"$SYSTEMCTL_EXEC" start 'cron.service' +"$SYSTEMCTL_EXEC" enable 'cron.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248753,18 +248753,6 @@ enabling the cron daemon is essential. [customizations.services] enabled = ["crond"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'crond.service' -"$SYSTEMCTL_EXEC" start 'crond.service' -"$SYSTEMCTL_EXEC" enable 'crond.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_crond 
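Review bot: the `@@ -248612` / `@@ -248659` pair moves a fix that runs `"$SYSTEMCTL_EXEC" unmask 'cron.service'` and `"$SYSTEMCTL_EXEC" start 'cron.service'`, while the `@@ -248753` hunk in the same region does the same for `crond.service`; only one of these unit names exists on a given host, and unlike the disable_* fixes this enable fix has no `list-unit-files` guard, so on a host without the unit `systemctl start` returns an error and the remediation script reports a failure for a rule that cannot apply. Either scope `service_cron_enabled` to platforms that ship `cron.service` or guard the start with the same unit-exists check the disable fixes already use.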
@@ -248800,6 +248788,18 @@ class enable_crond { - medium_severity - no_reboot_needed - service_crond_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'crond.service' +"$SYSTEMCTL_EXEC" start 'crond.service' +"$SYSTEMCTL_EXEC" enable 'crond.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -248896,26 +248896,20 @@ accountability. Furthermore, the need to schedule tasks with at - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'atd.service' -"$SYSTEMCTL_EXEC" disable 'atd.service' -"$SYSTEMCTL_EXEC" mask 'atd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files atd.socket; then - "$SYSTEMCTL_EXEC" stop 'atd.socket' - "$SYSTEMCTL_EXEC" mask 'atd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'atd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: atd.service + enabled: false + mask: true + - name: atd.socket + enabled: false + mask: true include disable_atd 
@@ -248996,20 +248990,26 @@ class disable_atd { - no_reboot_needed - service_atd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: atd.service - enabled: false - mask: true - - name: atd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'atd.service' +"$SYSTEMCTL_EXEC" disable 'atd.service' +"$SYSTEMCTL_EXEC" mask 'atd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files atd.socket; then + "$SYSTEMCTL_EXEC" stop 'atd.socket' + "$SYSTEMCTL_EXEC" mask 'atd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'atd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249155,15 +249155,6 @@ To properly set the group owner of /etc/cron.d, run the c can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82268-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.d/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.d/ file: path: /etc/cron.d/ 
@@ -249181,6 +249172,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.d/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249243,15 +249243,6 @@ To properly set the group owner of /etc/cron.daily, run t can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82234-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.daily/ file: path: /etc/cron.daily/ @@ -249269,6 +249260,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249331,15 +249331,6 @@ To properly set the group owner of /etc/cron.hourly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82227-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.hourly/ file: path: /etc/cron.hourly/ 
@@ -249357,6 +249348,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249419,15 +249419,6 @@ To properly set the group owner of /etc/cron.monthly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82256-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.monthly/ file: path: /etc/cron.monthly/ @@ -249445,6 +249436,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249507,15 +249507,6 @@ To properly set the group owner of /etc/cron.weekly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82244-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure group owner on /etc/cron.weekly/ file: path: /etc/cron.weekly/ 
@@ -249533,6 +249524,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249595,15 +249595,6 @@ To properly set the group owner of /etc/crontab, run the can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82223-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/crontab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/crontab stat: path: /etc/crontab @@ -249639,6 +249630,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/crontab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249701,15 +249701,6 @@ To properly set the owner of /etc/cron.d, run the command can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82272-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.d/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.d/ file: path: /etc/cron.d/ 
@@ -249727,6 +249718,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.d/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249789,15 +249789,6 @@ To properly set the owner of /etc/cron.daily, run the com can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82237-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.daily/ file: path: /etc/cron.daily/ @@ -249815,6 +249806,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249877,15 +249877,6 @@ To properly set the owner of /etc/cron.hourly, run the co can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82209-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.hourly/ file: path: /etc/cron.hourly/ 
@@ -249903,6 +249894,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -249965,15 +249965,6 @@ To properly set the owner of /etc/cron.monthly, run the c can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82260-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.monthly/ file: path: /etc/cron.monthly/ @@ -249991,6 +249982,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250053,15 +250053,6 @@ To properly set the owner of /etc/cron.weekly, run the co can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82247-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure owner on directory /etc/cron.weekly/ file: path: /etc/cron.weekly/ 
@@ -250079,6 +250070,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250141,15 +250141,6 @@ To properly set the owner of /etc/crontab, run the comman can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes. CCE-82224-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /etc/crontab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/crontab stat: path: /etc/crontab @@ -250185,6 +250176,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /etc/crontab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250247,15 +250247,6 @@ To properly set the permissions of /etc/cron.d, run the c can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82277-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/cron.d/ file(s) command: 'find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found 
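Review bot: the `@@ -250247` hunk's fix `find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;` is subtractive: it strips setuid, all group bits and all other bits but never adds owner rwx, so a directory that is already narrower than 0700 (for example missing u+x) is left unchanged, and the matching Ansible `find` with the same `-perm /u+s,g+xwrs,o+xwrt` expression only reports surplus bits. That is consistent with a check that flags extra permissions, but the rule text promises `chmod 0700`; either document that the fix only removes bits or set the mode explicitly in both remediation paths. The rest of the hunk is the same reorder of the bash fix behind the Ansible task seen throughout this patch.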
@@ -250294,6 +250285,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250356,15 +250356,6 @@ To properly set the permissions of /etc/cron.daily, run t can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82240-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/cron.daily/ file(s) command: 'find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found 
@@ -250404,128 +250395,27 @@ fi - medium_severity - no_reboot_needed - - - - - - - - - Verify Permissions on cron.hourly - -To properly set the permissions of /etc/cron.hourly, run the command: -$ sudo chmod 0700 /etc/cron.hourly - 12 - 13 - 14 - 15 - 16 - 18 - 3 - 5 - APO01.06 - DSS05.04 - DSS05.07 - DSS06.02 - 4.3.3.7.3 - SR 2.1 - SR 5.2 - A.10.1.1 - A.11.1.4 - A.11.1.5 - A.11.2.1 - A.13.1.1 - A.13.1.3 - A.13.2.1 - A.13.2.3 - A.13.2.4 - A.14.1.2 - A.14.1.3 - A.6.1.2 - A.7.1.1 - A.7.1.2 - A.7.3.1 - A.8.2.2 - A.8.2.3 - A.9.1.1 - A.9.1.2 - A.9.2.3 - A.9.4.1 - A.9.4.4 - A.9.4.5 - CM-6(a) - AC-6(1) - PR.AC-4 - PR.DS-5 - 2.2.6 - SRG-OS-000480-GPOS-00227 - 5.1.3 - Service configuration files enable or disable features of their respective services that if configured incorrectly -can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the -correct access rights to prevent unauthorized changes. - CCE-82230-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; +find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi - - - name: Find /etc/cron.hourly/ file(s) - command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type - d ' - register: files_found - changed_when: false - failed_when: false - check_mode: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82230-4 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_hourly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Set permissions for /etc/cron.hourly/ file(s) - file: - path: '{{ item }}' - mode: u-s,g-xwrs,o-xwrt - state: directory - with_items: - - '{{ files_found.stdout_lines }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82230-4 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_hourly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - + - + - - Verify Permissions on cron.monthly + + Verify Permissions on cron.hourly -To properly set the permissions of /etc/cron.monthly, run the command: -$ sudo chmod 0700 /etc/cron.monthly +To properly set the permissions of /etc/cron.hourly, run the command: +$ sudo chmod 0700 /etc/cron.hourly 12 13 14 
@@ -250570,20 +250460,121 @@ To properly set the permissions of /etc/cron.monthly, run PR.DS-5 2.2.6 SRG-OS-000480-GPOS-00227 - 5.1.6 + 5.1.3 Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. - CCE-82263-5 - # Remediation is applicable only in certain platforms + CCE-82230-4 + - name: Find /etc/cron.hourly/ file(s) + command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type + d ' + register: files_found + changed_when: false + failed_when: false + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82230-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Set permissions for /etc/cron.hourly/ file(s) + file: + path: '{{ item }}' + mode: u-s,g-xwrs,o-xwrt + state: directory + with_items: + - '{{ files_found.stdout_lines }}' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82230-4 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_permissions_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; +find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + Verify Permissions on cron.monthly + +To properly set the permissions of /etc/cron.monthly, run the command: +$ sudo chmod 0700 /etc/cron.monthly + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + 4.3.3.7.3 + SR 2.1 + SR 5.2 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + 2.2.6 + SRG-OS-000480-GPOS-00227 + 5.1.6 + Service configuration files enable or disable features of their respective services that if configured incorrectly +can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the +correct access rights to prevent unauthorized changes. + CCE-82263-5 - name: Find /etc/cron.monthly/ file(s) command: 'find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' @@ -250623,6 +250614,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -250685,15 +250685,6 @@ To properly set the permissions of /etc/cron.weekly, run can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82253-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/cron.weekly/ file(s) command: 'find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' @@ -250733,6 +250724,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250795,15 +250795,6 @@ To properly set the permissions of /etc/crontab, run the can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes. CCE-82206-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/crontab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/crontab stat: path: /etc/crontab @@ -250839,6 +250830,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/crontab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -250874,21 +250874,6 @@ Use /etc/at.allow instead. Access to at should be restricted. It is easier to manage an allow list than a deny list. CCE-86945-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -#!/bin/bash - - - - if [[ -f /etc/at.deny ]]; then - rm /etc/at.deny - fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Remove /etc/at.deny file: path: /etc/at.deny @@ -250903,6 +250888,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +#!/bin/bash + + + + if [[ -f /etc/at.deny ]]; then + rm /etc/at.deny + fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -250920,21 +250920,6 @@ Use /etc/cron.allow instead. Access to cron should be restricted. It is easier to manage an allow list than a deny list. CCE-86849-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -#!/bin/bash - - - - if [[ -f /etc/cron.deny ]]; then - rm /etc/cron.deny - fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Remove /etc/cron.deny file: path: /etc/cron.deny @@ -250949,6 +250934,21 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +#!/bin/bash + + + + if [[ -f /etc/cron.deny ]]; then + rm /etc/cron.deny + fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -250968,15 +250968,6 @@ To properly set the group owner of /etc/at.allow, run the If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-87102-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/at.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/at.allow stat: path: /etc/at.allow @@ -251008,6 +250999,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/at.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -251071,15 +251071,6 @@ To properly set the group owner of /etc/cron.allow, run t If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86829-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/cron.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow @@ -251115,6 +251106,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/cron.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -251177,15 +251177,6 @@ To properly set the owner of /etc/cron.allow, run the com If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86843-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /etc/cron.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow @@ -251219,6 +251210,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /etc/cron.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -251240,15 +251240,6 @@ To properly set the permissions of /etc/at.allow, run the If the permissions of the at.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86903-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/at.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/at.allow stat: path: /etc/at.allow @@ -251280,6 +251271,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/at.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -251302,15 +251302,6 @@ To properly set the permissions of /etc/cron.allow, run t If the permissions of the cron.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information. CCE-86876-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/cron.allow - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow @@ -251342,6 +251333,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/cron.allow + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -251453,18 +251453,8 @@ confidentiality in network exchange, usage as uncontrolled communication channel telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made. - -# CAUTION: This remediation script will remove inetutils-telnetd -# from the system, and may remove any packages -# that depend on inetutils-telnetd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "inetutils-telnetd" ; then - - yum remove -y "inetutils-telnetd" - -fi + +package --remove=inetutils-telnetd include remove_inetutils-telnetd 
@@ -251489,8 +251479,18 @@ class remove_inetutils-telnetd { - no_reboot_needed - package_inetutils-telnetd_removed - -package --remove=inetutils-telnetd + +# CAUTION: This remediation script will remove inetutils-telnetd +# from the system, and may remove any packages +# that depend on inetutils-telnetd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "inetutils-telnetd" ; then + + yum remove -y "inetutils-telnetd" + +fi @@ -251501,18 +251501,8 @@ package --remove=inetutils-telnetd The support for Yellowpages should not be installed unless it is required. NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used. - -# CAUTION: This remediation script will remove nis -# from the system, and may remove any packages -# that depend on nis. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "nis" ; then - - yum remove -y "nis" - -fi + +package --remove=nis include remove_nis @@ -251534,8 +251524,18 @@ class remove_nis { - no_reboot_needed - package_nis_removed - -package --remove=nis + +# CAUTION: This remediation script will remove nis +# from the system, and may remove any packages +# that depend on nis. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "nis" ; then + + yum remove -y "nis" + +fi 
@@ -251545,18 +251545,8 @@ package --remove=nis Uninstall the ntpdate package ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled. ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP. - -# CAUTION: This remediation script will remove ntpdate -# from the system, and may remove any packages -# that depend on ntpdate. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "ntpdate" ; then - - yum remove -y "ntpdate" - -fi + +package --remove=ntpdate include remove_ntpdate @@ -251578,8 +251568,18 @@ class remove_ntpdate { - no_reboot_needed - package_ntpdate_removed - -package --remove=ntpdate + +# CAUTION: This remediation script will remove ntpdate +# from the system, and may remove any packages +# that depend on ntpdate. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "ntpdate" ; then + + yum remove -y "ntpdate" + +fi @@ -251681,18 +251681,8 @@ package --remove=ntpdate PR.PT-4 telnet, even with ssl support, should not be installed. When remote shell is required, up-to-date ssh daemon can be used. - -# CAUTION: This remediation script will remove telnetd-ssl -# from the system, and may remove any packages -# that depend on telnetd-ssl. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnetd-ssl" ; then - - yum remove -y "telnetd-ssl" - -fi + +package --remove=telnetd-ssl include remove_telnetd-ssl 
@@ -251717,8 +251707,18 @@ class remove_telnetd-ssl { - no_reboot_needed - package_telnetd-ssl_removed - -package --remove=telnetd-ssl + +# CAUTION: This remediation script will remove telnetd-ssl +# from the system, and may remove any packages +# that depend on telnetd-ssl. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnetd-ssl" ; then + + yum remove -y "telnetd-ssl" + +fi @@ -251823,18 +251823,8 @@ package --remove=telnetd-ssl any data transmission between client and server. Any confidential data can be listened and no integrity checking is made.' CCE-83302-0 - -# CAUTION: This remediation script will remove telnetd -# from the system, and may remove any packages -# that depend on telnetd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnetd" ; then - - yum remove -y "telnetd" - -fi + +package --remove=telnetd include remove_telnetd @@ -251860,8 +251850,18 @@ class remove_telnetd { - no_reboot_needed - package_telnetd_removed - -package --remove=telnetd + +# CAUTION: This remediation script will remove telnetd +# from the system, and may remove any packages +# that depend on telnetd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnetd" ; then + + yum remove -y "telnetd" + +fi @@ -252537,18 +252537,8 @@ $ sudo yum erase dhcp-server Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. CCE-83385-5 - -# CAUTION: This remediation script will remove dhcp-server -# from the system, and may remove any packages -# that depend on dhcp-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "dhcp-server" ; then - - yum remove -y "dhcp-server" - -fi + +package --remove=dhcp-server include remove_dhcp-server 
@@ -252575,8 +252565,18 @@ class remove_dhcp-server { - no_reboot_needed - package_dhcp_removed - -package --remove=dhcp-server + +# CAUTION: This remediation script will remove dhcp-server +# from the system, and may remove any packages +# that depend on dhcp-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "dhcp-server" ; then + + yum remove -y "dhcp-server" + +fi @@ -252670,26 +252670,20 @@ DHCP server if there is one. [customizations.services] disabled = ["dhcpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'dhcpd.service' -"$SYSTEMCTL_EXEC" disable 'dhcpd.service' -"$SYSTEMCTL_EXEC" mask 'dhcpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files dhcpd.socket; then - "$SYSTEMCTL_EXEC" stop 'dhcpd.socket' - "$SYSTEMCTL_EXEC" mask 'dhcpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: dhcpd.service + enabled: false + mask: true + - name: dhcpd.socket + enabled: false + mask: true include disable_dhcpd 
@@ -252770,20 +252764,26 @@ class disable_dhcpd { - no_reboot_needed - service_dhcpd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: dhcpd.service - enabled: false - mask: true - - name: dhcpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'dhcpd.service' +"$SYSTEMCTL_EXEC" disable 'dhcpd.service' +"$SYSTEMCTL_EXEC" mask 'dhcpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files dhcpd.socket; then + "$SYSTEMCTL_EXEC" stop 'dhcpd.socket' + "$SYSTEMCTL_EXEC" mask 'dhcpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -252886,18 +252886,8 @@ $ sudo yum erase bind If there is no need to make DNS server software available, removing it provides a safeguard against its activation. CCE-82408-6 - -# CAUTION: This remediation script will remove bind -# from the system, and may remove any packages -# that depend on bind. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "bind" ; then - - yum remove -y "bind" - -fi + +package --remove=bind include remove_bind 
@@ -252923,8 +252913,18 @@ class remove_bind { - no_reboot_needed - package_bind_removed - -package --remove=bind + +# CAUTION: This remediation script will remove bind +# from the system, and may remove any packages +# that depend on bind. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "bind" ; then + + yum remove -y "bind" + +fi @@ -253015,26 +253015,20 @@ implementation flaws and should be disabled if possible. [customizations.services] disabled = ["named"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'named.service' -"$SYSTEMCTL_EXEC" disable 'named.service' -"$SYSTEMCTL_EXEC" mask 'named.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files named.socket; then - "$SYSTEMCTL_EXEC" stop 'named.socket' - "$SYSTEMCTL_EXEC" mask 'named.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'named.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: named.service + enabled: false + mask: true + - name: named.socket + enabled: false + mask: true include disable_named 
@@ -253115,20 +253109,26 @@ class disable_named { - no_reboot_needed - service_named_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: named.service - enabled: false - mask: true - - name: named.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'named.service' +"$SYSTEMCTL_EXEC" disable 'named.service' +"$SYSTEMCTL_EXEC" mask 'named.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files named.socket; then + "$SYSTEMCTL_EXEC" stop 'named.socket' + "$SYSTEMCTL_EXEC" mask 'named.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'named.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -253430,21 +253430,13 @@ $ sudo yum install fapolicyd fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. CCE-82191-8 + +package --add=fapolicyd + [[packages]] name = "fapolicyd" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "fapolicyd" ; then - yum install -y "fapolicyd" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_fapolicyd 
@@ -253471,8 +253463,16 @@ class install_fapolicyd { - no_reboot_needed - package_fapolicyd_installed - -package --add=fapolicyd + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "fapolicyd" ; then + yum install -y "fapolicyd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -253503,18 +253503,6 @@ implements application whitelisting to decide file access rights. [customizations.services] enabled = ["fapolicyd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service' -"$SYSTEMCTL_EXEC" start 'fapolicyd.service' -"$SYSTEMCTL_EXEC" enable 'fapolicyd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_fapolicyd @@ -253552,6 +253540,18 @@ class enable_fapolicyd { - medium_severity - no_reboot_needed - service_fapolicyd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service' +"$SYSTEMCTL_EXEC" start 'fapolicyd.service' +"$SYSTEMCTL_EXEC" enable 'fapolicyd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -253579,38 +253579,6 @@ Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. CCE-86478-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF -# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854) -deny perm=any all : all -EOF - -chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules -chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules - -if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then - - LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf" -else - touch "/etc/fapolicyd/fapolicyd.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/fapolicyd/fapolicyd.conf" - -cp "/etc/fapolicyd/fapolicyd.conf" "/etc/fapolicyd/fapolicyd.conf.bak" -# Insert at the end of the file -printf '%s\n' "permissive = 0" >> "/etc/fapolicyd/fapolicyd.conf" -# Clean up after ourselves. -rm "/etc/fapolicyd/fapolicyd.conf.bak" - -systemctl restart fapolicyd - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. - Ensure a Final Rule Denying Everything 
@@ -253681,6 +253649,38 @@ fi - medium_severity - no_reboot_needed - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF +# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854) +deny perm=any all : all +EOF + +chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules +chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules + +if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then + + LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf" +else + touch "/etc/fapolicyd/fapolicyd.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/fapolicyd/fapolicyd.conf" + +cp "/etc/fapolicyd/fapolicyd.conf" "/etc/fapolicyd/fapolicyd.conf.bak" +# Insert at the end of the file +printf '%s\n' "permissive = 0" >> "/etc/fapolicyd/fapolicyd.conf" +# Clean up after ourselves. +rm "/etc/fapolicyd/fapolicyd.conf.bak" + +systemctl restart fapolicyd + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -253805,18 +253805,8 @@ possible. Removing the vsftpd package decreases the risk of its accidental activation. CCE-82414-4 - -# CAUTION: This remediation script will remove vsftpd -# from the system, and may remove any packages -# that depend on vsftpd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "vsftpd" ; then - - yum remove -y "vsftpd" - -fi + +package --remove=vsftpd include remove_vsftpd @@ -253847,8 +253837,18 @@ class remove_vsftpd { - no_reboot_needed - package_vsftpd_removed - -package --remove=vsftpd + +# CAUTION: This remediation script will remove vsftpd +# from the system, and may remove any packages +# that depend on vsftpd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "vsftpd" ; then + + yum remove -y "vsftpd" + +fi 
@@ -253941,26 +253941,20 @@ a risk of compromising sensitive information. [customizations.services] disabled = ["vsftpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'vsftpd.service' -"$SYSTEMCTL_EXEC" disable 'vsftpd.service' -"$SYSTEMCTL_EXEC" mask 'vsftpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files vsftpd.socket; then - "$SYSTEMCTL_EXEC" stop 'vsftpd.socket' - "$SYSTEMCTL_EXEC" mask 'vsftpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: vsftpd.service + enabled: false + mask: true + - name: vsftpd.socket + enabled: false + mask: true include disable_vsftpd 
@@ -254041,20 +254035,26 @@ class disable_vsftpd { - no_reboot_needed - service_vsftpd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: vsftpd.service - enabled: false - mask: true - - name: vsftpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'vsftpd.service' +"$SYSTEMCTL_EXEC" disable 'vsftpd.service' +"$SYSTEMCTL_EXEC" mask 'vsftpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files vsftpd.socket; then + "$SYSTEMCTL_EXEC" stop 'vsftpd.socket' + "$SYSTEMCTL_EXEC" mask 'vsftpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -254349,15 +254349,13 @@ $ sudo yum install vsftpd Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended. CCE-82411-0 + +package --add=vsftpd + [[packages]] name = "vsftpd" version = "*" - - -if ! rpm -q --quiet "vsftpd" ; then - yum install -y "vsftpd" -fi include install_vsftpd @@ -254381,8 +254379,10 @@ class install_vsftpd { - no_reboot_needed - package_vsftpd_installed - -package --add=vsftpd + +if ! rpm -q --quiet "vsftpd" ; then + yum install -y "vsftpd" +fi 
@@ -254484,18 +254484,8 @@ $ sudo yum erase httpd If there is no need to make the web server software available, removing it provides a safeguard against its activation. CCE-85970-2 - -# CAUTION: This remediation script will remove httpd -# from the system, and may remove any packages -# that depend on httpd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "httpd" ; then - - yum remove -y "httpd" - -fi + +package --remove=httpd include remove_httpd @@ -254521,8 +254511,18 @@ class remove_httpd { - package_httpd_removed - unknown_severity - -package --remove=httpd + +# CAUTION: This remediation script will remove httpd +# from the system, and may remove any packages +# that depend on httpd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "httpd" ; then + + yum remove -y "httpd" + +fi 
@@ -254611,26 +254611,20 @@ of attack, and should be disabled if not needed. [customizations.services] disabled = ["httpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'httpd.service' -"$SYSTEMCTL_EXEC" disable 'httpd.service' -"$SYSTEMCTL_EXEC" mask 'httpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files httpd.socket; then - "$SYSTEMCTL_EXEC" stop 'httpd.socket' - "$SYSTEMCTL_EXEC" mask 'httpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'httpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: httpd.service + enabled: false + mask: true + - name: httpd.socket + enabled: false + mask: true include disable_httpd 
@@ -254711,20 +254705,26 @@ class disable_httpd { - service_httpd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: httpd.service - enabled: false - mask: true - - name: httpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'httpd.service' +"$SYSTEMCTL_EXEC" disable 'httpd.service' +"$SYSTEMCTL_EXEC" mask 'httpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files httpd.socket; then + "$SYSTEMCTL_EXEC" stop 'httpd.socket' + "$SYSTEMCTL_EXEC" mask 'httpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'httpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -254810,18 +254810,8 @@ $ sudo yum erase nginx If there is no need to make the web server software available, removing it provides a safeguard against its activation. CCE-88034-4 - -# CAUTION: This remediation script will remove nginx -# from the system, and may remove any packages -# that depend on nginx. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "nginx" ; then - - yum remove -y "nginx" - -fi + +package --remove=nginx include remove_nginx 
@@ -254847,8 +254837,18 @@ class remove_nginx { - package_nginx_removed - unknown_severity - -package --remove=nginx + +# CAUTION: This remediation script will remove nginx +# from the system, and may remove any packages +# that depend on nginx. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "nginx" ; then + + yum remove -y "nginx" + +fi @@ -255375,13 +255375,6 @@ these files. PR.PT-3 Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files. - - - - - -find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; - - name: Find /etc/httpd/conf.d/ file(s) command: find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*$" @@ -255419,6 +255412,13 @@ find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex - low_disruption - no_reboot_needed - unknown_severity + + + + + + +find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; @@ -255500,13 +255500,6 @@ find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex PR.PT-3 Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files. - - - - - -find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; - - name: Find /etc/httpd/conf/ file(s) command: find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex "^.*$" 
@@ -255544,6 +255537,13 @@ find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^ - low_disruption - no_reboot_needed - unknown_severity + + + + + + +find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \; @@ -256650,18 +256650,8 @@ $ sudo yum erase cyrus-imapd If there is no need to make the cyrus-imapd software available, removing it provides a safeguard against its activation. CCE-88119-3 - -# CAUTION: This remediation script will remove cyrus-imapd -# from the system, and may remove any packages -# that depend on cyrus-imapd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "cyrus-imapd" ; then - - yum remove -y "cyrus-imapd" - -fi + +package --remove=cyrus-imapd include remove_cyrus-imapd @@ -256684,8 +256674,18 @@ class remove_cyrus-imapd { - package_cyrus-imapd_removed - unknown_severity - -package --remove=cyrus-imapd + +# CAUTION: This remediation script will remove cyrus-imapd +# from the system, and may remove any packages +# that depend on cyrus-imapd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "cyrus-imapd" ; then + + yum remove -y "cyrus-imapd" + +fi @@ -256709,18 +256709,8 @@ $ sudo yum erase dovecot If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. CCE-85976-9 - -# CAUTION: This remediation script will remove dovecot -# from the system, and may remove any packages -# that depend on dovecot. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "dovecot" ; then - - yum remove -y "dovecot" - -fi + +package --remove=dovecot include remove_dovecot 
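Review bot: in the find commands re-added at @@ -255419 and @@ -255544, `-regex '^.*$'` matches every path and can be dropped, and `-exec chmod u-xs,g-xws,o-xwrt {} \;` forks one chmod per file where `-exec chmod u-xs,g-xws,o-xwrt {} +` batches them. Since the Ansible variant in the context lines already uses the same `-perm /u+xs,g+xws,o+xwrt` expression, the bash and Ansible fixes should be generated from one template so the two stay in step when the target mode changes.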
@@ -256743,8 +256733,18 @@ class remove_dovecot { - package_dovecot_removed - unknown_severity - -package --remove=dovecot + +# CAUTION: This remediation script will remove dovecot +# from the system, and may remove any packages +# that depend on dovecot. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "dovecot" ; then + + yum remove -y "dovecot" + +fi @@ -256766,26 +256766,20 @@ avenue of attack, and should be disabled if not needed. [customizations.services] disabled = ["dovecot"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'dovecot.service' -"$SYSTEMCTL_EXEC" disable 'dovecot.service' -"$SYSTEMCTL_EXEC" mask 'dovecot.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files dovecot.socket; then - "$SYSTEMCTL_EXEC" stop 'dovecot.socket' - "$SYSTEMCTL_EXEC" mask 'dovecot.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'dovecot.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: dovecot.service + enabled: false + mask: true + - name: dovecot.socket + enabled: false + mask: true include disable_dovecot 
@@ -256857,20 +256851,26 @@ class disable_dovecot { - service_dovecot_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: dovecot.service - enabled: false - mask: true - - name: dovecot.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'dovecot.service' +"$SYSTEMCTL_EXEC" disable 'dovecot.service' +"$SYSTEMCTL_EXEC" mask 'dovecot.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files dovecot.socket; then + "$SYSTEMCTL_EXEC" stop 'dovecot.socket' + "$SYSTEMCTL_EXEC" mask 'dovecot.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'dovecot.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -256911,24 +256911,8 @@ surface of the system. While this software is clearly essential on an KDC server, it is not necessary on typical desktop or workstation systems. CCE-85887-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove krb5-server -# from the system, and may remove any packages -# that depend on krb5-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "krb5-server" ; then - - yum remove -y "krb5-server" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=krb5-server include remove_krb5-server 
@@ -256955,8 +256939,24 @@ class remove_krb5-server { - no_reboot_needed - package_krb5-server_removed - -package --remove=krb5-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove krb5-server +# from the system, and may remove any packages +# that depend on krb5-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "krb5-server" ; then + + yum remove -y "krb5-server" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -256982,15 +256982,6 @@ remove the Kerberos keytab files, especially The key derivation function (KDF) in Kerberos is not FIPS compatible. CCE-82175-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -rm -f /etc/*.keytab - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find keytab files find: paths: /etc/ @@ -257022,6 +257013,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +rm -f /etc/*.keytab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257061,18 +257061,8 @@ $ sudo yum erase openldap-clients 2.3.5 If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface. CCE-82885-5 - -# CAUTION: This remediation script will remove openldap-clients -# from the system, and may remove any packages -# that depend on openldap-clients. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "openldap-clients" ; then - - yum remove -y "openldap-clients" - -fi + +package --remove=openldap-clients include remove_openldap-clients 
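Review bot: the `rm -f /etc/*.keytab` in the block re-added at @@ -257022 also removes /etc/krb5.keytab, the default host keytab, so on a host enrolled in an IPA or Active Directory realm this remediation silently breaks host authentication with no backup and no log of what was deleted. Given that the rationale is FIPS compatibility of the Kerberos KDF, the remediation should at least print the files it removes and the rule's applicability should exclude hosts that are realm members; the Ansible `find` task in the context lines should be checked for the same blast radius.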
@@ -257095,8 +257085,18 @@ class remove_openldap-clients { - no_reboot_needed - package_openldap-clients_removed - -package --remove=openldap-clients + +# CAUTION: This remediation script will remove openldap-clients +# from the system, and may remove any packages +# that depend on openldap-clients. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "openldap-clients" ; then + + yum remove -y "openldap-clients" + +fi @@ -257563,18 +257563,8 @@ intended for use as an LDAP Server it should be removed. surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. CCE-82415-1 - -# CAUTION: This remediation script will remove openldap-servers -# from the system, and may remove any packages -# that depend on openldap-servers. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "openldap-servers" ; then - - yum remove -y "openldap-servers" - -fi + +package --remove=openldap-servers include remove_openldap-servers @@ -257600,8 +257590,18 @@ class remove_openldap-servers { - no_reboot_needed - package_openldap-servers_removed - -package --remove=openldap-servers + +# CAUTION: This remediation script will remove openldap-servers +# from the system, and may remove any packages +# that depend on openldap-servers. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "openldap-servers" ; then + + yum remove -y "openldap-servers" + +fi 
@@ -257621,26 +257621,20 @@ disabled to reduce the potential attack surface. [customizations.services] disabled = ["slapd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'slapd.service' -"$SYSTEMCTL_EXEC" disable 'slapd.service' -"$SYSTEMCTL_EXEC" mask 'slapd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files slapd.socket; then - "$SYSTEMCTL_EXEC" stop 'slapd.socket' - "$SYSTEMCTL_EXEC" mask 'slapd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'slapd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: slapd.service + enabled: false + mask: true + - name: slapd.socket + enabled: false + mask: true include disable_slapd 
@@ -257712,20 +257706,26 @@ class disable_slapd { - no_reboot_needed - service_slapd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: slapd.service - enabled: false - mask: true - - name: slapd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'slapd.service' +"$SYSTEMCTL_EXEC" disable 'slapd.service' +"$SYSTEMCTL_EXEC" mask 'slapd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files slapd.socket; then + "$SYSTEMCTL_EXEC" stop 'slapd.socket' + "$SYSTEMCTL_EXEC" mask 'slapd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'slapd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257801,21 +257801,13 @@ $ sudo yum install mailx Emails can be used to notify designated personnel about important system events such as failures or warnings. CCE-87036-0 + +package --add=mailx + [[packages]] name = "mailx" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "mailx" ; then - yum install -y "mailx" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_mailx 
@@ -257841,8 +257833,16 @@ class install_mailx { - no_reboot_needed - package_mailx_installed - -package --add=mailx + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "mailx" ; then + yum install -y "mailx" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257863,21 +257863,13 @@ $ sudo yum install postfix Emails can be used to notify designated personnel about important system events such as failures or warnings. CCE-85983-5 + +package --add=postfix + [[packages]] name = "postfix" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "postfix" ; then - yum install -y "postfix" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_postfix @@ -257902,8 +257894,16 @@ class install_postfix { - no_reboot_needed - package_postfix_installed - -package --add=postfix + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "postfix" ; then + yum install -y "postfix" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -257996,24 +257996,8 @@ $ sudo yum erase sendmail its design prevents it from being effectively contained by SELinux. Postfix should be used instead. CCE-81039-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove sendmail -# from the system, and may remove any packages -# that depend on sendmail. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "sendmail" ; then - - yum remove -y "sendmail" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=sendmail include remove_sendmail 
@@ -258041,8 +258025,24 @@ class remove_sendmail { - no_reboot_needed - package_sendmail_removed - -package --remove=sendmail + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove sendmail +# from the system, and may remove any packages +# that depend on sendmail. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "sendmail" ; then + + yum remove -y "sendmail" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -258065,18 +258065,6 @@ notification tasks. [customizations.services] enabled = ["postfix"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'postfix.service' -"$SYSTEMCTL_EXEC" start 'postfix.service' -"$SYSTEMCTL_EXEC" enable 'postfix.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_postfix @@ -258110,6 +258098,18 @@ class enable_postfix { - no_reboot_needed - service_postfix_enabled - unknown_severity + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'postfix.service' +"$SYSTEMCTL_EXEC" start 'postfix.service' +"$SYSTEMCTL_EXEC" enable 'postfix.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -258178,42 +258178,6 @@ $ sudo newaliases notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address. CCE-82381-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_postfix_root_mail_alias='' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^root") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s: %s" "$stripped_key" "$var_postfix_root_mail_alias" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^root\\>" "/etc/aliases"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^root\\>.*/$escaped_formatted_output/gi" "/etc/aliases" -else - if [[ -s "/etc/aliases" ]] && [[ -n "$(tail -c 1 -- "/etc/aliases" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/aliases" - fi - cce="CCE-82381-5" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/aliases" >> "/etc/aliases" - printf '%s\n' "$formatted_output" >> "/etc/aliases" -fi - -if [ -f /usr/bin/newaliases ]; then - newaliases -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postfix_root_mail_alias # promote to variable set_fact: var_postfix_root_mail_alias: !!str 
@@ -258268,6 +258232,42 @@ fi - medium_severity - no_reboot_needed - postfix_client_configure_mail_alias + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_postfix_root_mail_alias='' + + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^root") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s: %s" "$stripped_key" "$var_postfix_root_mail_alias" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^root\\>" "/etc/aliases"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^root\\>.*/$escaped_formatted_output/gi" "/etc/aliases" +else + if [[ -s "/etc/aliases" ]] && [[ -n "$(tail -c 1 -- "/etc/aliases" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/aliases" + fi + cce="CCE-82381-5" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/aliases" >> "/etc/aliases" + printf '%s\n' "$formatted_output" >> "/etc/aliases" +fi + +if [ -f /usr/bin/newaliases ]; then + newaliases +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
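Review bot: the block re-added at @@ -258268 has no guard on `var_postfix_root_mail_alias`, so if the XCCDF value is unset the script writes `root: ` with an empty target into /etc/aliases and then runs `newaliases` on it, leaving root mail undeliverable rather than forwarded. Add `[ -n "$var_postfix_root_mail_alias" ] || { >&2 echo 'var_postfix_root_mail_alias is empty'; exit 1; }` right after the assignment. The `-i` on the grep and the `gi` flags on the sed also make the key match case-insensitive, so a pre-existing `Root:` line would be rewritten; that is probably intended but worth a comment.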
@@ -258298,32 +258298,6 @@ affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. CCE-89063-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/aliases" ] ; then - - LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases" -else - touch "/etc/aliases" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/aliases" - -cp "/etc/aliases" "/etc/aliases.bak" -# Insert at the end of the file -printf '%s\n' "postmaster: root" >> "/etc/aliases" -# Clean up after ourselves. -rm "/etc/aliases.bak" - -if [ -f /usr/bin/newaliases ]; then - newaliases -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Configure System to Forward All Mail From Postmaster to The Root Account block: @@ -258399,6 +258373,32 @@ fi - medium_severity - no_reboot_needed - postfix_client_configure_mail_alias_postmaster + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/aliases" ] ; then + + LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases" +else + touch "/etc/aliases" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/aliases" + +cp "/etc/aliases" "/etc/aliases.bak" +# Insert at the end of the file +printf '%s\n' "postmaster: root" >> "/etc/aliases" +# Clean up after ourselves. +rm "/etc/aliases.bak" + +if [ -f /usr/bin/newaliases ]; then + newaliases +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -258502,33 +258502,6 @@ may help prevent spam or viruses from being delivered. and not from the network, which protects it from network attack. CCE-82174-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q postfix; }; then - -var_postfix_inet_interfaces='' - - -if [ -e "/etc/postfix/main.cf" ] ; then - - LC_ALL=C sed -i "/^\s*inet_interfaces\s\+=\s\+/Id" "/etc/postfix/main.cf" -else - touch "/etc/postfix/main.cf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/postfix/main.cf" - -cp "/etc/postfix/main.cf" "/etc/postfix/main.cf.bak" -# Insert at the end of the file -printf '%s\n' "inet_interfaces=$var_postfix_inet_interfaces" >> "/etc/postfix/main.cf" -# Clean up after ourselves. -rm "/etc/postfix/main.cf.bak" - -systemctl restart postfix - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_postfix_inet_interfaces # promote to variable set_fact: var_postfix_inet_interfaces: !!str @@ -258578,6 +258551,33 @@ fi - no_reboot_needed - postfix_network_listening_disabled - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q postfix; }; then + +var_postfix_inet_interfaces='' + + +if [ -e "/etc/postfix/main.cf" ] ; then + + LC_ALL=C sed -i "/^\s*inet_interfaces\s\+=\s\+/Id" "/etc/postfix/main.cf" +else + touch "/etc/postfix/main.cf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/postfix/main.cf" + +cp "/etc/postfix/main.cf" "/etc/postfix/main.cf.bak" +# Insert at the end of the file +printf '%s\n' "inet_interfaces=$var_postfix_inet_interfaces" >> "/etc/postfix/main.cf" +# Clean up after ourselves. +rm "/etc/postfix/main.cf.bak" + +systemctl restart postfix + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
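Review bot: in the inet_interfaces block re-added at @@ -258578, the delete pattern `^\s*inet_interfaces\s\+=\s\+` requires at least one space on each side of `=`, but the line the script itself appends is `inet_interfaces=$var_postfix_inet_interfaces` with no spaces, so a second run (or an existing `inet_interfaces=all` written without spaces) is not removed and main.cf accumulates duplicate keys. Postfix honours the last definition, so the effective setting is right, but the file grows on every run; use `\s*=\s*` in the sed expression and write `inet_interfaces = $var_postfix_inet_interfaces` so the delete matches what the script produces.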
@@ -258719,19 +258719,6 @@ to the local network with the following command: host as a mail relay for the purpose of sending spam or other unauthorized activity. CCE-84054-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then - -if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then - echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf -else - sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -258785,6 +258772,19 @@ fi - no_reboot_needed - postfix_prevent_unrestricted_relay - restrict_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then + +if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then + echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf +else + sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -258883,18 +258883,8 @@ daemon on a remote host for information about the Network File System (NFS) serv remote host. For example, showmount can display the clients which are mounted on that host. CCE-82932-5 - -# CAUTION: This remediation script will remove nfs-utils -# from the system, and may remove any packages -# that depend on nfs-utils. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "nfs-utils" ; then - - yum remove -y "nfs-utils" - -fi + +package --remove=nfs-utils include remove_nfs-utils 
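Review bot: the smtpd_client_restrictions block re-added at @@ -258785 edits /etc/postfix/main.cf but never reloads Postfix, unlike the inet_interfaces remediation in the previous hunk, which ends with `systemctl restart postfix`; until a reload the running daemon still relays with its old restrictions, so an audit immediately after remediation passes on file content while the host is still an open relay. Add `systemctl try-reload-or-restart postfix` after the edit. The `sed -i` here also lacks the `--follow-symlinks` used by the other sed invocations in this patch, so a symlinked main.cf would be replaced by a regular file.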
@@ -258917,8 +258907,18 @@ class remove_nfs-utils { - no_reboot_needed - package_nfs-utils_removed - -package --remove=nfs-utils + +# CAUTION: This remediation script will remove nfs-utils +# from the system, and may remove any packages +# that depend on nfs-utils. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "nfs-utils" ; then + + yum remove -y "nfs-utils" + +fi @@ -258957,26 +258957,20 @@ The netfs service can be disabled with the following comm [customizations.services] disabled = ["netfs"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'netfs.service' -"$SYSTEMCTL_EXEC" disable 'netfs.service' -"$SYSTEMCTL_EXEC" mask 'netfs.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files netfs.socket; then - "$SYSTEMCTL_EXEC" stop 'netfs.socket' - "$SYSTEMCTL_EXEC" mask 'netfs.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: netfs.service + enabled: false + mask: true + - name: netfs.socket + enabled: false + mask: true include disable_netfs 
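Review bot: `netfs.service` and `netfs.socket` in both the MachineConfig and the bash block are SysV-era names (network mounts are driven by `remote-fs.target` on systemd hosts), and the rule is tagged `unknown_severity`; `systemctl mask` of a unit that does not exist still succeeds by linking it to /dev/null, while `stop` and `disable` fail and, with no `set -e`, the script carries on, so the remediation reports success for a no-op. Gate the fix on `systemctl list-unit-files` actually matching the unit, or drop the rule for this product. The same applies to the nfslock, rpcgssd, rpcidmapd and rpcsvcgssd hunks below; the corresponding nfs-utils units on systemd-based RHEL are `rpc-statd`, `rpc-gssd`, `nfs-idmapd` and `rpc-svcgssd`.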
@@ -259045,20 +259039,26 @@ class disable_netfs { - service_netfs_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: netfs.service - enabled: false - mask: true - - name: netfs.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'netfs.service' +"$SYSTEMCTL_EXEC" disable 'netfs.service' +"$SYSTEMCTL_EXEC" mask 'netfs.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files netfs.socket; then + "$SYSTEMCTL_EXEC" stop 'netfs.socket' + "$SYSTEMCTL_EXEC" mask 'netfs.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -259088,24 +259088,8 @@ $ sudo yum erase rpcbind If the system does not require rpc based services, it is recommended that rpcbind be disabled to reduce the attack surface. CCE-86645-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove rpcbind -# from the system, and may remove any packages -# that depend on rpcbind. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rpcbind" ; then - - yum remove -y "rpcbind" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=rpcbind include remove_rpcbind 
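Review bot: the rpcbind removal moved here runs `yum remove -y "rpcbind"`, which takes `nfs-utils` and anything else that requires rpcbind with it; the comment warns about this, but `-y` suppresses the only prompt that would show the dependents. Since the same profile also carries separate rules that merely disable the rpcbind, nfslock and nfs-server services, either restrict this rule to profiles where the whole NFS stack is unwanted or print the dependency list (`yum remove --assumeno rpcbind`) before removing anything.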
@@ -259129,8 +259113,24 @@ class remove_rpcbind { - no_reboot_needed - package_rpcbind_removed - -package --remove=rpcbind + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove rpcbind +# from the system, and may remove any packages +# that depend on rpcbind. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rpcbind" ; then + + yum remove -y "rpcbind" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -259153,26 +259153,20 @@ The nfslock service can be disabled with the following co [customizations.services] disabled = ["nfslock"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'nfslock.service' -"$SYSTEMCTL_EXEC" disable 'nfslock.service' -"$SYSTEMCTL_EXEC" mask 'nfslock.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files nfslock.socket; then - "$SYSTEMCTL_EXEC" stop 'nfslock.socket' - "$SYSTEMCTL_EXEC" mask 'nfslock.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nfslock.service + enabled: false + mask: true + - name: nfslock.socket + enabled: false + mask: true include disable_nfslock 
@@ -259241,20 +259235,26 @@ class disable_nfslock { - service_nfslock_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: nfslock.service - enabled: false - mask: true - - name: nfslock.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nfslock.service' +"$SYSTEMCTL_EXEC" disable 'nfslock.service' +"$SYSTEMCTL_EXEC" mask 'nfslock.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files nfslock.socket; then + "$SYSTEMCTL_EXEC" stop 'nfslock.socket' + "$SYSTEMCTL_EXEC" mask 'nfslock.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259280,26 +259280,20 @@ rpcbind be disabled to reduce the attack surface. [customizations.services] disabled = ["rpcbind"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcbind.service' -"$SYSTEMCTL_EXEC" disable 'rpcbind.service' -"$SYSTEMCTL_EXEC" mask 'rpcbind.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcbind.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcbind.socket' - "$SYSTEMCTL_EXEC" mask 'rpcbind.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcbind.service + enabled: false + mask: true + - name: rpcbind.socket + enabled: false + mask: true include disable_rpcbind 
@@ -259374,20 +259368,26 @@ class disable_rpcbind { - no_reboot_needed - service_rpcbind_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcbind.service - enabled: false - mask: true - - name: rpcbind.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcbind.service' +"$SYSTEMCTL_EXEC" disable 'rpcbind.service' +"$SYSTEMCTL_EXEC" mask 'rpcbind.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcbind.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcbind.socket' + "$SYSTEMCTL_EXEC" mask 'rpcbind.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
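Review bot: the bash block stops `rpcbind.service` before `rpcbind.socket`; with a socket-activated unit, a request arriving between the two `stop` calls re-spawns the service before the socket is masked, so stop and mask the socket first, then the service. The MachineConfig hunk is unaffected, since both units are applied together at boot.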
@@ -259407,26 +259407,20 @@ The rpcgssd service can be disabled with the following co [customizations.services] disabled = ["rpcgssd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcgssd.service' -"$SYSTEMCTL_EXEC" disable 'rpcgssd.service' -"$SYSTEMCTL_EXEC" mask 'rpcgssd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcgssd.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcgssd.socket' - "$SYSTEMCTL_EXEC" mask 'rpcgssd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcgssd.service + enabled: false + mask: true + - name: rpcgssd.socket + enabled: false + mask: true include disable_rpcgssd 
@@ -259495,20 +259489,26 @@ class disable_rpcgssd { - service_rpcgssd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcgssd.service - enabled: false - mask: true - - name: rpcgssd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcgssd.service' +"$SYSTEMCTL_EXEC" disable 'rpcgssd.service' +"$SYSTEMCTL_EXEC" mask 'rpcgssd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcgssd.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcgssd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcgssd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259527,26 +259527,20 @@ The rpcidmapd service can be disabled with the following [customizations.services] disabled = ["rpcidmapd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service' -"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service' -"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcidmapd.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket' - "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcidmapd.service + enabled: false + mask: true + - name: rpcidmapd.socket + enabled: false + mask: true include disable_rpcidmapd 
@@ -259615,20 +259609,26 @@ class disable_rpcidmapd { - service_rpcidmapd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcidmapd.service - enabled: false - mask: true - - name: rpcidmapd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service' +"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service' +"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcidmapd.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259811,26 +259811,20 @@ The nfs-server service can be disabled with the following [customizations.services] disabled = ["nfs-server"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'nfs-server.service' -"$SYSTEMCTL_EXEC" disable 'nfs-server.service' -"$SYSTEMCTL_EXEC" mask 'nfs-server.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files nfs-server.socket; then - "$SYSTEMCTL_EXEC" stop 'nfs-server.socket' - "$SYSTEMCTL_EXEC" mask 'nfs-server.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'nfs-server.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nfs-server.service + enabled: false + mask: true + - name: nfs-server.socket + enabled: false + mask: true include disable_nfs-server 
@@ -259911,20 +259905,26 @@ class disable_nfs-server { - service_nfs_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: nfs-server.service - enabled: false - mask: true - - name: nfs-server.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nfs-server.service' +"$SYSTEMCTL_EXEC" disable 'nfs-server.service' +"$SYSTEMCTL_EXEC" mask 'nfs-server.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files nfs-server.socket; then + "$SYSTEMCTL_EXEC" stop 'nfs-server.socket' + "$SYSTEMCTL_EXEC" mask 'nfs-server.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'nfs-server.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -259948,26 +259948,20 @@ The rpcsvcgssd service can be disabled with the following [customizations.services] disabled = ["rpcsvcgssd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service' -"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service' -"$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rpcsvcgssd.socket; then - "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket' - "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcsvcgssd.service + enabled: false + mask: true + - name: rpcsvcgssd.socket + enabled: false + mask: true include disable_rpcsvcgssd 
@@ -260036,20 +260030,26 @@ class disable_rpcsvcgssd { - service_rpcsvcgssd_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rpcsvcgssd.service - enabled: false - mask: true - - name: rpcsvcgssd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service' +"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service' +"$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rpcsvcgssd.socket; then + "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -260151,40 +260151,6 @@ any NFS mounts. requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|sec=krb5:krb5i:krb5p)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}sec=krb5:krb5i:krb5p 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "sec=krb5:krb5i:krb5p"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,sec=krb5:krb5i:krb5p|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have sec=krb5:krb5i:krb5p command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -P register: points_register 
@@ -260232,6 +260198,40 @@ fi - medium_severity - mount_option_krb_sec_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|sec=krb5:krb5i:krb5p)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}sec=krb5:krb5i:krb5p 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "sec=krb5:krb5i:krb5p"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,sec=krb5:krb5i:krb5p|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
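Review bot: in the bash fix moved here, `readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}')` does not skip comment lines, while `mount_point_match_regexp` starts with `^[[:space:]]*[^#]`, so a commented-out NFS entry in /etc/fstab falls into the `! grep -q ... /etc/fstab` branch and gets a brand-new active `nfs4` line appended (with options harvested from /etc/mtab if the path happens to be mounted), i.e. the remediation silently re-enables a mount an administrator disabled. Filter comments in the readarray grep (`grep -E "^[[:space:]]*[^#].*[[:space:]]nfs[4]?[[:space:]]"`). The `elif` branch also only tests for the literal `sec=krb5:krb5i:krb5p` and appends it, so an existing `sec=sys` stays in the option list next to it; replace an existing `sec=` instead of appending. The `fs_type="nfs4"` / `if [ "$fs_type" == "iso9660" ]` block is a constant-false branch in this instantiation and can be dropped.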
@@ -260328,40 +260328,6 @@ any NFS mounts. Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. CCE-84052-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have nodev command: findmnt --fstab --types nfs,nfs4 -O nonodev -n -P register: points_register 
@@ -260403,6 +260369,40 @@ fi - medium_severity - mount_option_nodev_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
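Review bot: this is the same mount-option template as the sec=krb5 hunk above with `nodev` substituted, and it carries the same comment-line problem: the `readarray` grep does not exclude `#` lines while `mount_point_match_regexp` does, so a commented-out NFS entry gets an active `nfs4 defaults,...,nodev 0 0` line appended. The noexec and nosuid hunks below share the template; fix it once in the source template rather than per rule.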
@@ -260468,40 +260468,6 @@ for mounting any file system not containing approved binary files as they may be files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. CCE-84050-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have noexec command: findmnt --fstab --types nfs,nfs4 -O nonoexec -n -P register: points_register 
@@ -260547,6 +260513,40 @@ fi - medium_severity - mount_option_noexec_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -260609,40 +260609,6 @@ any NFS mounts. NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. CCE-84053-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -vfstype_points=() -readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') - -for vfstype_point in "${vfstype_points[@]}" -do - mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" - - # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab - if ! grep -q "$mount_point_match_regexp" /etc/fstab; then - # runtime opts without some automatic kernel/userspace-added defaults - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") - [ "$previous_mount_opts" ] && previous_mount_opts+="," - # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in - # fstab as "block". The next variable is to satisfy shellcheck SC2050. - fs_type="nfs4" - if [ "$fs_type" == "iso9660" ] ; then - previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") - fi - echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab - # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it - elif ! 
grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then - previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') - sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Get nfs and nfs4 mount points, that don't have nosuid command: findmnt --fstab --types nfs,nfs4 -O nonosuid -n -P register: points_register 
@@ -260686,6 +260652,40 @@ fi - medium_severity - mount_option_nosuid_remote_filesystems - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +vfstype_points=() +readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}') + +for vfstype_point in "${vfstype_points[@]}" +do + mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})" + + # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab + if ! grep -q "$mount_point_match_regexp" /etc/fstab; then + # runtime opts without some automatic kernel/userspace-added defaults + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") + [ "$previous_mount_opts" ] && previous_mount_opts+="," + # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in + # fstab as "block". The next variable is to satisfy shellcheck SC2050. + fs_type="nfs4" + if [ "$fs_type" == "iso9660" ] ; then + previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") + fi + echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab + # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it + elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then + previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -260884,21 +260884,6 @@ requests from the remote user. The userid and groupid could mistakenly or malici incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. CCE-80924-4 - -nfs_exports=() -readarray -t nfs_exports < <(grep -E "^/.*[[:space:]]+ .*\(.*\)[[:space:]]*$" /etc/exports | awk '{print $2}') - -for nfs_export in "${nfs_exports[@]}" -do - correct_export="" - if [ "$(grep -c "sec=" <<<"$nfs_export")" -eq 0 ]; then - correct_export="$(echo $nfs_export|sed -e 's/).*$/,sec=krb5\:krb5i\:krb5p)/')" - else - correct_export="$(echo $nfs_export|sed -e 's/sec=[^\,\)]*/sec=krb5\:krb5i\:krb5p/')" - fi - sed -i "s|$nfs_export|$correct_export|g" /etc/exports -done - - name: Drop any security clause for every export replace: path: /etc/exports @@ -260940,6 +260925,21 @@ done - medium_severity - no_reboot_needed - use_kerberos_security_all_exports + + +nfs_exports=() +readarray -t nfs_exports < <(grep -E "^/.*[[:space:]]+ .*\(.*\)[[:space:]]*$" /etc/exports | awk '{print $2}') + +for nfs_export in "${nfs_exports[@]}" +do + correct_export="" + if [ "$(grep -c "sec=" <<<"$nfs_export")" -eq 0 ]; then + correct_export="$(echo $nfs_export|sed -e 's/).*$/,sec=krb5\:krb5i\:krb5p)/')" + else + correct_export="$(echo $nfs_export|sed -e 's/sec=[^\,\)]*/sec=krb5\:krb5i\:krb5p/')" + fi + sed -i "s|$nfs_export|$correct_export|g" /etc/exports +done @@ -261106,21 +261106,13 @@ Kerberos and also ensures log files have consistent time records across the ente which aids in forensic investigations. CCE-82874-9 + +package --add=chrony + [[packages]] name = "chrony" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "chrony" ; then - yum install -y "chrony" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_chrony 
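Review bot: in the `use_kerberos_security_all_exports` hunk, `awk '{print $2}'` takes only the second field of each `/etc/exports` line, so an export with several client specs (for example `/srv hostA(rw) hostB(ro)`) gets `sec=krb5:krb5i:krb5p` applied to the first client only, and the rule will still report the export as non-compliant after remediation. Iterating over every field from `$2` onward would cover all clients. Also, as rendered here, the selector `[[:space:]]+ .*\(.*\)` requires a run of whitespace followed by a literal space between the path and the client spec, so a line separated by a single tab or space is skipped entirely; `[[:space:]]+.*\(.*\)` is what is intended. Finally, `sed -i "s|$nfs_export|$correct_export|g"` uses the raw client spec as both sed pattern and replacement, so `&` or `|` in an export entry would be misinterpreted; escape both sides before substitution. The `package_chrony_installed` hunks on this line only swap the order of the kickstart, blueprint and bash fixes and need no change.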
@@ -261146,8 +261138,16 @@ class install_chrony { - no_reboot_needed - package_chrony_installed - -package --add=chrony + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "chrony" ; then + yum install -y "chrony" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -261193,21 +261193,13 @@ package --add=chrony PR.PT-1 Req-10.4 Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906. + +package --add=ntp + [[packages]] name = "ntp" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "ntp" ; then - yum install -y "ntp" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_ntp @@ -261232,8 +261224,16 @@ class install_ntp { - no_reboot_needed - package_ntp_installed - -package --add=ntp + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "ntp" ; then + yum install -y "ntp" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -261264,18 +261264,6 @@ synchronization is working properly. [customizations.services] enabled = ["chronyd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'chronyd.service' -"$SYSTEMCTL_EXEC" start 'chronyd.service' -"$SYSTEMCTL_EXEC" enable 'chronyd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_chronyd 
@@ -261324,6 +261312,18 @@ class enable_chronyd { - medium_severity - no_reboot_needed - service_chronyd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'chronyd.service' +"$SYSTEMCTL_EXEC" start 'chronyd.service' +"$SYSTEMCTL_EXEC" enable 'chronyd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261409,47 +261409,6 @@ The chronyd and ntpd NTP daemons o functionality of ntpdate, which is now deprecated. CCE-80874-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if rpm --quiet -q "chrony" ; then - if ! /usr/sbin/pidof ntpd ; then - /usr/bin/systemctl enable "chronyd" - /usr/bin/systemctl start "chronyd" - # The service may not be running because it has been started and failed, - # so let's reset the state so OVAL checks pass. - # Service should be 'inactive', not 'failed' after reboot though. - if /usr/bin/systemctl --failed | grep -q "chronyd"; then - /usr/bin/systemctl reset-failed "chronyd" - fi - fi -elif rpm --quiet -q "ntp" ; then - /usr/bin/systemctl enable "ntpd" - /usr/bin/systemctl start "ntpd" - # The service may not be running because it has been started and failed, - # so let's reset the state so OVAL checks pass. - # Service should be 'inactive', not 'failed' after reboot though. - if /usr/bin/systemctl --failed | grep -q "ntpd"; then - /usr/bin/systemctl reset-failed "ntpd" - fi -else - if ! rpm -q --quiet "chrony" ; then - yum install -y "chrony" - fi - /usr/bin/systemctl enable "chronyd" - /usr/bin/systemctl start "chronyd" - # The service may not be running because it has been started and failed, - # so let's reset the state so OVAL checks pass. - # Service should be 'inactive', not 'failed' after reboot though. - if /usr/bin/systemctl --failed | grep -q "chronyd"; then - /usr/bin/systemctl reset-failed "chronyd" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -261534,6 +261493,47 @@ fi - medium_severity - no_reboot_needed - service_chronyd_or_ntpd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if rpm --quiet -q "chrony" ; then + if ! /usr/sbin/pidof ntpd ; then + /usr/bin/systemctl enable "chronyd" + /usr/bin/systemctl start "chronyd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + if /usr/bin/systemctl --failed | grep -q "chronyd"; then + /usr/bin/systemctl reset-failed "chronyd" + fi + fi +elif rpm --quiet -q "ntp" ; then + /usr/bin/systemctl enable "ntpd" + /usr/bin/systemctl start "ntpd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + if /usr/bin/systemctl --failed | grep -q "ntpd"; then + /usr/bin/systemctl reset-failed "ntpd" + fi +else + if ! rpm -q --quiet "chrony" ; then + yum install -y "chrony" + fi + /usr/bin/systemctl enable "chronyd" + /usr/bin/systemctl start "chronyd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + if /usr/bin/systemctl --failed | grep -q "chronyd"; then + /usr/bin/systemctl reset-failed "chronyd" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
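Review bot: the `service_chronyd_or_ntpd_enabled` remediation in this hunk can finish with neither daemon enabled: when `chrony` is installed but `/usr/sbin/pidof ntpd` finds a running `ntpd`, the inner `if` is skipped and, because the outer `if rpm --quiet -q "chrony"` already matched, the `elif rpm --quiet -q "ntp"` branch is never reached, so `ntpd` is left running but not enabled and `chronyd` is neither enabled nor started. Either enable `ntpd` in that case or drop the `pidof` guard and let `chronyd` take over. A minor point on the same lines: `systemctl --failed | grep -q "chronyd"` is a substring match that would also fire on a differently named unit containing that string; `systemctl is-failed chronyd.service` is the precise check.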
@@ -261595,18 +261595,6 @@ deprecated. [customizations.services] enabled = ["ntpd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'ntpd.service' -"$SYSTEMCTL_EXEC" start 'ntpd.service' -"$SYSTEMCTL_EXEC" enable 'ntpd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_ntpd @@ -261663,6 +261651,18 @@ class enable_ntpd { - medium_severity - no_reboot_needed - service_ntpd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ntpd.service' +"$SYSTEMCTL_EXEC" start 'ntpd.service' +"$SYSTEMCTL_EXEC" enable 'ntpd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261689,34 +261689,30 @@ Operating systems are capable of providing a wide variety of functions and servi To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. CCE-82988-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^port") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^port\\>" "/etc/chrony.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^port\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" -else - if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" - fi - cce="CCE-82988-7" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" - printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20st
ratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: Disable chrony daemon from acting as server block: 
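Review bot: the MachineConfig fix in this hunk replaces the whole of `/etc/chrony.conf` (`overwrite: true`) with a data URL that also appears, byte for byte, in the `cmdport`, `maxpoll` and multiple-time-servers rules further down this patch, even though the setting this rule is about is the single `port 0` line inside that blob. Applying any one of these rules therefore discards an administrator's existing `chrony.conf`, and four rules race to write the same file; a shared MachineConfig for the baseline file plus a per-rule drop-in under `/etc/chrony.d/` would make each rule's effect match its description. Also, the encoded comment in the `ntp-server.conf` template reads `for mutilines remediation`; it should be `multiline`.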
@@ -261759,30 +261755,34 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logge
d.%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^port") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^port\\>" "/etc/chrony.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^port\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" +else + if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" + fi + cce="CCE-82988-7" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" + printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261807,34 +261807,30 @@ for management connections made by chronyc. daemon diminishes the attack surface. CCE-82840-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "0" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^cmdport\\>" "/etc/chrony.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^cmdport\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" -else - if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" - fi - cce="CCE-82840-0" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" - printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: Disable network management of chrony daemon block: 
@@ -261876,30 +261872,34 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logge
d.%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "0" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. 
+if LC_ALL=C grep -q -m 1 -i -e "^cmdport\\>" "/etc/chrony.conf"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^cmdport\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf" +else + if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf" + fi + cce="CCE-82840-0" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf" + printf '%s\n' "$formatted_output" >> "/etc/chrony.conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -261964,44 +261964,30 @@ Synchronizing internal information system clocks provides uniformity of time sta Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). CCE-84059-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then - -var_time_service_set_maxpoll='' - - - - -pof="/usr/sbin/pidof" - - -CONFIG_FILES="/etc/ntp.conf" -$pof ntpd || { - CHRONY_NAME=/etc/chrony.conf - CHRONY_PATH=${CHRONY_NAME%%.*} - CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf') -} - -# get list of ntp files - -for config_file in $CONFIG_FILES; do - # Set maxpoll values to var_time_service_set_maxpoll - sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file" -done - - - - -for config_file in $CONFIG_FILES; do - # Add maxpoll to server, pool or peer entries without maxpoll - grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do - sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file" - done -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ 
%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ 
%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: Gather the package facts package_facts: 
@@ -262196,30 +262182,44 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logge
d.%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then + +var_time_service_set_maxpoll='' + + + + +pof="/usr/sbin/pidof" + + +CONFIG_FILES="/etc/ntp.conf" +$pof ntpd || { + CHRONY_NAME=/etc/chrony.conf + CHRONY_PATH=${CHRONY_NAME%%.*} + CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf') +} + +# get list of ntp files + +for config_file in $CONFIG_FILES; do + # Set maxpoll values to var_time_service_set_maxpoll + sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file" +done + + + + +for config_file in $CONFIG_FILES; do + # Add maxpoll to server, pool or peer entries without maxpoll + grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do + sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file" + done +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262292,28 +262292,30 @@ unavailable. This is typical for a system acting as an NTP server for other systems. CCE-80764-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_multiple_time_servers='' - - -config_file="/etc/ntp.conf" -/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" - -if ! [ "$(grep -c '^server' "$config_file")" -gt 1 ] ; then - if ! grep -q '#[[:space:]]*server' "$config_file" ; then - for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do - printf '\nserver %s' "$server" >> "$config_file" - done - else - sed -i 's/#[ \t]*server/server/g' "$config_file" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Ser
ve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }} + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + - contents: + source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} + mode: 420 + overwrite: true + path: /etc/chrony.d/ntp-server.conf - name: XCCDF Value var_multiple_time_servers # promote to variable set_fact: 
@@ -262409,30 +262411,28 @@ fi - medium_severity - no_reboot_needed - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.
%0A%23log%20measurements%20statistics%20tracking }} - mode: 420 - overwrite: true - path: /etc/chrony.conf - - contents: - source: data:, - mode: 420 - overwrite: true - path: /etc/chrony.d/.mco-keep - - contents: - source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }} - mode: 420 - overwrite: true - path: /etc/chrony.d/ntp-server.conf + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_multiple_time_servers='' + + +config_file="/etc/ntp.conf" +/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" + +if ! [ "$(grep -c '^server' "$config_file")" -gt 1 ] ; then + if ! grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262504,29 +262504,6 @@ data. logs from multiple sources or correlate computer events with real time events. CCE-80765-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ( rpm --quiet -q chrony || rpm --quiet -q ntp ) ); }; then - -var_multiple_time_servers='' - - -config_file="/etc/ntp.conf" -/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" - -if ! grep -q ^server "$config_file" ; then - if ! grep -q '#[[:space:]]*server' "$config_file" ; then - for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do - printf '\nserver %s' "$server" >> "$config_file" - done - else - sed -i 's/#[ \t]*server/server/g' "$config_file" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig @@ -262551,6 +262528,29 @@ spec: mode: 420 overwrite: true path: /etc/chrony.d/ntp-server.conf + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ( rpm --quiet -q chrony || rpm --quiet -q ntp ) ); }; then + +var_multiple_time_servers='' + + +config_file="/etc/ntp.conf" +/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" + +if ! grep -q ^server "$config_file" ; then + if ! grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262577,27 +262577,6 @@ This recommendation only applies if chrony is in use on the system. CCE-82879-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then - -if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then - # trying to solve cases where the parameter after OPTIONS - #may or may not be enclosed in quotes - sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/' /etc/sysconfig/chronyd -fi - -if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then - # trying to solve cases where the parameter after OPTIONS - #may or may not be enclosed in quotes - sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd -else - echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -262648,6 +262627,27 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + +if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then + # trying to solve cases where the parameter after OPTIONS + #may or may not be enclosed in quotes + sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1\2/' /etc/sysconfig/chronyd +fi + +if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then + # trying to solve cases where the parameter after OPTIONS + #may or may not be enclosed in quotes + sed -i -E -e 's/\s*-u\s*\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd +else + echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262701,28 +262701,6 @@ Multiple servers may be configured. synchronization is working properly. CCE-82873-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then - -var_multiple_time_servers='' - - -config_file="/etc/chrony.conf" - -if ! grep -q '^[[:space:]]*\(server\|pool\)[[:space:]]\+[[:graph:]]\+' "$config_file" ; then - if ! grep -q '#[[:space:]]*server' "$config_file" ; then - for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do - printf '\nserver %s' "$server" >> "$config_file" - done - else - sed -i 's/#[ \t]*server/server/g' "$config_file" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -262789,6 +262767,28 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + +var_multiple_time_servers='' + + +config_file="/etc/chrony.conf" + +if ! grep -q '^[[:space:]]*\(server\|pool\)[[:space:]]\+[[:graph:]]\+' "$config_file" ; then + if ! grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -262931,18 +262931,8 @@ $ sudo yum erase rsync-daemon The rsyncd service presents a security risk as it uses unencrypted protocols for communication. CCE-86335-7 - -# CAUTION: This remediation script will remove rsync-daemon -# from the system, and may remove any packages -# that depend on rsync-daemon. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rsync-daemon" ; then - - yum remove -y "rsync-daemon" - -fi + +package --remove=rsync-daemon include remove_rsync-daemon @@ -262965,8 +262955,18 @@ class remove_rsync-daemon { - no_reboot_needed - package_rsync_removed - -package --remove=rsync-daemon + +# CAUTION: This remediation script will remove rsync-daemon +# from the system, and may remove any packages +# that depend on rsync-daemon. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rsync-daemon" ; then + + yum remove -y "rsync-daemon" + +fi 
@@ -262990,26 +262990,20 @@ communication. [customizations.services] disabled = ["rsyncd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rsyncd.service' -"$SYSTEMCTL_EXEC" disable 'rsyncd.service' -"$SYSTEMCTL_EXEC" mask 'rsyncd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rsyncd.socket; then - "$SYSTEMCTL_EXEC" stop 'rsyncd.socket' - "$SYSTEMCTL_EXEC" mask 'rsyncd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rsyncd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rsyncd.service + enabled: false + mask: true + - name: rsyncd.socket + enabled: false + mask: true include disable_rsyncd 
@@ -263084,20 +263078,26 @@ class disable_rsyncd { - no_reboot_needed - service_rsyncd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rsyncd.service - enabled: false - mask: true - - name: rsyncd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rsyncd.service' +"$SYSTEMCTL_EXEC" disable 'rsyncd.service' +"$SYSTEMCTL_EXEC" mask 'rsyncd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rsyncd.socket; then + "$SYSTEMCTL_EXEC" stop 'rsyncd.socket' + "$SYSTEMCTL_EXEC" mask 'rsyncd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rsyncd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -263222,24 +263222,8 @@ $ sudo yum erase xinetd Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. CCE-80850-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove xinetd -# from the system, and may remove any packages -# that depend on xinetd. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "xinetd" ; then - - yum remove -y "xinetd" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=xinetd include remove_xinetd 
@@ -263267,8 +263251,24 @@ class remove_xinetd { - no_reboot_needed - package_xinetd_removed - -package --remove=xinetd + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove xinetd +# from the system, and may remove any packages +# that depend on xinetd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "xinetd" ; then + + yum remove -y "xinetd" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -263391,26 +263391,20 @@ attacks against xinetd itself. [customizations.services] disabled = ["xinetd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'xinetd.service' -"$SYSTEMCTL_EXEC" disable 'xinetd.service' -"$SYSTEMCTL_EXEC" mask 'xinetd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files xinetd.socket; then - "$SYSTEMCTL_EXEC" stop 'xinetd.socket' - "$SYSTEMCTL_EXEC" mask 'xinetd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'xinetd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: xinetd.service + enabled: false + mask: true + - name: xinetd.socket + enabled: false + mask: true include disable_xinetd 
@@ -263494,20 +263488,26 @@ class disable_xinetd { - no_reboot_needed - service_xinetd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: xinetd.service - enabled: false - mask: true - - name: xinetd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'xinetd.service' +"$SYSTEMCTL_EXEC" disable 'xinetd.service' +"$SYSTEMCTL_EXEC" mask 'xinetd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files xinetd.socket; then + "$SYSTEMCTL_EXEC" stop 'xinetd.socket' + "$SYSTEMCTL_EXEC" mask 'xinetd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'xinetd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -263546,18 +263546,8 @@ NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed. CCE-82181-9 - -# CAUTION: This remediation script will remove ypbind -# from the system, and may remove any packages -# that depend on ypbind. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "ypbind" ; then - - yum remove -y "ypbind" - -fi + +package --remove=ypbind include remove_ypbind 
@@ -263581,8 +263571,18 @@ class remove_ypbind { - package_ypbind_removed - unknown_severity - -package --remove=ypbind + +# CAUTION: This remediation script will remove ypbind +# from the system, and may remove any packages +# that depend on ypbind. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "ypbind" ; then + + yum remove -y "ypbind" + +fi @@ -263706,18 +263706,8 @@ remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. CCE-82432-6 - -# CAUTION: This remediation script will remove ypserv -# from the system, and may remove any packages -# that depend on ypserv. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "ypserv" ; then - - yum remove -y "ypserv" - -fi + +package --remove=ypserv include remove_ypserv @@ -263746,8 +263736,18 @@ class remove_ypserv { - no_reboot_needed - package_ypserv_removed - -package --remove=ypserv + +# CAUTION: This remediation script will remove ypserv +# from the system, and may remove any packages +# that depend on ypserv. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "ypserv" ; then + + yum remove -y "ypserv" + +fi 
@@ -263870,26 +263870,20 @@ unless in use. [customizations.services] disabled = ["ypbind"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'ypbind.service' -"$SYSTEMCTL_EXEC" disable 'ypbind.service' -"$SYSTEMCTL_EXEC" mask 'ypbind.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files ypbind.socket; then - "$SYSTEMCTL_EXEC" stop 'ypbind.socket' - "$SYSTEMCTL_EXEC" mask 'ypbind.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'ypbind.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ypbind.service + enabled: false + mask: true + - name: ypbind.socket + enabled: false + mask: true include disable_ypbind 
@@ -263973,20 +263967,26 @@ class disable_ypbind { - no_reboot_needed - service_ypbind_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ypbind.service - enabled: false - mask: true - - name: ypbind.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'ypbind.service' +"$SYSTEMCTL_EXEC" disable 'ypbind.service' +"$SYSTEMCTL_EXEC" mask 'ypbind.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files ypbind.socket; then + "$SYSTEMCTL_EXEC" stop 'ypbind.socket' + "$SYSTEMCTL_EXEC" mask 'ypbind.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'ypbind.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -264011,26 +264011,20 @@ unless in use. [customizations.services] disabled = ["ypserv"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'ypserv.service' -"$SYSTEMCTL_EXEC" disable 'ypserv.service' -"$SYSTEMCTL_EXEC" mask 'ypserv.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files ypserv.socket; then - "$SYSTEMCTL_EXEC" stop 'ypserv.socket' - "$SYSTEMCTL_EXEC" mask 'ypserv.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'ypserv.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ypserv.service + enabled: false + mask: true + - name: ypserv.socket + enabled: false + mask: true include disable_ypserv 
@@ -264102,20 +264096,26 @@ class disable_ypserv { - no_reboot_needed - service_ypserv_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: ypserv.service - enabled: false - mask: true - - name: ypserv.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'ypserv.service' +"$SYSTEMCTL_EXEC" disable 'ypserv.service' +"$SYSTEMCTL_EXEC" mask 'ypserv.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files ypserv.socket; then + "$SYSTEMCTL_EXEC" stop 'ypserv.socket' + "$SYSTEMCTL_EXEC" mask 'ypserv.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'ypserv.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -264245,18 +264245,8 @@ could be compromised. The rsh-server package provides sev network services. Removing it decreases the risk of those services' accidental (or intentional) activation. CCE-82184-3 - -# CAUTION: This remediation script will remove rsh-server -# from the system, and may remove any packages -# that depend on rsh-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rsh-server" ; then - - yum remove -y "rsh-server" - -fi + +package --remove=rsh-server include remove_rsh-server 
@@ -264285,8 +264275,18 @@ class remove_rsh-server { - no_reboot_needed - package_rsh-server_removed - -package --remove=rsh-server + +# CAUTION: This remediation script will remove rsh-server +# from the system, and may remove any packages +# that depend on rsh-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rsh-server" ; then + + yum remove -y "rsh-server" + +fi @@ -264326,18 +264326,8 @@ their credentials. Note that removing the rsh package rem the clients for rsh,rcp, and rlogin. CCE-82183-5 - -# CAUTION: This remediation script will remove rsh -# from the system, and may remove any packages -# that depend on rsh. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rsh" ; then - - yum remove -y "rsh" - -fi + +package --remove=rsh include remove_rsh @@ -264362,8 +264352,18 @@ class remove_rsh { - package_rsh_removed - unknown_severity - -package --remove=rsh + +# CAUTION: This remediation script will remove rsh +# from the system, and may remove any packages +# that depend on rsh. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "rsh" ; then + + yum remove -y "rsh" + +fi 
@@ -264491,26 +264491,20 @@ stolen by eavesdroppers on the network. [customizations.services] disabled = ["rexec"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rexec.service' -"$SYSTEMCTL_EXEC" disable 'rexec.service' -"$SYSTEMCTL_EXEC" mask 'rexec.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rexec.socket; then - "$SYSTEMCTL_EXEC" stop 'rexec.socket' - "$SYSTEMCTL_EXEC" mask 'rexec.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rexec.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rexec.service + enabled: false + mask: true + - name: rexec.socket + enabled: false + mask: true include disable_rexec 
@@ -264600,20 +264594,26 @@ class disable_rexec { - no_reboot_needed - service_rexec_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rexec.service - enabled: false - mask: true - - name: rexec.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rexec.service' +"$SYSTEMCTL_EXEC" disable 'rexec.service' +"$SYSTEMCTL_EXEC" mask 'rexec.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rexec.socket; then + "$SYSTEMCTL_EXEC" stop 'rexec.socket' + "$SYSTEMCTL_EXEC" mask 'rexec.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rexec.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -264763,26 +264763,20 @@ stolen by eavesdroppers on the network. [customizations.services] disabled = ["rlogin"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rlogin.service' -"$SYSTEMCTL_EXEC" disable 'rlogin.service' -"$SYSTEMCTL_EXEC" mask 'rlogin.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then - "$SYSTEMCTL_EXEC" stop 'rlogin.socket' - "$SYSTEMCTL_EXEC" mask 'rlogin.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rlogin.service + enabled: false + mask: true + - name: rlogin.socket + enabled: false + mask: true include disable_rlogin 
@@ -264872,20 +264866,26 @@ class disable_rlogin { - no_reboot_needed - service_rlogin_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rlogin.service - enabled: false - mask: true - - name: rlogin.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rlogin.service' +"$SYSTEMCTL_EXEC" disable 'rlogin.service' +"$SYSTEMCTL_EXEC" mask 'rlogin.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rlogin.socket; then + "$SYSTEMCTL_EXEC" stop 'rlogin.socket' + "$SYSTEMCTL_EXEC" mask 'rlogin.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -265036,26 +265036,20 @@ stolen by eavesdroppers on the network. [customizations.services] disabled = ["rsh"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'rsh.service' -"$SYSTEMCTL_EXEC" disable 'rsh.service' -"$SYSTEMCTL_EXEC" mask 'rsh.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files rsh.socket; then - "$SYSTEMCTL_EXEC" stop 'rsh.socket' - "$SYSTEMCTL_EXEC" mask 'rsh.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'rsh.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rsh.service + enabled: false + mask: true + - name: rsh.socket + enabled: false + mask: true include disable_rsh 
@@ -265145,20 +265139,26 @@ class disable_rsh { - no_reboot_needed - service_rsh_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: rsh.service - enabled: false - mask: true - - name: rsh.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rsh.service' +"$SYSTEMCTL_EXEC" disable 'rsh.service' +"$SYSTEMCTL_EXEC" mask 'rsh.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files rsh.socket; then + "$SYSTEMCTL_EXEC" stop 'rsh.socket' + "$SYSTEMCTL_EXEC" mask 'rsh.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rsh.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -265181,16 +265181,6 @@ Host-based authentication is not sufficient for preventing unauthorized access t as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. CCE-84055-3 - -# Identify local mounts -MOUNT_LIST=$(df --local | awk '{ print $6 }') - -# Find file on each listed mount point -for cur_mount in ${MOUNT_LIST} -do - find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \; -done - - name: Remove Host-Based Authentication Files - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: 
@@ -265359,6 +265349,16 @@ done - no_host_based_files - no_reboot_needed - restrict_strategy + + +# Identify local mounts +MOUNT_LIST=$(df --local | awk '{ print $6 }') + +# Find file on each listed mount point +for cur_mount in ${MOUNT_LIST} +do + find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \; +done @@ -265479,17 +265479,6 @@ through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. CCE-80842-8 - # Remediation is applicable only in certain platforms -if rpm --quiet -q rsh-server; then - -find /root -xdev -type f -name ".rhosts" -exec rm -f {} \; -find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \; -rm -f /etc/hosts.equiv - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto @@ -265565,6 +265554,17 @@ fi - no_reboot_needed - no_rsh_trust_files - restrict_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q rsh-server; then + +find /root -xdev -type f -name ".rhosts" -exec rm -f {} \; +find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \; +rm -f /etc/hosts.equiv + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -265590,16 +265590,6 @@ sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. CCE-84056-1 - -# Identify local mounts -MOUNT_LIST=$(df --local | awk '{ print $6 }') - -# Find file on each listed mount point -for cur_mount in ${MOUNT_LIST} -do - find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \; -done - - name: Remove User Host-Based Authentication Files - Define Excluded (Non-Local) File Systems and Paths ansible.builtin.set_fact: 
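Review bot: in the re-added shosts.equiv script at the top of this region, `MOUNT_LIST=$(df --local | awk '{ print $6 }')` keeps the header line of `df`, so the list contains the literal word `on` (from "Mounted on") and the loop runs `find on -xdev ...` against a nonexistent path; the unquoted word split also breaks mount points containing spaces. Suggest `df --local --output=target | tail -n +2` and a `while read -r` loop instead of `for`. The same applies to the `.shosts` copy of the script removed in the last hunk here. In the `.rhosts` hunk in between, `find /home -maxdepth 2 -xdev -type f -name ".rhosts"` only reaches home directories placed directly under `/home`; accounts whose home is elsewhere keep their `.rhosts`, so consider deriving the directory list from `getent passwd` rather than assuming the layout.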
@@ -265768,6 +265758,16 @@ done - no_reboot_needed - no_user_host_based_files - restrict_strategy + + +# Identify local mounts +MOUNT_LIST=$(df --local | awk '{ print $6 }') + +# Find file on each listed mount point +for cur_mount in ${MOUNT_LIST} +do + find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \; +done @@ -265796,18 +265796,8 @@ across systems through a terminal session. for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services. CCE-82180-1 - -# CAUTION: This remediation script will remove talk-server -# from the system, and may remove any packages -# that depend on talk-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "talk-server" ; then - - yum remove -y "talk-server" - -fi + +package --remove=talk-server include remove_talk-server @@ -265831,8 +265821,18 @@ class remove_talk-server { - no_reboot_needed - package_talk-server_removed - -package --remove=talk-server + +# CAUTION: This remediation script will remove talk-server +# from the system, and may remove any packages +# that depend on talk-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "talk-server" ; then + + yum remove -y "talk-server" + +fi @@ -265863,18 +265863,8 @@ $ sudo yum erase talk for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of talk client program. CCE-80848-5 - -# CAUTION: This remediation script will remove talk -# from the system, and may remove any packages -# that depend on talk. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "talk" ; then - - yum remove -y "talk" - -fi + +package --remove=talk include remove_talk 
@@ -265898,8 +265888,18 @@ class remove_talk { - no_reboot_needed - package_talk_removed - -package --remove=talk + +# CAUTION: This remediation script will remove talk +# from the system, and may remove any packages +# that depend on talk. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "talk" ; then + + yum remove -y "talk" + +fi @@ -266038,18 +266038,8 @@ privileged user password could be compromised. Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation. CCE-82182-7 - -# CAUTION: This remediation script will remove telnet-server -# from the system, and may remove any packages -# that depend on telnet-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnet-server" ; then - - yum remove -y "telnet-server" - -fi + +package --remove=telnet-server include remove_telnet-server @@ -266078,8 +266068,18 @@ class remove_telnet-server { - no_reboot_needed - package_telnet-server_removed - -package --remove=telnet-server + +# CAUTION: This remediation script will remove telnet-server +# from the system, and may remove any packages +# that depend on telnet-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnet-server" ; then + + yum remove -y "telnet-server" + +fi @@ -266113,18 +266113,8 @@ of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8. CCE-80849-3 - -# CAUTION: This remediation script will remove telnet -# from the system, and may remove any packages -# that depend on telnet. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnet" ; then - - yum remove -y "telnet" - -fi + +package --remove=telnet include remove_telnet 
@@ -266149,8 +266139,18 @@ class remove_telnet { - no_reboot_needed - package_telnet_removed - -package --remove=telnet + +# CAUTION: This remediation script will remove telnet +# from the system, and may remove any packages +# that depend on telnet. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "telnet" ; then + + yum remove -y "telnet" + +fi @@ -266299,26 +266299,20 @@ man-in-the-middle attacks. [customizations.services] disabled = ["telnet"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'telnet.service' -"$SYSTEMCTL_EXEC" disable 'telnet.service' -"$SYSTEMCTL_EXEC" mask 'telnet.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files telnet.socket; then - "$SYSTEMCTL_EXEC" stop 'telnet.socket' - "$SYSTEMCTL_EXEC" mask 'telnet.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'telnet.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: telnet.service + enabled: false + mask: true + - name: telnet.socket + enabled: false + mask: true include disable_telnet 
@@ -266408,20 +266402,26 @@ class disable_telnet { - no_reboot_needed - service_telnet_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: telnet.service - enabled: false - mask: true - - name: telnet.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'telnet.service' +"$SYSTEMCTL_EXEC" disable 'telnet.service' +"$SYSTEMCTL_EXEC" mask 'telnet.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files telnet.socket; then + "$SYSTEMCTL_EXEC" stop 'telnet.socket' + "$SYSTEMCTL_EXEC" mask 'telnet.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'telnet.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -266558,18 +266558,8 @@ configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established. CCE-82436-7 - -# CAUTION: This remediation script will remove tftp-server -# from the system, and may remove any packages -# that depend on tftp-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tftp-server" ; then - - yum remove -y "tftp-server" - -fi + +package --remove=tftp-server include remove_tftp-server 
@@ -266597,8 +266587,18 @@ class remove_tftp-server { - no_reboot_needed - package_tftp-server_removed - -package --remove=tftp-server + +# CAUTION: This remediation script will remove tftp-server +# from the system, and may remove any packages +# that depend on tftp-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "tftp-server" ; then + + yum remove -y "tftp-server" + +fi @@ -266620,18 +266620,8 @@ TFTP does not support authentication and can be easily hacked. The package for TFTP (such as a boot server). In that case, use extreme caution when configuring the services. CCE-83590-0 - -# CAUTION: This remediation script will remove tftp -# from the system, and may remove any packages -# that depend on tftp. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tftp" ; then - - yum remove -y "tftp" - -fi + +package --remove=tftp include remove_tftp @@ -266655,8 +266645,18 @@ class remove_tftp { - no_reboot_needed - package_tftp_removed - -package --remove=tftp + +# CAUTION: This remediation script will remove tftp +# from the system, and may remove any packages +# that depend on tftp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "tftp" ; then + + yum remove -y "tftp" + +fi 
@@ -266770,26 +266770,20 @@ as a TFTP server, which does not provide encryption or authentication. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'tftp.service' -"$SYSTEMCTL_EXEC" disable 'tftp.service' -"$SYSTEMCTL_EXEC" mask 'tftp.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files tftp.socket; then - "$SYSTEMCTL_EXEC" stop 'tftp.socket' - "$SYSTEMCTL_EXEC" mask 'tftp.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'tftp.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: tftp.service + enabled: false + mask: true + - name: tftp.socket + enabled: false + mask: true include disable_tftp 
@@ -266870,20 +266864,26 @@ class disable_tftp { - no_reboot_needed - service_tftp_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: tftp.service - enabled: false - mask: true - - name: tftp.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'tftp.service' +"$SYSTEMCTL_EXEC" disable 'tftp.service' +"$SYSTEMCTL_EXEC" mask 'tftp.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files tftp.socket; then + "$SYSTEMCTL_EXEC" stop 'tftp.socket' + "$SYSTEMCTL_EXEC" mask 'tftp.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'tftp.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267027,22 +267027,6 @@ given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. CCE-82434-2 - # Remediation is applicable only in certain platforms -if rpm --quiet -q tftp-server; then - -var_tftpd_secure_directory='' - - -if grep -q 'server_args' /etc/xinetd.d/tftp; then - sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp -else - echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -267128,6 +267112,22 @@ fi - medium_severity - no_reboot_needed - tftpd_uses_secure_mode + + # Remediation is applicable only in certain platforms +if rpm --quiet -q tftp-server; then + +var_tftpd_secure_directory='' + + +if grep -q 'server_args' /etc/xinetd.d/tftp; then + sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp +else + echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267226,18 +267226,8 @@ $ sudo yum erase cups If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. CCE-86299-5 - -# CAUTION: This remediation script will remove cups -# from the system, and may remove any packages -# that depend on cups. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "cups" ; then - - yum remove -y "cups" - -fi + +package --remove=cups include remove_cups @@ -267263,8 +267253,18 @@ class remove_cups { - package_cups_removed - unknown_severity - -package --remove=cups + +# CAUTION: This remediation script will remove cups +# from the system, and may remove any packages +# that depend on cups. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "cups" ; then + + yum remove -y "cups" + +fi 
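Review bot: the `sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;..."` in the re-added tftpd_uses_secure_mode script relies on `.*?` being a lazy quantifier, but `sed -E` is POSIX ERE where it is not (GNU sed reads `*?` as an optional greedy `.*`), so group 1 swallows the whole line, the `-s` group matches nothing, and an existing `-s /old/dir` is kept with ` -s $var_tftpd_secure_directory` appended after it instead of being replaced. Suggest stripping any existing option first, e.g. `sed -E 's/[[:blank:]]*-s[[:blank:]]+[[:graph:]]+//'`, then appending the new `-s` argument. Also, as rendered here the assignment reads `var_tftpd_secure_directory=''`; confirm the value is substituted at evaluation time, because with an empty string the script writes `server_args = -s ` with no directory.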
@@ -267353,26 +267353,20 @@ The cups service can be disabled with the following comma [customizations.services] disabled = ["cups"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'cups.service' -"$SYSTEMCTL_EXEC" disable 'cups.service' -"$SYSTEMCTL_EXEC" mask 'cups.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files cups.socket; then - "$SYSTEMCTL_EXEC" stop 'cups.socket' - "$SYSTEMCTL_EXEC" mask 'cups.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'cups.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: cups.service + enabled: false + mask: true + - name: cups.socket + enabled: false + mask: true include disable_cups 
@@ -267453,20 +267447,26 @@ class disable_cups { - service_cups_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: cups.service - enabled: false - mask: true - - name: cups.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'cups.service' +"$SYSTEMCTL_EXEC" disable 'cups.service' +"$SYSTEMCTL_EXEC" mask 'cups.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files cups.socket; then + "$SYSTEMCTL_EXEC" stop 'cups.socket' + "$SYSTEMCTL_EXEC" mask 'cups.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'cups.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267681,18 +267681,8 @@ and removed. If there is no need to make the proxy server software available, removing it provides a safeguard against its activation. CCE-82189-2 - -# CAUTION: This remediation script will remove squid -# from the system, and may remove any packages -# that depend on squid. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "squid" ; then - - yum remove -y "squid" - -fi + +package --remove=squid include remove_squid 
@@ -267715,8 +267705,18 @@ class remove_squid { - package_squid_removed - unknown_severity - -package --remove=squid + +# CAUTION: This remediation script will remove squid +# from the system, and may remove any packages +# that depend on squid. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "squid" ; then + + yum remove -y "squid" + +fi @@ -267738,26 +267738,20 @@ of attack, and should be removed if not needed. [customizations.services] disabled = ["squid"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'squid.service' -"$SYSTEMCTL_EXEC" disable 'squid.service' -"$SYSTEMCTL_EXEC" mask 'squid.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files squid.socket; then - "$SYSTEMCTL_EXEC" stop 'squid.socket' - "$SYSTEMCTL_EXEC" mask 'squid.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'squid.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: squid.service + enabled: false + mask: true + - name: squid.socket + enabled: false + mask: true include disable_squid 
@@ -267829,20 +267823,26 @@ class disable_squid { - service_squid_disabled - unknown_severity - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: squid.service - enabled: false - mask: true - - name: squid.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'squid.service' +"$SYSTEMCTL_EXEC" disable 'squid.service' +"$SYSTEMCTL_EXEC" mask 'squid.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files squid.socket; then + "$SYSTEMCTL_EXEC" stop 'squid.socket' + "$SYSTEMCTL_EXEC" mask 'squid.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'squid.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -267874,18 +267874,8 @@ intended for use as a RADIUS Server it should be removed. CCE-82752-7 - -# CAUTION: This remediation script will remove freeradius -# from the system, and may remove any packages -# that depend on freeradius. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "freeradius" ; then - - yum remove -y "freeradius" - -fi + +package --remove=freeradius include remove_freeradius 
@@ -267908,8 +267898,18 @@ class remove_freeradius { - no_reboot_needed - package_freeradius_removed - -package --remove=freeradius + +# CAUTION: This remediation script will remove freeradius +# from the system, and may remove any packages +# that depend on freeradius. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "freeradius" ; then + + yum remove -y "freeradius" + +fi @@ -267944,18 +267944,6 @@ feeds random data from hardware device to kernel random device. [customizations.services] enabled = ["rngd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'rngd.service' -"$SYSTEMCTL_EXEC" start 'rngd.service' -"$SYSTEMCTL_EXEC" enable 'rngd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_rngd @@ -267994,6 +267982,18 @@ class enable_rngd { - low_severity - no_reboot_needed - service_rngd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'rngd.service' +"$SYSTEMCTL_EXEC" start 'rngd.service' +"$SYSTEMCTL_EXEC" enable 'rngd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
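Review bot: the platform gate in the re-added enable_rngd script, `printf "%s\n%s" "$real" "$expected" | sort -VC` with `expected="8.3"`, succeeds only when VERSION_ID sorts at or before 8.3, so the remediation applies to RHEL 8.0 through 8.3 and is skipped on newer releases; the one-line condition is easy to read the other way round. Suggest a comment stating the intended bound ("applies only up to RHEL 8.3") next to the `expected="8.3"` assignment so the version check is not mistaken for a minimum-version gate.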
@@ -268052,18 +268052,8 @@ information may be unnecessarily transmitted across the network. If there is no need to make the router software available, removing it provides a safeguard against its activation. CCE-82187-6 - -# CAUTION: This remediation script will remove quagga -# from the system, and may remove any packages -# that depend on quagga. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "quagga" ; then - - yum remove -y "quagga" - -fi + +package --remove=quagga include remove_quagga @@ -268089,8 +268079,18 @@ class remove_quagga { - no_reboot_needed - package_quagga_removed - -package --remove=quagga + +# CAUTION: This remediation script will remove quagga +# from the system, and may remove any packages +# that depend on quagga. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "quagga" ; then + + yum remove -y "quagga" + +fi 
@@ -268144,26 +268144,20 @@ the network. [customizations.services] disabled = ["zebra"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'zebra.service' -"$SYSTEMCTL_EXEC" disable 'zebra.service' -"$SYSTEMCTL_EXEC" mask 'zebra.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files zebra.socket; then - "$SYSTEMCTL_EXEC" stop 'zebra.socket' - "$SYSTEMCTL_EXEC" mask 'zebra.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'zebra.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: zebra.service + enabled: false + mask: true + - name: zebra.socket + enabled: false + mask: true include disable_zebra 
@@ -268244,20 +268238,26 @@ class disable_zebra { - no_reboot_needed - service_zebra_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: zebra.service - enabled: false - mask: true - - name: zebra.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'zebra.service' +"$SYSTEMCTL_EXEC" disable 'zebra.service' +"$SYSTEMCTL_EXEC" mask 'zebra.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files zebra.socket; then + "$SYSTEMCTL_EXEC" stop 'zebra.socket' + "$SYSTEMCTL_EXEC" mask 'zebra.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'zebra.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -268297,15 +268297,13 @@ The samba-common package can be installed with the follow $ sudo yum install samba-common If the samba-common package is not installed, samba cannot be configured. + +package --add=samba-common + [[packages]] name = "samba-common" version = "*" - - -if ! rpm -q --quiet "samba-common" ; then - yum install -y "samba-common" -fi include install_samba-common @@ -268327,8 +268325,10 @@ class install_samba-common { - no_reboot_needed - package_samba-common_installed - -package --add=samba-common + +if ! rpm -q --quiet "samba-common" ; then + yum install -y "samba-common" +fi 
@@ -268369,20 +268369,6 @@ only communicate with servers that support packet signing.Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. - ###################################################################### -#By Luke "Brisk-OH" Brisk -#luke.brisk@boeing.com or luke.brisk@gmail.com -###################################################################### - -CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf ) - -if [ "$CLIENTSIGNING" -eq 0 ]; then - # Add to global section - sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf -else - sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/ client signing = mandatory/g' /etc/samba/smb.conf -fi - - name: Check if /etc/samba/smb.conf exists stat: path: /etc/samba/smb.conf @@ -268410,6 +268396,20 @@ fi - no_reboot_needed - require_smb_client_signing - unknown_severity + + ###################################################################### +#By Luke "Brisk-OH" Brisk +#luke.brisk@boeing.com or luke.brisk@gmail.com +###################################################################### + +CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf ) + +if [ "$CLIENTSIGNING" -eq 0 ]; then + # Add to global section + sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf +else + sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/ client signing = mandatory/g' /etc/samba/smb.conf +fi 
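Review bot: the re-added require_smb_client_signing script decides between its two branches with `CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf )`, which also counts commented-out lines, so a configuration that only carries `# client signing = ...` takes the else branch; and that branch's `sed` only rewrites `client signing = no`, leaving other values (for example `auto` or `disabled`) untouched, so the script can finish without making signing mandatory. Suggest counting only uncommented directives, e.g. `grep -Eic '^[[:blank:]]*client[[:blank:]]+signing[[:blank:]]*='`, and replacing whatever value follows the `=` rather than matching `no` alone.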
@@ -268495,18 +268495,8 @@ sharing functionality. If there is no need to make the Samba software available, removing it provides a safeguard against its activation. CCE-85978-5 - -# CAUTION: This remediation script will remove samba -# from the system, and may remove any packages -# that depend on samba. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "samba" ; then - - yum remove -y "samba" - -fi + +package --remove=samba include remove_samba @@ -268529,8 +268519,18 @@ class remove_samba { - package_samba_removed - unknown_severity - -package --remove=samba + +# CAUTION: This remediation script will remove samba +# from the system, and may remove any packages +# that depend on samba. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "samba" ; then + + yum remove -y "samba" + +fi 
@@ -268553,26 +268553,20 @@ should be disabled if not needed. [customizations.services] disabled = ["smb"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'smb.service' -"$SYSTEMCTL_EXEC" disable 'smb.service' -"$SYSTEMCTL_EXEC" mask 'smb.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files smb.socket; then - "$SYSTEMCTL_EXEC" stop 'smb.socket' - "$SYSTEMCTL_EXEC" mask 'smb.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'smb.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: smb.service + enabled: false + mask: true + - name: smb.socket + enabled: false + mask: true include disable_smb 
@@ -268644,20 +268638,26 @@ class disable_smb { - no_reboot_needed - service_smb_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: smb.service - enabled: false - mask: true - - name: smb.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'smb.service' +"$SYSTEMCTL_EXEC" disable 'smb.service' +"$SYSTEMCTL_EXEC" mask 'smb.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files smb.socket; then + "$SYSTEMCTL_EXEC" stop 'smb.socket' + "$SYSTEMCTL_EXEC" mask 'smb.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'smb.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -268694,18 +268694,8 @@ $ sudo yum erase net-snmp removing the package provides a safeguard against its activation. CCE-85980-1 - -# CAUTION: This remediation script will remove net-snmp -# from the system, and may remove any packages -# that depend on net-snmp. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "net-snmp" ; then - - yum remove -y "net-snmp" - -fi + +package --remove=net-snmp include remove_net-snmp @@ -268729,8 +268719,18 @@ class remove_net-snmp { - package_net-snmp_removed - unknown_severity - -package --remove=net-snmp + +# CAUTION: This remediation script will remove net-snmp +# from the system, and may remove any packages +# that depend on net-snmp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "net-snmp" ; then + + yum remove -y "net-snmp" + +fi 
@@ -268753,26 +268753,20 @@ should be disabled if not needed. [customizations.services] disabled = ["snmpd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'snmpd.service' -"$SYSTEMCTL_EXEC" disable 'snmpd.service' -"$SYSTEMCTL_EXEC" mask 'snmpd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files snmpd.socket; then - "$SYSTEMCTL_EXEC" stop 'snmpd.socket' - "$SYSTEMCTL_EXEC" mask 'snmpd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'snmpd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: snmpd.service + enabled: false + mask: true + - name: snmpd.socket + enabled: false + mask: true include disable_snmpd 
@@ -268844,20 +268838,26 @@ class disable_snmpd { - no_reboot_needed - service_snmpd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: snmpd.service - enabled: false - mask: true - - name: snmpd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'snmpd.service' +"$SYSTEMCTL_EXEC" disable 'snmpd.service' +"$SYSTEMCTL_EXEC" mask 'snmpd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files snmpd.socket; then + "$SYSTEMCTL_EXEC" stop 'snmpd.socket' + "$SYSTEMCTL_EXEC" mask 'snmpd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'snmpd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -268975,27 +268975,6 @@ default authenticators, then anyone can gather data about the system and the net and use the information to potentially compromise the integrity of the system and network(s). - # Remediation is applicable only in certain platforms -if rpm --quiet -q net-snmp; then - -var_snmpd_ro_string='' -var_snmpd_rw_string='' - - -# remediate read-only community string -if grep -q 'public' /etc/snmp/snmpd.conf; then - sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf -fi - -# remediate read-write community string -if grep -q 'private' /etc/snmp/snmpd.conf; then - sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -269065,6 +269044,27 @@ fi - medium_disruption - no_reboot_needed - snmpd_not_default_password + + # Remediation is applicable only in certain platforms +if rpm --quiet -q net-snmp; then + +var_snmpd_ro_string='' +var_snmpd_rw_string='' + + +# remediate read-only community string +if grep -q 'public' /etc/snmp/snmpd.conf; then + sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf +fi + +# remediate read-write community string +if grep -q 'private' /etc/snmp/snmpd.conf; then + sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269235,21 +269235,13 @@ $ sudo yum install openssh-clients This package includes utilities to make encrypted connections and transfer files securely to SSH servers. CCE-82722-0 + +package --add=openssh-clients + [[packages]] name = "openssh-clients" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "openssh-clients" ; then - yum install -y "openssh-clients" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_openssh-clients @@ -269273,8 +269265,16 @@ class install_openssh-clients { - no_reboot_needed - package_openssh-clients_installed - -package --add=openssh-clients + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "openssh-clients" ; then + yum install -y "openssh-clients" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -269346,21 +269346,13 @@ $ sudo yum install openssh-server integrity may be compromised because unprotected communications can be intercepted and either read or altered. CCE-83303-8 + +package --add=openssh-server + [[packages]] name = "openssh-server" version = "*" - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "openssh-server" ; then - yum install -y "openssh-server" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_openssh-server @@ -269386,8 +269378,16 @@ class install_openssh-server { - no_reboot_needed - package_openssh-server_installed - -package --add=openssh-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "openssh-server" ; then + yum install -y "openssh-server" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269405,24 +269405,8 @@ $ sudo yum erase openssh-server Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove openssh-server -# from the system, and may remove any packages -# that depend on openssh-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "openssh-server" ; then - - yum remove -y "openssh-server" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + +package --remove=openssh-server include remove_openssh-server 
@@ -269445,8 +269429,24 @@ class remove_openssh-server { - no_reboot_needed - package_openssh-server_removed - -package --remove=openssh-server + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove openssh-server +# from the system, and may remove any packages +# that depend on openssh-server. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "openssh-server" ; then + + yum remove -y "openssh-server" + +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269531,18 +269531,6 @@ of interception and modification. [customizations.services] enabled = ["sshd"] - - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'sshd.service' -"$SYSTEMCTL_EXEC" start 'sshd.service' -"$SYSTEMCTL_EXEC" enable 'sshd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_sshd @@ -269587,6 +269575,18 @@ class enable_sshd { - medium_severity - no_reboot_needed - service_sshd_enabled + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'sshd.service' +"$SYSTEMCTL_EXEC" start 'sshd.service' +"$SYSTEMCTL_EXEC" enable 'sshd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -269611,26 +269611,20 @@ remote access. [customizations.services] disabled = ["sshd"] - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" stop 'sshd.service' -"$SYSTEMCTL_EXEC" disable 'sshd.service' -"$SYSTEMCTL_EXEC" mask 'sshd.service' -# Disable socket activation if we have a unit file for it -if "$SYSTEMCTL_EXEC" -q list-unit-files sshd.socket; then - "$SYSTEMCTL_EXEC" stop 'sshd.socket' - "$SYSTEMCTL_EXEC" mask 'sshd.socket' -fi -# The service may not be running because it has been started and failed, -# so let's reset the state so OVAL checks pass. -# Service should be 'inactive', not 'failed' after reboot though. -"$SYSTEMCTL_EXEC" reset-failed 'sshd.service' || true - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: sshd.service + enabled: false + mask: true + - name: sshd.socket + enabled: false + mask: true include disable_sshd 
@@ -269705,20 +269699,26 @@ class disable_sshd { - no_reboot_needed - service_sshd_disabled - apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: sshd.service - enabled: false - mask: true - - name: sshd.socket - enabled: false - mask: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'sshd.service' +"$SYSTEMCTL_EXEC" disable 'sshd.service' +"$SYSTEMCTL_EXEC" mask 'sshd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" -q list-unit-files sshd.socket; then + "$SYSTEMCTL_EXEC" stop 'sshd.socket' + "$SYSTEMCTL_EXEC" mask 'sshd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'sshd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269791,15 +269791,6 @@ services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82901-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chgrp 0 /etc/ssh/sshd_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config @@ -269835,6 +269826,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /etc/ssh/sshd_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -269850,15 +269850,6 @@ group-owned by ssh_keys group. 5.2.2 If an unauthorized user obtains the private SSH host key file, the host could be impersonated. CCE-86126-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex '^.*_key$' -exec chgrp ssh_keys {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*_key$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex "^.*_key$" register: files_found @@ -269891,6 +269882,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex '^.*_key$' -exec chgrp ssh_keys {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -269907,15 +269907,6 @@ group-owned by root group. If a public host key file is modified by an unauthorized user, the SSH service may be compromised. CCE-86133-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.pub$' -exec chgrp 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex "^.*\.pub$" register: files_found @@ -269948,6 +269939,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex '^.*\.pub$' -exec chgrp 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270020,15 +270020,6 @@ services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82898-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chown 0 /etc/ssh/sshd_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config @@ -270064,6 +270055,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /etc/ssh/sshd_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -270079,15 +270079,6 @@ by root user. 5.2.2 If an unauthorized user obtains the private SSH host key file, the host could be impersonated. CCE-86118-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*_key$' -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*_key$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*_key$" register: files_found @@ -270120,6 +270111,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*_key$' -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270136,15 +270136,6 @@ by root user. If a public host key file is modified by an unauthorized user, the SSH service may be compromised. CCE-86129-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.pub$' -exec chown 0 {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.pub$" register: files_found @@ -270177,6 +270168,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.pub$' -exec chown 0 {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -270250,15 +270250,6 @@ services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. CCE-82894-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config @@ -270296,6 +270287,15 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270374,26 +270374,6 @@ If they are owned by the root user, but by a dedicated gr If an unauthorized user obtains the private SSH host key file, the host could be impersonated. CCE-82424-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -for keyfile in /etc/ssh/*_key; do - test -f "$keyfile" || continue - if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then - - chmod u-xs,g-xwrs,o-xwrt "$keyfile" - - elif test root:ssh_keys = "$(stat -c "%U:%G" "$keyfile")"; then - chmod u-xs,g-xws,o-xwrt "$keyfile" - else - echo "Key-like file '$keyfile' is owned by an unexpected user:group combination" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - include ssh_private_key_perms class ssh_private_key_perms { @@ -270502,6 +270482,26 @@ class ssh_private_key_perms { - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +for keyfile in /etc/ssh/*_key; do + test -f "$keyfile" || continue + if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then + + chmod u-xs,g-xwrs,o-xwrt "$keyfile" + + elif test root:ssh_keys = "$(stat -c "%U:%G" "$keyfile")"; then + chmod u-xs,g-xws,o-xwrt "$keyfile" + else + echo "Key-like file '$keyfile' is owned by an unexpected user:group combination" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270577,15 +270577,6 @@ class ssh_private_key_perms { If a public host key file is modified by an unauthorized user, the SSH service may be compromised. CCE-82428-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \; - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - include ssh_public_key_perms class ssh_public_key_perms { @@ -270643,6 +270634,15 @@ class ssh_public_key_perms { - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \; + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270713,45 +270713,6 @@ processed before 02-rekey-limit.conf containing definitio time-based limit, effects of potential attacks against encryption keys are limited. CCE-82880-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_ssh_client_rekey_limit_size='' -var_ssh_client_rekey_limit_time='' - - -main_config="/etc/ssh/ssh_config" -include_directory="/etc/ssh/ssh_config.d" - -if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then - sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" -fi - -for file in "$include_directory"/*.conf; do - if grep -q '^[\s]*RekeyLimit.*$' "$file"; then - sed -i '/^[\s]*RekeyLimit.*/d' "$file" - fi -done - -if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then - - LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -else - touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/ssh_config.d/02-rekey-limit.conf" - -cp "/etc/ssh/ssh_config.d/02-rekey-limit.conf" "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" -# Insert at the end of the file -printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -# Clean up after ourselves. -rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_ssh_client_rekey_limit_size # promote to variable set_fact: var_ssh_client_rekey_limit_size: !!str 
@@ -270830,6 +270791,45 @@ fi - medium_severity - no_reboot_needed - ssh_client_rekey_limit + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_ssh_client_rekey_limit_size='' +var_ssh_client_rekey_limit_time='' + + +main_config="/etc/ssh/ssh_config" +include_directory="/etc/ssh/ssh_config.d" + +if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then + sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" +fi + +for file in "$include_directory"/*.conf; do + if grep -q '^[\s]*RekeyLimit.*$' "$file"; then + sed -i '/^[\s]*RekeyLimit.*/d' "$file" + fi +done + +if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then + + LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf" +else + touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/ssh_config.d/02-rekey-limit.conf" + +cp "/etc/ssh/ssh_config.d/02-rekey-limit.conf" "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" +# Insert at the end of the file +printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf" +# Clean up after ourselves. +rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270855,19 +270855,6 @@ Randomness is needed to generate considerably more secure data-encryption keys. in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. CCE-83349-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# put line into the file -echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh - -# remove eventual override in /etc/profile -sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh lineinfile: path: /etc/profile.d/cc-ssh-strong-rng.csh @@ -270899,6 +270886,19 @@ fi - medium_severity - no_reboot_needed - ssh_client_use_strong_rng_csh + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# put line into the file +echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh + +# remove eventual override in /etc/profile +sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -270922,19 +270922,6 @@ Randomness is needed to generate considerably more secure data-encryption keys. in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. CCE-83346-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# put line into the file -echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh - -# remove eventual override in /etc/profile -sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh lineinfile: path: /etc/profile.d/cc-ssh-strong-rng.sh @@ -270966,6 +270953,19 @@ fi - medium_severity - no_reboot_needed - ssh_client_use_strong_rng_sh + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# put line into the file +echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh + +# remove eventual override in /etc/profile +sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -271166,29 +271166,6 @@ value of 0 in is reached. CCE-83405-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Set SSH Client Alive Count Max to zero block: @@ -271236,6 +271213,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_keepalive_0 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -271372,32 +271372,6 @@ a keep alive message. is reached. CCE-80907-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_set_keepalive='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_set_keepalive # promote to variable set_fact: var_sshd_set_keepalive: !!str @@ -271453,6 +271427,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_keepalive + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_set_keepalive='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -271594,32 +271594,6 @@ enabled on the console or console port that has been let unattended. CCE-80906-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.5"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then - -sshd_idle_timeout_value='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value sshd_idle_timeout_value # promote to variable set_fact: sshd_idle_timeout_value: !!str 
@@ -271680,6 +271654,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_idle_timeout + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.5"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then + +sshd_idle_timeout_value='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
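Review bot: the applicability test in the moved CCE-80906-1 script needs a comment stating its intent. printf "%s\n%s" "$real" "$expected" | sort -VC succeeds only when VERSION_ID sorts at or before 8.5, so the ClientAliveInterval remediation is silently skipped on RHEL 8.6 and later and the only feedback is the stderr line 'Remediation is not applicable, nothing was done'. If the intent is "8.5 and newer" the two printf operands are in the wrong order; if it really is "8.5 and older" the rule description should say so, because an operator reading the guide will expect the idle timeout to be enforced on current 8.x minors. The inline check also leaves real and expected as global shell variables; a small function or a subshell for the version comparison avoids that and makes the gate readable.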
@@ -271834,28 +271834,20 @@ following line in SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. CCE-80786-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%
23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authenticati
on%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandb
ox + mode: 0600 + path: /etc/ssh/sshd_config + overwrite: true - name: Disable Host-Based Authentication block: 
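Review bot: the MachineConfig that moves up in this hunk replaces /etc/ssh/sshd_config wholesale (overwrite: true, mode 0600) with a percent-encoded snapshot of a complete sshd_config, so it does not "add or correct the following line" as the rule text says; it resets every sshd option on the node to whatever is baked into that blob. Decoding the blob shows it carries settings this section never asks for (X11Forwarding yes, the AcceptEnv locale list) and ends with UsePrivilegeSeparation sandbox, an option OpenSSH has treated as deprecated since 7.5 and for which sshd logs a deprecation warning. Since the hunk only moves the block this is pre-existing, but the encoded content should be generated from the rule's own template rather than a captured config file, the blob is effectively unreviewable in this form, and the rule description should state plainly that the Kubernetes remediation overwrites the file rather than editing it.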
@@ -271905,20 +271897,28 @@ fi - no_reboot_needed - restrict_strategy - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%
20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20thi
s%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%2
0of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandbox - mode: 0600 - path: /etc/ssh/sshd_config - overwrite: true + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
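Review bot: every delete-and-prepend script in this section, including the re-added one for CCE-80786-7 here, runs sed -i on /etc/ssh/sshd_config without --follow-symlinks, while the Protocol script further down passes --follow-symlinks explicitly. GNU sed -i writes a temporary file and renames it over the target, so if sshd_config is a symlink (for example into a configuration-management tree) the first run replaces the link with a regular file and later config pushes no longer reach the file sshd reads. Either pass --follow-symlinks in all of these scripts or refuse to run when [ -L /etc/ssh/sshd_config ]. The cp, printf, cat, rm sequence that follows is fine in that respect, since '>' truncates through the link and keeps the inode, mode and SELinux context, which is one more reason to make the sed step behave the same way.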
@@ -271963,55 +271963,6 @@ properly configured. will allow remote access through the SSH port. CCE-80820-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if ! rpm -q --quiet "firewalld" ; then - yum install -y "firewalld" -fi -if ! rpm -q --quiet "NetworkManager" ; then - yum install -y "NetworkManager" -fi -firewalld_sshd_zone='' - - -if systemctl is-active NetworkManager && systemctl is-active firewalld; then - # First make sure the SSH service is enabled in run-time for the proper zone. - # This is to avoid connection issues when new interfaces are addeded to this zone. - firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh - - # This will collect all NetworkManager connections names - readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') - # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. - # This will not change connections which are already assigned to any firewalld zone. - for connection in "${nm_connections[@]}"; do - current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') - if [ $current_zone = "--" ]; then - nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone - fi - done - systemctl restart NetworkManager - - # Active zones are zones with at least one interface assigned to it. - # It is possible that traffic is comming by any active interface and consequently any - # active zone. So, this make sure all active zones are permanently allowing SSH service. - readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) - for zone in "${firewalld_active_zones[@]}"; do - firewall-cmd --permanent --zone="$zone" --add-service=ssh - done - firewall-cmd --reload -else - echo " - firewalld and NetworkManager services are not active. Remediation aborted! 
- This remediation could not be applied because it depends on firewalld and NetworkManager services running. - The service is not started by this remediation in order to prevent connection issues." - exit 1 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value firewalld_sshd_zone # promote to variable set_fact: firewalld_sshd_zone: !!str 
@@ -272171,6 +272122,55 @@ fi - low_disruption - medium_severity - no_reboot_needed + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "firewalld" ; then + yum install -y "firewalld" +fi +if ! rpm -q --quiet "NetworkManager" ; then + yum install -y "NetworkManager" +fi +firewalld_sshd_zone='' + + +if systemctl is-active NetworkManager && systemctl is-active firewalld; then + # First make sure the SSH service is enabled in run-time for the proper zone. + # This is to avoid connection issues when new interfaces are addeded to this zone. + firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh + + # This will collect all NetworkManager connections names + readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. + # This will not change connections which are already assigned to any firewalld zone. + for connection in "${nm_connections[@]}"; do + current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') + if [ $current_zone = "--" ]; then + nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone + fi + done + systemctl restart NetworkManager + + # Active zones are zones with at least one interface assigned to it. + # It is possible that traffic is comming by any active interface and consequently any + # active zone. So, this make sure all active zones are permanently allowing SSH service. + readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) + for zone in "${firewalld_active_zones[@]}"; do + firewall-cmd --permanent --zone="$zone" --add-service=ssh + done + firewall-cmd --reload +else + echo " + firewalld and NetworkManager services are not active. Remediation aborted! 
+ This remediation could not be applied because it depends on firewalld and NetworkManager services running. + The service is not started by this remediation in order to prevent connection issues." + exit 1 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272294,35 +272294,6 @@ supported is version 2, and line Protocol 2 in has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. CCE-80894-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "2" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^Protocol\\>" "/etc/ssh/sshd_config"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^Protocol\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" -else - if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" - fi - cce="CCE-80894-9" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" - printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Allow Only SSH Protocol 2 block: 
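Review bot: in the re-added CCE-80820-4 script the list of zones to make permanent is built from firewall-cmd --get-active-zones | grep -v interfaces, but that command also prints an indented 'sources:' line for zones that are active through source bindings, so on such a host the array contains entries like '  sources: 192.0.2.0/24' and firewall-cmd --permanent --zone="$zone" --add-service=ssh fails for them, after which firewall-cmd --reload still runs and the failures are not reflected in the exit status. Filtering with grep -v -e interfaces -e sources, or better, keeping only the unindented zone-name lines, fixes that. Two smaller points in the same hunk: [ $current_zone = "--" ] and 'connection.zone $firewalld_sshd_zone' are unquoted, so an empty value turns the test into a syntax error and an empty firewalld_sshd_zone (the XCCDF placeholder) is passed to nmcli as no argument at all, and the two yum install -y calls run before the "services are not active" check, so a host on which the remediation then aborts has still had packages installed. The comment typos 'addeded' and 'comming' also travel with the block unchanged.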
@@ -272371,6 +272342,35 @@ fi - no_reboot_needed - restrict_strategy - sshd_allow_only_protocol2 + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "2" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^Protocol\\>" "/etc/ssh/sshd_config"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^Protocol\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" +else + if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" + fi + cce="CCE-80894-9" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" + printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
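Review bot: the moved CCE-80894-9 script writes 'Protocol 2' into sshd_config, but the OpenSSH server removed protocol 1 in 7.4, so on the OpenSSH 8.0 that RHEL 8 ships the keyword is only accepted for compatibility and sshd ignores it; the rationale in the context lines ("has many well-known vulnerability exploits") describes protocol 1, which cannot be enabled on this platform. The rule is harmless, but it is also the only one in this section that takes a different editing path: it keeps an existing line in place with sed -i --follow-symlinks "s/^Protocol\>.*/$escaped_formatted_output/gi", appends a '# Per CCE-80894-9' marker comment and only adds a trailing newline when the file lacks one, whereas the other rules delete and prepend. Using one template for all sshd keyword rules would make the generated bash predictable, and if this rule stays its description should say it is a no-op on OpenSSH 7.4 and later.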
@@ -272423,33 +272423,6 @@ a user has successfully authenticated, add or correct the following line in the vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. CCE-80895-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_disable_compression='' - - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_disable_compression # promote to variable set_fact: var_sshd_disable_compression: !!str 
@@ -272500,6 +272473,33 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_compression + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_disable_compression='' + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272658,29 +272658,6 @@ should prevent users from being able to assign themselves empty passwords. CCE-80896-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Access via Empty Passwords block: 
@@ -272730,6 +272707,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_empty_passwords + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272800,29 +272800,6 @@ To explicitly disable GSSAPI authentication, add or correct the following line i applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. CCE-80897-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable GSSAPI Authentication block: 
@@ -272868,6 +272845,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_gssapi_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -272950,29 +272950,6 @@ is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. CCE-80898-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable Kerberos Authentication block: 
@@ -273018,6 +272995,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_kerb_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -273041,29 +273041,6 @@ correct the following line in applications. Allowing PubkeyAuthentication authentication through SSH allows users to generate their own authentication tokens, increasing the attack surface of the system. CCE-82345-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PubkeyAuthentication no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable PubkeyAuthentication Authentication block: 
@@ -273103,6 +273080,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_pubkey_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PubkeyAuthentication no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -273223,29 +273223,6 @@ To explicitly disable support for .rhosts files, add or correct the following li SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. CCE-80899-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Support for .rhosts Files block: 
@@ -273292,6 +273269,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_rhosts + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273348,35 +273348,6 @@ necessary. assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. CCE-80900-4 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "no" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^RhostsRSAAuthentication\\>" "/etc/ssh/sshd_config"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^RhostsRSAAuthentication\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" -else - if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" - fi - cce="CCE-80900-4" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" - printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Support for Rhosts RSA Authentication block: 
@@ -273421,6 +273392,35 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_rhosts_rsa + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Strip any search characters in the key arg so that the key can be replaced without +# adding any search characters to the config file. +stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication") + +# shellcheck disable=SC2059 +printf -v formatted_output "%s %s" "$stripped_key" "no" + +# If the key exists, change it. Otherwise, add it to the config_file. +# We search for the key string followed by a word boundary (matched by \>), +# so if we search for 'setting', 'setting2' won't match. +if LC_ALL=C grep -q -m 1 -i -e "^RhostsRSAAuthentication\\>" "/etc/ssh/sshd_config"; then + escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") + LC_ALL=C sed -i --follow-symlinks "s/^RhostsRSAAuthentication\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config" +else + if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then + LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config" + fi + cce="CCE-80900-4" + printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config" + printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273593,29 +273593,6 @@ accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. CCE-80901-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Root Login block: @@ -273668,6 +273645,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_root_login + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273695,29 +273695,6 @@ see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar. Even though the communications channel may be encrypted, an additional layer of security is gained by preventing use of a password. This also helps to minimize direct attack attempts on root's password. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitRootLogin prohibit-password" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH root Login with a Password (Insecure) block: @@ -273756,6 +273733,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_root_password_login + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitRootLogin prohibit-password" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273778,29 +273778,6 @@ To disable TCP forwarding, add or correct the following line in 5.2.13 Leaving port forwarding enabled can expose the organization to security risks and back-doors. CCE-83301-2 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "AllowTcpForwarding no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH TCP Forwarding block: @@ -273841,6 +273818,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_tcp_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "AllowTcpForwarding no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -273898,29 +273898,6 @@ To ensure this behavior is disabled, add or correct the following line in assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. CCE-80902-0 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable SSH Support for User Known Hosts block: @@ -273966,6 +273943,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_user_known_hosts + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274004,29 +274004,6 @@ users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. CCE-83360-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Disable X11 Forwarding block: @@ -274069,6 +274046,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_disable_x11_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274130,29 +274130,6 @@ To explicitly disable Environment options, add or correct the following SSH environment options potentially allow users to bypass access restriction in some configurations. CCE-80903-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Do Not Allow SSH Environment Options block: @@ -274201,6 +274178,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_do_not_permit_user_env + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274228,29 +274228,6 @@ Kerberos implementations may be subject to exploitation. For enterprises, Kerberos is often enabled and used with GSSAPI for centralized user account management which may necessitate enabling of GSSAPI functionality in SSH. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "GSSAPIAuthentication yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable GSSAPI Authentication block: @@ -274289,6 +274266,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_gssapi_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "GSSAPIAuthentication yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274320,29 +274320,6 @@ important if you want to restrict access to services based off of IP, time or ot the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server. CCE-86721-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable PAM block: @@ -274383,6 +274360,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_pam + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274420,29 +274420,6 @@ A privileged account is defined as an information system account with authorizations of a privileged user. The DoD CAC with DoD-approved PKI is an example of multifactor authentication. - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PubkeyAuthentication yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable Public Key Authentication block: @@ -274481,6 +274458,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_pubkey_auth + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PubkeyAuthentication yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274571,29 +274571,6 @@ To explicitly enable StrictModes in SSH, add or correct t If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. CCE-80904-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable Use of Strict Mode Checking block: @@ -274638,6 +274615,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_strictmodes + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274718,29 +274718,6 @@ facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. CCE-80905-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable SSH Warning Banner block: @@ -274788,6 +274765,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274861,29 +274861,6 @@ facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. CCE-87978-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable SSH Warning Banner block: @@ -274929,6 +274906,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner_net + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -274996,29 +274996,6 @@ To enable X11 Forwarding, add or correct the following line in Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands remotely. CCE-82421-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "X11Forwarding yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable Encrypted X11 Forwarding block: @@ -275062,6 +275039,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_enable_x11_forwarding + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "X11Forwarding yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275242,29 +275242,6 @@ To explicitly enable LastLog in SSH, add or correct the following line in Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. CCE-82281-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Enable SSH Print Last Log block: @@ -275307,6 +275284,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_print_last_log + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275338,35 +275338,6 @@ To decrease the default limits, add or correct the following line in time-based limit, effects of potential attacks against encryption keys are limited. CCE-82177-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_rekey_limit_size='' -var_rekey_limit_time='' - - - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_rekey_limit_size # promote to variable set_fact: var_rekey_limit_size: !!str 
@@ -275419,37 +275390,18 @@ fi - no_reboot_needed - sshd_rekey_limit - - - - - - - - - - - - Ensure SSH LoginGraceTime is configured - The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to -the SSH server. The longer the Grace period is the more open unauthenticated connections -can exist. Like other session controls in this session the Grace Period should be limited to -appropriate limits to ensure the service is available for needed access. - 2.2.6 - 5.2.19 - Setting the LoginGraceTime parameter to a low number will minimize the risk of successful -brute force attacks to the SSH server. It will also limit the number of concurrent -unauthenticated connections. - CCE-86551-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -var_sshd_set_login_grace_time='' +var_rekey_limit_size='' +var_rekey_limit_time='' + + if [ -e "/etc/ssh/sshd_config" ] ; then - LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config" + LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config" else touch "/etc/ssh/sshd_config" fi @@ -275458,7 +275410,7 @@ sed -i -e '$a\' "/etc/ssh/sshd_config" cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" # Insert at the beginning of the file -printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config" +printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config" cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" # Clean up after ourselves. rm "/etc/ssh/sshd_config.bak" 
@@ -275467,6 +275419,28 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + + Ensure SSH LoginGraceTime is configured + The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to +the SSH server. The longer the Grace period is the more open unauthenticated connections +can exist. Like other session controls in this session the Grace Period should be limited to +appropriate limits to ensure the service is available for needed access. + 2.2.6 + 5.2.19 + Setting the LoginGraceTime parameter to a low number will minimize the risk of successful +brute force attacks to the SSH server. It will also limit the number of concurrent +unauthenticated connections. + CCE-86551-9 - name: XCCDF Value var_sshd_set_login_grace_time # promote to variable set_fact: var_sshd_set_login_grace_time: !!str @@ -275513,6 +275487,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_login_grace_time + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_set_login_grace_time='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275546,29 +275546,6 @@ basic level that only records login activity of SSH users. In many situations, s Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. CCE-82282-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Set LogLevel to INFO block: @@ -275610,6 +275587,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_loglevel_info + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275646,29 +275646,6 @@ situations, such as Incident Response, it is important to determine when a parti on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. CCE-82420-1 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "LogLevel VERBOSE" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Set SSH Daemon LogLevel to VERBOSE block: @@ -275713,6 +275690,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_loglevel_verbose + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "LogLevel VERBOSE" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275747,32 +275747,6 @@ to set MaxAUthTries edit /etc/ssh/sshd_config as follows: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. CCE-83500-9 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -sshd_max_auth_tries_value='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value sshd_max_auth_tries_value # promote to variable set_fact: sshd_max_auth_tries_value: !!str 
@@ -275820,35 +275794,15 @@ fi - restrict_strategy - sshd_set_max_auth_tries - - - - - - - - - - - Set SSH MaxSessions limit - The MaxSessions parameter specifies the maximum number of open sessions permitted -from a given connection. To set MaxSessions edit -/etc/ssh/sshd_config as follows: MaxSessions - 2.2.6 - 5.2.18 - To protect a system from denial of service due to a large number of concurrent -sessions, use the rate limiting function of MaxSessions to protect availability -of sshd logins and prevent overwhelming the daemon. - CCE-83357-4 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then -var_sshd_max_sessions='' +sshd_max_auth_tries_value='' if [ -e "/etc/ssh/sshd_config" ] ; then - LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config" + LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config" else touch "/etc/ssh/sshd_config" fi @@ -275857,7 +275811,7 @@ sed -i -e '$a\' "/etc/ssh/sshd_config" cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" # Insert at the beginning of the file -printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config" +printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config" cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" # Clean up after ourselves. rm "/etc/ssh/sshd_config.bak" 
@@ -275866,6 +275820,26 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + + Set SSH MaxSessions limit + The MaxSessions parameter specifies the maximum number of open sessions permitted +from a given connection. To set MaxSessions edit +/etc/ssh/sshd_config as follows: MaxSessions + 2.2.6 + 5.2.18 + To protect a system from denial of service due to a large number of concurrent +sessions, use the rate limiting function of MaxSessions to protect availability +of sshd logins and prevent overwhelming the daemon. + CCE-83357-4 - name: XCCDF Value var_sshd_max_sessions # promote to variable set_fact: var_sshd_max_sessions: !!str @@ -275912,6 +275886,32 @@ fi - medium_severity - no_reboot_needed - sshd_set_max_sessions + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_max_sessions='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -275939,32 +275939,6 @@ dictated by site policy. authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon. CCE-90718-8 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_set_maxstartups='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_set_maxstartups # promote to variable set_fact: var_sshd_set_maxstartups: !!str @@ -276011,6 +275985,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_set_maxstartups + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_set_maxstartups='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276487,32 +276487,6 @@ SSH, add or correct the following line in the /etc/ssh/sshd_config CCE-80908-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -var_sshd_priv_separation='' - - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: XCCDF Value var_sshd_priv_separation # promote to variable set_fact: var_sshd_priv_separation: !!str @@ -276562,6 +276536,32 @@ fi - no_reboot_needed - restrict_strategy - sshd_use_priv_separation + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +var_sshd_priv_separation='' + + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276591,37 +276591,6 @@ plaintext padding and initialization vectors in encryption algorithms, and high- entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. CCE-82462-3 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/sysconfig/sshd" ] ; then - - LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd" -else - touch "/etc/sysconfig/sshd" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/sysconfig/sshd" - -cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak" -# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'. -line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')" -if [ -z "$line_number" ]; then - # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at - # the end of the file. - printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" -else - head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd" - printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" - tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd" -fi -# Clean up after ourselves. -rm "/etc/sysconfig/sshd.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in '/etc/sysconfig/sshd' block: 
@@ -276663,6 +276632,37 @@ fi - no_reboot_needed - restrict_strategy - sshd_use_strong_rng + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/sysconfig/sshd" ] ; then + + LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd" +else + touch "/etc/sysconfig/sshd" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/sysconfig/sshd" + +cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak" +# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'. +line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at + # the end of the file. + printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" +else + head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd" + printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd" + tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd" +fi +# Clean up after ourselves. +rm "/etc/sysconfig/sshd.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276698,29 +276698,6 @@ loopback address and sets the hostname part of the DISPLAY CCE-84058-7 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -if [ -e "/etc/ssh/sshd_config" ] ; then - - LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config" -else - touch "/etc/ssh/sshd_config" -fi -# make sure file has newline at the end -sed -i -e '$a\' "/etc/ssh/sshd_config" - -cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" -# Insert at the beginning of the file -printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config" -cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" -# Clean up after ourselves. -rm "/etc/ssh/sshd_config.bak" - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Prevent remote hosts from connecting to the proxy display block: @@ -276762,6 +276739,29 @@ fi - no_reboot_needed - restrict_strategy - sshd_x11_use_localhost + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + + LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/ssh/sshd_config" + +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert at the beginning of the file +printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config" +cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -276840,21 +276840,13 @@ $ sudo yum install sssd-ipa sssd-ipa provides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server. CCE-82994-5 + +package --add=sssd-ipa + [[packages]] name = "sssd-ipa" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common; then - -if ! rpm -q --quiet "sssd-ipa" ; then - yum install -y "sssd-ipa" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_sssd-ipa @@ -276890,8 +276882,16 @@ class install_sssd-ipa { - no_reboot_needed - package_sssd-ipa_installed - -package --add=sssd-ipa + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +if ! rpm -q --quiet "sssd-ipa" ; then + yum install -y "sssd-ipa" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -276957,21 +276957,13 @@ $ sudo yum install sssd PR.AC-7 CCE-82444-1 + +package --add=sssd + [[packages]] name = "sssd" version = "*" - - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common; then - -if ! rpm -q --quiet "sssd" ; then - yum install -y "sssd" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include install_sssd @@ -277009,8 +277001,16 @@ class install_sssd { - no_reboot_needed - package_sssd_installed - -package --add=sssd + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +if ! rpm -q --quiet "sssd" ; then + yum install -y "sssd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -277081,18 +277081,6 @@ The sssd service can be enabled with the following comman [customizations.services] enabled = ["sssd"] - - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'sssd.service' -"$SYSTEMCTL_EXEC" start 'sssd.service' -"$SYSTEMCTL_EXEC" enable 'sssd.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi include enable_sssd @@ -277145,6 +277133,18 @@ class enable_sssd { - medium_severity - no_reboot_needed - service_sssd_enabled + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'sssd.service' +"$SYSTEMCTL_EXEC" start 'sssd.service' +"$SYSTEMCTL_EXEC" enable 'sssd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -277169,52 +277169,6 @@ multifactor solutions are checked via Online Certificate Status Protocol (OCSP). Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system. CCE-86120-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common; then - -var_sssd_certificate_verification_digest_function='' - - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf" - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then - sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then - sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -277291,6 +277245,52 @@ fi - medium_severity - no_reboot_needed - sssd_certificate_verification + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +var_sssd_certificate_verification_digest_function='' + + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf" + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then + sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then + sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -277518,89 +277518,6 @@ as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. CCE-80909-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then - sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth = True/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[pam\]" "$f"; then - sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth = True" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[pam]\npam_cert_auth = True" >> "$file" -fi - -umask $OLD_UMASK - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - authselect enable-feature with-smartcard - - authselect apply-changes -b -else - if ! 
grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth" - else - echo 'auth '"sufficient"' pam_sss.so' >> "/etc/pam.d/smartcard-auth" - fi - fi - # Check the option - if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then - sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth" - fi - if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth" - else - echo 'auth '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' pam_sss.so' >> "/etc/pam.d/system-auth" - fi - fi - # Check the option - if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then - sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth" - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -277953,6 +277870,89 @@ fi - medium_severity - no_reboot_needed - sssd_enable_smartcards + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then + sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth = True/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[pam\]" "$f"; then + sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth = True" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[pam]\npam_cert_auth = True" >> "$file" +fi + +umask $OLD_UMASK + + +if [ -f /usr/bin/authselect ]; then + if ! authselect check; then + echo " + authselect integrity check failed. Remediation aborted! + This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. + It is not recommended to manually edit the PAM files when authselect tool is available. + In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." + exit 1 + fi + authselect enable-feature with-smartcard + + authselect apply-changes -b +else + if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then + # Line matching group + control + module was not found. Check group + module. 
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth" + else + echo 'auth '"sufficient"' pam_sss.so' >> "/etc/pam.d/smartcard-auth" + fi + fi + # Check the option + if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then + sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth" + fi + if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then + # Line matching group + control + module was not found. Check group + module. + if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then + # The control is updated only if one single line matches. + sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth" + else + echo 'auth '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' pam_sss.so' >> "/etc/pam.d/system-auth" + fi + fi + # Check the option + if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then + sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -278061,50 +278061,6 @@ memcache_timeout = CCE-80910-3 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_sssd_memcache_timeout='' - - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then - sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[nss\]" "$f"; then - sed -i "/[[:space:]]*\[nss\]/a memcache_timeout = $var_sssd_memcache_timeout" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278196,6 +278152,50 @@ fi - no_reboot_needed - sssd_memcache_timeout - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_sssd_memcache_timeout='' + + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[nss\]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" "$f"; then + sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[nss\]" "$f"; then + sed -i "/[[:space:]]*\[nss\]/a memcache_timeout = $var_sssd_memcache_timeout" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
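Review bot: `var_sssd_memcache_timeout=''` is empty as published here and nothing below checks it, so both the `sed ... memcache_timeout = $var_sssd_memcache_timeout` substitution and the `echo -e "[nss]\nmemcache_timeout = ..."` fallback would write `memcache_timeout = ` with no value. If the value is expected to be substituted from the XCCDF variable before execution, add a guard such as `[ -n "$var_sssd_memcache_timeout" ] || { >&2 echo 'memcache_timeout value not set'; exit 1; }` so an unsubstituted copy fails loudly instead of blanking the key.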
@@ -278280,47 +278280,6 @@ offline_credentials_expiration = 1 authentication information may be questionable. CCE-82460-7 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then - sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration = 1/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[pam\]" "$f"; then - sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration = 1" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278411,6 +278370,47 @@ fi - medium_severity - no_reboot_needed - sssd_offline_cred_expiration + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then + sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration = 1/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[pam\]" "$f"; then + sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration = 1" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
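Review bot: the section-detection regexes are not anchored: `grep -qs "[[:space:]]*\[pam\]"` also matches a commented-out header such as `# [pam]`, in which case `sed "/[[:space:]]*\[pam\]/a offline_credentials_expiration = 1"` appends the key after the comment line, outside any live section, and `found=true` suppresses the fallback that would have created a real section. Anchor both patterns with `^` (`^[[:space:]]*\[pam\]`). Also note that sed's `a` command appends after every matching line, so a file with the header repeated gets the key repeated.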
@@ -278543,50 +278543,6 @@ ssh_known_hosts_timeout = CCE-82442-5 - # Remediation is applicable only in certain platforms -if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then - -var_sssd_ssh_known_hosts_timeout='' - - -# sssd configuration files must be created with 600 permissions if they don't exist -# otherwise the sssd module fails to start -OLD_UMASK=$(umask) -umask u=rw,go= - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/sssd/sssd.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then - sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$f" - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[ssh\]" "$f"; then - sed -i "/[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" "$f" - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$file" -fi - -umask $OLD_UMASK - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278678,6 +278634,50 @@ fi - no_reboot_needed - sssd_ssh_known_hosts_timeout - unknown_strategy + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +var_sssd_ssh_known_hosts_timeout='' + + +# sssd configuration files must be created with 600 permissions if they don't exist +# otherwise the sssd module fails to start +OLD_UMASK=$(umask) +umask u=rw,go= + +found=false + +# set value in all files if they contain section or key +for f in $(echo -n "/etc/sssd/sssd.conf"); do + if [ ! -e "$f" ]; then + continue + fi + + # find key in section and change value + if grep -qzosP "[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then + sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$f" + found=true + + # find section and add key = value to it + elif grep -qs "[[:space:]]*\[ssh\]" "$f"; then + sed -i "/[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" "$f" + found=true + fi +done + +# if section not in any file, append section with key = value to FIRST file in files parameter +if ! $found ; then + file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ') + mkdir -p "$(dirname "$file")" + echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$file" +fi + +umask $OLD_UMASK + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
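Review bot: the check and the edit have different scopes. `grep -qzosP "[[:space:]]*\[ssh\]...ssh_known_hosts_timeout"` confirms the key inside the `[ssh]` section, but the following `sed -i "s/ssh_known_hosts_timeout[^(\n)]*/..."` is file-wide and rewrites every line containing the key, commented examples included (`# ssh_known_hosts_timeout = 180` becomes `# ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout`). Restrict the substitution to the section (a `/^\[ssh\]/,/^\[/` address range) or at least anchor it with `^[[:space:]]*ssh_known_hosts_timeout`. The empty `var_sssd_ssh_known_hosts_timeout=''` has the same missing-value problem as the memcache_timeout script above.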
@@ -278749,40 +278749,6 @@ to verify the hash information while maintaining the confidentiality of the key used to generate the hash. CCE-82456-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then - -var_sssd_ldap_tls_ca_dir='' - - -SSSD_CONF="/etc/sssd/sssd.conf" -LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir' -AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' -DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" - -# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. -# Try to find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to '$var_sssd_ldap_tls_ca_dir' -# if ldap_tls_cacertdir isn't here, add it -# if [domain/..] doesn't exist, add it here for default domain -if grep -qvzosP $AD_REGEX $SSSD_CONF; then - if grep -qzosP $LDAP_REGEX $SSSD_CONF; then - - sed -i "s#ldap_tls_cacertdir[^(\n)]*#ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir#" $SSSD_CONF - elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then - sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF - else - if test -f "$SSSD_CONF"; then - echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF - else - echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 - fi - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -278901,49 +278867,30 @@ fi - sssd_ldap_configure_tls_ca_dir - unknown_strategy - - - - - - - - - - Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server - Configure SSSD to demand a valid certificate from the server to -protect the integrity of LDAP remote access sessions by setting -the ldap_tls_reqcert option in /etc/sssd/sssd.conf -to demand. - CCI-001453 - SC-12(3) - CM-6(a) - SRG-OS-000250-GPOS-00093 - Without a valid certificate presented to the LDAP client backend, the identity of a -server can be forged compromising LDAP remote access sessions. - - CCE-84062-9 - # Remediation is applicable only in certain platforms + # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then +var_sssd_ldap_tls_ca_dir='' + + SSSD_CONF="/etc/sssd/sssd.conf" -LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert' +LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir' AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" # Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. -# Try to find [domain/..] and ldap_tls_reqcert in sssd.conf, if it exists, set to 'demand' -# if ldap_tls_reqcert isn't here, add it +# Try to find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to '$var_sssd_ldap_tls_ca_dir' +# if ldap_tls_cacertdir isn't here, add it # if [domain/..] 
doesn't exist, add it here for default domain if grep -qvzosP $AD_REGEX $SSSD_CONF; then if grep -qzosP $LDAP_REGEX $SSSD_CONF; then - sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" $SSSD_CONF + sed -i "s#ldap_tls_cacertdir[^(\n)]*#ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir#" $SSSD_CONF elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then - sed -i "/$DOMAIN_REGEX/a ldap_tls_reqcert = demand" $SSSD_CONF + sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF else if test -f "$SSSD_CONF"; then - echo -e "[domain/default]\nldap_tls_reqcert = demand" >> $SSSD_CONF + echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF else echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 fi @@ -278954,6 +278901,28 @@ else >&2 echo 'Remediation is not applicable, nothing was done' fi + + + + + + + + + + Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server + Configure SSSD to demand a valid certificate from the server to +protect the integrity of LDAP remote access sessions by setting +the ldap_tls_reqcert option in /etc/sssd/sssd.conf +to demand. + CCI-001453 + SC-12(3) + CM-6(a) + SRG-OS-000250-GPOS-00093 + Without a valid certificate presented to the LDAP client backend, the identity of a +server can be forged compromising LDAP remote access sessions. + + CCE-84062-9 - name: Gather the package facts package_facts: manager: auto 
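Review bot: the Active Directory exclusion is all-or-nothing. With `-z` the whole of sssd.conf is one record, so `grep -qvzosP $AD_REGEX $SSSD_CONF` fails as soon as any `[domain/...]` section has `id_provider = ad`, and a host with one AD domain and one LDAP domain gets no `ldap_tls_cacertdir` at all; conversely the `sed "/$DOMAIN_REGEX/a ..."` branch appends the key to every domain section, AD ones included. Iterating over domain sections would fix both. The regex variables (`$AD_REGEX`, `$LDAP_REGEX`, `$DOMAIN_REGEX`) are also passed unquoted although they contain `*` and bracket expressions, so they are subject to pathname expansion; quote them. `-o` combined with `-q` has no effect and can go.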
@@ -279066,6 +279035,37 @@ fi - no_reboot_needed - sssd_ldap_configure_tls_reqcert - unknown_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then + +SSSD_CONF="/etc/sssd/sssd.conf" +LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert' +AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' +DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" + +# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. +# Try to find [domain/..] and ldap_tls_reqcert in sssd.conf, if it exists, set to 'demand' +# if ldap_tls_reqcert isn't here, add it +# if [domain/..] doesn't exist, add it here for default domain +if grep -qvzosP $AD_REGEX $SSSD_CONF; then + if grep -qzosP $LDAP_REGEX $SSSD_CONF; then + + sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" $SSSD_CONF + elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then + sed -i "/$DOMAIN_REGEX/a ldap_tls_reqcert = demand" $SSSD_CONF + else + if test -f "$SSSD_CONF"; then + echo -e "[domain/default]\nldap_tls_reqcert = demand" >> $SSSD_CONF + else + echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 + fi + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
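Review bot: the comment `# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable` is copied from the start_tls script, but this block sets `ldap_tls_reqcert = demand`; update it to state why certificate verification is skipped for AD domains, or drop the exclusion if it does not apply here. The `[domain/default]` fallback writes a domain section containing only `ldap_tls_reqcert = demand` with no `id_provider`, and the `Config file ... doesnt exist` branch (typo aside) reports on stderr but still returns success, so a missing config is silently treated as remediated.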
@@ -279183,37 +279183,6 @@ whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. CCE-82437-5 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then - -SSSD_CONF="/etc/sssd/sssd.conf" -LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls' -AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' -DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" - -# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. -# Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'true' -# if ldap_id_use_start_tls isn't here, add it -# if [domain/..] doesn't exist, add it here for default domain -if grep -qvzosP $AD_REGEX $SSSD_CONF; then - if grep -qzosP $LDAP_REGEX $SSSD_CONF; then - - sed -i "s#ldap_id_use_start_tls[^(\n)]*#ldap_id_use_start_tls = true#" $SSSD_CONF - elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then - sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = true" $SSSD_CONF - else - if test -f "$SSSD_CONF"; then - echo -e "[domain/default]\nldap_id_use_start_tls = true" >> $SSSD_CONF - else - echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 - fi - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -279331,6 +279300,37 @@ fi - no_reboot_needed - sssd_ldap_start_tls - unknown_strategy + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then + +SSSD_CONF="/etc/sssd/sssd.conf" +LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls' +AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' +DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]" + +# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep. +# Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'true' +# if ldap_id_use_start_tls isn't here, add it +# if [domain/..] doesn't exist, add it here for default domain +if grep -qvzosP $AD_REGEX $SSSD_CONF; then + if grep -qzosP $LDAP_REGEX $SSSD_CONF; then + + sed -i "s#ldap_id_use_start_tls[^(\n)]*#ldap_id_use_start_tls = true#" $SSSD_CONF + elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then + sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = true" $SSSD_CONF + else + if test -f "$SSSD_CONF"; then + echo -e "[domain/default]\nldap_id_use_start_tls = true" >> $SSSD_CONF + else + echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2 + fi + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
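Review bot: `DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"` is unanchored, so the `grep -qs $DOMAIN_REGEX` check and the `sed "/$DOMAIN_REGEX/a ldap_id_use_start_tls = true"` append also match a commented-out domain header, the same defect as in the `[pam]`/`[nss]` scripts above; anchor with `^`. Separately, the `test -f` fallback creates `[domain/default]` with StartTLS enabled but no `ldap_uri` or `id_provider`, a partial section that does nothing until the rest of the domain is configured; reporting the condition on stderr and leaving the file alone would be the safer remediation outcome.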
@@ -279362,21 +279362,23 @@ $ sudo yum install usbguard against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes. CCE-82959-8 + +package --add=usbguard + [[packages]] name = "usbguard" version = "*" - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -if ! rpm -q --quiet "usbguard" ; then - yum install -y "usbguard" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + extensions: + - usbguard include install_usbguard @@ -279404,18 +279406,16 @@ class install_usbguard { - no_reboot_needed - package_usbguard_installed - -package --add=usbguard - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -spec: - config: - ignition: - version: 3.1.0 - extensions: - - usbguard + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +if ! rpm -q --quiet "usbguard" ; then + yum install -y "usbguard" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
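Review bot: the platform guard differs between fix types: the bash remediation skips containers and s390x (`! grep -q s390x /proc/sys/kernel/osrelease`), whereas the kickstart `package --add=usbguard`, the blueprint `[[packages]]` entry and the MachineConfig `extensions: - usbguard` carry no equivalent. If usbguard is genuinely unavailable on s390x the other fix types will fail there, so either gate them the same way or document the discrepancy. Apart from that, the two hunks only reorder the four fragments.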
@@ -279446,17 +279446,20 @@ enforce the USB device authorization policy for all USB devices. - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" unmask 'usbguard.service' -"$SYSTEMCTL_EXEC" start 'usbguard.service' -"$SYSTEMCTL_EXEC" enable 'usbguard.service' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: usbguard.service + enabled: true include enable_usbguard @@ -279496,20 +279499,17 @@ class enable_usbguard { - no_reboot_needed - service_usbguard_enabled - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - annotations: - complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed -spec: - config: - ignition: - version: 3.1.0 - systemd: - units: - - name: usbguard.service - enabled: true + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'usbguard.service' +"$SYSTEMCTL_EXEC" start 'usbguard.service' +"$SYSTEMCTL_EXEC" enable 'usbguard.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
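Review bot: the bash remediation has no package check: its guard only excludes containers and s390x, so on a host without usbguard `"$SYSTEMCTL_EXEC" start 'usbguard.service'` and `enable` fail with a unit-not-found error, while the MachineConfig variant declares `complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed`. Add `rpm --quiet -q usbguard` to the condition, as the daemon.conf remediation below does with `&& { rpm --quiet -q usbguard; }`.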
@@ -279539,6 +279539,25 @@ needs to be set to LinuxAudit. of events. CCE-82168-6 + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed + complianceascode.io/ocp-version: '>=4.7.0' +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3Dblock%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%
23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are
%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20state%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20manager%20backend%0A%23%0A%23%20Which%20device%20manager%20b
ackend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20umockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20interpreted%20by%20the%20daemon%0A%23%20as%20access%20contr
ol%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20and%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%0A%23%0A%23%20Hides%20personally%20identifiable%20informati
on%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }} + mode: 0600 + path: /etc/usbguard/usbguard-daemon.conf + overwrite: true + # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ) && { rpm --quiet -q usbguard; }; then 
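Review bot: `overwrite: true` with the full data URL replaces the whole of `/etc/usbguard/usbguard-daemon.conf`, not just the `AuditBackend=LinuxAudit` setting the rule requires, so any site-local `RuleFile`, `IPCAllowedUsers`/`IPCAllowedGroups` or `AuditFilePath` values are lost; the bash remediation below edits the existing file in place and keeps a `.bak`, which is the behaviour a reader would expect from both. Note also that the shipped content sets `IPCAllowedGroups=wheel`, letting every wheel member edit the rule set and (de)authorize devices, the exposure the embedded warning text itself describes; either leave that at the package default or document the choice in the rule description.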
@@ -279560,25 +279579,6 @@ rm "/etc/usbguard/usbguard-daemon.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi - - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - annotations: - complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed - complianceascode.io/ocp-version: '>=4.7.0' -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3D
block%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dap
ply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20state%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20m
anager%20backend%0A%23%0A%23%20Which%20device%20manager%20backend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20umockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20
interpreted%20by%20the%20daemon%0A%23%20as%20access%20control%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20and%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%
0A%23%0A%23%20Hides%20personally%20identifiable%20information%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }} - mode: 0600 - path: /etc/usbguard/usbguard-daemon.conf - overwrite: true @@ -279600,18 +279600,6 @@ to /etc/usbguard/rules.conf. Without allowing Human Interface Devices, it might not be possible to interact with the system. CCE-82274-2 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -# path of file with Usbguard rules -rulesfile="/etc/usbguard/rules.conf" - -echo "allow with-interface match-all { 03:*:* }" >> $rulesfile - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Allow HID devices lineinfile: path: /etc/usbguard/rules.conf @@ -279628,6 +279616,18 @@ fi - medium_severity - no_reboot_needed - usbguard_allow_hid + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +# path of file with Usbguard rules +rulesfile="/etc/usbguard/rules.conf" + +echo "allow with-interface match-all { 03:*:* }" >> $rulesfile + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -279652,14 +279652,23 @@ to /etc/usbguard/rules.conf. to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system. CCE-82368-2 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }} + mode: 0600 + path: /etc/usbguard/rules.d/75-hid-and-hub.conf + overwrite: true - name: Allow HID devices and hubs lineinfile: @@ -279680,23 +279689,14 @@ fi - no_reboot_needed - usbguard_allow_hid_and_hub - --- -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - annotations: - complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }} - mode: 0600 - path: /etc/usbguard/rules.d/75-hid-and-hub.conf - overwrite: true + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -279717,15 +279717,6 @@ to /etc/usbguard/rules.conf. Without allowing hubs, it might not be possible to use any USB devices on the system. CCE-82273-4 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -echo "allow with-interface match-all { 09:00:* }" >> /etc/usbguard/rules.conf - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Allow hubs lineinfile: path: /etc/usbguard/rules.conf @@ -279742,6 +279733,15 @@ fi - medium_severity - no_reboot_needed - usbguard_allow_hub + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +echo "allow with-interface match-all { 09:00:* }" >> /etc/usbguard/rules.conf + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi 
@@ -279767,36 +279767,6 @@ devices. The usbguard must be configured to allow connected USB devices to work properly, avoiding the system to become inaccessible. CCE-83774-0 - # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then - -if rpm --quiet -q usbguard -then - USBGUARD_CONF=/etc/usbguard/rules.conf - if [ ! -f "$USBGUARD_CONF" ] || [ ! -s "$USBGUARD_CONF" ]; then - usbguard generate-policy > $USBGUARD_CONF - if [ ! -s "$USBGUARD_CONF" ]; then - # make sure OVAL check doesn't fail on systems where - # generate-policy doesn't find any USB devices (for - # example a system might not have a USB bus) - echo "# No USB devices found" > $USBGUARD_CONF - fi - # make sure it has correct permissions - chmod 600 $USBGUARD_CONF - - SYSTEMCTL_EXEC='/usr/bin/systemctl' - "$SYSTEMCTL_EXEC" unmask 'usbguard.service' - "$SYSTEMCTL_EXEC" restart 'usbguard.service' - "$SYSTEMCTL_EXEC" enable 'usbguard.service' - fi -else - echo "USBGuard is not installed. No remediation was applied!" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Gather the package facts package_facts: manager: auto 
@@ -279864,6 +279834,36 @@ fi - medium_severity - no_reboot_needed - usbguard_generate_policy + + # Remediation is applicable only in certain platforms +if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then + +if rpm --quiet -q usbguard +then + USBGUARD_CONF=/etc/usbguard/rules.conf + if [ ! -f "$USBGUARD_CONF" ] || [ ! -s "$USBGUARD_CONF" ]; then + usbguard generate-policy > $USBGUARD_CONF + if [ ! -s "$USBGUARD_CONF" ]; then + # make sure OVAL check doesn't fail on systems where + # generate-policy doesn't find any USB devices (for + # example a system might not have a USB bus) + echo "# No USB devices found" > $USBGUARD_CONF + fi + # make sure it has correct permissions + chmod 600 $USBGUARD_CONF + + SYSTEMCTL_EXEC='/usr/bin/systemctl' + "$SYSTEMCTL_EXEC" unmask 'usbguard.service' + "$SYSTEMCTL_EXEC" restart 'usbguard.service' + "$SYSTEMCTL_EXEC" enable 'usbguard.service' + fi +else + echo "USBGuard is not installed. No remediation was applied!" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -279935,18 +279935,8 @@ continuing installation. Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. CCE-82757-6 - -# CAUTION: This remediation script will remove xorg-x11-server-common -# from the system, and may remove any packages -# that depend on xorg-x11-server-common. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "xorg-x11-server-common" ; then - - yum remove -y "xorg-x11-server-common" - -fi + +package --remove=xorg-x11-server-common include remove_xorg-x11-server-common 
@@ -279972,8 +279962,18 @@ class remove_xorg-x11-server-common { - no_reboot_needed - package_xorg-x11-server-common_removed - -package --remove=xorg-x11-server-common + +# CAUTION: This remediation script will remove xorg-x11-server-common +# from the system, and may remove any packages +# that depend on xorg-x11-server-common. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "xorg-x11-server-common" ; then + + yum remove -y "xorg-x11-server-common" + +fi @@ -280011,6 +280011,28 @@ X11 graphic libraries are dependency of OpenStack Cinderlib storage provider. CCE-83411-9 + +package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland + + - name: Ensure xorg packages are removed + package: + name: + - xorg-x11-server-Xorg + - xorg-x11-server-common + - xorg-x11-server-utils + - xorg-x11-server-Xwayland + state: absent + tags: + - CCE-83411-9 + - DISA-STIG-RHEL-08-040320 + - NIST-800-53-CM-6(b) + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + - xwindows_remove_packages + # remove packages @@ -280035,28 +280057,6 @@ if rpm -q --quiet "xorg-x11-server-Xwayland" ; then yum remove -y "xorg-x11-server-Xwayland" fi - - - name: Ensure xorg packages are removed - package: - name: - - xorg-x11-server-Xorg - - xorg-x11-server-common - - xorg-x11-server-utils - - xorg-x11-server-Xwayland - state: absent - tags: - - CCE-83411-9 - - DISA-STIG-RHEL-08-040320 - - NIST-800-53-CM-6(b) - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - - xwindows_remove_packages - - -package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland 
@@ -280117,15 +280117,6 @@ long history of security vulnerabilities and should not be used unless approved and documented. CCE-83380-6 - # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -systemctl set-default multi-user.target - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - - name: Switch to multi-user runlevel file: src: /usr/lib/systemd/system/multi-user.target @@ -280145,6 +280136,15 @@ fi - reboot_required - restrict_strategy - xwindows_runlevel_target + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +systemctl set-default multi-user.target + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi @@ -280276,13 +280276,13 @@ which the system will be deployed as closely as possible. - + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-20T00:06:14 + 2023-11-21T00:06:13 
@@ -345556,2329 +345556,2341 @@ which the system will be deployed as closely as possible. - + build_shorthand.py from SCAP Security Guide ssg: 0.1.71 2.0 - 2023-11-20T00:06:34 + 2023-11-21T00:06:34 - - Uninstall httpd Package + + Ensure network interfaces are assigned to appropriate zone - ocil:ssg-package_httpd_removed_action:testaction:1 + ocil:ssg-set_firewalld_appropriate_zone_action:testaction:1 - - Disable the authlogin_radius SELinux Boolean + + Verify that audit tools are owned by root - ocil:ssg-sebool_authlogin_radius_action:testaction:1 + ocil:ssg-file_ownership_audit_binaries_action:testaction:1 - - Verify that Shared Library Directories Have Root Group Ownership + + Stack Protector buffer overlow detection - ocil:ssg-dir_group_ownership_library_dirs_action:testaction:1 + ocil:ssg-kernel_config_stackprotector_action:testaction:1 - - Record Attempts to Alter Time Through stime + + Disable the xguest_mount_media SELinux Boolean - ocil:ssg-audit_rules_time_stime_action:testaction:1 + ocil:ssg-sebool_xguest_mount_media_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_update + + Install libselinux Package - ocil:ssg-audit_rules_privileged_commands_unix_update_action:testaction:1 + ocil:ssg-package_libselinux_installed_action:testaction:1 - - Verify Group Ownership of System Login Banner + + Verify User Who Owns gshadow File - ocil:ssg-file_groupowner_etc_issue_action:testaction:1 + ocil:ssg-file_owner_etc_gshadow_action:testaction:1 - - Disable the httpd_run_ipa SELinux Boolean + + Ensure SSH LoginGraceTime is configured - ocil:ssg-sebool_httpd_run_ipa_action:testaction:1 + ocil:ssg-sshd_set_login_grace_time_action:testaction:1 - - Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE + + Disable the cobbler_use_cifs SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 + 
ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1 - - Only Authorized Local User Accounts Exist on Operating System + + Verify Only Root Has UID 0 - ocil:ssg-accounts_authorized_local_users_action:testaction:1 + ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 - - Verify Owner on SSH Server config file + + Configure Polyinstantiation of /var/tmp Directories - ocil:ssg-file_owner_sshd_config_action:testaction:1 + ocil:ssg-accounts_polyinstantiated_var_tmp_action:testaction:1 - - Enable the staff_exec_content SELinux Boolean + + Prevent user from disabling the screen lock - ocil:ssg-sebool_staff_exec_content_action:testaction:1 + ocil:ssg-no_tmux_in_shells_action:testaction:1 - - Enable checks on notifier call chains + + All GIDs referenced in /etc/passwd must be defined in /etc/group - ocil:ssg-kernel_config_debug_notifiers_action:testaction:1 + ocil:ssg-gid_passwd_group_same_action:testaction:1 - - Disable Full User Name on Splash Shield + + Add nosuid Option to /srv - ocil:ssg-dconf_gnome_screensaver_user_info_action:testaction:1 + ocil:ssg-mount_option_srv_nosuid_action:testaction:1 - - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension + + Disable the racoon_read_shadow SELinux Boolean - ocil:ssg-httpd_nipr_accredited_dmz_action:testaction:1 + ocil:ssg-sebool_racoon_read_shadow_action:testaction:1 - - Disable kexec system call + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp - ocil:ssg-kernel_config_kexec_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 - - Strong Stack Protector + + Disable the virt_use_xserver SELinux Boolean - ocil:ssg-kernel_config_stackprotector_strong_action:testaction:1 + ocil:ssg-sebool_virt_use_xserver_action:testaction:1 - - Disable the mozilla_plugin_use_bluejeans SELinux Boolean + + Remove Write Permissions From Filesystem Paths And Server Scripts - 
ocil:ssg-sebool_mozilla_plugin_use_bluejeans_action:testaction:1 + ocil:ssg-httpd_configure_script_permissions_action:testaction:1 - - Configure auditing of unsuccessful file modifications + + Uninstall tuned Package - ocil:ssg-audit_modify_failed_action:testaction:1 + ocil:ssg-package_tuned_removed_action:testaction:1 - - Add noexec Option to /var/log/audit + + Ignore HTTPD .htaccess Files - ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1 + ocil:ssg-httpd_ignore_htaccess_files_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - poweroff + + Disable Cockpit Management Server - ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1 + ocil:ssg-service_cockpit_disabled_action:testaction:1 - - Enable seccomp to safely compute untrusted bytecode + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-kernel_config_seccomp_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Enable the SSSD Service + + Disable the exim_manage_user_files SELinux Boolean - ocil:ssg-service_sssd_enabled_action:testaction:1 + ocil:ssg-sebool_exim_manage_user_files_action:testaction:1 - - Disable the neutron_can_network SELinux Boolean + + Install the opensc Package For Multifactor Authentication - ocil:ssg-sebool_neutron_can_network_action:testaction:1 + ocil:ssg-package_opensc_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Ensure zIPL bootmap is up to date - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 - - Record Successful Access Attempts to Files - truncate + + Enable Kernel Parameter to Enforce DAC on Hardlinks - ocil:ssg-audit_rules_successful_file_modification_truncate_action:testaction:1 + ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 - - Ensure /boot Located On Separate Partition + + 
Ensure All Groups on the System Have Unique Group ID - ocil:ssg-partition_for_boot_action:testaction:1 + ocil:ssg-group_unique_id_action:testaction:1 - - Mount Remote Filesystems with noexec + + Ensure All-Squashing Disabled On All Exports - ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1 + ocil:ssg-no_all_squash_exports_action:testaction:1 - - Install the Samba Common Package + + Ensure Web Content Located on Separate partition - ocil:ssg-package_samba-common_installed_action:testaction:1 + ocil:ssg-partition_for_web_content_action:testaction:1 - - Disable the secure_mode SELinux Boolean + + Account Lockouts Must Persist - ocil:ssg-sebool_secure_mode_action:testaction:1 + ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Configure dnf-automatic to Install Only Security Updates + + Add nosuid Option to /var/tmp - ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1 + ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1 - - Disable the spamassassin_can_network SELinux Boolean + + Modify the System Login Banner for Remote Connections - ocil:ssg-sebool_spamassassin_can_network_action:testaction:1 + ocil:ssg-banner_etc_issue_net_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Configure the polyinstantiation_enabled SELinux Boolean - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 - - Disable the cobbler_use_cifs SELinux Boolean + + Verify Owner on SSH Server config file - ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1 + ocil:ssg-file_owner_sshd_config_action:testaction:1 - - Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean + + Disable the 
virt_sandbox_use_mknod SELinux Boolean - ocil:ssg-sebool_polipo_session_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_mknod_action:testaction:1 - - Disable GDM Automatic Login + + Record Attempts to Alter the localtime File - ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1 + ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 - - Disable the mozilla_plugin_use_spice SELinux Boolean + + Disable the zoneminder_run_sudo SELinux Boolean - ocil:ssg-sebool_mozilla_plugin_use_spice_action:testaction:1 + ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1 - - Assign Expiration Date to Emergency Accounts + + Ensure /opt Located On Separate Partition - ocil:ssg-account_emergency_expire_date_action:testaction:1 + ocil:ssg-partition_for_opt_action:testaction:1 - - Verify Permissions on Backup passwd File + + Enable the GNOME3 Login Smartcard Authentication - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 - - Configure Logind to terminate idle sessions after certain time of inactivity + + Enable the antivirus_can_scan_system SELinux Boolean - ocil:ssg-logind_session_timeout_action:testaction:1 + ocil:ssg-sebool_antivirus_can_scan_system_action:testaction:1 - - Disable vsyscall mapping + + Ensure auditd Collects Information on the Use of Privileged Commands - crontab - ocil:ssg-kernel_config_legacy_vsyscall_none_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User + + Enforce pam_faillock for Local Accounts Only - ocil:ssg-audit_rules_file_deletion_events_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_enforce_local_action:testaction:1 - - Ensure gpgcheck Enabled for Local Packages + + Verify the UEFI Boot Loader grub.cfg Group Ownership - ocil:ssg-ensure_gpgcheck_local_packages_action:testaction:1 + 
ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1 - - Disable kernel debugfs + + Disable the abrt_handle_event SELinux Boolean - ocil:ssg-kernel_config_debug_fs_action:testaction:1 + ocil:ssg-sebool_abrt_handle_event_action:testaction:1 - - Disable the cluster_can_network_connect SELinux Boolean + + Disable the squid_connect_any SELinux Boolean - ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 + ocil:ssg-sebool_squid_connect_any_action:testaction:1 - - Disable SSH Support for Rhosts RSA Authentication + + Record Unsuccessful Access Attempts to Files - creat - ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 - - Enable Certmap in SSSD + + Ensure nss-tools is installed - ocil:ssg-sssd_enable_certmap_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Verify iptables Enabled + + Disable the ftpd_connect_all_unreserved SELinux Boolean - ocil:ssg-service_iptables_enabled_action:testaction:1 + ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1 - - Ensure All SGID Executables Are Authorized + + Install usbguard Package - ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1 + ocil:ssg-package_usbguard_installed_action:testaction:1 - - Remove the X Windows Package Group + + All Interactive Users Must Have A Home Directory Defined - ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 + ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1 - - Enable Transport Layer Security (TLS) Encryption + + Authorize USB hubs in USBGuard daemon - ocil:ssg-httpd_configure_tls_action:testaction:1 + ocil:ssg-usbguard_allow_hub_action:testaction:1 - - Disable Printer Browsing Entirely if Possible + + Disable the exim_can_connect_db SELinux Boolean - ocil:ssg-cups_disable_browsing_action:testaction:1 + ocil:ssg-sebool_exim_can_connect_db_action:testaction:1 - - Configure SSH to use System 
Crypto Policy + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - SSH client uses strong entropy to seed (Bash-like shells) + + Record Any Attempts to Run seunshare - ocil:ssg-ssh_client_use_strong_rng_sh_action:testaction:1 + ocil:ssg-audit_rules_execution_seunshare_action:testaction:1 - - Install subscription-manager Package + + Configure auditd mail_acct Action on Low Disk Space - ocil:ssg-package_subscription-manager_installed_action:testaction:1 + ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 - - Configure the confidence in TPM for entropy + + Set Existing Passwords Minimum Age - ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1 + ocil:ssg-accounts_password_set_min_life_existing_action:testaction:1 - - Configure Speculative Store Bypass Mitigation + + Enable GNOME3 Screensaver Lock After Idle Period - ocil:ssg-grub2_spec_store_bypass_disable_argument_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 - - Disable the selinuxuser_execstack SELinux Boolean + + The web server password(s) must be entrusted to the SA or Web Manager - ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1 + ocil:ssg-httpd_entrust_passwords_action:testaction:1 - - Disable the dhcpc_exec_iptables SELinux Boolean + + Ensure auditd Collects System Administrator Actions - ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 + ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 - - Install usbguard Package + + Ensure all zIPL boot entries are BLS compliant - ocil:ssg-package_usbguard_installed_action:testaction:1 + ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Enable poison without sanity check - 
ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 + ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1 - - Disable the xserver_execmem SELinux Boolean + + Configure CA certificate for rsyslog remote logging - ocil:ssg-sebool_xserver_execmem_action:testaction:1 + ocil:ssg-rsyslog_remote_tls_cacert_action:testaction:1 - - Uninstall abrt-cli Package + + Disable the pppd_can_insmod SELinux Boolean - ocil:ssg-package_abrt-cli_removed_action:testaction:1 + ocil:ssg-sebool_pppd_can_insmod_action:testaction:1 - - Verify that system commands files are group owned by root or a system account + + Record Successful Access Attempts to Files - openat - ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1 - - Add nodev Option to Removable Media Partitions + + Configure Periodic Execution of AIDE - ocil:ssg-mount_option_nodev_removable_partitions_action:testaction:1 + ocil:ssg-aide_periodic_cron_checking_action:testaction:1 - - Disable the CUPS Service + + Uninstall talk Package - ocil:ssg-service_cups_disabled_action:testaction:1 + ocil:ssg-package_talk_removed_action:testaction:1 - - Disable Kernel iwlwifi Module + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Disable the virt_sandbox_use_netlink SELinux Boolean + + Enable FIPS Mode - ocil:ssg-sebool_virt_sandbox_use_netlink_action:testaction:1 + ocil:ssg-enable_fips_mode_action:testaction:1 - - Restrict Serial Port Root Logins + + Remove the X Windows Package Group - ocil:ssg-restrict_serial_port_logins_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Set SSH MaxSessions limit + + Install subscription-manager Package - ocil:ssg-sshd_set_max_sessions_action:testaction:1 + 
ocil:ssg-package_subscription-manager_installed_action:testaction:1 - - Record Successful Ownership Changes to Files - chown + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow - ocil:ssg-audit_rules_successful_file_modification_chown_action:testaction:1 + ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1 - - Verify ownership of System Login Banner for Remote Connections + + Configure OpenSSL library to use System Crypto Policy - ocil:ssg-file_owner_etc_issue_net_action:testaction:1 + ocil:ssg-configure_openssl_crypto_policy_action:testaction:1 - - Configure audispd's Plugin network_failure_action On Network Failure + + Implement Blank Screensaver - ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1 - - Enforce Usage of pam_wheel with Group Parameter for su Authentication + + Disable the mozilla_plugin_can_network_connect SELinux Boolean - ocil:ssg-use_pam_wheel_group_for_su_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_can_network_connect_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fchmodat + + Disable the polipo_session_users SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 + ocil:ssg-sebool_polipo_session_users_action:testaction:1 - - Disable Client Dynamic DNS Updates + + Uninstall telnet-server Package - ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 + ocil:ssg-package_telnet-server_removed_action:testaction:1 - - Disable the use_lpd_server SELinux Boolean + + Log USBGuard daemon audit events using Linux Audit - ocil:ssg-sebool_use_lpd_server_action:testaction:1 + ocil:ssg-configure_usbguard_auditbackend_action:testaction:1 - - Unmap kernel when running in userspace (aka KAISER) + + OpenSSL uses strong entropy source - ocil:ssg-kernel_config_unmap_kernel_at_el0_action:testaction:1 + 
ocil:ssg-openssl_use_strong_entropy_action:testaction:1 - - Use Only FIPS 140-2 Validated MACs + + Ensure SELinux is Not Disabled - ocil:ssg-sshd_use_approved_macs_action:testaction:1 + ocil:ssg-selinux_not_disabled_action:testaction:1 - - Ensure there are no legacy + NIS entries in /etc/passwd + + Direct root Logins Not Allowed - ocil:ssg-no_legacy_plus_entries_etc_passwd_action:testaction:1 + ocil:ssg-no_direct_root_logins_action:testaction:1 - - Disable the daemons_use_tcp_wrapper SELinux Boolean + + Verify permissions on System Login Banner - ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1 + ocil:ssg-file_permissions_etc_issue_action:testaction:1 - - Install the psacct package + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-package_psacct_installed_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable Quota Netlink (quota_nld) - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-service_quota_nld_disabled_action:testaction:1 - - Add noexec Option to /dev/shm + + Disable legacy (BSD) PTY support - ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1 + ocil:ssg-kernel_config_legacy_ptys_action:testaction:1 - - All Interactive Users Home Directories Must Exist + + Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config - ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1 + ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_action:testaction:1 - - Verify Permissions on cron.daily + + Disable the telepathy_connect_all_ports SELinux Boolean - ocil:ssg-file_permissions_cron_daily_action:testaction:1 + ocil:ssg-sebool_telepathy_connect_all_ports_action:testaction:1 - - Verify permissions on System Login Banner for Remote Connections + + Disable the Automounter - ocil:ssg-file_permissions_etc_issue_net_action:testaction:1 + 
ocil:ssg-service_autofs_disabled_action:testaction:1 - - Authorize Human Interface Devices and USB hubs in USBGuard daemon + + Verify Permissions on crontab - ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 + ocil:ssg-file_permissions_crontab_action:testaction:1 - - Install Virus Scanning Software + + Disable PubkeyAuthentication Authentication - ocil:ssg-install_antivirus_action:testaction:1 + ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure debug-shell service is not enabled during boot - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-grub2_systemd_debug-shell_argument_absent_action:testaction:1 - - Configure basic parameters of Audit system + + Configure auditd Disk Full Action when Disk Space Is Full - ocil:ssg-audit_basic_configuration_action:testaction:1 + ocil:ssg-auditd_data_disk_full_action_action:testaction:1 - - Configure SSSD LDAP Backend to Use TLS For All Transactions + + Ensure All SGID Executables Are Authorized - ocil:ssg-sssd_ldap_start_tls_action:testaction:1 + ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1 - - Ensure /var/log/audit Located On Separate Partition + + Disable the cron_system_cronjob_use_shares SELinux Boolean - ocil:ssg-partition_for_var_log_audit_action:testaction:1 + ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 - - Verify ip6tables Enabled if Using IPv6 + + Enable the dbadm_exec_content SELinux Boolean - ocil:ssg-service_ip6tables_enabled_action:testaction:1 + ocil:ssg-sebool_dbadm_exec_content_action:testaction:1 - - Disable storing core dumps + + Configure audispd's Plugin disk_full_action When Disk Is Full - ocil:ssg-sysctl_kernel_core_pattern_action:testaction:1 + ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1 - - Disable the prosody_bind_http_port SELinux Boolean + + Enable log_config_module For HTTPD Logging - ocil:ssg-sebool_prosody_bind_http_port_action:testaction:1 + 
ocil:ssg-httpd_enable_log_config_action:testaction:1 - - Support session locking with tmux (not enforcing) + + Disable the cups_execmem SELinux Boolean - ocil:ssg-configure_bashrc_tmux_action:testaction:1 + ocil:ssg-sebool_cups_execmem_action:testaction:1 - - Verify File Hashes with RPM + + Disable the webadm_read_user_files SELinux Boolean - ocil:ssg-rpm_verify_hashes_action:testaction:1 + ocil:ssg-sebool_webadm_read_user_files_action:testaction:1 - - Enable SLUB/SLAB allocator poisoning in zIPL + + Uninstall avahi Server Package - ocil:ssg-zipl_slub_debug_argument_action:testaction:1 + ocil:ssg-package_avahi_removed_action:testaction:1 - - Enable SSH Print Last Log + + Disable the httpd_can_network_connect_cobbler SELinux Boolean - ocil:ssg-sshd_print_last_log_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_connect_cobbler_action:testaction:1 - - A private web server must be located on a separate controlled access subnet + + Verify All Account Password Hashes are Shadowed with SHA512 - ocil:ssg-httpd_private_server_on_separate_subnet_action:testaction:1 + ocil:ssg-accounts_password_all_shadowed_sha512_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Disable the httpd_use_sasl SELinux Boolean - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sebool_httpd_use_sasl_action:testaction:1 - - Disable the postgresql_can_rsync SELinux Boolean + + Disable KDump Kernel Crash Analyzer (kdump) - ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1 + ocil:ssg-service_kdump_disabled_action:testaction:1 - - Verify Group Ownership of Message of the Day Banner + + Disable debug-shell SystemD Service - ocil:ssg-file_groupowner_etc_motd_action:testaction:1 + ocil:ssg-service_debug-shell_disabled_action:testaction:1 - - Verify User Who Owns Backup group File + + Virus Scanning Software Definitions Are Updated - ocil:ssg-file_owner_backup_etc_group_action:testaction:1 + 
ocil:ssg-mcafee_antivirus_definitions_updated_action:testaction:1 - - Disable the polipo_use_nfs SELinux Boolean + + Audit Tools Must Be Owned by Root - ocil:ssg-sebool_polipo_use_nfs_action:testaction:1 + ocil:ssg-file_audit_tools_ownership_action:testaction:1 - - Trigger a kernel BUG when data corruption is detected + + Prevent Unrestricted Mail Relaying - ocil:ssg-kernel_config_bug_on_data_corruption_action:testaction:1 + ocil:ssg-postfix_prevent_unrestricted_relay_action:testaction:1 - - Enable the selinuxuser_execmod SELinux Boolean + + Enable use of Berkeley Packet Filter with seccomp - ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1 + ocil:ssg-kernel_config_seccomp_filter_action:testaction:1 - - Configure Periodic Execution of AIDE + + Verify Group Who Owns Backup gshadow File - ocil:ssg-aide_periodic_cron_checking_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 - - Disable the glance_use_fusefs SELinux Boolean + + Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean - ocil:ssg-sebool_glance_use_fusefs_action:testaction:1 + ocil:ssg-sebool_postgresql_selinux_unconfined_dbadm_action:testaction:1 - - Web Content Directories Must Not Be Shared Anonymously + + Disable vsyscall mapping - ocil:ssg-httpd_anonymous_content_sharing_action:testaction:1 + ocil:ssg-kernel_config_legacy_vsyscall_none_action:testaction:1 - - Verify that Shared Library Files Have Root Ownership + + Disable the gluster_export_all_ro SELinux Boolean - ocil:ssg-file_ownership_library_dirs_action:testaction:1 + ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1 - - Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean + + Disable the container_connect_any SELinux Boolean - ocil:ssg-sebool_telepathy_tcp_connect_generic_network_ports_action:testaction:1 + ocil:ssg-sebool_container_connect_any_action:testaction:1 - - Ensure a Table Exists for Nftables + + Install McAfee Virus Scanning Software - 
ocil:ssg-set_nftables_table_action:testaction:1 + ocil:ssg-install_mcafee_antivirus_action:testaction:1 - - Verify Permissions on SSH Server Private *_key Key Files + + Disable the privoxy_connect_any SELinux Boolean - ocil:ssg-file_permissions_sshd_private_key_action:testaction:1 + ocil:ssg-sebool_privoxy_connect_any_action:testaction:1 - - Disable the git_system_use_cifs SELinux Boolean + + Install the ntp service - ocil:ssg-sebool_git_system_use_cifs_action:testaction:1 + ocil:ssg-package_ntp_installed_action:testaction:1 - - Set existing passwords a period of inactivity before they been locked + + Verify Group Who Owns cron.weekly - ocil:ssg-accounts_set_post_pw_existing_action:testaction:1 + ocil:ssg-file_groupowner_cron_weekly_action:testaction:1 - - Configure System to Forward All Mail For The Root Account + + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation - ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1 - - Disable the virt_use_execmem SELinux Boolean + + Ensure that /etc/at.deny does not exist - ocil:ssg-sebool_virt_use_execmem_action:testaction:1 + ocil:ssg-file_at_deny_not_exist_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Set kernel parameter 'crypto.fips_enabled' to 1 - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1 - - Prevent remote hosts from connecting to the proxy display + + Ensure that Users Path Contains Only Local Directories - ocil:ssg-sshd_x11_use_localhost_action:testaction:1 + ocil:ssg-accounts_user_home_paths_only_action:testaction:1 - - All Interactive User Home Directories Must Be Owned By The Primary User + + Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ - ocil:ssg-file_ownership_home_directories_action:testaction:1 + ocil:ssg-file_permissions_httpd_server_conf_d_files_action:testaction:1 - - Verify Owner 
on crontab + + Verify User Who Owns /etc/cron.allow file - ocil:ssg-file_owner_crontab_action:testaction:1 + ocil:ssg-file_owner_cron_allow_action:testaction:1 - - Configure GNOME3 DConf User Profile + + Install the SSSD Package - ocil:ssg-enable_dconf_user_profile_action:testaction:1 + ocil:ssg-package_sssd_installed_action:testaction:1 - - Disable the puppetmaster_use_db SELinux Boolean + + Disable CPU Speed (cpupower) - ocil:ssg-sebool_puppetmaster_use_db_action:testaction:1 + ocil:ssg-service_cpupower_disabled_action:testaction:1 - - Disable Dovecot Service + + Disable the secure_mode SELinux Boolean - ocil:ssg-service_dovecot_disabled_action:testaction:1 + ocil:ssg-sebool_secure_mode_action:testaction:1 - - UEFI Boot Loader Is Not Installed On Removeable Media + + Disable the mozilla_plugin_use_bluejeans SELinux Boolean - ocil:ssg-uefi_no_removeable_media_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_use_bluejeans_action:testaction:1 - - Configure SSSD's Memory Cache to Expire + + Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems - ocil:ssg-sssd_memcache_timeout_action:testaction:1 + ocil:ssg-configured_firewalld_default_deny_action:testaction:1 - - Record Successful Ownership Changes to Files - lchown + + Set Boot Loader Password in grub2 - ocil:ssg-audit_rules_successful_file_modification_lchown_action:testaction:1 + ocil:ssg-grub2_password_action:testaction:1 - - Add nosuid Option to /home + + Restrict Access to Kernel Message Buffer - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1 - - Install binutils Package + + Verify Permissions on cron.monthly - ocil:ssg-package_binutils_installed_action:testaction:1 + ocil:ssg-file_permissions_cron_monthly_action:testaction:1 - - Build and Test AIDE Database + + Disable the httpd_enable_homedirs SELinux Boolean - ocil:ssg-aide_build_database_action:testaction:1 + 
ocil:ssg-sebool_httpd_enable_homedirs_action:testaction:1 - - Kernel panic timeout + + Add nodev Option to /tmp - ocil:ssg-kernel_config_panic_timeout_action:testaction:1 + ocil:ssg-mount_option_tmp_nodev_action:testaction:1 - - Configure the secure_mode_insmod SELinux Boolean + + Install the psacct package - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-package_psacct_installed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - umount + + Require Authentication for Emergency Systemd Target - ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 + ocil:ssg-require_emergency_target_auth_action:testaction:1 - - Harden SSHD Crypto Policy + + Mount Remote Filesystems with nodev - ocil:ssg-harden_sshd_crypto_policy_action:testaction:1 + ocil:ssg-mount_option_nodev_remote_filesystems_action:testaction:1 - - Uninstall nginx Package + + Verify that Shared Library Files Have Root Ownership - ocil:ssg-package_nginx_removed_action:testaction:1 + ocil:ssg-file_ownership_library_dirs_action:testaction:1 - - Disable the cups_execmem SELinux Boolean + + Disable X11 Forwarding - ocil:ssg-sebool_cups_execmem_action:testaction:1 + ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1 - - Disable the samba_portmapper SELinux Boolean + + Disable vsyscall emulation - ocil:ssg-sebool_samba_portmapper_action:testaction:1 + ocil:ssg-kernel_config_legacy_vsyscall_emulate_action:testaction:1 - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Kernel panic oops - ocil:ssg-sysctl_net_ipv6_conf_all_max_addresses_action:testaction:1 + ocil:ssg-kernel_config_panic_on_oops_action:testaction:1 - - Disable the virt_use_comm SELinux Boolean + + Disable Ctrl-Alt-Del Reboot Activation - ocil:ssg-sebool_virt_use_comm_action:testaction:1 + ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 - - Disable IA32 emulation + + Ensure Log Files Are Owned By Appropriate User - 
ocil:ssg-kernel_config_ia32_emulation_action:testaction:1 + ocil:ssg-rsyslog_files_ownership_action:testaction:1 - - Encrypt Partitions + + Configure tmux to lock session after inactivity - ocil:ssg-encrypt_partitions_action:testaction:1 + ocil:ssg-configure_tmux_lock_after_time_action:testaction:1 - - Disable the httpd_mod_auth_pam SELinux Boolean + + Record Successful Delete Attempts to Files - renameat - ocil:ssg-sebool_httpd_mod_auth_pam_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_renameat_action:testaction:1 - - Add usrquota Option to /home + + Set Password Hashing Algorithm in /etc/login.defs - ocil:ssg-mount_option_home_usrquota_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - Disable telnet Service + + Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean - ocil:ssg-service_telnet_disabled_action:testaction:1 + ocil:ssg-sebool_selinuxuser_postgresql_connect_enabled_action:testaction:1 - - Add nodev Option to /boot + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-mount_option_boot_nodev_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Remove telnet Clients + + Certificate status checking in SSSD - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-sssd_certificate_verification_action:testaction:1 - - Disable Postfix Network Listening + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd - ocil:ssg-postfix_network_listening_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only + + Restrict usage of ptrace to descendant processes - ocil:ssg-accounts_password_pam_enforce_local_action:testaction:1 + ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1 - - Don't target root user in the sudoers file + + Record Unsuccessful Ownership Changes to Files - 
chown - ocil:ssg-sudoers_no_root_target_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 - - User Initialization Files Must Not Run World-Writable Programs + + Encrypt Partitions - ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1 + ocil:ssg-encrypt_partitions_action:testaction:1 - - Ensure the Default Umask is Set Correctly in /etc/profile + + Disable the pppd_for_user SELinux Boolean - ocil:ssg-accounts_umask_etc_profile_action:testaction:1 + ocil:ssg-sebool_pppd_for_user_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Unloading - delete_module + + Disable rexec Service - ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1 + ocil:ssg-service_rexec_disabled_action:testaction:1 - - Audit Tools Must Be Owned by Root + + Disable the ssh_sysadm_login SELinux Boolean - ocil:ssg-file_audit_tools_ownership_action:testaction:1 + ocil:ssg-sebool_ssh_sysadm_login_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lsetxattr + + Set SSH authentication attempt limit - ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 + ocil:ssg-sshd_set_max_auth_tries_action:testaction:1 - - Disable the virt_sandbox_use_all_caps SELinux Boolean + + Disable vsyscalls - ocil:ssg-sebool_virt_sandbox_use_all_caps_action:testaction:1 + ocil:ssg-grub2_vsyscall_argument_action:testaction:1 - - Disable the virt_rw_qemu_ga_data SELinux Boolean + + Enable the fips_mode SELinux Boolean - ocil:ssg-sebool_virt_rw_qemu_ga_data_action:testaction:1 + ocil:ssg-sebool_fips_mode_action:testaction:1 - - Configure ARP filtering for All IPv4 Interfaces + + Disable the daemons_dump_core SELinux Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1 + ocil:ssg-sebool_daemons_dump_core_action:testaction:1 - - Install libreswan Package + + Verify and Correct File Permissions with RPM - 
ocil:ssg-package_libreswan_installed_action:testaction:1 + ocil:ssg-rpm_verify_permissions_action:testaction:1 - - Verify Owner on cron.daily + + Set Password Hashing Algorithm in /etc/libuser.conf - ocil:ssg-file_owner_cron_daily_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_libuserconf_action:testaction:1 - - Verify /boot/efi/EFI/redhat/user.cfg Group Ownership + + Set SSH Client Alive Count Max to zero - ocil:ssg-file_groupowner_efi_user_cfg_action:testaction:1 + ocil:ssg-sshd_set_keepalive_0_action:testaction:1 - - Disable the xdm_bind_vnc_tcp_port SELinux Boolean + + Enable the mount_anyfile SELinux Boolean - ocil:ssg-sebool_xdm_bind_vnc_tcp_port_action:testaction:1 + ocil:ssg-sebool_mount_anyfile_action:testaction:1 - - Set Existing Passwords Maximum Age + + Set GNOME3 Screensaver Inactivity Timeout - ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1 - - Disable the httpd_can_connect_zabbix SELinux Boolean + + Uninstall dovecot Package - ocil:ssg-sebool_httpd_can_connect_zabbix_action:testaction:1 + ocil:ssg-package_dovecot_removed_action:testaction:1 - - Uninstall net-snmp Package + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_net-snmp_removed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Set Password Warning Age + + Record Successful Permission Changes to Files - lsetxattr - ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1 - - Configure a Sufficiently Large Partition for Audit Logs + + Disable the virt_rw_qemu_ga_data SELinux Boolean - ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1 + ocil:ssg-sebool_virt_rw_qemu_ga_data_action:testaction:1 - - Set Lockout Time for Failed Password Attempts + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - 
ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + + Disable Modprobe Loading of USB Storage Driver - ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 + ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module + + Disable the ftpd_use_nfs SELinux Boolean - ocil:ssg-audit_rules_kernel_module_loading_query_action:testaction:1 + ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1 - - Disable the varnishd_connect_any SELinux Boolean + + Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE - ocil:ssg-sebool_varnishd_connect_any_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 - - Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. 
+ + Ensure Red Hat GPG Key Installed - ocil:ssg-fapolicy_default_deny_action:testaction:1 + ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1 - - Disable Portreserve (portreserve) + + Configure Response Mode of ARP Requests for All IPv4 Interfaces - ocil:ssg-service_portreserve_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1 - - Disable ypbind Service + + Configure the tmux lock session key binding - ocil:ssg-service_ypbind_disabled_action:testaction:1 + ocil:ssg-configure_tmux_lock_keybinding_action:testaction:1 - - Disable Kernel mac80211 Module + + Enable Logging of All FTP Transactions - ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1 + ocil:ssg-ftp_log_transactions_action:testaction:1 - - Enable SSH Server firewalld Firewall Exception + + Enable cron Service - ocil:ssg-firewalld_sshd_port_enabled_action:testaction:1 + ocil:ssg-service_crond_enabled_action:testaction:1 - - Disable /dev/kmem virtual device support + + Disable the httpd_use_openstack SELinux Boolean - ocil:ssg-kernel_config_devkmem_action:testaction:1 + ocil:ssg-sebool_httpd_use_openstack_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - init + + Disable the abrt_upload_watch_anon_write SELinux Boolean - ocil:ssg-audit_privileged_commands_init_action:testaction:1 + ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1 - - Disable Power Settings in GNOME3 + + Configure PAM in SSSD Services - ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1 + ocil:ssg-sssd_enable_pam_services_action:testaction:1 - - Enable the gssd_read_tmp SELinux Boolean + + Disable the git_system_use_cifs SELinux Boolean - ocil:ssg-sebool_gssd_read_tmp_action:testaction:1 + ocil:ssg-sebool_git_system_use_cifs_action:testaction:1 - - Disable the privoxy_connect_any SELinux Boolean + + Add nodev Option to /var/tmp - ocil:ssg-sebool_privoxy_connect_any_action:testaction:1 + 
ocil:ssg-mount_option_var_tmp_nodev_action:testaction:1 - - Disable the Automounter + + Disable graphical user interface - ocil:ssg-service_autofs_disabled_action:testaction:1 + ocil:ssg-xwindows_remove_packages_action:testaction:1 - - Disable Software RAID Monitor (mdmonitor) + + Verify User Who Owns Backup passwd File - ocil:ssg-service_mdmonitor_disabled_action:testaction:1 + ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1 - - Disable the dhcpd_use_ldap SELinux Boolean + + Record Successful Access Attempts to Files - creat - ocil:ssg-sebool_dhcpd_use_ldap_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1 - - Disable Quagga Service + + Disable the use_lpd_server SELinux Boolean - ocil:ssg-service_zebra_disabled_action:testaction:1 + ocil:ssg-sebool_use_lpd_server_action:testaction:1 - - Install fapolicyd Package + + Verify No netrc Files Exist - ocil:ssg-package_fapolicyd_installed_action:testaction:1 + ocil:ssg-no_netrc_files_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - unlink + + Verify User Who Owns /var/log Directory - ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1 + ocil:ssg-file_owner_var_log_action:testaction:1 - - Remove the GDM Package Group + + Disable Ctrl-Alt-Del Burst Action - ocil:ssg-package_gdm_removed_action:testaction:1 + ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1 - - Enable PAM + + Disable Advanced Configuration and Power Interface (acpid) - ocil:ssg-sshd_enable_pam_action:testaction:1 + ocil:ssg-service_acpid_disabled_action:testaction:1 - - Configure SNMP Service to Use Only SNMPv3 or Newer + + Configure Auto Configuration on All IPv6 Interfaces By Default - ocil:ssg-snmpd_use_newer_protocol_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_autoconf_action:testaction:1 - - Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Disable the dbadm_read_user_files SELinux 
Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 + ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1 - - Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-sebool_httpd_mod_auth_ntlm_winbind_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1 - - Add nosuid Option to /tmp + + Verify Owner on cron.monthly - ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 + ocil:ssg-file_owner_cron_monthly_action:testaction:1 - - Configure immutable Audit login UIDs + + Disable the daemons_enable_cluster_mode SELinux Boolean - ocil:ssg-audit_rules_immutable_login_uids_action:testaction:1 + ocil:ssg-sebool_daemons_enable_cluster_mode_action:testaction:1 - - Use zero for poisoning instead of debugging value + + Record Access Events to Audit Log Directory - ocil:ssg-kernel_config_page_poisoning_zero_action:testaction:1 + ocil:ssg-directory_access_var_log_audit_action:testaction:1 - - Configure SSSD LDAP Backend Client CA Certificate Location + + Enable Postfix Service - ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1 + ocil:ssg-service_postfix_enabled_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period + + Enable auditd Service - ocil:ssg-dconf_gnome_screensaver_lock_locked_action:testaction:1 + ocil:ssg-service_auditd_enabled_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable Mounting of cramfs - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Disable the rsync_full_access SELinux Boolean + + Set number of records to cause an explicit flush to audit logs - ocil:ssg-sebool_rsync_full_access_action:testaction:1 + ocil:ssg-auditd_freq_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - chown + + Install libreswan Package - 
ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 + ocil:ssg-package_libreswan_installed_action:testaction:1 - - Configure opensc Smart Card Drivers + + Encrypt All File Uploads - ocil:ssg-configure_opensc_card_drivers_action:testaction:1 + ocil:ssg-httpd_encrypt_file_uploads_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + IOMMU configuration directive - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-grub2_enable_iommu_force_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Disable the rsync_export_all_ro SELinux Boolean - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-sebool_rsync_export_all_ro_action:testaction:1 - - Ensure Sudo Logfile Exists - sudo logfile + + Install McAfee Endpoint Security for Linux (ENSL) - ocil:ssg-sudo_custom_logfile_action:testaction:1 + ocil:ssg-package_mcafeetp_installed_action:testaction:1 - - Disable the logrotate_use_nfs SELinux Boolean + + Encrypt Audit Records Sent With audispd Plugin - ocil:ssg-sebool_logrotate_use_nfs_action:testaction:1 + ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1 - - Disable TIPC Support + + Mount Remote Filesystems with nosuid - ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 + ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1 - - Enable the nscd_use_shm SELinux Boolean + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles - ocil:ssg-sebool_nscd_use_shm_action:testaction:1 + ocil:ssg-dconf_db_up_to_date_action:testaction:1 - - Disable the LDT (local descriptor table) + + Ensure SMAP is not disabled during boot - ocil:ssg-kernel_config_modify_ldt_syscall_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Uninstall iprutils Package + + Configure the confidence in TPM for entropy - 
ocil:ssg-package_iprutils_removed_action:testaction:1 + ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1 - - Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly + + Disable the mcelog_foreground SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1 + ocil:ssg-sebool_mcelog_foreground_action:testaction:1 - - Ensure only owner and members of group owner of /usr/bin/sudo can execute it + + Disable the git_cgi_use_nfs SELinux Boolean - ocil:ssg-sudo_restrict_others_executable_permission_action:testaction:1 + ocil:ssg-sebool_git_cgi_use_nfs_action:testaction:1 - - Modify the System Login Banner + + Disable Red Hat Network Service (rhnsd) - ocil:ssg-banner_etc_issue_action:testaction:1 + ocil:ssg-service_rhnsd_disabled_action:testaction:1 - - Disable the virt_use_sanlock SELinux Boolean + + User a virtually-mapped stack - ocil:ssg-sebool_virt_use_sanlock_action:testaction:1 + ocil:ssg-kernel_config_vmap_stack_action:testaction:1 - - Ensure logging is configured + + Configure OpenSSL library to use TLS Encryption - ocil:ssg-rsyslog_logging_configured_action:testaction:1 + ocil:ssg-configure_openssl_tls_crypto_policy_action:testaction:1 - - Disable the cobbler_use_nfs SELinux Boolean + + Add noauto Option to /boot - ocil:ssg-sebool_cobbler_use_nfs_action:testaction:1 + ocil:ssg-mount_option_boot_noauto_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Unloading - create_module + + Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - ocil:ssg-audit_rules_kernel_module_loading_create_action:testaction:1 + ocil:ssg-file_permission_user_init_files_action:testaction:1 - - Prevent Unrestricted Mail Relaying + + Enable the nfs_export_all_rw SELinux Boolean - ocil:ssg-postfix_prevent_unrestricted_relay_action:testaction:1 + ocil:ssg-sebool_nfs_export_all_rw_action:testaction:1 - - Encrypt Audit Records Sent With audispd Plugin + + Disable 
the secure_mode_policyload SELinux Boolean - ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1 + ocil:ssg-sebool_secure_mode_policyload_action:testaction:1 - - Enable the login_console_enabled SELinux Boolean + + Ensure the Default Umask is Set Correctly For Interactive Users - ocil:ssg-sebool_login_console_enabled_action:testaction:1 + ocil:ssg-accounts_umask_interactive_users_action:testaction:1 - - Ensure all users last password change date is in the past + + Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT - ocil:ssg-accounts_password_last_change_is_in_past_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_creat_action:testaction:1 - - Use Kerberos Security on All Exports + + Record Events that Modify User/Group Information - /etc/group - ocil:ssg-use_kerberos_security_all_exports_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 - - Disable the mplayer_execstack SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl - ocil:ssg-sebool_mplayer_execstack_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1 - - Verify the UEFI Boot Loader grub.cfg User Ownership + + Install binutils Package - ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1 + ocil:ssg-package_binutils_installed_action:testaction:1 - - Disable the mpd_use_nfs SELinux Boolean + + Disable the xserver_execmem SELinux Boolean - ocil:ssg-sebool_mpd_use_nfs_action:testaction:1 + ocil:ssg-sebool_xserver_execmem_action:testaction:1 - - Limit Password Reuse: password-auth + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-accounts_password_pam_pwhistory_remember_password_auth_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Enable Process 
Accounting (psacct) - ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 + ocil:ssg-service_psacct_enabled_action:testaction:1 - - Install the McAfee Runtime Libraries and Linux Agent + + Disable hibernation - ocil:ssg-install_mcafee_cma_rt_action:testaction:1 + ocil:ssg-kernel_config_hibernation_action:testaction:1 - - Configure dnf-automatic to Install Available Updates Automatically + + Disable the httpd_can_network_connect SELinux Boolean - ocil:ssg-dnf-automatic_apply_updates_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_connect_action:testaction:1 - - Verify nftables Service is Enabled + + Install the Samba Common Package - ocil:ssg-service_nftables_enabled_action:testaction:1 + ocil:ssg-package_samba-common_installed_action:testaction:1 - - Enable cron Service + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - ocil:ssg-service_cron_enabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 - - Disable the httpd_manage_ipa SELinux Boolean + + Resolve information before writing to audit logs - ocil:ssg-sebool_httpd_manage_ipa_action:testaction:1 + ocil:ssg-auditd_log_format_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - chmod + + Verify /boot/grub2/grub.cfg Group Ownership - ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1 + ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1 - - Disable Compression Or Set Compression to delayed + + Disable the httpd_can_connect_zabbix SELinux Boolean - ocil:ssg-sshd_disable_compression_action:testaction:1 + ocil:ssg-sebool_httpd_can_connect_zabbix_action:testaction:1 - - Ensure remote access methods are monitored in Rsyslog + + Disable the polipo_use_cifs SELinux Boolean - ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1 + ocil:ssg-sebool_polipo_use_cifs_action:testaction:1 - - Enable Yama support + + Configure Logind to terminate idle sessions after certain 
time of inactivity - ocil:ssg-kernel_config_security_yama_action:testaction:1 + ocil:ssg-logind_session_timeout_action:testaction:1 - - Prefer to use a 64-bit Operating System when supported + + Disable Kernel iwlmvm Module - ocil:ssg-prefer_64bit_os_action:testaction:1 + ocil:ssg-kernel_module_iwlmvm_disabled_action:testaction:1 - - Disable the mozilla_read_content SELinux Boolean + + Record Events that Modify User/Group Information via open syscall - /etc/passwd - ocil:ssg-sebool_mozilla_read_content_action:testaction:1 + ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1 - - Ensure Home Directories are Created for New Users + + Support session locking with tmux (not enforcing) - ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1 + ocil:ssg-configure_bashrc_tmux_action:testaction:1 - - Perform full reference count validation + + Verify Permissions on passwd File - ocil:ssg-kernel_config_refcount_full_action:testaction:1 + ocil:ssg-file_permissions_etc_passwd_action:testaction:1 - - Enable GNOME3 Login Warning Banner + + Disable the glance_api_can_network SELinux Boolean - ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 + ocil:ssg-sebool_glance_api_can_network_action:testaction:1 - - Disable the xguest_exec_content SELinux Boolean + + Disable the samba_export_all_ro SELinux Boolean - ocil:ssg-sebool_xguest_exec_content_action:testaction:1 + ocil:ssg-sebool_samba_export_all_ro_action:testaction:1 - - Harden memory copies between kernel and userspace + + Ensure /home Located On Separate Partition - ocil:ssg-kernel_config_hardened_usercopy_action:testaction:1 + ocil:ssg-partition_for_home_action:testaction:1 - - Force kernel panic on uncorrected MCEs + + Enable checks on scatter-gather (SG) table operations - ocil:ssg-grub2_mce_argument_action:testaction:1 + ocil:ssg-kernel_config_debug_sg_action:testaction:1 - - Verify /boot/grub2/user.cfg User Ownership + + Harden SSH client Crypto Policy - ocil:ssg-file_owner_user_cfg_action:testaction:1 + 
ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1 - - Set Password Hashing Rounds in /etc/login.defs + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow - ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1 + ocil:ssg-audit_rules_etc_gshadow_open_action:testaction:1 - - Ensure /opt Located On Separate Partition + + Disable the glance_use_execmem SELinux Boolean - ocil:ssg-partition_for_opt_action:testaction:1 + ocil:ssg-sebool_glance_use_execmem_action:testaction:1 - - Enable the auditadm_exec_content SELinux Boolean + + Configure System to Forward All Mail For The Root Account - ocil:ssg-sebool_auditadm_exec_content_action:testaction:1 + ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding + + Enable the xend_run_qemu SELinux Boolean - ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1 + ocil:ssg-sebool_xend_run_qemu_action:testaction:1 - - Require Client SMB Packet Signing, if using smbclient + + Set the UEFI Boot Loader Password - ocil:ssg-require_smb_client_signing_action:testaction:1 + ocil:ssg-grub2_uefi_password_action:testaction:1 - - Root Path Must Be Vendor Default + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-root_path_default_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Disable the cobbler_anon_write SELinux Boolean + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-sebool_cobbler_anon_write_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Permissions on /etc/cron.allow file + + Disable the mplayer_execstack SELinux Boolean - ocil:ssg-file_permissions_cron_allow_action:testaction:1 + ocil:ssg-sebool_mplayer_execstack_action:testaction:1 - - Disable the cluster_use_execmem SELinux Boolean + + Ensure Rsyslog Encrypts Off-Loaded Audit Records - 
ocil:ssg-sebool_cluster_use_execmem_action:testaction:1 + ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_action:testaction:1 - - Modify the System Message of the Day Banner + + Verify Group Who Owns /etc/at.allow file - ocil:ssg-banner_etc_motd_action:testaction:1 + ocil:ssg-file_groupowner_at_allow_action:testaction:1 - - Disable the nis_enabled SELinux Boolean + + Disable the fenced_can_ssh SELinux Boolean - ocil:ssg-sebool_nis_enabled_action:testaction:1 + ocil:ssg-sebool_fenced_can_ssh_action:testaction:1 - - Disable WIFI Network Notification in GNOME3 + + Disable the httpd_use_gpg SELinux Boolean - ocil:ssg-dconf_gnome_disable_wifi_notification_action:testaction:1 + ocil:ssg-sebool_httpd_use_gpg_action:testaction:1 - - Configure auditing of unsuccessful file deletions + + Disable Anonymous FTP Access - ocil:ssg-audit_delete_failed_action:testaction:1 + ocil:ssg-httpd_disable_anonymous_ftp_access_action:testaction:1 - - Disable X11 Forwarding + + Configure the httpd_builtin_scripting SELinux Boolean - ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1 + ocil:ssg-sebool_httpd_builtin_scripting_action:testaction:1 - - Verify that All World-Writable Directories Have Sticky Bits Set + + Ensure gpgcheck Enabled In Main yum Configuration - ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 + ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1 - - Configure Auto Configuration on All IPv6 Interfaces By Default + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - ocil:ssg-sysctl_net_ipv6_conf_default_autoconf_action:testaction:1 + ocil:ssg-accounts_password_pam_retry_action:testaction:1 - - Add nodev Option to /var/log/audit + + Disable SSH Support for User Known Hosts - ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1 + ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1 - - Configure System to Forward All Mail through a specific host + + Verify User Who 
Owns /var/log/syslog File - ocil:ssg-postfix_client_configure_relayhost_action:testaction:1 + ocil:ssg-file_owner_var_log_syslog_action:testaction:1 - - Uninstall abrt-plugin-sosreport Package + + Set Password Maximum Consecutive Repeating Characters - ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1 - - Disable the minidlna_read_generic_user_content SELinux Boolean + + Disable named Service - ocil:ssg-sebool_minidlna_read_generic_user_content_action:testaction:1 + ocil:ssg-service_named_disabled_action:testaction:1 - - Configure auditd space_left Action on Low Disk Space + + Disable the webadm_manage_user_files SELinux Boolean - ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1 + ocil:ssg-sebool_webadm_manage_user_files_action:testaction:1 - - Disable anacron Service + + Disable IA32 emulation - ocil:ssg-disable_anacron_action:testaction:1 + ocil:ssg-kernel_config_ia32_emulation_action:testaction:1 - - Disable Network File System (nfs) + + Configure Accepting Router Advertisements on All IPv6 Interfaces - ocil:ssg-service_nfs_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1 - - Enable the NTP Daemon + + Enable SSH Print Last Log - ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1 + ocil:ssg-sshd_print_last_log_action:testaction:1 - - Require Credential Prompting for Remote Access in GNOME3 + + Configure Backups of User Data - ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1 + ocil:ssg-configure_user_data_backups_action:testaction:1 - - Uninstall gssproxy Package + + Verify that Shared Library Directories Have Root Group Ownership - ocil:ssg-package_gssproxy_removed_action:testaction:1 + ocil:ssg-dir_group_ownership_library_dirs_action:testaction:1 - - Add noexec Option to /var/tmp + + Disable the openvpn_run_unconfined SELinux Boolean - 
ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 + ocil:ssg-sebool_openvpn_run_unconfined_action:testaction:1 - - Disable Advanced Configuration and Power Interface (acpid) + + Record Successful Delete Attempts to Files - unlink - ocil:ssg-service_acpid_disabled_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_unlink_action:testaction:1 - - Uninstall avahi-autoipd Server Package + + Disable the use_ecryptfs_home_dirs SELinux Boolean - ocil:ssg-package_avahi-autoipd_removed_action:testaction:1 + ocil:ssg-sebool_use_ecryptfs_home_dirs_action:testaction:1 - - Do not allow ACPI methods to be inserted/replaced at run time + + Verify Owner on cron.daily - ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1 + ocil:ssg-file_owner_cron_daily_action:testaction:1 - - Log USBGuard daemon audit events using Linux Audit + + Configure A Banner Page For Each Website - ocil:ssg-configure_usbguard_auditbackend_action:testaction:1 + ocil:ssg-httpd_configure_banner_page_action:testaction:1 - - Install policycoreutils Package + + Enable seccomp to safely compute untrusted bytecode - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-kernel_config_seccomp_action:testaction:1 - - Restrict Access to Kernel Message Buffer + + Set number of Password Hashing Rounds - password-auth - ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1 + ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1 - - Ensure gpgcheck Enabled In Main yum Configuration + + Verify nftables Service is Enabled - ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1 + ocil:ssg-service_nftables_enabled_action:testaction:1 - - Verify /boot/grub2/grub.cfg Permissions + + Configure auditing of unsuccessful file accesses - ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 + ocil:ssg-audit_access_failed_action:testaction:1 - - Configure SSSD to Expire Offline Credentials + + Disable the httpd_execmem SELinux Boolean - 
ocil:ssg-sssd_offline_cred_expiration_action:testaction:1 + ocil:ssg-sebool_httpd_execmem_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate + + Enable Kernel Page-Table Isolation (KPTI) - ocil:ssg-sudo_remove_no_authenticate_action:testaction:1 + ocil:ssg-grub2_pti_argument_action:testaction:1 - - Disable the xserver_clients_write_xshm SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_xserver_clients_write_xshm_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - lsetxattr + + Configure auditing of unsuccessful file modifications - ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1 + ocil:ssg-audit_modify_failed_action:testaction:1 - - Disable SSH Support for User Known Hosts + + Disable the httpd_can_network_connect_db SELinux Boolean - ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_connect_db_action:testaction:1 - - Disable the wine_mmap_zero_ignore SELinux Boolean + + Ensure a dedicated group owns sudo - ocil:ssg-sebool_wine_mmap_zero_ignore_action:testaction:1 + ocil:ssg-sudo_dedicated_group_action:testaction:1 - - Enable syslog-ng Service + + Drop Gratuitious ARP frames on All IPv4 Interfaces - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_drop_gratuitous_arp_action:testaction:1 - - Uninstall Automatic Bug Reporting Tool (abrt) + + Configure auditing of unsuccessful file deletions - ocil:ssg-package_abrt_removed_action:testaction:1 + ocil:ssg-audit_delete_failed_action:testaction:1 - - Ensure '/etc/system-fips' exists + + Public web server resources must not be shared with private assets - ocil:ssg-etc_system_fips_exists_action:testaction:1 + ocil:ssg-httpd_public_resources_not_shared_action:testaction:1 - - Disable RDS Support + + Ensure the Default Umask is Set Correctly in login.defs - 
ocil:ssg-kernel_module_rds_disabled_action:testaction:1 + ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 - - Disable the ftpd_connect_all_unreserved SELinux Boolean + + Add nodev Option to /var/log - ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1 + ocil:ssg-mount_option_var_log_nodev_action:testaction:1 - - Disable the httpd_dbus_avahi SELinux Boolean + + Enable poison of pages after freeing - ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1 + ocil:ssg-kernel_config_page_poisoning_action:testaction:1 - - Disable the abrt_upload_watch_anon_write SELinux Boolean + + Set type of computer node name logging in audit logs - ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1 + ocil:ssg-auditd_name_format_action:testaction:1 - - Disable the httpd_can_check_spam SELinux Boolean + + Ensure PAM Enforces Password Requirements - Enforce for root User - ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1 + ocil:ssg-accounts_password_pam_enforce_root_action:testaction:1 - - Record Any Attempts to Run seunshare + + Configure Libreswan to use System Crypto Policy - ocil:ssg-audit_rules_execution_seunshare_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Uninstall Sendmail Package + + Disable the cdrecord_read_content SELinux Boolean - ocil:ssg-package_sendmail_removed_action:testaction:1 + ocil:ssg-sebool_cdrecord_read_content_action:testaction:1 - - Disable the unprivuser_use_svirt SELinux Boolean + + Disallow kernel profiling by unprivileged users - ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_event_paranoid_action:testaction:1 - - Make the auditd Configuration Immutable + + Add nosuid Option to /tmp - ocil:ssg-audit_rules_immutable_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Verify that System Executables Have Root Ownership + + Set GNOME3 Screensaver Lock Delay After Activation Period - 
ocil:ssg-file_ownership_binary_dirs_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1 - - Disable xinetd Service + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-service_xinetd_disabled_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Detect stack corruption on calls to schedule() + + Disable TIPC Support - ocil:ssg-kernel_config_sched_stack_end_check_action:testaction:1 + ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 - - Disable the mailman_use_fusefs SELinux Boolean + + Enable the USBGuard Service - ocil:ssg-sebool_mailman_use_fusefs_action:testaction:1 + ocil:ssg-service_usbguard_enabled_action:testaction:1 - - Direct root Logins Not Allowed + + Disable the virt_sandbox_use_netlink SELinux Boolean - ocil:ssg-no_direct_root_logins_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_netlink_action:testaction:1 - - Ensure No World-Writable Files Exist + + Disable System Statistics Reset Service (sysstat) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_sysstat_disabled_action:testaction:1 - - Disable Web Content Symbolic Links + + Uninstall quagga Package - ocil:ssg-httpd_disable_content_symlinks_action:testaction:1 + ocil:ssg-package_quagga_removed_action:testaction:1 - - Verify the UEFI Boot Loader grub.cfg Group Ownership + + Prevent applications from mapping low portion of virtual memory - ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1 + ocil:ssg-sysctl_vm_mmap_min_addr_action:testaction:1 - - Set SSH authentication attempt limit + + Disable the virt_use_execmem SELinux Boolean - ocil:ssg-sshd_set_max_auth_tries_action:testaction:1 + ocil:ssg-sebool_virt_use_execmem_action:testaction:1 - - Disable the exim_manage_user_files SELinux Boolean + + Verify Group Who Owns shadow File - ocil:ssg-sebool_exim_manage_user_files_action:testaction:1 + ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 
- - Configure auditing of unsuccessful file accesses + + Verify Permissions on Backup gshadow File - ocil:ssg-audit_access_failed_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1 - - Verify permissions on Message of the Day Banner + + Disable the virt_use_samba SELinux Boolean - ocil:ssg-file_permissions_etc_motd_action:testaction:1 + ocil:ssg-sebool_virt_use_samba_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - reboot + + Disable Full User Name on Splash Shield - ocil:ssg-audit_privileged_commands_reboot_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_user_info_action:testaction:1 - - Disable the samba_enable_home_dirs SELinux Boolean + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow - ocil:ssg-sebool_samba_enable_home_dirs_action:testaction:1 + ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1 - - Enable Use of Privilege Separation + + Enable systemd-journald Service - ocil:ssg-sshd_use_priv_separation_action:testaction:1 + ocil:ssg-service_systemd-journald_enabled_action:testaction:1 - - Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server + + Ensure logging is configured - ocil:ssg-sssd_ldap_configure_tls_reqcert_action:testaction:1 + ocil:ssg-rsyslog_logging_configured_action:testaction:1 - - Ensure All SUID Executables Are Authorized + + Install the Asset Configuration Compliance Module (ACCM) - ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1 + ocil:ssg-install_mcafee_hbss_accm_action:testaction:1 - - Record Events that Modify the System's Mandatory Access Controls in usr/share + + Verify Group Who Owns cron.d - ocil:ssg-audit_rules_mac_modification_usr_share_action:testaction:1 + ocil:ssg-file_groupowner_cron_d_action:testaction:1 - - All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group + + Enable the domain_fd_use 
SELinux Boolean - ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1 + ocil:ssg-sebool_domain_fd_use_action:testaction:1 - - Disable Kernel iwlmvm Module + + Add usrquota Option to /home - ocil:ssg-kernel_module_iwlmvm_disabled_action:testaction:1 + ocil:ssg-mount_option_home_usrquota_action:testaction:1 - - Ensure All World-Writable Directories Are Owned by a System Account + + Uninstall geolite2-city Package - ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1 + ocil:ssg-package_geolite2-city_removed_action:testaction:1 - - Enable module signature verification + + Disable GSSAPI Authentication - ocil:ssg-kernel_config_module_sig_action:testaction:1 + ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1 - - Enable poison without sanity check + + Verify Group Who Owns gshadow File - ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1 + ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 - - Require Encryption for Remote Access in GNOME3 + + Configure SSSD to Expire Offline Credentials - ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 + ocil:ssg-sssd_offline_cred_expiration_action:testaction:1 - - Remove NIS Client + + Uninstall rsh-server Package - ocil:ssg-package_ypbind_removed_action:testaction:1 + ocil:ssg-package_rsh-server_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + + Configure the Firewalld Ports - ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1 + ocil:ssg-configure_firewalld_ports_action:testaction:1 - - Disable the cobbler_can_network_connect SELinux Boolean + + Uninstall libreport-plugin-rhtsupport Package - ocil:ssg-sebool_cobbler_can_network_connect_action:testaction:1 + ocil:ssg-package_libreport-plugin-rhtsupport_removed_action:testaction:1 - - Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly + + Audit Configuration Files Permissions are 640 or 
More Restrictive - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1 + ocil:ssg-file_permissions_audit_configuration_action:testaction:1 - - Verify User Who Owns /var/log Directory + + Enable Yama support - ocil:ssg-file_owner_var_log_action:testaction:1 + ocil:ssg-kernel_config_security_yama_action:testaction:1 - - Record attempts to alter time through settimeofday + + Ensure auditd Collects Information on Kernel Module Unloading - create_module - ocil:ssg-audit_rules_time_settimeofday_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_create_action:testaction:1 - - Randomize the address of the kernel image (KASLR) + + Configure SNMP Service to Use Only SNMPv3 or Newer - ocil:ssg-kernel_config_randomize_base_action:testaction:1 + ocil:ssg-snmpd_use_newer_protocol_action:testaction:1 - - Disable the abrt_anon_write SELinux Boolean + + The Chronyd service is enabled - ocil:ssg-sebool_abrt_anon_write_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify No netrc Files Exist + + Uninstall nfs-utils Package - ocil:ssg-no_netrc_files_action:testaction:1 + ocil:ssg-package_nfs-utils_removed_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1 - - Verify /boot/efi/EFI/redhat/user.cfg User Ownership + + Verify User Who Owns /var/log/messages File - ocil:ssg-file_owner_efi_user_cfg_action:testaction:1 + ocil:ssg-file_owner_var_log_messages_action:testaction:1 - - Enable poison of pages after freeing + + Disable the 32-bit vDSO - ocil:ssg-kernel_config_page_poisoning_action:testaction:1 + ocil:ssg-kernel_config_compat_vdso_action:testaction:1 - - Set Existing Passwords Warning Age + + Disable the polipo_use_nfs SELinux Boolean - 
ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1 + ocil:ssg-sebool_polipo_use_nfs_action:testaction:1 - - Disable the xdm_exec_bootloader SELinux Boolean + + Disable Postfix Network Listening - ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1 + ocil:ssg-postfix_network_listening_disabled_action:testaction:1 - - Enable Randomized Layout of Virtual Address Space + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Force initialization of variables containing userspace addresses + + Configure Auto Configuration on All IPv6 Interfaces - ocil:ssg-kernel_config_gcc_plugin_structleak_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_autoconf_action:testaction:1 - - Use Only FIPS 140-2 Validated Ciphers + + Disallow merge of slab caches - ocil:ssg-sshd_use_approved_ciphers_action:testaction:1 + ocil:ssg-kernel_config_slab_merge_default_action:testaction:1 - - Disable the condor_tcp_network_connect SELinux Boolean + + Specify module signing key to use - ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1 + ocil:ssg-kernel_config_module_sig_key_action:testaction:1 - - Do Not Allow SSH Environment Options + + Record Successful Permission Changes to Files - chmod - ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_chmod_action:testaction:1 - - Uninstall Samba Package + + Enable the unconfined_chrome_sandbox_transition SELinux Boolean - ocil:ssg-package_samba_removed_action:testaction:1 + ocil:ssg-sebool_unconfined_chrome_sandbox_transition_action:testaction:1 - - Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE + + Require Credential Prompting for Remote Access in GNOME3 - ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 + 
ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1 - - Record Successful Permission Changes to Files - setxattr + + Ensure System is Not Acting as a Network Sniffer - ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 + ocil:ssg-network_sniffer_disabled_action:testaction:1 - - Verify Permissions on /etc/audit/rules.d/*.rules + + Enable the File Access Policy Service - ocil:ssg-file_permissions_etc_audit_rulesd_action:testaction:1 + ocil:ssg-service_fapolicyd_enabled_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - fchownat + + SSH client uses strong entropy to seed (for CSH like shells) - ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1 + ocil:ssg-ssh_client_use_strong_rng_csh_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - chown + + Ensure Software Patches Installed - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-security_patches_up_to_date_action:testaction:1 - - Add nodev Option to /var/tmp + + Verify that Interactive Boot is Disabled - ocil:ssg-mount_option_var_tmp_nodev_action:testaction:1 + ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 - - Configure the tmux Lock Command + + Disable the httpd_can_connect_mythtv SELinux Boolean - ocil:ssg-configure_tmux_lock_command_action:testaction:1 + ocil:ssg-sebool_httpd_can_connect_mythtv_action:testaction:1 - - All GIDs referenced in /etc/passwd must be defined in /etc/group + + Add nodev Option to /dev/shm - ocil:ssg-gid_passwd_group_same_action:testaction:1 + ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1 - - Disable the httpd_can_network_connect SELinux Boolean + + Disable the httpd_can_check_spam SELinux Boolean - ocil:ssg-sebool_httpd_can_network_connect_action:testaction:1 + ocil:ssg-sebool_httpd_can_check_spam_action:testaction:1 - - Enable Dracut FIPS Module + + Disable Cyrus SASL Authentication Daemon (saslauthd) - 
ocil:ssg-enable_dracut_fips_module_action:testaction:1 + ocil:ssg-service_saslauthd_disabled_action:testaction:1 - - Install policycoreutils-python-utils package + + Enable the Hardware RNG Entropy Gatherer Service - ocil:ssg-package_policycoreutils-python-utils_installed_action:testaction:1 + ocil:ssg-service_rngd_enabled_action:testaction:1 - - Disable the xguest_mount_media SELinux Boolean + + Configure AIDE to Use FIPS 140-2 for Validating Hashes - ocil:ssg-sebool_xguest_mount_media_action:testaction:1 + ocil:ssg-aide_use_fips_hashes_action:testaction:1 - - Authorize USB hubs in USBGuard daemon + + Record Events that Modify User/Group Information via open syscall - /etc/group - ocil:ssg-usbguard_allow_hub_action:testaction:1 + ocil:ssg-audit_rules_etc_group_open_action:testaction:1 - - Make the module text and rodata read-only + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default - ocil:ssg-kernel_config_strict_module_rwx_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 - - Ensure There Are No Accounts With Blank or Null Passwords + + User Initialization Files Must Be Group-Owned By The Primary Group - ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1 + ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1 - - Disable the boinc_execmem SELinux Boolean + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_boinc_execmem_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1 - - Set number of Password Hashing Rounds - password-auth + + Disable the xdm_write_home SELinux Boolean - ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1 + ocil:ssg-sebool_xdm_write_home_action:testaction:1 - - Add noexec Option to Removable Media Partitions + + Disable the tor_can_network_relay SELinux Boolean - 
ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1 + ocil:ssg-sebool_tor_can_network_relay_action:testaction:1 - - Record Successful Ownership Changes to Files - fchownat + + Disable the httpd_setrlimit SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_fchownat_action:testaction:1 + ocil:ssg-sebool_httpd_setrlimit_action:testaction:1 - - Remove the FreeRadius Server Package + + Disable the virt_use_sanlock SELinux Boolean - ocil:ssg-package_freeradius_removed_action:testaction:1 + ocil:ssg-sebool_virt_use_sanlock_action:testaction:1 - - Uninstall nfs-utils Package + + Ensure auditd Collects Information on the Use of Privileged Commands - mount - ocil:ssg-package_nfs-utils_removed_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 - - Configure audispd's Plugin disk_full_action When Disk Is Full + + Install the pcsc-lite package - ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1 + ocil:ssg-package_pcsc-lite_installed_action:testaction:1 - - Record Any Attempts to Run chcon + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size - ocil:ssg-audit_rules_execution_chcon_action:testaction:1 + ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - chmod + + Enable HTTPD System Logging - ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 + ocil:ssg-httpd_enable_system_logging_action:testaction:1 - - Audit Tools Must Have a Mode of 0755 or Less Permissive + + Ensure McAfee Endpoint Security for Linux (ENSL) is running - ocil:ssg-file_audit_tools_permissions_action:testaction:1 + ocil:ssg-agent_mfetpd_running_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Disable Accepting ICMP Redirects for All IPv4 Interfaces - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + 
ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 - - Uninstall openldap-servers Package + + Ensure tftp Daemon Uses Secure Mode - ocil:ssg-package_openldap-servers_removed_action:testaction:1 + ocil:ssg-tftpd_uses_secure_mode_action:testaction:1 - - Disable the tmpreaper_use_nfs SELinux Boolean + + Configure session renegotiation for SSH client - ocil:ssg-sebool_tmpreaper_use_nfs_action:testaction:1 + ocil:ssg-ssh_client_rekey_limit_action:testaction:1 - - Configure AIDE to Verify Access Control Lists (ACLs) + + Verify the UEFI Boot Loader grub.cfg Permissions - ocil:ssg-aide_verify_acls_action:testaction:1 + ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1 - - Disable the irssi_use_full_network SELinux Boolean + + Disable WIFI Network Notification in GNOME3 - ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 + ocil:ssg-dconf_gnome_disable_wifi_notification_action:testaction:1 - - Record Successful Permission Changes to Files - chmod + + Ensure Insecure File Locking is Not Allowed - ocil:ssg-audit_rules_successful_file_modification_chmod_action:testaction:1 + ocil:ssg-no_insecure_locks_exports_action:testaction:1 - - Disable the smartmon_3ware SELinux Boolean + + Ensure All World-Writable Directories Are Group Owned by a System Account - ocil:ssg-sebool_smartmon_3ware_action:testaction:1 + ocil:ssg-dir_perms_world_writable_system_owned_group_action:testaction:1 - - Disable hibernation + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT - ocil:ssg-kernel_config_hibernation_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1 - - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Uninstall libreport-plugin-logger Package - ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 + ocil:ssg-package_libreport-plugin-logger_removed_action:testaction:1 - - Record Events that Modify the System's 
Discretionary Access Controls - fchownat + + Disable GNOME3 Automount Opening - ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 + ocil:ssg-dconf_gnome_disable_automount_open_action:testaction:1 - - HTTPD Log Files Must Be Owned By Root + + Enable the virt_sandbox_use_audit SELinux Boolean - ocil:ssg-http_configure_log_file_ownership_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_audit_action:testaction:1 - - Kernel panic oops + + Configure SSSD to run as user sssd - ocil:ssg-kernel_config_panic_on_oops_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Disable Recovery Booting + + Disable rlogin Service - ocil:ssg-grub2_disable_recovery_action:testaction:1 + ocil:ssg-service_rlogin_disabled_action:testaction:1 - - Uninstall avahi Server Package + + Ensure auditd Collects Information on the Use of Privileged Commands - init - ocil:ssg-package_avahi_removed_action:testaction:1 + ocil:ssg-audit_privileged_commands_init_action:testaction:1 - - Enable Auditing to Start Prior to the Audit Daemon in zIPL + + Disable SSH Access via Empty Passwords - ocil:ssg-zipl_audit_argument_action:testaction:1 + ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 - - Configure Time Service Maxpoll Interval + + Disable Red Hat Subscription Manager Daemon (rhsmcertd) - ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1 + ocil:ssg-service_rhsmcertd_disabled_action:testaction:1 - - Disable the samba_create_home_dirs SELinux Boolean + + Enable SSH Warning Banner - ocil:ssg-sebool_samba_create_home_dirs_action:testaction:1 + ocil:ssg-sshd_enable_warning_banner_action:testaction:1 - - Appropriate Action Must be Setup When the Internal Audit Event Queue is Full + + Disable kernel support for MISC binaries - ocil:ssg-auditd_overflow_action_action:testaction:1 + ocil:ssg-kernel_config_binfmt_misc_action:testaction:1 - - Ensure the Default Bash Umask is Set Correctly + + Set Existing Passwords Maximum Age - 
ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1 + ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1 + + + + Disable the sge_use_nfs SELinux Boolean + + ocil:ssg-sebool_sge_use_nfs_action:testaction:1 + + + + Add nodev Option to /home + + ocil:ssg-mount_option_home_nodev_action:testaction:1 
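Review bot: every `-`/`+` pair in this hunk is a move rather than a content change, which points at a non-deterministic emission order for the OCIL questionnaires in the generated datastream; the same ids leave here and reappear elsewhere in the patch (e.g. `ocil:ssg-package_policycoreutils-python-utils_installed_action:testaction:1` and `ocil:ssg-mount_option_home_nodev_action:testaction:1` are removed here and added back in a later hunk, while `ocil:ssg-service_rngd_enabled_action:testaction:1` is added here and removed later). Sorting the questionnaires by id (or otherwise pinning the emission order) before publishing would make the artifact reproducible and reduce these hunks to the real changes, which is also what anyone verifying a published datastream against the previous build needs. Separately, the added title `Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default` carries a typo (`Paremeter`); since the published XML is rendered from the rule definitions, the fix belongs in the rule title upstream, not in this artifact.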
@@ -347887,580 +347899,586 @@ which the system will be deployed as closely as possible.ocil:ssg-kernel_module_dccp_disabled_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Ensure SELinux State is Enforcing - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-selinux_state_action:testaction:1 - - Disable the haproxy_connect_any SELinux Boolean + + Verify Permissions on SSH Server Public *.pub Key Files - ocil:ssg-sebool_haproxy_connect_any_action:testaction:1 + ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1 - - Disable the awstats_purge_apache_log_files SELinux Boolean + + Harden common str/mem functions against buffer overflows - ocil:ssg-sebool_awstats_purge_apache_log_files_action:testaction:1 + ocil:ssg-kernel_config_fortify_source_action:testaction:1 - - Ensure PAM password complexity module is enabled in password-auth + + Add nosuid Option to /var/log/audit - ocil:ssg-accounts_password_pam_pwquality_password_auth_action:testaction:1 + ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1 - - Record Successful Delete Attempts to Files - renameat + + Perform full reference count validation - ocil:ssg-audit_rules_successful_file_modification_renameat_action:testaction:1 + ocil:ssg-kernel_config_refcount_full_action:testaction:1 - - Uninstall libreport-plugin-rhtsupport Package + + Disable the nfsd_anon_write SELinux Boolean - ocil:ssg-package_libreport-plugin-rhtsupport_removed_action:testaction:1 + ocil:ssg-sebool_nfsd_anon_write_action:testaction:1 - - Ensure rsyslog is Installed + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-package_rsyslog_installed_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Ensure ip6tables Firewall Rules Exist for All Open Ports + + Disable systemd-journal-remote Socket - ocil:ssg-ip6tables_rules_for_open_ports_action:testaction:1 + ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1 - - Verify 
Permissions on SSH Server config file + + Add noexec Option to /var/tmp - ocil:ssg-file_permissions_sshd_config_action:testaction:1 + ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 - - Assign Expiration Date to Temporary Accounts + + Set Password Hashing Rounds in /etc/login.defs - ocil:ssg-account_temp_expire_date_action:testaction:1 + ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - chage + + Disable SSH root Login with a Password (Insecure) - ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 + ocil:ssg-sshd_disable_root_password_login_action:testaction:1 - - Remove the kernel mapping in user mode + + Ensure logrotate is Installed - ocil:ssg-kernel_config_page_table_isolation_action:testaction:1 + ocil:ssg-package_logrotate_installed_action:testaction:1 - - Ensure syslog-ng is Installed + + Verify Group Who Owns Crontab - ocil:ssg-package_syslogng_installed_action:testaction:1 + ocil:ssg-file_groupowner_crontab_action:testaction:1 - - All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive + + Harden SSHD Crypto Policy - ocil:ssg-accounts_users_home_files_permissions_action:testaction:1 + ocil:ssg-harden_sshd_crypto_policy_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Audit Tools Must Have a Mode of 0755 or Less Permissive - ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 + ocil:ssg-file_audit_tools_permissions_action:testaction:1 - - Disable the httpd_run_stickshift SELinux Boolean + + Uninstall Sendmail Package - ocil:ssg-sebool_httpd_run_stickshift_action:testaction:1 + ocil:ssg-package_sendmail_removed_action:testaction:1 - - Configure maximum number of process identifiers + + Disable the httpd_can_connect_ldap SELinux Boolean - ocil:ssg-sysctl_kernel_pid_max_action:testaction:1 + 
ocil:ssg-sebool_httpd_can_connect_ldap_action:testaction:1 - - Ensure logrotate is Installed + + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - ocil:ssg-package_logrotate_installed_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 - - Disable x86 vsyscall emulation + + Enable Use of Privilege Separation - ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1 + ocil:ssg-sshd_use_priv_separation_action:testaction:1 - - Uninstall setroubleshoot-plugins Package + + Ensure /tmp Located On Separate Partition - ocil:ssg-package_setroubleshoot-plugins_removed_action:testaction:1 + ocil:ssg-partition_for_tmp_action:testaction:1 - - A remote time server for Chrony is configured + + Require Client SMB Packet Signing, if using smbclient - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-require_smb_client_signing_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 - - Disable Mounting of cramfs + + Disable the mcelog_client SELinux Boolean - ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 + ocil:ssg-sebool_mcelog_client_action:testaction:1 - - Enable the Hardware RNG Entropy Gatherer Service + + Disable the cluster_use_execmem SELinux Boolean - ocil:ssg-service_rngd_enabled_action:testaction:1 + ocil:ssg-sebool_cluster_use_execmem_action:testaction:1 - - Ensure All Accounts on the System Have Unique User IDs + + Set Existing Passwords Warning Age - ocil:ssg-account_unique_id_action:testaction:1 + ocil:ssg-accounts_password_set_warn_age_existing_action:testaction:1 - - Disable Samba + + Disable the httpd_mod_auth_pam SELinux Boolean - 
ocil:ssg-service_smb_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_mod_auth_pam_action:testaction:1 - - Disable Ctrl-Alt-Del Burst Action + + Uninstall krb5-workstation Package - ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1 + ocil:ssg-package_krb5-workstation_removed_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-accounts_password_pam_enforce_local_action:testaction:1 - - Disable the polipo_connect_all_unreserved SELinux Boolean + + Disable SSH TCP Forwarding - ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1 + ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 - - Verify Group Ownership on SSH Server Public *.pub Key Files + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-file_groupownership_sshd_pub_key_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Record Any Attempts to Run restorecon - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-audit_rules_execution_restorecon_action:testaction:1 - - Verify All Account Password Hashes are Shadowed + + Enable page allocator poisoning in zIPL - ocil:ssg-accounts_password_all_shadowed_action:testaction:1 + ocil:ssg-zipl_page_poison_argument_action:testaction:1 - - Modify the System Login Banner for Remote Connections + + Disable the cluster_manage_all_files SELinux Boolean - ocil:ssg-banner_etc_issue_net_action:testaction:1 + ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1 - - Set the UEFI Boot Loader Password + + Verify that System Executable Directories Have Restrictive Permissions - ocil:ssg-grub2_uefi_password_action:testaction:1 + ocil:ssg-dir_permissions_binary_dirs_action:testaction:1 - - Disable mutable 
hooks + + Enable authselect - ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1 + ocil:ssg-enable_authselect_action:testaction:1 - - Configure the gluster_export_all_rw SELinux Boolean + + Build and Test AIDE Database - ocil:ssg-sebool_gluster_export_all_rw_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Disable the httpd_run_preupgrade SELinux Boolean + + Disable the tmpreaper_use_samba SELinux Boolean - ocil:ssg-sebool_httpd_run_preupgrade_action:testaction:1 + ocil:ssg-sebool_tmpreaper_use_samba_action:testaction:1 - - Uninstall rsh Package + + Configure auditd admin_space_left Action on Low Disk Space - ocil:ssg-package_rsh_removed_action:testaction:1 + ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1 - - Remove the OpenSSH Server Package + + Verify Permissions on cron.daily - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-file_permissions_cron_daily_action:testaction:1 - - Ensure auditd Collects System Administrator Actions + + Disable the ssh_chroot_rw_homedirs SELinux Boolean - ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 + ocil:ssg-sebool_ssh_chroot_rw_homedirs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + + Uninstall xinetd Package - ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 + ocil:ssg-package_xinetd_removed_action:testaction:1 - - Disable SSH Server If Possible + + Disable Core Dumps for SUID programs - ocil:ssg-service_sshd_disabled_action:testaction:1 + ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 - - Disable GNOME3 Automount running + + Configure dnf-automatic to Install Only Security Updates - ocil:ssg-dconf_gnome_disable_autorun_action:testaction:1 + ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/shadow + + Install the McAfee Runtime Libraries and Linux Agent - 
ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1 + ocil:ssg-install_mcafee_cma_rt_action:testaction:1 - - Enable the selinuxuser_ping SELinux Boolean + + Set PAM''s Password Hashing Algorithm - ocil:ssg-sebool_selinuxuser_ping_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 - - Enable the logadm_exec_content SELinux Boolean + + Disable the zarafa_setrlimit SELinux Boolean - ocil:ssg-sebool_logadm_exec_content_action:testaction:1 + ocil:ssg-sebool_zarafa_setrlimit_action:testaction:1 - - Enable the LDAP Client For Use in Authconfig + + Remove the GDM Package Group - ocil:ssg-enable_ldap_client_action:testaction:1 + ocil:ssg-package_gdm_removed_action:testaction:1 - - Configure auditd max_log_file_action Upon Reaching Maximum Log Size + + Disable User Administration in GNOME3 - ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1 + ocil:ssg-dconf_gnome_disable_user_admin_action:testaction:1 - - Disable the exim_can_connect_db SELinux Boolean + + Record Successful Creation Attempts to Files - open O_CREAT - ocil:ssg-sebool_exim_can_connect_db_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1 - - Disable System Statistics Reset Service (sysstat) + + Disable support for /proc/kkcore - ocil:ssg-service_sysstat_disabled_action:testaction:1 + ocil:ssg-kernel_config_proc_kcore_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - rename + + Verify /boot/efi/EFI/redhat/user.cfg Permissions - ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 + ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1 - - Verify ufw Enabled + + Verify permissions on Message of the Day Banner - ocil:ssg-service_ufw_enabled_action:testaction:1 + ocil:ssg-file_permissions_etc_motd_action:testaction:1 - - Disable LDAP Server (slapd) + + Enable GNOME3 Login Warning Banner - ocil:ssg-service_slapd_disabled_action:testaction:1 + 
ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 - - Disable httpd Service + + Mount Remote Filesystems with noexec - ocil:ssg-service_httpd_disabled_action:testaction:1 + ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the pcp_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_pcp_bind_all_unreserved_ports_action:testaction:1 - - Record Successful Access Attempts to Files - open_by_handle_at + + Ensure /usr Located On Separate Partition - ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_action:testaction:1 + ocil:ssg-partition_for_usr_action:testaction:1 - - Uninstall tuned Package + + Ensure that chronyd is running under chrony user account - ocil:ssg-package_tuned_removed_action:testaction:1 + ocil:ssg-chronyd_run_as_chrony_user_action:testaction:1 - - Disable the virt_read_qemu_ga_data SELinux Boolean + + Disable the mock_enable_homedirs SELinux Boolean - ocil:ssg-sebool_virt_read_qemu_ga_data_action:testaction:1 + ocil:ssg-sebool_mock_enable_homedirs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + + Record Unsuccessful Access Attempts to Files - open_by_handle_at - ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 - - Verify Group Who Owns /var/log/syslog File + + Disable Web Content Symbolic Links - ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1 + ocil:ssg-httpd_disable_content_symlinks_action:testaction:1 - - Configure the httpd_builtin_scripting SELinux Boolean + + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - ocil:ssg-sebool_httpd_builtin_scripting_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 - - Add nosuid Option to /var/tmp + + Verify 
/boot/efi/EFI/redhat/user.cfg User Ownership - ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1 + ocil:ssg-file_owner_efi_user_cfg_action:testaction:1 - - The Postfix package is installed + + Verify Group Who Owns Backup group File - ocil:ssg-package_postfix_installed_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 - - Disallow Configuration to Bypass Password Requirements for Privilege Escalation + + Disable the samba_share_nfs SELinux Boolean - ocil:ssg-disallow_bypass_password_sudo_action:testaction:1 + ocil:ssg-sebool_samba_share_nfs_action:testaction:1 - - Disable the httpd_ssi_exec SELinux Boolean + + Disable telnet Service - ocil:ssg-sebool_httpd_ssi_exec_action:testaction:1 + ocil:ssg-service_telnet_disabled_action:testaction:1 - - Ensure Red Hat GPG Key Installed + + Do Not Allow SSH Environment Options - ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1 + ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1 - - Verify Group Ownership on SSH Server Private *_key Key Files + + Enable the auditadm_exec_content SELinux Boolean - ocil:ssg-file_groupownership_sshd_private_key_action:testaction:1 + ocil:ssg-sebool_auditadm_exec_content_action:testaction:1 - - Disable the httpd_unified SELinux Boolean + + Disable the samba_portmapper SELinux Boolean - ocil:ssg-sebool_httpd_unified_action:testaction:1 + ocil:ssg-sebool_samba_portmapper_action:testaction:1 - - Add nosuid Option to /var/log/audit + + Add nosuid Option to /home - ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Disable the ftpd_use_nfs SELinux Boolean + + All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group - ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1 + ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1 - - Disable the authlogin_yubikey SELinux Boolean + + Ensure Logs Sent To Remote Host - 
ocil:ssg-sebool_authlogin_yubikey_action:testaction:1 + ocil:ssg-rsyslog_remote_loghost_action:testaction:1 - - Verify User Who Owns passwd File + + Record Events that Modify the System's Discretionary Access Controls - removexattr - ocil:ssg-file_owner_etc_passwd_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 - - Configure auditing of successful file accesses + + Install iptables Package - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Disable Host-Based Authentication + + Authorize Human Interface Devices in USBGuard daemon - ocil:ssg-disable_host_auth_action:testaction:1 + ocil:ssg-usbguard_allow_hid_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Different Categories + + Ensure No World-Writable Files Exist - ocil:ssg-accounts_password_pam_minclass_action:testaction:1 + ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 - - Disable SSH Support for .rhosts Files + + Disable the xguest_connect_network SELinux Boolean - ocil:ssg-sshd_disable_rhosts_action:testaction:1 + ocil:ssg-sebool_xguest_connect_network_action:testaction:1 - - Configure GnuTLS library to use DoD-approved TLS Encryption + + Configure kernel to trust the CPU random number generator - ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1 + ocil:ssg-grub2_kernel_trust_cpu_rng_action:testaction:1 - - Set SSH Client Alive Interval + + Disable the git_session_users SELinux Boolean - ocil:ssg-sshd_set_idle_timeout_action:testaction:1 + ocil:ssg-sebool_git_session_users_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - renameat + + Don't target root user in the sudoers file - ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1 + ocil:ssg-sudoers_no_root_target_action:testaction:1 - - Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Disable the 
telepathy_tcp_connect_generic_network_ports SELinux Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 + ocil:ssg-sebool_telepathy_tcp_connect_generic_network_ports_action:testaction:1 - - Disable the fcron_crond SELinux Boolean + + Specify UID and GID for Anonymous NFS Connections - ocil:ssg-sebool_fcron_crond_action:testaction:1 + ocil:ssg-nfs_no_anonymous_action:testaction:1 - - Ensure debug-shell service is not enabled in zIPL + + Set Default ip6tables Policy for Incoming Packets - ocil:ssg-zipl_systemd_debug-shell_argument_absent_action:testaction:1 + ocil:ssg-set_ip6tables_default_rule_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 - - Disable the pcp_read_generic_logs SELinux Boolean + + Enable Dracut FIPS Module - ocil:ssg-sebool_pcp_read_generic_logs_action:testaction:1 + ocil:ssg-enable_dracut_fips_module_action:testaction:1 - - Disable the selinuxuser_use_ssh_chroot SELinux Boolean + + Ensure sudo Runs In A Minimal Environment - sudo env_reset - ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 + ocil:ssg-sudo_add_env_reset_action:testaction:1 - - Ensure Log Files Are Owned By Appropriate Group + + All Interactive User Home Directories Must Be Group-Owned By The Primary Group - ocil:ssg-rsyslog_files_groupownership_action:testaction:1 + ocil:ssg-file_groupownership_home_directories_action:testaction:1 - - Enable FIPS Mode + + Disable ypserv Service - ocil:ssg-enable_fips_mode_action:testaction:1 + ocil:ssg-service_ypserv_disabled_action:testaction:1 - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + UEFI Boot Loader Is Not Installed On Removeable Media - 
ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1 + ocil:ssg-uefi_no_removeable_media_action:testaction:1 - - Verify Group Who Owns /etc/at.allow file + + Install policycoreutils-python-utils package - ocil:ssg-file_groupowner_at_allow_action:testaction:1 + ocil:ssg-package_policycoreutils-python-utils_installed_action:testaction:1 - - Disable the squid_use_tproxy SELinux Boolean + + Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config - ocil:ssg-sebool_squid_use_tproxy_action:testaction:1 + ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_action:testaction:1 - - Disable the conman_can_network SELinux Boolean + + Ensure /var/log/audit Located On Separate Partition - ocil:ssg-sebool_conman_can_network_action:testaction:1 + ocil:ssg-partition_for_var_log_audit_action:testaction:1 - - Add nodev Option to /home + + Enable SLUB debugging support - ocil:ssg-mount_option_home_nodev_action:testaction:1 + ocil:ssg-kernel_config_slub_debug_action:testaction:1 - - Set Daemon Umask + + Ensure journald is configured to write log files to persistent disk - ocil:ssg-umask_for_daemons_action:testaction:1 + ocil:ssg-journald_storage_action:testaction:1 - - Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty + + Require Authentication for Single User Mode - ocil:ssg-ensure_pam_wheel_group_empty_action:testaction:1 + ocil:ssg-require_singleuser_auth_action:testaction:1 - - Disable the cron_system_cronjob_use_shares SELinux Boolean + + Disable Core Dumps for All Users - ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 + ocil:ssg-disable_users_coredumps_action:testaction:1 - + Configure auditd space_left on Low Disk Space - ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1 + ocil:ssg-auditd_data_retention_space_left_action:testaction:1 + + + + Record Unsuccessful Delete Attempts to Files - unlinkat + + 
ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 
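Review bot: the `+` side of this hunk introduces rendered rule titles with spelling errors that should be corrected at the source the titles are generated from, not in the published XML: `Disable support for /proc/kkcore` (should read `/proc/kcore`, matching the id `ocil:ssg-kernel_config_proc_kcore_action:testaction:1`), `Set PAM''s Password Hashing Algorithm` (doubled apostrophe) and `UEFI Boot Loader Is Not Installed On Removeable Media`. The last one shares its spelling with the id `ocil:ssg-uefi_no_removeable_media_action:testaction:1`; only the human-readable title should change there, since renaming an id would break the profile and benchmark references that point at it. The rest of the hunk is the same reordering seen above: `ocil:ssg-package_logrotate_installed_action:testaction:1` is both removed and re-added within this single hunk, and the header counts (580 old lines, 586 new) show a net change of only six lines, so almost none of the 580 lines touched here represent a change in the published content.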
@@ -348469,2068 +348487,2056 @@ which the system will be deployed as closely as possible.ocil:ssg-package_iptables-services_removed_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Record Attempts to perform maintenance activities - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-audit_sudo_log_events_action:testaction:1 - - Configure auditing of unsuccessful permission changes + + Ensure All Files Are Owned by a User - ocil:ssg-audit_perm_change_failed_action:testaction:1 + ocil:ssg-no_files_unowned_by_user_action:testaction:1 - - Disable the mcelog_server SELinux Boolean + + Configure audispd's Plugin network_failure_action On Network Failure - ocil:ssg-sebool_mcelog_server_action:testaction:1 + ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1 - - Disable the samba_run_unconfined SELinux Boolean + + Audit Configuration Files Must Be Owned By Root - ocil:ssg-sebool_samba_run_unconfined_action:testaction:1 + ocil:ssg-file_ownership_audit_configuration_action:testaction:1 - - Disable the webadm_read_user_files SELinux Boolean + + Configure SSSD LDAP Backend Client CA Certificate - ocil:ssg-sebool_webadm_read_user_files_action:testaction:1 + ocil:ssg-sssd_ldap_configure_tls_ca_action:testaction:1 - - Disable the abrt_handle_event SELinux Boolean + + Disable the GNOME3 Login Restart and Shutdown Buttons - ocil:ssg-sebool_abrt_handle_event_action:testaction:1 + ocil:ssg-dconf_gnome_disable_restart_shutdown_action:testaction:1 - - Disable the nagios_run_pnp4nagios SELinux Boolean + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default - ocil:ssg-sebool_nagios_run_pnp4nagios_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_action:testaction:1 - - Disable the virt_use_samba SELinux Boolean + + Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config - ocil:ssg-sebool_virt_use_samba_action:testaction:1 + 
ocil:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy_action:testaction:1 - - Add nosuid Option to /dev/shm + + Uninstall bind Package - ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1 + ocil:ssg-package_bind_removed_action:testaction:1 - - Force opensc To Use Defined Smart Card Driver + + Lock Accounts After Failed Password Attempts - ocil:ssg-force_opensc_card_drivers_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words + + All Interactive Users Home Directories Must Exist - ocil:ssg-accounts_password_pam_dictcheck_action:testaction:1 + ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1 - - Ensure the Default Umask is Set Correctly in login.defs + + Disable the samba_domain_controller SELinux Boolean - ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 + ocil:ssg-sebool_samba_domain_controller_action:testaction:1 - - Do Not Show System Messages When Unsuccessful Logon Attempts Occur + + Verify that audit tools Have Mode 0755 or less - ocil:ssg-accounts_passwords_pam_faillock_silent_action:testaction:1 + ocil:ssg-file_permissions_audit_binaries_action:testaction:1 - - Disable the httpd_can_connect_ftp SELinux Boolean + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group - ocil:ssg-sebool_httpd_can_connect_ftp_action:testaction:1 + ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 - - Disable the logging_syslogd_can_sendmail SELinux Boolean + + Disable the samba_run_unconfined SELinux Boolean - ocil:ssg-sebool_logging_syslogd_can_sendmail_action:testaction:1 + ocil:ssg-sebool_samba_run_unconfined_action:testaction:1 - - MIME types for csh or sh shell programs must be disabled + + Disallow magic SysRq key - ocil:ssg-httpd_disable_mime_types_action:testaction:1 + ocil:ssg-sysctl_kernel_sysrq_action:testaction:1 - - Ensure McAfee Endpoint 
Security for Linux (ENSL) is running + + Disable the use_fusefs_home_dirs SELinux Boolean - ocil:ssg-agent_mfetpd_running_action:testaction:1 + ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - shutdown + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-audit_privileged_commands_shutdown_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure the audit Subsystem is Installed + + Ensure Home Directories are Created for New Users - ocil:ssg-package_audit_installed_action:testaction:1 + ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1 - - Disable the tor_can_network_relay SELinux Boolean + + Verify /boot/efi/EFI/redhat/user.cfg Group Ownership - ocil:ssg-sebool_tor_can_network_relay_action:testaction:1 + ocil:ssg-file_groupowner_efi_user_cfg_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - mount + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default - ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1 - - Enable SSH Warning Banner + + Disable the wine_mmap_zero_ignore SELinux Boolean - ocil:ssg-sshd_enable_warning_banner_action:testaction:1 + ocil:ssg-sebool_wine_mmap_zero_ignore_action:testaction:1 - - Disable Kerberos by removing host keytab + + Disable Host-Based Authentication - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure All Accounts on the System Have Unique Names + + Ensure ip6tables Firewall Rules Exist for All Open Ports - ocil:ssg-account_unique_name_action:testaction:1 + ocil:ssg-ip6tables_rules_for_open_ports_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Scan All Uploaded Content for Malicious Software - 
ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1 - - Disable At Service (atd) + + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server - ocil:ssg-service_atd_disabled_action:testaction:1 + ocil:ssg-rsyslog_nolisten_action:testaction:1 - - Ensure /usr Located On Separate Partition + + Disable the tmpreaper_use_nfs SELinux Boolean - ocil:ssg-partition_for_usr_action:testaction:1 + ocil:ssg-sebool_tmpreaper_use_nfs_action:testaction:1 - - Enable the user_exec_content SELinux Boolean + + Disable the abrt_anon_write SELinux Boolean - ocil:ssg-sebool_user_exec_content_action:testaction:1 + ocil:ssg-sebool_abrt_anon_write_action:testaction:1 - - Install dnf-plugin-subscription-manager Package + + Configure immutable Audit login UIDs - ocil:ssg-package_dnf-plugin-subscription-manager_installed_action:testaction:1 + ocil:ssg-audit_immutable_login_uids_action:testaction:1 - - Disable the virt_sandbox_use_sys_admin SELinux Boolean + + Configure ARP filtering for All IPv4 Interfaces - ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1 - - Configure CA certificate for rsyslog remote logging + + Configure the secure_mode_insmod SELinux Boolean - ocil:ssg-rsyslog_remote_tls_cacert_action:testaction:1 + ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 - - Configure auditing of successful file creations + + Record Successful Permission Changes to Files - removexattr - ocil:ssg-audit_create_success_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1 - - Set Account Expiration Following Inactivity + + Disable Secure RPC Server Service (rpcsvcgssd) - ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 + ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 - - Configure LDAP Client to Use TLS For All Transactions + + Disable the nis_enabled SELinux Boolean 
- ocil:ssg-ldap_client_start_tls_action:testaction:1 + ocil:ssg-sebool_nis_enabled_action:testaction:1 - - Install iptables Package + + Ensure All SUID Executables Are Authorized - ocil:ssg-package_iptables_installed_action:testaction:1 + ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1 - - Set the GNOME3 Login Number of Failures + + Configure auditing of unsuccessful file creations - ocil:ssg-dconf_gnome_login_retries_action:testaction:1 + ocil:ssg-audit_create_failed_action:testaction:1 - - Verify the SSH Private Key Files Have a Passcode + + Require Encryption for Remote Access in GNOME3 - ocil:ssg-ssh_keys_passphrase_protected_action:testaction:1 + ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 - - Enable the cron_userdomain_transition SELinux Boolean + + Configure System to Forward All Mail From Postmaster to The Root Account - ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1 + ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1 - - Disable rlogin Service + + Ensure There Are No Accounts With Blank or Null Passwords - ocil:ssg-service_rlogin_disabled_action:testaction:1 + ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1 - - Disable the httpd_verify_dns SELinux Boolean + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-sebool_httpd_verify_dns_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Disable the authlogin_nsswitch_use_ldap SELinux Boolean + + Disable the sanlock_use_nfs SELinux Boolean - ocil:ssg-sebool_authlogin_nsswitch_use_ldap_action:testaction:1 + ocil:ssg-sebool_sanlock_use_nfs_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Enable the 
xend_run_blktap SELinux Boolean + + Disable the httpd_can_connect_ftp SELinux Boolean - ocil:ssg-sebool_xend_run_blktap_action:testaction:1 + ocil:ssg-sebool_httpd_can_connect_ftp_action:testaction:1 - - Uninstall xinetd Package + + Disable the xen_use_nfs SELinux Boolean - ocil:ssg-package_xinetd_removed_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Configure auditd Disk Error Action on Disk Error + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Set type of computer node name logging in audit logs + + The operating system must restrict privilege elevation to authorized personnel - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1 - - Install vim Package + + Enable PAM - ocil:ssg-package_vim_installed_action:testaction:1 + ocil:ssg-sshd_enable_pam_action:testaction:1 - - Disable the rsync_anon_write SELinux Boolean + + Disable Power Settings in GNOME3 - ocil:ssg-sebool_rsync_anon_write_action:testaction:1 + ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1 - - Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces + + Disable the cobbler_anon_write SELinux Boolean - ocil:ssg-sysctl_net_ipv4_conf_all_forwarding_action:testaction:1 + ocil:ssg-sebool_cobbler_anon_write_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Record attempts to alter time through settimeofday - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_time_settimeofday_action:testaction:1 - - Disable the ftpd_use_passive_mode SELinux Boolean + + Enforce Spectre v2 mitigation - ocil:ssg-sebool_ftpd_use_passive_mode_action:testaction:1 + ocil:ssg-grub2_spectre_v2_argument_action:testaction:1 - - The Installed Operating System Is Vendor Supported + + 
Disable the httpd_sys_script_anon_write SELinux Boolean - ocil:ssg-installed_OS_is_vendor_supported_action:testaction:1 + ocil:ssg-sebool_httpd_sys_script_anon_write_action:testaction:1 - - Disable the kdumpgui_run_bootloader SELinux Boolean + + Install OpenSSH client software - ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1 + ocil:ssg-package_openssh-clients_installed_action:testaction:1 - - Install McAfee Endpoint Security for Linux (ENSL) + + Enable Auditing for Processes Which Start Prior to the Audit Daemon - ocil:ssg-package_mcafeetp_installed_action:testaction:1 + ocil:ssg-grub2_audit_argument_action:testaction:1 - - Disable the secure_mode_policyload SELinux Boolean + + Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout - ocil:ssg-sebool_secure_mode_policyload_action:testaction:1 + ocil:ssg-sudo_add_passwd_timeout_action:testaction:1 - - Disable the samba_domain_controller SELinux Boolean + + Record Successful Permission Changes to Files - fchmod - ocil:ssg-sebool_samba_domain_controller_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1 - - Disable the squid_connect_any SELinux Boolean + + Disable the swift_can_network SELinux Boolean - ocil:ssg-sebool_squid_connect_any_action:testaction:1 + ocil:ssg-sebool_swift_can_network_action:testaction:1 - - Enable the fips_mode SELinux Boolean + + Disable the zebra_write_config SELinux Boolean - ocil:ssg-sebool_fips_mode_action:testaction:1 + ocil:ssg-sebool_zebra_write_config_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/passwd + + Verify Owner on cron.weekly - ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1 + ocil:ssg-file_owner_cron_weekly_action:testaction:1 - - Set Password Maximum Consecutive Repeating Characters + + Configure dnf-automatic to Install Available Updates Automatically - ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1 + 
ocil:ssg-dnf-automatic_apply_updates_action:testaction:1 - - Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces + + Record Successful Ownership Changes to Files - fchown - ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1 - - Verify Owner on cron.hourly + + Disable the mpd_use_nfs SELinux Boolean - ocil:ssg-file_owner_cron_hourly_action:testaction:1 + ocil:ssg-sebool_mpd_use_nfs_action:testaction:1 - - OpenSSL uses strong entropy source + + Limit sampling frequency of the Perf system - ocil:ssg-openssl_use_strong_entropy_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1 - - Public web server resources must not be shared with private assets + + Record Events that Modify the System's Network Environment - ocil:ssg-httpd_public_resources_not_shared_action:testaction:1 + ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 - - Uninstall python3-abrt-addon Package + + Disable storing core dumps - ocil:ssg-package_python3-abrt-addon_removed_action:testaction:1 + ocil:ssg-sysctl_kernel_core_pattern_action:testaction:1 - - Configure TLS for rsyslog remote logging + + Each Web Content Directory Must Contain An index.html File - ocil:ssg-rsyslog_remote_tls_action:testaction:1 + ocil:ssg-httpd_configure_documentroot_action:testaction:1 - - Verify User Who Owns Backup shadow File + + Ensure auditd Collects Information on the Use of Privileged Commands - shutdown - ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1 + ocil:ssg-audit_privileged_commands_shutdown_action:testaction:1 - - Record Successful Delete Attempts to Files - unlinkat + + Record Unsuccessful Permission Changes to Files - removexattr - ocil:ssg-audit_rules_successful_file_modification_unlinkat_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1 - - Install the OpenSSH 
Server Package + + Ensure gpgcheck Enabled for All yum Package Repositories - ocil:ssg-package_openssh-server_installed_action:testaction:1 + ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 - - Install McAfee Virus Scanning Software + + Install libcap-ng-utils Package - ocil:ssg-install_mcafee_antivirus_action:testaction:1 + ocil:ssg-package_libcap-ng-utils_installed_action:testaction:1 - - Disable the openvpn_enable_homedirs SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Limit the Number of Concurrent Login Sessions Allowed Per User + + Enable module signature verification - ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 + ocil:ssg-kernel_config_module_sig_action:testaction:1 - - Ensure Default SNMP Password Is Not Used + + Set Kernel Parameter to Increase Local Port Range - ocil:ssg-snmpd_not_default_password_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_ip_local_port_range_action:testaction:1 - - Set the Boot Loader Admin Username to a Non-Default Value + + Ensure All Groups on the System Have Unique Group Names - ocil:ssg-grub2_admin_username_action:testaction:1 + ocil:ssg-group_unique_name_action:testaction:1 - - Write Audit Logs to the Disk + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-auditd_write_logs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Session Idle Settings + + Disable Printer Browsing Entirely if Possible - ocil:ssg-dconf_gnome_session_idle_user_locks_action:testaction:1 + ocil:ssg-cups_disable_browsing_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Uninstall openldap-servers Package - ocil:ssg-group_unique_id_action:testaction:1 + 
ocil:ssg-package_openldap-servers_removed_action:testaction:1 - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Disable core dump backtraces - ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 + ocil:ssg-coredump_disable_backtraces_action:testaction:1 - - Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean + + Ensure rsyslog-gnutls is installed - ocil:ssg-sebool_selinuxuser_postgresql_connect_enabled_action:testaction:1 + ocil:ssg-package_rsyslog-gnutls_installed_action:testaction:1 - - Ensure All Groups on the System Have Unique Group Names + + Verify Group Who Owns SSH Server config file - ocil:ssg-group_unique_name_action:testaction:1 + ocil:ssg-file_groupowner_sshd_config_action:testaction:1 - - Ensure network interfaces are assigned to appropriate zone + + Disable x86 vsyscall emulation - ocil:ssg-set_firewalld_appropriate_zone_action:testaction:1 + ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1 - - Record Events that Modify the System's Mandatory Access Controls + + Ensure SMEP is not disabled during boot - ocil:ssg-audit_rules_mac_modification_action:testaction:1 + ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1 - - Enable page allocator poisoning in zIPL + + Verify Permissions on Backup passwd File - ocil:ssg-zipl_page_poison_argument_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 - - Force frequent session key renegotiation + + Ensure that System Accounts Are Locked - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 - - Specify UID and GID for Anonymous NFS Connections + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-nfs_no_anonymous_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Ensure auditd Collects Information on the Use of Privileged Commands - 
pam_timestamp_check - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 - - Disable the ksmtuned_use_nfs SELinux Boolean + + Uninstall httpd Package - ocil:ssg-sebool_ksmtuned_use_nfs_action:testaction:1 + ocil:ssg-package_httpd_removed_action:testaction:1 - - Disable the xguest_connect_network SELinux Boolean + + Add noexec Option to /dev/shm - ocil:ssg-sebool_xguest_connect_network_action:testaction:1 + ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/security/opasswd + + Enable Smartcards in SSSD - ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 + ocil:ssg-sssd_enable_smartcards_action:testaction:1 - - Avoid speculative indirect branches in kernel + + Disable Recovery Booting - ocil:ssg-kernel_config_retpoline_action:testaction:1 + ocil:ssg-grub2_disable_recovery_action:testaction:1 - - Disable the webadm_manage_user_files SELinux Boolean + + Disable Kerberos by removing host keytab - ocil:ssg-sebool_webadm_manage_user_files_action:testaction:1 + ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure sudo only includes the default configuration directory - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-sudoers_default_includedir_action:testaction:1 - - Disable the mcelog_client SELinux Boolean + + Restrict Exposed Kernel Pointer Addresses Access - ocil:ssg-sebool_mcelog_client_action:testaction:1 + ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 - - Disable the virt_use_rawip SELinux Boolean + + Disable the tftp_home_dir SELinux Boolean - ocil:ssg-sebool_virt_use_rawip_action:testaction:1 + ocil:ssg-sebool_tftp_home_dir_action:testaction:1 - - Install the SSSD Package + + Record Events that Modify the System's Mandatory Access Controls in usr/share - 
ocil:ssg-package_sssd_installed_action:testaction:1 + ocil:ssg-audit_rules_mac_modification_usr_share_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Ensure journald is configured to send logs to rsyslog - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-journald_forward_to_syslog_action:testaction:1 - - Remove Host-Based Authentication Files + + Record Any Attempts to Run setfiles - ocil:ssg-no_host_based_files_action:testaction:1 + ocil:ssg-audit_rules_execution_setfiles_action:testaction:1 - - Disable the mozilla_plugin_can_network_connect SELinux Boolean + + Ensure users' .netrc Files are not group or world accessible - ocil:ssg-sebool_mozilla_plugin_can_network_connect_action:testaction:1 + ocil:ssg-accounts_users_netrc_file_permissions_action:testaction:1 - - Disable rexec Service + + Disable XDMCP in GDM - ocil:ssg-service_rexec_disabled_action:testaction:1 + ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1 - - Disable the xserver_object_manager SELinux Boolean + + Disable Odd Job Daemon (oddjobd) - ocil:ssg-sebool_xserver_object_manager_action:testaction:1 + ocil:ssg-service_oddjobd_disabled_action:testaction:1 - - Ensure SELinux Not Disabled in the kernel arguments + + Disable the selinuxuser_execstack SELinux Boolean - ocil:ssg-coreos_enable_selinux_kernel_argument_action:testaction:1 + ocil:ssg-sebool_selinuxuser_execstack_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - truncate + + Ensure PAM Displays Last Logon/Access Notification - ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 + ocil:ssg-display_login_attempts_action:testaction:1 - - Configure BIND to use System Crypto Policy + + Remove Rsh Trust Files - ocil:ssg-configure_bind_crypto_policy_action:testaction:1 + ocil:ssg-no_rsh_trust_files_action:testaction:1 - - Disable the collectd_tcp_network_connect SELinux Boolean + + Configure the deny_execmem SELinux Boolean - 
ocil:ssg-sebool_collectd_tcp_network_connect_action:testaction:1 + ocil:ssg-sebool_deny_execmem_action:testaction:1 - - Verify Group Who Owns /etc/cron.allow file + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty - ocil:ssg-file_groupowner_cron_allow_action:testaction:1 + ocil:ssg-sudo_add_use_pty_action:testaction:1 - - Disable the glance_api_can_network SELinux Boolean + + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces - ocil:ssg-sebool_glance_api_can_network_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_action:testaction:1 - - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Harden slab freelist metadata - ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 + ocil:ssg-kernel_config_slab_freelist_hardened_action:testaction:1 - - Disable Core Dumps for All Users + + Disable the selinuxuser_mysql_connect_enabled SELinux Boolean - ocil:ssg-disable_users_coredumps_action:testaction:1 + ocil:ssg-sebool_selinuxuser_mysql_connect_enabled_action:testaction:1 - - Uninstall vsftpd Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_vsftpd_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure Chrony is only configured with the server directive + + Disable the cvs_read_shadow SELinux Boolean - ocil:ssg-chronyd_server_directive_action:testaction:1 + ocil:ssg-sebool_cvs_read_shadow_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - at + + Configure GnuTLS library to use DoD-approved TLS Encryption - ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1 + ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1 - - Configure L1 Terminal Fault mitigations + + Do not allow ACPI methods to be inserted/replaced at run time - ocil:ssg-grub2_l1tf_argument_action:testaction:1 + 
ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1 - - Disable the xdm_sysadm_login SELinux Boolean + + Record Unsuccessful Access Attempts to Files - openat - ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 - - Enable Postfix Service + + Verify Permissions on group File - ocil:ssg-service_postfix_enabled_action:testaction:1 + ocil:ssg-file_permissions_etc_group_action:testaction:1 - - Explicit arguments in sudo specifications + + Record Unsuccessful Permission Changes to Files - fsetxattr - ocil:ssg-sudoers_explicit_command_args_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1 - - Verify Permissions on Backup shadow File + + Uninstall setroubleshoot-plugins Package - ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1 + ocil:ssg-package_setroubleshoot-plugins_removed_action:testaction:1 - - Verify Permissions on cron.weekly + + Harden memory copies between kernel and userspace - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-kernel_config_hardened_usercopy_action:testaction:1 - - Disable IEEE 1394 (FireWire) Support + + Record Any Attempts to Run setfacl - ocil:ssg-kernel_module_firewire-core_disabled_action:testaction:1 + ocil:ssg-audit_rules_execution_setfacl_action:testaction:1 - - Enable the unconfined_mozilla_plugin_transition SELinux Boolean + + Disable the httpd_run_ipa SELinux Boolean - ocil:ssg-sebool_unconfined_mozilla_plugin_transition_action:testaction:1 + ocil:ssg-sebool_httpd_run_ipa_action:testaction:1 - - Ignore HTTPD .htaccess Files + + Disable GNOME3 Automount running - ocil:ssg-httpd_ignore_htaccess_files_action:testaction:1 + ocil:ssg-dconf_gnome_disable_autorun_action:testaction:1 - - Disable the irc_use_any_tcp_ports SELinux Boolean + + Uninstall pigz Package - ocil:ssg-sebool_irc_use_any_tcp_ports_action:testaction:1 + 
ocil:ssg-package_pigz_removed_action:testaction:1 - - Drop Gratuitious ARP frames on All IPv4 Interfaces + + Set number of Password Hashing Rounds - system-auth - ocil:ssg-sysctl_net_ipv4_conf_all_drop_gratuitous_arp_action:testaction:1 + ocil:ssg-accounts_password_pam_unix_rounds_system_auth_action:testaction:1 - - Mount Remote Filesystems with nodev + + Installation of a compiler on production web server is prohibited - ocil:ssg-mount_option_nodev_remote_filesystems_action:testaction:1 + ocil:ssg-httpd_no_compilers_in_prod_action:testaction:1 - - Set Existing Passwords Minimum Age + + Disable the git_system_enable_homedirs SELinux Boolean - ocil:ssg-accounts_password_set_min_life_existing_action:testaction:1 + ocil:ssg-sebool_git_system_enable_homedirs_action:testaction:1 - - Disable the virt_use_fusefs SELinux Boolean + + Record Attempts to Alter Logon and Logout Events - lastlog - ocil:ssg-sebool_virt_use_fusefs_action:testaction:1 + ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1 - - Disable the nfsd_anon_write SELinux Boolean + + Ensure /var/log Located On Separate Partition - ocil:ssg-sebool_nfsd_anon_write_action:testaction:1 + ocil:ssg-partition_for_var_log_action:testaction:1 - - Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE + + Uninstall CUPS Package - ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1 + ocil:ssg-package_cups_removed_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Require Client SMB Packet Signing, if using mount.cifs - ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 + ocil:ssg-mount_option_smb_client_signing_action:testaction:1 - - Disable GNOME3 Automount Opening + + Set SSH MaxSessions limit - ocil:ssg-dconf_gnome_disable_automount_open_action:testaction:1 + ocil:ssg-sshd_set_max_sessions_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + 
Record Unsuccessful Creation Attempts to Files - open O_CREAT - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/shadow + + Force initialization of variables containing userspace addresses - ocil:ssg-audit_rules_etc_shadow_openat_action:testaction:1 + ocil:ssg-kernel_config_gcc_plugin_structleak_action:testaction:1 - - Ensure a dedicated group owns sudo + + Set the GNOME3 Login Warning Banner Text - ocil:ssg-sudo_dedicated_group_action:testaction:1 + ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 - - Disable the sge_domain_can_network_connect SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - ocil:ssg-sebool_sge_domain_can_network_connect_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_action:testaction:1 - - Set number of Password Hashing Rounds - system-auth + + Disable the daemons_use_tty SELinux Boolean - ocil:ssg-accounts_password_pam_unix_rounds_system_auth_action:testaction:1 + ocil:ssg-sebool_daemons_use_tty_action:testaction:1 - - Uninstall rsync Package + + Verify Owner on crontab - ocil:ssg-package_rsync_removed_action:testaction:1 + ocil:ssg-file_owner_crontab_action:testaction:1 - - The Chrony package is installed + + Install audispd-plugins Package - ocil:ssg-package_chrony_installed_action:testaction:1 + ocil:ssg-package_audispd-plugins_installed_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - open_by_handle_at + + Disable the mcelog_server SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 + ocil:ssg-sebool_mcelog_server_action:testaction:1 - - Enable Encrypted X11 Forwarding + + Ensure the Default Bash Umask is Set Correctly - ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1 + 
ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1 - - Ensure sudo Runs In A Minimal Environment - sudo env_reset + + Kernel panic timeout - ocil:ssg-sudo_add_env_reset_action:testaction:1 + ocil:ssg-kernel_config_panic_timeout_action:testaction:1 - - Install libselinux Package + + Disable Squid - ocil:ssg-package_libselinux_installed_action:testaction:1 + ocil:ssg-service_squid_disabled_action:testaction:1 - - Disable All GNOME3 Thumbnailers + + Ensure Rsyslog Authenticates Off-Loaded Audit Records - ocil:ssg-dconf_gnome_disable_thumbnailers_action:testaction:1 + ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action:testaction:1 - - Ensure /home Located On Separate Partition + + Add noexec Option to /var/log - ocil:ssg-partition_for_home_action:testaction:1 + ocil:ssg-mount_option_var_log_noexec_action:testaction:1 - - Verify Only Root Has UID 0 + + Ensure PAM Enforces Password Requirements - Minimum Length - ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 + ocil:ssg-accounts_password_pam_minlen_action:testaction:1 - - Enable the mcelog_exec_scripts SELinux Boolean + + Disable the puppetagent_manage_all_files SELinux Boolean - ocil:ssg-sebool_mcelog_exec_scripts_action:testaction:1 + ocil:ssg-sebool_puppetagent_manage_all_files_action:testaction:1 - - Enable different security models + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - ocil:ssg-kernel_config_security_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 - - Enable GNOME3 Screensaver Idle Activation + + Set Default iptables Policy for Forwarded Packets - ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_action:testaction:1 + ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 - - Ensure nss-tools is installed + + Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. 
- ocil:ssg-package_nss-tools_installed_action:testaction:1 + ocil:ssg-account_password_pam_faillock_password_auth_action:testaction:1 - - Ensure Mail Transfer Agent is not Listening on any non-loopback Address + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - ocil:ssg-has_nonlocal_mta_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 - - Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ + + Disable the rsync_full_access SELinux Boolean - ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1 + ocil:ssg-sebool_rsync_full_access_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Enforce for root User + + Verify /boot/grub2/user.cfg User Ownership - ocil:ssg-accounts_password_pam_enforce_root_action:testaction:1 + ocil:ssg-file_owner_user_cfg_action:testaction:1 - - Ensure rsyslog Default File Permissions Configured + + Disable ypbind Service - ocil:ssg-rsyslog_filecreatemode_action:testaction:1 + ocil:ssg-service_ypbind_disabled_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure journald is configured to compress large log files - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-journald_compress_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - ocil:ssg-accounts_password_pam_ucredit_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 - - Disable compatibility with brk() + + Record Events that Modify the System's Discretionary Access Controls - lchown - ocil:ssg-kernel_config_compat_brk_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 - - Verify Group Who Owns /var/log Directory + + Uninstall rsh Package - ocil:ssg-file_groupowner_var_log_action:testaction:1 
+ ocil:ssg-package_rsh_removed_action:testaction:1 - - Configure auditing of loading and unloading of kernel modules + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - ocil:ssg-audit_module_load_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1 - - Ensure SSH LoginGraceTime is configured + + Configure auditd flush priority - ocil:ssg-sshd_set_login_grace_time_action:testaction:1 + ocil:ssg-auditd_data_retention_flush_action:testaction:1 - - Ensure debug-shell service is not enabled during boot + + Disable the tor_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-grub2_systemd_debug-shell_argument_absent_action:testaction:1 + ocil:ssg-sebool_tor_bind_all_unreserved_ports_action:testaction:1 - - Prevent Login to Accounts With Empty Password + + Create Warning Banners for All FTP Users - ocil:ssg-no_empty_passwords_action:testaction:1 + ocil:ssg-ftp_present_banner_action:testaction:1 - - Uninstall dovecot Package + + Ensure rsyslog Default File Permissions Configured - ocil:ssg-package_dovecot_removed_action:testaction:1 + ocil:ssg-rsyslog_filecreatemode_action:testaction:1 - - Verify Permissions on shadow File + + Disable the ftpd_use_fusefs SELinux Boolean - ocil:ssg-file_permissions_etc_shadow_action:testaction:1 + ocil:ssg-sebool_ftpd_use_fusefs_action:testaction:1 - - Uninstall CUPS Package + + Disable the logrotate_use_nfs SELinux Boolean - ocil:ssg-package_cups_removed_action:testaction:1 + ocil:ssg-sebool_logrotate_use_nfs_action:testaction:1 - - Remove the Kerberos Server Package + + Configure immutable Audit login UIDs - ocil:ssg-package_krb5-server_removed_action:testaction:1 + ocil:ssg-audit_rules_immutable_login_uids_action:testaction:1 - - Record Successful Permission Changes to Files - fchmodat + + Install AIDE - ocil:ssg-audit_rules_successful_file_modification_fchmodat_action:testaction:1 + ocil:ssg-package_aide_installed_action:testaction:1 - - Enable 
the sysadm_exec_content SELinux Boolean + + Verify User Who Owns passwd File - ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 + ocil:ssg-file_owner_etc_passwd_action:testaction:1 - - Enable HTTPD System Logging + + Disable the openvpn_can_network_connect SELinux Boolean - ocil:ssg-httpd_enable_system_logging_action:testaction:1 + ocil:ssg-sebool_openvpn_can_network_connect_action:testaction:1 - - Disable the httpd_serve_cobbler_files SELinux Boolean + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - ocil:ssg-sebool_httpd_serve_cobbler_files_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_query_action:testaction:1 - - Disable Anonymous FTP Access + + An SELinux Context must be configured for the pam_faillock.so records directory - ocil:ssg-httpd_disable_anonymous_ftp_access_action:testaction:1 + ocil:ssg-account_password_selinux_faillock_dir_action:testaction:1 - - Install the Host Intrusion Prevention System (HIPS) Module + + Warn on W+X mappings found at boot - ocil:ssg-package_MFEhiplsm_installed_action:testaction:1 + ocil:ssg-kernel_config_debug_wx_action:testaction:1 - - Set PAM''s Password Hashing Algorithm - password-auth + + Disable the postgresql_selinux_transmit_client_label SELinux Boolean - ocil:ssg-set_password_hashing_algorithm_passwordauth_action:testaction:1 + ocil:ssg-sebool_postgresql_selinux_transmit_client_label_action:testaction:1 - - Disable the samba_share_fusefs SELinux Boolean + + Install firewalld Package - ocil:ssg-sebool_samba_share_fusefs_action:testaction:1 + ocil:ssg-package_firewalld_installed_action:testaction:1 - - Disable the httpd_use_gpg SELinux Boolean + + Disable ATM Support - ocil:ssg-sebool_httpd_use_gpg_action:testaction:1 + ocil:ssg-kernel_module_atm_disabled_action:testaction:1 - - Disable the tftp_anon_write SELinux Boolean + + Set SSH Client Alive Count Max - ocil:ssg-sebool_tftp_anon_write_action:testaction:1 + 
ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Disable the httpd_use_nfs SELinux Boolean + + Disable the GNOME3 Login User List - ocil:ssg-sebool_httpd_use_nfs_action:testaction:1 + ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1 - - Verify that local System.map file (if exists) is readable only by root + + Record Successful Ownership Changes to Files - fchownat - ocil:ssg-file_permissions_systemmap_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchownat_action:testaction:1 - - Disable the mpd_use_cifs SELinux Boolean + + Enable the SSSD Service - ocil:ssg-sebool_mpd_use_cifs_action:testaction:1 + ocil:ssg-service_sssd_enabled_action:testaction:1 - - Limit Users' SSH Access + + Disable mutable hooks - ocil:ssg-sshd_limit_user_access_action:testaction:1 + ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1 - - Install OpenSSH client software + + Enable Use of Strict Mode Checking - ocil:ssg-package_openssh-clients_installed_action:testaction:1 + ocil:ssg-sshd_enable_strictmodes_action:testaction:1 - - Record Any Attempts to Run setfacl + + Configure the tmux Lock Command - ocil:ssg-audit_rules_execution_setfacl_action:testaction:1 + ocil:ssg-configure_tmux_lock_command_action:testaction:1 - - Enable the NTP Daemon + + Ensure auditd Collects Information on the Use of Privileged Commands - usermod - ocil:ssg-service_ntpd_enabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_usermod_action:testaction:1 - - Mount Remote Filesystems with nosuid + + Verify Permissions on cron.d - ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1 + ocil:ssg-file_permissions_cron_d_action:testaction:1 - - Disable the xen_use_nfs SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - at - ocil:ssg-sebool_xen_use_nfs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1 - - Verify ownership of Message of the Day Banner + + Record Events 
that Modify the System's Discretionary Access Controls - chmod - ocil:ssg-file_owner_etc_motd_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 - - Disable acquiring, saving, and processing core dumps + + Enable automatic signing of all modules - ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 + ocil:ssg-kernel_config_module_sig_all_action:testaction:1 - - Limit Password Reuse + + Install pam_pwquality Package - ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1 + ocil:ssg-package_pam_pwquality_installed_action:testaction:1 - - Verify that audit tools are owned by root + + Disable the mysql_connect_any SELinux Boolean - ocil:ssg-file_ownership_audit_binaries_action:testaction:1 + ocil:ssg-sebool_mysql_connect_any_action:testaction:1 - - Map System Users To The Appropriate SELinux Role + + Extend Audit Backlog Limit for the Audit Daemon - ocil:ssg-selinux_user_login_roles_action:testaction:1 + ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 - - Disable the ftpd_full_access SELinux Boolean + + Verify Root Has A Primary GID 0 - ocil:ssg-sebool_ftpd_full_access_action:testaction:1 - - - - Configure Response Mode of ARP Requests for All IPv4 Interfaces - - ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1 - - - - Disable the mysql_connect_any SELinux Boolean - - ocil:ssg-sebool_mysql_connect_any_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Record Successful Access Attempts to Files - creat + + Configure AIDE to Verify the Audit Tools - ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1 + ocil:ssg-aide_check_audit_tools_action:testaction:1 - - Account Lockouts Must Be Logged + + Disable the use_nfs_home_dirs SELinux Boolean - ocil:ssg-account_passwords_pam_faillock_audit_action:testaction:1 + ocil:ssg-sebool_use_nfs_home_dirs_action:testaction:1 - - Disable the httpd_sys_script_anon_write SELinux Boolean + + Enable 
rsyslog Service - ocil:ssg-sebool_httpd_sys_script_anon_write_action:testaction:1 + ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - Record Unsuccessful Delete Attempts to Files - unlink + + Record Successful Creation Attempts to Files - open O_TRUNC_WRITE - ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_o_trunc_write_action:testaction:1 - - Disable the pppd_can_insmod SELinux Boolean + + Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - ocil:ssg-sebool_pppd_can_insmod_action:testaction:1 + ocil:ssg-account_password_pam_faillock_system_auth_action:testaction:1 - - Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. + + Enable TCP/IP syncookie support - ocil:ssg-account_password_pam_faillock_password_auth_action:testaction:1 + ocil:ssg-kernel_config_syn_cookies_action:testaction:1 - - Set Interval For Counting Failed Password Attempts + + Verify /boot/grub2/user.cfg Permissions - ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1 + ocil:ssg-file_permissions_user_cfg_action:testaction:1 - - Ensure the Default Umask is Set Correctly For Interactive Users + + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC - ocil:ssg-accounts_umask_interactive_users_action:testaction:1 + ocil:ssg-sudo_add_noexec_action:testaction:1 - - Require Authentication for Emergency Systemd Target + + Configure The Number of Allowed Simultaneous Requests - ocil:ssg-require_emergency_target_auth_action:testaction:1 + ocil:ssg-httpd_configure_max_keepalive_requests_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + + Verify /boot/grub2/grub.cfg User Ownership - ocil:ssg-accounts_password_pam_retry_action:testaction:1 + ocil:ssg-file_owner_grub2_cfg_action:testaction:1 - - Record Successful Creation Attempts to 
Files - open O_TRUNC_WRITE + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_successful_file_modification_open_o_trunc_write_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Verify Owner on cron.weekly + + Configure the gluster_export_all_rw SELinux Boolean - ocil:ssg-file_owner_cron_weekly_action:testaction:1 + ocil:ssg-sebool_gluster_export_all_rw_action:testaction:1 - - Disable vsyscall emulation + + Install vim Package - ocil:ssg-kernel_config_legacy_vsyscall_emulate_action:testaction:1 + ocil:ssg-package_vim_installed_action:testaction:1 - - Disable the gluster_anon_write SELinux Boolean + + Disable IEEE 1394 (FireWire) Support - ocil:ssg-sebool_gluster_anon_write_action:testaction:1 + ocil:ssg-kernel_module_firewire-core_disabled_action:testaction:1 - - Disable the use_ecryptfs_home_dirs SELinux Boolean + + Disable the virt_transition_userdomain SELinux Boolean - ocil:ssg-sebool_use_ecryptfs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_transition_userdomain_action:testaction:1 - - Disable the lsmd_plugin_connect_any SELinux Boolean + + Verify Group Who Owns cron.hourly - ocil:ssg-sebool_lsmd_plugin_connect_any_action:testaction:1 + ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Ensure that User Home Directories are not Group-Writable or World-Readable - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-file_permissions_home_dirs_action:testaction:1 - - Disable the virt_transition_userdomain SELinux Boolean + + Disallow Configuration to Bypass Password Requirements for Privilege Escalation - ocil:ssg-sebool_virt_transition_userdomain_action:testaction:1 + ocil:ssg-disallow_bypass_password_sudo_action:testaction:1 - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo - 
ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 - - Configure audit according to OSPP requirements + + Configure Time Service Maxpoll Interval - ocil:ssg-audit_rules_for_ospp_action:testaction:1 + ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1 - - System Audit Directories Must Be Group Owned By Root + + Enable the nfs_export_all_ro SELinux Boolean - ocil:ssg-directory_group_ownership_var_log_audit_action:testaction:1 + ocil:ssg-sebool_nfs_export_all_ro_action:testaction:1 - - Record Attempts to perform maintenance activities + + Configure BIND to use System Crypto Policy - ocil:ssg-audit_sudo_log_events_action:testaction:1 + ocil:ssg-configure_bind_crypto_policy_action:testaction:1 - - Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config + + Uninstall abrt-addon-kerneloops Package - ocil:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy_action:testaction:1 + ocil:ssg-package_abrt-addon-kerneloops_removed_action:testaction:1 - - Lock Accounts Must Persist + + Disable the logging_syslogd_can_sendmail SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_dir_action:testaction:1 + ocil:ssg-sebool_logging_syslogd_can_sendmail_action:testaction:1 - - Extend Audit Backlog Limit for the Audit Daemon in zIPL + + Install the OpenSSH Server Package - ocil:ssg-zipl_audit_backlog_limit_argument_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Disable the httpd_can_network_connect_db SELinux Boolean + + Disable the virt_read_qemu_ga_data SELinux Boolean - ocil:ssg-sebool_httpd_can_network_connect_db_action:testaction:1 + ocil:ssg-sebool_virt_read_qemu_ga_data_action:testaction:1 - - Audit Configuration Files Permissions are 640 or More Restrictive + + Set Default iptables Policy for Incoming Packets - ocil:ssg-file_permissions_audit_configuration_action:testaction:1 + 
ocil:ssg-set_iptables_default_rule_action:testaction:1 - - Disable the logwatch_can_network_connect_mail SELinux Boolean + + The Installed Operating System Is Vendor Supported - ocil:ssg-sebool_logwatch_can_network_connect_mail_action:testaction:1 + ocil:ssg-installed_OS_is_vendor_supported_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - lremovexattr + + Audit Configuration Files Must Be Owned By Group root - ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_groupownership_audit_configuration_action:testaction:1 - - Record Attempts to Alter Logon and Logout Events - tallylog + + Disable Compression Or Set Compression to delayed - ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1 + ocil:ssg-sshd_disable_compression_action:testaction:1 - - Disable the glance_use_execmem SELinux Boolean + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-sebool_glance_use_execmem_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Configure auditing of unsuccessful ownership changes + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_owner_change_failed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Any Attempts to Run ssh-agent + + Disable the httpd_tty_comm SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_ssh_agent_action:testaction:1 + ocil:ssg-sebool_httpd_tty_comm_action:testaction:1 - - Disable the samba_share_nfs SELinux Boolean + + Record Unsuccessful Permission Changes to Files - setxattr - ocil:ssg-sebool_samba_share_nfs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + Account Lockouts Must Be Logged - ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 + 
ocil:ssg-account_passwords_pam_faillock_audit_action:testaction:1 - - Set Kernel Parameter to Increase Local Port Range + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-sysctl_net_ipv4_ip_local_port_range_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Disable the virt_use_nfs SELinux Boolean + + The robots.txt Files Must Not Exist - ocil:ssg-sebool_virt_use_nfs_action:testaction:1 + ocil:ssg-httpd_remove_robots_file_action:testaction:1 - - Emulate Privileged Access Never (PAN) + + Verify User Who Owns group File - ocil:ssg-kernel_config_arm64_sw_ttbr0_pan_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Enable Auditing to Start Prior to the Audit Daemon in zIPL - ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 + ocil:ssg-zipl_audit_argument_action:testaction:1 - - Disable support for /proc/kkcore + + Enable the NTP Daemon - ocil:ssg-kernel_config_proc_kcore_action:testaction:1 + ocil:ssg-service_ntpd_enabled_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - removexattr + + Record Any Attempts to Run chcon - ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_execution_chcon_action:testaction:1 - - Disable the ssh_keysign SELinux Boolean + + Remove User Host-Based Authentication Files - ocil:ssg-sebool_ssh_keysign_action:testaction:1 + ocil:ssg-no_user_host_based_files_action:testaction:1 - - Record Attempts to Alter Logon and Logout Events - lastlog + + Disable LDAP Server (slapd) - ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1 + ocil:ssg-service_slapd_disabled_action:testaction:1 - - Disable the zebra_write_config SELinux Boolean + + Disable the fenced_can_network_connect SELinux Boolean - ocil:ssg-sebool_zebra_write_config_action:testaction:1 + 
ocil:ssg-sebool_fenced_can_network_connect_action:testaction:1 - - Disable rsh Service + + User Initialization Files Must Not Run World-Writable Programs - ocil:ssg-service_rsh_disabled_action:testaction:1 + ocil:ssg-accounts_user_dot_no_world_writable_programs_action:testaction:1 - - Configure PAM in SSSD Services + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr - ocil:ssg-sssd_enable_pam_services_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 - - Disable the mock_enable_homedirs SELinux Boolean + + Ensure syslog-ng is Installed - ocil:ssg-sebool_mock_enable_homedirs_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Disable ATM Support + + Ensure that Root's Path Does Not Include World or Group-Writable Directories - ocil:ssg-kernel_module_atm_disabled_action:testaction:1 + ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 - - Disable the GNOME3 Login User List + + Map System Users To The Appropriate SELinux Role - ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1 + ocil:ssg-selinux_user_login_roles_action:testaction:1 - - Uninstall abrt-plugin-logger Package + + Disable the httpd_unified SELinux Boolean - ocil:ssg-package_abrt-plugin-logger_removed_action:testaction:1 + ocil:ssg-sebool_httpd_unified_action:testaction:1 - - Disable the httpd_anon_write SELinux Boolean + + Disable the mmap_low_allowed SELinux Boolean - ocil:ssg-sebool_httpd_anon_write_action:testaction:1 + ocil:ssg-sebool_mmap_low_allowed_action:testaction:1 - - Disable the 32-bit vDSO + + Ensure invoking users password for privilege escalation when using sudo - ocil:ssg-kernel_config_compat_vdso_action:testaction:1 + ocil:ssg-sudoers_validate_passwd_action:testaction:1 - - Verify /boot/efi/EFI/redhat/user.cfg Permissions + + Force opensc To Use Defined Smart Card Driver - ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1 + 
ocil:ssg-force_opensc_card_drivers_action:testaction:1 - - Restrict Virtual Console Root Logins + + Verify ownership of System Login Banner for Remote Connections - ocil:ssg-securetty_root_login_console_only_action:testaction:1 + ocil:ssg-file_owner_etc_issue_net_action:testaction:1 - - Record Any Attempts to Run restorecon + + Verify Group Who Owns /etc/cron.allow file - ocil:ssg-audit_rules_execution_restorecon_action:testaction:1 + ocil:ssg-file_groupowner_cron_allow_action:testaction:1 - - Restrict usage of ptrace to descendant processes + + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE - ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1 - - Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config + + Disable the openvpn_enable_homedirs SELinux Boolean - ocil:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy_action:testaction:1 + ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1 - - Remove .java And .jpp Files + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow - ocil:ssg-httpd_limit_java_files_action:testaction:1 + ocil:ssg-audit_rules_etc_shadow_openat_action:testaction:1 - - Enable the pcscd Service + + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces - ocil:ssg-service_pcscd_enabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_forwarding_action:testaction:1 - - Enforce pam_faillock for Local Accounts Only + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_enforce_local_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty + + Configure auditd admin_space_left on Low Disk Space - ocil:ssg-sudo_add_use_pty_action:testaction:1 + ocil:ssg-auditd_data_retention_admin_space_left_percentage_action:testaction:1 - - 
Enable support for BUG() + + Disable compatibility with brk() - ocil:ssg-kernel_config_bug_action:testaction:1 + ocil:ssg-kernel_config_compat_brk_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - umount + + Uninstall vsftpd Package - ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1 + ocil:ssg-package_vsftpd_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + + Record Unsuccessful Permission Changes to Files - lremovexattr - ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1 - - Disable the selinuxuser_execheap SELinux Boolean + + Disable SSH Server If Possible - ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1 + ocil:ssg-service_sshd_disabled_action:testaction:1 - - Disable IPv6 Addressing on All IPv6 Interfaces + + Ensure /var Located On Separate Partition - ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1 + ocil:ssg-partition_for_var_action:testaction:1 - - Ensure iptables Firewall Rules Exist for All Open Ports + + Ensure SELinux Not Disabled in the kernel arguments - ocil:ssg-iptables_rules_for_open_ports_action:testaction:1 + ocil:ssg-coreos_enable_selinux_kernel_argument_action:testaction:1 - - Enable systemd-journald Service + + Enable SLUB/SLAB allocator poisoning - ocil:ssg-service_systemd-journald_enabled_action:testaction:1 + ocil:ssg-grub2_slub_debug_argument_action:testaction:1 - - Configure firewall to Allow Access to the Web Server + + Disable the gluster_anon_write SELinux Boolean - ocil:ssg-httpd_configure_firewall_action:testaction:1 + ocil:ssg-sebool_gluster_anon_write_action:testaction:1 - - Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - 
ocil:ssg-sudo_add_requiretty_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + All User Files and Directories In The Home Directory Must Have a Valid Owner - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-accounts_users_home_files_ownership_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_CREAT + + Disable the httpd_can_network_memcache SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_memcache_action:testaction:1 - - Enforce Spectre v2 mitigation + + Disable the piranha_lvs_can_network_connect SELinux Boolean - ocil:ssg-grub2_spectre_v2_argument_action:testaction:1 + ocil:ssg-sebool_piranha_lvs_can_network_connect_action:testaction:1 - - Install pam_pwquality Package + + Ensure LDAP client is not installed - ocil:ssg-package_pam_pwquality_installed_action:testaction:1 + ocil:ssg-package_openldap-clients_removed_action:testaction:1 - - Configure System Cryptography Policy + + Enable the selinuxuser_execmod SELinux Boolean - ocil:ssg-configure_crypto_policy_action:testaction:1 + ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1 - - Disable the smbd_anon_write SELinux Boolean + + Disable the xguest_exec_content SELinux Boolean - ocil:ssg-sebool_smbd_anon_write_action:testaction:1 + ocil:ssg-sebool_xguest_exec_content_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Screensaver Settings + + Ensure PAM password complexity module is enabled in password-auth - ocil:ssg-dconf_gnome_screensaver_user_locks_action:testaction:1 + ocil:ssg-accounts_password_pam_pwquality_password_auth_action:testaction:1 - - Uninstall pigz Package + + Use Centralized and Automated Authentication - ocil:ssg-package_pigz_removed_action:testaction:1 + ocil:ssg-account_use_centralized_automated_auth_action:testaction:1 - - Disable SSH root Login with a Password (Insecure) + + Configure System 
Cryptography Policy - ocil:ssg-sshd_disable_root_password_login_action:testaction:1 + ocil:ssg-configure_crypto_policy_action:testaction:1 - - Disable the httpd_can_network_memcache SELinux Boolean + + Configure auditing of unsuccessful ownership changes - ocil:ssg-sebool_httpd_can_network_memcache_action:testaction:1 + ocil:ssg-audit_owner_change_failed_action:testaction:1 - - Enable the GNOME3 Screen Locking On Smartcard Removal + + Ensure PAM Enforces Password Requirements - Minimum Digit Characters - ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 + ocil:ssg-accounts_password_pam_dcredit_action:testaction:1 - - Disable the zarafa_setrlimit SELinux Boolean + + All Interactive User Home Directories Must Have mode 0750 Or Less Permissive - ocil:ssg-sebool_zarafa_setrlimit_action:testaction:1 + ocil:ssg-file_permissions_home_directories_action:testaction:1 - - Verify that Shared Library Directories Have Restrictive Permissions + + Record Unsuccessful Permission Changes to Files - fchmodat - ocil:ssg-dir_permissions_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fchmod + + Add noexec Option to /tmp - ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 + ocil:ssg-mount_option_tmp_noexec_action:testaction:1 - - Verify the UEFI Boot Loader grub.cfg Permissions + + Enable nails Service - ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1 + ocil:ssg-service_nails_enabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Attempts to Alter Logon and Logout Events - tallylog - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1 - - Verify Permissions on /var/log/messages File + + Record Events that Modify User/Group Information via 
openat syscall - /etc/gshadow - ocil:ssg-file_permissions_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_etc_gshadow_openat_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fremovexattr + + Disable the ftpd_use_cifs SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1 + ocil:ssg-sebool_ftpd_use_cifs_action:testaction:1 - - Configure the root Account for Failed Password Attempts + + Disable the xdm_exec_bootloader SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1 + ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1 - - Install Intrusion Detection Software + + Generate some entropy during boot and runtime - ocil:ssg-install_hids_action:testaction:1 + ocil:ssg-kernel_config_gcc_plugin_latent_entropy_action:testaction:1 - - Configure auditd admin_space_left Action on Low Disk Space + + Ensure IPv6 is disabled through kernel boot parameter - ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1 + ocil:ssg-grub2_ipv6_disable_argument_action:testaction:1 - - Verify that System Executables Have Restrictive Permissions + + Uninstall abrt-plugin-rhtsupport Package - ocil:ssg-file_permissions_binary_dirs_action:testaction:1 + ocil:ssg-package_abrt-plugin-rhtsupport_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + + Enable Public Key Authentication - ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1 + ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1 - - Install audispd-plugins Package + + Ensure Users Cannot Change GNOME3 Session Idle Settings - ocil:ssg-package_audispd-plugins_installed_action:testaction:1 + ocil:ssg-dconf_gnome_session_idle_user_locks_action:testaction:1 - - Ensure SELinux State is Enforcing + + System Audit Directories Must Be Owned By Root - ocil:ssg-selinux_state_action:testaction:1 + 
ocil:ssg-directory_ownership_var_log_audit_action:testaction:1 - - Disable merging of slabs with similar size + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module - ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1 - - Account Lockouts Must Be Logged + + Disable the condor_tcp_network_connect SELinux Boolean - ocil:ssg-accounts_passwords_pam_faillock_audit_action:testaction:1 + ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1 - - Harden the operation of the BPF just-in-time compiler + + Set the UEFI Boot Loader Admin Username to a Non-Default Value - ocil:ssg-sysctl_net_core_bpf_jit_harden_action:testaction:1 + ocil:ssg-grub2_uefi_admin_username_action:testaction:1 - - Verify /boot/grub2/user.cfg Group Ownership + + Uninstall net-snmp Package - ocil:ssg-file_groupowner_user_cfg_action:testaction:1 + ocil:ssg-package_net-snmp_removed_action:testaction:1 - - Disable the puppetagent_manage_all_files SELinux Boolean + + Verify /boot/grub2/grub.cfg Permissions - ocil:ssg-sebool_puppetagent_manage_all_files_action:testaction:1 + ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 - - Verify Group Who Owns Backup shadow File + + Disable the icecast_use_any_tcp_ports SELinux Boolean - ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1 + ocil:ssg-sebool_icecast_use_any_tcp_ports_action:testaction:1 - - Disable the httpd_can_connect_mythtv SELinux Boolean + + Force kernel panic on uncorrected MCEs - ocil:ssg-sebool_httpd_can_connect_mythtv_action:testaction:1 + ocil:ssg-grub2_mce_argument_action:testaction:1 - - Enable logrotate Timer + + The mailx Package Is Installed - ocil:ssg-timer_logrotate_enabled_action:testaction:1 + ocil:ssg-package_mailx_installed_action:testaction:1 - - Configure System to Forward All Mail From Postmaster to The Root Account + + Record Successful Access Attempts to Files - ftruncate - 
ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1 - - Enable checks on linked list manipulation + + Ensure there are no legacy + NIS entries in /etc/shadow - ocil:ssg-kernel_config_debug_list_action:testaction:1 + ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1 - - Disable the tmpreaper_use_samba SELinux Boolean + + Disable the authlogin_radius SELinux Boolean - ocil:ssg-sebool_tmpreaper_use_samba_action:testaction:1 + ocil:ssg-sebool_authlogin_radius_action:testaction:1 - - Disable the pppd_for_user SELinux Boolean + + Disable vsyscalls in zIPL - ocil:ssg-sebool_pppd_for_user_action:testaction:1 + ocil:ssg-zipl_vsyscall_argument_action:testaction:1 - - Disable the gitosis_can_sendmail SELinux Boolean + + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters - ocil:ssg-sebool_gitosis_can_sendmail_action:testaction:1 + ocil:ssg-accounts_password_pam_ucredit_action:testaction:1 - - Disable the IPv6 protocol + + Unmap kernel when running in userspace (aka KAISER) - ocil:ssg-kernel_config_ipv6_action:testaction:1 + ocil:ssg-kernel_config_unmap_kernel_at_el0_action:testaction:1 - - Disable SSH Root Login + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-sshd_disable_root_login_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Audit Tools Must Be Group-owned by Root + + Configure the root Account for Failed Password Attempts - ocil:ssg-file_audit_tools_group_ownership_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Disable kernel debugfs - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-kernel_config_debug_fs_action:testaction:1 - - Verify that audit tools Have Mode 0755 or less + + Record Events that Modify User/Group Information via 
open_by_handle_at syscall - /etc/passwd - ocil:ssg-file_permissions_audit_binaries_action:testaction:1 + ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1 - - Configure low address space to protect from user allocation + + Verify Permissions on cron.weekly - ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1 + ocil:ssg-file_permissions_cron_weekly_action:testaction:1 - - The robots.txt Files Must Not Exist + + Disable the httpd_use_cifs SELinux Boolean - ocil:ssg-httpd_remove_robots_file_action:testaction:1 + ocil:ssg-sebool_httpd_use_cifs_action:testaction:1 - - Verify Permissions on cron.hourly + + Restrict Serial Port Root Logins - ocil:ssg-file_permissions_cron_hourly_action:testaction:1 + ocil:ssg-restrict_serial_port_logins_action:testaction:1 - - Record Successful Permission Changes to Files - fchmod + + Add noexec Option to Removable Media Partitions - ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1 + ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1 - - Set LogLevel to INFO + + Enable the unconfined_login SELinux Boolean - ocil:ssg-sshd_set_loglevel_info_action:testaction:1 + ocil:ssg-sebool_unconfined_login_action:testaction:1 - - Install iptables-services Package + + Install tar Package - ocil:ssg-package_iptables-services_installed_action:testaction:1 + ocil:ssg-package_tar_installed_action:testaction:1 - - Ensure rsyslog-gnutls is installed + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-package_rsyslog-gnutls_installed_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - SSSD Has a Correct Trust Anchor + + Record Any Attempts to Run semanage - ocil:ssg-sssd_has_trust_anchor_action:testaction:1 + ocil:ssg-audit_rules_execution_semanage_action:testaction:1 - - Disable vsftpd Service + + Enable the sysadm_exec_content SELinux Boolean - ocil:ssg-service_vsftpd_disabled_action:testaction:1 + ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 
- - Disable vsyscalls in zIPL + + Configure A Valid Server Certificate - ocil:ssg-zipl_vsyscall_argument_action:testaction:1 + ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1 - - Backup interactive scripts on the production web server are prohibited + + Uninstall gssproxy Package - ocil:ssg-httpd_remove_backups_action:testaction:1 + ocil:ssg-package_gssproxy_removed_action:testaction:1 - - Configure kernel to trust the CPU random number generator + + A remote time server for Chrony is configured - ocil:ssg-grub2_kernel_trust_cpu_rng_action:testaction:1 + ocil:ssg-chronyd_specify_remote_server_action:testaction:1 - - Install the Asset Configuration Compliance Module (ACCM) + + Require Client Certificates - ocil:ssg-install_mcafee_hbss_accm_action:testaction:1 + ocil:ssg-httpd_require_client_certs_action:testaction:1 - - Disable the tftp_home_dir SELinux Boolean + + Disable the nagios_run_pnp4nagios SELinux Boolean - ocil:ssg-sebool_tftp_home_dir_action:testaction:1 + ocil:ssg-sebool_nagios_run_pnp4nagios_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - openat O_CREAT + + Remove NIS Client - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1 + ocil:ssg-package_ypbind_removed_action:testaction:1 - - Disable named Service + + Record Successful Ownership Changes to Files - chown - ocil:ssg-service_named_disabled_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_chown_action:testaction:1 - - Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT + + Set Password Warning Age - ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 - - Ensure Web Content Located on Separate partition + + Verify Owner on cron.d - ocil:ssg-partition_for_web_content_action:testaction:1 + ocil:ssg-file_owner_cron_d_action:testaction:1 - - Ensure auditd Collects Information 
on the Use of Privileged Commands - chsh + + Disable the xserver_object_manager SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 + ocil:ssg-sebool_xserver_object_manager_action:testaction:1 - - Verify Permissions on crontab + + Disable the polipo_connect_all_unreserved SELinux Boolean - ocil:ssg-file_permissions_crontab_action:testaction:1 + ocil:ssg-sebool_polipo_connect_all_unreserved_action:testaction:1 - - Verify Permissions on /var/log/syslog File + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - ocil:ssg-file_permissions_var_log_syslog_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 - - Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. + + Remove tftp Daemon - ocil:ssg-account_password_pam_faillock_system_auth_action:testaction:1 + ocil:ssg-package_tftp_removed_action:testaction:1 - - The Chronyd service is enabled + + Record Successful Permission Changes to Files - fremovexattr - ocil:ssg-service_chronyd_enabled_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fremovexattr_action:testaction:1 - - System Audit Logs Must Be Owned By Root + + Verify firewalld Enabled - ocil:ssg-file_ownership_var_log_audit_action:testaction:1 + ocil:ssg-service_firewalld_enabled_action:testaction:1 - - Configure AIDE to Verify the Audit Tools + + Disable the httpd_use_nfs SELinux Boolean - ocil:ssg-aide_check_audit_tools_action:testaction:1 + ocil:ssg-sebool_httpd_use_nfs_action:testaction:1 - - Ensure /var/tmp Located On Separate Partition + + Install the Host Intrusion Prevention System (HIPS) Module - ocil:ssg-partition_for_var_tmp_action:testaction:1 + ocil:ssg-package_MFEhiplsm_installed_action:testaction:1 - - Verify Any Configured IPSec Tunnel Connections + + Disable chrony daemon from acting as server - ocil:ssg-libreswan_approved_tunnels_action:testaction:1 + 
ocil:ssg-chronyd_client_only_action:testaction:1 - - Record Successful Permission Changes to Files - lremovexattr + + Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_lremovexattr_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1 - - Disable ypserv Service + + Verify Permissions on /var/log/syslog File - ocil:ssg-service_ypserv_disabled_action:testaction:1 + ocil:ssg-file_permissions_var_log_syslog_action:testaction:1 - - Ensure that Users Path Contains Only Local Directories + + Remove Host-Based Authentication Files - ocil:ssg-accounts_user_home_paths_only_action:testaction:1 + ocil:ssg-no_host_based_files_action:testaction:1 - - Limit Password Reuse: system-auth + + Configure SSSD LDAP Backend to Use TLS For All Transactions - ocil:ssg-accounts_password_pam_pwhistory_remember_system_auth_action:testaction:1 + ocil:ssg-sssd_ldap_start_tls_action:testaction:1 - - Disable chrony daemon from acting as server + + Uninstall setroubleshoot-server Package - ocil:ssg-chronyd_client_only_action:testaction:1 + ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1 - - Disable GSSAPI Authentication + + Ensure SELinux Not Disabled in zIPL - ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1 + ocil:ssg-zipl_enable_selinux_action:testaction:1 - - Stack Protector buffer overlow detection + + Configure auditd to use audispd's syslog plugin - ocil:ssg-kernel_config_stackprotector_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the httpd_can_sendmail SELinux Boolean + + Use Only FIPS 140-2 Validated Ciphers - ocil:ssg-sebool_httpd_can_sendmail_action:testaction:1 + ocil:ssg-sshd_use_approved_ciphers_action:testaction:1 - - Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Ensure Logrotate Runs Periodically - 
ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo_action:testaction:1 + ocil:ssg-ensure_logrotate_activated_action:testaction:1 - - Limit CPU consumption of the Perf system + + Enable different security models - ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 + ocil:ssg-kernel_config_security_action:testaction:1 - - Set Default firewalld Zone for Incoming Packets + + Ensure sudo umask is appropriate - sudo umask - ocil:ssg-set_firewalld_default_zone_action:testaction:1 + ocil:ssg-sudo_add_umask_action:testaction:1 - - Enable the mount_anyfile SELinux Boolean + + Ensure the audit Subsystem is Installed - ocil:ssg-sebool_mount_anyfile_action:testaction:1 + ocil:ssg-package_audit_installed_action:testaction:1 - - Record Attempts to Alter the localtime File + + Remove the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_removed_action:testaction:1 - - Disable the ssh_sysadm_login SELinux Boolean + + Disable the uvcvideo module - ocil:ssg-sebool_ssh_sysadm_login_action:testaction:1 + ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1 
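Review bot: The ordering of the OCIL question references emitted here is not stable between builds, so this hunk is reorder noise rather than a content change and hides any real addition or removal of a check. The same ids are deleted on a `-` line and re-added on a `+` line elsewhere in the hunk, for example `ocil:ssg-chronyd_client_only_action:testaction:1` (together with its title "Disable chrony daemon from acting as server") and `ocil:ssg-file_permissions_var_log_syslog_action:testaction:1`, and the entry for "Verify Owner on cron.d" is added near the top only to be removed again further down. Suggest the publish job sort these entries deterministically (by the ocil id, for instance) before serialising the datastream, so that an automated publish with no rule changes yields an empty diff and a dropped or renamed check shows up as the only `-`/`+` pair instead of being buried among thousands of moved lines.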
@@ -350539,862 +350545,862 @@ which the system will be deployed as closely as possible.ocil:ssg-audit_rules_unsuccessful_file_modification_rename_action:testaction:1 - - Record Events When Executables Are Run As Another User + + Enable the gssd_read_tmp SELinux Boolean - ocil:ssg-audit_rules_suid_auid_privilege_function_action:testaction:1 + ocil:ssg-sebool_gssd_read_tmp_action:testaction:1 - - Disable Red Hat Network Service (rhnsd) + + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate - ocil:ssg-service_rhnsd_disabled_action:testaction:1 + ocil:ssg-sudo_remove_no_authenticate_action:testaction:1 - - Disable the samba_export_all_ro SELinux Boolean + + Uninstall ypserv Package - ocil:ssg-sebool_samba_export_all_ro_action:testaction:1 + ocil:ssg-package_ypserv_removed_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - setxattr + + Add hidepid Option to /proc - ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1 + ocil:ssg-mount_option_proc_hidepid_action:testaction:1 - - Disable the httpd_enable_ftp_server SELinux Boolean + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-sebool_httpd_enable_ftp_server_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Special Characters + + Disable the logging_syslogd_run_nagios_plugins SELinux Boolean - ocil:ssg-accounts_password_pam_ocredit_action:testaction:1 + ocil:ssg-sebool_logging_syslogd_run_nagios_plugins_action:testaction:1 - - Generate some entropy during boot and runtime + + Enable support for BUG() - ocil:ssg-kernel_config_gcc_plugin_latent_entropy_action:testaction:1 + ocil:ssg-kernel_config_bug_action:testaction:1 - - Ensure Rsyslog Authenticates Off-Loaded Audit Records + + Add nosuid Option to /boot/efi - ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action:testaction:1 + 
ocil:ssg-mount_option_boot_efi_nosuid_action:testaction:1 - - Configure auditd Disk Full Action when Disk Space Is Full + + Ensure auditd Collects Information on the Use of Privileged Commands - passwd - ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 - - Configure Auto Configuration on All IPv6 Interfaces + + Verify ownership of System Login Banner - ocil:ssg-sysctl_net_ipv6_conf_all_autoconf_action:testaction:1 + ocil:ssg-file_owner_etc_issue_action:testaction:1 - - Disable Apache Qpid (qpidd) + + Verify Permissions on Backup group File - ocil:ssg-service_qpidd_disabled_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - Disable Cockpit Management Server + + Add noexec Option to /boot - ocil:ssg-service_cockpit_disabled_action:testaction:1 + ocil:ssg-mount_option_boot_noexec_action:testaction:1 - - Uninstall telnet-server Package + + Record Events that Modify User/Group Information - ocil:ssg-package_telnet-server_removed_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 - - Configure the tmux lock session key binding + + Add grpquota Option to /home - ocil:ssg-configure_tmux_lock_keybinding_action:testaction:1 + ocil:ssg-mount_option_home_grpquota_action:testaction:1 - - Ensure that User Home Directories are not Group-Writable or World-Readable + + Record Events that Modify the System's Mandatory Access Controls - ocil:ssg-file_permissions_home_dirs_action:testaction:1 + ocil:ssg-audit_rules_mac_modification_action:testaction:1 - - User a virtually-mapped stack + + Configure Multiple DNS Servers in /etc/resolv.conf - ocil:ssg-kernel_config_vmap_stack_action:testaction:1 + ocil:ssg-network_configure_name_resolution_action:testaction:1 - - Disable CPU Speed (cpupower) + + Disable the httpd_run_preupgrade SELinux Boolean - ocil:ssg-service_cpupower_disabled_action:testaction:1 + 
ocil:ssg-sebool_httpd_run_preupgrade_action:testaction:1 - - Ensure No Device Files are Unlabeled by SELinux + + Enable checks on linked list manipulation - ocil:ssg-selinux_all_devicefiles_labeled_action:testaction:1 + ocil:ssg-kernel_config_debug_list_action:testaction:1 - - Verify User Who Owns group File + + Enable the mcelog_exec_scripts SELinux Boolean - ocil:ssg-file_owner_etc_group_action:testaction:1 + ocil:ssg-sebool_mcelog_exec_scripts_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Configure HTTP PERL Scripts To Use TAINT Option - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-httpd_configure_perl_taint_action:testaction:1 - - Uninstall DHCP Server Package + + Configure SSSD's Memory Cache to Expire - ocil:ssg-package_dhcp_removed_action:testaction:1 + ocil:ssg-sssd_memcache_timeout_action:testaction:1 - - Enable Kernel Page-Table Isolation (KPTI) + + Enforce Usage of pam_wheel with Group Parameter for su Authentication - ocil:ssg-grub2_pti_argument_action:testaction:1 + ocil:ssg-use_pam_wheel_group_for_su_action:testaction:1 - - Install libcap-ng-utils Package + + Uninstall abrt-plugin-logger Package - ocil:ssg-package_libcap-ng-utils_installed_action:testaction:1 + ocil:ssg-package_abrt-plugin-logger_removed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1 - - Disable Red Hat Subscription Manager Daemon (rhsmcertd) + + Ensure All Files Are Owned by a Group - ocil:ssg-service_rhsmcertd_disabled_action:testaction:1 + ocil:ssg-file_permissions_ungroupowned_action:testaction:1 - - Verify Permissions on gshadow File + + Set SSH Client Alive Interval - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + 
ocil:ssg-sshd_set_idle_timeout_action:testaction:1 - - Disable Squid + + Assign Expiration Date to Emergency Accounts - ocil:ssg-service_squid_disabled_action:testaction:1 + ocil:ssg-account_emergency_expire_date_action:testaction:1 - - Ensure SELinux Not Disabled in /etc/default/grub + + Disable Network File System (nfs) - ocil:ssg-grub2_enable_selinux_action:testaction:1 + ocil:ssg-service_nfs_disabled_action:testaction:1 - - Disable the httpd_execmem SELinux Boolean + + Uninstall avahi-autoipd Server Package - ocil:ssg-sebool_httpd_execmem_action:testaction:1 + ocil:ssg-package_avahi-autoipd_removed_action:testaction:1 - - Record Successful Ownership Changes to Files - fchown + + Remove the Kerberos Server Package - ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1 + ocil:ssg-package_krb5-server_removed_action:testaction:1 - - Verify User Who Owns Backup gshadow File + + Record Events that Modify User/Group Information via open syscall - /etc/shadow - ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1 - - Verify Group Who Owns cron.monthly + + Lock Accounts Must Persist - ocil:ssg-file_groupowner_cron_monthly_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_dir_action:testaction:1 - - Record Unsuccessful Delete Attempts to Files - renameat + + Configure audispd Plugin To Send Logs To Remote Server - ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1 + ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1 - - Verify Owner on cron.d + + Configure TLS for rsyslog remote logging - ocil:ssg-file_owner_cron_d_action:testaction:1 + ocil:ssg-rsyslog_remote_tls_action:testaction:1 - - Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean - ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1 + 
ocil:ssg-sebool_httpd_mod_auth_ntlm_winbind_action:testaction:1 - - Verify Permissions on cron.monthly + + Verify Permissions on /var/log/messages File - ocil:ssg-file_permissions_cron_monthly_action:testaction:1 + ocil:ssg-file_permissions_var_log_messages_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Ensure auditd Collects File Deletion Events by User - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_action:testaction:1 - - Each Web Content Directory Must Contain An index.html File + + Install fapolicyd Package - ocil:ssg-httpd_configure_documentroot_action:testaction:1 + ocil:ssg-package_fapolicyd_installed_action:testaction:1 - - Disable the virt_sandbox_use_mknod SELinux Boolean + + Disable SSH Root Login - ocil:ssg-sebool_virt_sandbox_use_mknod_action:testaction:1 + ocil:ssg-sshd_disable_root_login_action:testaction:1 - - Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Configure firewall to Allow Access to the Web Server - ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr_action:testaction:1 + ocil:ssg-httpd_configure_firewall_action:testaction:1 - - Disable the selinuxuser_rw_noexattrfile SELinux Boolean + + Uninstall iprutils Package - ocil:ssg-sebool_selinuxuser_rw_noexattrfile_action:testaction:1 + ocil:ssg-package_iprutils_removed_action:testaction:1 - - Disable Accepting Packets Routed Between Local Interfaces + + Ensure auditd Collects Information on the Use of Privileged Commands - postqueue - ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1 - - Add nodev Option to /var + + Verify File Hashes with RPM - ocil:ssg-mount_option_var_nodev_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Disable loading and unloading of kernel modules + + Set Interactive Session Timeout - 
ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1 + ocil:ssg-accounts_tmout_action:testaction:1 - - Ensure PAM password complexity module is enabled in system-auth + + Configure a Sufficiently Large Partition for Audit Logs - ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1 + ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1 - - Restrict unprivileged access to the kernel syslog + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - ocil:ssg-kernel_config_security_dmesg_restrict_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Disable the selinuxuser_share_music SELinux Boolean - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sebool_selinuxuser_share_music_action:testaction:1 - - Enable checks on credential management + + Disable the dhcpd_use_ldap SELinux Boolean - ocil:ssg-kernel_config_debug_credentials_action:testaction:1 + ocil:ssg-sebool_dhcpd_use_ldap_action:testaction:1 - - Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Uninstall abrt-addon-ccpp Package - ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 + ocil:ssg-package_abrt-addon-ccpp_removed_action:testaction:1 - - Disable graphical user interface + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-xwindows_remove_packages_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Verify User Who Owns /var/log/syslog File + + Uninstall squid Package - ocil:ssg-file_owner_var_log_syslog_action:testaction:1 + ocil:ssg-package_squid_removed_action:testaction:1 - - Disable the httpd_tmp_exec SELinux Boolean + + Disable the logwatch_can_network_connect_mail SELinux Boolean - ocil:ssg-sebool_httpd_tmp_exec_action:testaction:1 + ocil:ssg-sebool_logwatch_can_network_connect_mail_action:testaction:1 - - Record Events that 
Modify the System's Discretionary Access Controls - setxattr + + Enable dnf-automatic Timer - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1 - - Enable the dbadm_exec_content SELinux Boolean + + Modify the System Login Banner - ocil:ssg-sebool_dbadm_exec_content_action:testaction:1 + ocil:ssg-banner_etc_issue_action:testaction:1 - - Ensure All World-Writable Directories Are Group Owned by a System Account + + Install dnf-automatic Package - ocil:ssg-dir_perms_world_writable_system_owned_group_action:testaction:1 + ocil:ssg-package_dnf-automatic_installed_action:testaction:1 - - Disable Kernel cfg80211 Module + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-kernel_module_cfg80211_disabled_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Disable the git_cgi_use_nfs SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr - ocil:ssg-sebool_git_cgi_use_nfs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + Record Unsuccessful Ownership Changes to Files - fchownat - ocil:ssg-sudo_add_passwd_timeout_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1 - - Configure Accepting Router Advertisements on All IPv6 Interfaces + + Restrict Virtual Console Root Logins - ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1 + ocil:ssg-securetty_root_login_console_only_action:testaction:1 - - Ensure gpgcheck Enabled for All yum Package Repositories + + Configure auditd space_left on Low Disk Space - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1 - - Record Any Attempts to Run chacl + + Configure auditd Disk Full Action when Disk Space Is Full - 
ocil:ssg-audit_rules_execution_chacl_action:testaction:1 + ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1 - - Use Centralized and Automated Authentication + + Enable the nscd_use_shm SELinux Boolean - ocil:ssg-account_use_centralized_automated_auth_action:testaction:1 + ocil:ssg-sebool_nscd_use_shm_action:testaction:1 - - Uninstall libreport-plugin-logger Package + + Set Permissions on the /etc/httpd/conf/ Directory - ocil:ssg-package_libreport-plugin-logger_removed_action:testaction:1 + ocil:ssg-dir_perms_etc_httpd_conf_action:testaction:1 - - Install the ntp service + + Disable the virt_use_rawip SELinux Boolean - ocil:ssg-package_ntp_installed_action:testaction:1 + ocil:ssg-sebool_virt_use_rawip_action:testaction:1 - - Disable the rsync_export_all_ro SELinux Boolean + + Record Events that Modify User/Group Information via openat syscall - /etc/group - ocil:ssg-sebool_rsync_export_all_ro_action:testaction:1 + ocil:ssg-audit_rules_etc_group_openat_action:testaction:1 - - Disallow magic SysRq key + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown - ocil:ssg-sysctl_kernel_sysrq_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1 - - All Interactive User Home Directories Must Be Group-Owned By The Primary Group + + Configure audit according to OSPP requirements - ocil:ssg-file_groupownership_home_directories_action:testaction:1 + ocil:ssg-audit_rules_for_ospp_action:testaction:1 - - Install crypto-policies package + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-package_crypto-policies_installed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable nails Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_nails_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable the fenced_can_network_connect SELinux 
Boolean + + Ensure gpgcheck Enabled for Repository Metadata - ocil:ssg-sebool_fenced_can_network_connect_action:testaction:1 + ocil:ssg-ensure_gpgcheck_repo_metadata_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Length + + Require modules to be validly signed - ocil:ssg-accounts_password_pam_minlen_action:testaction:1 + ocil:ssg-kernel_config_module_sig_force_action:testaction:1 - - Record Successful Permission Changes to Files - removexattr + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap - ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1 - - Disable the sanlock_use_nfs SELinux Boolean + + SSSD Has a Correct Trust Anchor - ocil:ssg-sebool_sanlock_use_nfs_action:testaction:1 + ocil:ssg-sssd_has_trust_anchor_action:testaction:1 - - Disable the zoneminder_anon_write SELinux Boolean + + Disable the virt_use_usb SELinux Boolean - ocil:ssg-sebool_zoneminder_anon_write_action:testaction:1 + ocil:ssg-sebool_virt_use_usb_action:testaction:1 - - Enable the httpd_graceful_shutdown SELinux Boolean + + Limit Password Reuse - ocil:ssg-sebool_httpd_graceful_shutdown_action:testaction:1 + ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1 - - Configure the httpd_enable_cgi SELinux Boolean + + Uninstall DHCP Server Package - ocil:ssg-sebool_httpd_enable_cgi_action:testaction:1 + ocil:ssg-package_dhcp_removed_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/shadow + + Disable the httpd_dbus_avahi SELinux Boolean - ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 + ocil:ssg-sebool_httpd_dbus_avahi_action:testaction:1 - - Configure session renegotiation for SSH client + + Disable the selinuxuser_execheap SELinux Boolean - ocil:ssg-ssh_client_rekey_limit_action:testaction:1 + ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1 - - Ensure SMEP is 
not disabled during boot + + Verify Group Who Owns Backup shadow File - ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1 + ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1 - - Add noexec Option to /home + + Disable the use of user namespaces - ocil:ssg-mount_option_home_noexec_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Write Audit Logs to the Disk - ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 + ocil:ssg-auditd_write_logs_action:testaction:1 - - Disable the postgresql_selinux_transmit_client_label SELinux Boolean + + Enable the spamd_enable_home_dirs SELinux Boolean - ocil:ssg-sebool_postgresql_selinux_transmit_client_label_action:testaction:1 + ocil:ssg-sebool_spamd_enable_home_dirs_action:testaction:1 - - The operating system must restrict privilege elevation to authorized personnel + + Disable the authlogin_nsswitch_use_ldap SELinux Boolean - ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1 + ocil:ssg-sebool_authlogin_nsswitch_use_ldap_action:testaction:1 - - Add nosuid Option to /boot/efi + + Disable the use_samba_home_dirs SELinux Boolean - ocil:ssg-mount_option_boot_efi_nosuid_action:testaction:1 + ocil:ssg-sebool_use_samba_home_dirs_action:testaction:1 - - Ensure SSH MaxStartups is configured + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-sshd_set_maxstartups_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Group Who Owns Crontab + + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces - ocil:ssg-file_groupowner_crontab_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1 - - Installation of a compiler on production web server is prohibited + + Ensure SNMP Read Write is disabled - ocil:ssg-httpd_no_compilers_in_prod_action:testaction:1 + 
ocil:ssg-snmpd_no_rwusers_action:testaction:1 - - Make sure that the dconf databases are up-to-date with regards to respective keyfiles + + Configure Kernel Parameter for Accepting Secure Redirects By Default - ocil:ssg-dconf_db_up_to_date_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 - - Disable the use of user namespaces + + Set the Boot Loader Admin Username to a Non-Default Value - ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 + ocil:ssg-grub2_admin_username_action:testaction:1 - - Disable the container_connect_any SELinux Boolean + + Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty - ocil:ssg-sebool_container_connect_any_action:testaction:1 + ocil:ssg-ensure_pam_wheel_group_empty_action:testaction:1 - - Install the cron service + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-package_cron_installed_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Disable the selinuxuser_tcp_server SELinux Boolean + + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period - ocil:ssg-sebool_selinuxuser_tcp_server_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_lock_locked_action:testaction:1 - - Ensure SMAP is not disabled during boot + + Ensure auditd Collects Information on the Use of Privileged Commands - umount - ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 - - Disable Odd Job Daemon (oddjobd) + + Record Any Attempts to Run ssh-agent - ocil:ssg-service_oddjobd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_ssh_agent_action:testaction:1 - - Uninstall bind Package + + Ensure there are no legacy + NIS entries in /etc/passwd - ocil:ssg-package_bind_removed_action:testaction:1 + ocil:ssg-no_legacy_plus_entries_etc_passwd_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Maximum 
Consecutive Repeating Characters from Same Character Class + + Ensure a Table Exists for Nftables - ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 + ocil:ssg-set_nftables_table_action:testaction:1 - - Install the tmux Package + + The Postfix package is installed - ocil:ssg-package_tmux_installed_action:testaction:1 + ocil:ssg-package_postfix_installed_action:testaction:1 - - Disable the telepathy_connect_all_ports SELinux Boolean + + Ensure Remote Administrative Access Is Encrypted - ocil:ssg-sebool_telepathy_connect_all_ports_action:testaction:1 + ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1 - - Randomize the kernel memory sections + + Verify Group Ownership of Message of the Day Banner - ocil:ssg-kernel_config_randomize_memory_action:testaction:1 + ocil:ssg-file_groupowner_etc_motd_action:testaction:1 - - Configure Multiple DNS Servers in /etc/resolv.conf + + Install crypto-policies package - ocil:ssg-network_configure_name_resolution_action:testaction:1 + ocil:ssg-package_crypto-policies_installed_action:testaction:1 - - Install firewalld Package + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-package_firewalld_installed_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Ensure rsyncd service is disabled + + Install dnf-plugin-subscription-manager Package - ocil:ssg-service_rsyncd_disabled_action:testaction:1 + ocil:ssg-package_dnf-plugin-subscription-manager_installed_action:testaction:1 - - Enable the OpenSSH Service + + Allow Only SSH Protocol 2 - ocil:ssg-service_sshd_enabled_action:testaction:1 + ocil:ssg-sshd_allow_only_protocol2_action:testaction:1 - - Disable the selinuxuser_mysql_connect_enabled SELinux Boolean + + Verify Permissions on /var/log Directory - ocil:ssg-sebool_selinuxuser_mysql_connect_enabled_action:testaction:1 + ocil:ssg-file_permissions_var_log_action:testaction:1 - - Implement Blank Screensaver + + Record 
Unsuccessful Delete Attempts to Files - renameat - ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1 - - Record Successful Permission Changes to Files - lsetxattr + + Record Unsuccessful Delete Attempts to Files - unlink - ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1 - - Record Successful Access Attempts to Files - ftruncate + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_action:testaction:1 - - Ensure /tmp Located On Separate Partition + + Disable RDS Support - ocil:ssg-partition_for_tmp_action:testaction:1 + ocil:ssg-kernel_module_rds_disabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - openat + + Web Content Directories Must Not Be Shared Anonymously - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 + ocil:ssg-httpd_anonymous_content_sharing_action:testaction:1 - - Disable GDM Guest Login + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Group Who Owns group File + + Disable the spamassassin_can_network SELinux Boolean - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sebool_spamassassin_can_network_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - usermod + + Verify Permissions on cron.hourly - ocil:ssg-audit_rules_privileged_commands_usermod_action:testaction:1 + ocil:ssg-file_permissions_cron_hourly_action:testaction:1 - - Disable the sanlock_use_fusefs SELinux Boolean + + Disable loading and unloading of kernel modules - ocil:ssg-sebool_sanlock_use_fusefs_action:testaction:1 + 
ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1 - - Authorize Human Interface Devices in USBGuard daemon + + Configure auditing of successful ownership changes - ocil:ssg-usbguard_allow_hid_action:testaction:1 + ocil:ssg-audit_owner_change_success_action:testaction:1 - - Set Up a Private Namespace in PAM Configuration + + Enable the LDAP Client For Use in Authconfig - ocil:ssg-enable_pam_namespace_action:testaction:1 + ocil:ssg-enable_ldap_client_action:testaction:1 - - Specify module signing key to use + + Enable checks on notifier call chains - ocil:ssg-kernel_config_module_sig_key_action:testaction:1 + ocil:ssg-kernel_config_debug_notifiers_action:testaction:1 - - Limit sampling frequency of the Perf system + + Enable GNOME3 Screensaver Idle Activation - ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_action:testaction:1 - - Disable the virt_use_usb SELinux Boolean + + Disable the httpd_verify_dns SELinux Boolean - ocil:ssg-sebool_virt_use_usb_action:testaction:1 + ocil:ssg-sebool_httpd_verify_dns_action:testaction:1 - - Record Successful Access Attempts to Files - openat + + Verify Permissions on SSH Server Private *_key Key Files - ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1 + ocil:ssg-file_permissions_sshd_private_key_action:testaction:1 - - Ensure the Default C Shell Umask is Set Correctly + + Configure low address space to protect from user allocation - ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 + ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1 - - SSH client uses strong entropy to seed (for CSH like shells) + + Disable the httpd_manage_ipa SELinux Boolean - ocil:ssg-ssh_client_use_strong_rng_csh_action:testaction:1 + ocil:ssg-sebool_httpd_manage_ipa_action:testaction:1 - - Install the pcsc-lite package + + Disable the minidlna_read_generic_user_content SELinux Boolean - 
ocil:ssg-package_pcsc-lite_installed_action:testaction:1 + ocil:ssg-sebool_minidlna_read_generic_user_content_action:testaction:1 - - Set Boot Loader Password in grub2 + + Record Successful Permission Changes to Files - fchmodat - ocil:ssg-grub2_password_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fchmodat_action:testaction:1 - - Disable the httpd_can_network_connect_cobbler SELinux Boolean + + Disable Avahi Server Software - ocil:ssg-sebool_httpd_can_network_connect_cobbler_action:testaction:1 + ocil:ssg-service_avahi-daemon_disabled_action:testaction:1 - - Disable the deny_ptrace SELinux Boolean + + Ensure Mail Transfer Agent is not Listening on any non-loopback Address - ocil:ssg-sebool_deny_ptrace_action:testaction:1 + ocil:ssg-has_nonlocal_mta_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Record Any Attempts to Run setsebool - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-audit_rules_execution_setsebool_action:testaction:1 - - Sign kernel modules with SHA-512 + + Ensure gpgcheck Enabled for Local Packages - ocil:ssg-kernel_config_module_sig_sha512_action:testaction:1 + ocil:ssg-ensure_gpgcheck_local_packages_action:testaction:1 - - Set Permissions on the /var/log/httpd/ Directory + + Disable the selinuxuser_tcp_server SELinux Boolean - ocil:ssg-dir_perms_var_log_httpd_action:testaction:1 + ocil:ssg-sebool_selinuxuser_tcp_server_action:testaction:1 - - Uninstall tftp-server Package + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 - - Ensure that Root's Path Does Not Include World or Group-Writable Directories + + Verify Any Configured IPSec Tunnel Connections - ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 + ocil:ssg-libreswan_approved_tunnels_action:testaction:1 - - Generate USBGuard 
Policy + + Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - ocil:ssg-usbguard_generate_policy_action:testaction:1 + ocil:ssg-accounts_password_pam_dictcheck_action:testaction:1 - - Enable TCP/IP syncookie support + + Sign kernel modules with SHA-512 - ocil:ssg-kernel_config_syn_cookies_action:testaction:1 + ocil:ssg-kernel_config_module_sig_sha512_action:testaction:1 - - Install the Policy Auditor (PA) Module + + Assign Expiration Date to Temporary Accounts - ocil:ssg-install_mcafee_hbss_pa_action:testaction:1 + ocil:ssg-account_temp_expire_date_action:testaction:1 - - Uninstall talk-server Package + + Ensure auditd Collects File Deletion Events by User - unlinkat - ocil:ssg-package_talk-server_removed_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Disable the LDT (local descriptor table) - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-kernel_config_modify_ldt_syscall_action:testaction:1 - - Encrypt All File Uploads + + Disable the cobbler_can_network_connect SELinux Boolean - ocil:ssg-httpd_encrypt_file_uploads_action:testaction:1 + ocil:ssg-sebool_cobbler_can_network_connect_action:testaction:1 - - Restrict Web Browser Use for Administrative Accounts + + Add nosuid Option to /boot - ocil:ssg-no_root_webbrowsing_action:testaction:1 + ocil:ssg-mount_option_boot_nosuid_action:testaction:1 - - Ensure /var/log Located On Separate Partition + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly - ocil:ssg-partition_for_var_log_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1 - - Verify Owner on cron.monthly + + Verify Permissions on gshadow File - ocil:ssg-file_owner_cron_monthly_action:testaction:1 + ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 - - Set number of records to cause an explicit flush to audit logs + + 
Ensure PAM Enforces Password Requirements - Minimum Different Categories - ocil:ssg-auditd_freq_action:testaction:1 + ocil:ssg-accounts_password_pam_minclass_action:testaction:1 - - Ensure /dev/shm is configured + + Verify permissions on System Login Banner for Remote Connections - ocil:ssg-partition_for_dev_shm_action:testaction:1 + ocil:ssg-file_permissions_etc_issue_net_action:testaction:1 - - Disable the guest_exec_content SELinux Boolean + + Disable the pcp_read_generic_logs SELinux Boolean - ocil:ssg-sebool_guest_exec_content_action:testaction:1 + ocil:ssg-sebool_pcp_read_generic_logs_action:testaction:1 - - Configure A Banner Page For Each Website + + Ensure All World-Writable Directories Are Owned by a System Account - ocil:ssg-httpd_configure_banner_page_action:testaction:1 + ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1 
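Review bot: the `-`/`+` pairs in this hunk are reorderings, not content changes (`Sign kernel modules with SHA-512` with `ocil:ssg-kernel_config_module_sig_sha512_action:testaction:1` is removed on one line and re-added a few entries later), so the automated publish commits a huge diff in which a genuinely added or dropped check reference would be invisible to a reviewer. Have the build emit the OCIL check list in a deterministic (sorted) order so that publish commits only contain real differences, and reject or flag publishes whose datastream diff is pure reordering.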
@@ -351403,905 +351409,910 @@ which the system will be deployed as closely as possible.ocil:ssg-sebool_git_cgi_use_cifs_action:testaction:1 - - Ensure the Logon Failure Delay is Set Correctly in login.defs + + Set Interval For Counting Failed Password Attempts - ocil:ssg-accounts_logon_fail_delay_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1 - - Configure immutable Audit login UIDs + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - ocil:ssg-audit_immutable_login_uids_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fsetxattr + + Record Events that Modify User/Group Information - /etc/shadow - ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 - - Disable WIFI Network Connection Creation in GNOME3 + + Record Successful Access Attempts to Files - truncate - ocil:ssg-dconf_gnome_disable_wifi_create_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_truncate_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - umount2 + + Disable the global_ssp SELinux Boolean - ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 + ocil:ssg-sebool_global_ssp_action:testaction:1 - - Ensure auditd Collects System Administrator Actions - /etc/sudoers + + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot - ocil:ssg-audit_rules_sudoers_action:testaction:1 + ocil:ssg-sudo_add_ignore_dot_action:testaction:1 - - Set Permissions on All Configuration Files Inside /etc/httpd/conf/ + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd - ocil:ssg-file_permissions_httpd_server_conf_files_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 - - Disable 
vsyscalls + + Uninstall rsync Package - ocil:ssg-grub2_vsyscall_argument_action:testaction:1 + ocil:ssg-package_rsync_removed_action:testaction:1 - - Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config + + Configure Kerberos to use System Crypto Policy - ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_action:testaction:1 + ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 - - Disable the samba_export_all_rw SELinux Boolean + + Enable GSSAPI Authentication - ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 + ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/passwd + + Disable ntpdate Service (ntpdate) - ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1 + ocil:ssg-service_ntpdate_disabled_action:testaction:1 - - Disable the entropyd_use_audio SELinux Boolean + + Disable the ftpd_anon_write SELinux Boolean - ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 + ocil:ssg-sebool_ftpd_anon_write_action:testaction:1 - - Disable the daemons_enable_cluster_mode SELinux Boolean + + Verify ufw Enabled - ocil:ssg-sebool_daemons_enable_cluster_mode_action:testaction:1 + ocil:ssg-service_ufw_enabled_action:testaction:1 - - Ensure All Files Are Owned by a User + + Disable the rsync_client SELinux Boolean - ocil:ssg-no_files_unowned_by_user_action:testaction:1 + ocil:ssg-sebool_rsync_client_action:testaction:1 - - Disable the racoon_read_shadow SELinux Boolean + + Ensure System Log Files Have Correct Permissions - ocil:ssg-sebool_racoon_read_shadow_action:testaction:1 + ocil:ssg-rsyslog_files_permissions_action:testaction:1 - - Kernel panic on oops + + Configure Denying Router Solicitations on All IPv6 Interfaces - ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_router_solicitations_action:testaction:1 - - Disable the daemons_dump_core SELinux Boolean + + Enable Kernel Parameter to Enforce DAC 
on Symlinks - ocil:ssg-sebool_daemons_dump_core_action:testaction:1 + ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 - - Disable Avahi Server Software + + Disable the xdm_sysadm_login SELinux Boolean - ocil:ssg-service_avahi-daemon_disabled_action:testaction:1 + ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1 - - Disable the tor_bind_all_unreserved_ports SELinux Boolean + + Extend Audit Backlog Limit for the Audit Daemon in zIPL - ocil:ssg-sebool_tor_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-zipl_audit_backlog_limit_argument_action:testaction:1 - - Enable HTTPD LogLevel + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - ocil:ssg-httpd_enable_loglevel_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 - - Add nodev Option to /tmp + + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT - ocil:ssg-mount_option_tmp_nodev_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading - init_module + + Configure auditing of unsuccessful permission changes - ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1 + ocil:ssg-audit_perm_change_failed_action:testaction:1 - - Disable the git_system_use_nfs SELinux Boolean + + Make the module text and rodata read-only - ocil:ssg-sebool_git_system_use_nfs_action:testaction:1 + ocil:ssg-kernel_config_strict_module_rwx_action:testaction:1 - - Disable the sanlock_use_samba SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - reboot - ocil:ssg-sebool_sanlock_use_samba_action:testaction:1 + ocil:ssg-audit_privileged_commands_reboot_action:testaction:1 - - Disable X Windows Startup By Setting Default Target + + Remove .java And .jpp Files - ocil:ssg-xwindows_runlevel_target_action:testaction:1 + 
ocil:ssg-httpd_limit_java_files_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + + Disable the prosody_bind_http_port SELinux Boolean - ocil:ssg-audit_rules_etc_gshadow_openat_action:testaction:1 + ocil:ssg-sebool_prosody_bind_http_port_action:testaction:1 - - Verify User Who Owns shadow File + + Remove the kernel mapping in user mode - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-kernel_config_page_table_isolation_action:testaction:1 - - Install Smart Card Packages For Multifactor Authentication + + Set Default firewalld Zone for Incoming Packets - ocil:ssg-install_smartcard_packages_action:testaction:1 + ocil:ssg-set_firewalld_default_zone_action:testaction:1 - - Install tar Package + + Verify Permissions on /etc/audit/rules.d/*.rules - ocil:ssg-package_tar_installed_action:testaction:1 + ocil:ssg-file_permissions_etc_audit_rulesd_action:testaction:1 - - Disable the openshift_use_nfs SELinux Boolean + + Disable the mpd_use_cifs SELinux Boolean - ocil:ssg-sebool_openshift_use_nfs_action:testaction:1 + ocil:ssg-sebool_mpd_use_cifs_action:testaction:1 - - Enable the unconfined_chrome_sandbox_transition SELinux Boolean + + Verify Permissions on SSH Server config file - ocil:ssg-sebool_unconfined_chrome_sandbox_transition_action:testaction:1 + ocil:ssg-file_permissions_sshd_config_action:testaction:1 - - Harden OpenSSL Crypto Policy + + Disable the git_system_use_nfs SELinux Boolean - ocil:ssg-harden_openssl_crypto_policy_action:testaction:1 + ocil:ssg-sebool_git_system_use_nfs_action:testaction:1 - - Configure SSSD LDAP Backend Client CA Certificate + + Set PAM''s Password Hashing Algorithm - password-auth - ocil:ssg-sssd_ldap_configure_tls_ca_action:testaction:1 + ocil:ssg-set_password_hashing_algorithm_passwordauth_action:testaction:1 - - Uninstall quagga Package + + Kernel panic on oops - ocil:ssg-package_quagga_removed_action:testaction:1 + 
ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1 - - Record Attempts to Alter Time Through clock_settime + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Enable NX or XD Support in the BIOS + + Record Unsuccessful Ownership Changes to Files - lchown - ocil:ssg-bios_enable_execution_restrictions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1 - - Verify Group Who Owns shadow File + + Record Any Attempts to Run chacl - ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 + ocil:ssg-audit_rules_execution_chacl_action:testaction:1 - - Disable the ftpd_anon_write SELinux Boolean + + Trigger a kernel BUG when data corruption is detected - ocil:ssg-sebool_ftpd_anon_write_action:testaction:1 + ocil:ssg-kernel_config_bug_on_data_corruption_action:testaction:1 - - Disable storing core dump + + Uninstall python3-abrt-addon Package - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-package_python3-abrt-addon_removed_action:testaction:1 - - Configure SSSD to run as user sssd + + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli - ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 + ocil:ssg-network_nmcli_permissions_action:testaction:1 - - Verify Group Who Owns passwd File + + Enable HTTPD LogLevel - ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 + ocil:ssg-httpd_enable_loglevel_action:testaction:1 - - Install the opensc Package For Multifactor Authentication + + Generate USBGuard Policy - ocil:ssg-package_opensc_installed_action:testaction:1 + ocil:ssg-usbguard_generate_policy_action:testaction:1 - - Uninstall abrt-addon-kerneloops Package + + Configure LDAP Client to Use TLS For All Transactions - ocil:ssg-package_abrt-addon-kerneloops_removed_action:testaction:1 + ocil:ssg-ldap_client_start_tls_action:testaction:1 - - Add nosuid 
Option to /srv + + Disable DHCP Service - ocil:ssg-mount_option_srv_nosuid_action:testaction:1 + ocil:ssg-service_dhcpd_disabled_action:testaction:1 - - Disallow kernel profiling by unprivileged users + + Enable page allocator poisoning - ocil:ssg-sysctl_kernel_perf_event_paranoid_action:testaction:1 + ocil:ssg-grub2_page_poison_argument_action:testaction:1 - - Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC + + Install nftables Package - ocil:ssg-sudo_add_noexec_action:testaction:1 + ocil:ssg-package_nftables_installed_action:testaction:1 - - Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces + + System Audit Logs Must Have Mode 0640 or Less Permissive - ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 + ocil:ssg-file_permissions_var_log_audit_action:testaction:1 - - Configure The Number of Allowed Simultaneous Requests + + Configure System to Forward All Mail through a specific host - ocil:ssg-httpd_configure_max_keepalive_requests_action:testaction:1 + ocil:ssg-postfix_client_configure_relayhost_action:testaction:1 - - Shutdown System When Auditing Failures Occur + + Verify Permissions on /etc/at.allow file - ocil:ssg-audit_rules_system_shutdown_action:testaction:1 + ocil:ssg-file_permissions_at_allow_action:testaction:1 - - Add noexec Option to /boot + + Limit Password Reuse: system-auth - ocil:ssg-mount_option_boot_noexec_action:testaction:1 + ocil:ssg-accounts_password_pam_pwhistory_remember_system_auth_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + + Record Events that Modify the System's Discretionary Access Controls - fchownat - ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 - - Disable the rsync_client SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - 
ocil:ssg-sebool_rsync_client_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Virus Scanning Software Definitions Are Updated + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-mcafee_antivirus_definitions_updated_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Enable cron Service + + Make the kernel text and rodata read-only - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-kernel_config_strict_kernel_rwx_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + + Ensure the Logon Failure Delay is Set Correctly in login.defs - ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 + ocil:ssg-accounts_logon_fail_delay_action:testaction:1 - - Audit Configuration Files Must Be Owned By Group root + + Ensure there are no legacy + NIS entries in /etc/group - ocil:ssg-file_groupownership_audit_configuration_action:testaction:1 + ocil:ssg-no_legacy_plus_entries_etc_group_action:testaction:1 - - Record Events When Privileged Executables Are Run + + Disable merging of slabs with similar size - ocil:ssg-audit_rules_suid_privilege_function_action:testaction:1 + ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1 - - Disable the ftpd_connect_db SELinux Boolean + + Enable the pcscd Service - ocil:ssg-sebool_ftpd_connect_db_action:testaction:1 + ocil:ssg-service_pcscd_enabled_action:testaction:1 - - Set SSH Client Alive Count Max to zero + + Verify User Who Owns Backup gshadow File - ocil:ssg-sshd_set_keepalive_0_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Enable the antivirus_can_scan_system SELinux Boolean + + Disable the sanlock_use_fusefs SELinux Boolean - ocil:ssg-sebool_antivirus_can_scan_system_action:testaction:1 + ocil:ssg-sebool_sanlock_use_fusefs_action:testaction:1 - - Ensure Rsyslog Encrypts Off-Loaded Audit Records + + 
Disable GDM Guest Login - ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1 + ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1 - - Set Default iptables Policy for Incoming Packets + + All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive - ocil:ssg-set_iptables_default_rule_action:testaction:1 + ocil:ssg-accounts_users_home_files_permissions_action:testaction:1 - - The Installed Operating System Is FIPS 140-2 Certified + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - System Audit Logs Must Be Owned By Root + + Enable the staff_exec_content SELinux Boolean - ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 + ocil:ssg-sebool_staff_exec_content_action:testaction:1 - - Disable systemd-journal-remote Socket + + Root Path Must Be Vendor Default - ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1 + ocil:ssg-root_path_default_action:testaction:1 - - Disable the icecast_use_any_tcp_ports SELinux Boolean + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sebool_icecast_use_any_tcp_ports_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Different Characters + + Disable the xguest_use_bluetooth SELinux Boolean - ocil:ssg-accounts_password_pam_difok_action:testaction:1 + ocil:ssg-sebool_xguest_use_bluetooth_action:testaction:1 - - Add nosuid Option to /boot + + Disable Apache Qpid (qpidd) - ocil:ssg-mount_option_boot_nosuid_action:testaction:1 + ocil:ssg-service_qpidd_disabled_action:testaction:1 - - Configure OpenSSL library to use TLS Encryption + + Record Successful Access Attempts to Files - open - ocil:ssg-configure_openssl_tls_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 - - Enable Process 
Accounting (psacct) + + Configure auditd Max Log File Size - ocil:ssg-service_psacct_enabled_action:testaction:1 + ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1 - - Verify that Shared Library Files Have Restrictive Permissions + + Disable vsftpd Service - ocil:ssg-file_permissions_library_dirs_action:testaction:1 + ocil:ssg-service_vsftpd_disabled_action:testaction:1 - - Set Password Hashing Algorithm in /etc/libuser.conf + + Enable Randomized Layout of Virtual Address Space - ocil:ssg-set_password_hashing_algorithm_libuserconf_action:testaction:1 + ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 - - Deactivate Wireless Network Interfaces + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - ocil:ssg-wireless_disable_interfaces_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 - - Warn on W+X mappings found at boot + + Mount Remote Filesystems with Kerberos Security - ocil:ssg-kernel_config_debug_wx_action:testaction:1 + ocil:ssg-mount_option_krb_sec_remote_filesystems_action:testaction:1 - - Add nosuid Option to /opt + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-mount_option_opt_nosuid_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Configure auditd Disk Error Action on Disk Error + + Specify the hash to use when signing modules - ocil:ssg-auditd_data_disk_error_action_action:testaction:1 + ocil:ssg-kernel_config_module_sig_hash_action:testaction:1 - - Disable the global_ssp SELinux Boolean + + Add nosuid Option to /var/log - ocil:ssg-sebool_global_ssp_action:testaction:1 + ocil:ssg-mount_option_var_log_nosuid_action:testaction:1 - - Disable the samba_load_libgfapi SELinux Boolean + + Set the GNOME3 Login Number of Failures - ocil:ssg-sebool_samba_load_libgfapi_action:testaction:1 + ocil:ssg-dconf_gnome_login_retries_action:testaction:1 - - Configure the 
polyinstantiation_enabled SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - setxattr - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 - - Configure HTTP PERL Scripts To Use TAINT Option + + Disable X Windows Startup By Setting Default Target - ocil:ssg-httpd_configure_perl_taint_action:testaction:1 + ocil:ssg-xwindows_runlevel_target_action:testaction:1 - - Configure Libreswan to use System Crypto Policy + + Disable SSH Support for .rhosts Files - ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Any Attempts to Run semanage + + Configure auditd space_left Action on Low Disk Space - ocil:ssg-audit_rules_execution_semanage_action:testaction:1 + ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1 - - Disable the cvs_read_shadow SELinux Boolean + + Record Unsuccessful Ownership Changes to Files - fchown - ocil:ssg-sebool_cvs_read_shadow_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1 - - Disable Access to Network bpf() Syscall From Unprivileged Processes + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_update - ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_unix_update_action:testaction:1 - - Disable IPv6 Networking Support Automatic Loading + + Ensure Rsyslog Encrypts Off-Loaded Audit Records - ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 + ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1 - - Ensure Users Cannot Change GNOME3 Screensaver Idle Activation + + Disable the named_tcp_bind_http_port SELinux Boolean - ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1 + ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 - - Enable the 
secadm_exec_content SELinux Boolean + + Enable logrotate Timer - ocil:ssg-sebool_secadm_exec_content_action:testaction:1 + ocil:ssg-timer_logrotate_enabled_action:testaction:1 - - System Audit Directories Must Be Owned By Root + + Disable Network Console (netconsole) - ocil:ssg-directory_ownership_var_log_audit_action:testaction:1 + ocil:ssg-service_netconsole_disabled_action:testaction:1 - - Disable the virt_use_xserver SELinux Boolean + + Modify the System Message of the Day Banner - ocil:ssg-sebool_virt_use_xserver_action:testaction:1 + ocil:ssg-banner_etc_motd_action:testaction:1 - - Uninstall rsh-server Package + + Disable the httpd_dontaudit_search_dirs SELinux Boolean - ocil:ssg-package_rsh-server_removed_action:testaction:1 + ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - Disable the git_session_bind_all_unreserved_ports SELinux Boolean + + Install sudo Package - ocil:ssg-sebool_git_session_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-package_sudo_installed_action:testaction:1 - - Verify Permissions on group File + + HTTPD Log Files Must Be Owned By Root - ocil:ssg-file_permissions_etc_group_action:testaction:1 + ocil:ssg-http_configure_log_file_ownership_action:testaction:1 - - Add nosuid Option to /var/log + + Configure SSH to use System Crypto Policy - ocil:ssg-mount_option_var_log_nosuid_action:testaction:1 + ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - Configure auditing of successful file deletions + + Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. 
- ocil:ssg-audit_delete_success_action:testaction:1 + ocil:ssg-fapolicy_default_deny_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Ensure SSH MaxStartups is configured - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-sshd_set_maxstartups_action:testaction:1 - - System Audit Logs Must Have Mode 0750 or Less Permissive + + Ensure '/etc/system-fips' exists - ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Disable legacy (BSD) PTY support + + Enable the xend_run_blktap SELinux Boolean - ocil:ssg-kernel_config_legacy_ptys_action:testaction:1 + ocil:ssg-sebool_xend_run_blktap_action:testaction:1 - - Set Password Minimum Length in login.defs + + Verify Group Who Owns /var/log/messages File - ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1 + ocil:ssg-file_groupowner_var_log_messages_action:testaction:1 - - SSH server uses strong entropy to seed + + Configure Polyinstantiation of /tmp Directories - ocil:ssg-sshd_use_strong_rng_action:testaction:1 + ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 - - Configure SELinux Policy + + Ensure remote access methods are monitored in Rsyslog - ocil:ssg-selinux_policytype_action:testaction:1 + ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1 - - Scan All Uploaded Content for Malicious Software + + Ensure /var/tmp Located On Separate Partition - ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1 + ocil:ssg-partition_for_var_tmp_action:testaction:1 - - Verify Permissions on /etc/audit/auditd.conf + + Install rng-tools Package - ocil:ssg-file_permissions_etc_audit_auditd_action:testaction:1 + ocil:ssg-package_rng-tools_installed_action:testaction:1 - - Enable automatic signing of all modules + + Disable /dev/kmem virtual device support - ocil:ssg-kernel_config_module_sig_all_action:testaction:1 + ocil:ssg-kernel_config_devkmem_action:testaction:1 - - Disable the 
domain_kernel_load_modules SELinux Boolean + + Set Password Minimum Age - ocil:ssg-sebool_domain_kernel_load_modules_action:testaction:1 + ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 - - Prevent user from disabling the screen lock + + Install Virus Scanning Software - ocil:ssg-no_tmux_in_shells_action:testaction:1 + ocil:ssg-install_antivirus_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fchmodat + + Verify Group Who Owns /var/log Directory - ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 + ocil:ssg-file_groupowner_var_log_action:testaction:1 - - Disable the git_cgi_enable_homedirs SELinux Boolean + + Remove telnet Clients - ocil:ssg-sebool_git_cgi_enable_homedirs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Configure auditd Disk Full Action when Disk Space Is Full + + Disable Automatic Bug Reporting Tool (abrtd) - ocil:ssg-auditd_data_disk_full_action_action:testaction:1 + ocil:ssg-service_abrtd_disabled_action:testaction:1 - - Enable Kernel Parameter to Enforce DAC on Hardlinks + + SSH server uses strong entropy to seed - ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 + ocil:ssg-sshd_use_strong_rng_action:testaction:1 - - Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean + + Verify the UEFI Boot Loader grub.cfg User Ownership - ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1 + ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1 - - Verify Group Who Owns Backup passwd File + + Verify Permissions on shadow File - ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1 + ocil:ssg-file_permissions_etc_shadow_action:testaction:1 - - Ensure journald is configured to compress large log files + + Disable Bluetooth Kernel Module - ocil:ssg-journald_compress_action:testaction:1 + ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1 - - Uninstall squid Package + + Enable the 
secadm_exec_content SELinux Boolean - ocil:ssg-package_squid_removed_action:testaction:1 + ocil:ssg-sebool_secadm_exec_content_action:testaction:1 - - Disable DHCP Service + + Disable the ssh_keysign SELinux Boolean - ocil:ssg-service_dhcpd_disabled_action:testaction:1 + ocil:ssg-sebool_ssh_keysign_action:testaction:1 - - Disable debug-shell SystemD Service + + Disable the httpd_ssi_exec SELinux Boolean - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_ssi_exec_action:testaction:1 - - Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean + + Disable Quagga Service - ocil:ssg-sebool_postgresql_selinux_unconfined_dbadm_action:testaction:1 + ocil:ssg-service_zebra_disabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Record Events When Privileged Executables Are Run - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_suid_privilege_function_action:testaction:1 - - Uninstall cyrus-imapd Package + + Explicit arguments in sudo specifications - ocil:ssg-package_cyrus-imapd_removed_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 - - Record Successful Permission Changes to Files - fremovexattr + + Randomize the address of the kernel image (KASLR) - ocil:ssg-audit_rules_successful_file_modification_fremovexattr_action:testaction:1 + ocil:ssg-kernel_config_randomize_base_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fsetxattr + + Disable the mpd_enable_homedirs SELinux Boolean - ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 + ocil:ssg-sebool_mpd_enable_homedirs_action:testaction:1 - - Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Configure auditing of loading and unloading of kernel modules - ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1 + 
ocil:ssg-audit_module_load_action:testaction:1 - - Enable the nfs_export_all_ro SELinux Boolean + + Ensure auditd Collects Information on Kernel Module Loading - init_module - ocil:ssg-sebool_nfs_export_all_ro_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1 - - Disable the httpd_dbus_sssd SELinux Boolean + + Install Intrusion Detection Software - ocil:ssg-sebool_httpd_dbus_sssd_action:testaction:1 + ocil:ssg-install_hids_action:testaction:1 - - Configure audispd Plugin To Send Logs To Remote Server + + Disable the zoneminder_anon_write SELinux Boolean - ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1 + ocil:ssg-sebool_zoneminder_anon_write_action:testaction:1 - - Record Unsuccessful Permission Changes to Files - fchmod + + Disable the guest_exec_content SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1 + ocil:ssg-sebool_guest_exec_content_action:testaction:1 - - Record Unsuccessful Delete Attempts to Files - unlinkat + + Disable CAN Support - ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 + ocil:ssg-kernel_module_can_disabled_action:testaction:1 - - Include Local Events in Audit Logs + + Disable the neutron_can_network SELinux Boolean - ocil:ssg-auditd_local_events_action:testaction:1 + ocil:ssg-sebool_neutron_can_network_action:testaction:1 - - Ensure Insecure File Locking is Not Allowed + + Disable the httpd_can_network_relay SELinux Boolean - ocil:ssg-no_insecure_locks_exports_action:testaction:1 + ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Enable cron Service - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-service_cron_enabled_action:testaction:1 - - Set Password Maximum Age + + Add nodev Option to Removable Media Partitions - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + 
ocil:ssg-mount_option_nodev_removable_partitions_action:testaction:1 - - Configure Sending and Accepting Shared Media Redirects by Default + + Disable acquiring, saving, and processing core dumps - ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Add nosuid Option to /var + + Specify a Remote NTP Server - ocil:ssg-mount_option_var_nosuid_action:testaction:1 + ocil:ssg-ntpd_specify_remote_server_action:testaction:1 - - Ensure Remote Administrative Access Is Encrypted + + Disable the daemons_use_tcp_wrapper SELinux Boolean - ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1 + ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1 - - Enable Public Key Authentication + + Ensure that /etc/cron.deny does not exist - ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1 + ocil:ssg-file_cron_deny_not_exist_action:testaction:1 - - Enable the postgresql_selinux_users_ddl SELinux Boolean + + Disable the awstats_purge_apache_log_files SELinux Boolean - ocil:ssg-sebool_postgresql_selinux_users_ddl_action:testaction:1 + ocil:ssg-sebool_awstats_purge_apache_log_files_action:testaction:1 - - Disable Geolocation in GNOME3 + + System Audit Logs Must Have Mode 0750 or Less Permissive - ocil:ssg-dconf_gnome_disable_geolocation_action:testaction:1 + ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 - - Disable Quota Netlink (quota_nld) + + Add noexec Option to /var - ocil:ssg-service_quota_nld_disabled_action:testaction:1 + ocil:ssg-mount_option_var_noexec_action:testaction:1 - - Certificate status checking in SSSD + + Disable IPv6 Networking Support Automatic Loading - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 - - Disable Accepting ICMP Redirects for All IPv6 Interfaces + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same 
Character Class - ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check + + Enable the httpd_graceful_shutdown SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 + ocil:ssg-sebool_httpd_graceful_shutdown_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + + Enable ExecShield via sysctl - ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1 + ocil:ssg-sysctl_kernel_exec_shield_action:testaction:1 - - Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config + + Verify that Shared Library Files Have Restrictive Permissions - ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_action:testaction:1 + ocil:ssg-file_permissions_library_dirs_action:testaction:1 - - Ensure PAM Displays Last Logon/Access Notification + + Configure AIDE to Verify Access Control Lists (ACLs) - ocil:ssg-display_login_attempts_action:testaction:1 + ocil:ssg-aide_verify_acls_action:testaction:1 - - Disable the httpd_read_user_content SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper - ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fchown + + Disable Network Router Discovery Daemon (rdisc) - ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 + ocil:ssg-service_rdisc_disabled_action:testaction:1 - - Verify the system-wide library files in directories -"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. 
+ + Configure AIDE to Verify Extended Attributes - ocil:ssg-root_permissions_syslibrary_files_action:testaction:1 + ocil:ssg-aide_verify_ext_attributes_action:testaction:1 - - Ensure Software Patches Installed + + Restrict Web Browser Use for Administrative Accounts - ocil:ssg-security_patches_up_to_date_action:testaction:1 + ocil:ssg-no_root_webbrowsing_action:testaction:1 - - Verify that audit tools are owned by group root + + Record attempts to alter time through adjtimex - ocil:ssg-file_groupownership_audit_binaries_action:testaction:1 + ocil:ssg-audit_rules_time_adjtimex_action:testaction:1 - - Verify nftables Service is Disabled + + Set existing passwords a period of inactivity before they been locked - ocil:ssg-service_nftables_disabled_action:testaction:1 + ocil:ssg-accounts_set_post_pw_existing_action:testaction:1 - - Configure file name of core dumps + + Enable SSH Server firewalld Firewall Exception - ocil:ssg-sysctl_kernel_core_uses_pid_action:testaction:1 + ocil:ssg-firewalld_sshd_port_enabled_action:testaction:1 + + + + Ensure SELinux Not Disabled in /etc/default/grub + + ocil:ssg-grub2_enable_selinux_action:testaction:1 
@@ -352310,1936 +352321,1925 @@ which the system will be deployed as closely as possible.ocil:ssg-sebool_antivirus_use_jit_action:testaction:1 - - Ensure that /etc/cron.deny does not exist + + Enable the unconfined_mozilla_plugin_transition SELinux Boolean - ocil:ssg-file_cron_deny_not_exist_action:testaction:1 + ocil:ssg-sebool_unconfined_mozilla_plugin_transition_action:testaction:1 - - Configure the Firewalld Ports + + Use Kerberos Security on All Exports - ocil:ssg-configure_firewalld_ports_action:testaction:1 + ocil:ssg-use_kerberos_security_all_exports_action:testaction:1 - - Disable the ftpd_use_fusefs SELinux Boolean + + Configure auditing of successful file accesses - ocil:ssg-sebool_ftpd_use_fusefs_action:testaction:1 + ocil:ssg-audit_access_success_action:testaction:1 - - Configure auditd to use audispd's syslog plugin + + Record Attempts to Alter Time Through stime - ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 + ocil:ssg-audit_rules_time_stime_action:testaction:1 - - Enable the unconfined_login SELinux Boolean + + Record Events that Modify User/Group Information - /etc/passwd - ocil:ssg-sebool_unconfined_login_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 - - Ensure there are no legacy + NIS entries in /etc/group + + System Audit Logs Must Be Group Owned By Root - ocil:ssg-no_legacy_plus_entries_etc_group_action:testaction:1 + ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 - - Use Only FIPS 140-2 Validated Key Exchange Algorithms + + Ensure /srv Located On Separate Partition - ocil:ssg-sshd_use_approved_kex_ordered_stig_action:testaction:1 + ocil:ssg-partition_for_srv_action:testaction:1 - - Support session locking with tmux + + Disable the lsmd_plugin_connect_any SELinux Boolean - ocil:ssg-configure_bashrc_exec_tmux_action:testaction:1 + ocil:ssg-sebool_lsmd_plugin_connect_any_action:testaction:1 - - Verify permissions on System Login Banner + + Disable IPv6 
Addressing on IPv6 Interfaces by Default - ocil:ssg-file_permissions_etc_issue_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - su + + Verify ownership of Message of the Day Banner - ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 + ocil:ssg-file_owner_etc_motd_action:testaction:1 - - Ensure that System Accounts Do Not Run a Shell Upon Login + + Configure opensc Smart Card Drivers - ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 + ocil:ssg-configure_opensc_card_drivers_action:testaction:1 - - Set SSH Daemon LogLevel to VERBOSE + + Enable NX or XD Support in the BIOS - ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1 + ocil:ssg-bios_enable_execution_restrictions_action:testaction:1 - - Remove User Host-Based Authentication Files + + Disable the httpd_serve_cobbler_files SELinux Boolean - ocil:ssg-no_user_host_based_files_action:testaction:1 + ocil:ssg-sebool_httpd_serve_cobbler_files_action:testaction:1 - - Enable SLUB debugging support + + Remove the FreeRadius Server Package - ocil:ssg-kernel_config_slub_debug_action:testaction:1 + ocil:ssg-package_freeradius_removed_action:testaction:1 - - Record attempts to alter time through adjtimex + + Verify Permissions on /etc/audit/auditd.conf - ocil:ssg-audit_rules_time_adjtimex_action:testaction:1 + ocil:ssg-file_permissions_etc_audit_auditd_action:testaction:1 - - Disable the use_samba_home_dirs SELinux Boolean + + Disable the ftpd_use_passive_mode SELinux Boolean - ocil:ssg-sebool_use_samba_home_dirs_action:testaction:1 + ocil:ssg-sebool_ftpd_use_passive_mode_action:testaction:1 - - Disable the mcelog_foreground SELinux Boolean + + Disable Samba - ocil:ssg-sebool_mcelog_foreground_action:testaction:1 + ocil:ssg-service_smb_disabled_action:testaction:1 - - Ensure SNMP Read Write is disabled + + Enable the cron_userdomain_transition SELinux Boolean - 
ocil:ssg-snmpd_no_rwusers_action:testaction:1 + ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1 - - Verify firewalld Enabled + + Verify ip6tables Enabled if Using IPv6 - ocil:ssg-service_firewalld_enabled_action:testaction:1 + ocil:ssg-service_ip6tables_enabled_action:testaction:1 - - Install scap-security-guide Package + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh - ocil:ssg-package_scap-security-guide_installed_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 - - Do not allow usercopy whitelist violations to fallback to object size + + Verify that Shared Library Directories Have Root Ownership - ocil:ssg-kernel_config_hardened_usercopy_fallback_action:testaction:1 + ocil:ssg-dir_ownership_library_dirs_action:testaction:1 - - Verify Group Who Owns Backup group File + + System Audit Logs Must Be Owned By Root - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 - - Disable the GNOME3 Login Restart and Shutdown Buttons + + Add nosuid Option to /opt - ocil:ssg-dconf_gnome_disable_restart_shutdown_action:testaction:1 + ocil:ssg-mount_option_opt_nosuid_action:testaction:1 - - Enable Use of Strict Mode Checking + + Enable syslog-ng Service - ocil:ssg-sshd_enable_strictmodes_action:testaction:1 + ocil:ssg-service_syslogng_enabled_action:testaction:1 - - Record Events that Modify User/Group Information via openat syscall - /etc/group + + Install systemd-journal-remote Package - ocil:ssg-audit_rules_etc_group_openat_action:testaction:1 + ocil:ssg-package_systemd-journal-remote_installed_action:testaction:1 - - Ensure System Log Files Have Correct Permissions + + Disable GDM Automatic Login - ocil:ssg-rsyslog_files_permissions_action:testaction:1 + ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1 - - Require Client Certificates + + Ensure the Default Umask is Set Correctly in /etc/profile - 
ocil:ssg-httpd_require_client_certs_action:testaction:1 + ocil:ssg-accounts_umask_etc_profile_action:testaction:1 - - Verify Ownership on SSH Server Private *_key Key Files + + The Installed Operating System Is FIPS 140-2 Certified - ocil:ssg-file_ownership_sshd_private_key_action:testaction:1 + ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1 - - Harden SSH client Crypto Policy + + Disable the mozilla_plugin_use_spice SELinux Boolean - ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_use_spice_action:testaction:1 - - Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Verify Group Who Owns Backup passwd File - ocil:ssg-sysctl_net_ipv6_conf_default_router_solicitations_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1 - - Install sssd-ipa Package + + Record Events that Modify the System's Discretionary Access Controls - fchmodat - ocil:ssg-package_sssd-ipa_installed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 - - Disable the ssh_chroot_rw_homedirs SELinux Boolean + + Install openscap-scanner Package - ocil:ssg-sebool_ssh_chroot_rw_homedirs_action:testaction:1 + ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - Disable the cdrecord_read_content SELinux Boolean + + Disable the IPv6 protocol - ocil:ssg-sebool_cdrecord_read_content_action:testaction:1 + ocil:ssg-kernel_config_ipv6_action:testaction:1 - - Disable CAN Support + + Disable the CUPS Service - ocil:ssg-kernel_module_can_disabled_action:testaction:1 + ocil:ssg-service_cups_disabled_action:testaction:1 - - Disable Cyrus SASL Authentication Daemon (saslauthd) + + Ensure auditd Collects Information on the Use of Privileged Commands - poweroff - ocil:ssg-service_saslauthd_disabled_action:testaction:1 + ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1 - - Configure auditing of successful permission changes + + Shutdown 
System When Auditing Failures Occur - ocil:ssg-audit_perm_change_success_action:testaction:1 + ocil:ssg-audit_rules_system_shutdown_action:testaction:1 - - All User Files and Directories In The Home Directory Must Have a Valid Owner + + Restrict unprivileged access to the kernel syslog - ocil:ssg-accounts_users_home_files_ownership_action:testaction:1 + ocil:ssg-kernel_config_security_dmesg_restrict_action:testaction:1 - - Enable checks on scatter-gather (SG) table operations + + Use Only FIPS 140-2 Validated Key Exchange Algorithms - ocil:ssg-kernel_config_debug_sg_action:testaction:1 + ocil:ssg-sshd_use_approved_kex_ordered_stig_action:testaction:1 - - Disable ntpdate Service (ntpdate) + + Add nosuid Option to /dev/shm - ocil:ssg-service_ntpdate_disabled_action:testaction:1 + ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1 - - Disable the xguest_use_bluetooth SELinux Boolean + + Prevent remote hosts from connecting to the proxy display - ocil:ssg-sebool_xguest_use_bluetooth_action:testaction:1 + ocil:ssg-sshd_x11_use_localhost_action:testaction:1 - - Harden slab freelist metadata + + Disable the dbadm_manage_user_files SELinux Boolean - ocil:ssg-kernel_config_slab_freelist_hardened_action:testaction:1 + ocil:ssg-sebool_dbadm_manage_user_files_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/group + + Configure SELinux Policy - ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 + ocil:ssg-selinux_policytype_action:testaction:1 - - Disable the pcp_bind_all_unreserved_ports SELinux Boolean + + Uninstall cyrus-imapd Package - ocil:ssg-sebool_pcp_bind_all_unreserved_ports_action:testaction:1 + ocil:ssg-package_cyrus-imapd_removed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Verify Permissions on Backup shadow File - ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 + ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1 
- - Ensure users' .netrc Files are not group or world accessible + + Force frequent session key renegotiation - ocil:ssg-accounts_users_netrc_file_permissions_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Record Access Events to Audit Log Directory + + Do not allow usercopy whitelist violations to fallback to object size - ocil:ssg-directory_access_var_log_audit_action:testaction:1 + ocil:ssg-kernel_config_hardened_usercopy_fallback_action:testaction:1 - - Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + + Disable DHCP Client in ifcfg - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1 - - Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Disable the samba_enable_home_dirs SELinux Boolean - ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 + ocil:ssg-sebool_samba_enable_home_dirs_action:testaction:1 - - Configure SSSD to Expire SSH Known Hosts + + Disable the selinuxuser_udp_server SELinux Boolean - ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1 + ocil:ssg-sebool_selinuxuser_udp_server_action:testaction:1 - - Set GNOME3 Screensaver Lock Delay After Activation Period + + Disable Bluetooth Service - ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1 + ocil:ssg-service_bluetooth_disabled_action:testaction:1 - - Install nftables Package + + Support session locking with tmux - ocil:ssg-package_nftables_installed_action:testaction:1 + ocil:ssg-configure_bashrc_exec_tmux_action:testaction:1 - - Disable the polipo_session_users SELinux Boolean + + Install scap-security-guide Package - ocil:ssg-sebool_polipo_session_users_action:testaction:1 + ocil:ssg-package_scap-security-guide_installed_action:testaction:1 - - Enable log_config_module For HTTPD Logging + + Verify that System Executables Have Root Ownership - 
ocil:ssg-httpd_enable_log_config_action:testaction:1 + ocil:ssg-file_ownership_binary_dirs_action:testaction:1 - - Enable the spamd_enable_home_dirs SELinux Boolean + + Randomize slab freelist - ocil:ssg-sebool_spamd_enable_home_dirs_action:testaction:1 + ocil:ssg-kernel_config_slab_freelist_random_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - unlinkat + + Enable the user_exec_content SELinux Boolean - ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1 + ocil:ssg-sebool_user_exec_content_action:testaction:1 - - Disable Network Console (netconsole) + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_netconsole_disabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Set SSH Client Alive Count Max + + Disable the cobbler_use_nfs SELinux Boolean - ocil:ssg-sshd_set_keepalive_action:testaction:1 + ocil:ssg-sebool_cobbler_use_nfs_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + + Disable IPv6 Addressing on All IPv6 Interfaces - ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1 - - Verify /boot/grub2/user.cfg Permissions + + Disable the httpd_can_sendmail SELinux Boolean - ocil:ssg-file_permissions_user_cfg_action:testaction:1 + ocil:ssg-sebool_httpd_can_sendmail_action:testaction:1 - - Set PAM''s Password Hashing Algorithm + + Verify Group Ownership on SSH Server Private *_key Key Files - ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 + ocil:ssg-file_groupownership_sshd_private_key_action:testaction:1 - - Configure Polyinstantiation of /var/tmp Directories + + Ensure PAM Enforces Password Requirements - Minimum Special Characters - ocil:ssg-accounts_polyinstantiated_var_tmp_action:testaction:1 + ocil:ssg-accounts_password_pam_ocredit_action:testaction:1 - - Disable DHCP 
Client in ifcfg - - ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1 - - - - Enable the xend_run_qemu SELinux Boolean + + Disable the httpd_enable_ftp_server SELinux Boolean - ocil:ssg-sebool_xend_run_qemu_action:testaction:1 + ocil:ssg-sebool_httpd_enable_ftp_server_action:testaction:1 - - Disable the sge_use_nfs SELinux Boolean + + Record Unsuccessful Permission Changes to Files - fremovexattr - ocil:ssg-sebool_sge_use_nfs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1 - - Uninstall setroubleshoot-server Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - fchown + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Disable the cluster_manage_all_files SELinux Boolean + + MIME types for csh or sh shell programs must be disabled - ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1 + ocil:ssg-httpd_disable_mime_types_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + + Configure Sending and Accepting Shared Media Redirects by Default - ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_action:testaction:1 - - Add noexec Option to /var/log + + Disable the virt_use_nfs SELinux Boolean - ocil:ssg-mount_option_var_log_noexec_action:testaction:1 + ocil:ssg-sebool_virt_use_nfs_action:testaction:1 - - Install rng-tools Package + + Verify Group Ownership of System Login Banner for Remote Connections - ocil:ssg-package_rng-tools_installed_action:testaction:1 + ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1 - - Enforce 
usage of pam_wheel for su authentication + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-use_pam_wheel_for_su_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Ensure that /etc/at.deny does not exist + + Randomize the kernel memory sections - ocil:ssg-file_at_deny_not_exist_action:testaction:1 + ocil:ssg-kernel_config_randomize_memory_action:testaction:1 - - Disable the saslauthd_read_shadow SELinux Boolean + + Disable the zabbix_can_network SELinux Boolean - ocil:ssg-sebool_saslauthd_read_shadow_action:testaction:1 + ocil:ssg-sebool_zabbix_can_network_action:testaction:1 - - Disable the httpd_can_network_relay SELinux Boolean + + Record Unsuccessful Permission Changes to Files - lsetxattr - ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1 - - Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + + Enable SSH Warning Banner - ocil:ssg-audit_rules_sudoers_d_action:testaction:1 + ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1 - - Disable Kernel Image Loading + + Ensure All Accounts on the System Have Unique Names - ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1 + ocil:ssg-account_unique_name_action:testaction:1 - - Uninstall abrt-plugin-rhtsupport Package + + Uninstall talk-server Package - ocil:ssg-package_abrt-plugin-rhtsupport_removed_action:testaction:1 + ocil:ssg-package_talk-server_removed_action:testaction:1 - - Enable GSSAPI Authentication + + Enable the NTP Daemon - ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1 + ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1 - - User Initialization Files Must Be Group-Owned By The Primary Group + + Configure the selinuxuser_direct_dri_enabled SELinux Boolean - ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1 + ocil:ssg-sebool_selinuxuser_direct_dri_enabled_action:testaction:1 - - Enable the 
GNOME3 Login Smartcard Authentication + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Disable Network Router Discovery Daemon (rdisc) + + Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server - ocil:ssg-service_rdisc_disabled_action:testaction:1 + ocil:ssg-sssd_ldap_configure_tls_reqcert_action:testaction:1 - - Verify and Correct File Permissions with RPM + + Enable Transport Layer Security (TLS) Encryption - ocil:ssg-rpm_verify_permissions_action:testaction:1 + ocil:ssg-httpd_configure_tls_action:testaction:1 - - Disable Bluetooth Service + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces - ocil:ssg-service_bluetooth_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_max_addresses_action:testaction:1 - - Ensure All Files Are Owned by a Group + + Make the auditd Configuration Immutable - ocil:ssg-file_permissions_ungroupowned_action:testaction:1 + ocil:ssg-audit_rules_immutable_action:testaction:1 - - Verify Group Ownership of System Login Banner for Remote Connections + + Enable the postgresql_selinux_users_ddl SELinux Boolean - ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1 + ocil:ssg-sebool_postgresql_selinux_users_ddl_action:testaction:1 - - Randomize slab freelist + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-kernel_config_slab_freelist_random_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Enable authselect + + Disable the ksmtuned_use_nfs SELinux Boolean - ocil:ssg-enable_authselect_action:testaction:1 + ocil:ssg-sebool_ksmtuned_use_nfs_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Add nodev Option to /boot - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-mount_option_boot_nodev_action:testaction:1 - - Enable page 
allocator poisoning + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size - ocil:ssg-grub2_page_poison_argument_action:testaction:1 + ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1 - - Configure tmux to lock session after inactivity + + Ensure auditd Collects System Administrator Actions - /etc/sudoers - ocil:ssg-configure_tmux_lock_after_time_action:testaction:1 + ocil:ssg-audit_rules_sudoers_action:testaction:1 - - Set GNOME3 Screensaver Inactivity Timeout + + Add noexec Option to /var/log/audit - ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1 + ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1 - - Remove tftp Daemon + + Ensure Sudo Logfile Exists - sudo logfile - ocil:ssg-package_tftp_removed_action:testaction:1 + ocil:ssg-sudo_custom_logfile_action:testaction:1 - - Ensure tftp Daemon Uses Secure Mode + + Ensure /dev/shm is configured - ocil:ssg-tftpd_uses_secure_mode_action:testaction:1 + ocil:ssg-partition_for_dev_shm_action:testaction:1 - - Ensure Rsyslog Encrypts Off-Loaded Audit Records + + Perform general configuration of Audit for OSPP - ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_action:testaction:1 + ocil:ssg-audit_ospp_general_action:testaction:1 - - Ensure invoking users password for privilege escalation when using sudo + + Set Lockout Time for Failed Password Attempts - ocil:ssg-sudoers_validate_passwd_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1 - - Require Re-Authentication When Using the sudo Command + + Ensure All Accounts on the System Have Unique User IDs - ocil:ssg-sudo_require_reauthentication_action:testaction:1 + ocil:ssg-account_unique_id_action:testaction:1 - - Ensure All World-Writable Directories Are Owned by root User + + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters - ocil:ssg-dir_perms_world_writable_root_owned_action:testaction:1 + 
ocil:ssg-accounts_password_pam_lcredit_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Disable the authlogin_yubikey SELinux Boolean - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-sebool_authlogin_yubikey_action:testaction:1 - - Audit Configuration Files Must Be Owned By Root + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default - ocil:ssg-file_ownership_audit_configuration_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr_action:testaction:1 - - IOMMU configuration directive + + Disable WIFI Network Connection Creation in GNOME3 - ocil:ssg-grub2_enable_iommu_force_action:testaction:1 + ocil:ssg-dconf_gnome_disable_wifi_create_action:testaction:1 - - Configure auditing of successful ownership changes + + Set Permissions on All Configuration Files Inside /etc/httpd/conf/ - ocil:ssg-audit_owner_change_success_action:testaction:1 + ocil:ssg-file_permissions_httpd_server_conf_files_action:testaction:1 - - Set the UEFI Boot Loader Admin Username to a Non-Default Value + + Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE - ocil:ssg-grub2_uefi_admin_username_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 - - Ensure SELinux is Not Disabled + + Ensure only owner and members of group owner of /usr/bin/sudo can execute it - ocil:ssg-selinux_not_disabled_action:testaction:1 + ocil:ssg-sudo_restrict_others_executable_permission_action:testaction:1 - - Record Events that Modify User/Group Information + + Disable the httpd_dbus_sssd SELinux Boolean - ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 + ocil:ssg-sebool_httpd_dbus_sssd_action:testaction:1 - - Make the kernel text and rodata read-only + + Require Re-Authentication When Using the sudo Command - ocil:ssg-kernel_config_strict_kernel_rwx_action:testaction:1 + 
ocil:ssg-sudo_require_reauthentication_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Disable snmpd Service - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-service_snmpd_disabled_action:testaction:1 - - Disable the named_write_master_zones SELinux Boolean + + Disable Kernel iwlwifi Module - ocil:ssg-sebool_named_write_master_zones_action:testaction:1 + ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1 - - Enable SLUB/SLAB allocator poisoning + + Configure auditing of successful file creations - ocil:ssg-grub2_slub_debug_argument_action:testaction:1 + ocil:ssg-audit_create_success_action:testaction:1 - - Enable auditd Service + + Verify Permissions on /etc/cron.allow file - ocil:ssg-service_auditd_enabled_action:testaction:1 + ocil:ssg-file_permissions_cron_allow_action:testaction:1 - - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot + + Verify No .forward Files Exist - ocil:ssg-sudo_add_ignore_dot_action:testaction:1 + ocil:ssg-no_forward_files_action:testaction:1 - - Configure the selinuxuser_direct_dri_enabled SELinux Boolean + + Verify Group Who Owns /var/log/syslog File - ocil:ssg-sebool_selinuxuser_direct_dri_enabled_action:testaction:1 + ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1 - - Disable the httpd_setrlimit SELinux Boolean + + Disable Accepting ICMP Redirects for All IPv6 Interfaces - ocil:ssg-sebool_httpd_setrlimit_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1 - - Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems + + Record Unsuccessful Permission Changes to Files - fchmod - ocil:ssg-configured_firewalld_default_deny_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1 - - Configure Kernel Parameter for Accepting Secure Redirects By Default + + Disable storing core dump - 
ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 + ocil:ssg-coredump_disable_storage_action:testaction:1 - - Harden common str/mem functions against buffer overflows + + Disable the samba_load_libgfapi SELinux Boolean - ocil:ssg-kernel_config_fortify_source_action:testaction:1 + ocil:ssg-sebool_samba_load_libgfapi_action:testaction:1 - - Record Any Attempts to Run setfiles + + Configure L1 Terminal Fault mitigations - ocil:ssg-audit_rules_execution_setfiles_action:testaction:1 + ocil:ssg-grub2_l1tf_argument_action:testaction:1 - - Ensure Log Files Are Owned By Appropriate User + + Prefer to use a 64-bit Operating System when supported - ocil:ssg-rsyslog_files_ownership_action:testaction:1 + ocil:ssg-prefer_64bit_os_action:testaction:1 - - Enable SSH Warning Banner + + Disable the haproxy_connect_any SELinux Boolean - ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1 + ocil:ssg-sebool_haproxy_connect_any_action:testaction:1 - - Allow Only SSH Protocol 2 + + Verify Owner on cron.hourly - ocil:ssg-sshd_allow_only_protocol2_action:testaction:1 + ocil:ssg-file_owner_cron_hourly_action:testaction:1 - - Add grpquota Option to /home + + Disable the samba_share_fusefs SELinux Boolean - ocil:ssg-mount_option_home_grpquota_action:testaction:1 + ocil:ssg-sebool_samba_share_fusefs_action:testaction:1 - - Verify User Who Owns gshadow File + + Disable the sanlock_use_samba SELinux Boolean - ocil:ssg-file_owner_etc_gshadow_action:testaction:1 + ocil:ssg-sebool_sanlock_use_samba_action:testaction:1 - - Ensure SELinux Not Disabled in zIPL + + Configure auditd Number of Logs Retained - ocil:ssg-zipl_enable_selinux_action:testaction:1 + ocil:ssg-auditd_data_retention_num_logs_action:testaction:1 - - Disable the git_session_users SELinux Boolean + + Configure Certificate Directives for LDAP Use of TLS - ocil:ssg-sebool_git_session_users_action:testaction:1 + ocil:ssg-ldap_client_tls_cacertpath_action:testaction:1 - - Add noexec Option to /tmp + + 
Uninstall abrt-cli Package - ocil:ssg-mount_option_tmp_noexec_action:testaction:1 + ocil:ssg-package_abrt-cli_removed_action:testaction:1 - - Enable the File Access Policy Service + + Disable network management of chrony daemon - ocil:ssg-service_fapolicyd_enabled_action:testaction:1 + ocil:ssg-chronyd_no_chronyc_network_action:testaction:1 - - Disable the staff_use_svirt SELinux Boolean + + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly - ocil:ssg-sebool_staff_use_svirt_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1 - - Require modules to be validly signed + + Disable the openshift_use_nfs SELinux Boolean - ocil:ssg-kernel_config_module_sig_force_action:testaction:1 + ocil:ssg-sebool_openshift_use_nfs_action:testaction:1 - - Disable the openvpn_can_network_connect SELinux Boolean + + Uninstall abrt-plugin-sosreport Package - ocil:ssg-sebool_openvpn_can_network_connect_action:testaction:1 + ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1 - - Uninstall geolite2-city Package + + Disable anacron Service - ocil:ssg-package_geolite2-city_removed_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1 + ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1 - - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + + Disable the domain_kernel_load_modules SELinux Boolean - ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1 + ocil:ssg-sebool_domain_kernel_load_modules_action:testaction:1 - - Set the GNOME3 Login Warning Banner Text + + Record Successful Ownership Changes to Files - lchown - 
ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_lchown_action:testaction:1 - - Disable Automatic Bug Reporting Tool (abrtd) + + Include Local Events in Audit Logs - ocil:ssg-service_abrtd_disabled_action:testaction:1 + ocil:ssg-auditd_local_events_action:testaction:1 - - Disable the swift_can_network SELinux Boolean + + Configure maximum number of process identifiers - ocil:ssg-sebool_swift_can_network_action:testaction:1 + ocil:ssg-sysctl_kernel_pid_max_action:testaction:1 - - Disable the uvcvideo module + + Disable Geolocation in GNOME3 - ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_geolocation_action:testaction:1 - - Uninstall talk Package + + Account Lockouts Must Be Logged - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_audit_action:testaction:1 - - Verify Group Who Owns cron.daily + + Do Not Show System Messages When Unsuccessful Logon Attempts Occur - ocil:ssg-file_groupowner_cron_daily_action:testaction:1 + ocil:ssg-accounts_passwords_pam_faillock_silent_action:testaction:1 - - Specify a Remote NTP Server + + Disable Kernel mac80211 Module - ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1 + ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo + + Disable the smartmon_3ware SELinux Boolean - ocil:ssg-sudo_require_authentication_action:testaction:1 + ocil:ssg-sebool_smartmon_3ware_action:testaction:1 - - Disable IPv6 Addressing on IPv6 Interfaces by Default + + Disable the conman_can_network SELinux Boolean - ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_action:testaction:1 + ocil:ssg-sebool_conman_can_network_action:testaction:1 - - Enable the logging_syslogd_use_tty SELinux Boolean + + Disable the glance_use_fusefs SELinux Boolean - ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1 + 
ocil:ssg-sebool_glance_use_fusefs_action:testaction:1 - - Perform general configuration of Audit for OSPP + + Enable Certmap in SSSD - ocil:ssg-audit_ospp_general_action:testaction:1 + ocil:ssg-sssd_enable_certmap_action:testaction:1 - - Configure Certificate Directives for LDAP Use of TLS + + Configure GNOME3 DConf User Profile - ocil:ssg-ldap_client_tls_cacertpath_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure yum Removes Previous Package Versions - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) + + Enable the selinuxuser_ping SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 + ocil:ssg-sebool_selinuxuser_ping_action:testaction:1 - - Add noauto Option to /boot + + Configure the httpd_enable_cgi SELinux Boolean - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-sebool_httpd_enable_cgi_action:testaction:1 - - Disable the httpd_use_cifs SELinux Boolean + + Disable GNOME3 Automounting - ocil:ssg-sebool_httpd_use_cifs_action:testaction:1 + ocil:ssg-dconf_gnome_disable_automount_action:testaction:1 - - Record Successful Delete Attempts to Files - unlink + + Record Successful Delete Attempts to Files - rename - ocil:ssg-audit_rules_successful_file_modification_unlink_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_rename_action:testaction:1 - - Uninstall rpcbind Package + + Enable SLUB/SLAB allocator poisoning in zIPL - ocil:ssg-package_rpcbind_removed_action:testaction:1 + ocil:ssg-zipl_slub_debug_argument_action:testaction:1 - - Ensure auditd Collects File Deletion Events by User - rmdir + + Disable the selinuxuser_use_ssh_chroot SELinux Boolean - ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1 + 
ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 - - Disable the dbadm_manage_user_files SELinux Boolean + + Ensure auditd Collects Information on the Use of Privileged Commands - postdrop - ocil:ssg-sebool_dbadm_manage_user_files_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1 - - Set Default ip6tables Policy for Incoming Packets + + Verify that audit tools are owned by group root - ocil:ssg-set_ip6tables_default_rule_action:testaction:1 + ocil:ssg-file_groupownership_audit_binaries_action:testaction:1 - - Disable the gluster_export_all_ro SELinux Boolean + + Harden the operation of the BPF just-in-time compiler - ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1 + ocil:ssg-sysctl_net_core_bpf_jit_harden_action:testaction:1 - - Add nodev Option to /var/log + + Add nosuid Option to /var - ocil:ssg-mount_option_var_log_nodev_action:testaction:1 + ocil:ssg-mount_option_var_nosuid_action:testaction:1 - - Disable the logging_syslogd_run_nagios_plugins SELinux Boolean + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-sebool_logging_syslogd_run_nagios_plugins_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Disable the ftpd_use_cifs SELinux Boolean + + Record Events When Executables Are Run As Another User - ocil:ssg-sebool_ftpd_use_cifs_action:testaction:1 + ocil:ssg-audit_rules_suid_auid_privilege_function_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + 
ocil:ssg-sebool_polipo_session_bind_all_unreserved_ports_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - creat + + Set Password Minimum Length in login.defs - ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 + ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1 - - Require Client SMB Packet Signing, if using mount.cifs + + Ensure PAM password complexity module is enabled in system-auth - ocil:ssg-mount_option_smb_client_signing_action:testaction:1 + ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Digit Characters + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-accounts_password_pam_dcredit_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Disable the saslauthd_read_shadow SELinux Boolean - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-sebool_saslauthd_read_shadow_action:testaction:1 - - Specify a Remote NTP Server + + Disable Portreserve (portreserve) - ocil:ssg-ntpd_specify_remote_server_action:testaction:1 + ocil:ssg-service_portreserve_disabled_action:testaction:1 - - Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 - - Disable network management of chrony daemon + + Verify Group Who Owns passwd File - ocil:ssg-chronyd_no_chronyc_network_action:testaction:1 + ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 - - Configure OpenSSL library to use System Crypto Policy + + Configure SSSD to Expire SSH Known Hosts - ocil:ssg-configure_openssl_crypto_policy_action:testaction:1 + ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1 - - Ensure 
auditd Collects Information on the Use of Privileged Commands - sudo + + Ensure gnutls-utils is installed - ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 + ocil:ssg-package_gnutls-utils_installed_action:testaction:1 - - Install dnf-automatic Package + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_dnf-automatic_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Mount Remote Filesystems with Kerberos Security + + Uninstall Automatic Bug Reporting Tool (abrt) - ocil:ssg-mount_option_krb_sec_remote_filesystems_action:testaction:1 + ocil:ssg-package_abrt_removed_action:testaction:1 - - Disable the ksmtuned_use_cifs SELinux Boolean + + Disable Accepting Packets Routed Between Local Interfaces - ocil:ssg-sebool_ksmtuned_use_cifs_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_action:testaction:1 - - Verify Permissions on passwd File + + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly - ocil:ssg-file_permissions_etc_passwd_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1 - - Disable the httpd_enable_homedirs SELinux Boolean + + Record Successful Access Attempts to Files - open_by_handle_at - ocil:ssg-sebool_httpd_enable_homedirs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_action:testaction:1 - - Configure auditd Max Log File Size + + Add noexec Option to /home - ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1 + ocil:ssg-mount_option_home_noexec_action:testaction:1 - - Ensure Logs Sent To Remote Host + + Set Password Maximum Age - ocil:ssg-rsyslog_remote_loghost_action:testaction:1 + ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 - - Verify Group Who Owns gshadow File + + All Interactive User Home Directories Must Be Owned By The Primary User - ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 + 
ocil:ssg-file_ownership_home_directories_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Limit Password Reuse: password-auth - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-accounts_password_pam_pwhistory_remember_password_auth_action:testaction:1 - - Enable HTTPD Error Logging + + Ensure debug-shell service is not enabled in zIPL - ocil:ssg-httpd_enable_error_logging_action:testaction:1 + ocil:ssg-zipl_systemd_debug-shell_argument_absent_action:testaction:1 - - Disable the selinuxuser_share_music SELinux Boolean + + Install policycoreutils Package - ocil:ssg-sebool_selinuxuser_share_music_action:testaction:1 + ocil:ssg-package_policycoreutils_installed_action:testaction:1 - - Configure A Valid Server Certificate + + Ensure auditd Collects File Deletion Events by User - renameat - ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1 - - Specify the hash to use when signing modules + + Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE - ocil:ssg-kernel_config_module_sig_hash_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 - - Verify and Correct Ownership with RPM + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces - ocil:ssg-rpm_verify_ownership_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo_action:testaction:1 - - Configure auditd flush priority + + Enable the kerberos_enabled SELinux Boolean - ocil:ssg-auditd_data_retention_flush_action:testaction:1 + ocil:ssg-sebool_kerberos_enabled_action:testaction:1 - - Ensure /srv Located On Separate Partition + + Deactivate Wireless Network Interfaces - ocil:ssg-partition_for_srv_action:testaction:1 + ocil:ssg-wireless_disable_interfaces_action:testaction:1 - - Enable the virt_sandbox_use_audit SELinux Boolean + + Verify iptables 
Enabled - ocil:ssg-sebool_virt_sandbox_use_audit_action:testaction:1 + ocil:ssg-service_iptables_enabled_action:testaction:1 - - Set Interactive Session Timeout + + Add nosuid Option to Removable Media Partitions - ocil:ssg-accounts_tmout_action:testaction:1 + ocil:ssg-mount_option_nosuid_removable_partitions_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + + Disable the git_session_bind_all_unreserved_ports SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 + ocil:ssg-sebool_git_session_bind_all_unreserved_ports_action:testaction:1 - - Ensure journald is configured to send logs to rsyslog + + Disable the ftpd_full_access SELinux Boolean - ocil:ssg-journald_forward_to_syslog_action:testaction:1 + ocil:ssg-sebool_ftpd_full_access_action:testaction:1 - - Disable GNOME3 Automounting + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default - ocil:ssg-dconf_gnome_disable_automount_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_router_solicitations_action:testaction:1 - - Uninstall ypserv Package + + Disable the selinuxuser_rw_noexattrfile SELinux Boolean - ocil:ssg-package_ypserv_removed_action:testaction:1 + ocil:ssg-sebool_selinuxuser_rw_noexattrfile_action:testaction:1 - - Uninstall krb5-workstation Package + + Disable Dovecot Service - ocil:ssg-package_krb5-workstation_removed_action:testaction:1 + ocil:ssg-service_dovecot_disabled_action:testaction:1 - - Verify User Who Owns Backup passwd File + + Enforce usage of pam_wheel for su authentication - ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Disable XDMCP in GDM + + Uninstall Samba Package - ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1 + ocil:ssg-package_samba_removed_action:testaction:1 - - Enable ExecShield via sysctl + + Disable the httpd_use_fusefs SELinux Boolean - 
ocil:ssg-sysctl_kernel_exec_shield_action:testaction:1 + ocil:ssg-sebool_httpd_use_fusefs_action:testaction:1 - - Verify All Account Password Hashes are Shadowed with SHA512 + + Configure file name of core dumps - ocil:ssg-accounts_password_all_shadowed_sha512_action:testaction:1 + ocil:ssg-sysctl_kernel_core_uses_pid_action:testaction:1 - - Enable Kernel Parameter to Enforce DAC on Symlinks + + Verify that System Executable Have Root Ownership - ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 + ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Install iptables-services Package - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-package_iptables-services_installed_action:testaction:1 - - Verify Permissions on /var/log Directory + + Ensure rsyncd service is disabled - ocil:ssg-file_permissions_var_log_action:testaction:1 + ocil:ssg-service_rsyncd_disabled_action:testaction:1 - - Record Events that Modify the System's Network Environment + + Backup interactive scripts on the production web server are prohibited - ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 + ocil:ssg-httpd_remove_backups_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Verify Group Ownership on SSH Server Public *.pub Key Files - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-file_groupownership_sshd_pub_key_action:testaction:1 - - Configure Notification of Post-AIDE Scan Details + + Add nodev Option to Non-Root Local Partitions - ocil:ssg-aide_scan_notification_action:testaction:1 + ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 - - Disable Bluetooth Kernel Module + + Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config - ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1 + ocil:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy_action:testaction:1 - - 
Disable the piranha_lvs_can_network_connect SELinux Boolean + + Record Successful Permission Changes to Files - fsetxattr - ocil:ssg-sebool_piranha_lvs_can_network_connect_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 - - Disable the selinuxuser_udp_server SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount - ocil:ssg-sebool_selinuxuser_udp_server_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1 - - Add hidepid Option to /proc + + Disable the git_cgi_enable_homedirs SELinux Boolean - ocil:ssg-mount_option_proc_hidepid_action:testaction:1 + ocil:ssg-sebool_git_cgi_enable_homedirs_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open O_CREAT + + Verify that system commands files are group owned by root or a system account - ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1 + ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1 - - Disable the httpd_tty_comm SELinux Boolean + + Configure Error Log Format - ocil:ssg-sebool_httpd_tty_comm_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Verify Group Who Owns cron.d + + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments - ocil:ssg-file_groupowner_cron_d_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/passwd + + Set LogLevel to INFO - ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 + ocil:ssg-sshd_set_loglevel_info_action:testaction:1 - - Disable Modprobe Loading of USB Storage Driver + + Harden OpenSSL Crypto Policy - ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1 + ocil:ssg-harden_openssl_crypto_policy_action:testaction:1 - - Verify No .forward Files Exist + + Disable the exim_read_user_files SELinux Boolean - 
ocil:ssg-no_forward_files_action:testaction:1 + ocil:ssg-sebool_exim_read_user_files_action:testaction:1 - - Configure auditd max_log_file_action Upon Reaching Maximum Log Size + + Verify and Correct Ownership with RPM - ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1 + ocil:ssg-rpm_verify_ownership_action:testaction:1 - - Verify ownership of System Login Banner + + Uninstall tftp-server Package - ocil:ssg-file_owner_etc_issue_action:testaction:1 + ocil:ssg-package_tftp-server_removed_action:testaction:1 - - Verify /boot/grub2/grub.cfg Group Ownership + + Add nodev Option to /var/log/audit - ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1 + ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1 - - Extend Audit Backlog Limit for the Audit Daemon + + Disable the deny_ptrace SELinux Boolean - ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 + ocil:ssg-sebool_deny_ptrace_action:testaction:1 - - Disable Certmonger Service (certmonger) + + Disable the kdumpgui_run_bootloader SELinux Boolean - ocil:ssg-service_certmonger_disabled_action:testaction:1 + ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1 - - Record Unsuccessful Ownership Changes to Files - lchown + + Disable kexec system call - ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1 + ocil:ssg-kernel_config_kexec_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab + + Disable the xdm_bind_vnc_tcp_port SELinux Boolean - ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 + ocil:ssg-sebool_xdm_bind_vnc_tcp_port_action:testaction:1 - - Ensure IPv6 is disabled through kernel boot parameter + + Set SSH Daemon LogLevel to VERBOSE - ocil:ssg-grub2_ipv6_disable_argument_action:testaction:1 + ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1 - - Ensure gnutls-utils is installed + + Set Up a Private Namespace in PAM Configuration - 
ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-enable_pam_namespace_action:testaction:1 - - Enable dnf-automatic Timer + + Disable the collectd_tcp_network_connect SELinux Boolean - ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1 + ocil:ssg-sebool_collectd_tcp_network_connect_action:testaction:1 - - Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + + Disable the mozilla_read_content SELinux Boolean - ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 + ocil:ssg-sebool_mozilla_read_content_action:testaction:1 - - Disable the exim_read_user_files SELinux Boolean + + SSH client uses strong entropy to seed (Bash-like shells) - ocil:ssg-sebool_exim_read_user_files_action:testaction:1 + ocil:ssg-ssh_client_use_strong_rng_sh_action:testaction:1 - - Enable rsyslog Service + + Enable Encrypted X11 Forwarding - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1 - - Account Lockouts Must Persist + + Install Smart Card Packages For Multifactor Authentication - ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1 + ocil:ssg-install_smartcard_packages_action:testaction:1 - - Set Password Minimum Age + + Configure SSSD LDAP Backend Client CA Certificate Location - ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 + ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1 - - Verify Group Who Owns cron.weekly + + Ensure auditd Collects File Deletion Events by User - unlink - ocil:ssg-file_groupowner_cron_weekly_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1 - - Enable the postfix_local_write_mail_spool SELinux Boolean + + Verify User Who Owns shadow File - ocil:ssg-sebool_postfix_local_write_mail_spool_action:testaction:1 + ocil:ssg-file_owner_etc_shadow_action:testaction:1 - - Uninstall geolite2-country Package + + Configure Speculative Store Bypass Mitigation - 
ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_spec_store_bypass_disable_argument_action:testaction:1 - - All Interactive Users Must Have A Home Directory Defined + + Disable SCTP Support - ocil:ssg-accounts_user_interactive_home_directory_defined_action:testaction:1 + ocil:ssg-kernel_module_sctp_disabled_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Disable the ksmtuned_use_cifs SELinux Boolean - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-sebool_ksmtuned_use_cifs_action:testaction:1 - - Disable the fenced_can_ssh SELinux Boolean + + User Initialization Files Must Be Owned By the Primary User - ocil:ssg-sebool_fenced_can_ssh_action:testaction:1 + ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/gshadow + + Disable the irc_use_any_tcp_ports SELinux Boolean - ocil:ssg-audit_rules_etc_gshadow_open_action:testaction:1 + ocil:ssg-sebool_irc_use_any_tcp_ports_action:testaction:1 - - Create Warning Banners for All FTP Users - - ocil:ssg-ftp_present_banner_action:testaction:1 - - - - Disable core dump backtraces + + Audit Tools Must Be Group-owned by Root - ocil:ssg-coredump_disable_backtraces_action:testaction:1 + ocil:ssg-file_audit_tools_group_ownership_action:testaction:1 - - Install systemd-journal-remote Package + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - ocil:ssg-package_systemd-journal-remote_installed_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 - - Disable SCTP Support + + Emulate Privileged Access Never (PAN) - ocil:ssg-kernel_module_sctp_disabled_action:testaction:1 + ocil:ssg-kernel_config_arm64_sw_ttbr0_pan_action:testaction:1 - - Disable the git_system_enable_homedirs SELinux Boolean + + Record Unsuccessful Access Attempts to Files - ftruncate - 
ocil:ssg-sebool_git_system_enable_homedirs_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 - - Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters + + Ensure iptables Firewall Rules Exist for All Open Ports - ocil:ssg-accounts_password_pam_lcredit_action:testaction:1 + ocil:ssg-iptables_rules_for_open_ports_action:testaction:1 - - Disable the gpg_web_anon_write SELinux Boolean + + Uninstall nginx Package - ocil:ssg-sebool_gpg_web_anon_write_action:testaction:1 + ocil:ssg-package_nginx_removed_action:testaction:1 - - Install AIDE + + Disable Kernel cfg80211 Module - ocil:ssg-package_aide_installed_action:testaction:1 + ocil:ssg-kernel_module_cfg80211_disabled_action:testaction:1 - - Disable the xdm_write_home SELinux Boolean + + Install the cron service - ocil:ssg-sebool_xdm_write_home_action:testaction:1 + ocil:ssg-package_cron_installed_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - kmod + + Install the tmux Package - ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Ensure System is Not Acting as a Network Sniffer + + Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ - ocil:ssg-network_sniffer_disabled_action:testaction:1 + ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1 - - Set Permissions on the /etc/httpd/conf/ Directory + + Verify User Who Owns Backup shadow File - ocil:ssg-dir_perms_etc_httpd_conf_action:testaction:1 + ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1 - - Disable User Administration in GNOME3 + + Ensure auditd Collects File Deletion Events by User - rmdir - ocil:ssg-dconf_gnome_disable_user_admin_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1 - - Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + + Enable the 
login_console_enabled SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1 + ocil:ssg-sebool_login_console_enabled_action:testaction:1 - - Disable tftp Service + + Ensure all users last password change date is in the past - ocil:ssg-service_tftp_disabled_action:testaction:1 + ocil:ssg-accounts_password_last_change_is_in_past_action:testaction:1 - - Ensure sudo only includes the default configuration directory + + Record Successful Delete Attempts to Files - unlinkat - ocil:ssg-sudoers_default_includedir_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_unlinkat_action:testaction:1 - - Disable the openvpn_run_unconfined SELinux Boolean + + Disable xinetd Service - ocil:ssg-sebool_openvpn_run_unconfined_action:testaction:1 + ocil:ssg-service_xinetd_disabled_action:testaction:1 - - Ensure yum Removes Previous Package Versions + + Use zero for poisoning instead of debugging value - ocil:ssg-clean_components_post_updating_action:testaction:1 + ocil:ssg-kernel_config_page_poisoning_zero_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands + + Verify Ownership on SSH Server Private *_key Key Files - ocil:ssg-audit_rules_privileged_commands_action:testaction:1 + ocil:ssg-file_ownership_sshd_private_key_action:testaction:1 - - Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Disable Kernel Parameter for IPv6 Forwarding - ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1 - - Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server + + Verify nftables Service is Disabled - ocil:ssg-rsyslog_nolisten_action:testaction:1 + ocil:ssg-service_nftables_disabled_action:testaction:1 - - Ensure there are no legacy + NIS entries in /etc/shadow + + Strong Stack Protector - 
ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1 + ocil:ssg-kernel_config_stackprotector_strong_action:testaction:1 - - Ensure LDAP client is not installed + + Enable the postfix_local_write_mail_spool SELinux Boolean - ocil:ssg-package_openldap-clients_removed_action:testaction:1 + ocil:ssg-sebool_postfix_local_write_mail_spool_action:testaction:1 - - Disable the httpd_use_openstack SELinux Boolean + + Enable HTTPD Error Logging - ocil:ssg-sebool_httpd_use_openstack_action:testaction:1 + ocil:ssg-httpd_enable_error_logging_action:testaction:1 - - All Interactive User Home Directories Must Have mode 0750 Or Less Permissive + + Uninstall rpcbind Package - ocil:ssg-file_permissions_home_directories_action:testaction:1 + ocil:ssg-package_rpcbind_removed_action:testaction:1 - - Set kernel parameter 'crypto.fips_enabled' to 1 + + Disable the virt_use_comm SELinux Boolean - ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1 + ocil:ssg-sebool_virt_use_comm_action:testaction:1 - - Verify that System Executable Directories Have Restrictive Permissions + + Disable At Service (atd) - ocil:ssg-dir_permissions_binary_dirs_action:testaction:1 + ocil:ssg-service_atd_disabled_action:testaction:1 - - Disable the cron_can_relabel SELinux Boolean + + Verify Group Who Owns group File - ocil:ssg-sebool_cron_can_relabel_action:testaction:1 + ocil:ssg-file_groupowner_etc_group_action:testaction:1 - - Verify Permissions on cron.d + + Limit the Number of Concurrent Login Sessions Allowed Per User - ocil:ssg-file_permissions_cron_d_action:testaction:1 + ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 - - Configure Firewalld to Use the Nftables Backend + + Disable the puppetmaster_use_db SELinux Boolean - ocil:ssg-firewalld-backend_action:testaction:1 + ocil:ssg-sebool_puppetmaster_use_db_action:testaction:1 - - An SELinux Context must be configured for the pam_faillock.so records directory + + Avoid speculative indirect branches in kernel - 
ocil:ssg-account_password_selinux_faillock_dir_action:testaction:1 + ocil:ssg-kernel_config_retpoline_action:testaction:1 - - The web server password(s) must be entrusted to the SA or Web Manager + + A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension - ocil:ssg-httpd_entrust_passwords_action:testaction:1 + ocil:ssg-httpd_nipr_accredited_dmz_action:testaction:1 - - Disable the mozilla_plugin_use_gps SELinux Boolean + + Set Daemon Umask - ocil:ssg-sebool_mozilla_plugin_use_gps_action:testaction:1 + ocil:ssg-umask_for_daemons_action:testaction:1 - - Verify Ownership on SSH Server Public *.pub Key Files + + Disable the fcron_crond SELinux Boolean - ocil:ssg-file_ownership_sshd_pub_key_action:testaction:1 + ocil:ssg-sebool_fcron_crond_action:testaction:1 - - Verify Permissions on Backup gshadow File + + Disable the virt_use_fusefs SELinux Boolean - ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1 + ocil:ssg-sebool_virt_use_fusefs_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - open + + Disable tftp Service - ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 + ocil:ssg-service_tftp_disabled_action:testaction:1 - - Disable the zoneminder_run_sudo SELinux Boolean + + Verify Group Who Owns cron.daily - ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1 + ocil:ssg-file_groupowner_cron_daily_action:testaction:1 - - Add nosuid Option to Removable Media Partitions + + Ensure Chrony is only configured with the server directive - ocil:ssg-mount_option_nosuid_removable_partitions_action:testaction:1 + ocil:ssg-chronyd_server_directive_action:testaction:1 - - Disable the polipo_use_cifs SELinux Boolean + + Disable httpd Service - ocil:ssg-sebool_polipo_use_cifs_action:testaction:1 + ocil:ssg-service_httpd_disabled_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + + Disable Kernel Image Loading - 
ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1 + ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1 - - Ensure sudo umask is appropriate - sudo umask + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - ocil:ssg-sudo_add_umask_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 - - Enable the USBGuard Service + + Verify Group Ownership of System Login Banner - ocil:ssg-service_usbguard_enabled_action:testaction:1 + ocil:ssg-file_groupowner_etc_issue_action:testaction:1 - - Configure Backups of User Data + + Disable the httpd_anon_write SELinux Boolean - ocil:ssg-configure_user_data_backups_action:testaction:1 + ocil:ssg-sebool_httpd_anon_write_action:testaction:1 - - Disable the httpd_use_fusefs SELinux Boolean + + Disable the named_write_master_zones SELinux Boolean - ocil:ssg-sebool_httpd_use_fusefs_action:testaction:1 + ocil:ssg-sebool_named_write_master_zones_action:testaction:1 - - Disable the use_nfs_home_dirs SELinux Boolean + + Disable All GNOME3 Thumbnailers - ocil:ssg-sebool_use_nfs_home_dirs_action:testaction:1 + ocil:ssg-dconf_gnome_disable_thumbnailers_action:testaction:1 - - Boot Loader Is Not Installed On Removeable Media + + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces - ocil:ssg-grub2_no_removeable_media_action:testaction:1 + ocil:ssg-sysctl_net_ipv4_tcp_rfc1337_action:testaction:1 - - Require Authentication for Single User Mode + + Verify All Account Password Hashes are Shadowed - ocil:ssg-require_singleuser_auth_action:testaction:1 + ocil:ssg-accounts_password_all_shadowed_action:testaction:1 - - Remove Rsh Trust Files + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap - ocil:ssg-no_rsh_trust_files_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1 - - User Initialization Files Must Be Owned By the Primary User + + Ensure cron Is Logging To Rsyslog - 
ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1 + ocil:ssg-rsyslog_cron_logging_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify Group Who Owns cron.monthly - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-file_groupowner_cron_monthly_action:testaction:1 - - Record Attempts to Alter Logon and Logout Events - faillock + + Disable the cron_can_relabel SELinux Boolean - ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 + ocil:ssg-sebool_cron_can_relabel_action:testaction:1 - - Disable Ctrl-Alt-Del Reboot Activation + + Ensure auditd Collects Information on the Use of Privileged Commands - kmod - ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1 - - Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces + + Enable the logging_syslogd_use_tty SELinux Boolean - ocil:ssg-sysctl_net_ipv4_tcp_rfc1337_action:testaction:1 + ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1 - - Disable the daemons_use_tty SELinux Boolean + + Install the Policy Auditor (PA) Module - ocil:ssg-sebool_daemons_use_tty_action:testaction:1 + ocil:ssg-install_mcafee_hbss_pa_action:testaction:1 - - Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Disable the tftp_anon_write SELinux Boolean - ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 + ocil:ssg-sebool_tftp_anon_write_action:testaction:1 - - Ensure Logrotate Runs Periodically + + Disable the xserver_clients_write_xshm SELinux Boolean - ocil:ssg-ensure_logrotate_activated_action:testaction:1 + ocil:ssg-sebool_xserver_clients_write_xshm_action:testaction:1 - - Disable the dbadm_read_user_files SELinux Boolean + + Disable the postgresql_can_rsync SELinux Boolean - ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1 + ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1 - - Ensure journald is configured to write log files to 
persistent disk + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-journald_storage_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Disable kernel support for MISC binaries + + Limit Users' SSH Access - ocil:ssg-kernel_config_binfmt_misc_action:testaction:1 + ocil:ssg-sshd_limit_user_access_action:testaction:1 - - Disable the mpd_enable_homedirs SELinux Boolean + + Disable Software RAID Monitor (mdmonitor) - ocil:ssg-sebool_mpd_enable_homedirs_action:testaction:1 + ocil:ssg-service_mdmonitor_disabled_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Install sssd-ipa Package - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-package_sssd-ipa_installed_action:testaction:1 - - Configure auditd admin_space_left on Low Disk Space + + Set Account Expiration Following Inactivity - ocil:ssg-auditd_data_retention_admin_space_left_percentage_action:testaction:1 + ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 - - Record Events that Modify User/Group Information via open syscall - /etc/group + + Set Permissions on the /var/log/httpd/ Directory - ocil:ssg-audit_rules_etc_group_open_action:testaction:1 + ocil:ssg-dir_perms_var_log_httpd_action:testaction:1 - - Enable the domain_fd_use SELinux Boolean + + Disable the varnishd_connect_any SELinux Boolean - ocil:ssg-sebool_domain_fd_use_action:testaction:1 + ocil:ssg-sebool_varnishd_connect_any_action:testaction:1 - - Verify Group Who Owns /var/log/messages File + + Add nodev Option to /var - ocil:ssg-file_groupowner_var_log_messages_action:testaction:1 + ocil:ssg-mount_option_var_nodev_action:testaction:1 - - Disable Kerberos Authentication + + Disable the smbd_anon_write SELinux Boolean - ocil:ssg-sshd_disable_kerb_auth_action:testaction:1 + ocil:ssg-sebool_smbd_anon_write_action:testaction:1 - - Verify Permissions on /etc/at.allow file + + Record Unsuccessful Access Attempts to Files - truncate - 
ocil:ssg-file_permissions_at_allow_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 - - Add noexec Option to /var + + Verify the system-wide library files in directories +"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. - ocil:ssg-mount_option_var_noexec_action:testaction:1 + ocil:ssg-root_permissions_syslibrary_files_action:testaction:1 - - Verify Root Has A Primary GID 0 + + Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ - ocil:ssg-accounts_root_gid_zero_action:testaction:1 + ocil:ssg-audit_rules_sudoers_d_action:testaction:1 - - Ensure gpgcheck Enabled for Repository Metadata + + Configure Firewalld to Use the Nftables Backend - ocil:ssg-ensure_gpgcheck_repo_metadata_action:testaction:1 + ocil:ssg-firewalld-backend_action:testaction:1 - - Disable the mmap_low_allowed SELinux Boolean + + A private web server must be located on a separate controlled access subnet - ocil:ssg-sebool_mmap_low_allowed_action:testaction:1 + ocil:ssg-httpd_private_server_on_separate_subnet_action:testaction:1 - - Install openscap-scanner Package + + Disable the mozilla_plugin_use_gps SELinux Boolean - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-sebool_mozilla_plugin_use_gps_action:testaction:1 - - Install sudo Package + + Configure basic parameters of Audit system - ocil:ssg-package_sudo_installed_action:testaction:1 + ocil:ssg-audit_basic_configuration_action:testaction:1 - - Record Successful Creation Attempts to Files - open O_CREAT + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Any Attempts to Run setsebool + + The Chrony package is installed - ocil:ssg-audit_rules_execution_setsebool_action:testaction:1 + ocil:ssg-package_chrony_installed_action:testaction:1 - - Disable Core Dumps 
for SUID programs + + Disable the entropyd_use_audio SELinux Boolean - ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 + ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 - - Configure AIDE to Use FIPS 140-2 for Validating Hashes + + Record Events that Modify User/Group Information - /etc/security/opasswd - ocil:ssg-aide_use_fips_hashes_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 - - Ensure No Daemons are Unconfined by SELinux + + Verify User Who Owns Backup group File - ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 + ocil:ssg-file_owner_backup_etc_group_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lchown + + Ensure All World-Writable Directories Are Owned by root User - ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 + ocil:ssg-dir_perms_world_writable_root_owned_action:testaction:1 - - Disallow merge of slab caches + + Specify a Remote NTP Server - ocil:ssg-kernel_config_slab_merge_default_action:testaction:1 + ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1 - - Disable KDump Kernel Crash Analyzer (kdump) + + Disable Access to Network bpf() Syscall From Unprivileged Processes - ocil:ssg-service_kdump_disabled_action:testaction:1 + ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1 - - Lock Accounts After Failed Password Attempts + + Enable checks on credential management - ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1 + ocil:ssg-kernel_config_debug_credentials_action:testaction:1 - - Remove Write Permissions From Filesystem Paths And Server Scripts + + Disable the ftpd_connect_db SELinux Boolean - ocil:ssg-httpd_configure_script_permissions_action:testaction:1 + ocil:ssg-sebool_ftpd_connect_db_action:testaction:1 - - Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ + + Verify Ownership on SSH Server Public *.pub Key Files - 
ocil:ssg-file_permissions_httpd_server_conf_d_files_action:testaction:1 + ocil:ssg-file_ownership_sshd_pub_key_action:testaction:1 - - Enable the nfs_export_all_rw SELinux Boolean + + Configure auditing of successful file modifications - ocil:ssg-sebool_nfs_export_all_rw_action:testaction:1 + ocil:ssg-audit_modify_success_action:testaction:1 - - Ensure All User Initialization Files Have Mode 0740 Or Less Permissive + + Disable the httpd_run_stickshift SELinux Boolean - ocil:ssg-file_permission_user_init_files_action:testaction:1 + ocil:ssg-sebool_httpd_run_stickshift_action:testaction:1 - - Add nodev Option to /dev/shm + + Record Unsuccessful Permission Changes to Files - chmod - ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1 - - Configure the deny_execmem SELinux Boolean + + Ensure /boot Located On Separate Partition - ocil:ssg-sebool_deny_execmem_action:testaction:1 + ocil:ssg-partition_for_boot_action:testaction:1 - - Record Successful Delete Attempts to Files - rename + + Disable the gpg_web_anon_write SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_rename_action:testaction:1 + ocil:ssg-sebool_gpg_web_anon_write_action:testaction:1 - - System Audit Logs Must Have Mode 0640 or Less Permissive + + Disable the boinc_execmem SELinux Boolean - ocil:ssg-file_permissions_var_log_audit_action:testaction:1 + ocil:ssg-sebool_boinc_execmem_action:testaction:1 
@@ -354248,147 +354248,147 @@ which the system will be deployed as closely as possible.ocil:ssg-package_rear_installed_action:testaction:1 - - Disable the httpd_can_connect_ldap SELinux Boolean + + Disable the squid_use_tproxy SELinux Boolean - ocil:ssg-sebool_httpd_can_connect_ldap_action:testaction:1 + ocil:ssg-sebool_squid_use_tproxy_action:testaction:1 - - Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces + + Verify the SSH Private Key Files Have a Passcode - ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 + ocil:ssg-ssh_keys_passphrase_protected_action:testaction:1 - - System Audit Logs Must Be Group Owned By Root + + Detect stack corruption on calls to schedule() - ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 + ocil:ssg-kernel_config_sched_stack_end_check_action:testaction:1 - - Ensure that chronyd is running under chrony user account + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd - ocil:ssg-chronyd_run_as_chrony_user_action:testaction:1 + ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1 - - Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Record Events that Modify the System's Discretionary Access Controls - fchmod - ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 - - Disable the httpd_use_sasl SELinux Boolean + + Uninstall geolite2-country Package - ocil:ssg-sebool_httpd_use_sasl_action:testaction:1 + ocil:ssg-package_geolite2-country_removed_action:testaction:1 - - The mailx Package Is Installed + + Configure auditing of successful permission changes - ocil:ssg-package_mailx_installed_action:testaction:1 + ocil:ssg-audit_perm_change_success_action:testaction:1 - - Configure auditd Number of Logs Retained + + Disable the samba_create_home_dirs SELinux Boolean - ocil:ssg-auditd_data_retention_num_logs_action:testaction:1 + 
ocil:ssg-sebool_samba_create_home_dirs_action:testaction:1 - - Verify Permissions on SSH Server Public *.pub Key Files + + System Audit Directories Must Be Group Owned By Root - ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1 + ocil:ssg-directory_group_ownership_var_log_audit_action:testaction:1 - - Configure auditing of unsuccessful file creations + + Disable the mailman_use_fusefs SELinux Boolean - ocil:ssg-audit_create_failed_action:testaction:1 + ocil:ssg-sebool_mailman_use_fusefs_action:testaction:1 - - Enable use of Berkeley Packet Filter with seccomp + + Disable rsh Service - ocil:ssg-kernel_config_seccomp_filter_action:testaction:1 + ocil:ssg-service_rsh_disabled_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Disable the sge_domain_can_network_connect SELinux Boolean - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-sebool_sge_domain_can_network_connect_action:testaction:1 - - Enable Smartcards in SSSD + + Disable the httpd_tmp_exec SELinux Boolean - ocil:ssg-sssd_enable_smartcards_action:testaction:1 + ocil:ssg-sebool_httpd_tmp_exec_action:testaction:1 - - Prevent applications from mapping low portion of virtual memory + + Configure auditing of successful file deletions - ocil:ssg-sysctl_vm_mmap_min_addr_action:testaction:1 + ocil:ssg-audit_delete_success_action:testaction:1 - - Configure Denying Router Solicitations on All IPv6 Interfaces + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit - ocil:ssg-sysctl_net_ipv6_conf_all_router_solicitations_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 - - Configure auditing of successful file modifications + + Disable the gitosis_can_sendmail SELinux Boolean - ocil:ssg-audit_modify_success_action:testaction:1 + ocil:ssg-sebool_gitosis_can_sendmail_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Ensure Users Cannot Change GNOME3 Screensaver Settings - 
ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-dconf_gnome_screensaver_user_locks_action:testaction:1 - - Configure Error Log Format + + Disable Kerberos Authentication - ocil:ssg-httpd_configure_log_format_action:testaction:1 + ocil:ssg-sshd_disable_kerb_auth_action:testaction:1 - - Disable the zabbix_can_network SELinux Boolean + + Verify /boot/grub2/user.cfg Group Ownership - ocil:ssg-sebool_zabbix_can_network_action:testaction:1 + ocil:ssg-file_groupowner_user_cfg_action:testaction:1 - - Configure auditd space_left on Low Disk Space + + Ensure No Device Files are Unlabeled by SELinux - ocil:ssg-auditd_data_retention_space_left_action:testaction:1 + ocil:ssg-selinux_all_devicefiles_labeled_action:testaction:1 - - Verify /boot/grub2/grub.cfg User Ownership + + Record Successful Permission Changes to Files - lremovexattr - ocil:ssg-file_owner_grub2_cfg_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_lremovexattr_action:testaction:1 - - Enable Logging of All FTP Transactions + + Disable the virt_sandbox_use_all_caps SELinux Boolean - ocil:ssg-ftp_log_transactions_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_all_caps_action:testaction:1 - - Uninstall abrt-addon-ccpp Package + + Disable Certmonger Service (certmonger) - ocil:ssg-package_abrt-addon-ccpp_removed_action:testaction:1 + ocil:ssg-service_certmonger_disabled_action:testaction:1 - + PASS @@ -354396,7 +354396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354404,7 +354404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354412,7 +354412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354420,7 +354420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354428,7 +354428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354436,7 +354436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354444,7 +354444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354452,7 +354452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354460,7 +354460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354468,7 +354468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354476,7 +354476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354484,7 +354484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354492,7 +354492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354500,7 +354500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354508,7 +354508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354516,7 +354516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354524,7 +354524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354532,7 +354532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354540,7 +354540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354548,7 +354548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354556,7 +354556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354564,7 +354564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354572,7 +354572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354580,7 +354580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354588,7 +354588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354596,7 +354596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354604,7 +354604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354612,7 +354612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354620,7 +354620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354628,7 +354628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354636,7 +354636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354644,7 +354644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354652,7 +354652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354660,7 +354660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354668,7 +354668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354676,7 +354676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354684,7 +354684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354692,7 +354692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354700,7 +354700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354708,7 +354708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354716,7 +354716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354724,7 +354724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354732,7 +354732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354740,7 +354740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354748,7 +354748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354756,7 +354756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354764,7 +354764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354772,7 +354772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354780,7 +354780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354788,7 +354788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354796,7 +354796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354804,7 +354804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354812,7 +354812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354820,7 +354820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354828,7 +354828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354836,7 +354836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354844,7 +354844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354852,7 +354852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354860,7 +354860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354868,7 +354868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354876,7 +354876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354884,7 +354884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354892,7 +354892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354900,7 +354900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354908,7 +354908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -354916,7 +354916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354924,7 +354924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354932,7 +354932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354940,7 +354940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354948,7 +354948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354956,7 +354956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354964,7 +354964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354972,7 +354972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354980,7 +354980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354988,7 +354988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -354996,7 +354996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355004,7 +355004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355012,7 +355012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355020,7 +355020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355028,7 +355028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355036,7 +355036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355044,7 +355044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355052,7 +355052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355060,7 +355060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355068,7 +355068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355076,7 +355076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355084,7 +355084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355092,7 +355092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355100,7 +355100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355108,7 +355108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355116,7 +355116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355124,7 +355124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355132,7 +355132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355140,7 +355140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355148,7 +355148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355156,7 +355156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355164,7 +355164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355172,7 +355172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355180,7 +355180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355188,7 +355188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355196,7 +355196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355204,7 +355204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355212,7 +355212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355220,7 +355220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355228,7 +355228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355236,7 +355236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355244,7 +355244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355252,7 +355252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355260,7 +355260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355268,7 +355268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355276,7 +355276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355284,7 +355284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355292,7 +355292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355300,7 +355300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355308,7 +355308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355316,7 +355316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355324,7 +355324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355332,7 +355332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355340,7 +355340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355348,7 +355348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355356,7 +355356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355364,7 +355364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355372,7 +355372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355380,7 +355380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355388,7 +355388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355396,7 +355396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355404,7 +355404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355412,7 +355412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355420,7 +355420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355428,7 +355428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355436,7 +355436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355444,7 +355444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355452,7 +355452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355460,7 +355460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355468,7 +355468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355476,7 +355476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355484,7 +355484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355492,7 +355492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355500,7 +355500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355508,7 +355508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355516,7 +355516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355524,7 +355524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355532,7 +355532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355540,7 +355540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355548,7 +355548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355556,7 +355556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355564,7 +355564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355572,7 +355572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355580,7 +355580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355588,7 +355588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355596,7 +355596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355604,7 +355604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355612,7 +355612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355620,7 +355620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355628,7 +355628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355636,7 +355636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355644,7 +355644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355652,7 +355652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355660,7 +355660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355668,7 +355668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355676,7 +355676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355684,7 +355684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355692,7 +355692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355700,7 +355700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355708,7 +355708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355716,7 +355716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355724,7 +355724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355732,7 +355732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355740,7 +355740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355748,7 +355748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355756,7 +355756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355764,7 +355764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355772,7 +355772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355780,7 +355780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355788,7 +355788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355796,7 +355796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355804,7 +355804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355812,7 +355812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355820,7 +355820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355828,7 +355828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355836,7 +355836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355844,7 +355844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355852,7 +355852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355860,7 +355860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355868,7 +355868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -355876,7 +355876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355884,7 +355884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355892,7 +355892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355900,7 +355900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355908,7 +355908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355916,7 +355916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355924,7 +355924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355932,7 +355932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355940,7 +355940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355948,7 +355948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355956,7 +355956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355964,7 +355964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355972,7 +355972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355980,7 +355980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355988,7 +355988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -355996,7 +355996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356004,7 +356004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356012,7 +356012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356020,7 +356020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356028,7 +356028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356036,7 +356036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356044,7 +356044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356052,7 +356052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356060,7 +356060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356068,7 +356068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356076,7 +356076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356084,7 +356084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356092,7 +356092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356100,7 +356100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356108,7 +356108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356116,7 +356116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356124,7 +356124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356132,7 +356132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356140,7 +356140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356148,7 +356148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356156,7 +356156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356164,7 +356164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356172,7 +356172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356180,7 +356180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356188,7 +356188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356196,7 +356196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356204,7 +356204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356212,7 +356212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356220,7 +356220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356228,7 +356228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356236,7 +356236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356244,7 +356244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356252,7 +356252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356260,7 +356260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356268,7 +356268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356276,7 +356276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356284,7 +356284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356292,7 +356292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356300,7 +356300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356308,7 +356308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356316,7 +356316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356324,7 +356324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356332,7 +356332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356340,7 +356340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356348,7 +356348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356356,7 +356356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356364,7 +356364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356372,7 +356372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356380,7 +356380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356388,7 +356388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356396,7 +356396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356404,7 +356404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356412,7 +356412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356420,7 +356420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356428,7 +356428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356436,7 +356436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356444,7 +356444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356452,7 +356452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356460,7 +356460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356468,7 +356468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356476,7 +356476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356484,7 +356484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356492,7 +356492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356500,7 +356500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356508,7 +356508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356516,7 +356516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356524,7 +356524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356532,7 +356532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356540,7 +356540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356548,7 +356548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356556,7 +356556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356564,7 +356564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356572,7 +356572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356580,7 +356580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356588,7 +356588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356596,7 +356596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356604,7 +356604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356612,7 +356612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356620,7 +356620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356628,7 +356628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356636,7 +356636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356644,7 +356644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356652,7 +356652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356660,7 +356660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356668,7 +356668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356676,7 +356676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356684,7 +356684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356692,7 +356692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356700,7 +356700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356708,7 +356708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356716,7 +356716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356724,7 +356724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356732,7 +356732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356740,7 +356740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356748,7 +356748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356756,7 +356756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356764,7 +356764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356772,7 +356772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356780,7 +356780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356788,7 +356788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356796,7 +356796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356804,7 +356804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356812,7 +356812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356820,7 +356820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356828,7 +356828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356836,7 +356836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356844,7 +356844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356852,7 +356852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356860,7 +356860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356868,7 +356868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356876,7 +356876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356884,7 +356884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356892,7 +356892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356900,7 +356900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356908,7 +356908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356916,7 +356916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356924,7 +356924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356932,7 +356932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356940,7 +356940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356948,7 +356948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356956,7 +356956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356964,7 +356964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356972,7 +356972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356980,7 +356980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -356988,7 +356988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -356996,7 +356996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357004,7 +357004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357012,7 +357012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357020,7 +357020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357028,7 +357028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357036,7 +357036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357044,7 +357044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357052,7 +357052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357060,7 +357060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357068,7 +357068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357076,7 +357076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357084,7 +357084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357092,7 +357092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357100,7 +357100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357108,7 +357108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357116,7 +357116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357124,7 +357124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357132,7 +357132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357140,7 +357140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357148,7 +357148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357156,7 +357156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357164,7 +357164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357172,7 +357172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357180,7 +357180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357188,7 +357188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357196,7 +357196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357204,7 +357204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357212,7 +357212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357220,7 +357220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357228,7 +357228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357236,7 +357236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357244,7 +357244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357252,7 +357252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357260,7 +357260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357268,7 +357268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357276,7 +357276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357284,7 +357284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357292,7 +357292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357300,7 +357300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357308,7 +357308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357316,7 +357316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357324,7 +357324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357332,7 +357332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357340,7 +357340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357348,7 +357348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357356,7 +357356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357364,7 +357364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357372,7 +357372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357380,7 +357380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357388,7 +357388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357396,7 +357396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357404,7 +357404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357412,7 +357412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357420,7 +357420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357428,7 +357428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357436,7 +357436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357444,7 +357444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357452,7 +357452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357460,7 +357460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357468,7 +357468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357476,7 +357476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357484,7 +357484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357492,7 +357492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357500,7 +357500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357508,7 +357508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357516,7 +357516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357524,7 +357524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357532,7 +357532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357540,7 +357540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357548,7 +357548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357556,7 +357556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357564,7 +357564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357572,7 +357572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357580,7 +357580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357588,7 +357588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357596,7 +357596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357604,7 +357604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357612,7 +357612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357620,7 +357620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357628,7 +357628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357636,7 +357636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357644,7 +357644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357652,7 +357652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357660,7 +357660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357668,7 +357668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357676,7 +357676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357684,7 +357684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357692,7 +357692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357700,7 +357700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357708,7 +357708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357716,7 +357716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357724,7 +357724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357732,7 +357732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357740,7 +357740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357748,7 +357748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357756,7 +357756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357764,7 +357764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357772,7 +357772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357780,7 +357780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357788,7 +357788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357796,7 +357796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357804,7 +357804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357812,7 +357812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357820,7 +357820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357828,7 +357828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357836,7 +357836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357844,7 +357844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357852,7 +357852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357860,7 +357860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357868,7 +357868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357876,7 +357876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357884,7 +357884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357892,7 +357892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357900,7 +357900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357908,7 +357908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357916,7 +357916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357924,7 +357924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357932,7 +357932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357940,7 +357940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357948,7 +357948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -357956,7 +357956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357964,7 +357964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357972,7 +357972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357980,7 +357980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357988,7 +357988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -357996,7 +357996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358004,7 +358004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358012,7 +358012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358020,7 +358020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358028,7 +358028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358036,7 +358036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358044,7 +358044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358052,7 +358052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358060,7 +358060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358068,7 +358068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358076,7 +358076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358084,7 +358084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358092,7 +358092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358100,7 +358100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358108,7 +358108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358116,7 +358116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358124,7 +358124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358132,7 +358132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358140,7 +358140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358148,7 +358148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358156,7 +358156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358164,7 +358164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358172,7 +358172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358180,7 +358180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358188,7 +358188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358196,7 +358196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358204,7 +358204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358212,7 +358212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358220,7 +358220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358228,7 +358228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358236,7 +358236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358244,7 +358244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358252,7 +358252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358260,7 +358260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358268,7 +358268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358276,7 +358276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358284,7 +358284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358292,7 +358292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358300,7 +358300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358308,7 +358308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358316,7 +358316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358324,7 +358324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358332,7 +358332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358340,7 +358340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358348,7 +358348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358356,7 +358356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358364,7 +358364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358372,7 +358372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358380,7 +358380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358388,7 +358388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358396,7 +358396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358404,7 +358404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358412,7 +358412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358420,7 +358420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358428,7 +358428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358436,7 +358436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358444,7 +358444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358452,7 +358452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358460,7 +358460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358468,7 +358468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358476,7 +358476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358484,7 +358484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358492,7 +358492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358500,7 +358500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358508,7 +358508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358516,7 +358516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358524,7 +358524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358532,7 +358532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358540,7 +358540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358548,7 +358548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358556,7 +358556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358564,7 +358564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358572,7 +358572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358580,7 +358580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358588,7 +358588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358596,7 +358596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358604,7 +358604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358612,7 +358612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358620,7 +358620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358628,7 +358628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358636,7 +358636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358644,7 +358644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358652,7 +358652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358660,7 +358660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358668,7 +358668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358676,7 +358676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358684,7 +358684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358692,7 +358692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358700,7 +358700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358708,7 +358708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358716,7 +358716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358724,7 +358724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358732,7 +358732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358740,7 +358740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358748,7 +358748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358756,7 +358756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358764,7 +358764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358772,7 +358772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358780,7 +358780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358788,7 +358788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358796,7 +358796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358804,7 +358804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358812,7 +358812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358820,7 +358820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358828,7 +358828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358836,7 +358836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358844,7 +358844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358852,7 +358852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358860,7 +358860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358868,7 +358868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358876,7 +358876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358884,7 +358884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358892,7 +358892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358900,7 +358900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358908,7 +358908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -358916,7 +358916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358924,7 +358924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358932,7 +358932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358940,7 +358940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358948,7 +358948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358956,7 +358956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358964,7 +358964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358972,7 +358972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358980,7 +358980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358988,7 +358988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -358996,7 +358996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359004,7 +359004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359012,7 +359012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359020,7 +359020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359028,7 +359028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359036,7 +359036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359044,7 +359044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359052,7 +359052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359060,7 +359060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359068,7 +359068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359076,7 +359076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359084,7 +359084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359092,7 +359092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359100,7 +359100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359108,7 +359108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359116,7 +359116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359124,7 +359124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359132,7 +359132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359140,7 +359140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359148,7 +359148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359156,7 +359156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359164,7 +359164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359172,7 +359172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359180,7 +359180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359188,7 +359188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359196,7 +359196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359204,7 +359204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359212,7 +359212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359220,7 +359220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359228,7 +359228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359236,7 +359236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359244,7 +359244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359252,7 +359252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359260,7 +359260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359268,7 +359268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359276,7 +359276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359284,7 +359284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359292,7 +359292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359300,7 +359300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359308,7 +359308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359316,7 +359316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359324,7 +359324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359332,7 +359332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359340,7 +359340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359348,7 +359348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359356,7 +359356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359364,7 +359364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359372,7 +359372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359380,7 +359380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359388,7 +359388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359396,7 +359396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359404,7 +359404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359412,7 +359412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359420,7 +359420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359428,7 +359428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359436,7 +359436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359444,7 +359444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359452,7 +359452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359460,7 +359460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359468,7 +359468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359476,7 +359476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359484,7 +359484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359492,7 +359492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359500,7 +359500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359508,7 +359508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359516,7 +359516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359524,7 +359524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359532,7 +359532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359540,7 +359540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359548,7 +359548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359556,7 +359556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359564,7 +359564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359572,7 +359572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359580,7 +359580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359588,7 +359588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359596,7 +359596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359604,7 +359604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359612,7 +359612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359620,7 +359620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359628,7 +359628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359636,7 +359636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359644,7 +359644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359652,7 +359652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359660,7 +359660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359668,7 +359668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359676,7 +359676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359684,7 +359684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359692,7 +359692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359700,7 +359700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359708,7 +359708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359716,7 +359716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359724,7 +359724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359732,7 +359732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359740,7 +359740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359748,7 +359748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359756,7 +359756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359764,7 +359764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359772,7 +359772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359780,7 +359780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359788,7 +359788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359796,7 +359796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359804,7 +359804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359812,7 +359812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359820,7 +359820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359828,7 +359828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359836,7 +359836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359844,7 +359844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359852,7 +359852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359860,7 +359860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359868,7 +359868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -359876,7 +359876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359884,7 +359884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359892,7 +359892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359900,7 +359900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359908,7 +359908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359916,7 +359916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359924,7 +359924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359932,7 +359932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359940,7 +359940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359948,7 +359948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359956,7 +359956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359964,7 +359964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359972,7 +359972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359980,7 +359980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359988,7 +359988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -359996,7 +359996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360004,7 +360004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360012,7 +360012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360020,7 +360020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360028,7 +360028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360036,7 +360036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360044,7 +360044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360052,7 +360052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360060,7 +360060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360068,7 +360068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360076,7 +360076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360084,7 +360084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360092,7 +360092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360100,7 +360100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360108,7 +360108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360116,7 +360116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360124,7 +360124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360132,7 +360132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360140,7 +360140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360148,7 +360148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360156,7 +360156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360164,7 +360164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360172,7 +360172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360180,7 +360180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360188,7 +360188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360196,7 +360196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360204,7 +360204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360212,7 +360212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360220,7 +360220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360228,7 +360228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360236,7 +360236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360244,7 +360244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360252,7 +360252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360260,7 +360260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360268,7 +360268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360276,7 +360276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360284,7 +360284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360292,7 +360292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360300,7 +360300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360308,7 +360308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360316,7 +360316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360324,7 +360324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360332,7 +360332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360340,7 +360340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360348,7 +360348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360356,7 +360356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360364,7 +360364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360372,7 +360372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360380,7 +360380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360388,7 +360388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360396,7 +360396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360404,7 +360404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360412,7 +360412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360420,7 +360420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360428,7 +360428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360436,7 +360436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360444,7 +360444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360452,7 +360452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360460,7 +360460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360468,7 +360468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360476,7 +360476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360484,7 +360484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360492,7 +360492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360500,7 +360500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360508,7 +360508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360516,7 +360516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360524,7 +360524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360532,7 +360532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360540,7 +360540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360548,7 +360548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360556,7 +360556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360564,7 +360564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360572,7 +360572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360580,7 +360580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360588,7 +360588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360596,7 +360596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360604,7 +360604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360612,7 +360612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360620,7 +360620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360628,7 +360628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360636,7 +360636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360644,7 +360644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360652,7 +360652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360660,7 +360660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360668,7 +360668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360676,7 +360676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360684,7 +360684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360692,7 +360692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360700,7 +360700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360708,7 +360708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360716,7 +360716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360724,7 +360724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360732,7 +360732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360740,7 +360740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360748,7 +360748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360756,7 +360756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360764,7 +360764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360772,7 +360772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360780,7 +360780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360788,7 +360788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360796,7 +360796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360804,7 +360804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360812,7 +360812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360820,7 +360820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360828,7 +360828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360836,7 +360836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360844,7 +360844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360852,7 +360852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360860,7 +360860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360868,7 +360868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360876,7 +360876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360884,7 +360884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360892,7 +360892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360900,7 +360900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360908,7 +360908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360916,7 +360916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360924,7 +360924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360932,7 +360932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360940,7 +360940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360948,7 +360948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360956,7 +360956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360964,7 +360964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360972,7 +360972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360980,7 +360980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -360988,7 +360988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -360996,7 +360996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361004,7 +361004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361012,7 +361012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361020,7 +361020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361028,7 +361028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361036,7 +361036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361044,7 +361044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361052,7 +361052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361060,7 +361060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361068,7 +361068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361076,7 +361076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361084,7 +361084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361092,7 +361092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361100,7 +361100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361108,7 +361108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361116,7 +361116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361124,7 +361124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361132,7 +361132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361140,7 +361140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361148,7 +361148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361156,7 +361156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361164,7 +361164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361172,7 +361172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361180,7 +361180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361188,7 +361188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361196,7 +361196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361204,7 +361204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361212,7 +361212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361220,7 +361220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361228,7 +361228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361236,7 +361236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361244,7 +361244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361252,7 +361252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361260,7 +361260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361268,7 +361268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361276,7 +361276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361284,7 +361284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361292,7 +361292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361300,7 +361300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361308,7 +361308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361316,7 +361316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361324,7 +361324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361332,7 +361332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361340,7 +361340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361348,7 +361348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361356,7 +361356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361364,7 +361364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361372,7 +361372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361380,7 +361380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361388,7 +361388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361396,7 +361396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361404,7 +361404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361412,7 +361412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361420,7 +361420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361428,7 +361428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361436,7 +361436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361444,7 +361444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361452,7 +361452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361460,7 +361460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361468,7 +361468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361476,7 +361476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361484,7 +361484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361492,7 +361492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361500,7 +361500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361508,7 +361508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361516,7 +361516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361524,7 +361524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361532,7 +361532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361540,7 +361540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361548,7 +361548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361556,7 +361556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361564,7 +361564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361572,7 +361572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361580,7 +361580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361588,7 +361588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361596,7 +361596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361604,7 +361604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361612,7 +361612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361620,7 +361620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361628,7 +361628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361636,7 +361636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361644,7 +361644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361652,7 +361652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361660,7 +361660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361668,7 +361668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361676,7 +361676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361684,7 +361684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361692,7 +361692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361700,7 +361700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361708,7 +361708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361716,7 +361716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361724,7 +361724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361732,7 +361732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361740,7 +361740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361748,7 +361748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361756,7 +361756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361764,7 +361764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361772,7 +361772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361780,7 +361780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361788,7 +361788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361796,7 +361796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361804,7 +361804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361812,7 +361812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361820,7 +361820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361828,7 +361828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361836,7 +361836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361844,7 +361844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361852,7 +361852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361860,7 +361860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361868,7 +361868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361876,7 +361876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361884,7 +361884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361892,7 +361892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361900,7 +361900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361908,7 +361908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361916,7 +361916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361924,7 +361924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361932,7 +361932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361940,7 +361940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361948,7 +361948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -361956,7 +361956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361964,7 +361964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361972,7 +361972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361980,7 +361980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361988,7 +361988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -361996,7 +361996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362004,7 +362004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362012,7 +362012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362020,7 +362020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362028,7 +362028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362036,7 +362036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362044,7 +362044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362052,7 +362052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362060,7 +362060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362068,7 +362068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362076,7 +362076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362084,7 +362084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362092,7 +362092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362100,7 +362100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362108,7 +362108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362116,7 +362116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362124,7 +362124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362132,7 +362132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362140,7 +362140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362148,7 +362148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362156,7 +362156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362164,7 +362164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362172,7 +362172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362180,7 +362180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362188,7 +362188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362196,7 +362196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362204,7 +362204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362212,7 +362212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362220,7 +362220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362228,7 +362228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362236,7 +362236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362244,7 +362244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362252,7 +362252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362260,7 +362260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362268,7 +362268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362276,7 +362276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362284,7 +362284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362292,7 +362292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362300,7 +362300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362308,7 +362308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362316,7 +362316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362324,7 +362324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362332,7 +362332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362340,7 +362340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362348,7 +362348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362356,7 +362356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362364,7 +362364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362372,7 +362372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362380,7 +362380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362388,7 +362388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362396,7 +362396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362404,7 +362404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362412,7 +362412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362420,7 +362420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362428,7 +362428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362436,7 +362436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362444,7 +362444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362452,7 +362452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362460,7 +362460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362468,7 +362468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362476,7 +362476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362484,7 +362484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362492,7 +362492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362500,7 +362500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362508,7 +362508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362516,7 +362516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362524,7 +362524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362532,7 +362532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362540,7 +362540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362548,7 +362548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362556,7 +362556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362564,7 +362564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362572,7 +362572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362580,7 +362580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362588,7 +362588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362596,7 +362596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362604,7 +362604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362612,7 +362612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362620,7 +362620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362628,7 +362628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362636,7 +362636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362644,7 +362644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362652,7 +362652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362660,7 +362660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362668,7 +362668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362676,7 +362676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362684,7 +362684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362692,7 +362692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362700,7 +362700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362708,7 +362708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362716,7 +362716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362724,7 +362724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362732,7 +362732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362740,7 +362740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362748,7 +362748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362756,7 +362756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362764,7 +362764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362772,7 +362772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362780,7 +362780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362788,7 +362788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362796,7 +362796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362804,7 +362804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362812,7 +362812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362820,7 +362820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362828,7 +362828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362836,7 +362836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362844,7 +362844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362852,7 +362852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362860,7 +362860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362868,7 +362868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362876,7 +362876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362884,7 +362884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362892,7 +362892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362900,7 +362900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362908,7 +362908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -362916,7 +362916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362924,7 +362924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362932,7 +362932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362940,7 +362940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362948,7 +362948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362956,7 +362956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362964,7 +362964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362972,7 +362972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362980,7 +362980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362988,7 +362988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -362996,7 +362996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363004,7 +363004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363012,7 +363012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363020,7 +363020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363028,7 +363028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363036,7 +363036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363044,7 +363044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363052,7 +363052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363060,7 +363060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363068,7 +363068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363076,7 +363076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363084,7 +363084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363092,7 +363092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363100,7 +363100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363108,7 +363108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363116,7 +363116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363124,7 +363124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363132,7 +363132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363140,7 +363140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363148,7 +363148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363156,7 +363156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363164,7 +363164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363172,7 +363172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363180,7 +363180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363188,7 +363188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363196,7 +363196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363204,7 +363204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363212,7 +363212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363220,7 +363220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363228,7 +363228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363236,7 +363236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363244,7 +363244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363252,7 +363252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363260,7 +363260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363268,7 +363268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363276,7 +363276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363284,7 +363284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363292,7 +363292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363300,7 +363300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363308,7 +363308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363316,7 +363316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363324,7 +363324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363332,7 +363332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363340,7 +363340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363348,7 +363348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363356,7 +363356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363364,7 +363364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363372,7 +363372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363380,7 +363380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363388,7 +363388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363396,7 +363396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363404,7 +363404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363412,7 +363412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363420,7 +363420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363428,7 +363428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363436,7 +363436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363444,7 +363444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363452,7 +363452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363460,7 +363460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363468,7 +363468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363476,7 +363476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363484,7 +363484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363492,7 +363492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363500,7 +363500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363508,7 +363508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363516,7 +363516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363524,7 +363524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363532,7 +363532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363540,7 +363540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363548,7 +363548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363556,7 +363556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363564,7 +363564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363572,7 +363572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363580,7 +363580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363588,7 +363588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363596,7 +363596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363604,7 +363604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363612,7 +363612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363620,7 +363620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363628,7 +363628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363636,7 +363636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363644,7 +363644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363652,7 +363652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363660,7 +363660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363668,7 +363668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363676,7 +363676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363684,7 +363684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363692,7 +363692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363700,7 +363700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363708,7 +363708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363716,7 +363716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363724,7 +363724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363732,7 +363732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363740,7 +363740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363748,7 +363748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363756,7 +363756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363764,7 +363764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363772,7 +363772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363780,7 +363780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363788,7 +363788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363796,7 +363796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363804,7 +363804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363812,7 +363812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363820,7 +363820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363828,7 +363828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363836,7 +363836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363844,7 +363844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363852,7 +363852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363860,7 +363860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363868,7 +363868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -363876,7 +363876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363884,7 +363884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363892,7 +363892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363900,7 +363900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363908,7 +363908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363916,7 +363916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363924,7 +363924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363932,7 +363932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363940,7 +363940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363948,7 +363948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363956,7 +363956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363964,7 +363964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363972,7 +363972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363980,7 +363980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363988,7 +363988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -363996,7 +363996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364004,7 +364004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364012,7 +364012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364020,7 +364020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364028,7 +364028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364036,7 +364036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364044,7 +364044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364052,7 +364052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364060,7 +364060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364068,7 +364068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364076,7 +364076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364084,7 +364084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364092,7 +364092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364100,7 +364100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364108,7 +364108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364116,7 +364116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364124,7 +364124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364132,7 +364132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364140,7 +364140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364148,7 +364148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364156,7 +364156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364164,7 +364164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364172,7 +364172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364180,7 +364180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364188,7 +364188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364196,7 +364196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364204,7 +364204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364212,7 +364212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364220,7 +364220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364228,7 +364228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364236,7 +364236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364244,7 +364244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364252,7 +364252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364260,7 +364260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364268,7 +364268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364276,7 +364276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364284,7 +364284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364292,7 +364292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364300,7 +364300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364308,7 +364308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364316,7 +364316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364324,7 +364324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364332,7 +364332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364340,7 +364340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364348,7 +364348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364356,7 +364356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364364,7 +364364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364372,7 +364372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364380,7 +364380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364388,7 +364388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364396,7 +364396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364404,7 +364404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364412,7 +364412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364420,7 +364420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364428,7 +364428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364436,7 +364436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364444,7 +364444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364452,7 +364452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364460,7 +364460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364468,7 +364468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364476,7 +364476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364484,7 +364484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364492,7 +364492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364500,7 +364500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364508,7 +364508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364516,7 +364516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364524,7 +364524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364532,7 +364532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364540,7 +364540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364548,7 +364548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364556,7 +364556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364564,7 +364564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364572,7 +364572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364580,7 +364580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364588,7 +364588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364596,7 +364596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364604,7 +364604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364612,7 +364612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364620,7 +364620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364628,7 +364628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364636,7 +364636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364644,7 +364644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364652,7 +364652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364660,7 +364660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364668,7 +364668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364676,7 +364676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364684,7 +364684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364692,7 +364692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364700,7 +364700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364708,7 +364708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364716,7 +364716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364724,7 +364724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364732,7 +364732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364740,7 +364740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364748,7 +364748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364756,7 +364756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364764,7 +364764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364772,7 +364772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364780,7 +364780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364788,7 +364788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364796,7 +364796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364804,7 +364804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364812,7 +364812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364820,7 +364820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364828,7 +364828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364836,7 +364836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364844,7 +364844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364852,7 +364852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364860,7 +364860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364868,7 +364868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364876,7 +364876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364884,7 +364884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364892,7 +364892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364900,7 +364900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364908,7 +364908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364916,7 +364916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364924,7 +364924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364932,7 +364932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364940,7 +364940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364948,7 +364948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364956,7 +364956,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364964,7 +364964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364972,7 +364972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364980,7 +364980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -364988,7 +364988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -364996,7 +364996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365004,7 +365004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365012,7 +365012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365020,7 +365020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365028,7 +365028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365036,7 +365036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365044,7 +365044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365052,7 +365052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365060,7 +365060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365068,7 +365068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365076,7 +365076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365084,7 +365084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365092,7 +365092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365100,7 +365100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365108,7 +365108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365116,7 +365116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365124,7 +365124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365132,7 +365132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365140,7 +365140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365148,7 +365148,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365156,7 +365156,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365164,7 +365164,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365172,7 +365172,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365180,7 +365180,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365188,7 +365188,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365196,7 +365196,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365204,7 +365204,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365212,7 +365212,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365220,7 +365220,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365228,7 +365228,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365236,7 +365236,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365244,7 +365244,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365252,7 +365252,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365260,7 +365260,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365268,7 +365268,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365276,7 +365276,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365284,7 +365284,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365292,7 +365292,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365300,7 +365300,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365308,7 +365308,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365316,7 +365316,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365324,7 +365324,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365332,7 +365332,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365340,7 +365340,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365348,7 +365348,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365356,7 +365356,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365364,7 +365364,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365372,7 +365372,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365380,7 +365380,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365388,7 +365388,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365396,7 +365396,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365404,7 +365404,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365412,7 +365412,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365420,7 +365420,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365428,7 +365428,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365436,7 +365436,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365444,7 +365444,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365452,7 +365452,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365460,7 +365460,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365468,7 +365468,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365476,7 +365476,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365484,7 +365484,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365492,7 +365492,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365500,7 +365500,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365508,7 +365508,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365516,7 +365516,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365524,7 +365524,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365532,7 +365532,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365540,7 +365540,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365548,7 +365548,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365556,7 +365556,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365564,7 +365564,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365572,7 +365572,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365580,7 +365580,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365588,7 +365588,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365596,7 +365596,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365604,7 +365604,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365612,7 +365612,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365620,7 +365620,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365628,7 +365628,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365636,7 +365636,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365644,7 +365644,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365652,7 +365652,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365660,7 +365660,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365668,7 +365668,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365676,7 +365676,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365684,7 +365684,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365692,7 +365692,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365700,7 +365700,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365708,7 +365708,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365716,7 +365716,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365724,7 +365724,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365732,7 +365732,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365740,7 +365740,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365748,7 +365748,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365756,7 +365756,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365764,7 +365764,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365772,7 +365772,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365780,7 +365780,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365788,7 +365788,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365796,7 +365796,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365804,7 +365804,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365812,7 +365812,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365820,7 +365820,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365828,7 +365828,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365836,7 +365836,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365844,7 +365844,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365852,7 +365852,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365860,7 +365860,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365868,7 +365868,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365876,7 +365876,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365884,7 +365884,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365892,7 +365892,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365900,7 +365900,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365908,7 +365908,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365916,7 +365916,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365924,7 +365924,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365932,7 +365932,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365940,7 +365940,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365948,7 +365948,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -365964,7 +365964,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365972,7 +365972,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365980,7 +365980,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365988,7 +365988,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -365996,7 +365996,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366004,7 +366004,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366012,7 +366012,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366020,7 +366020,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366028,7 +366028,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366036,7 +366036,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366044,7 +366044,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366052,7 +366052,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366060,7 +366060,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366068,7 +366068,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366076,7 +366076,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366084,7 +366084,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366092,7 +366092,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366100,7 +366100,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366108,7 +366108,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366116,7 +366116,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -366124,7 +366124,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366132,7 +366132,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS @@ -366140,7 +366140,7 @@ which the system will be deployed as closely as possible.FAIL - + PASS 
@@ -366150,596 +366150,456 @@ which the system will be deployed as closely as possible. - - Run the following command to determine if the httpd package is installed: -$ rpm -q httpd - Is it the case that the package is installed? - - - - -Run the following command to determine if the authlogin_radius SELinux boolean is disabled: -$ getsebool authlogin_radius -If properly configured, the output should show the following: -authlogin_radius --> off - Is it the case that authlogin_radius is not disabled? + + To verify that the interface(s) follow site policy for zone assignment run the +following command: +$ sudo nmcli -t connection show | awk -F: '{if($4){print $4}}' | while read INT; +do firewall-cmd --get-active-zones | grep -B1 $INT; done +If your have to assign an interface to the appropriate zone run the following command: +$ sudo firewall-cmd --zone= --change-interface= + Is it the case that Your system accepts all incoming packets for unnecessary services and ports? - - Verify the system-wide shared library directories are group-owned by "root" with the following command: + + Verify it by running the following command: +$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; +/sbin/auditctl root +/sbin/aureport root +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root +/sbin/augenrules root -If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding. - Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account? - - - - If the system is not configured to audit time changes, this is a finding. 
-If the system is 64-bit only, this is not applicable -ocil: | -To determine if the system is configured to audit calls to the -stime system call, run the following command: -$ sudo grep "stime" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: -$ sudo auditctl -l | grep unix_update +If the command does not return all the above lines, the missing ones +need to be added. --a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update - Is it the case that the command does not return a line, or the line is commented out? +Run the following command to correct the permissions of the missing +entries: +$ sudo chown root [audit_tool] + +Replace "[audit_tool]" with each audit tool not owned by root. + Is it the case that ? - - To check the group ownership of /etc/issue, -run the command: -$ ls -lL /etc/issue -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/issue does not have a group owner of root? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STACKPROTECTOR /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the httpd_run_ipa SELinux boolean is disabled: -$ getsebool httpd_run_ipa +Run the following command to determine if the xguest_mount_media SELinux boolean is disabled: +$ getsebool xguest_mount_media If properly configured, the output should show the following: -httpd_run_ipa --> off - Is it the case that httpd_run_ipa is not disabled? 
- - - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open_by_handle_at system call with O_TRUNC_WRITE flag. - -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? +xguest_mount_media --> off + Is it the case that xguest_mount_media is not disabled? - - To verify that there are no unauthorized local user accounts, run the following command: -$ less /etc/passwd -Inspect the results, and if unauthorized local user accounts exist, remove them by running -the following command: -$ sudo userdel unauthorized_user - Is it the case that there are unauthorized local user accounts on the system? + + Run the following command to determine if the libselinux package is installed: $ rpm -q libselinux + Is it the case that the package is not installed? 
- - To check the ownership of /etc/ssh/sshd_config, + + To check the ownership of /etc/gshadow, run the command: -$ ls -lL /etc/ssh/sshd_config +$ ls -lL /etc/gshadow If properly configured, the output should indicate the following owner: root - Is it the case that /etc/ssh/sshd_config does not have an owner of root? + Is it the case that /etc/gshadow does not have an owner of root? - + + To ensure LoginGraceTime is set correctly, run the following command: +$ sudo grep LoginGraceTime /etc/ssh/sshd_config +If properly configured, the output should be: +LoginGraceTime +If the option is set to a number greater than 0, then the unauthenticated session will be disconnected +after the configured number seconds. + Is it the case that it is commented out or not configured properly? + + + -Run the following command to determine if the staff_exec_content SELinux boolean is enabled: -$ getsebool staff_exec_content +Run the following command to determine if the cobbler_use_cifs SELinux boolean is disabled: +$ getsebool cobbler_use_cifs If properly configured, the output should show the following: -staff_exec_content --> on - Is it the case that staff_exec_content is not enabled? +cobbler_use_cifs --> off + Is it the case that cobbler_use_cifs is not disabled? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_NOTIFIERS /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + Verify that only the "root" account has a UID "0" assignment with the +following command: +$ awk -F: '$3 == 0 {print $1}' /etc/passwd +root + Is it the case that any accounts other than "root" have a UID of "0"? - - To ensure the splash screen is configured not to show user name, run the following command: -$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar -If properly configured, the output should be false. 
-To ensure that users cannot enable user name on the lock screen, run the following: -$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar - Is it the case that it is not set or configured properly? + + Run the following command to ensure that /var/tmp is configured as a +polyinstantiated directory: +$ sudo grep /var/tmp /etc/security/namespace.conf +The output should return the following: +/var/tmp /var/tmp/tmp-inst/ level root,adm + Is it the case that is not configured? - - Interview the SA or web administrator to see where the public web server -is logically located in the data center. Review the site network diagram -to see how the web server is connected to the LAN. Visually check the web -server hardware connections to see if it conforms to the site network -diagram. - Is it the case that the web server is not isolated in an accredited DoD DMZ Extension? + + To verify that tmux is not listed as allowed shell on the system +run the following command: +$ grep 'tmux$' /etc/shells +The output should be empty. + Is it the case that tmux is listed in /etc/shells? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_KEXEC /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, +run the following command: +$ sudo pwck -qr +There should be no output. + Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STACKPROTECTOR_STRONG /boot/config.* - - For each kernel installed, a line with value "y" should be returned. 
- - Is it the case that the kernel was not built with the required value? + + Verify the nosuid option is configured for the /srv mount point, + run the following command: + $ sudo mount | grep '\s/srv\s' + . . . /srv . . . nosuid . . . + + Is it the case that the "/srv" file system does not have the "nosuid" option set? - + -Run the following command to determine if the mozilla_plugin_use_bluejeans SELinux boolean is disabled: -$ getsebool mozilla_plugin_use_bluejeans +Run the following command to determine if the racoon_read_shadow SELinux boolean is disabled: +$ getsebool racoon_read_shadow If properly configured, the output should show the following: -mozilla_plugin_use_bluejeans --> off - Is it the case that mozilla_plugin_use_bluejeans is not disabled? - - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules -The output has to be exactly as follows: -## Unsuccessful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccessful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification - Is it the case that the file does not exist or the content differs? - - - - Verify the noexec option is configured for the /var/log/audit mount point, - run the following command: - $ sudo mount | grep '\s/var/log/audit\s' - . . . /var/log/audit . . . noexec . . . - - Is it the case that the "/var/log/audit" file system does not have the "noexec" option set? +racoon_read_shadow --> off + Is it the case that racoon_read_shadow is not disabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "poweroff" command with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: -$ sudo auditctl -l | grep poweroff +$ sudo auditctl -l | grep newgrp --a always,exit -F path=/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECCOMP /boot/config.* - - For each kernel installed, a line with value "y" should be returned. 
- - Is it the case that the kernel was not built with the required value? - - - + - -Run the following command to determine the current status of the -sssd service: -$ sudo systemctl is-active sssd -If the service is running, it should return the following: active - Is it the case that the service is not enabled? +Run the following command to determine if the virt_use_xserver SELinux boolean is disabled: +$ getsebool virt_use_xserver +If properly configured, the output should show the following: +virt_use_xserver --> off + Is it the case that virt_use_xserver is not disabled? - - -Run the following command to determine if the neutron_can_network SELinux boolean is disabled: -$ getsebool neutron_can_network -If properly configured, the output should show the following: -neutron_can_network --> off - Is it the case that neutron_can_network is not disabled? + + Verify that the files and directories of each instance of Alias, +ScriptAlias, and ScriptAliasMatch that exist +have the correct file and directory permissions applied. + Is it the case that it is not? - - To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -$ sudo grep "lremovexattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the tuned package is installed: +$ rpm -q tuned + Is it the case that the package is installed? - - To determine if the system is configured to audit successful calls -to the truncate system call, run the following command: -$ sudo grep "truncate" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To preclude access to the servers root directory, ensure the following +directive is in the httpd.conf file. 
This entry will also stop users +from setting up .htaccess files which can override security features +configured in /etc/httpd/conf/httpd.conf. +AllowOverride none + Is it the case that it is not? - - Verify that a separate file system/partition has been created for /boot with the following command: + + To check that the cockpit service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled cockpit +Output should indicate the cockpit service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled cockpit disabled -$ mountpoint /boot +Run the following command to verify cockpit is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active cockpit - Is it the case that "/boot is not a mountpoint" is returned? - - - - To verify the noexec option is configured for all NFS mounts, run the following command: -$ mount | grep nfs -All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is -not implemented. - Is it the case that the setting does not show? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the cockpit is masked, run the following command: +$ sudo systemctl show cockpit | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "cockpit" is loaded and not masked? - - Run the following command to determine if the samba-common package is installed: $ rpm -q samba-common - Is it the case that the package is not installed? 
+ + Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: + +$ sudo grep difok /etc/security/pwquality.conf + +difok = + Is it the case that the value of "difok" is set to less than "<sub idref="var_password_pam_difok" />", or is commented out? - + -Run the following command to determine if the secure_mode SELinux boolean is disabled: -$ getsebool secure_mode +Run the following command to determine if the exim_manage_user_files SELinux boolean is disabled: +$ getsebool exim_manage_user_files If properly configured, the output should show the following: -secure_mode --> off - Is it the case that secure_mode is not disabled? +exim_manage_user_files --> off + Is it the case that exim_manage_user_files is not disabled? - - To verify that Audit Daemon is configured to resolve all uid, gid, syscall, -architecture, and socket address information before writing the event to disk, -run the following command: -$ sudo grep log_format /etc/audit/auditd.conf -The output should return the following: -log_format = ENRICHED - Is it the case that log_format isn't set to ENRICHED? + + Run the following command to determine if the opensc package is installed: $ rpm -q opensc + Is it the case that the package is not installed? - - To verify that only security updates will be automatically installed by dnf-automatic, run the following command: -$ sudo grep upgrade_type /etc/dnf/automatic.conf -The output should return the following: -upgrade_type = security - Is it the case that the upgrade_type is not set to security? + + Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +and /etc/zipl.conf: +find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap +No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated. + Is it the case that the bootmap is outdated? 
- - -Run the following command to determine if the spamassassin_can_network SELinux boolean is disabled: -$ getsebool spamassassin_can_network -If properly configured, the output should show the following: -spamassassin_can_network --> off - Is it the case that spamassassin_can_network is not disabled? + + The runtime status of the fs.protected_hardlinks kernel parameter can be queried +by running the following command: +$ sysctl fs.protected_hardlinks +1. + + Is it the case that the correct value is not returned? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + + Run the following command to check for duplicate group names: +Check that the operating system contains no duplicate group names for interactive users by running the following command: --w /etc/gshadow -p wa -k identity + cut -d : -f 3 /etc/group | uniq -d -If the command does not return a line, or the line is commented out, this is a finding. - Is it the case that the system is not configured to audit account changes? - - - - -Run the following command to determine if the cobbler_use_cifs SELinux boolean is disabled: -$ getsebool cobbler_use_cifs -If properly configured, the output should show the following: -cobbler_use_cifs --> off - Is it the case that cobbler_use_cifs is not disabled? - - - - -Run the following command to determine if the polipo_session_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool polipo_session_bind_all_unreserved_ports -If properly configured, the output should show the following: -polipo_session_bind_all_unreserved_ports --> off - Is it the case that polipo_session_bind_all_unreserved_ports is not disabled? +If output is produced, this is a finding. +Configure the operating system to contain no duplicate names for groups. 
+Edit the file "/etc/group" and provide each group that has a duplicate group id with a unique group id. + Is it the case that the system has duplicate group ids? - - To verify that automatic logins are disabled, run the following command: -$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf -The output should show the following: -[daemon] -AutomaticLoginEnable=false - Is it the case that GDM allows users to automatically login? + + To verify all squashing has been disabled, run the following command: +$ grep all_squash /etc/exports + Is it the case that there is output? - - -Run the following command to determine if the mozilla_plugin_use_spice SELinux boolean is disabled: -$ getsebool mozilla_plugin_use_spice -If properly configured, the output should show the following: -mozilla_plugin_use_spice --> off - Is it the case that mozilla_plugin_use_spice is not disabled? + + To verify that each web content directory exists on separate partitions, +run the following command: +$ grep `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` /etc/fstab +Each of the corresponding DocumentRoot entries should have a +corresponding entry in /etc/fstab. + Is it the case that it is not? - - Verify emergency accounts have been provisioned with an expiration date of 72 hours. - -For every emergency account, run the following command to obtain its account aging and expiration information: + + Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: -$ sudo chage -l emergency_account_name +$ sudo grep 'dir =' /etc/security/faillock.conf -Verify each of these accounts has an expiration date set within 72 hours or as documented. - Is it the case that any emergency accounts have no expiration date set or do not expire within 72 hours? 
+dir = /var/log/faillock + Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? - - To check the permissions of /etc/passwd-, -run the command: -$ ls -l /etc/passwd- -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/passwd- does not have unix mode -rw-r--r--? + + Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: + +$ grep umask /etc/csh.cshrc + +umask 077 +umask 077 + Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? - - Display the contents of the file /etc/systemd/logind.conf: -cat /etc/systemd/logind.conf -Ensure that there is a section [login] which contains the -configuration StopIdleSessionSec=. - Is it the case that the option is not configured? + + Verify the nosuid option is configured for the /var/tmp mount point, + run the following command: + $ sudo mount | grep '\s/var/tmp\s' + . . . /var/tmp . . . nosuid . . . + + Is it the case that the "/var/tmp" file system does not have the "nosuid" option set? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_LEGACY_VSYSCALL_NONE /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check if the system login banner is compliant, run the following command: +$ cat /etc/issue.net + Is it the case that it does not display the required banner? - - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -$ sudo grep "rmdir" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. 
-To determine if the system is configured to audit calls to the -unlink system call, run the following command: -$ sudo grep "unlink" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -$ sudo grep "unlinkat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -rename system call, run the following command: -$ sudo grep "rename" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -renameat system call, run the following command: -$ sudo grep "renameat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + + +Run the following command to get the current configured value for polyinstantiation_enabled +SELinux boolean: +$ getsebool polyinstantiation_enabled +The expected cofiguration is . +"on" means true, and "off" means false + Is it the case that polyinstantiation_enabled is not set as expected? - - Verify that yum verifies the signature of local packages prior to install with the following command: - -$ grep localpkg_gpgcheck /etc/yum.conf - -localpkg_gpgcheck=1 - -If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. - Is it the case that there is no process to validate certificates for local packages that is approved by the organization? 
+ + To check the ownership of /etc/ssh/sshd_config, +run the command: +$ ls -lL /etc/ssh/sshd_config +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/ssh/sshd_config does not have an owner of root? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_FS /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + +Run the following command to determine if the virt_sandbox_use_mknod SELinux boolean is disabled: +$ getsebool virt_sandbox_use_mknod +If properly configured, the output should show the following: +virt_sandbox_use_mknod --> off + Is it the case that virt_sandbox_use_mknod is not disabled? - + + To determine if the system is configured to audit attempts to +alter time via the /etc/localtime file, run the following +command: +$ sudo auditctl -l | grep "watch=/etc/localtime" +If the system is configured to audit this activity, it will return a line. + Is it the case that the system is not configured to audit time changes? + + + -Run the following command to determine if the cluster_can_network_connect SELinux boolean is disabled: -$ getsebool cluster_can_network_connect +Run the following command to determine if the zoneminder_run_sudo SELinux boolean is disabled: +$ getsebool zoneminder_run_sudo If properly configured, the output should show the following: -cluster_can_network_connect --> off - Is it the case that cluster_can_network_connect is not disabled? +zoneminder_run_sudo --> off + Is it the case that zoneminder_run_sudo is not disabled? - - To check which SSH protocol version is allowed, check version of -openssh-server with following command: -$ rpm -qi openssh-server | grep Version -Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. 
-If version is lower than 7.4, run the following command to check configuration: -To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: - -$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config + + Verify that a separate file system/partition has been created for /opt with the following command: -If a line indicating no is returned, then the required value is set. +$ mountpoint /opt - Is it the case that the required value is not set? + Is it the case that "/opt is not a mountpoint" is returned? - - To verify Certmap is enabled in SSSD, run the following command: -$ sudo cat /etc/sssd/sssd.conf -If configured properly, output should contain section like the following - -[certmap/testing.test/rule_name] -matchrule =<SAN>.*EDIPI@mil -maprule = (userCertificate;binary={cert!bin}) -domains = testing.test - - Is it the case that Certmap is not configured in SSSD? + + To ensure smart card authentication on the login screen is enabled, run the following command: +$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot disable smart card authentication on the login screen, run the following: +$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication + Is it the case that enable-smartcard-authentication has not been configured or is disabled? - + +Run the following command to determine if the antivirus_can_scan_system SELinux boolean is enabled: +$ getsebool antivirus_can_scan_system +If properly configured, the output should show the following: +antivirus_can_scan_system --> on + Is it the case that antivirus_can_scan_system is not enabled? 
+ + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -Run the following command to determine the current status of the -iptables service: -$ sudo systemctl is-active iptables -If the service is running, it should return the following: active - Is it the case that ? +$ sudo auditctl -l | grep crontab + +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab + Is it the case that the command does not return a line, or the line is commented out? - - To find SGID files, run the following command: -$ sudo find / -xdev -type f -perm -2000 - Is it the case that there is output? + + To check if only local user are impacted by pam_faillock, run the following command: +$ grep local_users_only /etc/security/faillock.conf +The output should return local_users_only not commented. + Is it the case that local_users_only is not uncommented or configured correctly? - - To ensure the X Windows package group is removed, run the following command: -$ rpm -qi xorg-x11-server-common -The output should be: -package xorg-x11-server-common is not installed - Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? + + To check the group ownership of /boot/efi/EFI/redhat/grub.cfg, +run the command: +$ ls -lL /boot/efi/EFI/redhat/grub.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have a group owner of root? - - To verify that TLS is configured properly in -/etc/httpd/conf.modules.d/ssl.conf, run the following command: -$ grep -i "sslengine\|sslprotocol" /etc/httpd/conf.d/ssl.conf -The output should return the following: - -SSLEngine on -SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 - - Is it the case that it is not? 
+ + +Run the following command to determine if the abrt_handle_event SELinux boolean is disabled: +$ getsebool abrt_handle_event +If properly configured, the output should show the following: +abrt_handle_event --> off + Is it the case that abrt_handle_event is not disabled? - - To verify that CUPS printer browsing is disabled, run the following command: -$ sudo grep "Browsing\|BrowseAllow" /etc/cups/cupsd.conf -The output should return the following: -Browsing Off -BrowseAllow none - Is it the case that printer browsing is not disabled? + + +Run the following command to determine if the squid_connect_any SELinux boolean is disabled: +$ getsebool squid_connect_any +If properly configured, the output should show the following: +squid_connect_any --> off + Is it the case that squid_connect_any is not disabled? - - Verify that sshd isn't configured to ignore the system wide cryptographic policy. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. -Check that the CRYPTO_POLICY variable is not set or is commented out in the -/etc/sysconfig/sshd. +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -Run the following command: +$ sudo grep -r creat /etc/audit/rules.d -$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd - Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd? - - - - Run the following command to verify that SSH client is configured to use 32 bytes of entropy: -grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh -The output should be: -export SSH_USE_STRONG_RNG=32 - Is it the case that SSH client is not configured to use 32 bytes of entropy or more? 
+If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the subscription-manager package is installed: $ rpm -q subscription-manager + + Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools Is it the case that the package is not installed? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes rng_core.default_quality=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*rng_core.default_quality=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*rng_core.default_quality=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'rng_core.default_quality=' -The command should not return any output. - Is it the case that trust on hardware random number generator is not configured appropriately? 
- - - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes spec_store_bypass_disable=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spec_store_bypass_disable=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*spec_store_bypass_disable=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'spec_store_bypass_disable=' -The command should not return any output. - Is it the case that SSB is not configured appropriately? - - - - -Run the following command to determine if the selinuxuser_execstack SELinux boolean is disabled: -$ getsebool selinuxuser_execstack -If properly configured, the output should show the following: -selinuxuser_execstack --> off - Is it the case that selinuxuser_execstack is not disabled? - - - + -Run the following command to determine if the dhcpc_exec_iptables SELinux boolean is disabled: -$ getsebool dhcpc_exec_iptables +Run the following command to determine if the ftpd_connect_all_unreserved SELinux boolean is disabled: +$ getsebool ftpd_connect_all_unreserved If properly configured, the output should show the following: -dhcpc_exec_iptables --> off - Is it the case that dhcpc_exec_iptables is not disabled? +ftpd_connect_all_unreserved --> off + Is it the case that ftpd_connect_all_unreserved is not disabled? 
@@ -366747,795 +366607,1048 @@ dhcpc_exec_iptables --> off Is it the case that the package is not installed? - - The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.accept_source_route -0. + + Verify that interactive users on the system have a home directory assigned with the following command: - Is it the case that the correct value is not returned? +$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd + +Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined. + Is it the case that users home directory is not defined? - + + To verify that USB hubs will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +One of the output lines should be +allow with-interface match-all { 09:00:* } + Is it the case that USB devices of class 9 are not authorized? + + + -Run the following command to determine if the xserver_execmem SELinux boolean is disabled: -$ getsebool xserver_execmem +Run the following command to determine if the exim_can_connect_db SELinux boolean is disabled: +$ getsebool exim_can_connect_db If properly configured, the output should show the following: -xserver_execmem --> off - Is it the case that xserver_execmem is not disabled? +exim_can_connect_db --> off + Is it the case that exim_can_connect_db is not disabled? - - Run the following command to determine if the abrt-cli package is installed: -$ rpm -q abrt-cli - Is it the case that the package is installed? 
+ + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: + +$ sudo auditctl -l | grep su + +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su + Is it the case that the command does not return a line, or the line is commented out? - - Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: - -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; - Is it the case that any system commands are returned and is not group-owned by a required system account? + + To verify that execution of the command is being audited, run the following command: +$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/* +The output should return something similar to: +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + Is it the case that ? - - Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: -$ sudo more /etc/fstab +$ sudo grep action_mail_acct /etc/audit/auditd.conf -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 - Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set? 
+action_mail_acct = + Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure? - - To check that the cups service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled cups -Output should indicate the cups service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled cups disabled - -Run the following command to verify cups is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active cups - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the cups is masked, run the following command: -$ sudo systemctl show cups | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: + + Verify that Red Hat Enterprise Linux 8 has configured the minimum time period between password changes for each user account is one day or greater with the following command: -LoadState=masked +$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow + Is it the case that any results are returned that are not associated with a system account? + + + + To check the status of the idle screen lock activation, run the following command: -UnitFileState=masked - Is it the case that the "cups" is loaded and not masked? +$ gsettings get org.gnome.desktop.screensaver lock-enabled +If properly configured, the output should be true. 
+To ensure that users cannot change how long until the screensaver locks, run the following: +$ grep lock-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled + Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? - - -If the system is configured to prevent the loading of the iwlwifi kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + The reviewed should make a note of the name of the account being used for +the web service. This information may be needed later in the SRR. There +may also be other server services running related to the web server in +support of a particular web application, these passwords must be entrusted +to the SA or Web Manager as well. -These lines can also instruct the module loading system to ignore the iwlwifi kernel module via blacklist keyword. +Query the SA or Web Manager to determine if they have the web service +password(s). -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r iwlwifi /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? +NOTE: For installations that run as a service, or without a password, +the SA or Web Manager having an Admin account on the system would meet +the intent of this check. + Is it the case that the web server password(s) are not entrusted to the SA or Web Manager? - - -Run the following command to determine if the virt_sandbox_use_netlink SELinux boolean is disabled: -$ getsebool virt_sandbox_use_netlink -If properly configured, the output should show the following: -virt_sandbox_use_netlink --> off - Is it the case that virt_sandbox_use_netlink is not disabled? 
+ + To verify that auditing is configured for system administrator actions, run the following command: +$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" + Is it the case that there is not output? - - To check for serial port entries which permit root login, -run the following command: -$ sudo grep ^ttyS/[0-9] /etc/securetty -If any output is returned, then root login over serial ports is permitted. - Is it the case that root login over serial ports is permitted? + + Check that no boot image file is specified in /etc/zipl.conf: +grep -R "^image\s*=" /etc/zipl.conf +No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. + Is it the case that a non BLS boot entry is configured? - - Run the following command to see what the max sessions number is: -$ sudo grep MaxSessions /etc/ssh/sshd_config -If properly configured, the output should be: -MaxSessions - Is it the case that MaxSessions is not configured or not configured correctly? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + + To verify that rsyslog's Forwarding Output Module has CA certificate +configured for its TLS connections to remote server, run the following command: +$ grep DefaultNetstreamDriverCAFile /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should include record similar to +global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem") +where the path to the CA file (/etc/pki/tls/cert.pem in case above) must point to the correct CA certificate. + Is it the case that CA certificate for rsyslog remote logging via TLS is not set? 
+ + + + +Run the following command to determine if the pppd_can_insmod SELinux boolean is disabled: +$ getsebool pppd_can_insmod +If properly configured, the output should show the following: +pppd_can_insmod --> off + Is it the case that pppd_can_insmod is not disabled? + + + To determine if the system is configured to audit successful calls -to the chown system call, run the following command: -$ sudo grep "chown" /etc/audit.* +to the openat system call, run the following command: +$ sudo grep "openat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check the ownership of /etc/issue.net, -run the command: -$ ls -lL /etc/issue.net -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/issue.net does not have an owner of root? + + Verify the operating system routinely checks the baseline configuration for unauthorized changes. + +To determine that periodic AIDE execution has been scheduled, run the following command: +$ grep aide /etc/crontab +The output should return something similar to the following: +05 4 * * * root /usr/sbin/aide --check + +NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. + Is it the case that AIDE is not configured to scan periodically? - - Inspect /etc/audit/audisp-remote.conf and locate the following line to -determine if the system is configured to perform a correct action according to the policy: -$ sudo grep -i network_failure_action /etc/audit/audisp-remote.conf -The output should return: -network_failure_action = - Is it the case that the system is not configured to switch to single user mode for corrective action? + + Run the following command to determine if the talk package is installed: +$ rpm -q talk + Is it the case that the package is installed? 
- - Run the following command to check if the line is present: -grep pam_wheel /etc/pam.d/su -The output should contain the following line: -auth required pam_wheel.so use_uid group= - Is it the case that the line is not in the file or it is commented? + + To find world-writable directories that lack the sticky bit, run the following command: +$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null +fixtext: |- +Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. + +Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: + +$ chmod a+t [World-Writable Directory] +srg_requirement: +A sticky bit must be set on all Red Hat Enterprise Linux 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. + Is it the case that any world-writable directories are missing the sticky bit? - - To determine if the system is configured to audit unsuccessful calls -to the fchmodat system call, run the following command: -$ sudo grep "fchmodat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that FIPS mode is enabled properly, run the following command: +fips-mode-setup --check +The output should contain the following: +FIPS mode is enabled. +To verify that the cryptographic policy has been configured correctly, run the +following command: +$ update-crypto-policies --show +The output should return . + Is it the case that FIPS mode is not enabled? - - To verify that clients cannot automatically update DNS records, perform the -following: -$ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-* -$ grep -rni "send host-name" /etc/dhclient.conf /etc/dhcp -The output should return no results. 
- Is it the case that client Dynamic DNS updates are not disabled? + + To ensure the X Windows package group is removed, run the following command: +$ rpm -qi xorg-x11-server-common +The output should be: +package xorg-x11-server-common is not installed + Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? - - -Run the following command to determine if the use_lpd_server SELinux boolean is disabled: -$ getsebool use_lpd_server -If properly configured, the output should show the following: -use_lpd_server --> off - Is it the case that use_lpd_server is not disabled? + + Run the following command to determine if the subscription-manager package is installed: $ rpm -q subscription-manager + Is it the case that the package is not installed? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Only FIPS-approved MACs should be used. To verify that only FIPS-approved -MACs are in use, run the following command: -$ sudo grep -i macs /etc/ssh/sshd_config -The output should contain only those MACs which are FIPS-approved. Any use of other -ciphers or algorithms will result in the module entering the non-FIPS mode of -operation. - Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? 
+ + To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file +/etc/pki/tls/openssl.cnf contains the [ crypto_policy ] section with the +.include /etc/crypto-policies/back-ends/opensslcnf.config directive: + +$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf. + Is it the case that the OpenSSL config file doesn't contain the whole section, +or the section doesn't contain the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive? - - To check for legacy lines in /etc/passwd, run the following command: - grep '^\+' /etc/passwd -The command should not return any output. - Is it the case that the file contains legacy lines? + + To ensure the screensaver is configured to be blank, run the following command: +$ gsettings get org.gnome.desktop.screensaver picture-uri +If properly configured, the output should be ''. + +To ensure that users cannot set the screensaver background, run the following: +$ grep picture-uri /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri + Is it the case that it is not set or configured properly? - + -Run the following command to determine if the daemons_use_tcp_wrapper SELinux boolean is disabled: -$ getsebool daemons_use_tcp_wrapper +Run the following command to determine if the mozilla_plugin_can_network_connect SELinux boolean is disabled: +$ getsebool mozilla_plugin_can_network_connect If properly configured, the output should show the following: -daemons_use_tcp_wrapper --> off - Is it the case that daemons_use_tcp_wrapper is not disabled? +mozilla_plugin_can_network_connect --> off + Is it the case that mozilla_plugin_can_network_connect is not disabled? - - Run the following command to determine if the psacct package is installed: $ rpm -q psacct - Is it the case that the package is not installed? 
+ + +Run the following command to determine if the polipo_session_users SELinux boolean is disabled: +$ getsebool polipo_session_users +If properly configured, the output should show the following: +polipo_session_users --> off + Is it the case that polipo_session_users is not disabled? - - To check the status of the idle screen lock activation, run the following command: - -$ gsettings get org.gnome.desktop.screensaver lock-enabled -If properly configured, the output should be true. -To ensure that users cannot change how long until the screensaver locks, run the following: -$ grep lock-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled - Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? + + Run the following command to determine if the telnet-server package is installed: +$ rpm -q telnet-server + Is it the case that the package is installed? - - Verify the noexec option is configured for the /dev/shm mount point, - run the following command: - $ sudo mount | grep '\s/dev/shm\s' - . . . /dev/shm . . . noexec . . . - - Is it the case that the "/dev/shm" file system does not have the "noexec" option set? + + To verify that Linux Audit logging is enabled for the USBGuard daemon, +run the following command: +$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf +The output should be +AuditBackend=LinuxAudit + Is it the case that AuditBackend is not set to LinuxAudit? - - Verify the assigned home directories of all interactive users on the system exist with the following command: - -$ sudo pwck -r + + To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation +uses a SP800-90A compliant entropy source, +make sure that the /etc/profile.d/openssl-rand.sh file contents exactly match those +that are included in the rule's description. 
+ Is it the case that there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description? + + + + Ensure that Red Hat Enterprise Linux 8 does not disable SELinux. -user 'mailnull': directory 'var/spool/mqueue' does not exist +Check if "SELinux" is active and in "enforcing" or "permissive" mode with the following command: -The output should not return any interactive users. - Is it the case that users home directory does not exist? +$ sudo getenforce +Enforcing +-OR- +Permissive + Is it the case that SELinux is disabled? - - To check the permissions of /etc/cron.daily, -run the command: -$ ls -l /etc/cron.daily -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.daily does not have unix mode -rwx------? + + To ensure root may not directly login to the system over physical consoles, +run the following command: +cat /etc/securetty +If any output is returned, this is a finding. + Is it the case that the /etc/securetty file is not empty? - - To check the permissions of /etc/issue.net, + + To check the permissions of /etc/issue, run the command: -$ ls -l /etc/issue.net +$ ls -l /etc/issue If properly configured, the output should indicate the following permissions: -rw-r--r-- - Is it the case that /etc/issue.net does not have unix mode -rw-r--r--? - - - - To verify that USB Human Interface Devices and hubs will be authorized by the USBGuard daemon, -run the following command: -$ sudo grep allow /etc/usbguard/rules.conf -The output lines should include -allow with-interface match-all { 03:*:* 09:00:* } - Is it the case that USB devices of class 3 and 9:00 are not authorized? - - - - Verify an anti-virus solution is installed on the system. The anti-virus solution may be -bundled with an approved host-based security solution. - Is it the case that there is no anti-virus solution installed on the system? 
+ Is it the case that /etc/issue does not have unix mode -rw-r--r--? - - Verify that a separate file system/partition has been created for /var with the following command: - -$ mountpoint /var + + Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: - Is it the case that "/var is not a mountpoint" is returned? +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; + Is it the case that any system commands are found to be group-writable or world-writable? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/10-base-config.rules -The output has to be exactly as follows: -## First rule - delete all --D + + To check that the quota_nld service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled quota_nld +Output should indicate the quota_nld service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled quota_nld disabled -## Increase the buffers to survive stress events. -## Make this bigger for busy systems --b 8192 +Run the following command to verify quota_nld is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active quota_nld -## This determine how long to wait in burst of events ---backlog_wait_time 60000 +If the service is not running the command will return the following output: +inactive -## Set failure mode to syslog --f 1 - Is it the case that the file does not exist or the content differs? - - - - If the system is not using TLS, set the ldap_id_use_start_tls option -in /etc/sssd/sssd.conf to true. - Is it the case that the 'ldap_id_use_start_tls' option is not set to 'true'? 
- - - - Verify that a separate file system/partition has been created for /var/log/audit with the following command: +The service will also be masked, to check that the quota_nld is masked, run the following command: +$ sudo systemctl show quota_nld | grep "LoadState\|UnitFileState" -$ mountpoint /var/log/audit +If the service is masked the command will return the following outputs: - Is it the case that "/var/log/audit is not a mountpoint" is returned? +LoadState=masked + +UnitFileState=masked + Is it the case that the "quota_nld" is loaded and not masked? - - If IPv6 is disabled, this is not applicable. - - - -Run the following command to determine the current status of the -ip6tables service: -$ sudo systemctl is-active ip6tables -If the service is running, it should return the following: active - Is it the case that ? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_LEGACY_PTYS /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - The runtime status of the kernel.core_pattern kernel parameter can be queried -by running the following command: -$ sysctl kernel.core_pattern -|/bin/false. - - Is it the case that the returned line does not have a value of "|/bin/false", or a line is not -returned and the need for core dumps is not documented with the Information -System Security Officer (ISSO) as an operational requirement? + + To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: +$ grep -i macs /etc/crypto-policies/back-ends/openssh.config +and verify that the line matches: +MACs + Is it the case that Crypto Policy for OpenSSH client is not configured correctly? 
- + -Run the following command to determine if the prosody_bind_http_port SELinux boolean is disabled: -$ getsebool prosody_bind_http_port +Run the following command to determine if the telepathy_connect_all_ports SELinux boolean is disabled: +$ getsebool telepathy_connect_all_ports If properly configured, the output should show the following: -prosody_bind_http_port --> off - Is it the case that prosody_bind_http_port is not disabled? +telepathy_connect_all_ports --> off + Is it the case that telepathy_connect_all_ports is not disabled? - - Verify Red Hat Enterprise Linux 8 shell initialization file is configured to start each shell with the tmux terminal multiplexer. + + To check that the autofs service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled autofs +Output should indicate the autofs service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled autofs disabled -Determine the location of the tmux script with the following command: +Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active autofs -$ sudo grep tmux /etc/bashrc /etc/profile.d/* +If the service is not running the command will return the following output: +inactive -/etc/profile.d/tmux.sh: case "$name" in (sshd|login) tmux ;; esac +The service will also be masked, to check that the autofs is masked, run the following command: +$ sudo systemctl show autofs | grep "LoadState\|UnitFileState" -Review the tmux script by using the following example: +If the service is masked the command will return the following outputs: -$ cat /etc/profile.d/tmux.sh +LoadState=masked -if [ "$PS1" ]; then -parent=$(ps -o ppid= -p $$) -name=$(ps -o comm= -p $parent) -case "$name" in (sshd|login) tmux ;; esac -fi +UnitFileState=masked + Is it the case that the "autofs" is loaded and not masked? 
+ + + + To check the permissions of /etc/crontab, +run the command: +$ ls -l /etc/crontab +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/crontab does not have unix mode -rw-------? + + + + To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: -If the shell file is not configured as the example above, is commented out, or is missing, this is a finding. +$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config -Determine if tmux is currently running with the following command: +If a line indicating no is returned, then the required value is set. -$ sudo ps all | grep tmux | grep -v grep - Is it the case that the command does not produce output? - - - - The following command will list which files on the system -have file hashes different from what is expected by the RPM database. -$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' - Is it the case that there is output? + Is it the case that the required value is not set? - - To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command; -sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that does not enable poisoning. - Is it the case that SLUB/SLAB poisoning is not enabled? + + Ensure that debug-shell service is not enabled with the following command: +grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub +If the command returns a line, it means that debug-shell service is being enabled. + Is it the case that the comand returns a line? - - To determine how the SSH daemon's PrintLastLog option is set, run the following command: + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full. 
-$ sudo grep -i PrintLastLog /etc/ssh/sshd_config +Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full with the following command: -If a line indicating yes is returned, then the required value is set. +$ sudo grep disk_full_action /etc/audit/auditd.conf - Is it the case that the required value is not set? +disk_full_action = + +If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. + Is it the case that there is no evidence of appropriate action? - - Verify the site's network diagram and visually check the web server, to -ensure that the private web server is located on a separate controlled -access subnet and is not part of the public DMZ that houses the public -web servers. - -In addition, the private web server needs to be isolated via a controlled -access mechanism from the local general population lan. - Is it the case that the private web server is not on a separate controlled access subnet? + + To find SGID files, run the following command: +$ sudo find / -xdev -type f -perm -2000 + Is it the case that there is output? - - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -$ sudo grep "init_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. -To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -$ sudo grep "delete_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? 
+ + +Run the following command to determine if the cron_system_cronjob_use_shares SELinux boolean is disabled: +$ getsebool cron_system_cronjob_use_shares +If properly configured, the output should show the following: +cron_system_cronjob_use_shares --> off + Is it the case that cron_system_cronjob_use_shares is not disabled? - + -Run the following command to determine if the postgresql_can_rsync SELinux boolean is disabled: -$ getsebool postgresql_can_rsync +Run the following command to determine if the dbadm_exec_content SELinux boolean is enabled: +$ getsebool dbadm_exec_content If properly configured, the output should show the following: -postgresql_can_rsync --> off - Is it the case that postgresql_can_rsync is not disabled? +dbadm_exec_content --> on + Is it the case that dbadm_exec_content is not enabled? - - To check the group ownership of /etc/motd, -run the command: -$ ls -lL /etc/motd -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/motd does not have a group owner of root? + + Inspect /etc/audit/audisp-remote.conf and locate the following line to +determine if the system is configured to either send to syslog, switch to single user mode, +or halt when the disk is full: +$ sudo grep -i disk_full_action /etc/audit/audisp-remote.conf +The output should return something similar to: +disk_full_action = single +Acceptable values also include syslog and halt. + Is it the case that the system is not configured to switch to single user mode for corrective action? - - To check the ownership of /etc/group-, -run the command: -$ ls -lL /etc/group- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/group- does not have an owner of root? 
+ + To verify that the log_config_module exists in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep log_config_module /etc/httpd/conf/httpd.conf +The output should return: +<IfModule log_config_module> + Is it the case that it is not? - + -Run the following command to determine if the polipo_use_nfs SELinux boolean is disabled: -$ getsebool polipo_use_nfs +Run the following command to determine if the cups_execmem SELinux boolean is disabled: +$ getsebool cups_execmem If properly configured, the output should show the following: -polipo_use_nfs --> off - Is it the case that polipo_use_nfs is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_BUG_ON_DATA_CORRUPTION /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +cups_execmem --> off + Is it the case that cups_execmem is not disabled? - + -Run the following command to determine if the selinuxuser_execmod SELinux boolean is enabled: -$ getsebool selinuxuser_execmod +Run the following command to determine if the webadm_read_user_files SELinux boolean is disabled: +$ getsebool webadm_read_user_files If properly configured, the output should show the following: -selinuxuser_execmod --> on - Is it the case that selinuxuser_execmod is not enabled? +webadm_read_user_files --> off + Is it the case that webadm_read_user_files is not disabled? - - Verify the operating system routinely checks the baseline configuration for unauthorized changes. - -To determine that periodic AIDE execution has been scheduled, run the following command: -$ grep aide /etc/crontab -The output should return something similar to the following: -05 4 * * * root /usr/sbin/aide --check - -NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. - Is it the case that AIDE is not configured to scan periodically? 
+ + Run the following command to determine if the avahi package is installed: +$ rpm -q avahi + Is it the case that the package is installed? - + -Run the following command to determine if the glance_use_fusefs SELinux boolean is disabled: -$ getsebool glance_use_fusefs +Run the following command to determine if the httpd_can_network_connect_cobbler SELinux boolean is disabled: +$ getsebool httpd_can_network_connect_cobbler If properly configured, the output should show the following: -glance_use_fusefs --> off - Is it the case that glance_use_fusefs is not disabled? +httpd_can_network_connect_cobbler --> off + Is it the case that httpd_can_network_connect_cobbler is not disabled? - - To verify that web content directories should not be shared anonymously over -remote filesystems such as nfs and smb, inspect each instance -of DocumentRoot and serverRoot and verify that no entry in -/etc/fstab exists or no remote filesystem process is running for -any instance. -$ ps -ef | grep "nfs\|smb" - Is it the case that it is not? - - - - Verify the system-wide shared library files are owned by "root" with the following command: + + Verify that the interactive user account passwords are using a strong +password hash with the following command: -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; - Is it the case that any system wide shared library file is not owned by root? +$ sudo cut -d: -f2 /etc/shadow + +$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ + +Password hashes ! or * indicate inactive accounts not +available for logon and are not evaluated. + Is it the case that any interactive user password hash does not begin with "$6"? 
- + -Run the following command to determine if the telepathy_tcp_connect_generic_network_ports SELinux boolean is disabled: -$ getsebool telepathy_tcp_connect_generic_network_ports +Run the following command to determine if the httpd_use_sasl SELinux boolean is disabled: +$ getsebool httpd_use_sasl If properly configured, the output should show the following: -telepathy_tcp_connect_generic_network_ports --> off - Is it the case that telepathy_tcp_connect_generic_network_ports is not disabled? +httpd_use_sasl --> off + Is it the case that httpd_use_sasl is not disabled? - - To verify that a nftables table exists, run the following command: -$ sudo nft list tables -Output should include a list of nftables similar to: + + To check that the kdump service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled kdump +Output should indicate the kdump service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled kdump disabled - table inet filter +Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active kdump - Is it the case that a nftables table does not exist? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the kdump is masked, run the following command: +$ sudo systemctl show kdump | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "kdump" is loaded and not masked? 
- - To check the permissions of /etc/ssh/*_key, + + To check that the debug-shell service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled debug-shell +Output should indicate the debug-shell service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled debug-shell disabled + +Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active debug-shell + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the debug-shell is masked, run the following command: +$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "debug-shell" is loaded and not masked? + + + + To check on the age of McAfee virus definition files, run the following command: +$ sudo cd /opt/NAI/LinuxShield/engine/dat +$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat + Is it the case that signatures are out of date? + + + + Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. + +Check the owner of each audit tool by running the following command: + +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules + Is it the case that any audit tools are not owned by root? 
+ + + + Verify that Red Hat Enterprise Linux 8 is configured to prevent unrestricted mail relaying, +run the following command: +$ sudo postconf -n smtpd_client_restrictions + Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECCOMP_FILTER /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To check the group ownership of /etc/gshadow-, run the command: -$ ls -l /etc/ssh/*_key -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? +$ ls -lL /etc/gshadow- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/gshadow- does not have a group owner of root? - + -Run the following command to determine if the git_system_use_cifs SELinux boolean is disabled: -$ getsebool git_system_use_cifs +Run the following command to determine if the postgresql_selinux_unconfined_dbadm SELinux boolean is enabled: +$ getsebool postgresql_selinux_unconfined_dbadm If properly configured, the output should show the following: -git_system_use_cifs --> off - Is it the case that git_system_use_cifs is not disabled? +postgresql_selinux_unconfined_dbadm --> on + Is it the case that postgresql_selinux_unconfined_dbadm is not enabled? - - Verify that Red Hat Enterprise Linux 8 's INACTIVE conforms to site policy (no more than 30 days) with the following command: - -$ sudo awk -F: '$7 > 30 {print $1 " " $7}' /etc/shadow - Is it the case that the value of INACTIVE is greater than the expected value or is -1? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_LEGACY_VSYSCALL_NONE /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Find the list of alias maps used by the Postfix mail server: -$ sudo postconf alias_maps -Query the Postfix alias maps for an alias for the root user: -$ sudo postmap -q root hash:/etc/aliases -The output should return an alias. - Is it the case that the alias is not set? + + +Run the following command to determine if the gluster_export_all_ro SELinux boolean is disabled: +$ getsebool gluster_export_all_ro +If properly configured, the output should show the following: +gluster_export_all_ro --> off + Is it the case that gluster_export_all_ro is not disabled? - + -Run the following command to determine if the virt_use_execmem SELinux boolean is disabled: -$ getsebool virt_use_execmem +Run the following command to determine if the container_connect_any SELinux boolean is disabled: +$ getsebool container_connect_any If properly configured, the output should show the following: -virt_use_execmem --> off - Is it the case that virt_use_execmem is not disabled? +container_connect_any --> off + Is it the case that container_connect_any is not disabled? - + + To verify that McAfee VirusScan Enterprise for Linux is installed +and running, run the following command(s): +$ sudo systemctl status nails +$ rpm -q McAfeeVSEForLinux + Is it the case that virus scanning software is not installed or running? 
+ + + -Run the following command to determine if the use_fusefs_home_dirs SELinux boolean is disabled: -$ getsebool use_fusefs_home_dirs +Run the following command to determine if the privoxy_connect_any SELinux boolean is disabled: +$ getsebool privoxy_connect_any If properly configured, the output should show the following: -use_fusefs_home_dirs --> off - Is it the case that use_fusefs_home_dirs is not disabled? +privoxy_connect_any --> off + Is it the case that privoxy_connect_any is not disabled? - - To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: + + Run the following command to determine if the ntp package is installed: $ rpm -q ntp + Is it the case that the package is not installed? + + + + To check the group ownership of /etc/cron.weekly, +run the command: +$ ls -lL /etc/cron.weekly +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.weekly does not have a group owner of root? + + + + To ensure that users cannot disable the screensaver idle inactivity setting, run the following: +$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled + Is it the case that idle-activation-enabled is not locked? + + + + The file /etc/at.deny should not exist. +This can be checked by running the following -$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config +stat /etc/at.deny -If a line indicating yes is returned, then the required value is set. - Is it the case that the display proxy is listening on wildcard address? +and the output should be + +stat: cannot stat `/etc/at.deny': No such file or directory + + Is it the case that the file /etc/at.deny exists? - - To verify the home directory ownership, run the following command: -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) - Is it the case that the user ownership is incorrect? 
+ + To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: +sysctl crypto.fips_enabled +The output should contain the following: +crypto.fips_enabled = 1 + Is it the case that crypto.fips_enabled is not 1? - - To check the ownership of /etc/crontab, + + Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: + +$ sudo grep -i path= /home/*/.* + +/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin + Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement? + + + + To check the permissions of /etc/http/conf.d/*, run the command: -$ ls -lL /etc/crontab -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/crontab does not have an owner of root? +$ ls -l /etc/http/conf.d/* +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/http/conf.d/* does not have unix mode -rw-r-----? - - To verify that the DConf User profile is configured correctly, run the following -command: - -$ cat /etc/dconf/profile/user -The output should show the following: -user-db:user -system-db:local -system-db:site -system-db:distro - Is it the case that DConf User profile does not exist or is not configured correctly? + + To check the ownership of /etc/cron.allow, +run the command: +$ ls -lL /etc/cron.allow +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.allow does not have an owner of root? 
- - -Run the following command to determine if the puppetmaster_use_db SELinux boolean is disabled: -$ getsebool puppetmaster_use_db -If properly configured, the output should show the following: -puppetmaster_use_db --> off - Is it the case that puppetmaster_use_db is not disabled? + + Run the following command to determine if the sssd package is installed: $ rpm -q sssd + Is it the case that the package is not installed? - - To check that the dovecot service is disabled in system boot configuration, + + To check that the cpupower service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled dovecot -Output should indicate the dovecot service has either not been installed, +$ sudo systemctl is-enabled cpupower +Output should indicate the cpupower service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled dovecot disabled +$ sudo systemctl is-enabled cpupower disabled -Run the following command to verify dovecot is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active dovecot +Run the following command to verify cpupower is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active cpupower If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the dovecot is masked, run the following command: -$ sudo systemctl show dovecot | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the cpupower is masked, run the following command: +$ sudo systemctl show cpupower | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "dovecot" is loaded and not masked? + Is it the case that the "cpupower" is loaded and not masked? 
- - To verify the system is not configured to use a boot loader on removable media, -check that the grub configuration file has the set root command in each menu -entry with the following commands: -$ sudo grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg -Note that the -c option for the grep command will print -only the count of menuentry occurrences. This number should match -the number of occurrences reported by the following command: -$ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg -The output should return something similar to: -set root='hd0,msdos1' -usb0, cd, fd0, etc. are some examples of removeable -media which should not exist in the lines: -set root='hd0,msdos1' - Is it the case that it is not? + + +Run the following command to determine if the secure_mode SELinux boolean is disabled: +$ getsebool secure_mode +If properly configured, the output should show the following: +secure_mode --> off + Is it the case that secure_mode is not disabled? - - To verify that SSSD's in-memory cache expires after a day, run the following command: -$ sudo grep memcache_timeout /etc/sssd/sssd.conf -If configured properly, output should be memcache_timeout = . - Is it the case that it does not exist or is not configured properly? + + +Run the following command to determine if the mozilla_plugin_use_bluejeans SELinux boolean is disabled: +$ getsebool mozilla_plugin_use_bluejeans +If properly configured, the output should show the following: +mozilla_plugin_use_bluejeans --> off + Is it the case that mozilla_plugin_use_bluejeans is not disabled? - - To determine if the system is configured to audit successful calls -to the lchown system call, run the following command: -$ sudo grep "lchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. 
+ + Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: - Is it the case that no line is returned? +$ sudo firewall-cmd --state + +running + +$ sudo firewall-cmd --get-active-zones + +[custom] +interfaces: ens33 + +$ sudo firewall-cmd --info-zone=[custom] | grep target + +target: DROP + Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"? - - Verify the nosuid option is configured for the /home mount point, + + First, check whether the password is defined in either /boot/grub2/user.cfg or +/boot/grub2/grub.cfg. +Run the following commands: +$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg +$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg + + +Second, check that a superuser is defined in /boot/grub2/grub.cfg. +$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' /boot/grub2/grub.cfg + Is it the case that it does not produce any output? + + + + The runtime status of the kernel.dmesg_restrict kernel parameter can be queried +by running the following command: +$ sysctl kernel.dmesg_restrict +1. + + Is it the case that the correct value is not returned? + + + + To check the permissions of /etc/cron.monthly, +run the command: +$ ls -l /etc/cron.monthly +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.monthly does not have unix mode -rwx------? + + + + +Run the following command to determine if the httpd_enable_homedirs SELinux boolean is disabled: +$ getsebool httpd_enable_homedirs +If properly configured, the output should show the following: +httpd_enable_homedirs --> off + Is it the case that httpd_enable_homedirs is not disabled? 
+ + + + Verify the nodev option is configured for the /tmp mount point, run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . nosuid . . . + $ sudo mount | grep '\s/tmp\s' + . . . /tmp . . . nodev . . . - Is it the case that the "/home" file system does not have the "nosuid" option set? + Is it the case that the "/tmp" file system does not have the "nodev" option set? - - Run the following command to determine if the binutils package is installed: $ rpm -q binutils + + Run the following command to determine if the psacct package is installed: $ rpm -q psacct Is it the case that the package is not installed? - - To find the location of the AIDE database file, run the following command: -$ sudo ls -l DBDIR/database_file_name - Is it the case that there is no database file? + + To check if authentication is required for emergency mode, run the following command: +$ grep sulogin /usr/lib/systemd/system/emergency.service +The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + +Then, check if the emergency target requires the emergency service: +Run the following command: +$ sudo grep Requires /usr/lib/systemd/system/emergency.target +The output should be the following: +Requires=emergency.service + +Then, check if there is no custom emergency target configured in systemd configuration. +Run the following command: +$ sudo grep -r emergency.target /etc/systemd/system/ +The output should be empty. + +Then, check if there is no custom emergency service configured in systemd configuration. +Run the following command: +$ sudo grep -r emergency.service /etc/systemd/system/ +The output should be empty. + Is it the case that the output is different? 
- + + To verify the nodev option is configured for all NFS mounts, run +the following command: +$ mount | grep nfs +All NFS mounts should show the nodev setting in parentheses. This +is not applicable if NFS is not implemented. + Is it the case that the setting does not show? + + + + Verify the system-wide shared library files are owned by "root" with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; + Is it the case that any system wide shared library file is not owned by root? + + + + To determine how the SSH daemon's X11Forwarding option is set, run the following command: + +$ sudo grep -i X11Forwarding /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PANIC_TIMEOUT /boot/config.* + $ grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config.* - For each kernel installed, a line with value "" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? - - -Run the following command to get the current configured value for secure_mode_insmod -SELinux boolean: -$ getsebool secure_mode_insmod -The expected cofiguration is . -"on" means true, and "off" means false - Is it the case that secure_mode_insmod is not set as expected? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PANIC_ON_OOPS /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + + To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check +that the ctrl-alt-del.target is masked and not active with the following +command: +sudo systemctl status ctrl-alt-del.target +The output should indicate that the target is masked and not active. It +might resemble following output: +ctrl-alt-del.target +Loaded: masked (/dev/null; bad) +Active: inactive (dead) + Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? + + + + The owner of all log files written by rsyslog should be -$ sudo auditctl -l | grep umount +root. --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount - Is it the case that the command does not return a line, or the line is commented out? +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +To see the owner of a given log file, run the following command: +$ ls -l LOGFILE + Is it the case that the owner is not correct? - - To verify if the OpenSSH server uses defined Crypto Policy, run: -$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1 -and verify that the line matches -CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256' - Is it the case that Crypto Policy for OpenSSH Server is not configured according to CC requirements? + + Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. 
+ +Check the value of the system inactivity timeout with the following command: + +$ grep -i lock-after-time /etc/tmux.conf + +set -g lock-after-time 900 + +Then, verify that the /etc/tmux.conf file can be read by other users than root: + +$ sudo ls -al /etc/tmux.conf + Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? - - Run the following command to determine if the nginx package is installed: -$ rpm -q nginx - Is it the case that the package is installed? + + To determine if the system is configured to audit successful calls +to the renameat system call, run the following command: +$ sudo grep "renameat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the cups_execmem SELinux boolean is disabled: -$ getsebool cups_execmem +Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. + +Check the hashing algorithm that is being used to hash passwords with the following command: + +$ sudo grep -i ENCRYPT_METHOD /etc/login.defs + +ENCRYPT_METHOD + Is it the case that ENCRYPT_METHOD is not set to <sub idref="var_password_hashing_algorithm" />? + + + + +Run the following command to determine if the selinuxuser_postgresql_connect_enabled SELinux boolean is disabled: +$ getsebool selinuxuser_postgresql_connect_enabled If properly configured, the output should show the following: -cups_execmem --> off - Is it the case that cups_execmem is not disabled? +selinuxuser_postgresql_connect_enabled --> off + Is it the case that selinuxuser_postgresql_connect_enabled is not disabled? 
- + -Run the following command to determine if the samba_portmapper SELinux boolean is disabled: -$ getsebool samba_portmapper +Run the following command to determine if the irssi_use_full_network SELinux boolean is disabled: +$ getsebool irssi_use_full_network If properly configured, the output should show the following: -samba_portmapper --> off - Is it the case that samba_portmapper is not disabled? +irssi_use_full_network --> off + Is it the case that irssi_use_full_network is not disabled? - - The runtime status of the net.ipv6.conf.all.max_addresses kernel parameter can be queried + + Check to see if Online Certificate Status Protocol (OCSP) +is enabled and using the proper digest value on the system with the following command: +$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#" +If configured properly, output should look like + + certificate_verification = ocsp_dgst= + + Is it the case that certificate_verification in sssd is not configured? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + +$ sudo auditctl -l | grep gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd + Is it the case that the command does not return a line, or the line is commented out? + + + + The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.all.max_addresses +$ sysctl kernel.yama.ptrace_scope 1. Is it the case that the correct value is not returned? - - -Run the following command to determine if the virt_use_comm SELinux boolean is disabled: -$ getsebool virt_use_comm -If properly configured, the output should show the following: -virt_use_comm --> off - Is it the case that virt_use_comm is not disabled? 
- - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_IA32_EMULATION /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit unsuccessful calls +to the chown system call, run the following command: +$ sudo grep "chown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
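Review bot: the McAfee definition-age check added in this hunk runs `$ sudo cd /opt/NAI/LinuxShield/engine/dat` before `$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat`, which cannot work: cd is a shell builtin and sudo executes a separate external command, so the directory change never applies to the ls that follows and the relative file names will not resolve. Collapse it into one command with absolute paths, e.g. `$ sudo ls -la /opt/NAI/LinuxShield/engine/dat/avvscan.dat /opt/NAI/LinuxShield/engine/dat/avvnames.dat /opt/NAI/LinuxShield/engine/dat/avvclean.dat`. Two smaller points in the same hunk: the httpd configuration permission check refers to `/etc/http/conf.d/*` while the log_config_module check nearby uses `/etc/httpd/conf/httpd.conf`, so the `http` directory looks like a typo for `httpd`; and several expected-value lines are rendered empty (`disk_full_action =`, `ENCRYPT_METHOD`, `certificate_verification = ocsp_dgst=`, the bare `1.` after the `sysctl kernel.dmesg_restrict` and `sysctl kernel.yama.ptrace_scope` commands) while the ENCRYPT_METHOD question shows a literal `<sub idref="var_password_hashing_algorithm" />`, which indicates XCCDF value substitution was not resolved when this check text was rendered, so the published questions do not tell the assessor what value to look for.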
@@ -367553,30 +367666,21 @@ are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? - + -Run the following command to determine if the httpd_mod_auth_pam SELinux boolean is disabled: -$ getsebool httpd_mod_auth_pam +Run the following command to determine if the pppd_for_user SELinux boolean is disabled: +$ getsebool pppd_for_user If properly configured, the output should show the following: -httpd_mod_auth_pam --> off - Is it the case that httpd_mod_auth_pam is not disabled? - - - - Verify the usrquota option is configured for the /home mount point, - run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . usrquota . . . - - Is it the case that the "/home" file system does not have the "usrquota" option set? +pppd_for_user --> off + Is it the case that pppd_for_user is not disabled? - + -To check that the telnet service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig telnet --list -Output should indicate the telnet service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig telnet --list +To check that the rexec service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig rexec --list +Output should indicate the rexec service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig rexec --list Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native 
@@ -367586,22 +367690,22 @@ If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'. -telnet off +rexec off -To check that the telnet socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled telnet -Output should indicate the telnet socket has either not been installed, +To check that the rexec socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled rexec +Output should indicate the rexec socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled telnetdisabled +$ sudo systemctl is-enabled rexecdisabled -Run the following command to verify telnet is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active telnet +Run the following command to verify rexec is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rexec If the socket is not running the command will return the following output: inactive -The socket will also be masked, to check that the telnet is masked, run the following command: -$ sudo systemctl show telnet | grep "LoadState\|UnitFileState" +The socket will also be masked, to check that the rexec is masked, run the following command: +$ sudo systemctl show rexec | grep "LoadState\|UnitFileState" If the socket is masked the command will return the following outputs: 
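Review bot: the systemd checks in this hunk use the bare unit name `rexec` (`$ systemctl is-enabled rexec`, `$ sudo systemctl is-active rexec`, `$ sudo systemctl show rexec`) even though the surrounding text says it is checking the rexec socket; without a type suffix systemctl resolves the name to rexec.service, so these commands should name `rexec.socket` explicitly or they will not report on the unit the check describes. Also, the example output `$ sudo systemctl is-enabled rexecdisabled` runs the command and its `disabled` output together; split them onto separate lines as the `$ sudo systemctl is-enabled kdump` example earlier in the patch does.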
@@ -367611,103 +367715,132 @@ UnitFileState=masked Is it the case that service and/or socket are running? - - Verify the nodev option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . nodev . . . - - Is it the case that the "/boot" file system does not have the "nodev" option set? + + +Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled: +$ getsebool ssh_sysadm_login +If properly configured, the output should show the following: +ssh_sysadm_login --> off + Is it the case that ssh_sysadm_login is not disabled? - - The telnet package can be removed with the following command: $ sudo yum erase telnet - Is it the case that ? + + To ensure the MaxAuthTries parameter is set, run the following command: +$ sudo grep MaxAuthTries /etc/ssh/sshd_config +If properly configured, output should be: +MaxAuthTries + Is it the case that it is commented out or not configured properly? - - Run the following command to ensure postfix accepts mail messages from only the local system: -$ grep inet_interfaces /etc/postfix/main.cf -If properly configured, the output should show only . - Is it the case that it does not? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes vsyscall=none, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. 
+Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none' +The command should not return any output. + Is it the case that vsyscalls are enabled? - - To verify if password complexities are only enforce on local users, run the following command: -$ grep local_users_only /etc/security/pwquality.conf -The output should return local_users_only uncommented. - Is it the case that local_users_only is not uncommented or configured correctly? + + +Run the following command to determine if the fips_mode SELinux boolean is enabled: +$ getsebool fips_mode +If properly configured, the output should show the following: +fips_mode --> on + Is it the case that fips_mode is not enabled? - - To determine if the users are allowed to run commands as root, run the following commands: -$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]' /etc/sudoers /etc/sudoers.d/ -and -$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)' /etc/sudoers /etc/sudoers.d/ -Both commands should return no output. - Is it the case that /etc/sudoers file contains rules that allow non-root users to run commands as root? + + +Run the following command to determine if the daemons_dump_core SELinux boolean is disabled: +$ getsebool daemons_dump_core +If properly configured, the output should show the following: +daemons_dump_core --> off + Is it the case that daemons_dump_core is not disabled? - - Verify that local initialization files do not execute world-writable programs with the following command: + + The following command will list which files on the system have permissions different from what +is expected by the RPM database: +$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' + Is it the case that there is output? + + + + +Verify that the libuser is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. 
-Note: The example will be for a system that is configured to create user home directories in the "/home" directory. +Check the hashing algorithm that is being used to hash passwords with the following command: -$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; - Is it the case that any local initialization files are found to reference world-writable files? +$ sudo grep -i crypt_style /etc/libuser.conf + +crypt_style = sha512 + Is it the case that crypt_style is not set to sha512? - - Verify the umask setting is configured correctly in the /etc/profile file -or scripts within /etc/profile.d directory with the following command: -$ grep "umask" /etc/profile* -umask - Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", -or the "umask" parameter is missing or is commented out? + + To ensure ClientAliveInterval is set correctly, run the following command: + +$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config + +If properly configured, the output should be: +ClientAliveCountMax 0 + +In this case, the SSH timeout occurs precisely when +the ClientAliveInterval is set. + Is it the case that it is commented out or not configured properly? - - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -$ sudo grep "delete_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the mount_anyfile SELinux boolean is enabled: +$ getsebool mount_anyfile +If properly configured, the output should show the following: +mount_anyfile --> on + Is it the case that mount_anyfile is not enabled? - - Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. 
- -Check the owner of each audit tool by running the following command: + + To check the current idle time-out value, run the following command: +$ gsettings get org.gnome.desktop.session idle-delay +If properly configured, the output should be 'uint32 '. +To ensure that users cannot change the screensaver inactivity timeout setting, run the following: +$ grep idle-delay /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/session/idle-delay + Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />? + + + + Run the following command to determine if the dovecot package is installed: +$ rpm -q dovecot + Is it the case that the package is installed? + + + + To verify that null passwords cannot be used, run the following command: -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth -root /sbin/auditctl -root /sbin/aureport -root /sbin/ausearch -root /sbin/autrace -root /sbin/auditd -root /sbin/rsyslogd -root /sbin/augenrules - Is it the case that any audit tools are not owned by root? +If this produces any output, it may be possible to log into accounts +with empty passwords. Remove any instances of the nullok option to +prevent logins with empty passwords. + Is it the case that NULL passwords can be used? - - To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -$ sudo grep "lsetxattr" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the lsetxattr system call, run the following command: +$ sudo grep "lsetxattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? 
- - - - -Run the following command to determine if the virt_sandbox_use_all_caps SELinux boolean is disabled: -$ getsebool virt_sandbox_use_all_caps -If properly configured, the output should show the following: -virt_sandbox_use_all_caps --> off - Is it the case that virt_sandbox_use_all_caps is not disabled? 
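Review bot: the added audit check `$ sudo grep "lsetxattr" /etc/audit.*` replaces the earlier `/etc/audit/audit.*` path; on RHEL 8 the rules live in the /etc/audit/ directory and /etc/audit/rules.d/, and the glob /etc/audit.* matches neither, so the question "Is it the case that no line is returned?" would always be answered yes. Search /etc/audit/audit.rules and /etc/audit/rules.d/*.rules instead. Several rendered strings in this hunk are also incomplete: the MaxAuthTries expected output is just `MaxAuthTries` with no value, the idle-delay expected output is `'uint32 '`, and the idle-delay question leaks an unresolved `<sub idref="inactivity_timeout_value" />`, which suggests the XCCDF variable substitution did not run for these questionnaires. The vsyscall GRUB check runs two sentences together at "/etc/default/grub.Moreover," (missing line break), and the ClientAliveCountMax check opens with "To ensure ClientAliveInterval is set correctly" while grepping ClientAliveCountMax; the intro should name the parameter it actually checks.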
@@ -367719,713 +367852,874 @@ virt_rw_qemu_ga_data --> off Is it the case that virt_rw_qemu_ga_data is not disabled? - - The runtime status of the net.ipv4.conf.all.arp_filter kernel parameter can be queried + + The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.arp_filter -. +$ sysctl net.ipv4.conf.all.rp_filter +The output of the command should indicate either: +net.ipv4.conf.all.rp_filter = 1 +or: +net.ipv4.conf.all.rp_filter = 2 +The output of the command should not indicate: +net.ipv4.conf.all.rp_filter = 0 - Is it the case that the correct value is not returned? - - - - Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan - Is it the case that the package is not installed? - - - - To check the ownership of /etc/cron.daily, -run the command: -$ ls -lL /etc/cron.daily -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.daily does not have an owner of root? - - - - To check the group ownership of /boot/efi/EFI/redhat/user.cfg, -run the command: -$ ls -lL /boot/efi/EFI/redhat/user.cfg -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /boot/efi/EFI/redhat/user.cfg does not have a group owner of root? +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent sysctl parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d +The command should not find any assignments other than: +net.ipv4.conf.all.rp_filter = 1 +or: +net.ipv4.conf.all.rp_filter = 2 + +Conflicting assignments are not allowed. + Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? - + -Run the following command to determine if the xdm_bind_vnc_tcp_port SELinux boolean is disabled: -$ getsebool xdm_bind_vnc_tcp_port -If properly configured, the output should show the following: -xdm_bind_vnc_tcp_port --> off - Is it the case that xdm_bind_vnc_tcp_port is not disabled? - - - - Check whether the maximum time period for existing passwords is restricted to days with the following commands: +If the system is configured to prevent the loading of the usb-storage kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow +These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword. -$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow - Is it the case that any results are returned that are not associated with a system account? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? 
- + -Run the following command to determine if the httpd_can_connect_zabbix SELinux boolean is disabled: -$ getsebool httpd_can_connect_zabbix +Run the following command to determine if the ftpd_use_nfs SELinux boolean is disabled: +$ getsebool ftpd_use_nfs If properly configured, the output should show the following: -httpd_can_connect_zabbix --> off - Is it the case that httpd_can_connect_zabbix is not disabled? +ftpd_use_nfs --> off + Is it the case that ftpd_use_nfs is not disabled? - - Run the following command to determine if the net-snmp package is installed: -$ rpm -q net-snmp - Is it the case that the package is installed? + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To check the password warning age, run the command: -$ grep PASS_WARN_AGE /etc/login.defs -The DoD requirement is 7. - Is it the case that it is not set to the required value? + + To ensure that the GPG key is installed, run: +$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey +The command should return the string below: +gpg(Red Hat, Inc. (release key 2) <security@redhat.com> + Is it the case that the Red Hat GPG Key is not installed? - - To verify whether audispd plugin off-loads audit records onto a different -system or media from the system being audited, run the following command: - -$ sudo grep -i remote_server /etc/audit/audisp-remote.conf + + The runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.arp_ignore +. -The output should return something similar to where REMOTE_SYSTEM -is an IP address or hostname: -remote_server = REMOTE_SYSTEM + Is it the case that the correct value is not returned? 
+ + + + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: -Determine which partition the audit records are being written to with the -following command: +$ grep "lock-session" /etc/tmux.conf -$ sudo grep log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log +bind X lock-session -Check the size of the partition that audit records are written to with the -following command and verify whether it is sufficiently large: +Then, verify that the /etc/tmux.conf file can be read by other users than root: -$ sudo df -h /var/log/audit/ -/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit - Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space? +$ sudo ls -al /etc/tmux.conf + Is it the case that the "lock-session" is not bound to a specific key? - - Verify Red Hat Enterprise Linux 8 is configured to lock an account until released by an administrator -after unsuccessful logon -attempts with the command: + + Find if logging is applied to the FTP daemon. +Procedures: -$ grep 'unlock_time =' /etc/security/faillock.conf -unlock_time = - Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />", -the line is missing, or commented out? +If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file: +$ grep vsftpd /etc/xinetd.d/* +$ grep server_args vsftpd xinetd.d startup file +This will indicate the vsftpd config file used when starting through xinetd. +If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. +$ sudo grep xferlog_enable vsftpd config file + Is it the case that xferlog_enable is missing, or is not set to yes? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudoedit" command with the following command: - -$ sudo auditctl -l | grep sudoedit + + --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit - Is it the case that the command does not return a line, or the line is commented out? +Run the following command to determine the current status of the +crond service: +$ sudo systemctl is-active crond +If the service is running, it should return the following: active + Is it the case that ? - - To determine if the system is configured to audit calls to the -query_module system call, run the following command: -$ sudo grep "query_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the httpd_use_openstack SELinux boolean is disabled: +$ getsebool httpd_use_openstack +If properly configured, the output should show the following: +httpd_use_openstack --> off + Is it the case that httpd_use_openstack is not disabled? - + -Run the following command to determine if the varnishd_connect_any SELinux boolean is disabled: -$ getsebool varnishd_connect_any +Run the following command to determine if the abrt_upload_watch_anon_write SELinux boolean is disabled: +$ getsebool abrt_upload_watch_anon_write If properly configured, the output should show the following: -varnishd_connect_any --> off - Is it the case that varnishd_connect_any is not disabled? +abrt_upload_watch_anon_write --> off + Is it the case that abrt_upload_watch_anon_write is not disabled? - - Verify the Red Hat Enterprise Linux 8 "fapolicyd" employs a deny-all, permit-by-exception policy. 
- -Check that "fapolicyd" is in enforcement mode with the following command: - -$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf - -permissive = 0 + + To verify that SSSD is configured for PAM services, run the following command: +$ sudo grep services /etc/sssd/sssd.conf +If configured properly, output should be similar to +services = pam + Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section? + + + + +Run the following command to determine if the git_system_use_cifs SELinux boolean is disabled: +$ getsebool git_system_use_cifs +If properly configured, the output should show the following: +git_system_use_cifs --> off + Is it the case that git_system_use_cifs is not disabled? + + + + Verify the nodev option is configured for the /var/tmp mount point, + run the following command: + $ sudo mount | grep '\s/var/tmp\s' + . . . /var/tmp . . . nodev . . . -Check that fapolicyd employs a deny-all policy on system mounts with the following commands: + Is it the case that the "/var/tmp" file system does not have the "nodev" option set? + + + + To ensure the X Windows package group is removed, run the following command: -For RHEL 8.5 systems and older: -$ sudo tail /etc/fapolicyd/fapolicyd.rules +$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland -For RHEL 8.6 systems and newer: -$ sudo tail /etc/fapolicyd/compiled.rules +For each package mentioned above you should receive following line: +package <package> is not installed + Is it the case that xorg related packages are not removed and run level is not correctly configured? + + + + To check the ownership of /etc/passwd-, +run the command: +$ ls -lL /etc/passwd- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/passwd- does not have an owner of root? 
+ + + + To determine if the system is configured to audit successful calls +to the creat system call, run the following command: +$ sudo grep "creat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -allow exe=/usr/bin/python3.7 : ftype=text/x-python -deny_audit perm=any pattern=ld_so : all -deny perm=any all : all - Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy? + Is it the case that no line is returned? - - To check that the portreserve service is disabled in system boot configuration, + + +Run the following command to determine if the use_lpd_server SELinux boolean is disabled: +$ getsebool use_lpd_server +If properly configured, the output should show the following: +use_lpd_server --> off + Is it the case that use_lpd_server is not disabled? + + + + To check the system for the existence of any .netrc files, run the following command: -$ sudo systemctl is-enabled portreserve -Output should indicate the portreserve service has either not been installed, +$ sudo find /home -xdev -name .netrc + Is it the case that any .netrc files exist? + + + + To check the ownership of /var/log, +run the command: +$ ls -lL /var/log +If properly configured, the output should indicate the following owner: +root + Is it the case that /var/log does not have an owner of root? + + + + To ensure the system is configured to ignore the Ctrl-Alt-Del setting, +enter the following command: +$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf +The output should return: +CtrlAltDelBurstAction=none + Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? 
+ + + + To check that the acpid service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled acpid +Output should indicate the acpid service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled portreserve disabled +$ sudo systemctl is-enabled acpid disabled -Run the following command to verify portreserve is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active portreserve +Run the following command to verify acpid is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active acpid If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the portreserve is masked, run the following command: -$ sudo systemctl show portreserve | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the acpid is masked, run the following command: +$ sudo systemctl show acpid | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "portreserve" is loaded and not masked? + Is it the case that the "acpid" is loaded and not masked? - - To check that the ypbind service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled ypbind -Output should indicate the ypbind service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled ypbind disabled + + The runtime status of the net.ipv6.conf.default.autoconf kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.autoconf +0. -Run the following command to verify ypbind is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active ypbind + Is it the case that the correct value is not returned? + + + + +Run the following command to determine if the dbadm_read_user_files SELinux boolean is disabled: +$ getsebool dbadm_read_user_files +If properly configured, the output should show the following: +dbadm_read_user_files --> off + Is it the case that dbadm_read_user_files is not disabled? + + + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. -If the service is not running the command will return the following output: -inactive +Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: -The service will also be masked, to check that the ypbind is masked, run the following command: -$ sudo systemctl show ypbind | grep "LoadState\|UnitFileState" +$ sudo grep disk_error_action /etc/audit/auditd.conf -If the service is masked the command will return the following outputs: +disk_error_action = HALT -LoadState=masked +If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. + Is it the case that there is no evidence of appropriate action? + + + + To check the ownership of /etc/cron.monthly, +run the command: +$ ls -lL /etc/cron.monthly +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.monthly does not have an owner of root? + + + + +Run the following command to determine if the daemons_enable_cluster_mode SELinux boolean is disabled: +$ getsebool daemons_enable_cluster_mode +If properly configured, the output should show the following: +daemons_enable_cluster_mode --> off + Is it the case that daemons_enable_cluster_mode is not disabled? 
+ + + + To determine if the system is configured to audit accesses to +/var/log/audit directory, run the following command: +$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + + + + -UnitFileState=masked - Is it the case that the "ypbind" is loaded and not masked? +Run the following command to determine the current status of the +postfix service: +$ sudo systemctl is-active postfix +If the service is running, it should return the following: active + Is it the case that the system is not a cross domain solution and the service is not enabled? - + -If the system is configured to prevent the loading of the mac80211 kernel module, + +Run the following command to determine the current status of the +auditd service: +$ sudo systemctl is-active auditd +If the service is running, it should return the following: active + Is it the case that the auditd service is not running? + + + + +If the system is configured to prevent the loading of the cramfs kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the mac80211 kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r mac80211 /etc/modprobe.conf /etc/modprobe.d +$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? 
- + + To verify that Audit Daemon is configured to flush to disk after +every records, run the following command: +$ sudo grep freq /etc/audit/auditd.conf +The output should return the following: +freq = + Is it the case that freq isn't set to <sub idref="var_auditd_freq" />? + + + + Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan + Is it the case that the package is not installed? + + + + Determine if there is a process for the uploading of files to the web site. +This process should include the requirement for the use of a secure encrypted +logon and secure encrypted connection. If the remote users are uploading files +without utilizing approved encryption methods, this is a finding. + Is it the case that it is not? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes iommu=force, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*iommu=force.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*iommu=force.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'iommu=force' +The command should not return any output. + Is it the case that I/OMMU is not activated? 
+ + + - - -To determine if firewalld is configured to allow access - -on port 22/tcp, run the following command(s): - firewall-cmd --list-ports - - -to ssh - firewall-cmd --list-services - -If firewalld is configured to allow access through the firewall, something similar to the following will be output: - -If it is a service: -ssh - - -If it is a port: -22/tcp - - Is it the case that sshd service is not enabled in the proper firewalld zone? +Run the following command to determine if the rsync_export_all_ro SELinux boolean is disabled: +$ getsebool rsync_export_all_ro +If properly configured, the output should show the following: +rsync_export_all_ro --> off + Is it the case that rsync_export_all_ro is not disabled? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEVKMEM /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + Run the following command to determine if the McAfeeTP package is installed: $ rpm -q McAfeeTP + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "init" command with the following command: - -$ sudo auditctl -l | grep init + + To verify the audispd plugin encrypts audit records off-loaded onto a different +system or media from the system being audited, run the following command: --a always,exit -F path=/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init - Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -i transport /etc/audit/audisp-remote.conf +The output should return the following: +transport = KRB5 + Is it the case that audispd is not encrypting audit records when sent over the network? 
- - To ensure that the GUI power settings are not active, run the following command: -$ gsettings get org.gnome.settings-daemon.plugins.power active -If properly configured, the output should be false. -To ensure that users cannot enable the power settings, run the following: -$ grep power /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/settings-daemon/plugins/power/active - Is it the case that power settings are enabled and are not disabled? + + To verify the nosuid option is configured for all NFS mounts, run +the following command: +$ mount | grep nfs +All NFS mounts should show the nosuid setting in parentheses. This +is not applicable if NFS is not implemented. + Is it the case that the setting does not show? - + + In order to be sure that the databases are up-to-date, run the +dconf update +command as the administrator. + Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles? + + + + Make sure that the kernel is not disabling SMAP with the following +commands. +grep -q nosmap /boot/config-`uname -r` +If the command returns a line, it means that SMAP is being disabled. + Is it the case that the kernel is configured to disable SMAP? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes rng_core.default_quality=, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*rng_core.default_quality=.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*rng_core.default_quality=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. 
+Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'rng_core.default_quality=' +The command should not return any output. + Is it the case that trust on hardware random number generator is not configured appropriately? + + + -Run the following command to determine if the gssd_read_tmp SELinux boolean is enabled: -$ getsebool gssd_read_tmp +Run the following command to determine if the mcelog_foreground SELinux boolean is disabled: +$ getsebool mcelog_foreground If properly configured, the output should show the following: -gssd_read_tmp --> on - Is it the case that gssd_read_tmp is not enabled? +mcelog_foreground --> off + Is it the case that mcelog_foreground is not disabled? - + -Run the following command to determine if the privoxy_connect_any SELinux boolean is disabled: -$ getsebool privoxy_connect_any +Run the following command to determine if the git_cgi_use_nfs SELinux boolean is disabled: +$ getsebool git_cgi_use_nfs If properly configured, the output should show the following: -privoxy_connect_any --> off - Is it the case that privoxy_connect_any is not disabled? +git_cgi_use_nfs --> off + Is it the case that git_cgi_use_nfs is not disabled? - - To check that the autofs service is disabled in system boot configuration, + + To check that the rhnsd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled autofs -Output should indicate the autofs service has either not been installed, +$ sudo systemctl is-enabled rhnsd +Output should indicate the rhnsd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled autofs disabled +$ sudo systemctl is-enabled rhnsd disabled -Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active autofs +Run the following command to verify rhnsd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active rhnsd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the autofs is masked, run the following command: -$ sudo systemctl show autofs | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the rhnsd is masked, run the following command: +$ sudo systemctl show rhnsd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "autofs" is loaded and not masked? + Is it the case that the "rhnsd" is loaded and not masked? - - To check that the mdmonitor service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled mdmonitor -Output should indicate the mdmonitor service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled mdmonitor disabled - -Run the following command to verify mdmonitor is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active mdmonitor - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the mdmonitor is masked, run the following command: -$ sudo systemctl show mdmonitor | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_VMAP_STACK /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
+ + + + To verify if the OpenSSL uses defined TLS Crypto Policy, run: +$ grep -P '^(TLS\.)?MinProtocol' /etc/crypto-policies/back-ends/opensslcnf.config +and verify that the value is +TLSv1.2 + Is it the case that cryptographic policy for openssl is not configured or is configured incorrectly? + + + + Verify the noauto option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . noauto . . . -UnitFileState=masked - Is it the case that the "mdmonitor" is loaded and not masked? + Is it the case that the "/boot" file system does not have the "noauto" option set? - + + To verify that all user initialization files have a mode of 0740 or +less permissive, run the following command: +$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) +There should be no output. + Is it the case that they are not 0740 or more permissive? + + + -Run the following command to determine if the dhcpd_use_ldap SELinux boolean is disabled: -$ getsebool dhcpd_use_ldap +Run the following command to determine if the nfs_export_all_rw SELinux boolean is enabled: +$ getsebool nfs_export_all_rw If properly configured, the output should show the following: -dhcpd_use_ldap --> off - Is it the case that dhcpd_use_ldap is not disabled? +nfs_export_all_rw --> on + Is it the case that nfs_export_all_rw is not enabled? - - To check that the zebra service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled zebra -Output should indicate the zebra service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled zebra disabled - -Run the following command to verify zebra is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active zebra + + +Run the following command to determine if the secure_mode_policyload SELinux boolean is disabled: +$ getsebool secure_mode_policyload +If properly configured, the output should show the following: +secure_mode_policyload --> off + Is it the case that secure_mode_policyload is not disabled? + + + + Verify that the default umask for all local interactive users is "077". -If the service is not running the command will return the following output: -inactive +Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. -The service will also be masked, to check that the zebra is masked, run the following command: -$ sudo systemctl show zebra | grep "LoadState\|UnitFileState" +Check all local interactive user initialization files for interactive users with the following command: -If the service is masked the command will return the following outputs: +Note: The example is for a system that is configured to create users home directories in the "/home" directory. -LoadState=masked +# grep -ri umask /home/ -UnitFileState=masked - Is it the case that the "zebra" is loaded and not masked? - - - - Run the following command to determine if the fapolicyd package is installed: $ rpm -q fapolicyd - Is it the case that the fapolicyd package is not installed? +/home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile +/home/smithj/.bash_history:grep -i umask /etc/login.defs + Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"? 
- - To determine if the system is configured to audit calls to the -unlink system call, run the following command: -$ sudo grep "unlink" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To ensure the gdm package group is removed, run the following command: -$ rpm -qi gdm -The output should be: -package gdm is not installed - Is it the case that gdm has not been removed? - - - - To determine how the SSH daemon's UsePAM option is set, run the following command: - -$ sudo grep -i UsePAM /etc/ssh/sshd_config + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -If a line indicating yes is returned, then the required value is set. +$ sudo auditctl -l | grep -E '(/etc/group)' - Is it the case that the required value is not set? +-w /etc/group -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? - - To ensure only SNMPv3 or newer is used, run the following command: -$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#" -There should be no output. - Is it the case that there is output? + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that the command does not return a line, or the line is commented out? - - The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.secure_redirects -0. 
- - Is it the case that the correct value is not returned? + + Run the following command to determine if the binutils package is installed: $ rpm -q binutils + Is it the case that the package is not installed? - + -Run the following command to determine if the httpd_mod_auth_ntlm_winbind SELinux boolean is disabled: -$ getsebool httpd_mod_auth_ntlm_winbind +Run the following command to determine if the xserver_execmem SELinux boolean is disabled: +$ getsebool xserver_execmem If properly configured, the output should show the following: -httpd_mod_auth_ntlm_winbind --> off - Is it the case that httpd_mod_auth_ntlm_winbind is not disabled? +xserver_execmem --> off + Is it the case that xserver_execmem is not disabled? - - Verify the nosuid option is configured for the /tmp mount point, - run the following command: - $ sudo mount | grep '\s/tmp\s' - . . . /tmp . . . nosuid . . . + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: - Is it the case that the "/tmp" file system does not have the "nosuid" option set? +$ sudo auditctl -l | grep chage + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage + Is it the case that the command does not return a line, or the line is commented out? - - To determine if the system is configured to make login UIDs immutable, run -one of the following commands. -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), run the following: -sudo grep immutable /etc/audit/rules.d/*.rules -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, run the following command: -sudo grep immutable /etc/audit/audit.rules -The following line should be returned: ---loginuid-immutable - Is it the case that the system is not configured to make login UIDs immutable? 
+ + To check that the psacct service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled psacct +Output should indicate the psacct service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled psacct disabled + +Run the following command to verify psacct is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active psacct + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the psacct is masked, run the following command: +$ sudo systemctl show psacct | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "psacct" is loaded and not masked? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_POISONING_ZERO /boot/config.* + $ grep CONFIG_HIBERNATION /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? - - To verify the operating system implements cryptography to protect the integrity of -remote ldap access sessions, run the following command: -$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf -The output should return the following with a correctly configured CA cert path: -ldap_tls_cacertdir /path/to/tls/cacert - Is it the case that the TLS CA cert is not configured? 
- - - - To ensure that users cannot change how long until the screensaver locks, run the following: -$ grep lock-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled - Is it the case that screensaver locking is not locked? - - - - To verify the nodev option is configured for non-root local partitions, run the following command: -$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' -The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. - - Is it the case that some mounts appear among output lines? - - - + -Run the following command to determine if the rsync_full_access SELinux boolean is disabled: -$ getsebool rsync_full_access +Run the following command to determine if the httpd_can_network_connect SELinux boolean is disabled: +$ getsebool httpd_can_network_connect If properly configured, the output should show the following: -rsync_full_access --> off - Is it the case that rsync_full_access is not disabled? +httpd_can_network_connect --> off + Is it the case that httpd_can_network_connect is not disabled? - - To determine if the system is configured to audit calls to the -chown system call, run the following command: -$ sudo grep "chown" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the samba-common package is installed: $ rpm -q samba-common + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 loads the driver with the following command: - -$ grep card_drivers /etc/opensc.conf + + The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_source_route +0. 
-card_drivers = ; - Is it the case that "<sub idref="var_smartcard_drivers" />" is not listed as a card driver, or there is no line returned for "card_drivers"? + Is it the case that the correct value is not returned? - - To determine if the system is configured to audit successful calls -to the openat system call, run the following command: -$ sudo grep "openat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that Audit Daemon is configured to resolve all uid, gid, syscall, +architecture, and socket address information before writing the event to disk, +run the following command: +$ sudo grep log_format /etc/audit/auditd.conf +The output should return the following: +log_format = ENRICHED + Is it the case that log_format isn't set to ENRICHED? - - Check that the symlink exists and target the correct Kerberos crypto policy, with the following command: -file /etc/krb5.conf.d/crypto-policies -If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. -/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config - Is it the case that the symlink does not exist or points to a different target? + + To check the group ownership of /boot/grub2/grub.cfg, +run the command: +$ ls -lL /boot/grub2/grub.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /boot/grub2/grub.cfg does not have a group owner of root? - - To determine if logfile has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that logfile is not enabled in sudo? 
+ + +Run the following command to determine if the httpd_can_connect_zabbix SELinux boolean is disabled: +$ getsebool httpd_can_connect_zabbix +If properly configured, the output should show the following: +httpd_can_connect_zabbix --> off + Is it the case that httpd_can_connect_zabbix is not disabled? - + -Run the following command to determine if the logrotate_use_nfs SELinux boolean is disabled: -$ getsebool logrotate_use_nfs +Run the following command to determine if the polipo_use_cifs SELinux boolean is disabled: +$ getsebool polipo_use_cifs If properly configured, the output should show the following: -logrotate_use_nfs --> off - Is it the case that logrotate_use_nfs is not disabled? +polipo_use_cifs --> off + Is it the case that polipo_use_cifs is not disabled? - + + Display the contents of the file /etc/systemd/logind.conf: +cat /etc/systemd/logind.conf +Ensure that there is a section [login] which contains the +configuration StopIdleSessionSec=. + Is it the case that the option is not configured? + + + -If the system is configured to prevent the loading of the tipc kernel module, +If the system is configured to prevent the loading of the iwlmvm kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the iwlmvm kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d +$ grep -r iwlmvm /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? 
- - -Run the following command to determine if the nscd_use_shm SELinux boolean is enabled: -$ getsebool nscd_use_shm -If properly configured, the output should show the following: -nscd_use_shm --> on - Is it the case that nscd_use_shm is not enabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODIFY_LDT_SYSCALL /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? - - - - Run the following command to determine if the iprutils package is installed: -$ rpm -q iprutils - Is it the case that the package is installed? + + To determine if the system is configured to audit calls to the +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify that rules for unsuccessful calls of the open syscall are in the order shown below. + + Verify Red Hat Enterprise Linux 8 shell initialization file is configured to start each shell with the tmux terminal multiplexer. - If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". - If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. 
+Determine the location of the tmux script with the following command: - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +$ sudo grep tmux /etc/bashrc /etc/profile.d/* - If the system is 64 bit then also add the following lines: +/etc/profile.d/tmux.sh: case "$name" in (sshd|login) tmux ;; esac - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - Is it the case that the rules are in a different order? 
+Review the tmux script by using the following example: + +$ cat /etc/profile.d/tmux.sh + +if [ "$PS1" ]; then +parent=$(ps -o ppid= -p $$) +name=$(ps -o comm= -p $parent) +case "$name" in (sshd|login) tmux ;; esac +fi + +If the shell file is not configured as the example above, is commented out, or is missing, this is a finding. + +Determine if tmux is currently running with the following command: + +$ sudo ps all | grep tmux | grep -v grep + Is it the case that the command does not produce output? - - To check the permissions of /usr/bin/sudo, + + To check the permissions of /etc/passwd, run the command: -$ ls -l /usr/bin/sudo +$ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: ----s--x--- - Is it the case that /usr/bin/sudo does not have unix mode ---s--x---? +-rw-r--r-- + Is it the case that /etc/passwd does not have unix mode -rw-r--r--? - - To check if the system login banner is compliant, -run the following command: -$ cat /etc/issue - Is it the case that it does not display the required banner? + + +Run the following command to determine if the glance_api_can_network SELinux boolean is disabled: +$ getsebool glance_api_can_network +If properly configured, the output should show the following: +glance_api_can_network --> off + Is it the case that glance_api_can_network is not disabled? - + -Run the following command to determine if the virt_use_sanlock SELinux boolean is disabled: -$ getsebool virt_use_sanlock +Run the following command to determine if the samba_export_all_ro SELinux boolean is disabled: +$ getsebool samba_export_all_ro If properly configured, the output should show the following: -virt_use_sanlock --> off - Is it the case that virt_use_sanlock is not disabled? +samba_export_all_ro --> off + Is it the case that samba_export_all_ro is not disabled? - - Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf -files to ensure appropriate logging is set. 
In addition, run the following command: -ls -l /var/log/ -and verify that the log files are logging information - Is it the case that no logging is configured? + + Verify that a separate file system/partition has been created for /home with the following command: + +$ mountpoint /home + + Is it the case that "/home is not a mountpoint" is returned? - - -Run the following command to determine if the cobbler_use_nfs SELinux boolean is disabled: -$ getsebool cobbler_use_nfs -If properly configured, the output should show the following: -cobbler_use_nfs --> off - Is it the case that cobbler_use_nfs is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEBUG_SG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + + To verify if the OpenSSH Client uses defined Crypto Policy, run: +$ cat /etc/ssh/ssh_config.d/02-ospp.conf +and verify that the line matches +Match final all +RekeyLimit 512M 1h +GSSAPIAuthentication no +Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc +PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 +MACs hmac-sha2-512,hmac-sha2-256 +KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 + Is it the case that Crypto Policy for OpenSSH Client is not configured according to CC requirements? + + + To determine if the system is configured to audit calls to the -create_module system call, run the following command: -$ sudo grep "create_module" /etc/audit/audit.* +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? 
- - Verify that Red Hat Enterprise Linux 8 is configured to prevent unrestricted mail relaying, -run the following command: -$ sudo postconf -n smtpd_client_restrictions - Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"? + + +Run the following command to determine if the glance_use_execmem SELinux boolean is disabled: +$ getsebool glance_use_execmem +If properly configured, the output should show the following: +glance_use_execmem --> off + Is it the case that glance_use_execmem is not disabled? - - To verify the audispd plugin encrypts audit records off-loaded onto a different -system or media from the system being audited, run the following command: - -$ sudo grep -i transport /etc/audit/audisp-remote.conf -The output should return the following: -transport = KRB5 - Is it the case that audispd is not encrypting audit records when sent over the network? + + Find the list of alias maps used by the Postfix mail server: +$ sudo postconf alias_maps +Query the Postfix alias maps for an alias for the root user: +$ sudo postmap -q root hash:/etc/aliases +The output should return an alias. + Is it the case that the alias is not set? - + -Run the following command to determine if the login_console_enabled SELinux boolean is enabled: -$ getsebool login_console_enabled +Run the following command to determine if the xend_run_qemu SELinux boolean is enabled: +$ getsebool xend_run_qemu If properly configured, the output should show the following: -login_console_enabled --> on - Is it the case that login_console_enabled is not enabled? +xend_run_qemu --> on + Is it the case that xend_run_qemu is not enabled? 
- - Verify that the interactive user account passwords last change time is not in the future -The following command should return no output -$ sudo expiration=$(cat /etc/shadow|awk -F ':' '{print $3}'); -for edate in ${expiration[@]}; do if [[ $edate > $(( $(date +%s)/86400 )) ]]; -then echo "Expiry date in future"; -fi; done - Is it the case that any interactive user password that has last change time in the future? + + To verify the boot loader superuser password has been set, run the following command: +$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg +The output should be similar to: +GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC +2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 +916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 +0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 + Is it the case that no password is set? - - To verify the sec option is configured for all NFS mounts, run the following command: -$ grep "sec=" /etc/exports -All configured NFS exports should show the sec=krb5:krb5i:krb5p setting in parentheses. -This is not applicable if NFS is not implemented. - Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? + + +Run the following command to determine if the samba_export_all_rw SELinux boolean is disabled: +$ getsebool samba_export_all_rw +If properly configured, the output should show the following: +samba_export_all_rw --> off + Is it the case that samba_export_all_rw is not disabled? + + + + To determine if the system is configured to audit calls to the +rename system call, run the following command: +$ sudo grep "rename" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
@@ -368437,327 +368731,351 @@ mplayer_execstack --> off Is it the case that mplayer_execstack is not disabled? - - To check the ownership of /boot/efi/EFI/redhat/grub.cfg, + + Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: + +$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + +The output should be: + +/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 + Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? + + + + To check the group ownership of /etc/at.allow, run the command: -$ ls -lL /boot/efi/EFI/redhat/grub.cfg -If properly configured, the output should indicate the following owner: +$ ls -lL /etc/at.allow +If properly configured, the output should indicate the following group-owner: root - Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have an owner of root? + Is it the case that /etc/at.allow does not have a group owner of root? - + -Run the following command to determine if the mpd_use_nfs SELinux boolean is disabled: -$ getsebool mpd_use_nfs +Run the following command to determine if the fenced_can_ssh SELinux boolean is disabled: +$ getsebool fenced_can_ssh If properly configured, the output should show the following: -mpd_use_nfs --> off - Is it the case that mpd_use_nfs is not disabled? +fenced_can_ssh --> off + Is it the case that fenced_can_ssh is not disabled? - - Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/password-auth file -and is configured to prohibit password reuse for a minimum of -generations. 
- -Verify the "/etc/pam.d/password-auth" file with the following command: - -$ grep pam_pwhistory.so /etc/pam.d/password-auth -password pam_pwhistory.so use_authtok remember= - - -Verify the "/etc/security/pwhistory.conf" file using the following command: - -$ grep remember /etc/security/pwhistory.conf -remember = - -The pam_pwhistory.so "remember" option must be configured only in one file. - Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in -/etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set -with a value less than "<sub idref="var_password_pam_remember" />"? + + +Run the following command to determine if the httpd_use_gpg SELinux boolean is disabled: +$ getsebool httpd_use_gpg +If properly configured, the output should show the following: +httpd_use_gpg --> off + Is it the case that httpd_use_gpg is not disabled? - - The runtime status of the net.ipv4.ip_forward kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.ip_forward -0. -The ability to forward packets is only appropriate for routers. - Is it the case that the correct value is not returned? + + Locate the directories containing the CGI scripts. These directories should be +language-specific (e.g., PERL, ASP, JS, JSP, etc.). Examine the file permissions +on the directories using the following command: +ls -l directories +Anonymous FTP users must not have access to these directories. + Is it the case that it is not? - - To verify that McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) -are installed, run the following command(s): -$ rpm -q MFEcma -$ rpm -q MFErt - Is it the case that the HBSS HIPS module is not installed? 
+ + +Run the following command to determine if the httpd_builtin_scripting SELinux boolean is disabled: +$ getsebool httpd_builtin_scripting +If properly configured, the output should show the following: +httpd_builtin_scripting --> off + Is it the case that httpd_builtin_scripting is not disabled? - - To verify that packages comprising the available updates will be automatically installed by dnf-automatic, run the following command: -$ sudo grep apply_updates /etc/dnf/automatic.conf -The output should return the following: -apply_updates = yes - Is it the case that apply_updates is not set to yes? + + Verify that yum verifies the signature of packages from a repository prior to install with the following command: + +$ grep gpgcheck /etc/yum.conf + +gpgcheck=1 + +If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. + Is it the case that there is no process to validate certificates that is approved by the organization? - - + + Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . -Run the following command to determine the current status of the -nftables service: -$ sudo systemctl is-active nftables -If the service is running, it should return the following: active - Is it the case that the "nftables" service is disabled, masked, or not started.? + +Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: +$ grep retry /etc/security/pwquality.conf + Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing? 
- - + + To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: -Run the following command to determine the current status of the -cron service: -$ sudo systemctl is-active cron -If the service is running, it should return the following: active - Is it the case that ? +$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - -Run the following command to determine if the httpd_manage_ipa SELinux boolean is disabled: -$ getsebool httpd_manage_ipa -If properly configured, the output should show the following: -httpd_manage_ipa --> off - Is it the case that httpd_manage_ipa is not disabled? + + To check the ownership of /var/log/syslog, +run the command: +$ ls -lL /var/log/syslog +If properly configured, the output should indicate the following owner: +syslog + Is it the case that /var/log/syslog does not have an owner of syslog? - - To determine if the system is configured to audit unsuccessful calls -to the chmod system call, run the following command: -$ sudo grep "chmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: - Is it the case that no line is returned? +$ grep maxrepeat /etc/security/pwquality.conf + +maxrepeat = + Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out? - - To check if compression is enabled or set correctly, run the -following command: -$ sudo grep Compression /etc/ssh/sshd_config -If configured properly, output should be no or delayed. - Is it the case that it is commented out, or is not set to no or delayed? 
+ + To check that the named service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled named +Output should indicate the named service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled named disabled + +Run the following command to verify named is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active named + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the named is masked, run the following command: +$ sudo systemctl show named | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "named" is loaded and not masked? - - To verify that remote access methods are logging to rsyslog, -run the following command: -grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.* -The output should contain auth.*, authpriv.*, and daemon.* -pointing to a log file. - Is it the case that remote access methods are not logging to rsyslog? + + +Run the following command to determine if the webadm_manage_user_files SELinux boolean is disabled: +$ getsebool webadm_manage_user_files +If properly configured, the output should show the following: +webadm_manage_user_files --> off + Is it the case that webadm_manage_user_files is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY_YAMA /boot/config.* + $ grep CONFIG_IA32_EMULATION /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? 
- - To check if the installed Operating System is 64-bit, run the following command: -$ uname -m -The output should be one of the following: x86_64, aarch64, ppc64le or s390x. -If the output is i686 or i386 the operating system is 32-bit. -Check if the installed CPU supports 64-bit operating systems by running the following command: -$ lscpu | grep "CPU op-mode" -If the output contains 64bit, the CPU supports 64-bit operating systems. - Is it the case that the installed operating sytem is 32-bit but the CPU supports operation in 64-bit? - - - - -Run the following command to determine if the mozilla_read_content SELinux boolean is disabled: -$ getsebool mozilla_read_content -If properly configured, the output should show the following: -mozilla_read_content --> off - Is it the case that mozilla_read_content is not disabled? + + The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra +0. + + Is it the case that the correct value is not returned? - - Verify all local interactive users on Red Hat Enterprise Linux 8 are assigned a home -directory upon creation with the following command: -$ grep -i create_home /etc/login.defs -CREATE_HOME yes - Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out? + + To determine how the SSH daemon's PrintLastLog option is set, run the following command: + +$ sudo grep -i PrintLastLog /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_REFCOUNT_FULL /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + Verify that the system backups user data. 
+ Is it the case that it is not? - - To ensure a login warning banner is enabled, run the following: -$ grep banner-message-enable /etc/dconf/db/gdm.d/* -If properly configured, the output should be true. -To ensure a login warning banner is locked and cannot be changed by a user, run the following: -$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. - Is it the case that it is not? + + Verify the system-wide shared library directories are group-owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; + +If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding. + Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account? - + -Run the following command to determine if the xguest_exec_content SELinux boolean is disabled: -$ getsebool xguest_exec_content +Run the following command to determine if the openvpn_run_unconfined SELinux boolean is disabled: +$ getsebool openvpn_run_unconfined If properly configured, the output should show the following: -xguest_exec_content --> off - Is it the case that xguest_exec_content is not disabled? +openvpn_run_unconfined --> off + Is it the case that openvpn_run_unconfined is not disabled? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_HARDENED_USERCOPY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit successful calls +to the unlink system call, run the following command: +$ sudo grep "unlink" /etc/audit.* +If the system is configured to audit this activity, it will return a line. 
+ + Is it the case that no line is returned? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes mce=0, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*mce=0.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*mce=0.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'mce=0' -The command should not return any output. - Is it the case that MCE tolerance is not set to zero? + + +Run the following command to determine if the use_ecryptfs_home_dirs SELinux boolean is disabled: +$ getsebool use_ecryptfs_home_dirs +If properly configured, the output should show the following: +use_ecryptfs_home_dirs --> off + Is it the case that use_ecryptfs_home_dirs is not disabled? - - To check the ownership of /boot/grub2/user.cfg, + + To check the ownership of /etc/cron.daily, run the command: -$ ls -lL /boot/grub2/user.cfg +$ ls -lL /etc/cron.daily If properly configured, the output should indicate the following owner: root - Is it the case that /boot/grub2/user.cfg does not have an owner of root? - - - - Inspect /etc/login.defs and ensure that if eihter -SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS -are set, they must have the minimum value of 5000. - Is it the case that it does not? + Is it the case that /etc/cron.daily does not have an owner of root? - - Verify that a separate file system/partition has been created for /opt with the following command: - -$ mountpoint /opt - - Is it the case that "/opt is not a mountpoint" is returned? 
+ + The document, DoDI 8500.01, establishes the policy on the use of DoD +information systems. It requires the use of a standard Notice and Consent Banner +and standard text to be included in user agreements. The banner should be set +to the following: + Is it the case that it is not display the required banner? - - -Run the following command to determine if the auditadm_exec_content SELinux boolean is enabled: -$ getsebool auditadm_exec_content -If properly configured, the output should show the following: -auditadm_exec_content --> on - Is it the case that auditadm_exec_content is not enabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECCOMP /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.forwarding -0. -The ability to forward packets is only appropriate for routers. - Is it the case that IP forwarding value is "1" and the system is not router? + + To verify the number of rounds for the password hashing algorithm is configured, run the following command: +$ sudo grep rounds /etc/pam.d/password-auth +The output should show the following match: +password sufficient pam_unix.so sha512 rounds= + Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? - - To verify that Samba clients running smbclient must use packet signing, run the following command: -$ grep signing /etc/samba/smb.conf -The output should show: -client signing = mandatory - Is it the case that it is not? 
+ + + +Run the following command to determine the current status of the +nftables service: +$ sudo systemctl is-active nftables +If the service is running, it should return the following: active + Is it the case that the "nftables" service is disabled, masked, or not started.? - - To view the root user's PATH, run the following command: -$ sudo env | grep PATH -If correctly configured, the PATH must: use vendor default settings, -have no empty entries, and have no entries beginning with a character -other than a slash (/). - Is it the case that any of these conditions are not met? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules +The output has to be exactly as follows: +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access + Is it the case that the file does not exist or the content differs? - + -Run the following command to determine if the cobbler_anon_write SELinux boolean is disabled: -$ getsebool cobbler_anon_write +Run the following command to determine if the httpd_execmem SELinux boolean is disabled: +$ getsebool httpd_execmem If properly configured, the output should show the following: -cobbler_anon_write --> off - Is it the case that cobbler_anon_write is not disabled? 
+httpd_execmem --> off + Is it the case that httpd_execmem is not disabled? - - To check the permissions of /etc/cron.allow, -run the command: -$ ls -l /etc/cron.allow -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/cron.allow does not have unix mode -rw-------? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes pti=on, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'pti=on' +The command should not return any output. + Is it the case that Kernel page-table isolation is not enabled? - + -Run the following command to determine if the cluster_use_execmem SELinux boolean is disabled: -$ getsebool cluster_use_execmem -If properly configured, the output should show the following: -cluster_use_execmem --> off - Is it the case that cluster_use_execmem is not disabled? + +Run the following command to determine the current status of the +sshd service: +$ sudo systemctl is-active sshd +If the service is running, it should return the following: active + Is it the case that sshd service is disabled? - - To check if the system motd banner is compliant, -run the following command: -$ cat /etc/motd - Is it the case that it does not display the required banner? 
+ + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules +The output has to be exactly as follows: +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification + Is it the case that the file does not exist or the content differs? 
- + -Run the following command to determine if the nis_enabled SELinux boolean is disabled: -$ getsebool nis_enabled +Run the following command to determine if the httpd_can_network_connect_db SELinux boolean is disabled: +$ getsebool httpd_can_network_connect_db If properly configured, the output should show the following: -nis_enabled --> off - Is it the case that nis_enabled is not disabled? +httpd_can_network_connect_db --> off + Is it the case that httpd_can_network_connect_db is not disabled? - - To ensure that wireless network notification is disabled, run the following command: -$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available -If properly configured, the output should be true. -To ensure that users cannot enable wireless notification, run the following: -$ grep wireless-networks-available /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/nm-applet/suppress-wireless-networks-available - Is it the case that wireless network notification is enabled and not disabled? + + To check the group ownership of /usr/bin/sudo, +run the command: +$ ls -lL /usr/bin/sudo +If properly configured, the output should indicate the following group-owner: + + Is it the case that /usr/bin/sudo does not have a group owner of <sub idref="var_sudo_dedicated_group" />? + + + + The runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.drop_gratuitous_arp +1. + + Is it the case that the correct value is not returned? 
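Review bot: Several added question blocks in this hunk render an empty value where a profile variable should have been substituted, while the matching "Is it the case that" sentence still carries the raw element, so the two halves of one check disagree: `password sufficient pam_unix.so sha512 rounds=` beside `rounds is not set to <sub idref="var_password_pam_unix_rounds" />`, `limit the "pwquality" retry option to .` beside `<sub idref="var_password_pam_retry" />`, and the /usr/bin/sudo block, whose expected group-owner line is blank while the question references `var_sudo_dedicated_group`; the substitution should resolve in both places before the datastream is published. The shared-library group check is internally inconsistent: its command filters with `! -group root`, but the finding text says "not group-owned by a required system account", so a directory owned by some other system group is listed by the command yet is not a finding by the text; pick one criterion and use it in both. Wording defects in the added text that belong in the source templates rather than the rendered output: `not started.?` in the nftables question, the run-together `/etc/default/grub.Moreover,` in the pti=on check, `Verify that the system backups user data.` (backs up), `it is not display the required banner` in the DoDI 8500.01 block, and `Is it the case that it is not?` after the CGI-directory `ls -l directories` step, which names no condition to test. Finally, much of this hunk is a permutation rather than a change (the nftables service block removed near the top reappears unchanged further down); a deterministic ordering in the generator would leave only the substantive edits in the diff.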
@@ -368772,235 +369090,333 @@ The output has to be exactly as follows: Is it the case that the file does not exist or the content differs? - - To determine how the SSH daemon's X11Forwarding option is set, run the following command: + + Configure the public web server to not have a trusted relationship with +any system resources that is also not accessible to the public. Web +content is not to be shared via Microsoft shares or NFS mounts. -$ sudo grep -i X11Forwarding /etc/ssh/sshd_config +Determine whether the public web server has a two-way trust relationship +with any private asset located within the network. Private web server +resources (e.g. drives, folders, printers, etc.) will not be directly +mapped to or shared with public web servers. + Is it the case that sharing is selected for any web folder, this is a finding. -If a line indicating no is returned, then the required value is set. +If private resources (e.g. drives, partitions, folders/directories, +printers, etc.) are sharedw ith the public web server? + + + + Verify Red Hat Enterprise Linux 8 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: - Is it the case that the required value is not set? +# grep -i umask /etc/login.defs + +UMASK + Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out? - - To find world-writable directories that lack the sticky bit, run the following command: -$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null -fixtext: |- -Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. + + Verify the nodev option is configured for the /var/log mount point, + run the following command: + $ sudo mount | grep '\s/var/log\s' + . . . /var/log . . . nodev . 
. . -Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: + Is it the case that the "/var/log" file system does not have the "nodev" option set? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PAGE_POISONING /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To verify that Audit Daemon is configured to record the computer node +name in the audit events, run the following command: +$ sudo grep name_format /etc/audit/auditd.conf +The output should return the following: +name_format = + Is it the case that name_format isn't set to <sub idref="var_auditd_name_format" />? + + + + Verify that Red Hat Enterprise Linux 8 enforces password complexity rules for the root account. -$ chmod a+t [World-Writable Directory] -srg_requirement: -A sticky bit must be set on all Red Hat Enterprise Linux 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. - Is it the case that any world-writable directories are missing the sticky bit? +Check if root user is required to use complex passwords with the following command: + +$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +/etc/security/pwquality.conf:enforce_for_root + Is it the case that "enforce_for_root" is commented or missing? - - The runtime status of the net.ipv6.conf.default.autoconf kernel parameter can be queried + + Verify that the IPSec service uses the system crypto policy. + +If the ipsec service is not installed is not applicable. 
+ +Check to see if the "IPsec" service is active with the following command: + +$ systemctl status ipsec + +ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec +Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) +Active: inactive (dead) + +If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: + +$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf + +/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config + Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>? + + + + +Run the following command to determine if the cdrecord_read_content SELinux boolean is disabled: +$ getsebool cdrecord_read_content +If properly configured, the output should show the following: +cdrecord_read_content --> off + Is it the case that cdrecord_read_content is not disabled? + + + + The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.default.autoconf -0. +$ sysctl kernel.perf_event_paranoid +2. Is it the case that the correct value is not returned? - - Verify the nodev option is configured for the /var/log/audit mount point, + + Verify the nosuid option is configured for the /tmp mount point, run the following command: - $ sudo mount | grep '\s/var/log/audit\s' - . . . /var/log/audit . . . nodev . . . + $ sudo mount | grep '\s/tmp\s' + . . . /tmp . . . nosuid . . . - Is it the case that the "/var/log/audit" file system does not have the "nodev" option set? - - - - Run the following command to ensure postfix routes mail to this system: -$ grep relayhost /etc/postfix/main.cf -If properly configured, the output should show only . - Is it the case that it is not? + Is it the case that the "/tmp" file system does not have the "nosuid" option set? 
- - Run the following command to determine if the abrt-plugin-sosreport package is installed: -$ rpm -q abrt-plugin-sosreport - Is it the case that the package is installed? + + To check that the screen locks immediately when activated, run the following command: +$ gsettings get org.gnome.desktop.screensaver lock-delay +If properly configured, the output should be 'uint32 '. + Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />? - + -Run the following command to determine if the minidlna_read_generic_user_content SELinux boolean is disabled: -$ getsebool minidlna_read_generic_user_content +Run the following command to determine if the cluster_can_network_connect SELinux boolean is disabled: +$ getsebool cluster_can_network_connect If properly configured, the output should show the following: -minidlna_read_generic_user_content --> off - Is it the case that minidlna_read_generic_user_content is not disabled? +cluster_can_network_connect --> off + Is it the case that cluster_can_network_connect is not disabled? - - Verify Red Hat Enterprise Linux 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: + + +If the system is configured to prevent the loading of the tipc kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -$ sudo grep -w space_left_action /etc/audit/auditd.conf +These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword. 
-space_left_action = +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + -If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. - Is it the case that there is no evidence that real-time alerts are configured on the system? +Run the following command to determine the current status of the +usbguard service: +$ sudo systemctl is-active usbguard +If the service is running, it should return the following: active + Is it the case that the service is not enabled? - - Run the following command to determine if the cronie-anacron package is installed: -$ rpm -q cronie-anacron - Is it the case that the package is installed? + + +Run the following command to determine if the virt_sandbox_use_netlink SELinux boolean is disabled: +$ getsebool virt_sandbox_use_netlink +If properly configured, the output should show the following: +virt_sandbox_use_netlink --> off + Is it the case that virt_sandbox_use_netlink is not disabled? - - To check that the nfs-server service is disabled in system boot configuration, + + To check that the sysstat service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled nfs-server -Output should indicate the nfs-server service has either not been installed, +$ sudo systemctl is-enabled sysstat +Output should indicate the sysstat service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled nfs-server disabled +$ sudo systemctl is-enabled sysstat disabled -Run the following command to verify nfs-server is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active nfs-server +Run the following command to verify sysstat is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active sysstat If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the nfs-server is masked, run the following command: -$ sudo systemctl show nfs-server | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the sysstat is masked, run the following command: +$ sudo systemctl show sysstat | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "nfs-server" is loaded and not masked? + Is it the case that the "sysstat" is loaded and not masked? - - - -Run the following command to determine the current status of the -chronyd service: -$ sudo systemctl is-active chronyd -If the service is running, it should return the following: active - + + Run the following command to determine if the quagga package is installed: +$ rpm -q quagga + Is it the case that the package is installed? + + + + The runtime status of the vm.mmap_min_addr kernel parameter can be queried +by running the following command: +$ sysctl vm.mmap_min_addr +65536. -Run the following command to determine the current status of the -ntpd service: -$ sudo systemctl is-active ntpd -If the service is running, it should return the following: active - Is it the case that ? + Is it the case that the correct value is not returned? - - To ensure that remote access requires credentials, run the following command: -$ gsettings get org.gnome.Vino authentication-methods -If properly configured, the output should be false. 
-To ensure that users cannot disable credentials for remote access, run the following: -$ grep authentication-methods /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/Vino/authentication-methods - Is it the case that wireless network notification is enabled and not disabled? + + +Run the following command to determine if the virt_use_execmem SELinux boolean is disabled: +$ getsebool virt_use_execmem +If properly configured, the output should show the following: +virt_use_execmem --> off + Is it the case that virt_use_execmem is not disabled? - - Run the following command to determine if the gssproxy package is installed: -$ rpm -q gssproxy - Is it the case that the package is installed? + + To check the group ownership of /etc/shadow, +run the command: +$ ls -lL /etc/shadow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/shadow does not have a group owner of root? - - Verify the noexec option is configured for the /var/tmp mount point, - run the following command: - $ sudo mount | grep '\s/var/tmp\s' - . . . /var/tmp . . . noexec . . . - - Is it the case that the "/var/tmp" file system does not have the "noexec" option set? + + To check the permissions of /etc/gshadow-, +run the command: +$ ls -l /etc/gshadow- +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/gshadow- does not have unix mode ----------? - - To check that the acpid service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled acpid -Output should indicate the acpid service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled acpid disabled - -Run the following command to verify acpid is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active acpid - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the acpid is masked, run the following command: -$ sudo systemctl show acpid | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: + + +Run the following command to determine if the virt_use_samba SELinux boolean is disabled: +$ getsebool virt_use_samba +If properly configured, the output should show the following: +virt_use_samba --> off + Is it the case that virt_use_samba is not disabled? + + + + To ensure the splash screen is configured not to show user name, run the following command: +$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar +If properly configured, the output should be false. +To ensure that users cannot enable user name on the lock screen, run the following: +$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar + Is it the case that it is not set or configured properly? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -LoadState=masked + Is it the case that no line is returned? + + + + -UnitFileState=masked - Is it the case that the "acpid" is loaded and not masked? +Run the following command to determine the current status of the +systemd-journald service: +$ sudo systemctl is-active systemd-journald +If the service is running, it should return the following: active + Is it the case that the systemd-journald service is not running? 
- - Run the following command to determine if the avahi-autoipd package is installed: -$ rpm -q avahi-autoipd - Is it the case that the package is installed? + + Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf +files to ensure appropriate logging is set. In addition, run the following command: +ls -l /var/log/ +and verify that the log files are logging information + Is it the case that no logging is configured? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_ACPI_CUSTOM_METHOD /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that HBSS ACCM is installed, run the following command(s): +$ sudo ls /opt/McAfee/accm/bin/accm + Is it the case that the HBSS ACCM module is not installed? - - To verify that Linux Audit logging is enabled for the USBGuard daemon, -run the following command: -$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf -The output should be -AuditBackend=LinuxAudit - Is it the case that AuditBackend is not set to LinuxAudit? + + To check the group ownership of /etc/cron.d, +run the command: +$ ls -lL /etc/cron.d +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.d does not have a group owner of root? - - Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils - Is it the case that the policycoreutils package is not installed? + + +Run the following command to determine if the domain_fd_use SELinux boolean is enabled: +$ getsebool domain_fd_use +If properly configured, the output should show the following: +domain_fd_use --> on + Is it the case that domain_fd_use is not enabled? 
- - The runtime status of the kernel.dmesg_restrict kernel parameter can be queried -by running the following command: -$ sysctl kernel.dmesg_restrict -1. + + Verify the usrquota option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . usrquota . . . - Is it the case that the correct value is not returned? + Is it the case that the "/home" file system does not have the "usrquota" option set? - - Verify that yum verifies the signature of packages from a repository prior to install with the following command: + + Run the following command to determine if the geolite2-city package is installed: +$ rpm -q geolite2-city + Is it the case that the package is installed? + + + + To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: -$ grep gpgcheck /etc/yum.conf +$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config -gpgcheck=1 +If a line indicating no is returned, then the required value is set. -If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. - Is it the case that there is no process to validate certificates that is approved by the organization? + Is it the case that the required value is not set? - - To check the permissions of /boot/grub2/grub.cfg, run the command: -$ sudo ls -lL /boot/grub2/grub.cfg -If properly configured, the output should indicate the following -permissions: -rw------- - Is it the case that it does not? + + To check the group ownership of /etc/gshadow, +run the command: +$ ls -lL /etc/gshadow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/gshadow does not have a group owner of root? 
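Review bot: the bulk of this hunk is reordering churn rather than content change, which makes the real edits hard to review; the same check texts are removed here and re-added unchanged at other offsets in the following hunk (the chronyd "systemctl is-active" check, the httpd_can_check_spam boolean check and the GNOME Vino "authentication-methods" check all appear as both "-" and "+" lines). Consider having the publish step sort the generated questionnaire items by a stable key (the item id) so that an automated republish only shows lines whose content actually changed. Of the items that are genuinely new in this hunk, the "/etc/gshadow-" check (expected mode "----------"), the GSSAPIAuthentication check (expected line "no") and the vm.mmap_min_addr check (expected "65536") read correctly; the removed ntpd item with the empty question "Is it the case that ?" is a good deletion, but the same empty-question pattern reappears in the next hunk.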
@@ -369019,1676 +369435,1870 @@ offline_credentials_expiration = 1 Is it the case that it does not exist or is not configured properly? - - To determine if !authenticate has not been configured for sudo, run the following command: -$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that !authenticate is specified in the sudo config files? + + Run the following command to determine if the rsh-server package is installed: +$ rpm -q rsh-server + Is it the case that the package is installed? - - -Run the following command to determine if the xserver_clients_write_xshm SELinux boolean is disabled: -$ getsebool xserver_clients_write_xshm -If properly configured, the output should show the following: -xserver_clients_write_xshm --> off - Is it the case that xserver_clients_write_xshm is not disabled? + + Inspect the list of enabled firewall ports and verify they are configured correctly by running +the following command: + +$ sudo firewall-cmd --list-all + +Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. + Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured? - - To determine if the system is configured to audit unsuccessful calls -to the lsetxattr system call, run the following command: -$ sudo grep "lsetxattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the libreport-plugin-rhtsupport package is installed: +$ rpm -q libreport-plugin-rhtsupport + Is it the case that the package is installed? 
- - To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: - -$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config + + +To properly set the permissions of /etc/audit/, run the command: +$ sudo chmod 0640 /etc/audit/ -If a line indicating yes is returned, then the required value is set. +To properly set the permissions of /etc/audit/rules.d/, run the command: +$ sudo chmod 0640 /etc/audit/rules.d/ + Is it the case that ? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY_YAMA /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To determine if the system is configured to audit calls to the +create_module system call, run the following command: +$ sudo grep "create_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the required value is not set? + Is it the case that no line is returned? - - -Run the following command to determine if the wine_mmap_zero_ignore SELinux boolean is disabled: -$ getsebool wine_mmap_zero_ignore -If properly configured, the output should show the following: -wine_mmap_zero_ignore --> off - Is it the case that wine_mmap_zero_ignore is not disabled? + + To ensure only SNMPv3 or newer is used, run the following command: +$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#" +There should be no output. + Is it the case that there is output? - + Run the following command to determine the current status of the -syslog-ng service: -$ sudo systemctl is-active syslog-ng +chronyd service: +$ sudo systemctl is-active chronyd If the service is running, it should return the following: active - Is it the case that the "syslog-ng" service is disabled, masked, or not started.? 
+ Is it the case that the chronyd process is not running? - - Run the following command to determine if the abrt package is installed: -$ rpm -q abrt + + Run the following command to determine if the nfs-utils package is installed: +$ rpm -q nfs-utils Is it the case that the package is installed? - - To verify /etc/system-fips exists, run the following command: -ls -l /etc/system-fips -The output should be similar to the following: --rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips - Is it the case that /etc/system-fips does not exist? - - - - -If the system is configured to prevent the loading of the rds kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the rds kernel module via blacklist keyword. + + The runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_pinfo +0. -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r rds /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? + Is it the case that the correct value is not returned? - - -Run the following command to determine if the ftpd_connect_all_unreserved SELinux boolean is disabled: -$ getsebool ftpd_connect_all_unreserved -If properly configured, the output should show the following: -ftpd_connect_all_unreserved --> off - Is it the case that ftpd_connect_all_unreserved is not disabled? + + To check the ownership of /var/log/messages, +run the command: +$ ls -lL /var/log/messages +If properly configured, the output should indicate the following owner: +root + Is it the case that /var/log/messages does not have an owner of root? 
- - -Run the following command to determine if the httpd_dbus_avahi SELinux boolean is disabled: -$ getsebool httpd_dbus_avahi -If properly configured, the output should show the following: -httpd_dbus_avahi --> off - Is it the case that httpd_dbus_avahi is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_COMPAT_VDSO /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the abrt_upload_watch_anon_write SELinux boolean is disabled: -$ getsebool abrt_upload_watch_anon_write +Run the following command to determine if the polipo_use_nfs SELinux boolean is disabled: +$ getsebool polipo_use_nfs If properly configured, the output should show the following: -abrt_upload_watch_anon_write --> off - Is it the case that abrt_upload_watch_anon_write is not disabled? +polipo_use_nfs --> off + Is it the case that polipo_use_nfs is not disabled? - - -Run the following command to determine if the httpd_can_check_spam SELinux boolean is disabled: -$ getsebool httpd_can_check_spam -If properly configured, the output should show the following: -httpd_can_check_spam --> off - Is it the case that httpd_can_check_spam is not disabled? + + Run the following command to ensure postfix accepts mail messages from only the local system: +$ grep inet_interfaces /etc/postfix/main.cf +If properly configured, the output should show only . + Is it the case that it does not? - - To verify that execution of the command is being audited, run the following command: -$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/* -The output should return something similar to: --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged - Is it the case that ? 
+ + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +$ sudo grep "lsetxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Run the following command to determine if the sendmail package is installed: -$ rpm -q sendmail - Is it the case that the package is installed? + + The runtime status of the net.ipv6.conf.all.autoconf kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.autoconf +0. + + Is it the case that the correct value is not returned? - + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SLAB_MERGE_DEFAULT /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_KEY /boot/config.* + + For each kernel installed, a line with value "" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + To determine if the system is configured to audit successful calls +to the chmod system call, run the following command: +$ sudo grep "chmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + -Run the following command to determine if the unprivuser_use_svirt SELinux boolean is disabled: -$ getsebool unprivuser_use_svirt +Run the following command to determine if the unconfined_chrome_sandbox_transition SELinux boolean is enabled: +$ getsebool unconfined_chrome_sandbox_transition If properly configured, the output should show the following: -unprivuser_use_svirt --> off - Is it the case that unprivuser_use_svirt is not disabled? +unconfined_chrome_sandbox_transition --> on + Is it the case that unconfined_chrome_sandbox_transition is not enabled? - - Verify the audit system prevents unauthorized changes with the following command: - -$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 --e 2 + + To ensure that remote access requires credentials, run the following command: +$ gsettings get org.gnome.Vino authentication-methods +If properly configured, the output should be false. +To ensure that users cannot disable credentials for remote access, run the following: +$ grep authentication-methods /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/Vino/authentication-methods + Is it the case that wireless network notification is enabled and not disabled? + + + + Verify that Promiscuous mode of an interface is disabled, run the following command: +$ ip link | grep PROMISC + Is it the case that any network device is in promiscuous mode? + + + + - Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? +Run the following command to determine the current status of the +fapolicyd service: +$ sudo systemctl is-active fapolicyd +If the service is running, it should return the following: active + Is it the case that the service is not enabled? 
- - Verify the system commands contained in the following directories are owned by "root" with the following command: + + Run the following command to verify that SSH client is configured to use 32 bytes of entropy: +grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh +It should return the following output: +setenv SSH_USE_STRONG_RNG 32. + Is it the case that SSH client is not configured to use 32 bytes of entropy or more? + + + + Verify Red Hat Enterprise Linux 8 security patches and updates are installed and up to date. +Updates are required to be applied with a frequency determined by organizational policy. -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; - Is it the case that any system commands are found to not be owned by root? + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. +It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. + + +Check that the available package security updates have been installed on the system with the following command: + +$ sudo yum history list | more + +Loaded plugins: langpacks, product-id, subscription-manager +ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- +70 | install aide | 2020-03-05 10:58 | Install | 1 +69 | update -y | 2020-03-04 14:34 | Update | 18 EE +68 | install vlc | 2020-02-21 17:12 | Install | 21 +67 | update -y | 2020-02-21 17:04 | Update | 7 EE + + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + Is it the case that Red Hat Enterprise Linux 8 is in non-compliance with the organizational patching policy? - - If network services are using the xinetd service, this is not applicable. 
+ + Inspect /etc/default/grub for any instances of +systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. +Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates +that interactive boot is enabled at boot time and verify that +GRUB_DISABLE_RECOVERY=true to disable recovery boot. + Is it the case that Interactive boot is enabled at boot time? + + + + +Run the following command to determine if the httpd_can_connect_mythtv SELinux boolean is disabled: +$ getsebool httpd_can_connect_mythtv +If properly configured, the output should show the following: +httpd_can_connect_mythtv --> off + Is it the case that httpd_can_connect_mythtv is not disabled? + + + + Verify the nodev option is configured for the /dev/shm mount point, + run the following command: + $ sudo mount | grep '\s/dev/shm\s' + . . . /dev/shm . . . nodev . . . -To check that the xinetd service is disabled in system boot configuration, + Is it the case that the "/dev/shm" file system does not have the "nodev" option set? + + + + +Run the following command to determine if the httpd_can_check_spam SELinux boolean is disabled: +$ getsebool httpd_can_check_spam +If properly configured, the output should show the following: +httpd_can_check_spam --> off + Is it the case that httpd_can_check_spam is not disabled? + + + + To check that the saslauthd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled xinetd -Output should indicate the xinetd service has either not been installed, +$ sudo systemctl is-enabled saslauthd +Output should indicate the saslauthd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled xinetd disabled +$ sudo systemctl is-enabled saslauthd disabled -Run the following command to verify xinetd is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active xinetd +Run the following command to verify saslauthd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active saslauthd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the xinetd is masked, run the following command: -$ sudo systemctl show xinetd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the saslauthd is masked, run the following command: +$ sudo systemctl show saslauthd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "xinetd" is loaded and not masked? + Is it the case that the "saslauthd" is loaded and not masked? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SCHED_STACK_END_CHECK /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + + +Run the following command to determine the current status of the +rngd service: +$ sudo systemctl is-active rngd +If the service is running, it should return the following: active + Is it the case that the "rngd" service is disabled, masked, or not started.? - - -Run the following command to determine if the mailman_use_fusefs SELinux boolean is disabled: -$ getsebool mailman_use_fusefs -If properly configured, the output should show the following: -mailman_use_fusefs --> off - Is it the case that mailman_use_fusefs is not disabled? + + To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command: +$ grep sha512 /etc/aide.conf +Verify that the sha512 option is added to the correct ruleset. 
+ Is it the case that the sha512 option is missing or not added to the correct ruleset? - - To ensure root may not directly login to the system over physical consoles, -run the following command: -cat /etc/securetty -If any output is returned, this is a finding. - Is it the case that the /etc/securetty file is not empty? + + To determine if the system is configured to audit calls to the +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To find world-writable files, run the following command: -$ sudo find / -xdev -type f -perm -002 - Is it the case that there is output? + + The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.log_martians +1. + + Is it the case that the correct value is not returned? - - Inspect each <Directory> instance and verify that either -FollowSymLinks does not exist, or -Options SymLinksIfOwnerMatchDisable is configured properly. - Is it the case that it is not? + + To verify the local initialization files of all local interactive users are group- +owned by the appropriate user, inspect the primary group of the respective +users in /etc/passwd and verify all initialization files under the +respective users home directory. Check the group owner of all local interactive users +initialization files. + Is it the case that they are not? - - To check the group ownership of /boot/efi/EFI/redhat/grub.cfg, -run the command: -$ ls -lL /boot/efi/EFI/redhat/grub.cfg -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have a group owner of root? 
+ + The runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_rtr_pref +0. + + Is it the case that the correct value is not returned? - - To ensure the MaxAuthTries parameter is set, run the following command: -$ sudo grep MaxAuthTries /etc/ssh/sshd_config -If properly configured, output should be: -MaxAuthTries - Is it the case that it is commented out or not configured properly? + + +Run the following command to determine if the xdm_write_home SELinux boolean is disabled: +$ getsebool xdm_write_home +If properly configured, the output should show the following: +xdm_write_home --> off + Is it the case that xdm_write_home is not disabled? - + -Run the following command to determine if the exim_manage_user_files SELinux boolean is disabled: -$ getsebool exim_manage_user_files +Run the following command to determine if the tor_can_network_relay SELinux boolean is disabled: +$ getsebool tor_can_network_relay If properly configured, the output should show the following: -exim_manage_user_files --> off - Is it the case that exim_manage_user_files is not disabled? +tor_can_network_relay --> off + Is it the case that tor_can_network_relay is not disabled? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules -The output has to be exactly as follows: -## Unsuccessful file access (any other opens) This has to go last. 
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access - Is it the case that the file does not exist or the content differs? + + +Run the following command to determine if the httpd_setrlimit SELinux boolean is disabled: +$ getsebool httpd_setrlimit +If properly configured, the output should show the following: +httpd_setrlimit --> off + Is it the case that httpd_setrlimit is not disabled? - - To check the permissions of /etc/motd, -run the command: -$ ls -l /etc/motd -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/motd does not have unix mode -rw-r--r--? + + +Run the following command to determine if the virt_use_sanlock SELinux boolean is disabled: +$ getsebool virt_use_sanlock +If properly configured, the output should show the following: +virt_use_sanlock --> off + Is it the case that virt_use_sanlock is not disabled? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "reboot" command with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: -$ sudo auditctl -l | grep reboot +$ sudo auditctl -l | grep mount --a always,exit -F path=/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the samba_enable_home_dirs SELinux boolean is disabled: -$ getsebool samba_enable_home_dirs -If properly configured, the output should show the following: -samba_enable_home_dirs --> off - Is it the case that samba_enable_home_dirs is not disabled? + + Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite + Is it the case that the package is not installed? - - To check if UsePrivilegeSeparation is enabled or set correctly, run the -following command: -$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config -If configured properly, output should be . - Is it the case that it is commented out or is not enabled? + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size. + +Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size with the following command: + +$ sudo grep max_log_file_action /etc/audit/auditd.conf + +max_log_file_action = + Is it the case that the value of the "max_log_file_action" option is not "ROTATE", "SINGLE", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action? 
- - To verify the LDAP client backend demands a valid certificate from the server in -remote LDAP access sessions, run the following command: -$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf + + To verify if CustomLog is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i customlog /etc/httpd/conf/httpd.conf The output should return the following: -ldap_tls_reqcert = demand - Is it the case that the TLS reqcert is not set to demand? - - - - To find SUID files, run the following command: -$ sudo find / -xdev -type f -perm -4000 - Is it the case that only authorized files appear in the output of the find command? +CustomLog "logs/access_log" combined + Is it the case that it is not? - - To determine if the system is configured to audit changes to its SELinux -configuration files, run the following command: -$ sudo auditctl -l | grep "dir=/usr/share/selinux" -If the system is configured to watch for changes to its SELinux -configuration, a line should be returned (including -perm=wa indicating permissions that are watched). - Is it the case that the system is not configured to audit attempts to change the MAC policy? + + To verify that McAfee Endpoint Security for Linux is +running, run the following command: +$ sudo ps -ef | grep -i mfetpd + Is it the case that virus scanning software is not running? - - To verify all files and directories in interactive user home directory are -group-owned by a group the user is a member of, run the -following command: -$ sudo ls -lLR /home/USER - Is it the case that the group ownership is incorrect? + + The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.accept_redirects +0. + + Is it the case that the correct value is not returned? 
- - -If the system is configured to prevent the loading of the iwlmvm kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + Verify the TFTP daemon is configured to operate in secure mode. -These lines can also instruct the module loading system to ignore the iwlmvm kernel module via blacklist keyword. +Check if a TFTP server is installed with the following command: -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r iwlmvm /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? - - - - The following command will discover and print world-writable directories that -are not owned by a system account, given the assumption that only system -accounts have a uid lower than 500. Run it once for each local partition PART: -$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print - Is it the case that there is output? +$ rpm -qa | grep tftp + + +If a TFTP server is not installed, this is Not Applicable. + + +If a TFTP server is installed, verify TFTP is configured by with +the -s option by running the following command: + +grep "server_args" /etc/xinetd.d/tftp +server_args = -s + Is it the case that '"server_args" line does not have a "-s" option, and a subdirectory is not assigned'? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + To check if RekeyLimit is set correctly, run the following command: +$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf +If configured properly, output should be +/etc/ssh/ssh_config.d/02-rekey-limit.conf: +RekeyLimit +Check also the main configuration file with the following command: +$ sudo grep RekeyLimit /etc/ssh/ssh_config +The command should not return any output. + Is it the case that it is commented out or is not set? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: +$ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg +If properly configured, the output should indicate the following +permissions: -rwx------ + Is it the case that it does not? - - To ensure that remote access connections are encrypted, run the following command: -$ gsettings get org.gnome.Vino require-encrpytion + + To ensure that wireless network notification is disabled, run the following command: +$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available If properly configured, the output should be true. -To ensure that users cannot disable encrypted remote connections, run the following: -$ grep require-encryption /etc/dconf/db/local.d/locks/* +To ensure that users cannot enable wireless notification, run the following: +$ grep wireless-networks-available /etc/dconf/db/local.d/locks/* If properly configured, the output should be -/org/gnome/Vino/require-encryption - Is it the case that remote access connections are not encrypted? +/org/gnome/nm-applet/suppress-wireless-networks-available + Is it the case that wireless network notification is enabled and not disabled? 
- - The ypbind package can be removed with the following command: $ sudo yum erase ypbind - Is it the case that ? + + To verify insecure file locking has been disabled, run the following command: +$ grep insecure_locks /etc/exports + Is it the case that there is output? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + + The following command will discover and print world-writable directories that +are not group owned by a system account, given the assumption that only system +accounts have a gid lower than 1000. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print + Is it the case that there is output? + + + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the openat system call with O_CREAT flag. -$ sudo auditctl -l | grep userhelper +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper +$ sudo grep -r openat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep openat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a 
line, or the line is commented out? - + + Run the following command to determine if the libreport-plugin-logger package is installed: +$ rpm -q libreport-plugin-logger + Is it the case that the package is installed? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling automount-open +If properly configured, the output for automount-openshould be false. +To ensure that users cannot enable automount opening in GNOME3, run the following: +$ grep 'automount-open' /etc/dconf/db/local.d/locks/* +If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open + Is it the case that GNOME automounting is not disabled? + + + -Run the following command to determine if the cobbler_can_network_connect SELinux boolean is disabled: -$ getsebool cobbler_can_network_connect +Run the following command to determine if the virt_sandbox_use_audit SELinux boolean is enabled: +$ getsebool virt_sandbox_use_audit If properly configured, the output should show the following: -cobbler_can_network_connect --> off - Is it the case that cobbler_can_network_connect is not disabled? +virt_sandbox_use_audit --> on + Is it the case that virt_sandbox_use_audit is not enabled? - - Verify that rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below. + + To verify that SSSD is configured to run as user sssd, run the following command: +$ sudo grep -r '\buser\b' /etc/sssd +If configured properly, output should similar to /etc/sssd/conf.d/ospp.conf:user = sssd. +Sanity of SSSD configuration in general can be checked using $ sudo sssctl config-check + Is it the case that it does not exist or is not configured properly? 
+ + + + +To check that the rlogin service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig rlogin --list +Output should indicate the rlogin service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig rlogin --list - If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". - If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. +Note: This output shows SysV services only and does not include native +systemd services. SysV configuration data might be overridden by native +systemd configuration. - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +If you want to list systemd services use 'systemctl list-unit-files'. +To see services enabled on particular target use +'systemctl list-dependencies [target]'. 
- If the system is 64 bit then also add the following lines: +rlogin off - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - Is it the case that the rules are in a different order? +To check that the rlogin socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled rlogin +Output should indicate the rlogin socket has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rlogindisabled + +Run the following command to verify rlogin is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rlogin + +If the socket is not running the command will return the following output: +inactive + +The socket will also be masked, to check that the rlogin is masked, run the following command: +$ sudo systemctl show rlogin | grep "LoadState\|UnitFileState" + +If the socket is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that service and/or socket are running? 
- - To check the ownership of /var/log, -run the command: -$ ls -lL /var/log -If properly configured, the output should indicate the following owner: -root - Is it the case that /var/log does not have an owner of root? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "init" command with the following command: + +$ sudo auditctl -l | grep init + +-a always,exit -F path=/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init + Is it the case that the command does not return a line, or the line is commented out? - - To determine if the system is configured to audit calls to the -settimeofday system call, run the following command: -$ sudo grep "settimeofday" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: - Is it the case that no line is returned? +$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? - + + To check that the rhsmcertd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rhsmcertd +Output should indicate the rhsmcertd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rhsmcertd disabled + +Run the following command to verify rhsmcertd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active rhsmcertd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rhsmcertd is masked, run the following command: +$ sudo systemctl show rhsmcertd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "rhsmcertd" is loaded and not masked? + + + + To determine how the SSH daemon's Banner option is set, run the following command: + +$ sudo grep -i Banner /etc/ssh/sshd_config + +If a line indicating /etc/issue is returned, then the required value is set. + + Is it the case that the required value is not set? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_RANDOMIZE_BASE /boot/config.* + $ grep CONFIG_BINFMT_MISC /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. Is it the case that the kernel was not built with the required value? - + + Check whether the maximum time period for existing passwords is restricted to days with the following commands: + +$ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow + +$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow + Is it the case that any results are returned that are not associated with a system account? + + + -Run the following command to determine if the abrt_anon_write SELinux boolean is disabled: -$ getsebool abrt_anon_write +Run the following command to determine if the sge_use_nfs SELinux boolean is disabled: +$ getsebool sge_use_nfs If properly configured, the output should show the following: -abrt_anon_write --> off - Is it the case that abrt_anon_write is not disabled? 
+sge_use_nfs --> off + Is it the case that sge_use_nfs is not disabled? - - To check the system for the existence of any .netrc files, -run the following command: -$ sudo find /home -xdev -name .netrc - Is it the case that any .netrc files exist? + + Verify the nodev option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . nodev . . . + + Is it the case that the "/home" file system does not have the "nodev" option set? - - To check the ownership of /etc/cron.allow, -run the command: -$ ls -lL /etc/cron.allow -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.allow does not have an owner of root? + + +If the system is configured to prevent the loading of the dccp kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + +These lines can also instruct the module loading system to ignore the dccp kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To check the ownership of /boot/efi/EFI/redhat/user.cfg, + + Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. + +Check if "SELinux" is active and in "" mode with the following command: + +$ sudo getenforce + + Is it the case that SELINUX is not set to enforcing? + + + + To check the permissions of /etc/ssh/*.pub, run the command: -$ ls -lL /boot/efi/EFI/redhat/user.cfg -If properly configured, the output should indicate the following owner: -root - Is it the case that /boot/efi/EFI/redhat/user.cfg does not have an owner of root? 
+$ ls -l /etc/ssh/*.pub +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_POISONING /boot/config.* + $ grep CONFIG_FORTIFY_SOURCE /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Verify that Red Hat Enterprise Linux 8 set the days of warning before a password expires to - or more for users with a -password: - -$ sudo awk -F: '$6 || $6 == "" {print $1}' /etc/shadow - Is it the case that any results are returned that are not associated with a system account? - - - - -Run the following command to determine if the xdm_exec_bootloader SELinux boolean is disabled: -$ getsebool xdm_exec_bootloader -If properly configured, the output should show the following: -xdm_exec_bootloader --> off - Is it the case that xdm_exec_bootloader is not disabled? - - - - The runtime status of the kernel.randomize_va_space kernel parameter can be queried -by running the following command: -$ sysctl kernel.randomize_va_space -2. + + Verify the nosuid option is configured for the /var/log/audit mount point, + run the following command: + $ sudo mount | grep '\s/var/log/audit\s' + . . . /var/log/audit . . . nosuid . . . - Is it the case that the correct value is not returned? + Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config.* + $ grep CONFIG_REFCOUNT_FULL /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Only FIPS ciphers should be used. 
To verify that only FIPS-approved -ciphers are in use, run the following command: -$ sudo grep Ciphers /etc/ssh/sshd_config -The output should contain only those ciphers which are FIPS-approved. - Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? - - - + -Run the following command to determine if the condor_tcp_network_connect SELinux boolean is disabled: -$ getsebool condor_tcp_network_connect +Run the following command to determine if the nfsd_anon_write SELinux boolean is disabled: +$ getsebool nfsd_anon_write If properly configured, the output should show the following: -condor_tcp_network_connect --> off - Is it the case that condor_tcp_network_connect is not disabled? +nfsd_anon_write --> off + Is it the case that nfsd_anon_write is not disabled? - - To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command: + + To verify that USB Human Interface Devices and hubs will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +The output lines should include +allow with-interface match-all { 03:*:* 09:00:* } + Is it the case that USB devices of class 3 and 9:00 are not authorized? + + + + +To check that the systemd-journal-remote.socket socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled systemd-journal-remote.socket +Output should indicate the systemd-journal-remote.socket socket has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled systemd-journal-remote.socketdisabled -$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config +Run the following command to verify systemd-journal-remote.socket is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active systemd-journal-remote.socket -If a line indicating no is returned, then the required value is set. +If the socket is not running the command will return the following output: +inactive - Is it the case that the required value is not set? - - - - Run the following command to determine if the samba package is installed: -$ rpm -q samba - Is it the case that the package is installed? - - - - To determine if the system is configured to audit successful calls -to the open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit.* -If the system is configured to audit this activity, it will return a line. +The socket will also be masked, to check that the systemd-journal-remote.socket is masked, run the following command: +$ sudo systemctl show systemd-journal-remote.socket | grep "LoadState\|UnitFileState" - Is it the case that no line is returned? +If the socket is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the systemd-journal-remote socket is not masked? - - To determine if the system is configured to audit successful calls -to the setxattr system call, run the following command: -$ sudo grep "setxattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the noexec option is configured for the /var/tmp mount point, + run the following command: + $ sudo mount | grep '\s/var/tmp\s' + . . . /var/tmp . . . noexec . . . - Is it the case that no line is returned? + Is it the case that the "/var/tmp" file system does not have the "noexec" option set? 
- - To check the permissions of /etc/audit/rules.d/*.rules, -run the command: -$ ls -l /etc/audit/rules.d/*.rules -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-r-----? + + Inspect /etc/login.defs and ensure that if eihter +SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS +are set, they must have the minimum value of 5000. + Is it the case that it does not? - - To determine if the system is configured to audit unsuccessful calls -to the fchownat system call, run the following command: -$ sudo grep "fchownat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine how the SSH daemon's PermitRootLogin option is set, run the following command: - Is it the case that no line is returned? +$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config + +If a line indicating prohibit-password is returned, then the required value is set. + Is it the case that it is commented out or not configured properly? - - To determine if the system is configured to audit unsuccessful calls -to the chown system call, run the following command: -$ sudo grep "chown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the logrotate package is installed: $ rpm -q logrotate + Is it the case that the package is not installed? - - Verify the nodev option is configured for the /var/tmp mount point, - run the following command: - $ sudo mount | grep '\s/var/tmp\s' - . . . /var/tmp . . . nodev . . . - - Is it the case that the "/var/tmp" file system does not have the "nodev" option set? 
+ + To check the group ownership of /etc/crontab, +run the command: +$ ls -lL /etc/crontab +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/crontab does not have a group owner of root? - - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: - -$ grep lock-command /etc/tmux.conf - -set -g lock-command vlock + + To verify if the OpenSSH server uses defined Crypto Policy, run: +$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1 +and verify that the line matches +CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256' + Is it the case that Crypto Policy for OpenSSH Server is not configured according to CC requirements? + + + + Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. -Then, verify that the /etc/tmux.conf file can be read by other users than root: +Check the octal permission of each audit tool by running the following command: -$ sudo ls -al /etc/tmux.conf - Is it the case that the "lock-command" is not set in the global settings to call "vlock"? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + Is it the case that any of these files have more permissive permissions than 0755? - - To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, -run the following command: -$ sudo pwck -qr -There should be no output. - Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group? 
+ + Run the following command to determine if the sendmail package is installed: +$ rpm -q sendmail + Is it the case that the package is installed? - + -Run the following command to determine if the httpd_can_network_connect SELinux boolean is disabled: -$ getsebool httpd_can_network_connect +Run the following command to determine if the httpd_can_connect_ldap SELinux boolean is disabled: +$ getsebool httpd_can_connect_ldap If properly configured, the output should show the following: -httpd_can_network_connect --> off - Is it the case that httpd_can_network_connect is not disabled? - - - - To verify that the Dracut FIPS module is enabled, run the following command: -grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf -The output should look like this: -add_dracutmodules+=" fips " - Is it the case that the Dracut FIPS module is not enabled? +httpd_can_connect_ldap --> off + Is it the case that httpd_can_connect_ldap is not disabled? - - Run the following command to determine if the policycoreutils-python-utils package is installed: $ rpm -q policycoreutils-python-utils - Is it the case that the package is not installed? + + To verify that the audit system collects unauthorized file accesses, run the following commands: +$ sudo grep EACCES /etc/audit/audit.rules +$ sudo grep EPERM /etc/audit/audit.rules + Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM? - - -Run the following command to determine if the xguest_mount_media SELinux boolean is disabled: -$ getsebool xguest_mount_media -If properly configured, the output should show the following: -xguest_mount_media --> off - Is it the case that xguest_mount_media is not disabled? + + To check if UsePrivilegeSeparation is enabled or set correctly, run the +following command: +$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config +If configured properly, output should be . 
+ Is it the case that it is commented out or is not enabled? - - To verify that USB hubs will be authorized by the USBGuard daemon, -run the following command: -$ sudo grep allow /etc/usbguard/rules.conf -One of the output lines should be -allow with-interface match-all { 09:00:* } - Is it the case that USB devices of class 9 are not authorized? + + Verify that a separate file system/partition has been created for /tmp with the following command: + +$ mountpoint /tmp + + Is it the case that "/tmp is not a mountpoint" is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STRICT_MODULE_RWX /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that Samba clients running smbclient must use packet signing, run the following command: +$ grep signing /etc/samba/smb.conf +The output should show: +client signing = mandatory + Is it the case that it is not? - - To verify that null passwords cannot be used, run the following command: -$ sudo awk -F: '!$2 {print $1}' /etc/shadow -If this produces any output, it may be possible to log into accounts -with empty passwords. - Is it the case that Blank or NULL passwords can be used? + + The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_redirects +0. + + Is it the case that the correct value is not returned? - + -Run the following command to determine if the boinc_execmem SELinux boolean is disabled: -$ getsebool boinc_execmem +Run the following command to determine if the mcelog_client SELinux boolean is disabled: +$ getsebool mcelog_client If properly configured, the output should show the following: -boinc_execmem --> off - Is it the case that boinc_execmem is not disabled? 
+mcelog_client --> off + Is it the case that mcelog_client is not disabled? - - To verify the number of rounds for the password hashing algorithm is configured, run the following command: -$ sudo grep rounds /etc/pam.d/password-auth -The output should show the following match: -password sufficient pam_unix.so sha512 rounds= - Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? + + +Run the following command to determine if the cluster_use_execmem SELinux boolean is disabled: +$ getsebool cluster_use_execmem +If properly configured, the output should show the following: +cluster_use_execmem --> off + Is it the case that cluster_use_execmem is not disabled? - - To verify that binaries cannot be directly executed from removable media, run the following command: -$ grep -v noexec /etc/fstab -The resulting output will show partitions which do not have the noexec flag. Verify all partitions -in the output are not removable media. - Is it the case that removable media partitions are present? - - - - To determine if the system is configured to audit successful calls -to the fchownat system call, run the following command: -$ sudo grep "fchownat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify that Red Hat Enterprise Linux 8 set the days of warning before a password expires to + or more for users with a +password: - Is it the case that no line is returned? +$ sudo awk -F: '$6 || $6 == "" {print $1}' /etc/shadow + Is it the case that any results are returned that are not associated with a system account? - - Run the following command to determine if the freeradius package is installed: $ rpm -q freeradius - Is it the case that the package is installed? 
+ + +Run the following command to determine if the httpd_mod_auth_pam SELinux boolean is disabled: +$ getsebool httpd_mod_auth_pam +If properly configured, the output should show the following: +httpd_mod_auth_pam --> off + Is it the case that httpd_mod_auth_pam is not disabled? - - Run the following command to determine if the nfs-utils package is installed: -$ rpm -q nfs-utils + + Run the following command to determine if the krb5-workstation package is installed: +$ rpm -q krb5-workstation Is it the case that the package is installed? - - Inspect /etc/audit/audisp-remote.conf and locate the following line to -determine if the system is configured to either send to syslog, switch to single user mode, -or halt when the disk is full: -$ sudo grep -i disk_full_action /etc/audit/audisp-remote.conf -The output should return something similar to: -disk_full_action = single -Acceptable values also include syslog and halt. - Is it the case that the system is not configured to switch to single user mode for corrective action? + + To verify if password complexities are only enforce on local users, run the following command: +$ grep local_users_only /etc/security/pwquality.conf +The output should return local_users_only uncommented. + Is it the case that local_users_only is not uncommented or configured correctly? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + + To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command: -$ sudo auditctl -l | grep chcon +$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - Is it the case that the command does not return a line, or the line is commented out? +If a line indicating no is returned, then the required value is set. + Is it the case that The AllowTcpForwarding option exists and is disabled? 
- - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -$ sudo grep "chmod" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To check which SSH protocol version is allowed, check version of +openssh-server with following command: +$ rpm -qi openssh-server | grep Version +Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. +If version is lower than 7.4, run the following command to check configuration: +To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: - Is it the case that no line is returned? - - - - Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. +$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config -Check the octal permission of each audit tool by running the following command: +If a line indicating no is returned, then the required value is set. -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules - Is it the case that any of these files have more permissive permissions than 0755? + Is it the case that the required value is not set? - - To check the group ownership of /etc/gshadow-, -run the command: -$ ls -lL /etc/gshadow- -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/gshadow- does not have a group owner of root? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "restorecon" command with the following command: + +$ sudo auditctl -l | grep restorecon + +-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-restorecon + Is it the case that the command does not return a line, or the line is commented out? 
- - To verify the openldap-servers package is not installed, run the -following command: -$ rpm -q openldap-servers -The output should show the following: -package openldap-servers is not installed - Is it the case that it does not? + + To check that page poisoning is enabled at boot time, check all boot entries with following command: +sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. + Is it the case that page allocator poisoning is not enabled? - + -Run the following command to determine if the tmpreaper_use_nfs SELinux boolean is disabled: -$ getsebool tmpreaper_use_nfs +Run the following command to determine if the cluster_manage_all_files SELinux boolean is disabled: +$ getsebool cluster_manage_all_files If properly configured, the output should show the following: -tmpreaper_use_nfs --> off - Is it the case that tmpreaper_use_nfs is not disabled? +cluster_manage_all_files --> off + Is it the case that cluster_manage_all_files is not disabled? - - To determine that AIDE is verifying ACLs, run the following command: -$ grep acl /etc/aide.conf -Verify that the acl option is added to the correct ruleset. - Is it the case that the acl option is missing or not added to the correct ruleset? + + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin +/usr/local/sbin +To find system executables directories that are group-writable or +world-writable, run the following command for each directory DIR +which contains system executables: +$ sudo find -L DIR -perm /022 -type d + Is it the case that any of these files are group-writable or world-writable? 
- - -Run the following command to determine if the irssi_use_full_network SELinux boolean is disabled: -$ getsebool irssi_use_full_network -If properly configured, the output should show the following: -irssi_use_full_network --> off - Is it the case that irssi_use_full_network is not disabled? + + Verify that authselect is enabled by running +authselect current +If authselect is enabled on the system, the output should show the ID of the profile which is currently in use. + Is it the case that authselect is not used to manage user authentication setup on the system? - - To determine if the system is configured to audit successful calls -to the chmod system call, run the following command: -$ sudo grep "chmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To find the location of the AIDE database file, run the following command: +$ sudo ls -l DBDIR/database_file_name + Is it the case that there is no database file? - + -Run the following command to determine if the smartmon_3ware SELinux boolean is disabled: -$ getsebool smartmon_3ware +Run the following command to determine if the tmpreaper_use_samba SELinux boolean is disabled: +$ getsebool tmpreaper_use_samba If properly configured, the output should show the following: -smartmon_3ware --> off - Is it the case that smartmon_3ware is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_HIBERNATION /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? +tmpreaper_use_samba --> off + Is it the case that tmpreaper_use_samba is not disabled? 
- - The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_redirects -0. + + Verify that Red Hat Enterprise Linux 8 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: - Is it the case that the correct value is not returned? - - - - To determine if the system is configured to audit calls to the -fchownat system call, run the following command: -$ sudo grep "fchownat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. +$ sudo grep admin_space_left_action /etc/audit/auditd.conf - Is it the case that no line is returned? - - - - -To properly set the owner of /var/log/httpd, run the command: -$ sudo chown root /var/log/httpd +admin_space_left_action = single -To properly set the owner of /var/log/httpd/*, run the command: -$ sudo chown root /var/log/httpd/* - Is it the case that ? +If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. + Is it the case that there is no evidence that real-time alerts are configured on the system? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PANIC_ON_OOPS /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check the permissions of /etc/cron.daily, +run the command: +$ ls -l /etc/cron.daily +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.daily does not have unix mode -rwx------? 
- - Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot. -Run the following command: - -$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub - Is it the case that GRUB_DISABLE_RECOVERY is not set to true or is missing? + + +Run the following command to determine if the ssh_chroot_rw_homedirs SELinux boolean is disabled: +$ getsebool ssh_chroot_rw_homedirs +If properly configured, the output should show the following: +ssh_chroot_rw_homedirs --> off + Is it the case that ssh_chroot_rw_homedirs is not disabled? - - Run the following command to determine if the avahi package is installed: -$ rpm -q avahi + + Run the following command to determine if the xinetd package is installed: +$ rpm -q xinetd Is it the case that the package is installed? - - To check that audit is enabled at boot time, check all boot entries with following command: -sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that doesn't enable audit. - Is it the case that auditing is not enabled at boot time? - - - - Verify Red Hat Enterprise Linux 8 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command: -$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf -server [ntp.server.name] iburst maxpoll . - Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing? - - - - -Run the following command to determine if the samba_create_home_dirs SELinux boolean is disabled: -$ getsebool samba_create_home_dirs -If properly configured, the output should show the following: -samba_create_home_dirs --> off - Is it the case that samba_create_home_dirs is not disabled? + + The runtime status of the fs.suid_dumpable kernel parameter can be queried +by running the following command: +$ sysctl fs.suid_dumpable +0. 
+ + Is it the case that the correct value is not returned? - - Verify the audit system is configured to take an appropriate action when the internal event queue is full: -$ sudo grep -i overflow_action /etc/audit/auditd.conf - -The output should contain overflow_action = syslog - -If the value of the "overflow_action" option is not set to syslog, -single, halt or the line is commented out, ask the System Administrator -to indicate how the audit logs are off-loaded to a different system or media. - Is it the case that auditd overflow action is not set correctly? + + To verify that only security updates will be automatically installed by dnf-automatic, run the following command: +$ sudo grep upgrade_type /etc/dnf/automatic.conf +The output should return the following: +upgrade_type = security + Is it the case that the upgrade_type is not set to security? - - Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: - -$ sudo grep "umask" /etc/bashrc - -umask - Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? + + To verify that McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) +are installed, run the following command(s): +$ rpm -q MFEcma +$ rpm -q MFErt + Is it the case that the HBSS HIPS module is not installed? - - -If the system is configured to prevent the loading of the dccp kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + Inspect the password section of /etc/pam.d/system-auth +and ensure that the pam_unix.so module is configured to use the argument +sha512: -These lines can also instruct the module loading system to ignore the dccp kernel module via blacklist keyword. 
+$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? - - - - Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf -and /etc/zipl.conf: -find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap -No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated. - Is it the case that the bootmap is outdated? +password sufficient pam_unix.so sha512 + Is it the case that "sha512" is missing, or is commented out? - + -Run the following command to determine if the haproxy_connect_any SELinux boolean is disabled: -$ getsebool haproxy_connect_any +Run the following command to determine if the zarafa_setrlimit SELinux boolean is disabled: +$ getsebool zarafa_setrlimit If properly configured, the output should show the following: -haproxy_connect_any --> off - Is it the case that haproxy_connect_any is not disabled? +zarafa_setrlimit --> off + Is it the case that zarafa_setrlimit is not disabled? - - -Run the following command to determine if the awstats_purge_apache_log_files SELinux boolean is disabled: -$ getsebool awstats_purge_apache_log_files -If properly configured, the output should show the following: -awstats_purge_apache_log_files --> off - Is it the case that awstats_purge_apache_log_files is not disabled? + + To ensure the gdm package group is removed, run the following command: +$ rpm -qi gdm +The output should be: +package gdm is not installed + Is it the case that gdm has not been removed? 
- - To check if pam_pwquality.so is enabled in password-auth, run the following command: -$ grep pam_pwquality /etc/pam.d/password-auth -The output should be similar to the following: -password requisite pam_pwquality.so - Is it the case that pam_pwquality.so is not enabled in password-auth? + + To ensure the GUI does not allow user administratrion capabilities to all users, +run the following command: +$ gsettings get org.gnome.desktop.lockdown user-administration-disabled +If properly configured, the output should be true. +To ensure that users cannot enable user administration, run the following: +$ grep user-administration /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/desktop/lockdown/user-administration-disabled + Is it the case that user administration is not configured or disabled? - + To determine if the system is configured to audit successful calls -to the renameat system call, run the following command: -$ sudo grep "renameat" /etc/audit.* +to the open system call, run the following command: +$ sudo grep "open" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to determine if the libreport-plugin-rhtsupport package is installed: -$ rpm -q libreport-plugin-rhtsupport - Is it the case that the package is installed? - - - - Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog - Is it the case that the package is not installed? - - - - Run the following command to determine open ports: -# ss -6tuln -Run the following command to determine firewall rules: -# ip6tables -L INPUT -v -n -For each port identified in the audit which does not have a firewall -rule, add rule for accepting or denying inbound connections -# ip6tables -A INPUT -p \ --dport \ -m state --state NEW -j ACCEPT - Is it the case that open ports are denied connection? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PROC_KCORE /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - To check the permissions of /etc/ssh/sshd_config, + + To check the permissions of /boot/efi/EFI/redhat/user.cfg, run the command: -$ ls -l /etc/ssh/sshd_config +$ ls -l /boot/efi/EFI/redhat/user.cfg If properly configured, the output should indicate the following permissions: -rw------- - Is it the case that /etc/ssh/sshd_config does not have unix mode -rw-------? + Is it the case that /boot/efi/EFI/redhat/user.cfg does not have unix mode -rw-------? - - Verify that temporary accounts have been provisioned with an expiration date -of 72 hours. For every temporary account, run the following command to -obtain its account aging and expiration information: -$ sudo chage -l temporary_account_name -Verify each of these accounts has an expiration date set within 72 hours or -as documented. - Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours? + + To check the permissions of /etc/motd, +run the command: +$ ls -l /etc/motd +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/motd does not have unix mode -rw-r--r--? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: - -$ sudo auditctl -l | grep chage - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage - Is it the case that the command does not return a line, or the line is commented out? + + To ensure a login warning banner is enabled, run the following: +$ grep banner-message-enable /etc/dconf/db/gdm.d/* +If properly configured, the output should be true. 
+To ensure a login warning banner is locked and cannot be changed by a user, run the following: +$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. + Is it the case that it is not? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PAGE_TABLE_ISOLATION /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify the noexec option is configured for all NFS mounts, run the following command: +$ mount | grep nfs +All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is +not implemented. + Is it the case that the setting does not show? - - Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core - Is it the case that the package is not installed? + + +Run the following command to determine if the pcp_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool pcp_bind_all_unreserved_ports +If properly configured, the output should show the following: +pcp_bind_all_unreserved_ports --> off + Is it the case that pcp_bind_all_unreserved_ports is not disabled? - - To verify all files and directories contained in interactive user home -directory, excluding local initialization files, have a mode of 0750, -run the following command: -$ sudo ls -lLR /home/USER - Is it the case that home directory files or folders have incorrect permissions? + + Verify that a separate file system/partition has been created for /usr with the following command: + +$ mountpoint /usr + + Is it the case that "/usr is not a mountpoint" is returned? - - The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.accept_source_route -0. 
- - Is it the case that the correct value is not returned? + + # grep "^OPTIONS.*-u" /etc/sysconfig/chronyd | grep -v -e '-u\s*chrony\b' +returns no output + Is it the case that chronyd is not running under chrony user account? - + -Run the following command to determine if the httpd_run_stickshift SELinux boolean is disabled: -$ getsebool httpd_run_stickshift +Run the following command to determine if the mock_enable_homedirs SELinux boolean is disabled: +$ getsebool mock_enable_homedirs If properly configured, the output should show the following: -httpd_run_stickshift --> off - Is it the case that httpd_run_stickshift is not disabled? +mock_enable_homedirs --> off + Is it the case that mock_enable_homedirs is not disabled? - - The runtime status of the kernel.pid_max kernel parameter can be queried -by running the following command: -$ sysctl kernel.pid_max -65536. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - Is it the case that the correct value is not returned? - - - - Run the following command to determine if the logrotate package is installed: $ rpm -q logrotate - Is it the case that the package is not installed? 
+If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_X86_VSYSCALL_EMULATION /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + Inspect each <Directory> instance and verify that either +FollowSymLinks does not exist, or +Options SymLinksIfOwnerMatchDisable is configured properly. + Is it the case that it is not? - - Run the following command to determine if the setroubleshoot-plugins package is installed: -$ rpm -q setroubleshoot-plugins - Is it the case that the package is installed? + + The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.tcp_syncookies +1. + + Is it the case that the correct value is not returned? 
- - Run the following command and verify remote server is configured properly: -# grep -E "^(server|pool)" /etc/chrony.conf - Is it the case that a remote time server is not configured? + + To check the ownership of /boot/efi/EFI/redhat/user.cfg, +run the command: +$ ls -lL /boot/efi/EFI/redhat/user.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that /boot/efi/EFI/redhat/user.cfg does not have an owner of root? - - The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_source_route -0. - - Is it the case that the correct value is not returned? + + To check the group ownership of /etc/group-, +run the command: +$ ls -lL /etc/group- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/group- does not have a group owner of root? - + -If the system is configured to prevent the loading of the cramfs kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? +Run the following command to determine if the samba_share_nfs SELinux boolean is disabled: +$ getsebool samba_share_nfs +If properly configured, the output should show the following: +samba_share_nfs --> off + Is it the case that samba_share_nfs is not disabled? 
- + +To check that the telnet service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig telnet --list +Output should indicate the telnet service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig telnet --list -Run the following command to determine the current status of the -rngd service: -$ sudo systemctl is-active rngd -If the service is running, it should return the following: active - Is it the case that the "rngd" service is disabled, masked, or not started.? - - - - Verify that Red Hat Enterprise Linux 8 contains no duplicate User IDs (UIDs) for interactive users. +Note: This output shows SysV services only and does not include native +systemd services. SysV configuration data might be overridden by native +systemd configuration. -Check that the operating system contains no duplicate UIDs for interactive users with the following command: +If you want to list systemd services use 'systemctl list-unit-files'. +To see services enabled on particular target use +'systemctl list-dependencies [target]'. -$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd - Is it the case that output is produced and the accounts listed are interactive user accounts? - - - - To check that the smb service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled smb -Output should indicate the smb service has either not been installed, +telnet off + +To check that the telnet socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled telnet +Output should indicate the telnet socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled smb disabled +$ sudo systemctl is-enabled telnetdisabled -Run the following command to verify smb is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active smb +Run the following command to verify telnet is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active telnet -If the service is not running the command will return the following output: +If the socket is not running the command will return the following output: inactive -The service will also be masked, to check that the smb is masked, run the following command: -$ sudo systemctl show smb | grep "LoadState\|UnitFileState" +The socket will also be masked, to check that the telnet is masked, run the following command: +$ sudo systemctl show telnet | grep "LoadState\|UnitFileState" -If the service is masked the command will return the following outputs: +If the socket is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "smb" is loaded and not masked? + Is it the case that service and/or socket are running? - - To ensure the system is configured to ignore the Ctrl-Alt-Del setting, -enter the following command: -$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf -The output should return: -CtrlAltDelBurstAction=none - Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? + + To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command: + +$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? - - To obtain a list of all users and the content of their shadow password field, run the command: -$ sudo readarray -t systemaccounts -Verify if all accounts are locked. - Is it the case that system accounts are not locked? 
+ + +Run the following command to determine if the auditadm_exec_content SELinux boolean is enabled: +$ getsebool auditadm_exec_content +If properly configured, the output should show the following: +auditadm_exec_content --> on + Is it the case that auditadm_exec_content is not enabled? - + -Run the following command to determine if the polipo_connect_all_unreserved SELinux boolean is disabled: -$ getsebool polipo_connect_all_unreserved +Run the following command to determine if the samba_portmapper SELinux boolean is disabled: +$ getsebool samba_portmapper If properly configured, the output should show the following: -polipo_connect_all_unreserved --> off - Is it the case that polipo_connect_all_unreserved is not disabled? +samba_portmapper --> off + Is it the case that samba_portmapper is not disabled? - - To check the group ownership of /etc/ssh/*.pub, -run the command: -$ ls -lL /etc/ssh/*.pub -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/ssh/*.pub does not have a group owner of root? + + Verify the nosuid option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . nosuid . . . + + Is it the case that the "/home" file system does not have the "nosuid" option set? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open_by_handle_at system call with O_CREAT flag. 
- -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? + + To verify all files and directories in interactive user home directory are +group-owned by a group the user is a member of, run the +following command: +$ sudo ls -lLR /home/USER + Is it the case that the group ownership is incorrect? - - To check that no password hashes are stored in -/etc/passwd, run the following command: -awk '!/\S:x|\*/ {print}' /etc/passwd -If it produces any output, then a password hash is -stored in /etc/passwd. - Is it the case that any stored hashes are found in /etc/passwd? + + To ensure logs are sent to a remote host, examine the file +/etc/rsyslog.conf. +If using UDP, a line similar to the following should be present: + *.* @ +If using TCP, a line similar to the following should be present: + *.* @@ +If using RELP, a line similar to the following should be present: + *.* :omrelp: + Is it the case that no evidence that the audit logs are being off-loaded to another system or media? 
- - To check if the system login banner is compliant, run the following command: -$ cat /etc/issue.net - Is it the case that it does not display the required banner? + + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +$ sudo grep "removexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To verify the boot loader superuser password has been set, run the following command: -$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg -The output should be similar to: -GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC -2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 -916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 -0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 - Is it the case that no password is set? + + Run the following command to determine if the iptables package is installed: $ rpm -q iptables + Is it the case that the package is not installed? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that USB Human Interface Devices will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +The output lines should include +allow with-interface match-all { 03:*:* } + Is it the case that USB devices of class 3 are not authorized? - + + To find world-writable files, run the following command: +$ sudo find / -xdev -type f -perm -002 + Is it the case that there is output? 
+ + + -Run the following command to determine if the gluster_export_all_rw SELinux boolean is disabled: -$ getsebool gluster_export_all_rw +Run the following command to determine if the xguest_connect_network SELinux boolean is disabled: +$ getsebool xguest_connect_network If properly configured, the output should show the following: -gluster_export_all_rw --> off - Is it the case that gluster_export_all_rw is not disabled? +xguest_connect_network --> off + Is it the case that xguest_connect_network is not disabled? - + + Make sure that the kernel is configured to trust the CPU RNG by following +commands. To check if the option was correctly configured at kernel compile +time, run the following command: +grep -q CONFIG_RANDOM_TRUST_CPU=y /boot/config-`uname -r` +If the command outputs: +CONFIG_RANDOM_TRUST_CPU=y, +it means that the option is compiled into the kernel. Make sure that the +option is not overridden through a boot parameter: +sudo grep 'kernelopts.*random\.trust_cpu=off.*' /boot/grub2/grubenv +The command should not return any output. If the option is not compiled into +the kernel, check that the option is configured through boot parameter. +Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes random.trust_cpu=on, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*random.trust_cpu=on.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*random.trust_cpu=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. 
+Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'random.trust_cpu=on' +The command should not return any output. + Is it the case that the kernel is not configured to trust the CPU RNG? + + + -Run the following command to determine if the httpd_run_preupgrade SELinux boolean is disabled: -$ getsebool httpd_run_preupgrade +Run the following command to determine if the git_session_users SELinux boolean is disabled: +$ getsebool git_session_users If properly configured, the output should show the following: -httpd_run_preupgrade --> off - Is it the case that httpd_run_preupgrade is not disabled? +git_session_users --> off + Is it the case that git_session_users is not disabled? - - The rsh package can be removed with the following command: $ sudo yum erase rsh - Is it the case that ? + + To determine if the users are allowed to run commands as root, run the following commands: +$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]' /etc/sudoers /etc/sudoers.d/ +and +$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)' /etc/sudoers /etc/sudoers.d/ +Both commands should return no output. + Is it the case that /etc/sudoers file contains rules that allow non-root users to run commands as root? - - Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server - Is it the case that the package is installed? + + +Run the following command to determine if the telepathy_tcp_connect_generic_network_ports SELinux boolean is disabled: +$ getsebool telepathy_tcp_connect_generic_network_ports +If properly configured, the output should show the following: +telepathy_tcp_connect_generic_network_ports --> off + Is it the case that telepathy_tcp_connect_generic_network_ports is not disabled? 
- - To verify that auditing is configured for system administrator actions, run the following command: -$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" - Is it the case that there is not output? + + Inspect the mounts configured in /etc/exports. Each mount should specify a value +greater than UID_MAX and GID_MAX as defined in /etc/login.defs. + Is it the case that anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + + If IPv6 is disabled, this is not applicable. -$ sudo auditctl -l | grep newgrp +Inspect the file /etc/sysconfig/ip6tables to determine +the default policy for the INPUT chain. It should be set to DROP: +$ sudo grep ":INPUT" /etc/sysconfig/ip6tables + Is it the case that the default policy for the INPUT chain is not set to DROP? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp +$ sudo auditctl -l | grep ssh-keysign + +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? - - To check that the sshd service is disabled in system boot configuration, + + To verify that the Dracut FIPS module is enabled, run the following command: +grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf +The output should look like this: +add_dracutmodules+=" fips " + Is it the case that the Dracut FIPS module is not enabled? 
+ + + + To determine if env_reset has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\benv_reset\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that env_reset is not enabled in sudo? + + + + To verify the assigned home directory of all interactive users is group- +owned by that users primary GID, run the following command: +# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) + Is it the case that the group ownership is incorrect? + + + + To check that the ypserv service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled sshd -Output should indicate the sshd service has either not been installed, +$ sudo systemctl is-enabled ypserv +Output should indicate the ypserv service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled sshd disabled +$ sudo systemctl is-enabled ypserv disabled -Run the following command to verify sshd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active sshd +Run the following command to verify ypserv is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active ypserv If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the sshd is masked, run the following command: -$ sudo systemctl show sshd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the ypserv is masked, run the following command: +$ sudo systemctl show ypserv | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "sshd" is loaded and not masked? 
- - - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.media-handling autorun-never -If properly configured, the output for autorun-nevershould be true. -To ensure that users cannot enable autorun in GNOME3, run the following: -$ grep 'autorun-never' /etc/dconf/db/local.d/locks/* -If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never - Is it the case that GNOME autorun is not disabled? - - - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + Is it the case that the "ypserv" is loaded and not masked? - - -Run the following command to determine if the selinuxuser_ping SELinux boolean is enabled: -$ getsebool selinuxuser_ping -If properly configured, the output should show the following: -selinuxuser_ping --> on - Is it the case that selinuxuser_ping is not enabled? + + To verify the system is not configured to use a boot loader on removable media, +check that the grub configuration file has the set root command in each menu +entry with the following commands: +$ sudo grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg +Note that the -c option for the grep command will print +only the count of menuentry occurrences. This number should match +the number of occurrences reported by the following command: +$ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg +The output should return something similar to: +set root='hd0,msdos1' +usb0, cd, fd0, etc. are some examples of removeable +media which should not exist in the lines: +set root='hd0,msdos1' + Is it the case that it is not? 
- - -Run the following command to determine if the logadm_exec_content SELinux boolean is enabled: -$ getsebool logadm_exec_content -If properly configured, the output should show the following: -logadm_exec_content --> on - Is it the case that logadm_exec_content is not enabled? + + Run the following command to determine if the policycoreutils-python-utils package is installed: $ rpm -q policycoreutils-python-utils + Is it the case that the package is not installed? - - To determine if LDAP is being used for authentication, use the following -command: -$ sudo grep -i useldapauth /etc/sysconfig/authconfig -The output should return: -USELDAPAUTH=yes - Is it the case that USELDAPAUTH=yes is not configured correctly in /etc/sysconfig/authconfig? + + To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: +$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config +and verify that the line matches: +-oMACS= + Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? - - Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. + + Verify that a separate file system/partition has been created for /var/log/audit with the following command: -Check which action Red Hat Enterprise Linux 8 takes when the audit storage volume is full with the following command: +$ mountpoint /var/log/audit -$ sudo grep max_log_file_action /etc/audit/auditd.conf -max_log_file_action = - Is it the case that the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out? + Is it the case that "/var/log/audit is not a mountpoint" is returned? - - -Run the following command to determine if the exim_can_connect_db SELinux boolean is disabled: -$ getsebool exim_can_connect_db -If properly configured, the output should show the following: -exim_can_connect_db --> off - Is it the case that exim_can_connect_db is not disabled? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SLUB_DEBUG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To check that the sysstat service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled sysstat -Output should indicate the sysstat service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled sysstat disabled - -Run the following command to verify sysstat is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active sysstat - -If the service is not running the command will return the following output: -inactive + + Storing logs with persistent storage ensures they are available after a reboot or system crash. +Run the command below to verify that logs are being persistently stored to disk. -The service will also be masked, to check that the sysstat is masked, run the following command: -$ sudo systemctl show sysstat | grep "LoadState\|UnitFileState" +grep "^\sStorage" /etc/systemd/journald.conf -If the service is masked the command will return the following outputs: +and it should return -LoadState=masked +Storage=persistent -UnitFileState=masked - Is it the case that the "sysstat" is loaded and not masked? + Is it the case that is commented out or not configured correctly? - - To determine if the system is configured to audit calls to the -rename system call, run the following command: -$ sudo grep "rename" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + To check if authentication is required for single-user mode, run the following command: +$ grep sulogin /usr/lib/systemd/system/rescue.service +The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + Is it the case that the output is different? - - - -Run the following command to determine the current status of the -ufw service: -$ sudo systemctl is-active ufw -If the service is running, it should return the following: active - Is it the case that the service is not enabled? + + Verify that core dumps are disabled for all users, run the following command: +$ grep core /etc/security/limits.conf +* hard core 0 + Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"? - - To check that the slapd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled slapd -Output should indicate the slapd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled slapd disabled - -Run the following command to verify slapd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active slapd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the slapd is masked, run the following command: -$ sudo systemctl show slapd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "slapd" is loaded and not masked? 
+ + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured correctly: +space_left SIZE_in_MB + Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? - - To check that the httpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled httpd -Output should indicate the httpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled httpd disabled + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlinkat system call. -Run the following command to verify httpd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active httpd +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -If the service is not running the command will return the following output: -inactive +$ sudo grep -r unlinkat /etc/audit/rules.d -The service will also be masked, to check that the httpd is masked, run the following command: -$ sudo systemctl show httpd | grep "LoadState\|UnitFileState" +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -If the service is masked the command will return the following outputs: +$ sudo grep unlinkat /etc/audit/audit.rules -LoadState=masked +The output should be the following: -UnitFileState=masked - Is it the case that the "httpd" is loaded and not masked? 
+-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the kerberos_enabled SELinux boolean is enabled: -$ getsebool kerberos_enabled -If properly configured, the output should show the following: -kerberos_enabled --> on - Is it the case that kerberos_enabled is not enabled? + + Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services + Is it the case that the iptables-services package is installed? - - To determine if the system is configured to audit successful calls -to the open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the operating system audits activities performed during nonlocal +maintenance and diagnostic sessions. Run the following command: +$ sudo auditctl -l | grep sudo.log +-w /var/log/sudo.log -p wa -k maintenance - Is it the case that no line is returned? + Is it the case that Audit rule is not present? - - Run the following command to determine if the tuned package is installed: -$ rpm -q tuned - Is it the case that the package is installed? + + The following command will discover and print any +files on local partitions which do not belong to a valid user. 
+$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser + +Either remove all files and directories from the system that do not have a +valid user, or assign a valid user to all unowned files and directories on +the system with the chown command: +$ sudo chown user file + Is it the case that files exist that are not owned by a valid user? - - -Run the following command to determine if the virt_read_qemu_ga_data SELinux boolean is disabled: -$ getsebool virt_read_qemu_ga_data -If properly configured, the output should show the following: -virt_read_qemu_ga_data --> off - Is it the case that virt_read_qemu_ga_data is not disabled? + + Inspect /etc/audit/audisp-remote.conf and locate the following line to +determine if the system is configured to perform a correct action according to the policy: +$ sudo grep -i network_failure_action /etc/audit/audisp-remote.conf +The output should return: +network_failure_action = + Is it the case that the system is not configured to switch to single user mode for corrective action? - - To verify that auditing of privileged command use is configured, run the -following command: -$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/* -It should return a relevant line in the audit rules. - Is it the case that the command does not return a line, or the line is commented out? + + +To properly set the owner of /etc/audit/, run the command: +$ sudo chown root /etc/audit/ + +To properly set the owner of /etc/audit/rules.d/, run the command: +$ sudo chown root /etc/audit/rules.d/ + Is it the case that ? - - To check the group ownership of /var/log/syslog, -run the command: -$ ls -lL /var/log/syslog -If properly configured, the output should indicate the following group-owner: -adm - Is it the case that /var/log/syslog does not have a group owner of adm? 
+ + To verify the operating system implements cryptography to protect the integrity of +remote ldap access sessions, run the following command: +$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf +The output should return the following with a correctly configured CA cert path: +ldap_tls_cacert /path/to/tls/ca.cert + Is it the case that the TLS CA cert is not configured? - - -Run the following command to determine if the httpd_builtin_scripting SELinux boolean is disabled: -$ getsebool httpd_builtin_scripting -If properly configured, the output should show the following: -httpd_builtin_scripting --> off - Is it the case that httpd_builtin_scripting is not disabled? + + To ensure disable and restart on the login screen are disabled, run the following command: +$ grep disable-restart-buttons /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot enable disable and restart on the login screen, run the following: +$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons + Is it the case that disable-restart-buttons has not been configured or is not disabled? - - Verify the nosuid option is configured for the /var/tmp mount point, - run the following command: - $ sudo mount | grep '\s/var/tmp\s' - . . . /var/tmp . . . nosuid . . . + + The runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_rtr_pref +0. - Is it the case that the "/var/tmp" file system does not have the "nosuid" option set? + Is it the case that the correct value is not returned? - - Run the following command to determine if the postfix package is installed: $ rpm -q postfix - Is it the case that the package is not installed? 
+ + To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: +$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config +and verify that the line matches: +-oCiphers= + Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? - - Verify the operating system is not configured to bypass password requirements for privilege -escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: -$ sudo grep pam_succeed_if /etc/pam.d/sudo - Is it the case that system is configured to bypass password requirements for privilege escalation? + + Run the following command to determine if the bind package is installed: +$ rpm -q bind + Is it the case that the package is installed? - + + Verify Red Hat Enterprise Linux 8 is configured to lock an account after +unsuccessful logon attempts with the command: + + +$ grep 'deny =' /etc/security/faillock.conf +deny = . + Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />" +or less (but not "0"), is missing or commented out? + + + + Verify the assigned home directories of all interactive users on the system exist with the following command: + +$ sudo pwck -r + +user 'mailnull': directory 'var/spool/mqueue' does not exist + +The output should not return any interactive users. + Is it the case that users home directory does not exist? + + + -Run the following command to determine if the httpd_ssi_exec SELinux boolean is disabled: -$ getsebool httpd_ssi_exec +Run the following command to determine if the samba_domain_controller SELinux boolean is disabled: +$ getsebool samba_domain_controller If properly configured, the output should show the following: -httpd_ssi_exec --> off - Is it the case that httpd_ssi_exec is not disabled? +samba_domain_controller --> off + Is it the case that samba_domain_controller is not disabled? 
- - To ensure that the GPG key is installed, run: -$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey -The command should return the string below: -gpg(Red Hat, Inc. (release key 2) <security@redhat.com> - Is it the case that the Red Hat GPG Key is not installed? + + Verify it by running the following command: +$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules + +/sbin/auditctl 755 +/sbin/aureport 755 +/sbin/ausearch 755 +/sbin/autrace 755 +/sbin/auditd 755 +/sbin/audispd 755 +/sbin/augenrules 755 + + +If the command does not return all the above lines, the missing ones +need to be added. + +Run the following command to correct the permissions of the missing +entries: +$ sudo chmod 0755 [audit_tool] + +Replace "[audit_tool]" with the audit tool that does not have the +correct permissions. + Is it the case that ? - - To check the group ownership of /etc/ssh/*_key, -run the command: -$ ls -lL /etc/ssh/*_key -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/ssh/*_key does not have a group owner of root? + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the httpd_unified SELinux boolean is disabled: -$ getsebool httpd_unified +Run the following command to determine if the samba_run_unconfined SELinux boolean is disabled: +$ getsebool samba_run_unconfined If properly configured, the output should show the following: -httpd_unified --> off - Is it the case that httpd_unified is not disabled? +samba_run_unconfined --> off + Is it the case that samba_run_unconfined is not disabled? 
- - Verify the nosuid option is configured for the /var/log/audit mount point, - run the following command: - $ sudo mount | grep '\s/var/log/audit\s' - . . . /var/log/audit . . . nosuid . . . + + The runtime status of the kernel.sysrq kernel parameter can be queried +by running the following command: +$ sysctl kernel.sysrq +0. - Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set? + Is it the case that the correct value is not returned? - + -Run the following command to determine if the ftpd_use_nfs SELinux boolean is disabled: -$ getsebool ftpd_use_nfs +Run the following command to determine if the use_fusefs_home_dirs SELinux boolean is disabled: +$ getsebool use_fusefs_home_dirs If properly configured, the output should show the following: -ftpd_use_nfs --> off - Is it the case that ftpd_use_nfs is not disabled? +use_fusefs_home_dirs --> off + Is it the case that use_fusefs_home_dirs is not disabled? - - -Run the following command to determine if the authlogin_yubikey SELinux boolean is disabled: -$ getsebool authlogin_yubikey -If properly configured, the output should show the following: -authlogin_yubikey --> off - Is it the case that authlogin_yubikey is not disabled? + + To ensure screen locking on smartcard removal is enabled, run the following command: +$ grep removal-action /etc/dconf/db/local.d/* +The output should be 'lock-screen'. +To ensure that users cannot disable screen locking on smartcard removal, run the following: +$ grep removal-action /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action + Is it the case that removal-action has not been configured? 
- - To check the ownership of /etc/passwd, + + Verify all local interactive users on Red Hat Enterprise Linux 8 are assigned a home +directory upon creation with the following command: +$ grep -i create_home /etc/login.defs +CREATE_HOME yes + Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out? + + + + To check the group ownership of /boot/efi/EFI/redhat/user.cfg, run the command: -$ ls -lL /etc/passwd -If properly configured, the output should indicate the following owner: +$ ls -lL /boot/efi/EFI/redhat/user.cfg +If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/passwd does not have an owner of root? + Is it the case that /boot/efi/EFI/redhat/user.cfg does not have a group owner of root? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules -The output has to be exactly as follows: -## Successful file access (any other opens) This has to go last. -## These next two are likely to result in a whole lot of events --a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access --a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access - Is it the case that the file does not exist or the content differs? + + The runtime status of the net.ipv6.conf.default.max_addresses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.max_addresses +1. + + Is it the case that the correct value is not returned? 
+ + + + +Run the following command to determine if the wine_mmap_zero_ignore SELinux boolean is disabled: +$ getsebool wine_mmap_zero_ignore +If properly configured, the output should show the following: +wine_mmap_zero_ignore --> off + Is it the case that wine_mmap_zero_ignore is not disabled? 
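Review bot: two of the added checks in this hunk have an empty OCIL question and carry remediation text where a verification step belongs: the /etc/audit ownership entry ("To properly set the owner of /etc/audit/, run the command: $ sudo chown root /etc/audit/ ... Is it the case that ?") and the audit-tool permissions entry ("Run the following command to correct the permissions of the missing entries: $ sudo chmod 0755 [audit_tool] ... Is it the case that ?"). A check should tell the assessor what to look at (e.g. `stat -c "%U" /etc/audit /etc/audit/rules.d` and expect `root`) and the question must name the failing condition ("Is it the case that /etc/audit/ or /etc/audit/rules.d/ is not owned by root?"); a blank question cannot be answered and will render as a dangling "Is it the case that ?" in the guide. Separately, the added journald persistence check uses `grep "^\sStorage" /etc/systemd/journald.conf`: `\s` requires one whitespace character, so a line that starts with `Storage=persistent` at column 0 (the normal form) will not match; it should be `^\s*Storage`, and its question "Is it the case that is commented out or not configured correctly?" is missing its subject ("Storage").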
@@ -370701,368 +371311,441 @@ If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? - - Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: - -$ grep minclass /etc/security/pwquality.conf - -minclass = - Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out? + + Run the following command to determine open ports: +# ss -6tuln +Run the following command to determine firewall rules: +# ip6tables -L INPUT -v -n +For each port identified in the audit which does not have a firewall +rule, add rule for accepting or denying inbound connections +# ip6tables -A INPUT -p \ --dport \ -m state --state NEW -j ACCEPT + Is it the case that open ports are denied connection? - - To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: + + Remote web authors should not be able to upload files to the Document Root +directory structure without virus checking and checking for malicious or mobile +code. + Is it the case that it is not? + + + + Verify that the system is not accepting "rsyslog" messages from other systems unless it is +documented as a log aggregation server. +Display the contents of the rsyslog configuration files: +find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \; -$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config +If any of the below lines are found, ask to see the documentation for the system being used +for log aggregation: -If a line indicating yes is returned, then the required value is set. +If using legacy syntax: +$ModLoad imtcp +$InputTCPServerRun port +$ModLoad imudp +$UDPServerRun port +$ModLoad imrelp +$InputRELPServerRun port - Is it the case that the required value is not set? 
+If using RainerScript syntax: +module(load="imtcp") +module(load="imudp") +input(type="imtcp" port="514") +input(type="imudp" port="514") + + Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system? - - To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run: -$ sudo grep -'+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' -/etc/crypto-policies/back-ends/gnutls.config and verify that a match exists. - Is it the case that cryptographic policy for gnutls is not configured or is configured incorrectly? + + +Run the following command to determine if the tmpreaper_use_nfs SELinux boolean is disabled: +$ getsebool tmpreaper_use_nfs +If properly configured, the output should show the following: +tmpreaper_use_nfs --> off + Is it the case that tmpreaper_use_nfs is not disabled? - - Run the following command to see what the timeout interval is: -$ sudo grep ClientAliveInterval /etc/ssh/sshd_config -If properly configured, the output should be: -ClientAliveInterval - Is it the case that it is commented out or not configured properly? + + +Run the following command to determine if the abrt_anon_write SELinux boolean is disabled: +$ getsebool abrt_anon_write +If properly configured, the output should show the following: +abrt_anon_write --> off + Is it the case that abrt_anon_write is not disabled? - - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -$ sudo grep "renameat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +$ sudo cat /etc/audit/rules.d/11-loginuid.rules +The output has to be exactly as follows: +## Make the loginuid immutable. This prevents tampering with the auid. 
+--loginuid-immutable + Is it the case that the file does not exist or the content differs? - - The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried + + The runtime status of the net.ipv4.conf.all.arp_filter kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.log_martians -1. +$ sysctl net.ipv4.conf.all.arp_filter +. Is it the case that the correct value is not returned? - + -Run the following command to determine if the fcron_crond SELinux boolean is disabled: -$ getsebool fcron_crond -If properly configured, the output should show the following: -fcron_crond --> off - Is it the case that fcron_crond is not disabled? +Run the following command to get the current configured value for secure_mode_insmod +SELinux boolean: +$ getsebool secure_mode_insmod +The expected cofiguration is . +"on" means true, and "off" means false + Is it the case that secure_mode_insmod is not set as expected? - - Ensure that debug-shell service is not enabled with the following command: -sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that enables the debug-shell. - Is it the case that the comand returns a line? + + To determine if the system is configured to audit successful calls +to the removexattr system call, run the following command: +$ sudo grep "removexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. 
+ + To check that the rpcsvcgssd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rpcsvcgssd +Output should indicate the rpcsvcgssd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rpcsvcgssd disabled -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +Run the following command to verify rpcsvcgssd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rpcsvcgssd -$ sudo grep -r ftruncate /etc/audit/rules.d +If the service is not running the command will return the following output: +inactive -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +The service will also be masked, to check that the rpcsvcgssd is masked, run the following command: +$ sudo systemctl show rpcsvcgssd | grep "LoadState\|UnitFileState" -$ sudo grep ftruncate /etc/audit/audit.rules +If the service is masked the command will return the following outputs: -The output should be the following: +LoadState=masked --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? +UnitFileState=masked + Is it the case that the "rpcsvcgssd" is loaded and not masked? 
- + -Run the following command to determine if the pcp_read_generic_logs SELinux boolean is disabled: -$ getsebool pcp_read_generic_logs +Run the following command to determine if the nis_enabled SELinux boolean is disabled: +$ getsebool nis_enabled If properly configured, the output should show the following: -pcp_read_generic_logs --> off - Is it the case that pcp_read_generic_logs is not disabled? +nis_enabled --> off + Is it the case that nis_enabled is not disabled? - - -Run the following command to determine if the selinuxuser_use_ssh_chroot SELinux boolean is disabled: -$ getsebool selinuxuser_use_ssh_chroot -If properly configured, the output should show the following: -selinuxuser_use_ssh_chroot --> off - Is it the case that selinuxuser_use_ssh_chroot is not disabled? + + To find SUID files, run the following command: +$ sudo find / -xdev -type f -perm -4000 + Is it the case that only authorized files appear in the output of the find command? - - The group-owner of all log files written by rsyslog should be -root. -These log files are determined by the second part of each Rule line in -/etc/rsyslog.conf and typically all appear in /var/log. -To see the group-owner of a given log file, run the following command: -$ ls -l LOGFILE - Is it the case that the group-owner is not correct? 
+ + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +The output has to be exactly as follows: +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create + Is it the case that the file does not exist or the content differs? - - To verify that FIPS mode is enabled properly, run the following command: -fips-mode-setup --check -The output should contain the following: -FIPS mode is enabled. 
-To verify that the cryptographic policy has been configured correctly, run the -following command: -$ update-crypto-policies --show -The output should return . - Is it the case that FIPS mode is not enabled? + + To ensure that remote access connections are encrypted, run the following command: +$ gsettings get org.gnome.Vino require-encrpytion +If properly configured, the output should be true. +To ensure that users cannot disable encrypted remote connections, run the following: +$ grep require-encryption /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/Vino/require-encryption + Is it the case that remote access connections are not encrypted? - - The runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra_pinfo -0. - - Is it the case that the correct value is not returned? + + Find the list of alias maps used by the Postfix mail server: +$ sudo postconf alias_maps +Query the Postfix alias maps for an alias for the postmaster user: +$ sudo postmap -q postmaster hash:/etc/aliases +The output should return root. + Is it the case that the alias is not set or is not root? - - To check the group ownership of /etc/at.allow, -run the command: -$ ls -lL /etc/at.allow -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/at.allow does not have a group owner of root? + + To verify that null passwords cannot be used, run the following command: +$ sudo awk -F: '!$2 {print $1}' /etc/shadow +If this produces any output, it may be possible to log into accounts +with empty passwords. + Is it the case that Blank or NULL passwords can be used? 
- - -Run the following command to determine if the squid_use_tproxy SELinux boolean is disabled: -$ getsebool squid_use_tproxy -If properly configured, the output should show the following: -squid_use_tproxy --> off - Is it the case that squid_use_tproxy is not disabled? + + To determine if the system is configured to audit calls to the +clock_settime system call, run the following command: +$ sudo grep "clock_settime" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the conman_can_network SELinux boolean is disabled: -$ getsebool conman_can_network +Run the following command to determine if the sanlock_use_nfs SELinux boolean is disabled: +$ getsebool sanlock_use_nfs If properly configured, the output should show the following: -conman_can_network --> off - Is it the case that conman_can_network is not disabled? - - - - Verify the nodev option is configured for the /home mount point, - run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . nodev . . . - - Is it the case that the "/home" file system does not have the "nodev" option set? +sanlock_use_nfs --> off + Is it the case that sanlock_use_nfs is not disabled? - - To check the value of the umask, run the following command: -$ grep umask /etc/init.d/functions -The output should show . - Is it the case that it does not? + + To determine if requiretty has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\brequiretty\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that requiretty is not enabled in sudo? - - Run the following command to check if the group exists: -grep /etc/group -The output should contain the following line: -:x: - Is it the case that group exists and has no user members? 
+ + +Run the following command to determine if the httpd_can_connect_ftp SELinux boolean is disabled: +$ getsebool httpd_can_connect_ftp +If properly configured, the output should show the following: +httpd_can_connect_ftp --> off + Is it the case that httpd_can_connect_ftp is not disabled? - + -Run the following command to determine if the cron_system_cronjob_use_shares SELinux boolean is disabled: -$ getsebool cron_system_cronjob_use_shares +Run the following command to determine if the xen_use_nfs SELinux boolean is disabled: +$ getsebool xen_use_nfs If properly configured, the output should show the following: -cron_system_cronjob_use_shares --> off - Is it the case that cron_system_cronjob_use_shares is not disabled? +xen_use_nfs --> off + Is it the case that xen_use_nfs is not disabled? - - Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: - -$ sudo grep -w space_left /etc/audit/auditd.conf - -space_left = % - Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value? + + To obtain a listing of all users, their UIDs, and their shells, run the command: +$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd +Identify the system accounts from this listing. These will primarily be the accounts with UID +numbers less than 1000, other than root. + Is it the case that any system account other than root has a login shell? - - Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services - Is it the case that the iptables-services package is installed? 
+ + Determine if "sudoers" file restricts sudo access run the following commands: +$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* +$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* + Is it the case that either of the commands returned a line? - - To check the group ownership of /etc/cron.hourly, -run the command: -$ ls -lL /etc/cron.hourly -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/cron.hourly does not have a group owner of root? + + To determine how the SSH daemon's UsePAM option is set, run the following command: + +$ sudo grep -i UsePAM /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules -The output has to be exactly as follows: -## Unsuccessful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change - Is it the case that the file does not exist or the content differs? 
+ + To ensure that the GUI power settings are not active, run the following command: +$ gsettings get org.gnome.settings-daemon.plugins.power active +If properly configured, the output should be false. +To ensure that users cannot enable the power settings, run the following: +$ grep power /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/settings-daemon/plugins/power/active + Is it the case that power settings are enabled and are not disabled? - + -Run the following command to determine if the mcelog_server SELinux boolean is disabled: -$ getsebool mcelog_server +Run the following command to determine if the cobbler_anon_write SELinux boolean is disabled: +$ getsebool cobbler_anon_write If properly configured, the output should show the following: -mcelog_server --> off - Is it the case that mcelog_server is not disabled? +cobbler_anon_write --> off + Is it the case that cobbler_anon_write is not disabled? - - -Run the following command to determine if the samba_run_unconfined SELinux boolean is disabled: -$ getsebool samba_run_unconfined -If properly configured, the output should show the following: -samba_run_unconfined --> off - Is it the case that samba_run_unconfined is not disabled? + + To determine if the system is configured to audit calls to the +settimeofday system call, run the following command: +$ sudo grep "settimeofday" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - -Run the following command to determine if the webadm_read_user_files SELinux boolean is disabled: -$ getsebool webadm_read_user_files -If properly configured, the output should show the following: -webadm_read_user_files --> off - Is it the case that webadm_read_user_files is not disabled? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. 
If it includes spectre_v2=on, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spectre_v2=on.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*spectre_v2=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'spectre_v2=on' +The command should not return any output. + Is it the case that spectre_v2 mitigation is not enforced? - + -Run the following command to determine if the abrt_handle_event SELinux boolean is disabled: -$ getsebool abrt_handle_event +Run the following command to determine if the httpd_sys_script_anon_write SELinux boolean is disabled: +$ getsebool httpd_sys_script_anon_write If properly configured, the output should show the following: -abrt_handle_event --> off - Is it the case that abrt_handle_event is not disabled? +httpd_sys_script_anon_write --> off + Is it the case that httpd_sys_script_anon_write is not disabled? - - -Run the following command to determine if the nagios_run_pnp4nagios SELinux boolean is disabled: -$ getsebool nagios_run_pnp4nagios -If properly configured, the output should show the following: -nagios_run_pnp4nagios --> off - Is it the case that nagios_run_pnp4nagios is not disabled? + + Run the following command to determine if the openssh-clients package is installed: $ rpm -q openssh-clients + Is it the case that the package is not installed? 
- - -Run the following command to determine if the virt_use_samba SELinux boolean is disabled: -$ getsebool virt_use_samba -If properly configured, the output should show the following: -virt_use_samba --> off - Is it the case that virt_use_samba is not disabled? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'audit=1' +The command should not return any output. + Is it the case that auditing is not enabled at boot time? - - Verify the nosuid option is configured for the /dev/shm mount point, - run the following command: - $ sudo mount | grep '\s/dev/shm\s' - . . . /dev/shm . . . nosuid . . . + + To determine if passwd_timeout has been configured for sudo, run the following command: +$ sudo grep -ri '^Defaults.*passwd_timeout=' /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that passwd_timeout is not set with the appropriate value for sudo? + + + + To determine if the system is configured to audit successful calls +to the fchmod system call, run the following command: +$ sudo grep "fchmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? + Is it the case that no line is returned? 
- - To verify that is configured -as the smart card driver, run the following command: -$ grep force_card_driver /etc/opensc.conf -The output should return something similar to: -force_card_driver = ; - Is it the case that the smart card driver is not configured correctly? + + +Run the following command to determine if the swift_can_network SELinux boolean is disabled: +$ getsebool swift_can_network +If properly configured, the output should show the following: +swift_can_network --> off + Is it the case that swift_can_network is not disabled? - - Verify Red Hat Enterprise Linux 8 prevents the use of dictionary words for passwords with the following command: - -$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:dictcheck=1 - Is it the case that "dictcheck" does not have a value other than "0", or is commented out? + + +Run the following command to determine if the zebra_write_config SELinux boolean is disabled: +$ getsebool zebra_write_config +If properly configured, the output should show the following: +zebra_write_config --> off + Is it the case that zebra_write_config is not disabled? - - Verify Red Hat Enterprise Linux 8 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: - -# grep -i umask /etc/login.defs - -UMASK - Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out? + + To check the ownership of /etc/cron.weekly, +run the command: +$ ls -lL /etc/cron.weekly +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.weekly does not have an owner of root? 
- - To ensure that the system prevents messages from being shown when three unsuccessful logon -attempts occur, run the following command: -$ grep silent /etc/security/faillock.conf -The output should show silent. - Is it the case that the system shows messages when three unsuccessful logon attempts occur? + + To verify that packages comprising the available updates will be automatically installed by dnf-automatic, run the following command: +$ sudo grep apply_updates /etc/dnf/automatic.conf +The output should return the following: +apply_updates = yes + Is it the case that apply_updates is not set to yes? - - -Run the following command to determine if the httpd_can_connect_ftp SELinux boolean is disabled: -$ getsebool httpd_can_connect_ftp -If properly configured, the output should show the following: -httpd_can_connect_ftp --> off - Is it the case that httpd_can_connect_ftp is not disabled? + + To determine if the system is configured to audit successful calls +to the fchown system call, run the following command: +$ sudo grep "fchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the logging_syslogd_can_sendmail SELinux boolean is disabled: -$ getsebool logging_syslogd_can_sendmail +Run the following command to determine if the mpd_use_nfs SELinux boolean is disabled: +$ getsebool mpd_use_nfs If properly configured, the output should show the following: -logging_syslogd_can_sendmail --> off - Is it the case that logging_syslogd_can_sendmail is not disabled? +mpd_use_nfs --> off + Is it the case that mpd_use_nfs is not disabled? - - Enter the following commands: + + The runtime status of the kernel.perf_event_max_sample_rate kernel parameter can be queried +by running the following command: +$ sysctl kernel.perf_event_max_sample_rate +1. 
-grep Action /etc/httpd/conf/httpd.conf -grep AddHandler /etc/httpd/conf/httpd.conf - Is it the case that either of these exist and they configure csh, or any other shell as a viewer for documents? + Is it the case that the correct value is not returned? - - To verify that McAfee Endpoint Security for Linux is -running, run the following command: -$ sudo ps -ef | grep -i mfetpd - Is it the case that virus scanning software is not running? + + To determine if the system is configured to audit changes to its network configuration, +run the following command: +auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' +If the system is configured to watch for network configuration changes, a line should be returned for +each file specified (and perm=wa should be indicated for each). + Is it the case that the system is not configured to audit changes of the network configuration? + + + + The runtime status of the kernel.core_pattern kernel parameter can be queried +by running the following command: +$ sysctl kernel.core_pattern +|/bin/false. + + Is it the case that the returned line does not have a value of "|/bin/false", or a line is not +returned and the need for core dumps is not documented with the Information +System Security Officer (ISSO) as an operational requirement? + + + + To verify that each web content directory has an index.html file, +run the following command: +$ sudo find `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` -name index.html +The output should return an index.html file for every +DocumentRoot that is set. + Is it the case that it is not? 
@@ -371074,1552 +371757,1572 @@ $ sudo auditctl -l | grep shutdown Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the audit package is installed: $ rpm -q audit - Is it the case that the audit package is not installed? + + To determine if the system is configured to audit unsuccessful calls +to the removexattr system call, run the following command: +$ sudo grep "removexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - -Run the following command to determine if the tor_can_network_relay SELinux boolean is disabled: -$ getsebool tor_can_network_relay -If properly configured, the output should show the following: -tor_can_network_relay --> off - Is it the case that tor_can_network_relay is not disabled? + + To determine whether yum has been configured to disable +gpgcheck for any repos, inspect all files in +/etc/yum.repos.d and ensure the following does not appear in any +sections: +gpgcheck=0 +A value of 0 indicates that gpgcheck has been disabled for that repo. + Is it the case that GPG checking is disabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: - -$ sudo auditctl -l | grep mount - --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine if the libcap-ng-utils package is installed: $ rpm -q libcap-ng-utils + Is it the case that the package is not installed? - - To determine how the SSH daemon's Banner option is set, run the following command: - -$ sudo grep -i Banner /etc/ssh/sshd_config - -If a line indicating /etc/issue is returned, then the required value is set. 
+ + To determine if the system is configured to audit calls to the +lremovexattr system call, run the following command: +$ sudo grep "lremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the required value is not set? + Is it the case that no line is returned? - - Run the following command to see if there are some keytabs -that would potentially allow the use of Kerberos by system daemons. -$ ls -la /etc/*.keytab -The expected result is -ls: cannot access '/etc/*.keytab': No such file or directory - Is it the case that a keytab file is present on the system? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To verify all accounts have unique names, run the following command: -$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d -No output should be returned. - Is it the case that a line is returned? - - - - To determine if NOPASSWD has been configured for the vdsm user for sudo, -run the following command: -$ sudo grep -ri nopasswd /etc/sudoers.d/ -The command should return output only for the vdsm user. - Is it the case that nopasswd is set for any users beyond vdsm? - - - - To check that the atd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled atd -Output should indicate the atd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled atd disabled - -Run the following command to verify atd is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active atd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the atd is masked, run the following command: -$ sudo systemctl show atd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + The runtime status of the net.ipv4.ip_local_port_range kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.ip_local_port_range +32768 65535. -UnitFileState=masked - Is it the case that the "atd" is loaded and not masked? + Is it the case that the correct value is not returned? - - Verify that a separate file system/partition has been created for /usr with the following command: + + Run the following command to check for duplicate group names: +Check that the operating system contains no duplicate group names for interactive users by running the following command: -$ mountpoint /usr + cut -d : -f 1 /etc/group | uniq -d - Is it the case that "/usr is not a mountpoint" is returned? - - - - -Run the following command to determine if the user_exec_content SELinux boolean is enabled: -$ getsebool user_exec_content -If properly configured, the output should show the following: -user_exec_content --> on - Is it the case that user_exec_content is not enabled? +If output is produced, this is a finding. +Configure the operating system to contain no duplicate names for groups. +Edit the file "/etc/group" and provide each group that has a duplicate group name with a unique group name. + Is it the case that has duplicate group names? - - Run the following command to determine if the dnf-plugin-subscription-manager package is installed: $ rpm -q dnf-plugin-subscription-manager - Is it the case that the package is not installed? 
+ + To determine if the system is configured to audit successful calls +to the setxattr system call, run the following command: +$ sudo grep "setxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - -Run the following command to determine if the virt_sandbox_use_sys_admin SELinux boolean is disabled: -$ getsebool virt_sandbox_use_sys_admin -If properly configured, the output should show the following: -virt_sandbox_use_sys_admin --> off - Is it the case that virt_sandbox_use_sys_admin is not disabled? + + To verify that CUPS printer browsing is disabled, run the following command: +$ sudo grep "Browsing\|BrowseAllow" /etc/cups/cupsd.conf +The output should return the following: +Browsing Off +BrowseAllow none + Is it the case that printer browsing is not disabled? - - To verify that rsyslog's Forwarding Output Module has CA certificate -configured for its TLS connections to remote server, run the following command: -$ grep DefaultNetstreamDriverCAFile /etc/rsyslog.conf /etc/rsyslog.d/*.conf -The output should include record similar to -global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem") -where the path to the CA file (/etc/pki/tls/cert.pem in case above) must point to the correct CA certificate. - Is it the case that CA certificate for rsyslog remote logging via TLS is not set? + + To verify the openldap-servers package is not installed, run the +following command: +$ rpm -q openldap-servers +The output should show the following: +package openldap-servers is not installed + Is it the case that it does not? 
- - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules -The output has to be exactly as follows: -## Successful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create --a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create - Is it the case that the file does not exist or the content differs? + + Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command: + +$ grep -i process /etc/systemd/coredump.conf + +ProcessSizeMax=0 + Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? - - To verify the INACTIVE setting, run the following command: -$ grep "INACTIVE" /etc/default/useradd -The output should indicate the INACTIVE configuration option is set -to an appropriate integer as shown in the example below: -$ grep "INACTIVE" /etc/default/useradd -INACTIVE= - Is it the case that the value of INACTIVE is greater than the expected value or is -1? 
+ + Run the following command to determine if the rsyslog-gnutls package is installed: +$ rpm -q rsyslog-gnutls + Is it the case that the package is installed? - - To ensure LDAP is configured to use TLS for all transactions, run the following command: -$ grep start_tls /etc/pam_ldap.conf -The result should contain: -ssl start_tls - Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? + + To check the group ownership of /etc/ssh/sshd_config, +run the command: +$ ls -lL /etc/ssh/sshd_config +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/ssh/sshd_config does not have a group owner of root? - - Run the following command to determine if the iptables package is installed: $ rpm -q iptables - Is it the case that the package is not installed? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_X86_VSYSCALL_EMULATION /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - To ensure the login screen resets after a specified number of failures, -run the following command: -$ grep allowed-failures /etc/dconf/db/gdm.d/* -The output should be 3 or less. -To ensure that users cannot change or configure the resets after a specified -number of failures on the login screen, run the following: -$ grep allowed-failures /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/allowed-failures - Is it the case that allowed-failures is not equal to or less than the expected value? + + Make sure that the kernel is not disabling SMEP with the following +commands. +grep -q nosmep /boot/config-`uname -r` +If the command returns a line, it means that SMEP is being disabled. + Is it the case that the kernel is configured to disable SMEP? 
- - For each private key stored on the system, use the following command: -$ sudo ssh-keygen -y -f /path/to/file -If the contents of the key are displayed, this is a finding. - Is it the case that no ssh private key is accessible without a passcode? + + To check the permissions of /etc/passwd-, +run the command: +$ ls -l /etc/passwd- +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/passwd- does not have unix mode -rw-r--r--? - - -Run the following command to determine if the cron_userdomain_transition SELinux boolean is enabled: -$ getsebool cron_userdomain_transition -If properly configured, the output should show the following: -cron_userdomain_transition --> on - Is it the case that cron_userdomain_transition is not enabled? + + To obtain a list of all users and the content of their shadow password field, run the command: +$ sudo readarray -t systemaccounts +Verify if all accounts are locked. + Is it the case that system accounts are not locked? - - -To check that the rlogin service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig rlogin --list -Output should indicate the rlogin service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig rlogin --list + + Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. -Note: This output shows SysV services only and does not include native -systemd services. SysV configuration data might be overridden by native -systemd configuration. +Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: -If you want to list systemd services use 'systemctl list-unit-files'. -To see services enabled on particular target use -'systemctl list-dependencies [target]'. 
+$ sudo grep disk_error_action /etc/audit/auditd.conf -rlogin off +disk_error_action = -To check that the rlogin socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled rlogin -Output should indicate the rlogin socket has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rlogindisabled +If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. + Is it the case that there is no evidence of appropriate action? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -Run the following command to verify rlogin is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rlogin +$ sudo auditctl -l | grep pam_timestamp_check -If the socket is not running the command will return the following output: -inactive +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check + Is it the case that the command does not return a line, or the line is commented out? + + + + Run the following command to determine if the httpd package is installed: +$ rpm -q httpd + Is it the case that the package is installed? + + + + Verify the noexec option is configured for the /dev/shm mount point, + run the following command: + $ sudo mount | grep '\s/dev/shm\s' + . . . /dev/shm . . . noexec . . . -The socket will also be masked, to check that the rlogin is masked, run the following command: -$ sudo systemctl show rlogin | grep "LoadState\|UnitFileState" + Is it the case that the "/dev/shm" file system does not have the "noexec" option set? 
+ + + + To verify that smart cards are enabled in SSSD, run the following command: +$ sudo grep pam_cert_auth /etc/sssd/sssd.conf +If configured properly, output should be +pam_cert_auth = True -If the socket is masked the command will return the following outputs: -LoadState=masked +To verify that smart cards are enabled in PAM files, run the following command: +$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth +If configured properly, output should be -UnitFileState=masked - Is it the case that service and/or socket are running? +/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name +/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth + + Is it the case that smart cards are not enabled in SSSD? - - -Run the following command to determine if the httpd_verify_dns SELinux boolean is disabled: -$ getsebool httpd_verify_dns -If properly configured, the output should show the following: -httpd_verify_dns --> off - Is it the case that httpd_verify_dns is not disabled? + + Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot. +Run the following command: + +$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub + Is it the case that GRUB_DISABLE_RECOVERY is not set to true or is missing? - - -Run the following command to determine if the authlogin_nsswitch_use_ldap SELinux boolean is disabled: -$ getsebool authlogin_nsswitch_use_ldap -If properly configured, the output should show the following: -authlogin_nsswitch_use_ldap --> off - Is it the case that authlogin_nsswitch_use_ldap is not disabled? + + Run the following command to see if there are some keytabs +that would potentially allow the use of Kerberos by system daemons. 
+$ ls -la /etc/*.keytab +The expected result is +ls: cannot access '/etc/*.keytab': No such file or directory + Is it the case that a keytab file is present on the system? - - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine whether sudo command includes configuration files from the appropriate directory, +run the following command: +$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d +If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. +Any other line returned is a finding. + Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?? + + + + The runtime status of the kernel.kptr_restrict kernel parameter can be queried +by running the following command: +$ sysctl kernel.kptr_restrict +The output of the command should indicate either: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 +The output of the command should not indicate: +kernel.kptr_restrict = 0 - Is it the case that no line is returned? +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d +The command should not find any assignments other than: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 + +Conflicting assignments are not allowed. + Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? 
- + -Run the following command to determine if the xend_run_blktap SELinux boolean is enabled: -$ getsebool xend_run_blktap +Run the following command to determine if the tftp_home_dir SELinux boolean is disabled: +$ getsebool tftp_home_dir If properly configured, the output should show the following: -xend_run_blktap --> on - Is it the case that xend_run_blktap is not enabled? +tftp_home_dir --> off + Is it the case that tftp_home_dir is not disabled? - - Run the following command to determine if the xinetd package is installed: -$ rpm -q xinetd - Is it the case that the package is installed? + + To determine if the system is configured to audit changes to its SELinux +configuration files, run the following command: +$ sudo auditctl -l | grep "dir=/usr/share/selinux" +If the system is configured to watch for changes to its SELinux +configuration, a line should be returned (including +perm=wa indicating permissions that are watched). + Is it the case that the system is not configured to audit attempts to change the MAC policy? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. + + Storing logs remotely protects the integrity of the data from local attacks. +Run the following command to verify that journald is forwarding logs to a remote host. -Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: +grep "^\sForwardToSyslog" /etc/systemd/journald.conf -$ sudo grep disk_error_action /etc/audit/auditd.conf +and it should return -disk_error_action = HALT +ForwardToSyslog=yes -If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. - Is it the case that there is no evidence of appropriate action? 
- - - - To verify that Audit Daemon is configured to record the computer node -name in the audit events, run the following command: -$ sudo grep name_format /etc/audit/auditd.conf -The output should return the following: -name_format = - Is it the case that name_format isn't set to <sub idref="var_auditd_name_format" />? + Is it the case that is commented out or not configured correctly? - - Run the following command to determine if the vim-enhanced package is installed: $ rpm -q vim-enhanced - Is it the case that the package is not installed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + +$ sudo auditctl -l | grep setfiles + +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the rsync_anon_write SELinux boolean is disabled: -$ getsebool rsync_anon_write -If properly configured, the output should show the following: -rsync_anon_write --> off - Is it the case that rsync_anon_write is not disabled? + + To verify .netrc file in interactive user home directory is +not group or world accessible", run the following command: +$ sudo ls -lLR /home/USER/.netrc + Is it the case that the group and world permissions are incorrect? - - The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.forwarding -0. -The ability to forward packets is only appropriate for routers. - Is it the case that IP forwarding value is "1" and the system is not router? 
+ + To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command: +grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf +The output should return the following: + +[xdmcp] +Enable=false + + Is it the case that the Enable is not set to false or is missing in the xdmcp section of the /etc/gdm/custom.conf gdm configuration file? - - To determine if the system is configured to audit calls to the -mount system call, run the following command: -$ sudo grep "mount" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To check that the oddjobd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled oddjobd +Output should indicate the oddjobd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled oddjobd disabled - Is it the case that no line is returned? +Run the following command to verify oddjobd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active oddjobd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the oddjobd is masked, run the following command: +$ sudo systemctl show oddjobd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "oddjobd" is loaded and not masked? - + -Run the following command to determine if the ftpd_use_passive_mode SELinux boolean is disabled: -$ getsebool ftpd_use_passive_mode +Run the following command to determine if the selinuxuser_execstack SELinux boolean is disabled: +$ getsebool selinuxuser_execstack If properly configured, the output should show the following: -ftpd_use_passive_mode --> off - Is it the case that ftpd_use_passive_mode is not disabled? 
+selinuxuser_execstack --> off + Is it the case that selinuxuser_execstack is not disabled? - - To verify that the installed operating system is supported, run -the following command: + + Verify users are provided with feedback on when account accesses last occurred with the following command: -$ grep -i "red hat" /etc/redhat-release +$ sudo grep pam_lastlog /etc/pam.d/postlogin -Red Hat Enterprise Linux 8 - Is it the case that the installed operating system is not supported? +session [default=1] pam_lastlog.so showfailed + Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file? - - -Run the following command to determine if the kdumpgui_run_bootloader SELinux boolean is disabled: -$ getsebool kdumpgui_run_bootloader -If properly configured, the output should show the following: -kdumpgui_run_bootloader --> off - Is it the case that kdumpgui_run_bootloader is not disabled? + + The existence of the file /etc/hosts.equiv or a file named +.rhosts inside a user home directory indicates the presence +of an Rsh trust relationship. + Is it the case that these files exist? - - Run the following command to determine if the McAfeeTP package is installed: $ rpm -q McAfeeTP - Is it the case that the package is not installed? + + +Run the following command to get the current configured value for deny_execmem +SELinux boolean: +$ getsebool deny_execmem +The expected cofiguration is . +"on" means true, and "off" means false + Is it the case that deny_execmem is not set as expected? - - -Run the following command to determine if the secure_mode_policyload SELinux boolean is disabled: -$ getsebool secure_mode_policyload -If properly configured, the output should show the following: -secure_mode_policyload --> off - Is it the case that secure_mode_policyload is not disabled? 
+ + To determine if use_pty has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that use_pty is not enabled in sudo? - - -Run the following command to determine if the samba_domain_controller SELinux boolean is disabled: -$ getsebool samba_domain_controller -If properly configured, the output should show the following: -samba_domain_controller --> off - Is it the case that samba_domain_controller is not disabled? + + The runtime status of the net.ipv4.conf.all.route_localnet kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.route_localnet +0. + + Is it the case that the correct value is not returned? - - -Run the following command to determine if the squid_connect_any SELinux boolean is disabled: -$ getsebool squid_connect_any -If properly configured, the output should show the following: -squid_connect_any --> off - Is it the case that squid_connect_any is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SLAB_FREELIST_HARDENED /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the fips_mode SELinux boolean is enabled: -$ getsebool fips_mode +Run the following command to determine if the selinuxuser_mysql_connect_enabled SELinux boolean is disabled: +$ getsebool selinuxuser_mysql_connect_enabled If properly configured, the output should show the following: -fips_mode --> on - Is it the case that fips_mode is not enabled? - - - - To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. 
- - Is it the case that no line is returned? +selinuxuser_mysql_connect_enabled --> off + Is it the case that selinuxuser_mysql_connect_enabled is not disabled? - - Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: - -$ grep maxrepeat /etc/security/pwquality.conf - -maxrepeat = - Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out? + + The group-owner of all log files written by rsyslog should be +root. +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +To see the group-owner of a given log file, run the following command: +$ ls -l LOGFILE + Is it the case that the group-owner is not correct? - - The runtime status of the net.ipv4.conf.all.shared_media kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.shared_media -0. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the cvs_read_shadow SELinux boolean is disabled: +$ getsebool cvs_read_shadow +If properly configured, the output should show the following: +cvs_read_shadow --> off + Is it the case that cvs_read_shadow is not disabled? - - To check the ownership of /etc/cron.hourly, -run the command: -$ ls -lL /etc/cron.hourly -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.hourly does not have an owner of root? + + To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run: +$ sudo grep +'+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' +/etc/crypto-policies/back-ends/gnutls.config and verify that a match exists. + Is it the case that cryptographic policy for gnutls is not configured or is configured incorrectly? 
- - To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation -uses a SP800-90A compliant entropy source, -make sure that the /etc/profile.d/openssl-rand.sh file contents exactly match those -that are included in the rule's description. - Is it the case that there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_ACPI_CUSTOM_METHOD /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Configure the public web server to not have a trusted relationship with -any system resources that is also not accessible to the public. Web -content is not to be shared via Microsoft shares or NFS mounts. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. -Determine whether the public web server has a two-way trust relationship -with any private asset located within the network. Private web server -resources (e.g. drives, folders, printers, etc.) will not be directly -mapped to or shared with public web servers. - Is it the case that sharing is selected for any web folder, this is a finding. +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -If private resources (e.g. drives, partitions, folders/directories, -printers, etc.) are sharedw ith the public web server? - - - - Run the following command to determine if the python3-abrt-addon package is installed: -$ rpm -q python3-abrt-addon - Is it the case that the package is installed? 
- - - - To verify that rsyslog's Forwarding Output Module is configured -to use TLS for logging to remote server, run the following command: -$ grep omfwd /etc/rsyslog.conf /etc/rsyslog.d/*.conf -The output should include record similar to -action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" - StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on") +$ sudo grep -r openat /etc/audit/rules.d -where the <remote system> present in the configuration line above must be a valid IP address or a host name of the remote logging server. - Is it the case that omfwd is not configured with gtls and AuthMode? +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep openat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - To check the group ownership of /etc/shadow-, + + To check the permissions of /etc/group, run the command: -$ ls -lL /etc/shadow- -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/shadow- does not have a group owner of root? +$ ls -l /etc/group +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/group does not have unix mode -rw-r--r--? 
- - To determine if the system is configured to audit successful calls -to the unlinkat system call, run the following command: -$ sudo grep "unlinkat" /etc/audit.* + + To determine if the system is configured to audit unsuccessful calls +to the fsetxattr system call, run the following command: +$ sudo grep "fsetxattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server - Is it the case that the package is not installed? - - - - To verify that McAfee VirusScan Enterprise for Linux is installed -and running, run the following command(s): -$ sudo systemctl status nails -$ rpm -q McAfeeVSEForLinux - Is it the case that virus scanning software is not installed or running? - - - - -Run the following command to determine if the openvpn_enable_homedirs SELinux boolean is disabled: -$ getsebool openvpn_enable_homedirs -If properly configured, the output should show the following: -openvpn_enable_homedirs --> off - Is it the case that openvpn_enable_homedirs is not disabled? + + Run the following command to determine if the setroubleshoot-plugins package is installed: +$ rpm -q setroubleshoot-plugins + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 limits the number of concurrent sessions to -"" for all -accounts and/or account types with the following command: -$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf -/etc/security/limits.conf:* hard maxlogins 10 -This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. 
- Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater -than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and -is not documented with the Information System Security Officer (ISSO) as an -operational requirement for all domains that have the "maxlogins" item -assigned'? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_HARDENED_USERCOPY /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To ensure the default password is not set, run the following command: -$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' -There should be no output. - Is it the case that the default SNMP passwords public and private have not been changed or removed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + +$ sudo auditctl -l | grep setfacl + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + Is it the case that the command does not return a line, or the line is commented out? - - To verify the boot loader superuser account has been set, run the following -command: -sudo grep -A1 "superusers" /boot/grub2/grub.cfg -The output should show the following: -set superusers="superusers-account" -export superusers -where superusers-account is the actual account name different from common names like root, -admin, or administrator and different from any other existing user name. - Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name? 
+ + +Run the following command to determine if the httpd_run_ipa SELinux boolean is disabled: +$ getsebool httpd_run_ipa +If properly configured, the output should show the following: +httpd_run_ipa --> off + Is it the case that httpd_run_ipa is not disabled? - - To verify that Audit Daemon is configured to write logs to the disk, run the -following command: -$ sudo grep write_logs /etc/audit/auditd.conf -The output should return the following: -write_logs = yes - Is it the case that write_logs isn't set to yes? + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling autorun-never +If properly configured, the output for autorun-nevershould be true. +To ensure that users cannot enable autorun in GNOME3, run the following: +$ grep 'autorun-never' /etc/dconf/db/local.d/locks/* +If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never + Is it the case that GNOME autorun is not disabled? - - To ensure that users cannot change session idle and lock settings, run the following: -$ grep 'idle-delay' /etc/dconf/db/local.d/locks/* -If properly configured, the output should return: -/org/gnome/desktop/session/idle-delay - Is it the case that idle-delay is not locked? + + Run the following command to determine if the pigz package is installed: +$ rpm -q pigz + Is it the case that the package is installed? - - Run the following command to check for duplicate group names: -Check that the operating system contains no duplicate group names for interactive users by running the following command: - - cut -d : -f 3 /etc/group | uniq -d - -If output is produced, this is a finding. -Configure the operating system to contain no duplicate names for groups. -Edit the file "/etc/group" and provide each group that has a duplicate group id with a unique group id. - Is it the case that the system has duplicate group ids? 
+ + To verify the number of rounds for the password hashing algorithm is configured, run the following command: +$ sudo grep rounds /etc/pam.d/system-auth +The output should show the following match: +password sufficient pam_unix.so sha512 rounds= + Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? - - The runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra_defrtr -0. + + Query the SA and the Web Manager to determine if a compiler is present on +the server. + Is it the case that the web server is part of an application suite and a comiler is needed +for installation, patching, and upgrading of the suite or if the compiler +is embedded and can't be removed without breaking the suite, document the +installation of the compiler with the ISSO/ISSM and verify that the compiler +is restricted to administrative users only. If documented and restricted to +administrative users, this is not a finding. - Is it the case that the correct value is not returned? +If an undocumented compiler is present, and available to non-administrative +users? - + -Run the following command to determine if the selinuxuser_postgresql_connect_enabled SELinux boolean is disabled: -$ getsebool selinuxuser_postgresql_connect_enabled +Run the following command to determine if the git_system_enable_homedirs SELinux boolean is disabled: +$ getsebool git_system_enable_homedirs If properly configured, the output should show the following: -selinuxuser_postgresql_connect_enabled --> off - Is it the case that selinuxuser_postgresql_connect_enabled is not disabled? +git_system_enable_homedirs --> off + Is it the case that git_system_enable_homedirs is not disabled? 
- - Run the following command to check for duplicate group names: -Check that the operating system contains no duplicate group names for interactive users by running the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: - cut -d : -f 1 /etc/group | uniq -d +$ sudo auditctl -l | grep /var/log/lastlog -If output is produced, this is a finding. -Configure the operating system to contain no duplicate names for groups. -Edit the file "/etc/group" and provide each group that has a duplicate group name with a unique group name. - Is it the case that has duplicate group names? - - - - To verify that the interface(s) follow site policy for zone assignment run the -following command: -$ sudo nmcli -t connection show | awk -F: '{if($4){print $4}}' | while read INT; -do firewall-cmd --get-active-zones | grep -B1 $INT; done -If your have to assign an interface to the appropriate zone run the following command: -$ sudo firewall-cmd --zone= --change-interface= - Is it the case that Your system accepts all incoming packets for unnecessary services and ports? +-w /var/log/lastlog -p wa -k logins + Is it the case that the command does not return a line, or the line is commented out? - - To determine if the system is configured to audit changes to its SELinux -configuration files, run the following command: -$ sudo auditctl -l | grep "dir=/etc/selinux" -If the system is configured to watch for changes to its SELinux -configuration, a line should be returned (including -perm=wa indicating permissions that are watched). - Is it the case that the system is not configured to audit attempts to change the MAC policy? + + Verify that a separate file system/partition has been created for /var/log with the following command: + +$ mountpoint /var/log + + Is it the case that "/var/log is not a mountpoint" is returned? 
- - To check that page poisoning is enabled at boot time, check all boot entries with following command: -sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. - Is it the case that page allocator poisoning is not enabled? + + Run the following command to determine if the cups package is installed: +$ rpm -q cups + Is it the case that the package is installed? - - To check if RekeyLimit is set correctly, run the -following command: - -$ sudo grep RekeyLimit /etc/ssh/sshd_config - -If configured properly, output should be -RekeyLimit - Is it the case that it is commented out or is not set? + + To verify that Samba clients using mount.cifs must use packet signing, run the following command: +$ grep sec /etc/fstab +The output should show either krb5i or ntlmv2i in use. + Is it the case that it does not? - - Inspect the mounts configured in /etc/exports. Each mount should specify a value -greater than UID_MAX and GID_MAX as defined in /etc/login.defs. - Is it the case that anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)? + + Run the following command to see what the max sessions number is: +$ sudo grep MaxSessions /etc/ssh/sshd_config +If properly configured, the output should be: +MaxSessions + Is it the case that MaxSessions is not configured or not configured correctly? - - To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open system call with O_CREAT flag. -$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -If a line indicating no is returned, then the required value is set. 
+$ sudo grep -r open /etc/audit/rules.d - Is it the case that the required value is not set? - - - - -Run the following command to determine if the ksmtuned_use_nfs SELinux boolean is disabled: -$ getsebool ksmtuned_use_nfs -If properly configured, the output should show the following: -ksmtuned_use_nfs --> off - Is it the case that ksmtuned_use_nfs is not disabled? - - - - -Run the following command to determine if the xguest_connect_network SELinux boolean is disabled: -$ getsebool xguest_connect_network -If properly configured, the output should show the following: -xguest_connect_network --> off - Is it the case that xguest_connect_network is not disabled? - - - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo grep open /etc/audit/audit.rules --w /etc/security/opasswd -p wa -k identity +The output should be the following: + +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a line, or the line is commented out? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_RETPOLINE /boot/config.* + $ grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config.* For each kernel installed, a line with value "y" should be returned. 
Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the webadm_manage_user_files SELinux boolean is disabled: -$ getsebool webadm_manage_user_files -If properly configured, the output should show the following: -webadm_manage_user_files --> off - Is it the case that webadm_manage_user_files is not disabled? +To ensure the login warning banner text is properly set, run the following: +$ grep banner-message-text /etc/dconf/db/gdm.d/* +If properly configured, the proper banner text will appear. +To ensure the login warning banner text is locked and cannot be changed by a user, run the following: +$ grep banner-message-text /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/banner-message-text. + Is it the case that it does not? - - -Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. - -Check the hashing algorithm that is being used to hash passwords with the following command: + + To verify that auditing of privileged command use is configured, run the following command +to search privileged commands in relevant partitions and check if they are covered by auditd +rules: -$ sudo grep -i ENCRYPT_METHOD /etc/login.defs +FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) +PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }') +for PARTITION in $PARTITIONS; do + for PRIV_CMD in $(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null); do + grep -qr "${PRIV_CMD}" /etc/audit/rules.d /etc/audit/audit.rules && + printf "OK: ${PRIV_CMD}\n" || printf "WARNING - rule not found for: ${PRIV_CMD}\n" + done +done -ENCRYPT_METHOD - Is it the case that ENCRYPT_METHOD is not set to <sub idref="var_password_hashing_algorithm" />? +The output should not contain any WARNING. 
+ Is it the case that any setuid or setgid programs doesn't have a line in the audit rules? - + -Run the following command to determine if the mcelog_client SELinux boolean is disabled: -$ getsebool mcelog_client +Run the following command to determine if the daemons_use_tty SELinux boolean is disabled: +$ getsebool daemons_use_tty If properly configured, the output should show the following: -mcelog_client --> off - Is it the case that mcelog_client is not disabled? +daemons_use_tty --> off + Is it the case that daemons_use_tty is not disabled? - - -Run the following command to determine if the virt_use_rawip SELinux boolean is disabled: -$ getsebool virt_use_rawip -If properly configured, the output should show the following: -virt_use_rawip --> off - Is it the case that virt_use_rawip is not disabled? + + To check the ownership of /etc/crontab, +run the command: +$ ls -lL /etc/crontab +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/crontab does not have an owner of root? - - Run the following command to determine if the sssd package is installed: $ rpm -q sssd + + Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins Is it the case that the package is not installed? - + -Run the following command to determine if the nagios_run_sudo SELinux boolean is disabled: -$ getsebool nagios_run_sudo +Run the following command to determine if the mcelog_server SELinux boolean is disabled: +$ getsebool mcelog_server If properly configured, the output should show the following: -nagios_run_sudo --> off - Is it the case that nagios_run_sudo is not disabled? +mcelog_server --> off + Is it the case that mcelog_server is not disabled? - - Verify that there are no shosts.equiv files on the system, run the following command: -$ find / -name shosts.equiv - Is it the case that shosts.equiv files exist? 
+ + Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: + +$ sudo grep "umask" /etc/bashrc + +umask + Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? - - -Run the following command to determine if the mozilla_plugin_can_network_connect SELinux boolean is disabled: -$ getsebool mozilla_plugin_can_network_connect -If properly configured, the output should show the following: -mozilla_plugin_can_network_connect --> off - Is it the case that mozilla_plugin_can_network_connect is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PANIC_TIMEOUT /boot/config.* + + For each kernel installed, a line with value "" should be returned. + + Is it the case that the kernel was not built with the required value? - - -To check that the rexec service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig rexec --list -Output should indicate the rexec service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig rexec --list - -Note: This output shows SysV services only and does not include native -systemd services. SysV configuration data might be overridden by native -systemd configuration. - -If you want to list systemd services use 'systemctl list-unit-files'. -To see services enabled on particular target use -'systemctl list-dependencies [target]'. 
- -rexec off - -To check that the rexec socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled rexec -Output should indicate the rexec socket has either not been installed, + + To check that the squid service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled squid +Output should indicate the squid service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rexecdisabled +$ sudo systemctl is-enabled squid disabled -Run the following command to verify rexec is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rexec +Run the following command to verify squid is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active squid -If the socket is not running the command will return the following output: +If the service is not running the command will return the following output: inactive -The socket will also be masked, to check that the rexec is masked, run the following command: -$ sudo systemctl show rexec | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the squid is masked, run the following command: +$ sudo systemctl show squid | grep "LoadState\|UnitFileState" -If the socket is masked the command will return the following outputs: +If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that service and/or socket are running? + Is it the case that the "squid" is loaded and not masked? - - -Run the following command to determine if the xserver_object_manager SELinux boolean is disabled: -$ getsebool xserver_object_manager -If properly configured, the output should show the following: -xserver_object_manager --> off - Is it the case that xserver_object_manager is not disabled? 
+ + Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: + +$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should be +$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name + Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? - - Inspect /proc/cmdline for any instances of selinux=0 -in the kernel boot arguments. Presence of selinux=0 indicates -that SELinux is disabled at boot time. + + Verify the noexec option is configured for the /var/log mount point, + run the following command: + $ sudo mount | grep '\s/var/log\s' + . . . /var/log . . . noexec . . . -If it would be disabled anywhere, make sure to enable it via a -MachineConfig object. - Is it the case that SELinux is disabled at boot time? + Is it the case that the "/var/log" file system does not have the "noexec" option set? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r truncate /etc/audit/rules.d + + Verify that Red Hat Enterprise Linux 8 enforces a minimum -character password length with the following command: -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +$ grep minlen /etc/security/pwquality.conf -$ sudo grep truncate /etc/audit/audit.rules +minlen = + Is it the case that the command does not return a "minlen" value of "<sub idref="var_password_pam_minlen" />" or greater, does not return a line, or the line is commented out? 
+ + + + +Run the following command to determine if the puppetagent_manage_all_files SELinux boolean is disabled: +$ getsebool puppetagent_manage_all_files +If properly configured, the output should show the following: +puppetagent_manage_all_files --> off + Is it the case that puppetagent_manage_all_files is not disabled? + + + + The runtime status of the net.ipv4.ip_forward kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.ip_forward +0. +The ability to forward packets is only appropriate for routers. + Is it the case that the correct value is not returned? + + + + Run the following command to ensure the default FORWARD policy is DROP: +grep ":FORWARD" /etc/sysconfig/iptables +The output should be similar to the following: +$ sudo grep ":FORWARD" /etc/sysconfig/iptables +:FORWARD DROP [0:0 + Is it the case that the default policy for the FORWARD chain is not set to DROP? + + + + Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: -The output should be the following: +$ sudo grep pam_faillock.so /etc/pam.d/password-auth --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.so + Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so? 
- - To verify that BIND uses the system crypto policy, check out that the BIND config file -/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config"; -directive: -$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf -Verify that the directive is at the bottom of the options section of the config file. - Is it the case that BIND is installed and the BIND config file doesn't contain the -<pre>include "/etc/crypto-policies/back-ends/bind.config";</pre> directive? + + The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.icmp_ignore_bogus_error_responses +1. + + Is it the case that the correct value is not returned? - + -Run the following command to determine if the collectd_tcp_network_connect SELinux boolean is disabled: -$ getsebool collectd_tcp_network_connect +Run the following command to determine if the rsync_full_access SELinux boolean is disabled: +$ getsebool rsync_full_access If properly configured, the output should show the following: -collectd_tcp_network_connect --> off - Is it the case that collectd_tcp_network_connect is not disabled? +rsync_full_access --> off + Is it the case that rsync_full_access is not disabled? - - To check the group ownership of /etc/cron.allow, + + To check the ownership of /boot/grub2/user.cfg, run the command: -$ ls -lL /etc/cron.allow -If properly configured, the output should indicate the following group-owner: +$ ls -lL /boot/grub2/user.cfg +If properly configured, the output should indicate the following owner: root - Is it the case that /etc/cron.allow does not have a group owner of root? + Is it the case that /boot/grub2/user.cfg does not have an owner of root? 
- - -Run the following command to determine if the glance_api_can_network SELinux boolean is disabled: -$ getsebool glance_api_can_network -If properly configured, the output should show the following: -glance_api_can_network --> off - Is it the case that glance_api_can_network is not disabled? + + To check that the ypbind service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled ypbind +Output should indicate the ypbind service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled ypbind disabled + +Run the following command to verify ypbind is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active ypbind + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the ypbind is masked, run the following command: +$ sudo systemctl show ypbind | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "ypbind" is loaded and not masked? - - The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried + + Storing logs with compression can help avoid filling the system disk. +Run the following command to verify that journald is compressing logs. + +grep "^\sCompress" /etc/systemd/journald.conf + +and it should return + +Compress=yes + + Is it the case that is commented out or not configured correctly? + + + + The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.default.accept_redirects +$ sysctl net.ipv4.conf.all.accept_source_route 0. Is it the case that the correct value is not returned? 
- - Verify that core dumps are disabled for all users, run the following command: -$ grep core /etc/security/limits.conf -* hard core 0 - Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"? + + To determine if the system is configured to audit calls to the +lchown system call, run the following command: +$ sudo grep "lchown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Run the following command to determine if the vsftpd package is installed: -$ rpm -q vsftpd - Is it the case that the package is installed? + + The rsh package can be removed with the following command: $ sudo yum erase rsh + Is it the case that ? - - Run the following command and verify that time sources are only configured with server directive: -# grep -E "^(server|pool)" /etc/chrony.conf -A line with the appropriate server should be returned, any line returned starting with pool is a finding. - Is it the case that an authoritative remote time server is not configured or configured with pool directive? + + The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_source_route +0. + + Is it the case that the correct value is not returned? - - To verify that auditing of privileged command use is configured, run the -following command: -$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/* -It should return a relevant line in the audit rules. - Is it the case that the command does not return a line, or the line is commented out? 
+ + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to synchronize audit event data +with the log files on the disk: +$ sudo grep flush /etc/audit/auditd.conf +flush = DATA +Acceptable values are DATA, and SYNC. The setting is +case-insensitive. + Is it the case that auditd is not configured to synchronously write audit event data to disk? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes l1tf=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*l1tf=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*l1tf=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'l1tf=' -The command should not return any output. - Is it the case that l1tf mitigations are not configured appropriately? + + +Run the following command to determine if the tor_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool tor_bind_all_unreserved_ports +If properly configured, the output should show the following: +tor_bind_all_unreserved_ports --> off + Is it the case that tor_bind_all_unreserved_ports is not disabled? - + + If FTP services are not installed, this is not applicable. + +To verify this configuration, run the following command: + +grep "banner_file" /etc/vsftpd/vsftpd.conf + + +The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: + +$ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf + +banner_file=/etc/issue + Is it the case that it does not? 
+ + + + Run the following command: +# grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf +Verify the output matches: +$FileCreateMode 0640 +Should a site policy dictate less restrictive permissions, ensure to follow +said policy. + Is it the case that $FileCreateMode is not set or is more permissive than 0640? + + + -Run the following command to determine if the xdm_sysadm_login SELinux boolean is disabled: -$ getsebool xdm_sysadm_login +Run the following command to determine if the ftpd_use_fusefs SELinux boolean is disabled: +$ getsebool ftpd_use_fusefs If properly configured, the output should show the following: -xdm_sysadm_login --> off - Is it the case that xdm_sysadm_login is not disabled? +ftpd_use_fusefs --> off + Is it the case that ftpd_use_fusefs is not disabled? - + - -Run the following command to determine the current status of the -postfix service: -$ sudo systemctl is-active postfix -If the service is running, it should return the following: active - Is it the case that the system is not a cross domain solution and the service is not enabled? +Run the following command to determine if the logrotate_use_nfs SELinux boolean is disabled: +$ getsebool logrotate_use_nfs +If properly configured, the output should show the following: +logrotate_use_nfs --> off + Is it the case that logrotate_use_nfs is not disabled? - - To determine if arguments that commands can be executed with are restricted, run the following command: -$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that /etc/sudoers file contains user specifications that allow execution of commands with any arguments? + + To determine if the system is configured to make login UIDs immutable, run +one of the following commands. 
+If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), run the following: +sudo grep immutable /etc/audit/rules.d/*.rules +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, run the following command: +sudo grep immutable /etc/audit/audit.rules +The following line should be returned: +--loginuid-immutable + Is it the case that the system is not configured to make login UIDs immutable? - - To check the permissions of /etc/shadow-, -run the command: -$ ls -l /etc/shadow- -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/shadow- does not have unix mode ----------? + + Run the following command to determine if the aide package is installed: $ rpm -q aide + Is it the case that the package is not installed? - - To check the permissions of /etc/cron.weekly, + + To check the ownership of /etc/passwd, run the command: -$ ls -l /etc/cron.weekly -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.weekly does not have unix mode -rwx------? +$ ls -lL /etc/passwd +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/passwd does not have an owner of root? - + -If the system is configured to prevent the loading of the firewire-core kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword. 
+Run the following command to determine if the openvpn_can_network_connect SELinux boolean is disabled: +$ getsebool openvpn_can_network_connect +If properly configured, the output should show the following: +openvpn_can_network_connect --> off + Is it the case that openvpn_can_network_connect is not disabled? + + + + To determine if the system is configured to audit calls to the +query_module system call, run the following command: +$ sudo grep "query_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? - - -Run the following command to determine if the unconfined_mozilla_plugin_transition SELinux boolean is enabled: -$ getsebool unconfined_mozilla_plugin_transition -If properly configured, the output should show the following: -unconfined_mozilla_plugin_transition --> on - Is it the case that unconfined_mozilla_plugin_transition is not enabled? + + If the system does not have SELinux enabled and enforcing a targeted policy, or if the +pam_faillock.so module is not configured for use, this requirement is not applicable. + +Verify the location of the non-default tally directory for the pam_faillock.so module with +the following command: + +$ sudo grep -w dir /etc/security/faillock.conf + +dir = /var/log/faillock + +Check the security context type of the non-default tally directory with the following command: + +$ sudo ls -Zd /var/log/faillock + +unconfined_u:object_r:faillog_t:s0 /var/log/faillock + Is it the case that the security context type of the non-default tally directory is not "faillog_t"? - - To preclude access to the servers root directory, ensure the following -directive is in the httpd.conf file. 
This entry will also stop users -from setting up .htaccess files which can override security features -configured in /etc/httpd/conf/httpd.conf. -AllowOverride none - Is it the case that it is not? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEBUG_WX /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the irc_use_any_tcp_ports SELinux boolean is disabled: -$ getsebool irc_use_any_tcp_ports +Run the following command to determine if the postgresql_selinux_transmit_client_label SELinux boolean is disabled: +$ getsebool postgresql_selinux_transmit_client_label If properly configured, the output should show the following: -irc_use_any_tcp_ports --> off - Is it the case that irc_use_any_tcp_ports is not disabled? +postgresql_selinux_transmit_client_label --> off + Is it the case that postgresql_selinux_transmit_client_label is not disabled? - - The runtime status of the net.ipv4.conf.all.drop_gratuitous_arp kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.drop_gratuitous_arp -1. + + Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld + Is it the case that the package is not installed? + + + + +If the system is configured to prevent the loading of the atm kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - Is it the case that the correct value is not returned? +These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. 
+ +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r atm /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To verify the nodev option is configured for all NFS mounts, run -the following command: -$ mount | grep nfs -All NFS mounts should show the nodev setting in parentheses. This -is not applicable if NFS is not implemented. - Is it the case that the setting does not show? + + To ensure ClientAliveInterval is set correctly, run the following command: +$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config +If properly configured, the output should be: +ClientAliveCountMax +For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when +the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout +functionality completely. +If the option is set to a number greater than 0, then the session will be disconnected after +ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. + Is it the case that it is commented out or not configured properly? - - Verify that Red Hat Enterprise Linux 8 has configured the minimum time period between password changes for each user account is one day or greater with the following command: + + To ensure the user list is disabled, run the following command: +$ grep disable-user-list /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot enable displaying the user list, run the following: +$ grep disable-user-list /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/disable-user-list + Is it the case that disable-user-list has not been configured or is not disabled? 
+ + + + To determine if the system is configured to audit successful calls +to the fchownat system call, run the following command: +$ sudo grep "fchownat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow - Is it the case that any results are returned that are not associated with a system account? + Is it the case that no line is returned? - + -Run the following command to determine if the virt_use_fusefs SELinux boolean is disabled: -$ getsebool virt_use_fusefs -If properly configured, the output should show the following: -virt_use_fusefs --> off - Is it the case that virt_use_fusefs is not disabled? + +Run the following command to determine the current status of the +sssd service: +$ sudo systemctl is-active sssd +If the service is running, it should return the following: active + Is it the case that the service is not enabled? - - -Run the following command to determine if the nfsd_anon_write SELinux boolean is disabled: -$ getsebool nfsd_anon_write -If properly configured, the output should show the following: -nfsd_anon_write --> off - Is it the case that nfsd_anon_write is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open system call with O_TRUNC_WRITE flag. 
+ + To determine how the SSH daemon's StrictModes option is set, run the following command: -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: +$ sudo grep -i StrictModes /etc/ssh/sshd_config -$ sudo grep -r open /etc/audit/rules.d +If a line indicating yes is returned, then the required value is set. -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + Is it the case that the required value is not set? + + + + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: -$ sudo grep open /etc/audit/audit.rules +$ grep lock-command /etc/tmux.conf -The output should be the following: +set -g lock-command vlock --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? +Then, verify that the /etc/tmux.conf file can be read by other users than root: + +$ sudo ls -al /etc/tmux.conf + Is it the case that the "lock-command" is not set in the global settings to call "vlock"? - - The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.send_redirects -0. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: - Is it the case that the correct value is not returned? 
+$ sudo auditctl -l | grep usermod + +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod + Is it the case that the command does not return a line, or the line is commented out? - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.media-handling automount-open -If properly configured, the output for automount-openshould be false. -To ensure that users cannot enable automount opening in GNOME3, run the following: -$ grep 'automount-open' /etc/dconf/db/local.d/locks/* -If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open - Is it the case that GNOME automounting is not disabled? + + To check the permissions of /etc/cron.d, +run the command: +$ ls -l /etc/cron.d +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.d does not have unix mode -rwx------? - - The runtime status of the kernel.kptr_restrict kernel parameter can be queried -by running the following command: -$ sysctl kernel.kptr_restrict -The output of the command should indicate either: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 -The output of the command should not indicate: -kernel.kptr_restrict = 0 - -The preferable way how to assure the runtime compliance is to have -correct persistent configuration, and rebooting the system. - -The persistent kernel parameter configuration is performed by specifying the appropriate -assignment in any file located in the /etc/sysctl.d directory. -Verify that there is not any existing incorrect configuration by executing the following command: -$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d -The command should not find any assignments other than: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 - -Conflicting assignments are not allowed. 
- Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that the command does not return a line, or the line is commented out? - + To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* +chmod system call, run the following command: +$ sudo grep "chmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check the group ownership of /usr/bin/sudo, -run the command: -$ ls -lL /usr/bin/sudo -If properly configured, the output should indicate the following group-owner: - - Is it the case that /usr/bin/sudo does not have a group owner of <sub idref="var_sudo_dedicated_group" />? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_ALL /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - -Run the following command to determine if the sge_domain_can_network_connect SELinux boolean is disabled: -$ getsebool sge_domain_can_network_connect -If properly configured, the output should show the following: -sge_domain_can_network_connect --> off - Is it the case that sge_domain_can_network_connect is not disabled? + + Run the following command to determine if the libpwquality package is installed: +$ rpm -q libpwquality + Is it the case that the package is not installed? 
- - To verify the number of rounds for the password hashing algorithm is configured, run the following command: -$ sudo grep rounds /etc/pam.d/system-auth -The output should show the following match: -password sufficient pam_unix.so sha512 rounds= - Is it the case that rounds is not set to <sub idref="var_password_pam_unix_rounds" /> or is commented out? + + +Run the following command to determine if the mysql_connect_any SELinux boolean is disabled: +$ getsebool mysql_connect_any +If properly configured, the output should show the following: +mysql_connect_any --> off + Is it the case that mysql_connect_any is not disabled? - - Run the following command to determine if the rsync-daemon package is installed: -$ rpm -q rsync-daemon - Is it the case that the package is installed? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192' +The command should not return any output. + Is it the case that audit backlog limit is not configured? - - Run the following command to determine if the chrony package is installed: $ rpm -q chrony - Is it the case that the package is not installed? 
+ + To verify that root's primary group is zero run the following command: + + grep '^root:' /etc/passwd | cut -d : -f 4 + +The command should return: + +0 + + Is it the case that root has a primary gid not equal to zero? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + + Check that AIDE is properly configured to protect the integrity of the +audit tools by running the following command: -$ sudo grep -r open_by_handle_at /etc/audit/rules.d +# sudo cat /etc/aide.conf | grep /usr/sbin/au -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -$ sudo grep open_by_handle_at /etc/audit/audit.rules -The output should be the following: --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? - - - - To determine how the SSH daemon's X11Forwarding option is set, run the following command: +/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -$ sudo grep -i X11Forwarding /etc/ssh/sshd_config -If a line indicating yes is returned, then the required value is set. 
+If AIDE is configured properly to protect the integrity of the audit tools, +all lines listed above will be returned from the command. - Is it the case that the required value is not set? +If one or more lines are missing, this is a finding. + Is it the case that integrity checks of the audit tools are missing or incomplete? - - To determine if env_reset has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\benv_reset\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that env_reset is not enabled in sudo? + + +Run the following command to determine if the use_nfs_home_dirs SELinux boolean is disabled: +$ getsebool use_nfs_home_dirs +If properly configured, the output should show the following: +use_nfs_home_dirs --> off + Is it the case that use_nfs_home_dirs is not disabled? - - Run the following command to determine if the libselinux package is installed: $ rpm -q libselinux - Is it the case that the package is not installed? + + + +Run the following command to determine the current status of the +rsyslog service: +$ sudo systemctl is-active rsyslog +If the service is running, it should return the following: active + Is it the case that the "rsyslog" service is disabled, masked, or not started.? - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.thumbnailers disable-all -If properly configured, the output should be true. -To ensure that users cannot how long until the screensaver locks, run the following: -$ grep disable-all /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all - Is it the case that GNOME thumbnailers are not disabled? + + To determine if the system is configured to audit successful calls +to the open system call, run the following command: +$ sudo grep "open" /etc/audit.* +If the system is configured to audit this activity, it will return a line. 
+ + Is it the case that no line is returned? - - Verify that a separate file system/partition has been created for /home with the following command: + + Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: -$ mountpoint /home +$ sudo grep pam_faillock.so /etc/pam.d/system-auth - Is it the case that "/home is not a mountpoint" is returned? - - - - Verify that only the "root" account has a UID "0" assignment with the -following command: -$ awk -F: '$3 == 0 {print $1}' /etc/passwd -root - Is it the case that any accounts other than "root" have a UID of "0"? - - - - -Run the following command to determine if the mcelog_exec_scripts SELinux boolean is enabled: -$ getsebool mcelog_exec_scripts -If properly configured, the output should show the following: -mcelog_exec_scripts --> on - Is it the case that mcelog_exec_scripts is not enabled? +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.so + Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY /boot/config.* + $ grep CONFIG_SYN_COOKIES /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To check the screensaver mandatory use status, run the following command: -$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled -If properly configured, the output should be true. -To ensure that users cannot disable the screensaver idle inactivity setting, run the following: -$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled - Is it the case that idle-activation-enabled is not enabled or configured? 
+ + To check the permissions of /boot/grub2/user.cfg, +run the command: +$ ls -l /boot/grub2/user.cfg +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /boot/grub2/user.cfg does not have unix mode -rw-------? - - Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools - Is it the case that the package is not installed? + + To determine if NOEXEC has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\bnoexec\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that noexec is not enabled in sudo? - - Run the following command to verify that the MTA is not listening on -any non-loopback address (127.0.0.1 or ::1). -# ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' -Nothing should be returned - Is it the case that MTA is listening on any non-loopback address? + + To verify if MaxKeepAliveRequests is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i maxkeepaliverequests /etc/httpd/conf/httpd.conf +The command should return the following: +MaxKeepAliveRequests 100 + Is it the case that it is not? - - To check the permissions of /etc/http/conf.modules.d/*, + + To check the ownership of /boot/grub2/grub.cfg, run the command: -$ ls -l /etc/http/conf.modules.d/* -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/http/conf.modules.d/* does not have unix mode -rw-r-----? +$ ls -lL /boot/grub2/grub.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that /boot/grub2/grub.cfg does not have an owner of root? - - Verify that Red Hat Enterprise Linux 8 enforces password complexity rules for the root account. 
- -Check if root user is required to use complex passwords with the following command: - -$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:enforce_for_root - Is it the case that "enforce_for_root" is commented or missing? + + Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog + Is it the case that the package is not installed? - - Run the following command: -# grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf -Verify the output matches: -$FileCreateMode 0640 -Should a site policy dictate less restrictive permissions, ensure to follow -said policy. - Is it the case that $FileCreateMode is not set or is more permissive than 0640? + + +Run the following command to determine if the gluster_export_all_rw SELinux boolean is disabled: +$ getsebool gluster_export_all_rw +If properly configured, the output should show the following: +gluster_export_all_rw --> off + Is it the case that gluster_export_all_rw is not disabled? - - To check the permissions of /etc/group-, -run the command: -$ ls -l /etc/group- -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/group- does not have unix mode -rw-r--r--? + + Run the following command to determine if the vim-enhanced package is installed: $ rpm -q vim-enhanced + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. - -Check the value for "ucredit" with the following command: + + +If the system is configured to prevent the loading of the firewire-core kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
-$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf +These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword. -ucredit = -1 - Is it the case that the value of "ucredit" is a positive number or is commented out? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_COMPAT_BRK /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + +Run the following command to determine if the virt_transition_userdomain SELinux boolean is disabled: +$ getsebool virt_transition_userdomain +If properly configured, the output should show the following: +virt_transition_userdomain --> off + Is it the case that virt_transition_userdomain is not disabled? - - To check the group ownership of /var/log, + + To check the group ownership of /etc/cron.hourly, run the command: -$ ls -lL /var/log +$ ls -lL /etc/cron.hourly If properly configured, the output should indicate the following group-owner: root - Is it the case that /var/log does not have a group owner of root? - - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/43-module-load.rules -The output has to be exactly as follows: -## These rules watch for kernel module insertion. By monitoring -## the syscall, we do not need any watches on programs. 
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load --a always,exit -F arch=b32 -S delete_module -F key=module-unload --a always,exit -F arch=b64 -S delete_module -F key=module-unload - Is it the case that the file does not exist or the content differs? + Is it the case that /etc/cron.hourly does not have a group owner of root? - - To ensure LoginGraceTime is set correctly, run the following command: -$ sudo grep LoginGraceTime /etc/ssh/sshd_config -If properly configured, the output should be: -LoginGraceTime -If the option is set to a number greater than 0, then the unauthenticated session will be disconnected -after the configured number seconds. - Is it the case that it is commented out or not configured properly? + + To ensure the user home directory is not group-writable or world-readable, run the following: +# ls -ld /home/USER + Is it the case that the user home directory is group-writable or world-readable? - - Ensure that debug-shell service is not enabled with the following command: -grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub -If the command returns a line, it means that debug-shell service is being enabled. - Is it the case that the comand returns a line? + + Verify the operating system is not configured to bypass password requirements for privilege +escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: +$ sudo grep pam_succeed_if /etc/pam.d/sudo + Is it the case that system is configured to bypass password requirements for privilege escalation? 
- - To verify that null passwords cannot be used, run the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: -$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth +$ sudo auditctl -l | grep sudo -If this produces any output, it may be possible to log into accounts -with empty passwords. Remove any instances of the nullok option to -prevent logins with empty passwords. - Is it the case that NULL passwords can be used? +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo + Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the dovecot package is installed: -$ rpm -q dovecot - Is it the case that the package is installed? + + Verify Red Hat Enterprise Linux 8 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command: +$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf +server [ntp.server.name] iburst maxpoll . + Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing? - - To check the permissions of /etc/shadow, -run the command: -$ ls -l /etc/shadow -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/shadow does not have unix mode ----------? + + +Run the following command to determine if the nfs_export_all_ro SELinux boolean is enabled: +$ getsebool nfs_export_all_ro +If properly configured, the output should show the following: +nfs_export_all_ro --> on + Is it the case that nfs_export_all_ro is not enabled? - - Run the following command to determine if the cups package is installed: -$ rpm -q cups - Is it the case that the package is installed? 
+ + To verify that BIND uses the system crypto policy, check out that the BIND config file +/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config"; +directive: +$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf +Verify that the directive is at the bottom of the options section of the config file. + Is it the case that BIND is installed and the BIND config file doesn't contain the +<pre>include "/etc/crypto-policies/back-ends/bind.config";</pre> directive? - - Run the following command to determine if the krb5-server package is installed: $ rpm -q krb5-server + + Run the following command to determine if the abrt-addon-kerneloops package is installed: +$ rpm -q abrt-addon-kerneloops Is it the case that the package is installed? - - To determine if the system is configured to audit successful calls -to the fchmodat system call, run the following command: -$ sudo grep "fchmodat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? - - - + -Run the following command to determine if the sysadm_exec_content SELinux boolean is enabled: -$ getsebool sysadm_exec_content +Run the following command to determine if the logging_syslogd_can_sendmail SELinux boolean is disabled: +$ getsebool logging_syslogd_can_sendmail If properly configured, the output should show the following: -sysadm_exec_content --> on - Is it the case that sysadm_exec_content is not enabled? +logging_syslogd_can_sendmail --> off + Is it the case that logging_syslogd_can_sendmail is not disabled? - - To verify if CustomLog is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i customlog /etc/httpd/conf/httpd.conf -The output should return the following: -CustomLog "logs/access_log" combined - Is it the case that it is not? 
+ + Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server + Is it the case that the package is not installed? - + -Run the following command to determine if the httpd_serve_cobbler_files SELinux boolean is disabled: -$ getsebool httpd_serve_cobbler_files +Run the following command to determine if the virt_read_qemu_ga_data SELinux boolean is disabled: +$ getsebool virt_read_qemu_ga_data If properly configured, the output should show the following: -httpd_serve_cobbler_files --> off - Is it the case that httpd_serve_cobbler_files is not disabled? - - - - Locate the directories containing the CGI scripts. These directories should be -language-specific (e.g., PERL, ASP, JS, JSP, etc.). Examine the file permissions -on the directories using the following command: -ls -l directories -Anonymous FTP users must not have access to these directories. - Is it the case that it is not? +virt_read_qemu_ga_data --> off + Is it the case that virt_read_qemu_ga_data is not disabled? - - To verify that McAfee HIPS is installed, run the following command(s): -$ rpm -q MFEhiplsm - Is it the case that the HBSS HIPS module is not installed? + + Inspect the file /etc/sysconfig/iptables to determine +the default policy for the INPUT chain. It should be set to DROP: +$ sudo grep ":INPUT" /etc/sysconfig/iptables + Is it the case that the default policy for the INPUT chain is not set to DROP? - - Inspect the password section of /etc/pam.d/password-auth -and ensure that the pam_unix.so module includes the argument -sha512: -$ grep sha512 /etc/pam.d/password-auth - Is it the case that it does not? + + To verify that the installed operating system is supported, run +the following command: + +$ grep -i "red hat" /etc/redhat-release + +Red Hat Enterprise Linux 8 + Is it the case that the installed operating system is not supported? 
- + -Run the following command to determine if the samba_share_fusefs SELinux boolean is disabled: -$ getsebool samba_share_fusefs -If properly configured, the output should show the following: -samba_share_fusefs --> off - Is it the case that samba_share_fusefs is not disabled? +To properly set the group owner of /etc/audit/, run the command: +$ sudo chgrp root /etc/audit/ + +To properly set the group owner of /etc/audit/rules.d/, run the command: +$ sudo chgrp root /etc/audit/rules.d/ + Is it the case that ? - - -Run the following command to determine if the httpd_use_gpg SELinux boolean is disabled: -$ getsebool httpd_use_gpg -If properly configured, the output should show the following: -httpd_use_gpg --> off - Is it the case that httpd_use_gpg is not disabled? + + To check if compression is enabled or set correctly, run the +following command: +$ sudo grep Compression /etc/ssh/sshd_config +If configured properly, output should be no or delayed. + Is it the case that it is commented out, or is not set to no or delayed? - + -Run the following command to determine if the tftp_anon_write SELinux boolean is disabled: -$ getsebool tftp_anon_write +Run the following command to determine if the nagios_run_sudo SELinux boolean is disabled: +$ getsebool nagios_run_sudo If properly configured, the output should show the following: -tftp_anon_write --> off - Is it the case that tftp_anon_write is not disabled? +nagios_run_sudo --> off + Is it the case that nagios_run_sudo is not disabled? - + + To determine if the system is configured to audit calls to the +chown system call, run the following command: +$ sudo grep "chown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + -Run the following command to determine if the httpd_use_nfs SELinux boolean is disabled: -$ getsebool httpd_use_nfs +Run the following command to determine if the httpd_tty_comm SELinux boolean is disabled: +$ getsebool httpd_tty_comm If properly configured, the output should show the following: -httpd_use_nfs --> off - Is it the case that httpd_use_nfs is not disabled? +httpd_tty_comm --> off + Is it the case that httpd_tty_comm is not disabled? - - To check the permissions of /boot/Sysem.map-*, -run the command: -$ ls -l /boot/Sysem.map-* -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that ? + + To determine if the system is configured to audit unsuccessful calls +to the setxattr system call, run the following command: +$ sudo grep "setxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + + Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: + +$ sudo grep audit /etc/security/faillock.conf + +audit + Is it the case that the "audit" option is not set, is missing or commented out? + + + -Run the following command to determine if the mpd_use_cifs SELinux boolean is disabled: -$ getsebool mpd_use_cifs +Run the following command to determine if the dhcpc_exec_iptables SELinux boolean is disabled: +$ getsebool dhcpc_exec_iptables If properly configured, the output should show the following: -mpd_use_cifs --> off - Is it the case that mpd_use_cifs is not disabled? +dhcpc_exec_iptables --> off + Is it the case that dhcpc_exec_iptables is not disabled? - - To ensure sshd limits the users who can log in, run the following: -pre>$ sudo grep -rPi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config* -If properly configured, the output should be a list of usernames and/or -groups allowed to log in to this system. 
- Is it the case that sshd does not limit the users who can log in? + + Inspect all instances of DocumentRoot and Alias. No +robots.txt file should exist. + Is it the case that it is not? - - Run the following command to determine if the openssh-clients package is installed: $ rpm -q openssh-clients - Is it the case that the package is not installed? + + To check the ownership of /etc/group, +run the command: +$ ls -lL /etc/group +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/group does not have an owner of root? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: - -$ sudo auditctl -l | grep setfacl - --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - Is it the case that the command does not return a line, or the line is commented out? + + To check that audit is enabled at boot time, check all boot entries with following command: +sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that doesn't enable audit. + Is it the case that auditing is not enabled at boot time? 
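Review bot: in the setxattr check, the grep path "/etc/audit.*" does not point at the audit rule files; the chown check added in this same hunk greps "/etc/audit/audit.*", which is the intended location, so the setxattr line should read "$ sudo grep "setxattr" /etc/audit/audit.*". The same "/etc/audit.*" path recurs in the lremovexattr and fchmodat checks later in this patch. Also, the new /etc/audit group-owner check ends with an empty question, "Is it the case that ?"; it needs the failing condition spelled out, for example "Is it the case that /etc/audit/ or /etc/audit/rules.d/ is not group-owned by root?".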
@@ -372632,83 +373335,84 @@ If the service is running, it should return the following: active Is it the case that ? - - To verify the nosuid option is configured for all NFS mounts, run -the following command: -$ mount | grep nfs -All NFS mounts should show the nosuid setting in parentheses. This -is not applicable if NFS is not implemented. - Is it the case that the setting does not show? - - - - -Run the following command to determine if the xen_use_nfs SELinux boolean is disabled: -$ getsebool xen_use_nfs -If properly configured, the output should show the following: -xen_use_nfs --> off - Is it the case that xen_use_nfs is not disabled? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + +$ sudo auditctl -l | grep chcon + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + Is it the case that the command does not return a line, or the line is commented out? - - To check the ownership of /etc/motd, -run the command: -$ ls -lL /etc/motd -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/motd does not have an owner of root? + + To verify that there are no .shosts files +on the system, run the following command: +$ sudo find / -name '.shosts' + Is it the case that .shosts files exist? - - To verify that acquiring, saving, and processing core dumps is disabled, run the -following command: -$ systemctl status systemd-coredump.socket -The output should be similar to: -● systemd-coredump.socket - Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) - Active: inactive (dead) ... 
+ + To check that the slapd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled slapd +Output should indicate the slapd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled slapd disabled - Is it the case that unit systemd-coredump.socket is not masked or running? - - - - To verify the password reuse setting is compliant, run the following command: -$ grep remember /etc/pam.d/system-auth -The output should show the following at the end of the line: -remember= +Run the following command to verify slapd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active slapd +If the service is not running the command will return the following output: +inactive -In newer systems, the pam_pwhistory PAM module options can also be set in -"/etc/security/pwhistory.conf" file. Use the following command to verify: -$ grep remember /etc/security/pwhistory.conf -remember = +The service will also be masked, to check that the slapd is masked, run the following command: +$ sudo systemctl show slapd | grep "LoadState\|UnitFileState" -The pam_pwhistory remember option must be configured only in one file. - Is it the case that the value of remember is not equal to or greater than the expected value? - - - - Verify it by running the following command: -$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules +If the service is masked the command will return the following outputs: -/sbin/auditctl root -/sbin/aureport root -/sbin/ausearch root -/sbin/autrace root -/sbin/auditd root -/sbin/audispd root -/sbin/augenrules root +LoadState=masked +UnitFileState=masked + Is it the case that the "slapd" is loaded and not masked? 
+ + + + +Run the following command to determine if the fenced_can_network_connect SELinux boolean is disabled: +$ getsebool fenced_can_network_connect +If properly configured, the output should show the following: +fenced_can_network_connect --> off + Is it the case that fenced_can_network_connect is not disabled? + + + + Verify that local initialization files do not execute world-writable programs with the following command: -If the command does not return all the above lines, the missing ones -need to be added. +Note: The example will be for a system that is configured to create user home directories in the "/home" directory. -Run the following command to correct the permissions of the missing -entries: -$ sudo chown root [audit_tool] +$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; + Is it the case that any local initialization files are found to reference world-writable files? + + + + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +$ sudo grep "fremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -Replace "[audit_tool]" with each audit tool not owned by root. - Is it the case that ? + Is it the case that no line is returned? + + + + Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core + Is it the case that the package is not installed? + + + + To ensure write permissions are disabled for group and other + for each element in root's path, run the following command: +# ls -ld DIR + Is it the case that group or other write permissions exist? 
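Review bot: the new local-initialization-files check's command and its question do not test the same thing: "$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;" lists world-writable dotfiles under /home, while the question asks whether initialization files "reference world-writable files". Either the question should ask whether any world-writable local initialization files are found, or the command needs to inspect what those files execute. Minor: in the slapd check, "The service will also be masked, to check that the slapd is masked, run the following command:" is a run-on; split it into "The service will also be masked. To check that slapd is masked, run the following command:".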
@@ -372726,185 +373430,213 @@ users must be mapped to the user_u role or the appropriate domain Is it the case that non-admin users are not confined correctly? - + -Run the following command to determine if the ftpd_full_access SELinux boolean is disabled: -$ getsebool ftpd_full_access +Run the following command to determine if the httpd_unified SELinux boolean is disabled: +$ getsebool httpd_unified If properly configured, the output should show the following: -ftpd_full_access --> off - Is it the case that ftpd_full_access is not disabled? - - - - The runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.arp_ignore -. - - Is it the case that the correct value is not returned? +httpd_unified --> off + Is it the case that httpd_unified is not disabled? - + -Run the following command to determine if the mysql_connect_any SELinux boolean is disabled: -$ getsebool mysql_connect_any +Run the following command to determine if the mmap_low_allowed SELinux boolean is disabled: +$ getsebool mmap_low_allowed If properly configured, the output should show the following: -mysql_connect_any --> off - Is it the case that mysql_connect_any is not disabled? +mmap_low_allowed --> off + Is it the case that mmap_low_allowed is not disabled? - - To determine if the system is configured to audit successful calls -to the creat system call, run the following command: -$ sudo grep "creat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: + sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' +or if cvtsudoers not supported: + sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! 
-name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; +If no results are returned, this is a finding. +If conflicting results are returned, this is a finding. +If "Defaults !targetpw" is not defined, this is a finding. +If "Defaults !rootpw" is not defined, this is a finding. +If "Defaults !runaspw" is not defined, this is a finding. + Is it the case that invoke user passwd when using sudo? - - Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: - -$ sudo grep audit /etc/security/faillock.conf - -audit - Is it the case that the "audit" option is not set, is missing or commented out? + + To verify that is configured +as the smart card driver, run the following command: +$ grep force_card_driver /etc/opensc.conf +The output should return something similar to: +force_card_driver = ; + Is it the case that the smart card driver is not configured correctly? - - -Run the following command to determine if the httpd_sys_script_anon_write SELinux boolean is disabled: -$ getsebool httpd_sys_script_anon_write -If properly configured, the output should show the following: -httpd_sys_script_anon_write --> off - Is it the case that httpd_sys_script_anon_write is not disabled? + + To check the ownership of /etc/issue.net, +run the command: +$ ls -lL /etc/issue.net +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/issue.net does not have an owner of root? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlink system call. + + To check the group ownership of /etc/cron.allow, +run the command: +$ ls -lL /etc/cron.allow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.allow does not have a group owner of root? 
+ + + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open system call with O_TRUNC_WRITE flag. -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r unlink /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep unlink /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a line, or the line is commented out? 
- + -Run the following command to determine if the pppd_can_insmod SELinux boolean is disabled: -$ getsebool pppd_can_insmod +Run the following command to determine if the openvpn_enable_homedirs SELinux boolean is disabled: +$ getsebool openvpn_enable_homedirs If properly configured, the output should show the following: -pppd_can_insmod --> off - Is it the case that pppd_can_insmod is not disabled? +openvpn_enable_homedirs --> off + Is it the case that openvpn_enable_homedirs is not disabled? - - Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: - -$ sudo grep pam_faillock.so /etc/pam.d/password-auth + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -auth required pam_faillock.so preauth -auth required pam_faillock.so authfail -account required pam_faillock.so - Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so? + Is it the case that no line is returned? - - To ensure the failed password attempt policy is configured correctly, run the following command: - -$ grep fail_interval /etc/security/faillock.conf -The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. - Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />" -or less (but not "0"), the line is commented out, or the line is missing? + + The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.forwarding +0. +The ability to forward packets is only appropriate for routers. + Is it the case that IP forwarding value is "1" and the system is not router? 
- - Verify that the default umask for all local interactive users is "077". - -Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. + + +Run the following command to determine if the staff_use_svirt SELinux boolean is disabled: +$ getsebool staff_use_svirt +If properly configured, the output should show the following: +staff_use_svirt --> off + Is it the case that staff_use_svirt is not disabled? + + + + Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: -Check all local interactive user initialization files for interactive users with the following command: +$ sudo grep -w admin_space_left /etc/audit/auditd.conf -Note: The example is for a system that is configured to create users home directories in the "/home" directory. +admin_space_left = % -# grep -ri umask /home/ +If the value of the "admin_space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is taking action if the allocated storage is about to reach capacity. + Is it the case that the "admin_space_left" value is not configured to the correct value? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_COMPAT_BRK /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? + + + + Run the following command to determine if the vsftpd package is installed: +$ rpm -q vsftpd + Is it the case that the package is installed? 
+ + + + To determine if the system is configured to audit unsuccessful calls +to the lremovexattr system call, run the following command: +$ sudo grep "lremovexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -/home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile -/home/smithj/.bash_history:grep -i umask /etc/login.defs - Is it the case that any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"? + Is it the case that no line is returned? - - To check if authentication is required for emergency mode, run the following command: -$ grep sulogin /usr/lib/systemd/system/emergency.service -The output should be similar to the following, and the line must begin with -ExecStart and /usr/lib/systemd/systemd-sulogin-shell. - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + + To check that the sshd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled sshd +Output should indicate the sshd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled sshd disabled -Then, check if the emergency target requires the emergency service: -Run the following command: -$ sudo grep Requires /usr/lib/systemd/system/emergency.target -The output should be the following: -Requires=emergency.service +Run the following command to verify sshd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active sshd -Then, check if there is no custom emergency target configured in systemd configuration. -Run the following command: -$ sudo grep -r emergency.target /etc/systemd/system/ -The output should be empty. 
+If the service is not running the command will return the following output: +inactive -Then, check if there is no custom emergency service configured in systemd configuration. -Run the following command: -$ sudo grep -r emergency.service /etc/systemd/system/ -The output should be empty. - Is it the case that the output is different? - - - - Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . +The service will also be masked, to check that the sshd is masked, run the following command: +$ sudo systemctl show sshd | grep "LoadState\|UnitFileState" +If the service is masked the command will return the following outputs: -Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: -$ grep retry /etc/security/pwquality.conf - Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing? +LoadState=masked + +UnitFileState=masked + Is it the case that the "sshd" is loaded and not masked? - - To determine if the system is configured to audit successful calls -to the open system call, run the following command: -$ sudo grep "open" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify that a separate file system/partition has been created for /var with the following command: - Is it the case that no line is returned? +$ mountpoint /var + + Is it the case that "/var is not a mountpoint" is returned? - - To check the ownership of /etc/cron.weekly, -run the command: -$ ls -lL /etc/cron.weekly -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.weekly does not have an owner of root? + + Inspect /proc/cmdline for any instances of selinux=0 +in the kernel boot arguments. Presence of selinux=0 indicates +that SELinux is disabled at boot time. + +If it would be disabled anywhere, make sure to enable it via a +MachineConfig object. 
+ Is it the case that SELinux is disabled at boot time? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_LEGACY_VSYSCALL_EMULATE /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes slub_debug=, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug=' +The command should not return any output. + Is it the case that SLUB/SLAB poisoning is not enabled? 
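Review bot: the expected audit rules in the open/O_TRUNC_WRITE check spell the key "unsuccesful-create" on all four lines; if the installed rule uses "unsuccessful-create", a reader comparing output against this text will record a false finding, so the spelling must be reconciled with the rule the remediation actually writes. The sudoers check closes with "Is it the case that invoke user passwd when using sudo?", which is not a condition; given the finding rules listed above it, something like "Is it the case that Defaults !targetpw, !rootpw and !runaspw are not all defined, or conflicting definitions are returned?" would match. The lremovexattr check greps "/etc/audit.*" where the other audit checks in this patch use "/etc/audit/audit.*". In the slub_debug check, "/etc/default/grub.Moreover, command line parameters" is missing a line break after the grep command. Finally, the SELinux boot-time check tells the reader to enable SELinux "via a MachineConfig object"; MachineConfig is an OpenShift object, while the surrounding checks ("Verify Red Hat Enterprise Linux 8 ...") target Red Hat Enterprise Linux 8, so that sentence should be dropped or replaced with the kernel-argument remediation.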
@@ -372916,159 +373648,97 @@ gluster_anon_write --> off Is it the case that gluster_anon_write is not disabled? - - -Run the following command to determine if the use_ecryptfs_home_dirs SELinux boolean is disabled: -$ getsebool use_ecryptfs_home_dirs -If properly configured, the output should show the following: -use_ecryptfs_home_dirs --> off - Is it the case that use_ecryptfs_home_dirs is not disabled? + + Verify the audit system is configured to take an appropriate action when the internal event queue is full: +$ sudo grep -i overflow_action /etc/audit/auditd.conf + +The output should contain overflow_action = syslog + +If the value of the "overflow_action" option is not set to syslog, +single, halt or the line is commented out, ask the System Administrator +to indicate how the audit logs are off-loaded to a different system or media. + Is it the case that auditd overflow action is not set correctly? - - -Run the following command to determine if the lsmd_plugin_connect_any SELinux boolean is disabled: -$ getsebool lsmd_plugin_connect_any -If properly configured, the output should show the following: -lsmd_plugin_connect_any --> off - Is it the case that lsmd_plugin_connect_any is not disabled? + + To verify all files and directories in a local interactive user's +home directory have a valid owner, run the following command: +$ sudo ls -lLR /home/USER + Is it the case that the user ownership is incorrect? - + -Run the following command to determine if the httpd_dontaudit_search_dirs SELinux boolean is disabled: -$ getsebool httpd_dontaudit_search_dirs +Run the following command to determine if the httpd_can_network_memcache SELinux boolean is disabled: +$ getsebool httpd_can_network_memcache If properly configured, the output should show the following: -httpd_dontaudit_search_dirs --> off - Is it the case that httpd_dontaudit_search_dirs is not disabled? +httpd_can_network_memcache --> off + Is it the case that httpd_can_network_memcache is not disabled? 
- + -Run the following command to determine if the virt_transition_userdomain SELinux boolean is disabled: -$ getsebool virt_transition_userdomain +Run the following command to determine if the piranha_lvs_can_network_connect SELinux boolean is disabled: +$ getsebool piranha_lvs_can_network_connect If properly configured, the output should show the following: -virt_transition_userdomain --> off - Is it the case that virt_transition_userdomain is not disabled? - - - - The runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra_rtr_pref -0. - - Is it the case that the correct value is not returned? - - - - To verify that audit is configured for OSPP v4.2.1, run the following commands: -for file in "10-base-config" "11-loginuid" "30-ospp-v42" "43-module-load";do diff /etc/audit/rules.d/$file.rules /usr/share/doc/audit*/rules/$file.rules; done - -If the system is configured properly, no lines should be returned. - Is it the case that the files are not there or differ? - - - - -Determine the audit log group by running the following command: - -$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf - -Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. -Run the following command: - -$ sudo find /var/log/audit -type d -printf "%p %g\n" - -All listed directories must be owned by the log_group or by root if the log_group is not specified. - Is it the case that there is a directory owned by different group? - - - - Verify the operating system audits activities performed during nonlocal -maintenance and diagnostic sessions. Run the following command: -$ sudo auditctl -l | grep sudo.log --w /var/log/sudo.log -p wa -k maintenance - - Is it the case that Audit rule is not present? 
- - - - To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: -$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config -and verify that the line matches: --oCiphers= - Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? - - - - To ensure the tally directory is configured correctly, run the following command: -$ sudo grep 'dir =' /etc/security/faillock.conf -The output should show that dir is set to something other than "/var/run/faillock" - Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? +piranha_lvs_can_network_connect --> off + Is it the case that piranha_lvs_can_network_connect is not disabled? - - To check that all boot entries extend the backlog limit; -Check that all boot entries extend the log events queue: -sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that does not extend the log events queue. - Is it the case that audit backlog limit is not configured? + + Run the following command to determine if the openldap-clients package is installed: +$ rpm -q openldap-clients + Is it the case that the package is installed? - + -Run the following command to determine if the httpd_can_network_connect_db SELinux boolean is disabled: -$ getsebool httpd_can_network_connect_db +Run the following command to determine if the selinuxuser_execmod SELinux boolean is enabled: +$ getsebool selinuxuser_execmod If properly configured, the output should show the following: -httpd_can_network_connect_db --> off - Is it the case that httpd_can_network_connect_db is not disabled? - - - - -To properly set the permissions of /etc/audit/, run the command: -$ sudo chmod 0640 /etc/audit/ - -To properly set the permissions of /etc/audit/rules.d/, run the command: -$ sudo chmod 0640 /etc/audit/rules.d/ - Is it the case that ? 
+selinuxuser_execmod --> on + Is it the case that selinuxuser_execmod is not enabled? - + -Run the following command to determine if the logwatch_can_network_connect_mail SELinux boolean is disabled: -$ getsebool logwatch_can_network_connect_mail +Run the following command to determine if the xguest_exec_content SELinux boolean is disabled: +$ getsebool xguest_exec_content If properly configured, the output should show the following: -logwatch_can_network_connect_mail --> off - Is it the case that logwatch_can_network_connect_mail is not disabled? +xguest_exec_content --> off + Is it the case that xguest_exec_content is not disabled? - - To determine if the system is configured to audit unsuccessful calls -to the lremovexattr system call, run the following command: -$ sudo grep "lremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check if pam_pwquality.so is enabled in password-auth, run the following command: +$ grep pam_pwquality /etc/pam.d/password-auth +The output should be similar to the following: +password requisite pam_pwquality.so + Is it the case that pam_pwquality.so is not enabled in password-auth? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command: - -$ sudo auditctl -l | grep /var/log/tallylog - --w /var/log/tallylog -p wa -k logins - Is it the case that the command does not return a line, or the line is commented out? + + Verify that the system is integrated with a centralized authentication mechanism +such as as Active Directory, Kerberos, Directory Server, etc. that has +automated account mechanisms in place. + Is it the case that the system is not using a centralized authentication mechanism, or it is not automated? 
- - -Run the following command to determine if the glance_use_execmem SELinux boolean is disabled: -$ getsebool glance_use_execmem -If properly configured, the output should show the following: -glance_use_execmem --> off - Is it the case that glance_use_execmem is not disabled? + + To verify that cryptography policy has been configured correctly, run the +following command: +$ update-crypto-policies --show +The output should return . +Run the command to check if the policy is correctly applied: +$ update-crypto-policies --is-applied +The output should be The configured policy is applied. +Moreover, check if settings for selected crypto policy are as expected. +List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends. +$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort +Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory. +$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort +Outputs of two previous commands should match. + Is it the case that cryptographic policy is not configured or is configured incorrectly? 
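Review bot: the overflow_action check contradicts itself: it first states "The output should contain overflow_action = syslog", then accepts "syslog, single, halt". State the accepted set once, e.g. "The output should show overflow_action set to syslog, single or halt", so the expected-output line is not read as a finding when single or halt is configured. Minor: "such as as Active Directory" in the centralized-authentication check has a doubled "as".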
@@ -373083,1450 +373753,1251 @@ The output has to be exactly as follows: Is it the case that the file does not exist or the content differs? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one numeric character be used. -$ sudo auditctl -l | grep ssh-agent +Check the value for "dcredit" with the following command: --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent - Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +/etc/security/pwquality.conf:dcredit = + Is it the case that the value of "dcredit" is a positive number or is commented out? - + + To verify the assigned home directory of all interactive user home directories +have a mode of 0750 or less permissive, run the following command: +$ sudo ls -l /home +Inspect the output for any directories with incorrect permissions. + Is it the case that they are more permissive? + + + + To determine if the system is configured to audit unsuccessful calls +to the fchmodat system call, run the following command: +$ sudo grep "fchmodat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + Verify the noexec option is configured for the /tmp mount point, + run the following command: + $ sudo mount | grep '\s/tmp\s' + . . . /tmp . . . noexec . . . + + Is it the case that the "/tmp" file system does not have the "noexec" option set? 
+ + + -Run the following command to determine if the samba_share_nfs SELinux boolean is disabled: -$ getsebool samba_share_nfs -If properly configured, the output should show the following: -samba_share_nfs --> off - Is it the case that samba_share_nfs is not disabled? + +Run the following command to determine the current status of the +nails service: +$ sudo systemctl is-active nails +If the service is running, it should return the following: active + Is it the case that ? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog" with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep /var/log/tallylog --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd +-w /var/log/tallylog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? - - The runtime status of the net.ipv4.ip_local_port_range kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.ip_local_port_range -32768 65535. + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the correct value is not returned? + Is it the case that no line is returned? - + -Run the following command to determine if the virt_use_nfs SELinux boolean is disabled: -$ getsebool virt_use_nfs +Run the following command to determine if the ftpd_use_cifs SELinux boolean is disabled: +$ getsebool ftpd_use_cifs If properly configured, the output should show the following: -virt_use_nfs --> off - Is it the case that virt_use_nfs is not disabled? 
- - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_ARM64_SW_TTBR0_PAN /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +ftpd_use_cifs --> off + Is it the case that ftpd_use_cifs is not disabled? - - The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra -0. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the xdm_exec_bootloader SELinux boolean is disabled: +$ getsebool xdm_exec_bootloader +If properly configured, the output should show the following: +xdm_exec_bootloader --> off + Is it the case that xdm_exec_bootloader is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_PROC_KCORE /boot/config.* + $ grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config.* - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. + For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To determine if the system is configured to audit unsuccessful calls -to the removexattr system call, run the following command: -$ sudo grep "removexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes ipv6.disable=1, +then the parameter will be configured for newly installed kernels. 
+First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'ipv6.disable=1' +The command should not return any output. + Is it the case that IPv6 is not disabled? - - -Run the following command to determine if the ssh_keysign SELinux boolean is disabled: -$ getsebool ssh_keysign -If properly configured, the output should show the following: -ssh_keysign --> off - Is it the case that ssh_keysign is not disabled? + + Run the following command to determine if the abrt-plugin-rhtsupport package is installed: +$ rpm -q abrt-plugin-rhtsupport + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + + To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: -$ sudo auditctl -l | grep /var/log/lastlog +$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config --w /var/log/lastlog -p wa -k logins - Is it the case that the command does not return a line, or the line is commented out? +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? 
- - -Run the following command to determine if the zebra_write_config SELinux boolean is disabled: -$ getsebool zebra_write_config -If properly configured, the output should show the following: -zebra_write_config --> off - Is it the case that zebra_write_config is not disabled? + + To ensure that users cannot change session idle and lock settings, run the following: +$ grep 'idle-delay' /etc/dconf/db/local.d/locks/* +If properly configured, the output should return: +/org/gnome/desktop/session/idle-delay + Is it the case that idle-delay is not locked? - - -To check that the rsh service is disabled in system boot configuration with xinetd, run the following command: -$ chkconfig rsh --list -Output should indicate the rsh service has either not been installed, or has been disabled, as shown in the example below: -$ chkconfig rsh --list - -Note: This output shows SysV services only and does not include native -systemd services. SysV configuration data might be overridden by native -systemd configuration. - -If you want to list systemd services use 'systemctl list-unit-files'. -To see services enabled on particular target use -'systemctl list-dependencies [target]'. - -rsh off - -To check that the rsh socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled rsh -Output should indicate the rsh socket has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rshdisabled + + Determine where the audit logs are stored with the following command: -Run the following command to verify rsh is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active rsh +$ sudo grep -iw log_file /etc/audit/auditd.conf -If the socket is not running the command will return the following output: -inactive +log_file = /var/log/audit/audit.log -The socket will also be masked, to check that the rsh is masked, run the following command: -$ sudo systemctl show rsh | grep "LoadState\|UnitFileState" +Determine the owner of the audit log directory by using the output of the above command +(default: "/var/log/audit/"). Run the following command with the correct audit log directory +path: -If the socket is masked the command will return the following outputs: +$ sudo ls -ld /var/log/audit -LoadState=masked +drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit -UnitFileState=masked - Is it the case that service and/or socket are running? +The audit log directory must be owned by "root" + Is it the case that the directory is not owned by root? - - To verify that SSSD is configured for PAM services, run the following command: -$ sudo grep services /etc/sssd/sssd.conf -If configured properly, output should be similar to -services = pam - Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section? + + To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +$ sudo grep "delete_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + -Run the following command to determine if the mock_enable_homedirs SELinux boolean is disabled: -$ getsebool mock_enable_homedirs +Run the following command to determine if the condor_tcp_network_connect SELinux boolean is disabled: +$ getsebool condor_tcp_network_connect If properly configured, the output should show the following: -mock_enable_homedirs --> off - Is it the case that mock_enable_homedirs is not disabled? 
+condor_tcp_network_connect --> off + Is it the case that condor_tcp_network_connect is not disabled? - - -If the system is configured to prevent the loading of the atm kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r atm /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? + + To verify the boot loader superuser account has been set, run the following +command: +sudo grep -A1 "superusers" /boot/efi/EFI/redhat/grub.cfg +The output should show the following: +set superusers="superusers-account" +export superusers +where superusers-account is the actual account name different from common names like root, +admin, or administrator and different from any other existing user name. + Is it the case that superuser account is not set or is set to an existing name or to a common name? - - To ensure the user list is disabled, run the following command: -$ grep disable-user-list /etc/dconf/db/gdm.d/* -The output should be true. -To ensure that users cannot enable displaying the user list, run the following: -$ grep disable-user-list /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/disable-user-list - Is it the case that disable-user-list has not been configured or is not disabled? + + Run the following command to determine if the net-snmp package is installed: +$ rpm -q net-snmp + Is it the case that the package is installed? 
- - Run the following command to determine if the abrt-plugin-logger package is installed: -$ rpm -q abrt-plugin-logger - Is it the case that the package is installed? + + To check the permissions of /boot/grub2/grub.cfg, run the command: +$ sudo ls -lL /boot/grub2/grub.cfg +If properly configured, the output should indicate the following +permissions: -rw------- + Is it the case that it does not? - + -Run the following command to determine if the httpd_anon_write SELinux boolean is disabled: -$ getsebool httpd_anon_write +Run the following command to determine if the icecast_use_any_tcp_ports SELinux boolean is disabled: +$ getsebool icecast_use_any_tcp_ports If properly configured, the output should show the following: -httpd_anon_write --> off - Is it the case that httpd_anon_write is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_COMPAT_VDSO /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? +icecast_use_any_tcp_ports --> off + Is it the case that icecast_use_any_tcp_ports is not disabled? - - To check the permissions of /boot/efi/EFI/redhat/user.cfg, -run the command: -$ ls -l /boot/efi/EFI/redhat/user.cfg -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /boot/efi/EFI/redhat/user.cfg does not have unix mode -rw-------? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes mce=0, +then the parameter will be configured for newly installed kernels. 
+First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*mce=0.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*mce=0.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'mce=0' +The command should not return any output. + Is it the case that MCE tolerance is not set to zero? - - To check for virtual console entries which permit root login, run the -following command: -$ sudo grep ^vc/[0-9] /etc/securetty -If any output is returned, then root logins over virtual console devices is permitted. - Is it the case that root login over virtual console devices is permitted? + + Run the following command to determine if the mailx package is installed: $ rpm -q mailx + Is it the case that the package is not installed? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "restorecon" command with the following command: - -$ sudo auditctl -l | grep restorecon + + To determine if the system is configured to audit successful calls +to the ftruncate system call, run the following command: +$ sudo grep "ftruncate" /etc/audit.* +If the system is configured to audit this activity, it will return a line. --a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-restorecon - Is it the case that the command does not return a line, or the line is commented out? + Is it the case that no line is returned? - - The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried -by running the following command: -$ sysctl kernel.yama.ptrace_scope -1. - - Is it the case that the correct value is not returned? 
+ + To check for legacy lines in /etc/shadow, run the following command: + grep '^\+' /etc/shadow +The command should not return any output. + Is it the case that the file contains legacy lines? - - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config -and verify that the line matches: -Ciphers - Is it the case that Crypto Policy for OpenSSH client is not configured correctly? + + +Run the following command to determine if the authlogin_radius SELinux boolean is disabled: +$ getsebool authlogin_radius +If properly configured, the output should show the following: +authlogin_radius --> off + Is it the case that authlogin_radius is not disabled? - - To verify that no .java and .jpp files exist, run the -following command: -find / -name *.java -o -name *.jpp -The output should not return any .java or .jpp files - Is it the case that it is not? + + To check that virtual syscalls are disabled at boot time, check all boot entries with following command: +sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. + Is it the case that vsyscalls are enabled? - - + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. -Run the following command to determine the current status of the -pcscd service: -$ sudo systemctl is-active pcscd -If the service is running, it should return the following: active - Is it the case that the pcscd service is not enabled? +Check the value for "ucredit" with the following command: + +$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +ucredit = -1 + Is it the case that the value of "ucredit" is a positive number or is commented out? 
- - To check if only local user are impacted by pam_faillock, run the following command: -$ grep local_users_only /etc/security/faillock.conf -The output should return local_users_only not commented. - Is it the case that local_users_only is not uncommented or configured correctly? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To determine if use_pty has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that use_pty is not enabled in sudo? + + To determine that periodic AIDE execution has been scheduled, run the following command: + +$ grep aide /etc/crontab +The output should return something similar to the following: +05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost +The email address that the notifications are sent to can be changed by overriding +. + Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details? - + + Verify Red Hat Enterprise Linux 8 is configured to lock the root account after +unsuccessful logon attempts with the command: + + +$ grep even_deny_root /etc/security/faillock.conf +even_deny_root + Is it the case that the "even_deny_root" option is not set, is missing or commented out? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_BUG /boot/config.* + $ grep CONFIG_DEBUG_FS /boot/config.* - For each kernel installed, a line with value "y" should be returned. + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. 
Is it the case that the kernel was not built with the required value? - - Verify that Red Hat Enterprise Linux 8 generates an audit record for all uses of the "umount" and system call. -To determine if the system is configured to audit calls to the -"umount" system call, run the following command: -$ sudo grep "umount" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line like the following. --a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount - Is it the case that the command does not return a line, or the line is commented out? + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: - -$ sudo auditctl -l | grep ssh-keysign - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign - Is it the case that the command does not return a line, or the line is commented out? + + To check the permissions of /etc/cron.weekly, +run the command: +$ ls -l /etc/cron.weekly +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.weekly does not have unix mode -rwx------? - + -Run the following command to determine if the selinuxuser_execheap SELinux boolean is disabled: -$ getsebool selinuxuser_execheap +Run the following command to determine if the httpd_use_cifs SELinux boolean is disabled: +$ getsebool httpd_use_cifs If properly configured, the output should show the following: -selinuxuser_execheap --> off - Is it the case that selinuxuser_execheap is not disabled? 
+httpd_use_cifs --> off + Is it the case that httpd_use_cifs is not disabled? - - If the system uses IPv6, this is not applicable. - -If the system is configured to prevent the usage of the ipv6 on -network interfaces, it will contain a line of the form: -net.ipv6.conf.all.disable_ipv6 = 1 -Such lines may be inside any file in the /etc/sysctl.d directory. -This permits insertion of the IPv6 kernel module (which other parts of the -system expect to be present), but otherwise keeps all network interfaces -from using IPv6. Run the following command to search for such lines in all -files in /etc/sysctl.d: -$ grep -r ipv6 /etc/sysctl.d - Is it the case that the ipv6 support is disabled on all network interfaces? + + To check for serial port entries which permit root login, +run the following command: +$ sudo grep ^ttyS/[0-9] /etc/securetty +If any output is returned, then root login over serial ports is permitted. + Is it the case that root login over serial ports is permitted? - - Run the following command to determine open ports: -# ss -4tuln -Run the following command to determine firewall rules: -# iptables -L INPUT -v -n -For each port identified in the audit which does not have a firewall -rule, add rule for accepting or denying inbound connections -# iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT - Is it the case that open ports are denied connection? + + To verify that binaries cannot be directly executed from removable media, run the following command: +$ grep -v noexec /etc/fstab +The resulting output will show partitions which do not have the noexec flag. Verify all partitions +in the output are not removable media. + Is it the case that removable media partitions are present? 
- + - -Run the following command to determine the current status of the -systemd-journald service: -$ sudo systemctl is-active systemd-journald -If the service is running, it should return the following: active - Is it the case that the systemd-journald service is not running? +Run the following command to determine if the unconfined_login SELinux boolean is enabled: +$ getsebool unconfined_login +If properly configured, the output should show the following: +unconfined_login --> on + Is it the case that unconfined_login is not enabled? - - Review the web site to determine if HTTP and HTTPs are used in accordance with -well known ports (e.g., 80 and 443) or those ports and services as registered -and approved for use by the DoD PPSM. - -To configure firewalld to allow http access, run the following command(s): -firewall-cmd --permanent --add-service=http -Then run the following command to load the newly created rule(s): -firewall-cmd --reload - -To configure firewalld to allow https access, run the following command(s): -firewall-cmd --permanent --add-service=https -Then run the following command to load the newly created rule(s): -firewall-cmd --reload - Is it the case that it is not? + + Run the following command to determine if the tar package is installed: $ rpm -q tar + Is it the case that the package is not installed? - - To determine if requiretty has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\brequiretty\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that requiretty is not enabled in sudo? + + To determine if NOPASSWD has been configured for the vdsm user for sudo, +run the following command: +$ sudo grep -ri nopasswd /etc/sudoers.d/ +The command should return output only for the vdsm user. + Is it the case that nopasswd is set for any users beyond vdsm? 
- - To check that the snmpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled snmpd -Output should indicate the snmpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled snmpd disabled - -Run the following command to verify snmpd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active snmpd + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -If the service is not running the command will return the following output: -inactive +$ sudo auditctl -l | grep semanage -The service will also be masked, to check that the snmpd is masked, run the following command: -$ sudo systemctl show snmpd | grep "LoadState\|UnitFileState" +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + Is it the case that the command does not return a line, or the line is commented out? + + + + +Run the following command to determine if the sysadm_exec_content SELinux boolean is enabled: +$ getsebool sysadm_exec_content +If properly configured, the output should show the following: +sysadm_exec_content --> on + Is it the case that sysadm_exec_content is not enabled? + + + + Open browser window and browse to the appropriate site. Before entry to the +site, you should be presented with the server's PKI credentials. Review +these credentials for authenticity. -If the service is masked the command will return the following outputs: +For DoD, find an entry which cites: -LoadState=masked +Issuer: +CN = +DOD CLASS 3 CA-3 +OU = PKI +OU = DoD +O = U.S. Government +C = US -UnitFileState=masked - Is it the case that the "snmpd" is loaded and not masked? + Is it the case that it is not? 
- + + Run the following command to determine if the gssproxy package is installed: +$ rpm -q gssproxy + Is it the case that the package is installed? + + + + Run the following command and verify remote server is configured properly: +# grep -E "^(server|pool)" /etc/chrony.conf + Is it the case that a remote time server is not configured? + + + + To verify if SSLVerifyClient is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i sslverifyclient /etc/httpd/conf/httpd.conf +The command should return the following: +SSLVerifyClient require + Is it the case that it is not? + + + + +Run the following command to determine if the nagios_run_pnp4nagios SELinux boolean is disabled: +$ getsebool nagios_run_pnp4nagios +If properly configured, the output should show the following: +nagios_run_pnp4nagios --> off + Is it the case that nagios_run_pnp4nagios is not disabled? + + + + The ypbind package can be removed with the following command: $ sudo yum erase ypbind + Is it the case that ? + + + To determine if the system is configured to audit successful calls -to the openat system call, run the following command: -$ sudo grep "openat" /etc/audit.* +to the chown system call, run the following command: +$ sudo grep "chown" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes spectre_v2=on, -then the parameter will be configured for newly installed kernels. 
-First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spectre_v2=on.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*spectre_v2=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'spectre_v2=on' -The command should not return any output. - Is it the case that spectre_v2 mitigation is not enforced? + + To check the password warning age, run the command: +$ grep PASS_WARN_AGE /etc/login.defs +The DoD requirement is 7. + Is it the case that it is not set to the required value? - - Run the following command to determine if the libpwquality package is installed: -$ rpm -q libpwquality - Is it the case that the package is not installed? + + To check the ownership of /etc/cron.d, +run the command: +$ ls -lL /etc/cron.d +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.d does not have an owner of root? - - To verify that cryptography policy has been configured correctly, run the -following command: -$ update-crypto-policies --show -The output should return . -Run the command to check if the policy is correctly applied: -$ update-crypto-policies --is-applied -The output should be The configured policy is applied. -Moreover, check if settings for selected crypto policy are as expected. -List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends. -$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort -Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory. 
-$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort -Outputs of two previous commands should match. - Is it the case that cryptographic policy is not configured or is configured incorrectly? + + +Run the following command to determine if the xserver_object_manager SELinux boolean is disabled: +$ getsebool xserver_object_manager +If properly configured, the output should show the following: +xserver_object_manager --> off + Is it the case that xserver_object_manager is not disabled? - + -Run the following command to determine if the smbd_anon_write SELinux boolean is disabled: -$ getsebool smbd_anon_write +Run the following command to determine if the polipo_connect_all_unreserved SELinux boolean is disabled: +$ getsebool polipo_connect_all_unreserved If properly configured, the output should show the following: -smbd_anon_write --> off - Is it the case that smbd_anon_write is not disabled? +polipo_connect_all_unreserved --> off + Is it the case that polipo_connect_all_unreserved is not disabled? - - To ensure that users cannot change session idle and lock settings, run the following: -$ grep 'lock-delay' /etc/dconf/db/local.d/locks/* -If properly configured, the output should return: -/org/gnome/desktop/screensaver/lock-delay - Is it the case that GNOME3 session settings are not locked or configured properly? + + The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.accept_redirects +0. + + Is it the case that the correct value is not returned? - - Run the following command to determine if the pigz package is installed: -$ rpm -q pigz - Is it the case that the package is installed? + + The tftp package can be removed with the following command: $ sudo yum erase tftp + Is it the case that ? 
- - To determine how the SSH daemon's PermitRootLogin option is set, run the following command: + + To determine if the system is configured to audit successful calls +to the fremovexattr system call, run the following command: +$ sudo grep "fremovexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config + Is it the case that no line is returned? + + + + -If a line indicating prohibit-password is returned, then the required value is set. - Is it the case that it is commented out or not configured properly? +Run the following command to determine the current status of the +firewalld service: +$ sudo systemctl is-active firewalld +If the service is running, it should return the following: active + Is it the case that the "firewalld" service is disabled, masked, or not started.? - + -Run the following command to determine if the httpd_can_network_memcache SELinux boolean is disabled: -$ getsebool httpd_can_network_memcache +Run the following command to determine if the httpd_use_nfs SELinux boolean is disabled: +$ getsebool httpd_use_nfs If properly configured, the output should show the following: -httpd_can_network_memcache --> off - Is it the case that httpd_can_network_memcache is not disabled? +httpd_use_nfs --> off + Is it the case that httpd_use_nfs is not disabled? - - To ensure screen locking on smartcard removal is enabled, run the following command: -$ grep removal-action /etc/dconf/db/local.d/* -The output should be 'lock-screen'. -To ensure that users cannot disable screen locking on smartcard removal, run the following: -$ grep removal-action /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action - Is it the case that removal-action has not been configured? 
+ + To verify that McAfee HIPS is installed, run the following command(s): +$ rpm -q MFEhiplsm + Is it the case that the HBSS HIPS module is not installed? - + + Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command: +$ grep -w port /etc/chrony.conf +port 0 + Is it the case that the "port" option is not set to "0", is commented out, or is missing? + + + -Run the following command to determine if the zarafa_setrlimit SELinux boolean is disabled: -$ getsebool zarafa_setrlimit +Run the following command to determine if the mozilla_plugin_bind_unreserved_ports SELinux boolean is disabled: +$ getsebool mozilla_plugin_bind_unreserved_ports If properly configured, the output should show the following: -zarafa_setrlimit --> off - Is it the case that zarafa_setrlimit is not disabled? +mozilla_plugin_bind_unreserved_ports --> off + Is it the case that mozilla_plugin_bind_unreserved_ports is not disabled? - - Shared libraries are stored in the following directories: -/lib -/lib64 -/usr/lib -/usr/lib64 - -To find shared libraries that are group-writable or world-writable, -run the following command for each directory DIR which contains shared libraries: -$ sudo find -L DIR -perm /022 -type d - Is it the case that any of these files are group-writable or world-writable? + + To check the permissions of /var/log/syslog, +run the command: +$ ls -l /var/log/syslog +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /var/log/syslog does not have unix mode -rw-r-----? - - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -$ sudo grep "fchmod" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + Verify that there are no shosts.equiv files on the system, run the following command: +$ find / -name shosts.equiv + Is it the case that shosts.equiv files exist? - - To check the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: -$ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg -If properly configured, the output should indicate the following -permissions: -rwx------ - Is it the case that it does not? + + If the system is not using TLS, set the ldap_id_use_start_tls option +in /etc/sssd/sssd.conf to true. + Is it the case that the 'ldap_id_use_start_tls' option is not set to 'true'? - - To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -$ sudo grep "fremovexattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Run the following command to determine if the setroubleshoot-server package is installed: +$ rpm -q setroubleshoot-server + Is it the case that the package is installed? - - To check the permissions of /var/log/messages, -run the command: -$ ls -l /var/log/messages -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /var/log/messages does not have unix mode -rw-r-----? + + To check that SELinux is not disabled at boot time; +Check that no boot entry disables selinux: +sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that disables SELinux. + Is it the case that SELinux is disabled at boot time? - - To determine if the system is configured to audit unsuccessful calls -to the fremovexattr system call, run the following command: -$ sudo grep "fremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + To verify the audispd's syslog plugin is active, run the following command: +$ sudo grep active /etc/audit/plugins.d/syslog.conf +If the plugin is active, the output will show yes. + Is it the case that it is not activated? - - Verify Red Hat Enterprise Linux 8 is configured to lock the root account after -unsuccessful logon attempts with the command: - - -$ grep even_deny_root /etc/security/faillock.conf -even_deny_root - Is it the case that the "even_deny_root" option is not set, is missing or commented out? + + Only FIPS ciphers should be used. To verify that only FIPS-approved +ciphers are in use, run the following command: +$ sudo grep Ciphers /etc/ssh/sshd_config +The output should contain only those ciphers which are FIPS-approved. + Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? - - Inspect the system to determine if intrusion detection software has been installed. -Verify this intrusion detection software is active. - Is it the case that no host-based intrusion detection tools are installed? + + To determine the status and frequency of logrotate, run the following command: +$ sudo grep logrotate /var/log/cron* +If logrotate is configured properly, output should include references to +/etc/cron.daily. + Is it the case that logrotate is not configured to run daily? - - Verify that Red Hat Enterprise Linux 8 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: - -$ sudo grep admin_space_left_action /etc/audit/auditd.conf - -admin_space_left_action = single - -If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. - Is it the case that there is no evidence that real-time alerts are configured on the system? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: - -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; - Is it the case that any system commands are found to be group-writable or world-writable? + + To determine if umask has been configured for sudo with the appropriate value, +run the following command: +$ sudo grep -ri '^Defaults.*umask=' /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that umask is not set with the appropriate value for sudo? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: - -$ sudo auditctl -l | grep postqueue - --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine if the audit package is installed: $ rpm -q audit + Is it the case that the audit package is not installed? - - Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins - Is it the case that the package is not installed? + + Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server + Is it the case that the package is installed? - - Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. + + If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. 
-Check if "SELinux" is active and in "" mode with the following command: +This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. -$ sudo getenforce +This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. - Is it the case that SELINUX is not set to enforcing? - - - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes slab_nomerge=yes, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slab_nomerge=yes.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*slab_nomerge=yes.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'slab_nomerge=yes' -The command should not return any output. - Is it the case that merging of slabs with similar size is enabled? - - - - Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: +For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. -$ sudo grep audit /etc/security/faillock.conf +For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. -audit - Is it the case that the "audit" option is not set, is missing or commented out? 
- - - - The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried -by running the following command: -$ sysctl net.core.bpf_jit_harden -2. +If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: - Is it the case that the correct value is not returned? +Verify the operating system disables the ability to load the uvcvideo kernel module. + +$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" + +install uvcvideo /bin/true + Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? - - To check the group ownership of /boot/grub2/user.cfg, -run the command: -$ ls -lL /boot/grub2/user.cfg -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /boot/grub2/user.cfg does not have a group owner of root? + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the rename system call. 
+ +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r rename /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep rename /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete + Is it the case that the command does not return a line, or the line is commented out? - + -Run the following command to determine if the puppetagent_manage_all_files SELinux boolean is disabled: -$ getsebool puppetagent_manage_all_files +Run the following command to determine if the gssd_read_tmp SELinux boolean is enabled: +$ getsebool gssd_read_tmp If properly configured, the output should show the following: -puppetagent_manage_all_files --> off - Is it the case that puppetagent_manage_all_files is not disabled? +gssd_read_tmp --> on + Is it the case that gssd_read_tmp is not enabled? - - To check the ownership of /etc/shadow-, -run the command: -$ ls -lL /etc/shadow- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/shadow- does not have an owner of root? + + To determine if !authenticate has not been configured for sudo, run the following command: +$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that !authenticate is specified in the sudo config files? 
- - -Run the following command to determine if the httpd_can_connect_mythtv SELinux boolean is disabled: -$ getsebool httpd_can_connect_mythtv -If properly configured, the output should show the following: -httpd_can_connect_mythtv --> off - Is it the case that httpd_can_connect_mythtv is not disabled? + + Run the following command to determine if the ypserv package is installed: +$ rpm -q ypserv + Is it the case that the package is installed? - - Run the following command to determine the current status of the logrotate timer: $ sudo systemctl is-active logrotate.timer If the timer is running, it should return the following: active - Is it the case that logrotate timer is not enabled? + + Verify the hidepid=value option is configured for the /proc mount point, + run the following command: + $ sudo mount | grep '\s/proc\s' + . . . /proc . . . hidepid=value . . . + + Is it the case that the "/proc" file system does not have the "hidepid=value" option set? - - Find the list of alias maps used by the Postfix mail server: -$ sudo postconf alias_maps -Query the Postfix alias maps for an alias for the postmaster user: -$ sudo postmap -q postmaster hash:/etc/aliases -The output should return root. - Is it the case that the alias is not set or is not root? + + To check the permissions of /boot/Sysem.map-*, +run the command: +$ ls -l /boot/Sysem.map-* +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that ? - + + +Run the following command to determine if the logging_syslogd_run_nagios_plugins SELinux boolean is disabled: +$ getsebool logging_syslogd_run_nagios_plugins +If properly configured, the output should show the following: +logging_syslogd_run_nagios_plugins --> off + Is it the case that logging_syslogd_run_nagios_plugins is not disabled? 
+ + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_LIST /boot/config.* + $ grep CONFIG_BUG /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - -Run the following command to determine if the tmpreaper_use_samba SELinux boolean is disabled: -$ getsebool tmpreaper_use_samba -If properly configured, the output should show the following: -tmpreaper_use_samba --> off - Is it the case that tmpreaper_use_samba is not disabled? + + Verify the nosuid option is configured for the /boot/efi mount point, + run the following command: + $ sudo mount | grep '\s/boot/efi\s' + . . . /boot/efi . . . nosuid . . . + + Is it the case that the "/boot/efi" file system does not have the "nosuid" option set? - - -Run the following command to determine if the pppd_for_user SELinux boolean is disabled: -$ getsebool pppd_for_user -If properly configured, the output should show the following: -pppd_for_user --> off - Is it the case that pppd_for_user is not disabled? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + +$ sudo auditctl -l | grep passwd + +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the gitosis_can_sendmail SELinux boolean is disabled: -$ getsebool gitosis_can_sendmail -If properly configured, the output should show the following: -gitosis_can_sendmail --> off - Is it the case that gitosis_can_sendmail is not disabled? + + To check the ownership of /etc/issue, +run the command: +$ ls -lL /etc/issue +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/issue does not have an owner of root? 
- - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_IPV6 /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + To check the permissions of /etc/group-, +run the command: +$ ls -l /etc/group- +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/group- does not have unix mode -rw-r--r--? - - To determine how the SSH daemon's PermitRootLogin option is set, run the following command: - -$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config - -If a line indicating no is returned, then the required value is set. + + Verify the noexec option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . noexec . . . - Is it the case that the required value is not set? + Is it the case that the "/boot" file system does not have the "noexec" option set? - - Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification. - -Check the group-owner of each audit tool by running the following command: - -$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + + To determine if the system is configured to audit account changes, +run the following command: +auditctl -l | grep -E '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? + + + + Verify the grpquota option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . grpquota . . 
. -root /sbin/auditctl -root /sbin/aureport -root /sbin/ausearch -root /sbin/autrace -root /sbin/auditd -root /sbin/rsyslogd -root /sbin/augenrules - Is it the case that any audit tools are not group-owned by root? + Is it the case that the "/home" file system does not have the "grpquota" option set? - - To verify that the operating system protects against or limits the effects of DoS -attacks by ensuring implementation of rate-limiting measures -on impacted network interfaces, run the following command: -# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/* -The command should output the following line: -/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = -The file where the line has been found can differ, but it must be either /etc/sysctl.conf -or a file located under the /etc/sysctl.d/ directory. - Is it the case that rate limiting of duplicate TCP acknowledgments is not configured? + + To determine if the system is configured to audit changes to its SELinux +configuration files, run the following command: +$ sudo auditctl -l | grep "dir=/etc/selinux" +If the system is configured to watch for changes to its SELinux +configuration, a line should be returned (including +perm=wa indicating permissions that are watched). + Is it the case that the system is not configured to audit attempts to change the MAC policy? - - Verify it by running the following command: -$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules - -/sbin/auditctl 755 -/sbin/aureport 755 -/sbin/ausearch 755 -/sbin/autrace 755 -/sbin/auditd 755 -/sbin/audispd 755 -/sbin/augenrules 755 - - -If the command does not return all the above lines, the missing ones -need to be added. - -Run the following command to correct the permissions of the missing -entries: -$ sudo chmod 0755 [audit_tool] - -Replace "[audit_tool]" with the audit tool that does not have the -correct permissions. - Is it the case that ? 
+ + Verify that DNS servers have been configured properly, perform the following: +$ sudo grep nameserver /etc/resolv.conf + Is it the case that less than two lines are returned that are not commented out? - + + +Run the following command to determine if the httpd_run_preupgrade SELinux boolean is disabled: +$ getsebool httpd_run_preupgrade +If properly configured, the output should show the following: +httpd_run_preupgrade --> off + Is it the case that httpd_run_preupgrade is not disabled? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config.* + $ grep CONFIG_DEBUG_LIST /boot/config.* - For each kernel installed, a line with value "65536" should be returned. + For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Inspect all instances of DocumentRoot and Alias. No -robots.txt file should exist. - Is it the case that it is not? - - - - To check the permissions of /etc/cron.hourly, -run the command: -$ ls -l /etc/cron.hourly -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.hourly does not have unix mode -rwx------? + + +Run the following command to determine if the mcelog_exec_scripts SELinux boolean is enabled: +$ getsebool mcelog_exec_scripts +If properly configured, the output should show the following: +mcelog_exec_scripts --> on + Is it the case that mcelog_exec_scripts is not enabled? - - To determine if the system is configured to audit successful calls -to the fchmod system call, run the following command: -$ sudo grep "fchmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? 
+ + To verify if the mod_perl is installed, run the following command: +$ rpm -qa | grep mod_perl +If the mod_perl module is installed, verify that PerlSwitches -T +is enabled in /etc/httpd/conf.d/perl.conf by running the following +command: +$ grep -i "PerlSwitches -T" /etc/httpd/conf.d/perl.conf +The output should return uncommented: +PerlSwitches -T + Is it the case that it is not? - - To determine how the SSH daemon's LogLevel option is set, run the following command: - -$ sudo grep -i LogLevel /etc/ssh/sshd_config - -If a line indicating INFO is returned, then the required value is set. - - Is it the case that the required value is not set? + + To verify that SSSD's in-memory cache expires after a day, run the following command: +$ sudo grep memcache_timeout /etc/sssd/sssd.conf +If configured properly, output should be memcache_timeout = . + Is it the case that it does not exist or is not configured properly? - - Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services - Is it the case that the iptables-services package is not installed? + + Run the following command to check if the line is present: +grep pam_wheel /etc/pam.d/su +The output should contain the following line: +auth required pam_wheel.so use_uid group= + Is it the case that the line is not in the file or it is commented? - - Run the following command to determine if the rsyslog-gnutls package is installed: -$ rpm -q rsyslog-gnutls + + Run the following command to determine if the abrt-plugin-logger package is installed: +$ rpm -q abrt-plugin-logger Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 for PKI-based authentication has valid certificates by constructing a -certification path (which includes status information) to an accepted trust anchor. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the openat system call with O_TRUNC_WRITE flag. 
-Check that the system has a valid DoD root CA installed with the following command: - -$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem - -Certificate: -Data: -Version: 3 (0x2) -Serial Number: 1 (0x1) -Signature Algorithm: sha256WithRSAEncryption -Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 -Validity -Not Before: Mar 20 18:46:41 2012 GMT -Not After : Dec 30 18:46:41 2029 GMT -Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 -Subject Public Key Info: -Public Key Algorithm: rsaEncryption - Is it the case that root CA file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location? - - - - To check that the vsftpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled vsftpd -Output should indicate the vsftpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled vsftpd disabled - -Run the following command to verify vsftpd is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active vsftpd +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -If the service is not running the command will return the following output: -inactive +$ sudo grep -r openat /etc/audit/rules.d -The service will also be masked, to check that the vsftpd is masked, run the following command: -$ sudo systemctl show vsftpd | grep "LoadState\|UnitFileState" +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -If the service is masked the command will return the following outputs: +$ sudo grep openat /etc/audit/audit.rules -LoadState=masked +The output should be the following: -UnitFileState=masked - Is it the case that the "vsftpd" is loaded and not masked? - - - - To check that virtual syscalls are disabled at boot time, check all boot entries with following command: -sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. - Is it the case that vsyscalls are enabled? +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + Is it the case that the command does not return a line, or the line is commented out? - - Ensure that CGI backup scripts are not left on the production web server. -This check is limited to CGI/interactive content and not static HTML. 
- -Search for backup copies of CGI scripts on the web server or ask the Web -Administrator if they keep backup copies of CGI scripts on the web server. - -Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, -*.??0. This would also apply to .jsp files. - -On Red Hat Enterprise Linux, run the following commands to find backup -scripts: -find / name "*.bak" -print -find / name "*.*" -print -find / name "*.old" -print - Is it the case that If fileos with these extensions have no relationship with web activity, -such as backup batch file for operating system utility, and they are -not accessible by the web application, this is not a finding. - -If files with these extensions are found in either the document -directory or the home directory of the web server, this is -a finding. + + The following command will discover and print any +files on local partitions which do not belong to a valid group. +$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup -If files with these extensions are stored in a repository (not in the -document root) as backups for the web server? - - - - Make sure that the kernel is configured to trust the CPU RNG by following -commands. To check if the option was correctly configured at kernel compile -time, run the following command: -grep -q CONFIG_RANDOM_TRUST_CPU=y /boot/config-`uname -r` -If the command outputs: -CONFIG_RANDOM_TRUST_CPU=y, -it means that the option is compiled into the kernel. Make sure that the -option is not overridden through a boot parameter: -sudo grep 'kernelopts.*random\.trust_cpu=off.*' /boot/grub2/grubenv -The command should not return any output. If the option is not compiled into -the kernel, check that the option is configured through boot parameter. -Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes random.trust_cpu=on, -then the parameter will be configured for newly installed kernels. 
-First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*random.trust_cpu=on.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*random.trust_cpu=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'random.trust_cpu=on' -The command should not return any output. - Is it the case that the kernel is not configured to trust the CPU RNG? - - - - To verify that HBSS ACCM is installed, run the following command(s): -$ sudo ls /opt/McAfee/accm/bin/accm - Is it the case that the HBSS ACCM module is not installed? +Either remove all files and directories from the system that do not have a valid group, +or assign a valid group with the chgrp command: +$ sudo chgrp group file + Is it the case that there is output? - - -Run the following command to determine if the tftp_home_dir SELinux boolean is disabled: -$ getsebool tftp_home_dir -If properly configured, the output should show the following: -tftp_home_dir --> off - Is it the case that tftp_home_dir is not disabled? + + Run the following command to see what the timeout interval is: +$ sudo grep ClientAliveInterval /etc/ssh/sshd_config +If properly configured, the output should be: +ClientAliveInterval + Is it the case that it is commented out or not configured properly? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the openat system call with O_CREAT flag. 
- -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r openat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + + Verify emergency accounts have been provisioned with an expiration date of 72 hours. -$ sudo grep openat /etc/audit/audit.rules +For every emergency account, run the following command to obtain its account aging and expiration information: -The output should be the following: +$ sudo chage -l emergency_account_name --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? +Verify each of these accounts has an expiration date set within 72 hours or as documented. + Is it the case that any emergency accounts have no expiration date set or do not expire within 72 hours? 
- - To check that the named service is disabled in system boot configuration, + + To check that the nfs-server service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled named -Output should indicate the named service has either not been installed, +$ sudo systemctl is-enabled nfs-server +Output should indicate the nfs-server service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled named disabled +$ sudo systemctl is-enabled nfs-server disabled -Run the following command to verify named is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active named +Run the following command to verify nfs-server is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active nfs-server If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the named is masked, run the following command: -$ sudo systemctl show named | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the nfs-server is masked, run the following command: +$ sudo systemctl show nfs-server | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "named" is loaded and not masked? + Is it the case that the "nfs-server" is loaded and not masked? - - To determine if the system is configured to audit successful calls -to the open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit.* + + Run the following command to determine if the avahi-autoipd package is installed: +$ rpm -q avahi-autoipd + Is it the case that the package is installed? 
+ + + + Run the following command to determine if the krb5-server package is installed: $ rpm -q krb5-server + Is it the case that the package is installed? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +$ sudo grep "open" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To verify that each web content directory exists on separate partitions, -run the following command: -$ grep `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` /etc/fstab -Each of the corresponding DocumentRoot entries should have a -corresponding entry in /etc/fstab. - Is it the case that it is not? + + To ensure the tally directory is configured correctly, run the following command: +$ sudo grep 'dir =' /etc/security/faillock.conf +The output should show that dir is set to something other than "/var/run/faillock" + Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh + + To verify the audispd plugin off-loads audit records onto a different system or +media from the system being audited, run the following command: +$ sudo grep -i remote_server /etc/audit/audisp-remote.conf +The output should return something similar to +remote_server = + Is it the case that audispd is not sending logs to a remote system? 
+ + + + To verify that rsyslog's Forwarding Output Module is configured +to use TLS for logging to remote server, run the following command: +$ grep omfwd /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should include record similar to +action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" + StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on") --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh - Is it the case that the command does not return a line, or the line is commented out? +where the <remote system> present in the configuration line above must be a valid IP address or a host name of the remote logging server. + Is it the case that omfwd is not configured with gtls and AuthMode? - - To check the permissions of /etc/crontab, -run the command: -$ ls -l /etc/crontab -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/crontab does not have unix mode -rw-------? + + +Run the following command to determine if the httpd_mod_auth_ntlm_winbind SELinux boolean is disabled: +$ getsebool httpd_mod_auth_ntlm_winbind +If properly configured, the output should show the following: +httpd_mod_auth_ntlm_winbind --> off + Is it the case that httpd_mod_auth_ntlm_winbind is not disabled? - - To check the permissions of /var/log/syslog, + + To check the permissions of /var/log/messages, run the command: -$ ls -l /var/log/syslog +$ ls -l /var/log/messages If properly configured, the output should indicate the following permissions: -rw-r----- - Is it the case that /var/log/syslog does not have unix mode -rw-r-----? 
- - - - Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: - -$ sudo grep pam_faillock.so /etc/pam.d/system-auth - -auth required pam_faillock.so preauth -auth required pam_faillock.so authfail -account required pam_faillock.so - Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so? + Is it the case that /var/log/messages does not have unix mode -rw-r-----? - - - -Run the following command to determine the current status of the -chronyd service: -$ sudo systemctl is-active chronyd -If the service is running, it should return the following: active - Is it the case that the chronyd process is not running? + + To determine if the system is configured to audit calls to the +rmdir system call, run the following command: +$ sudo grep "rmdir" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +unlink system call, run the following command: +$ sudo grep "unlink" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +$ sudo grep "unlinkat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +rename system call, run the following command: +$ sudo grep "rename" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +renameat system call, run the following command: +$ sudo grep "renameat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? 
- - -To properly set the owner of /var/log/audit, run the command: -$ sudo chown root /var/log/audit - -To properly set the owner of /var/log/audit/*, run the command: -$ sudo chown root /var/log/audit/* - Is it the case that ? + + Run the following command to determine if the fapolicyd package is installed: $ rpm -q fapolicyd + Is it the case that the fapolicyd package is not installed? - - Check that AIDE is properly configured to protect the integrity of the -audit tools by running the following command: - -# sudo cat /etc/aide.conf | grep /usr/sbin/au - -/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - - -/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + + To determine how the SSH daemon's PermitRootLogin option is set, run the following command: +$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config -If AIDE is configured properly to protect the integrity of the audit tools, -all lines listed above will be returned from the command. +If a line indicating no is returned, then the required value is set. -If one or more lines are missing, this is a finding. - Is it the case that integrity checks of the audit tools are missing or incomplete? + Is it the case that the required value is not set? - - Verify that a separate file system/partition has been created for /var/tmp with the following command: + + Review the web site to determine if HTTP and HTTPs are used in accordance with +well known ports (e.g., 80 and 443) or those ports and services as registered +and approved for use by the DoD PPSM. 
-$ mountpoint /var/tmp +To configure firewalld to allow http access, run the following command(s): +firewall-cmd --permanent --add-service=http +Then run the following command to load the newly created rule(s): +firewall-cmd --reload - Is it the case that "/var/tmp is not a mountpoint" is returned? +To configure firewalld to allow https access, run the following command(s): +firewall-cmd --permanent --add-service=https +Then run the following command to load the newly created rule(s): +firewall-cmd --reload + Is it the case that it is not? - - Verify that Red Hat Enterprise Linux 8 does not have unauthorized IP tunnels configured. - - -# yum list installed libreswan -libreswan.x86-64 3.20-5.el7_4 - - -If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: - -# systemctl status ipsec -ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec -Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) -Active: inactive (dead) - - -If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following: -grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ -Verify any returned results for organizational approval. - Is it the case that the IPSec tunnels are not approved? + + Run the following command to determine if the iprutils package is installed: +$ rpm -q iprutils + Is it the case that the package is installed? - - To determine if the system is configured to audit successful calls -to the lremovexattr system call, run the following command: -$ sudo grep "lremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: - Is it the case that no line is returned? 
+$ sudo auditctl -l | grep postqueue + +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue + Is it the case that the command does not return a line, or the line is commented out? - - To check that the ypserv service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled ypserv -Output should indicate the ypserv service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled ypserv disabled - -Run the following command to verify ypserv is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active ypserv - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the ypserv is masked, run the following command: -$ sudo systemctl show ypserv | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "ypserv" is loaded and not masked? + + The following command will list which files on the system +have file hashes different from what is expected by the RPM database. +$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' + Is it the case that there is output? 
- - Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: + + Run the following command to ensure the TMOUT value is configured for all users +on the system: -$ sudo grep -i path= /home/*/.* +$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh -/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin - Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement? +The output should return the following: +TMOUT= + Is it the case that value of TMOUT is not less than or equal to expected setting? - - Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/system-auth file -and is configured to prohibit password reuse for a minimum of -generations. - -Verify the "/etc/pam.d/system-auth" file with the following command: - -$ grep pam_pwhistory.so /etc/pam.d/system-auth -password pam_pwhistory.so use_authtok remember= - + + To verify whether audispd plugin off-loads audit records onto a different +system or media from the system being audited, run the following command: -Verify the "/etc/security/pwhistory.conf" file using the following command: +$ sudo grep -i remote_server /etc/audit/audisp-remote.conf -$ grep remember /etc/security/pwhistory.conf -remember = +The output should return something similar to where REMOTE_SYSTEM +is an IP address or hostname: +remote_server = REMOTE_SYSTEM -The pam_pwhistory.so "remember" option must be configured only in one file. 
- Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in -/etc/pam.d/system-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set -with a value less than "<sub idref="var_password_pam_remember" />"? - - - - Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command: -$ grep -w port /etc/chrony.conf -port 0 - Is it the case that the "port" option is not set to "0", is commented out, or is missing? - - - - To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: +Determine which partition the audit records are being written to with the +following command: -$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config +$ sudo grep log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log -If a line indicating no is returned, then the required value is set. +Check the size of the partition that audit records are written to with the +following command and verify whether it is sufficiently large: - Is it the case that the required value is not set? +$ sudo df -h /var/log/audit/ +/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit + Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STACKPROTECTOR /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +$ sudo grep "init_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. 
+To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +$ sudo grep "delete_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? - + -Run the following command to determine if the httpd_can_sendmail SELinux boolean is disabled: -$ getsebool httpd_can_sendmail +Run the following command to determine if the selinuxuser_share_music SELinux boolean is disabled: +$ getsebool selinuxuser_share_music If properly configured, the output should show the following: -httpd_can_sendmail --> off - Is it the case that httpd_can_sendmail is not disabled? - - - - The runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra_pinfo -0. - - Is it the case that the correct value is not returned? +selinuxuser_share_music --> off + Is it the case that selinuxuser_share_music is not disabled? - - The runtime status of the kernel.perf_cpu_time_max_percent kernel parameter can be queried -by running the following command: -$ sysctl kernel.perf_cpu_time_max_percent -1. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the dhcpd_use_ldap SELinux boolean is disabled: +$ getsebool dhcpd_use_ldap +If properly configured, the output should show the following: +dhcpd_use_ldap --> off + Is it the case that dhcpd_use_ldap is not disabled? - - Inspect the file /etc/firewalld/firewalld.conf to determine -the default zone for the firewalld. It should be set to DefaultZone=drop: -$ sudo grep DefaultZone /etc/firewalld/firewalld.conf - Is it the case that the default zone is not set to DROP? + + Run the following command to determine if the abrt-addon-ccpp package is installed: +$ rpm -q abrt-addon-ccpp + Is it the case that the package is installed? 
- + -Run the following command to determine if the mount_anyfile SELinux boolean is enabled: -$ getsebool mount_anyfile +Run the following command to determine if the rsync_anon_write SELinux boolean is disabled: +$ getsebool rsync_anon_write If properly configured, the output should show the following: -mount_anyfile --> on - Is it the case that mount_anyfile is not enabled? +rsync_anon_write --> off + Is it the case that rsync_anon_write is not disabled? - - To determine if the system is configured to audit attempts to -alter time via the /etc/localtime file, run the following -command: -$ sudo auditctl -l | grep "watch=/etc/localtime" -If the system is configured to audit this activity, it will return a line. - Is it the case that the system is not configured to audit time changes? + + Run the following command to determine if the squid package is installed: +$ rpm -q squid + Is it the case that the package is installed? - + -Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled: -$ getsebool ssh_sysadm_login +Run the following command to determine if the logwatch_can_network_connect_mail SELinux boolean is disabled: +$ getsebool logwatch_can_network_connect_mail If properly configured, the output should show the following: -ssh_sysadm_login --> off - Is it the case that ssh_sysadm_login is not disabled? +logwatch_can_network_connect_mail --> off + Is it the case that logwatch_can_network_connect_mail is not disabled? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the rename system call. 
- -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r rename /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep rename /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine the current status of the dnf-automatic timer: $ sudo systemctl is-active dnf-automatic.timer If the timer is running, it should return the following: active + Is it the case that the dnf-automatic.timer is not enabled? - - Verify Red Hat Enterprise Linux 8 audits execution as another user. - -Check if Red Hat Enterprise Linux 8 is configured to audit the execution of the "execve" system call using the following command: - -$ sudo grep execve /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation --a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset-k user_emulation - Is it the case that the command does not return all lines, or the lines are commented out? + + To check if the system login banner is compliant, +run the following command: +$ cat /etc/issue + Is it the case that it does not display the required banner? 
- - To check that the rhnsd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rhnsd -Output should indicate the rhnsd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rhnsd disabled - -Run the following command to verify rhnsd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rhnsd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the rhnsd is masked, run the following command: -$ sudo systemctl show rhnsd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "rhnsd" is loaded and not masked? + + Run the following command to determine if the dnf-automatic package is installed: $ rpm -q dnf-automatic + Is it the case that the package is not installed? - - -Run the following command to determine if the samba_export_all_ro SELinux boolean is disabled: -$ getsebool samba_export_all_ro -If properly configured, the output should show the following: -samba_export_all_ro --> off - Is it the case that samba_export_all_ro is not disabled? + + Ensure there are no unconfined daemons running on the system, +the following command should produce no output: +$ sudo ps -eZ | grep "unconfined_service_t" + Is it the case that There are unconfined daemons running on the system? - - To determine if the system is configured to audit unsuccessful calls -to the setxattr system call, run the following command: -$ sudo grep "setxattr" /etc/audit.* + + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +$ sudo grep "fsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. 
Is it the case that no line is returned? - - -Run the following command to determine if the httpd_enable_ftp_server SELinux boolean is disabled: -$ getsebool httpd_enable_ftp_server -If properly configured, the output should show the following: -httpd_enable_ftp_server --> off - Is it the case that httpd_enable_ftp_server is not disabled? - - - - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one special character with the following command: - -$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + + To determine if the system is configured to audit unsuccessful calls +to the fchownat system call, run the following command: +$ sudo grep "fchownat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -ocredit = - Is it the case that value of "ocredit" is a positive number or is commented out? + Is it the case that no line is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_GCC_PLUGIN_LATENT_ENTROPY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To check for virtual console entries which permit root login, run the +following command: +$ sudo grep ^vc/[0-9] /etc/securetty +If any output is returned, then root logins over virtual console devices is permitted. + Is it the case that root login over virtual console devices is permitted? 
- - Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: + + Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: -$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf -The output should be -$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name - Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? +$ sudo grep -w space_left /etc/audit/auditd.conf + +space_left = % + Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value? 
@@ -374542,148 +375013,147 @@ If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HAL Is it the case that there is no evidence of appropriate action? - - The runtime status of the net.ipv6.conf.all.autoconf kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.autoconf -0. - - Is it the case that the correct value is not returned? + + +Run the following command to determine if the nscd_use_shm SELinux boolean is enabled: +$ getsebool nscd_use_shm +If properly configured, the output should show the following: +nscd_use_shm --> on + Is it the case that nscd_use_shm is not enabled? - - To check that the qpidd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled qpidd -Output should indicate the qpidd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled qpidd disabled - -Run the following command to verify qpidd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active qpidd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the qpidd is masked, run the following command: -$ sudo systemctl show qpidd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "qpidd" is loaded and not masked? + + To check the permissions of /etc/http/conf, +run the command: +$ ls -l /etc/http/conf +If properly configured, the output should indicate the following permissions: +-rwxr-x--- + Is it the case that ? 
- - To check that the cockpit service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled cockpit -Output should indicate the cockpit service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled cockpit disabled - -Run the following command to verify cockpit is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active cockpit - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the cockpit is masked, run the following command: -$ sudo systemctl show cockpit | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "cockpit" is loaded and not masked? + + +Run the following command to determine if the virt_use_rawip SELinux boolean is disabled: +$ getsebool virt_use_rawip +If properly configured, the output should show the following: +virt_use_rawip --> off + Is it the case that virt_use_rawip is not disabled? - - Run the following command to determine if the telnet-server package is installed: -$ rpm -q telnet-server - Is it the case that the package is installed? + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
- - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pt_chown" command with the following command: -$ grep "lock-session" /etc/tmux.conf +$ sudo auditctl -l | grep pt_chown -bind X lock-session +-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pt_chown + Is it the case that the command does not return a line, or the line is commented out? + + + + To verify that audit is configured for OSPP v4.2.1, run the following commands: +for file in "10-base-config" "11-loginuid" "30-ospp-v42" "43-module-load";do diff /etc/audit/rules.d/$file.rules /usr/share/doc/audit*/rules/$file.rules; done -Then, verify that the /etc/tmux.conf file can be read by other users than root: +If the system is configured properly, no lines should be returned. + Is it the case that the files are not there or differ? + + + + To determine if the system is configured to audit calls to the +umount2 system call, run the following command: +$ sudo grep "umount2" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo ls -al /etc/tmux.conf - Is it the case that the "lock-session" is not bound to a specific key? + Is it the case that no line is returned? - - To ensure the user home directory is not group-writable or world-readable, run the following: -# ls -ld /home/USER - Is it the case that the user home directory is group-writable or world-readable? + + To determine if NOPASSWD has been configured for sudo, run the following command: +$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that nopasswd is specified in the sudo config files? 
- + + To verify that repo_gpgcheck is configured properly, run the following +command: +$ grep repo_gpgcheck /etc/yum.conf +The output should return something similar to: +repo_gpgcheck=1 + Is it the case that gpgcheck is not enabled or configured correctly to verify repository metadata? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_VMAP_STACK /boot/config.* + $ grep CONFIG_MODULE_SIG_FORCE /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To check that the cpupower service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled cpupower -Output should indicate the cpupower service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled cpupower disabled - -Run the following command to verify cpupower is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active cpupower - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the cpupower is masked, run the following command: -$ sudo systemctl show cpupower | grep "LoadState\|UnitFileState" + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that the command does not return a line, or the line is commented out? + + + + Verify Red Hat Enterprise Linux 8 for PKI-based authentication has valid certificates by constructing a +certification path (which includes status information) to an accepted trust anchor. 
-If the service is masked the command will return the following outputs: +Check that the system has a valid DoD root CA installed with the following command: -LoadState=masked +$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem -UnitFileState=masked - Is it the case that the "cpupower" is loaded and not masked? - - - - To check for incorrectly labeled device files, run following commands: -$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" -$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" -It should produce no output in a well-configured system. - Is it the case that there is output? +Certificate: +Data: +Version: 3 (0x2) +Serial Number: 1 (0x1) +Signature Algorithm: sha256WithRSAEncryption +Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 +Validity +Not Before: Mar 20 18:46:41 2012 GMT +Not After : Dec 30 18:46:41 2029 GMT +Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 +Subject Public Key Info: +Public Key Algorithm: rsaEncryption + Is it the case that root CA file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location? - - To check the ownership of /etc/group, -run the command: -$ ls -lL /etc/group -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/group does not have an owner of root? + + +Run the following command to determine if the virt_use_usb SELinux boolean is disabled: +$ getsebool virt_use_usb +If properly configured, the output should show the following: +virt_use_usb --> off + Is it the case that virt_use_usb is not disabled? - - Run the following command to ensure that /tmp is configured as a -polyinstantiated directory: -$ sudo grep /tmp /etc/security/namespace.conf -The output should return the following: -/tmp /tmp/tmp-inst/ level root,adm - Is it the case that is not configured? 
+ + To verify the password reuse setting is compliant, run the following command: +$ grep remember /etc/pam.d/system-auth +The output should show the following at the end of the line: +remember= + + +In newer systems, the pam_pwhistory PAM module options can also be set in +"/etc/security/pwhistory.conf" file. Use the following command to verify: +$ grep remember /etc/security/pwhistory.conf +remember = + +The pam_pwhistory remember option must be configured only in one file. + Is it the case that the value of remember is not equal to or greater than the expected value? 
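Review bot: the DoD root CA check only ever looks at one certificate: `openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem` prints the first PEM block in the file and stops, so a bundle whose first entry is DoD Root CA 3 passes even if non-DoD or expired CAs follow it, and a bundle where the DoD CA is not first fails. Enumerate every certificate in the bundle instead, for example `openssl crl2pkcs7 -nocrl -certfile /etc/sssd/pki/sssd_auth_ca_db.pem | openssl pkcs7 -print_certs -noout -text`, and have the checker compare Issuer/Subject and Validity for each one rather than eyeballing a single header. Two smaller points in the same hunk: the repo_gpgcheck question asks whether "gpgcheck" is enabled while the command greps `repo_gpgcheck`, so the question should name repo_gpgcheck (and on RHEL 8 /etc/yum.conf is a symlink to /etc/dnf/dnf.conf, which is worth saying); and the pam_pwhistory check greps only /etc/pam.d/system-auth, whereas the RHEL 8 STIG checks both system-auth and password-auth, so the second file should be listed or the "configured only in one file" sentence will be read as applying to the PAM stack files too.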
@@ -374692,136 +375162,249 @@ $ rpm -q dhcp-server Is it the case that the package is installed? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes pti=on, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'pti=on' -The command should not return any output. - Is it the case that Kernel page-table isolation is not enabled? + + +Run the following command to determine if the httpd_dbus_avahi SELinux boolean is disabled: +$ getsebool httpd_dbus_avahi +If properly configured, the output should show the following: +httpd_dbus_avahi --> off + Is it the case that httpd_dbus_avahi is not disabled? - - Run the following command to determine if the libcap-ng-utils package is installed: $ rpm -q libcap-ng-utils - Is it the case that the package is not installed? + + +Run the following command to determine if the selinuxuser_execheap SELinux boolean is disabled: +$ getsebool selinuxuser_execheap +If properly configured, the output should show the following: +selinuxuser_execheap --> off + Is it the case that selinuxuser_execheap is not disabled? - - Run the following command to ensure the default FORWARD policy is DROP: -grep ":FORWARD" /etc/sysconfig/iptables -The output should be similar to the following: -$ sudo grep ":FORWARD" /etc/sysconfig/iptables -:FORWARD DROP [0:0 - Is it the case that the default policy for the FORWARD chain is not set to DROP? 
+ + To check the ownership of /etc/shadow-, +run the command: +$ ls -lL /etc/shadow- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/shadow- does not have an owner of root? - - To check that the rhsmcertd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rhsmcertd -Output should indicate the rhsmcertd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rhsmcertd disabled - -Run the following command to verify rhsmcertd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rhsmcertd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the rhsmcertd is masked, run the following command: -$ sudo systemctl show rhsmcertd | grep "LoadState\|UnitFileState" + + Verify that Red Hat Enterprise Linux 8 disables the use of user namespaces with the following commands: -If the service is masked the command will return the following outputs: +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. -LoadState=masked +The runtime status of the user.max_user_namespaces kernel parameter can be queried +by running the following command: +$ sysctl user.max_user_namespaces +0. -UnitFileState=masked - Is it the case that the "rhsmcertd" is loaded and not masked? - - - - To check the permissions of /etc/gshadow, -run the command: -$ ls -l /etc/gshadow -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/gshadow does not have unix mode ----------? + Is it the case that the correct value is not returned? 
- - To check that the squid service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled squid -Output should indicate the squid service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled squid disabled - -Run the following command to verify squid is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active squid - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the squid is masked, run the following command: -$ sudo systemctl show squid | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "squid" is loaded and not masked? + + To verify that Audit Daemon is configured to write logs to the disk, run the +following command: +$ sudo grep write_logs /etc/audit/auditd.conf +The output should return the following: +write_logs = yes + Is it the case that write_logs isn't set to yes? - - Inspect /etc/default/grub for any instances of selinux=0 -in the kernel boot arguments. Presence of selinux=0 indicates -that SELinux is disabled at boot time. - Is it the case that SELinux is disabled at boot time? + + +Run the following command to determine if the spamd_enable_home_dirs SELinux boolean is enabled: +$ getsebool spamd_enable_home_dirs +If properly configured, the output should show the following: +spamd_enable_home_dirs --> on + Is it the case that spamd_enable_home_dirs is not enabled? 
- + -Run the following command to determine if the httpd_execmem SELinux boolean is disabled: -$ getsebool httpd_execmem +Run the following command to determine if the authlogin_nsswitch_use_ldap SELinux boolean is disabled: +$ getsebool authlogin_nsswitch_use_ldap If properly configured, the output should show the following: -httpd_execmem --> off - Is it the case that httpd_execmem is not disabled? +authlogin_nsswitch_use_ldap --> off + Is it the case that authlogin_nsswitch_use_ldap is not disabled? - - To determine if the system is configured to audit successful calls -to the fchown system call, run the following command: -$ sudo grep "fchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + +Run the following command to determine if the use_samba_home_dirs SELinux boolean is disabled: +$ getsebool use_samba_home_dirs +If properly configured, the output should show the following: +use_samba_home_dirs --> off + Is it the case that use_samba_home_dirs is not disabled? + + + + To determine if negation is used to define commands users are allowed to execute using sudo, run the following command: +$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*' /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that /etc/sudoers file contains rules that define the set of allowed commands using negation? + + + + The runtime status of the net.ipv4.conf.all.shared_media kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.shared_media +0. - Is it the case that no line is returned? + Is it the case that the correct value is not returned? - - To check the ownership of /etc/gshadow-, -run the command: -$ ls -lL /etc/gshadow- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/gshadow- does not have an owner of root? 
+ + To ensure there are no read-write users, run the following command: +$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep 'rwuser' +There should be no output. + Is it the case that there are users who can write to SNMP values? - - To check the group ownership of /etc/cron.monthly, + + The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.secure_redirects +0. + + Is it the case that the correct value is not returned? + + + + To verify the boot loader superuser account has been set, run the following +command: +sudo grep -A1 "superusers" /boot/grub2/grub.cfg +The output should show the following: +set superusers="superusers-account" +export superusers +where superusers-account is the actual account name different from common names like root, +admin, or administrator and different from any other existing user name. + Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name? + + + + Run the following command to check if the group exists: +grep /etc/group +The output should contain the following line: +:x: + Is it the case that group exists and has no user members? + + + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep + +-w -p wa -k logins + Is it the case that the command does not return a line, or the line is commented out? + + + + To ensure that users cannot change how long until the screensaver locks, run the following: +$ grep lock-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled + Is it the case that screensaver locking is not locked? 
+ + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + +$ sudo auditctl -l | grep umount + +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount + Is it the case that the command does not return a line, or the line is commented out? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: + +$ sudo auditctl -l | grep ssh-agent + +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent + Is it the case that the command does not return a line, or the line is commented out? + + + + To check for legacy lines in /etc/passwd, run the following command: + grep '^\+' /etc/passwd +The command should not return any output. + Is it the case that the file contains legacy lines? + + + + To verify that a nftables table exists, run the following command: +$ sudo nft list tables +Output should include a list of nftables similar to: + + table inet filter + + Is it the case that a nftables table does not exist? + + + + Run the following command to determine if the postfix package is installed: $ rpm -q postfix + Is it the case that the package is not installed? + + + + + +Run the following command to determine the current status of the +sshd service: +$ sudo systemctl is-active sshd +If the service is running, it should return the following: active + Is it the case that ? + + + + To check the group ownership of /etc/motd, run the command: -$ ls -lL /etc/cron.monthly +$ ls -lL /etc/motd If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/cron.monthly does not have a group owner of root? + Is it the case that /etc/motd does not have a group owner of root? 
+ + + + Run the following command to determine if the crypto-policies package is installed: $ rpm -q crypto-policies + Is it the case that the package is not installed? + + + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/gshadow)' + +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. + Is it the case that the system is not configured to audit account changes? + + + + Run the following command to determine if the dnf-plugin-subscription-manager package is installed: $ rpm -q dnf-plugin-subscription-manager + Is it the case that the package is not installed? + + + + To check which SSH protocol version is allowed, check version of openssh-server with following command: + +$ rpm -qi openssh-server | grep Version + +Versions equal to or higher than 7.4 only allow Protocol 2. +If version is lower than 7.4, run the following command to check configuration: +$ sudo grep Protocol /etc/ssh/sshd_config +If configured properly, output should be Protocol 2 + Is it the case that it is commented out or is not set correctly to Protocol 2? + + + + To check the permissions of /var/log, +run the command: +$ ls -l /var/log +If properly configured, the output should indicate the following permissions: +drwxr-xr-x + Is it the case that /var/log does not have unix mode drwxr-xr-x? 
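Review bot: the /var/log permission check is wrong as written: `ls -l /var/log` lists the directory's contents, not the directory, so the `drwxr-xr-x` it expects never appears for /var/log itself; use `ls -ld /var/log` (the `-d` flag belongs on every directory-mode check in this set). Also in this hunk: the GRUB superuser check reads only /boot/grub2/grub.cfg and so misses UEFI installs, where the generated file is /boot/efi/EFI/redhat/grub.cfg; the audit check for /etc/security/opasswd shows a bare `sudo auditctl -l | grep` and a `-w -p wa -k logins` rule with no path, so the expected watch path must be filled in or the check cannot be performed; the sshd status check ends with "Is it the case that ?", an empty question; and the SSH protocol text about openssh-server versions below 7.4 cannot apply to RHEL 8, which ships OpenSSH 8.0, so the `Protocol 2` branch can be dropped.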
@@ -374844,112 +375427,84 @@ The output should be the following: Is it the case that the command does not return a line, or the line is commented out? - - To check the ownership of /etc/cron.d, -run the command: -$ ls -lL /etc/cron.d -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.d does not have an owner of root? - - - - The runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra_rtr_pref -0. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlink system call. - Is it the case that the correct value is not returned? +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r unlink /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep unlink /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete +-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete + Is it the case that the command does not return a line, or the line is commented out? - - To check the permissions of /etc/cron.monthly, -run the command: -$ ls -l /etc/cron.monthly -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.monthly does not have unix mode -rwx------? + + Only FIPS-approved MACs should be used. 
To verify that only FIPS-approved +MACs are in use, run the following command: +$ sudo grep -i macs /etc/ssh/sshd_config +The output should contain only those MACs which are FIPS-approved. Any use of other +ciphers or algorithms will result in the module entering the non-FIPS mode of +operation. + Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? - - Using a non-privileged account, verify that users cannot modify or change -network settings with the nmcli command with the following command: -$ nmcli general permissions -The output should contain the following: -PERMISSION VALUE -org.freedesktop.NetworkManager.enable-disable-network auth -org.freedesktop.NetworkManager.enable-disable-wifi auth -org.freedesktop.NetworkManager.enable-disable-wwan auth -org.freedesktop.NetworkManager.enable-disable-wimax auth -org.freedesktop.NetworkManager.sleep-wake auth -org.freedesktop.NetworkManager.network-control auth -org.freedesktop.NetworkManager.wifi.share.protected auth -org.freedesktop.NetworkManager.wifi.share.open auth -org.freedesktop.NetworkManager.settings.modify.system auth -org.freedesktop.NetworkManager.settings.modify.own auth -org.freedesktop.NetworkManager.settings.modify.hostname auth -org.freedesktop.NetworkManager.settings.modify.global-dns auth -org.freedesktop.NetworkManager.reload auth -org.freedesktop.NetworkManager.checkpoint-rollback auth -org.freedesktop.NetworkManager.enable-disable-statistics auth -org.freedesktop.NetworkManager.enable-disable-connectivity-check auth -org.freedesktop.NetworkManager.wifi.scan auth + + +If the system is configured to prevent the loading of the rds kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - Is it the case that non-privileged users can modify or change network settings? 
+These lines can also instruct the module loading system to ignore the rds kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r rds /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To verify that each web content directory has an index.html file, -run the following command: -$ sudo find `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` -name index.html -The output should return an index.html file for every -DocumentRoot that is set. + + To verify that web content directories should not be shared anonymously over +remote filesystems such as nfs and smb, inspect each instance +of DocumentRoot and serverRoot and verify that no entry in +/etc/fstab exists or no remote filesystem process is running for +any instance. +$ ps -ef | grep "nfs\|smb" Is it the case that it is not? - + -Run the following command to determine if the virt_sandbox_use_mknod SELinux boolean is disabled: -$ getsebool virt_sandbox_use_mknod +Run the following command to determine if the virt_sandbox_use_sys_admin SELinux boolean is disabled: +$ getsebool virt_sandbox_use_sys_admin If properly configured, the output should show the following: -virt_sandbox_use_mknod --> off - Is it the case that virt_sandbox_use_mknod is not disabled? - - - - The runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.accept_ra_defrtr -0. - - Is it the case that the correct value is not returned? +virt_sandbox_use_sys_admin --> off + Is it the case that virt_sandbox_use_sys_admin is not disabled? 
- + -Run the following command to determine if the selinuxuser_rw_noexattrfile SELinux boolean is disabled: -$ getsebool selinuxuser_rw_noexattrfile +Run the following command to determine if the spamassassin_can_network SELinux boolean is disabled: +$ getsebool spamassassin_can_network If properly configured, the output should show the following: -selinuxuser_rw_noexattrfile --> off - Is it the case that selinuxuser_rw_noexattrfile is not disabled? - - - - The runtime status of the net.ipv4.conf.all.accept_local kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.accept_local -0. - - Is it the case that the correct value is not returned? +spamassassin_can_network --> off + Is it the case that spamassassin_can_network is not disabled? - - Verify the nodev option is configured for the /var mount point, - run the following command: - $ sudo mount | grep '\s/var\s' - . . . /var . . . nodev . . . - - Is it the case that the "/var" file system does not have the "nodev" option set? + + To check the permissions of /etc/cron.hourly, +run the command: +$ ls -l /etc/cron.hourly +If properly configured, the output should indicate the following permissions: +-rwx------ + Is it the case that /etc/cron.hourly does not have unix mode -rwx------? 
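Review bot: the unlink check `grep -r unlink /etc/audit/rules.d` also matches every `unlinkat` rule, so a system that audits only unlinkat passes; use `grep -rw unlink` (or match `-S unlink\b`) so that the four `-S unlink` rules listed are what is actually required. Also in this hunk: the FIPS MAC check greps only /etc/ssh/sshd_config, but on RHEL 8 the MAC list normally comes from the system crypto policy through /etc/crypto-policies/back-ends/opensshserver.config, so an sshd_config with no MACs line is the expected compliant state and the check needs to read that file (and "ciphers or algorithms" in the text should read MACs); `ps -ef | grep "nfs\|smb"` matches its own grep process and therefore always returns output, so the check always fails, use `pgrep -f 'nfs|smb'` instead; the rds module grep should be anchored, e.g. `grep -rE '^(install|blacklist)\s+rds\b'`, and /etc/modprobe.conf does not exist on RHEL 8 so grep prints an error for it unless `-s` is added; and the cron.hourly check has the same `ls -l` versus `ls -ld` defect, with an expected mode `-rwx------` that is a file mode, for a directory it should read `drwx------`.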
@@ -374961,280 +375516,349 @@ $ sysctl kernel.modules_disabled Is it the case that the correct value is not returned? - - To check if pam_pwquality.so is enabled in system-auth, run the following command: -$ grep pam_pwquality /etc/pam.d/system-auth -The output should be similar to the following: -password requisite pam_pwquality.so - Is it the case that pam_pwquality.so is not enabled in system-auth? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules +The output has to be exactly as follows: +## Successful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change + Is it the case that the file does not exist or the content differs? - + + To determine if LDAP is being used for authentication, use the following +command: +$ sudo grep -i useldapauth /etc/sysconfig/authconfig +The output should return: +USELDAPAUTH=yes + Is it the case that USELDAPAUTH=yes is not configured correctly in /etc/sysconfig/authconfig? + + + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config.* + $ grep CONFIG_DEBUG_NOTIFIERS /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To check the ownership of /var/log/messages, + + To check the screensaver mandatory use status, run the following command: +$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled +If properly configured, the output should be true. 
+To ensure that users cannot disable the screensaver idle inactivity setting, run the following: +$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled + Is it the case that idle-activation-enabled is not enabled or configured? + + + + +Run the following command to determine if the httpd_verify_dns SELinux boolean is disabled: +$ getsebool httpd_verify_dns +If properly configured, the output should show the following: +httpd_verify_dns --> off + Is it the case that httpd_verify_dns is not disabled? + + + + To check the permissions of /etc/ssh/*_key, run the command: -$ ls -lL /var/log/messages -If properly configured, the output should indicate the following owner: -root - Is it the case that /var/log/messages does not have an owner of root? +$ ls -l /etc/ssh/*_key +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_CREDENTIALS /boot/config.* + $ grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config.* - For each kernel installed, a line with value "y" should be returned. + For each kernel installed, a line with value "65536" should be returned. Is it the case that the kernel was not built with the required value? - - The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.rp_filter -1. - - Is it the case that the correct value is not returned? 
- - - - To ensure the X Windows package group is removed, run the following command: - -$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland - -For each package mentioned above you should receive following line: -package <package> is not installed - Is it the case that xorg related packages are not removed and run level is not correctly configured? - - - - To check the ownership of /var/log/syslog, -run the command: -$ ls -lL /var/log/syslog -If properly configured, the output should indicate the following owner: -syslog - Is it the case that /var/log/syslog does not have an owner of syslog? + + +Run the following command to determine if the httpd_manage_ipa SELinux boolean is disabled: +$ getsebool httpd_manage_ipa +If properly configured, the output should show the following: +httpd_manage_ipa --> off + Is it the case that httpd_manage_ipa is not disabled? - + -Run the following command to determine if the httpd_tmp_exec SELinux boolean is disabled: -$ getsebool httpd_tmp_exec +Run the following command to determine if the minidlna_read_generic_user_content SELinux boolean is disabled: +$ getsebool minidlna_read_generic_user_content If properly configured, the output should show the following: -httpd_tmp_exec --> off - Is it the case that httpd_tmp_exec is not disabled? +minidlna_read_generic_user_content --> off + Is it the case that minidlna_read_generic_user_content is not disabled? - - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -$ sudo grep "setxattr" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the fchmodat system call, run the following command: +$ sudo grep "fchmodat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? 
- - -Run the following command to determine if the dbadm_exec_content SELinux boolean is enabled: -$ getsebool dbadm_exec_content -If properly configured, the output should show the following: -dbadm_exec_content --> on - Is it the case that dbadm_exec_content is not enabled? + + To check that the avahi-daemon service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled avahi-daemon +Output should indicate the avahi-daemon service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled avahi-daemon disabled + +Run the following command to verify avahi-daemon is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active avahi-daemon + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the avahi-daemon is masked, run the following command: +$ sudo systemctl show avahi-daemon | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "avahi-daemon" is loaded and not masked? - - The following command will discover and print world-writable directories that -are not group owned by a system account, given the assumption that only system -accounts have a gid lower than 1000. Run it once for each local partition PART: -$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print - Is it the case that there is output? + + Run the following command to verify that the MTA is not listening on +any non-loopback address (127.0.0.1 or ::1). +# ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' +Nothing should be returned + Is it the case that MTA is listening on any non-loopback address? 
- - -If the system is configured to prevent the loading of the cfg80211 kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: -These lines can also instruct the module loading system to ignore the cfg80211 kernel module via blacklist keyword. +$ sudo auditctl -l | grep setsebool -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r cfg80211 /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the git_cgi_use_nfs SELinux boolean is disabled: -$ getsebool git_cgi_use_nfs -If properly configured, the output should show the following: -git_cgi_use_nfs --> off - Is it the case that git_cgi_use_nfs is not disabled? + + Verify that yum verifies the signature of local packages prior to install with the following command: + +$ grep localpkg_gpgcheck /etc/yum.conf + +localpkg_gpgcheck=1 + +If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. + Is it the case that there is no process to validate certificates for local packages that is approved by the organization? - - To determine if passwd_timeout has been configured for sudo, run the following command: -$ sudo grep -ri '^Defaults.*passwd_timeout=' /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. 
- Is it the case that passwd_timeout is not set with the appropriate value for sudo? + + +Run the following command to determine if the selinuxuser_tcp_server SELinux boolean is disabled: +$ getsebool selinuxuser_tcp_server +If properly configured, the output should show the following: +selinuxuser_tcp_server --> off + Is it the case that selinuxuser_tcp_server is not disabled? - - The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried + + The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.all.accept_ra -0. +$ sysctl net.ipv4.icmp_echo_ignore_broadcasts +1. Is it the case that the correct value is not returned? - - To determine whether yum has been configured to disable -gpgcheck for any repos, inspect all files in -/etc/yum.repos.d and ensure the following does not appear in any -sections: -gpgcheck=0 -A value of 0 indicates that gpgcheck has been disabled for that repo. - Is it the case that GPG checking is disabled? + + Verify that Red Hat Enterprise Linux 8 does not have unauthorized IP tunnels configured. + + +# yum list installed libreswan +libreswan.x86-64 3.20-5.el7_4 + + +If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: + +# systemctl status ipsec +ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec +Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) +Active: inactive (dead) + + +If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following: +grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ +Verify any returned results for organizational approval. + Is it the case that the IPSec tunnels are not approved? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + + Verify Red Hat Enterprise Linux 8 prevents the use of dictionary words for passwords with the following command: -$ sudo auditctl -l | grep chacl +$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod - Is it the case that the command does not return a line, or the line is commented out? +/etc/security/pwquality.conf:dictcheck=1 + Is it the case that "dictcheck" does not have a value other than "0", or is commented out? - - Verify that the system is integrated with a centralized authentication mechanism -such as as Active Directory, Kerberos, Directory Server, etc. that has -automated account mechanisms in place. - Is it the case that the system is not using a centralized authentication mechanism, or it is not automated? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_SHA512 /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Run the following command to determine if the libreport-plugin-logger package is installed: -$ rpm -q libreport-plugin-logger - Is it the case that the package is installed? + + Verify that temporary accounts have been provisioned with an expiration date +of 72 hours. For every temporary account, run the following command to +obtain its account aging and expiration information: +$ sudo chage -l temporary_account_name +Verify each of these accounts has an expiration date set within 72 hours or +as documented. + Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours? 
- - Run the following command to determine if the ntp package is installed: $ rpm -q ntp - Is it the case that the package is not installed? + + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +$ sudo grep "unlinkat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODIFY_LDT_SYSCALL /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? + + + -Run the following command to determine if the rsync_export_all_ro SELinux boolean is disabled: -$ getsebool rsync_export_all_ro +Run the following command to determine if the cobbler_can_network_connect SELinux boolean is disabled: +$ getsebool cobbler_can_network_connect If properly configured, the output should show the following: -rsync_export_all_ro --> off - Is it the case that rsync_export_all_ro is not disabled? +cobbler_can_network_connect --> off + Is it the case that cobbler_can_network_connect is not disabled? - - The runtime status of the kernel.sysrq kernel parameter can be queried -by running the following command: -$ sysctl kernel.sysrq -0. + + Verify the nosuid option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . nosuid . . . - Is it the case that the correct value is not returned? - - - - To verify the assigned home directory of all interactive users is group- -owned by that users primary GID, run the following command: -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) - Is it the case that the group ownership is incorrect? 
- - - - Run the following command to determine if the crypto-policies package is installed: $ rpm -q crypto-policies - Is it the case that the package is not installed? + Is it the case that the "/boot" file system does not have the "nosuid" option set? - - + + Verify that rules for unsuccessful calls of the openat syscall are in the order shown below. -Run the following command to determine the current status of the -nails service: -$ sudo systemctl is-active nails -If the service is running, it should return the following: active - Is it the case that ? + If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". + If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. + + -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + If the system is 64 bit then also add the following lines: + + -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a 
always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + Is it the case that the rules are in a different order? - - -Run the following command to determine if the fenced_can_network_connect SELinux boolean is disabled: -$ getsebool fenced_can_network_connect -If properly configured, the output should show the following: -fenced_can_network_connect --> off - Is it the case that fenced_can_network_connect is not disabled? + + To check the permissions of /etc/gshadow, +run the command: +$ ls -l /etc/gshadow +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/gshadow does not have unix mode ----------? - - Verify that Red Hat Enterprise Linux 8 enforces a minimum -character password length with the following command: + + Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: -$ grep minlen /etc/security/pwquality.conf +$ grep minclass /etc/security/pwquality.conf -minlen = - Is it the case that the command does not return a "minlen" value of "<sub idref="var_password_pam_minlen" />" or greater, does not return a line, or the line is commented out? +minclass = + Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out? - - To determine if the system is configured to audit successful calls -to the removexattr system call, run the following command: -$ sudo grep "removexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. 
- - Is it the case that no line is returned? + + To check the permissions of /etc/issue.net, +run the command: +$ ls -l /etc/issue.net +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/issue.net does not have unix mode -rw-r--r--? - + -Run the following command to determine if the sanlock_use_nfs SELinux boolean is disabled: -$ getsebool sanlock_use_nfs +Run the following command to determine if the pcp_read_generic_logs SELinux boolean is disabled: +$ getsebool pcp_read_generic_logs If properly configured, the output should show the following: -sanlock_use_nfs --> off - Is it the case that sanlock_use_nfs is not disabled? +pcp_read_generic_logs --> off + Is it the case that pcp_read_generic_logs is not disabled? - - -Run the following command to determine if the zoneminder_anon_write SELinux boolean is disabled: -$ getsebool zoneminder_anon_write -If properly configured, the output should show the following: -zoneminder_anon_write --> off - Is it the case that zoneminder_anon_write is not disabled? + + The following command will discover and print world-writable directories that +are not owned by a system account, given the assumption that only system +accounts have a uid lower than 500. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print + Is it the case that there is output? - + -Run the following command to determine if the httpd_graceful_shutdown SELinux boolean is enabled: -$ getsebool httpd_graceful_shutdown +Run the following command to determine if the git_cgi_use_cifs SELinux boolean is disabled: +$ getsebool git_cgi_use_cifs If properly configured, the output should show the following: -httpd_graceful_shutdown --> on - Is it the case that httpd_graceful_shutdown is not enabled? +git_cgi_use_cifs --> off + Is it the case that git_cgi_use_cifs is not disabled? 
- - -Run the following command to determine if the httpd_enable_cgi SELinux boolean is disabled: -$ getsebool httpd_enable_cgi -If properly configured, the output should show the following: -httpd_enable_cgi --> off - Is it the case that httpd_enable_cgi is not disabled? + + To ensure the failed password attempt policy is configured correctly, run the following command: + +$ grep fail_interval /etc/security/faillock.conf +The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. + Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />" +or less (but not "0"), the line is commented out, or the line is missing? + + + + The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.send_redirects +0. + + Is it the case that the correct value is not returned? 
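Review bot: the added fail_interval check text contradicts its own question: the description says interval-in-seconds "is or greater" (and the variable value is missing from that sentence), while the question right after it asks whether "fail_interval" is not set to the variable value "or less (but not "0")". Pick one direction and make the description sentence carry the value. Three smaller points in the same hunk: the libreswan sample output `libreswan.x86-64 3.20-5.el7_4` is an el7 package string in RHEL 8 content and `rpm` prints the architecture as x86_64, so the example should be regenerated on the target platform; the world-writable directory check says "only system accounts have a uid lower than 500" and uses `-uid +499`, while every audit rule in the hunk treats 1000 as the first regular user (`auid>=1000`), so the threshold and the sentence should be aligned with that; and the openat rule keys `unsuccesful-create`, `unsuccesful-modification` and `unsuccesful-access` are misspelled, so either fix the spelling or confirm that the remediation writes the identical misspelled key, otherwise the check and the fix will never agree.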
@@ -375246,506 +375870,384 @@ $ sudo auditctl -l | grep -E '(/etc/shadow)' Is it the case that command does not return a line, or the line is commented out? - - To check if RekeyLimit is set correctly, run the following command: -$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf -If configured properly, output should be -/etc/ssh/ssh_config.d/02-rekey-limit.conf: -RekeyLimit -Check also the main configuration file with the following command: -$ sudo grep RekeyLimit /etc/ssh/ssh_config -The command should not return any output. - Is it the case that it is commented out or is not set? - - - - Make sure that the kernel is not disabling SMEP with the following -commands. -grep -q nosmep /boot/config-`uname -r` -If the command returns a line, it means that SMEP is being disabled. - Is it the case that the kernel is configured to disable SMEP? - - - - Verify the noexec option is configured for the /home mount point, - run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . noexec . . . - - Is it the case that the "/home" file system does not have the "noexec" option set? - - - - The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.accept_redirects -0. + + To determine if the system is configured to audit successful calls +to the truncate system call, run the following command: +$ sudo grep "truncate" /etc/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the correct value is not returned? + Is it the case that no line is returned? 
- + -Run the following command to determine if the postgresql_selinux_transmit_client_label SELinux boolean is disabled: -$ getsebool postgresql_selinux_transmit_client_label +Run the following command to determine if the global_ssp SELinux boolean is disabled: +$ getsebool global_ssp If properly configured, the output should show the following: -postgresql_selinux_transmit_client_label --> off - Is it the case that postgresql_selinux_transmit_client_label is not disabled? +global_ssp --> off + Is it the case that global_ssp is not disabled? - - Determine if "sudoers" file restricts sudo access run the following commands: -$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* -$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* - Is it the case that either of the commands returned a line? + + To determine if ignore_dot has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\bignore_dot\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that ignore_dot is not enabled in sudo? - - Verify the nosuid option is configured for the /boot/efi mount point, - run the following command: - $ sudo mount | grep '\s/boot/efi\s' - . . . /boot/efi . . . nosuid . . . + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: - Is it the case that the "/boot/efi" file system does not have the "nosuid" option set? - - - - To check if MaxStartups is configured, run the following command: -$ sudo grep MaxStartups /etc/ssh/sshd_config -If configured, this command should output the configuration. - Is it the case that maxstartups is not configured? 
- - - - To check the group ownership of /etc/crontab, -run the command: -$ ls -lL /etc/crontab -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/crontab does not have a group owner of root? +$ sudo auditctl -l | grep unix_chkpwd + +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd + Is it the case that the command does not return a line, or the line is commented out? - - Query the SA and the Web Manager to determine if a compiler is present on -the server. - Is it the case that the web server is part of an application suite and a comiler is needed -for installation, patching, and upgrading of the suite or if the compiler -is embedded and can't be removed without breaking the suite, document the -installation of the compiler with the ISSO/ISSM and verify that the compiler -is restricted to administrative users only. If documented and restricted to -administrative users, this is not a finding. - -If an undocumented compiler is present, and available to non-administrative -users? + + Run the following command to determine if the rsync-daemon package is installed: +$ rpm -q rsync-daemon + Is it the case that the package is installed? - - In order to be sure that the databases are up-to-date, run the -dconf update -command as the administrator. - Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles? + + Check that the symlink exists and target the correct Kerberos crypto policy, with the following command: +file /etc/krb5.conf.d/crypto-policies +If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. +/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config + Is it the case that the symlink does not exist or points to a different target? 
- - Verify that Red Hat Enterprise Linux 8 disables the use of user namespaces with the following commands: + + To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. +$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config -The runtime status of the user.max_user_namespaces kernel parameter can be queried -by running the following command: -$ sysctl user.max_user_namespaces -0. +If a line indicating yes is returned, then the required value is set. - Is it the case that the correct value is not returned? - - - - -Run the following command to determine if the container_connect_any SELinux boolean is disabled: -$ getsebool container_connect_any -If properly configured, the output should show the following: -container_connect_any --> off - Is it the case that container_connect_any is not disabled? - - - - Run the following command to determine if the cron package is installed: -$ rpm -q cron - Is it the case that the package is installed? - - - - -Run the following command to determine if the selinuxuser_tcp_server SELinux boolean is disabled: -$ getsebool selinuxuser_tcp_server -If properly configured, the output should show the following: -selinuxuser_tcp_server --> off - Is it the case that selinuxuser_tcp_server is not disabled? - - - - Make sure that the kernel is not disabling SMAP with the following -commands. -grep -q nosmap /boot/config-`uname -r` -If the command returns a line, it means that SMAP is being disabled. - Is it the case that the kernel is configured to disable SMAP? + Is it the case that the required value is not set? 
- - To check that the oddjobd service is disabled in system boot configuration, + + To check that the ntpdate service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled oddjobd -Output should indicate the oddjobd service has either not been installed, +$ sudo systemctl is-enabled ntpdate +Output should indicate the ntpdate service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled oddjobd disabled +$ sudo systemctl is-enabled ntpdate disabled -Run the following command to verify oddjobd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active oddjobd +Run the following command to verify ntpdate is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active ntpdate If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the oddjobd is masked, run the following command: -$ sudo systemctl show oddjobd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the ntpdate is masked, run the following command: +$ sudo systemctl show ntpdate | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "oddjobd" is loaded and not masked? + Is it the case that the "ntpdate" is loaded and not masked? - - Run the following command to determine if the bind package is installed: -$ rpm -q bind - Is it the case that the package is installed? + + +Run the following command to determine if the ftpd_anon_write SELinux boolean is disabled: +$ getsebool ftpd_anon_write +If properly configured, the output should show the following: +ftpd_anon_write --> off + Is it the case that ftpd_anon_write is not disabled? 
- - Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: - -$ grep maxclassrepeat /etc/security/pwquality.conf + + -maxclassrepeat = - Is it the case that the value of "maxclassrepeat" is set to "0", more than "<sub idref="var_password_pam_maxclassrepeat" />" or is commented out? - - - - Run the following command to determine if the tmux package is installed: $ rpm -q tmux - Is it the case that the package is not installed? +Run the following command to determine the current status of the +ufw service: +$ sudo systemctl is-active ufw +If the service is running, it should return the following: active + Is it the case that the service is not enabled? - + -Run the following command to determine if the telepathy_connect_all_ports SELinux boolean is disabled: -$ getsebool telepathy_connect_all_ports +Run the following command to determine if the rsync_client SELinux boolean is disabled: +$ getsebool rsync_client If properly configured, the output should show the following: -telepathy_connect_all_ports --> off - Is it the case that telepathy_connect_all_ports is not disabled? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_RANDOMIZE_MEMORY /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +rsync_client --> off + Is it the case that rsync_client is not disabled? - - Verify that DNS servers have been configured properly, perform the following: -$ sudo grep nameserver /etc/resolv.conf - Is it the case that less than two lines are returned that are not commented out? - - - - Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld - Is it the case that the package is not installed? + + The file permissions for all log files written by rsyslog should +be set to 640, or more restrictive. 
These log files are determined by the +second part of each Rule line in /etc/rsyslog.conf and typically +all appear in /var/log. To see the permissions of a given log +file, run the following command: +$ ls -l LOGFILE +The permissions should be 640, or more restrictive. + Is it the case that the permissions are not correct? - - To check that the rsyncd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rsyncd -Output should indicate the rsyncd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rsyncd disabled - -Run the following command to verify rsyncd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rsyncd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the rsyncd is masked, run the following command: -$ sudo systemctl show rsyncd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + The runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.router_solicitations +0. -UnitFileState=masked - Is it the case that the "rsyncd" is loaded and not masked? + Is it the case that the correct value is not returned? - - + + The runtime status of the fs.protected_symlinks kernel parameter can be queried +by running the following command: +$ sysctl fs.protected_symlinks +1. -Run the following command to determine the current status of the -sshd service: -$ sudo systemctl is-active sshd -If the service is running, it should return the following: active - Is it the case that sshd service is disabled? + Is it the case that the correct value is not returned? 
- + -Run the following command to determine if the selinuxuser_mysql_connect_enabled SELinux boolean is disabled: -$ getsebool selinuxuser_mysql_connect_enabled +Run the following command to determine if the xdm_sysadm_login SELinux boolean is disabled: +$ getsebool xdm_sysadm_login If properly configured, the output should show the following: -selinuxuser_mysql_connect_enabled --> off - Is it the case that selinuxuser_mysql_connect_enabled is not disabled? - - - - To ensure the screensaver is configured to be blank, run the following command: -$ gsettings get org.gnome.desktop.screensaver picture-uri -If properly configured, the output should be ''. - -To ensure that users cannot set the screensaver background, run the following: -$ grep picture-uri /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri - Is it the case that it is not set or configured properly? - - - - To determine if the system is configured to audit successful calls -to the lsetxattr system call, run the following command: -$ sudo grep "lsetxattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? +xdm_sysadm_login --> off + Is it the case that xdm_sysadm_login is not disabled? - - To determine if the system is configured to audit successful calls -to the ftruncate system call, run the following command: -$ sudo grep "ftruncate" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check that all boot entries extend the backlog limit; +Check that all boot entries extend the log events queue: +sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that does not extend the log events queue. + Is it the case that audit backlog limit is not configured? 
- - Verify that a separate file system/partition has been created for /tmp with the following command: - -$ mountpoint /tmp + + The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.secure_redirects +0. - Is it the case that "/tmp is not a mountpoint" is returned? + Is it the case that the correct value is not returned? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open_by_handle_at system call with O_CREAT flag. -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r openat /etc/audit/rules.d +$ sudo grep -r open_by_handle_at /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep openat /etc/audit/audit.rules +$ sudo grep open_by_handle_at /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create Is it the case that the command does not return a line, or the line is commented out? - - To verify that timed logins are disabled, run the following command: -$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf -The output should show the following: -[daemon] -TimedLoginEnable=false - Is it the case that GDM allows a guest to login without credentials? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules +The output has to be exactly as follows: +## Unsuccessful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change + Is it the case that the file does not exist or the content differs? 
- - To check the group ownership of /etc/group, -run the command: -$ ls -lL /etc/group -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/group does not have a group owner of root? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STRICT_MODULE_RWX /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "reboot" command with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep reboot --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod +-a always,exit -F path=/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the sanlock_use_fusefs SELinux boolean is disabled: -$ getsebool sanlock_use_fusefs -If properly configured, the output should show the following: -sanlock_use_fusefs --> off - Is it the case that sanlock_use_fusefs is not disabled? - - - - To verify that USB Human Interface Devices will be authorized by the USBGuard daemon, -run the following command: -$ sudo grep allow /etc/usbguard/rules.conf -The output lines should include -allow with-interface match-all { 03:*:* } - Is it the case that USB devices of class 3 are not authorized? + + To verify that no .java and .jpp files exist, run the +following command: +find / -name *.java -o -name *.jpp +The output should not return any .java or .jpp files + Is it the case that it is not? 
- - To check if pam_namespace.so is required for user login, run the following command: -$ grep pam_namespace.so /etc/pam.d/login -The output should return the following uncommented: -session required pam_namespace.so - Is it the case that pam_namespace.so is not required or is commented out? + + +Run the following command to determine if the prosody_bind_http_port SELinux boolean is disabled: +$ getsebool prosody_bind_http_port +If properly configured, the output should show the following: +prosody_bind_http_port --> off + Is it the case that prosody_bind_http_port is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_KEY /boot/config.* + $ grep CONFIG_PAGE_TABLE_ISOLATION /boot/config.* - For each kernel installed, a line with value "" should be returned. + For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - The runtime status of the kernel.perf_event_max_sample_rate kernel parameter can be queried -by running the following command: -$ sysctl kernel.perf_event_max_sample_rate -1. - - Is it the case that the correct value is not returned? + + Inspect the file /etc/firewalld/firewalld.conf to determine +the default zone for the firewalld. It should be set to DefaultZone=drop: +$ sudo grep DefaultZone /etc/firewalld/firewalld.conf + Is it the case that the default zone is not set to DROP? - - -Run the following command to determine if the virt_use_usb SELinux boolean is disabled: -$ getsebool virt_use_usb -If properly configured, the output should show the following: -virt_use_usb --> off - Is it the case that virt_use_usb is not disabled? 
+ + To check the permissions of /etc/audit/rules.d/*.rules, +run the command: +$ ls -l /etc/audit/rules.d/*.rules +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-r-----? - - To determine if the system is configured to audit successful calls -to the openat system call, run the following command: -$ sudo grep "openat" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the mpd_use_cifs SELinux boolean is disabled: +$ getsebool mpd_use_cifs +If properly configured, the output should show the following: +mpd_use_cifs --> off + Is it the case that mpd_use_cifs is not disabled? - - Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: - -$ grep umask /etc/csh.cshrc - -umask 077 -umask 077 - Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? + + To check the permissions of /etc/ssh/sshd_config, +run the command: +$ ls -l /etc/ssh/sshd_config +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/ssh/sshd_config does not have unix mode -rw-------? - - Run the following command to verify that SSH client is configured to use 32 bytes of entropy: -grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh -It should return the following output: -setenv SSH_USE_STRONG_RNG 32. - Is it the case that SSH client is not configured to use 32 bytes of entropy or more? 
+ + +Run the following command to determine if the git_system_use_nfs SELinux boolean is disabled: +$ getsebool git_system_use_nfs +If properly configured, the output should show the following: +git_system_use_nfs --> off + Is it the case that git_system_use_nfs is not disabled? - - Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite - Is it the case that the package is not installed? + + Inspect the password section of /etc/pam.d/password-auth +and ensure that the pam_unix.so module includes the argument +sha512: +$ grep sha512 /etc/pam.d/password-auth + Is it the case that it does not? - - First, check whether the password is defined in either /boot/grub2/user.cfg or -/boot/grub2/grub.cfg. -Run the following commands: -$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg -$ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg - + + The runtime status of the kernel.panic_on_oops kernel parameter can be queried +by running the following command: +$ sysctl kernel.panic_on_oops +1. -Second, check that a superuser is defined in /boot/grub2/grub.cfg. -$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' /boot/grub2/grub.cfg - Is it the case that it does not produce any output? + Is it the case that the correct value is not returned? - - -Run the following command to determine if the httpd_can_network_connect_cobbler SELinux boolean is disabled: -$ getsebool httpd_can_network_connect_cobbler -If properly configured, the output should show the following: -httpd_can_network_connect_cobbler --> off - Is it the case that httpd_can_network_connect_cobbler is not disabled? + + The runtime status of the kernel.perf_cpu_time_max_percent kernel parameter can be queried +by running the following command: +$ sysctl kernel.perf_cpu_time_max_percent +1. + + Is it the case that the correct value is not returned? 
- - -Run the following command to determine if the deny_ptrace SELinux boolean is disabled: -$ getsebool deny_ptrace -If properly configured, the output should show the following: -deny_ptrace --> off - Is it the case that deny_ptrace is not disabled? + + To determine if the system is configured to audit unsuccessful calls +to the lchown system call, run the following command: +$ sudo grep "lchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - Verify that Red Hat Enterprise Linux 8 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: -$ sudo grep action_mail_acct /etc/audit/auditd.conf +$ sudo auditctl -l | grep chacl -action_mail_acct = - Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure? +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod + Is it the case that the command does not return a line, or the line is commented out? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_SHA512 /boot/config.* + $ grep CONFIG_BUG_ON_DATA_CORRUPTION /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? 
- - Run the following command to check the mode of the httpd log -directory: -$ ls -l /var/log/ | grep httpd -Log directory must be mode 0700 or less permissive. - Is it the case that it is more permissive? + + Run the following command to determine if the python3-abrt-addon package is installed: +$ rpm -q python3-abrt-addon + Is it the case that the package is installed? - - Run the following command to determine if the tftp-server package is installed: -$ rpm -q tftp-server - Is it the case that the package is installed? + + Using a non-privileged account, verify that users cannot modify or change +network settings with the nmcli command with the following command: +$ nmcli general permissions +The output should contain the following: +PERMISSION VALUE +org.freedesktop.NetworkManager.enable-disable-network auth +org.freedesktop.NetworkManager.enable-disable-wifi auth +org.freedesktop.NetworkManager.enable-disable-wwan auth +org.freedesktop.NetworkManager.enable-disable-wimax auth +org.freedesktop.NetworkManager.sleep-wake auth +org.freedesktop.NetworkManager.network-control auth +org.freedesktop.NetworkManager.wifi.share.protected auth +org.freedesktop.NetworkManager.wifi.share.open auth +org.freedesktop.NetworkManager.settings.modify.system auth +org.freedesktop.NetworkManager.settings.modify.own auth +org.freedesktop.NetworkManager.settings.modify.hostname auth +org.freedesktop.NetworkManager.settings.modify.global-dns auth +org.freedesktop.NetworkManager.reload auth +org.freedesktop.NetworkManager.checkpoint-rollback auth +org.freedesktop.NetworkManager.enable-disable-statistics auth +org.freedesktop.NetworkManager.enable-disable-connectivity-check auth +org.freedesktop.NetworkManager.wifi.scan auth + + Is it the case that non-privileged users can modify or change network settings? 
- - To ensure write permissions are disabled for group and other - for each element in root's path, run the following command: -# ls -ld DIR - Is it the case that group or other write permissions exist? + + To verify if LogLevel is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i loglevel /etc/httpd/conf/httpd.conf +The command should return the following: +LogLevel warn + Is it the case that it is not? 
@@ -375759,366 +376261,414 @@ If the command does not return results or an error is returned, ask the SA to in Is it the case that there is no evidence that unauthorized peripherals are being blocked before establishing a connection? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SYN_COOKIES /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? - - - - To verify that HBSS PA is installed, run the following command(s): -$ sudo ls /opt/McAfee/auditengine/bin/auditmanager - Is it the case that the HBSS PA module is not installed? - - - - Run the following command to determine if the talk-server package is installed: -$ rpm -q talk-server - Is it the case that the package is installed? + + To ensure LDAP is configured to use TLS for all transactions, run the following command: +$ grep start_tls /etc/pam_ldap.conf +The result should contain: +ssl start_tls + Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? - - To check that the rpcsvcgssd service is disabled in system boot configuration, + + To check that the dhcpd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled rpcsvcgssd -Output should indicate the rpcsvcgssd service has either not been installed, +$ sudo systemctl is-enabled dhcpd +Output should indicate the dhcpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rpcsvcgssd disabled +$ sudo systemctl is-enabled dhcpd disabled -Run the following command to verify rpcsvcgssd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rpcsvcgssd +Run the following command to verify dhcpd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active dhcpd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the rpcsvcgssd is masked, run the following command: -$ sudo systemctl show rpcsvcgssd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the dhcpd is masked, run the following command: +$ sudo systemctl show dhcpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "rpcsvcgssd" is loaded and not masked? + Is it the case that the "dhcpd" is loaded and not masked? - - Determine if there is a process for the uploading of files to the web site. -This process should include the requirement for the use of a secure encrypted -logon and secure encrypted connection. If the remote users are uploading files -without utilizing approved encryption methods, this is a finding. - Is it the case that it is not? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes page_poison=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1' +The command should not return any output. + Is it the case that page allocator poisoning is not enabled? 
- - Check the root home directory for a .mozilla directory. If -one exists, ensure browsing is limited to local service administration. - Is it the case that this is not the case? + + Run the following command to determine if the nftables package is installed: $ rpm -q nftables + Is it the case that the package is not installed? - - Verify that a separate file system/partition has been created for /var/log with the following command: - -$ mountpoint /var/log - - Is it the case that "/var/log is not a mountpoint" is returned? + + Run the following command to check the mode of the system audit logs: +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file=/var/log/audit/audit.log +$ sudo stat -c "%n %a" /var/log/audit/* +$ sudo ls -l /var/log/audit +Audit logs must be mode 0640 or less permissive. + Is it the case that any permissions are more permissive? - - To check the ownership of /etc/cron.monthly, -run the command: -$ ls -lL /etc/cron.monthly -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/cron.monthly does not have an owner of root? + + Run the following command to ensure postfix routes mail to this system: +$ grep relayhost /etc/postfix/main.cf +If properly configured, the output should show only . + Is it the case that it is not? - - To verify that Audit Daemon is configured to flush to disk after -every records, run the following command: -$ sudo grep freq /etc/audit/auditd.conf -The output should return the following: -freq = - Is it the case that freq isn't set to <sub idref="var_auditd_freq" />? + + To check the permissions of /etc/at.allow, +run the command: +$ ls -l /etc/at.allow +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/at.allow does not have unix mode -rw-------? 
- - Verify that a separate file system/partition has been created for /dev/shm with the following command: + + Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/system-auth file +and is configured to prohibit password reuse for a minimum of +generations. -$ mountpoint /dev/shm +Verify the "/etc/pam.d/system-auth" file with the following command: - Is it the case that "/dev/shm is not a mountpoint" is returned? - - - - -Run the following command to determine if the guest_exec_content SELinux boolean is disabled: -$ getsebool guest_exec_content -If properly configured, the output should show the following: -guest_exec_content --> off - Is it the case that guest_exec_content is not disabled? - - - - The document, DoDI 8500.01, establishes the policy on the use of DoD -information systems. It requires the use of a standard Notice and Consent Banner -and standard text to be included in user agreements. The banner should be set -to the following: - Is it the case that it is not display the required banner? - - - - -Run the following command to determine if the git_cgi_use_cifs SELinux boolean is disabled: -$ getsebool git_cgi_use_cifs -If properly configured, the output should show the following: -git_cgi_use_cifs --> off - Is it the case that git_cgi_use_cifs is not disabled? - - - - Verify Red Hat Enterprise Linux 8 enforces a delay of at least seconds between console logon prompts following a failed logon attempt with the following command: +$ grep pam_pwhistory.so /etc/pam.d/system-auth +password pam_pwhistory.so use_authtok remember= -$ sudo grep -i "FAIL_DELAY" /etc/login.defs -FAIL_DELAY - Is it the case that the value of "FAIL_DELAY" is not set to "<sub idref="var_accounts_fail_delay" />" or greater, or the line is commented out? 
- - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -$ sudo cat /etc/audit/rules.d/11-loginuid.rules -The output has to be exactly as follows: -## Make the loginuid immutable. This prevents tampering with the auid. ---loginuid-immutable - Is it the case that the file does not exist or the content differs? + +Verify the "/etc/security/pwhistory.conf" file using the following command: + +$ grep remember /etc/security/pwhistory.conf +remember = + +The pam_pwhistory.so "remember" option must be configured only in one file. + Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in +/etc/pam.d/system-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set +with a value less than "<sub idref="var_password_pam_remember" />"? - - To determine if the system is configured to audit unsuccessful calls -to the fsetxattr system call, run the following command: -$ sudo grep "fsetxattr" /etc/audit.* + + To determine if the system is configured to audit calls to the +fchownat system call, run the following command: +$ sudo grep "fchownat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To ensure that WIFI connections caanot be created, run the following command: -$ gsettings get org.gnome.nm-applet disable-wifi-create -If properly configured, the output should be true. -To ensure that users cannot enable WIFI connection creation, run the following: -$ grep wifi-create /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/nm-applet/disable-wifi-create - Is it the case that WIFI connections can be created through GNOME? + + The runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_defrtr +0. 
+ + Is it the case that the correct value is not returned? - - To determine if the system is configured to audit calls to the -umount2 system call, run the following command: -$ sudo grep "umount2" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + Shared libraries are stored in the following directories: +/lib +/lib64 +/usr/lib +/usr/lib64 - Is it the case that no line is returned? +To find shared libraries that are group-writable or world-writable, +run the following command for each directory DIR which contains shared libraries: +$ sudo find -L DIR -perm /022 -type d + Is it the case that any of these files are group-writable or world-writable? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STRICT_KERNEL_WRX /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + Verify Red Hat Enterprise Linux 8 enforces a delay of at least seconds between console logon prompts following a failed logon attempt with the following command: --w /etc/sudoers -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -i "FAIL_DELAY" /etc/login.defs +FAIL_DELAY + Is it the case that the value of "FAIL_DELAY" is not set to "<sub idref="var_accounts_fail_delay" />" or greater, or the line is commented out? - - To check the permissions of /etc/http/conf/*, -run the command: -$ ls -l /etc/http/conf/* -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/http/conf/* does not have unix mode -rw-r-----? 
+ + To check for legacy lines in /etc/group, run the following command: + grep '^\+' /etc/group +The command should not return any output. + Is it the case that the file contains legacy lines? - + Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes vsyscall=none, +in /etc/default/grub. If it includes slab_nomerge=yes, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled: $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slab_nomerge=yes.*' /etc/default/grub If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +$ sudo grep 'GRUB_CMDLINE_LINUX.*slab_nomerge=yes.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none' +$ sudo grubby --info=ALL | grep args | grep -v 'slab_nomerge=yes' The command should not return any output. - Is it the case that vsyscalls are enabled? + Is it the case that merging of slabs with similar size is enabled? - - To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: -$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config -and verify that the line matches: --oMACS= - Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? 
+ + + +Run the following command to determine the current status of the +pcscd service: +$ sudo systemctl is-active pcscd +If the service is running, it should return the following: active + Is it the case that the pcscd service is not enabled? - + + To check the ownership of /etc/gshadow-, +run the command: +$ ls -lL /etc/gshadow- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/gshadow- does not have an owner of root? + + + -Run the following command to determine if the samba_export_all_rw SELinux boolean is disabled: -$ getsebool samba_export_all_rw +Run the following command to determine if the sanlock_use_fusefs SELinux boolean is disabled: +$ getsebool sanlock_use_fusefs If properly configured, the output should show the following: -samba_export_all_rw --> off - Is it the case that samba_export_all_rw is not disabled? +sanlock_use_fusefs --> off + Is it the case that sanlock_use_fusefs is not disabled? - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To verify that timed logins are disabled, run the following command: +$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf +The output should show the following: +[daemon] +TimedLoginEnable=false + Is it the case that GDM allows a guest to login without credentials? - - -Run the following command to determine if the entropyd_use_audio SELinux boolean is disabled: -$ getsebool entropyd_use_audio -If properly configured, the output should show the following: -entropyd_use_audio --> off - Is it the case that entropyd_use_audio is not disabled? 
+ + To verify all files and directories contained in interactive user home +directory, excluding local initialization files, have a mode of 0750, +run the following command: +$ sudo ls -lLR /home/USER + Is it the case that home directory files or folders have incorrect permissions? - + + To verify the system is not configured to use a boot loader on removable media, +check that the grub configuration file has the set root command in each menu +entry with the following commands: +$ sudo grep -cw menuentry /boot/grub2/grub.cfg +Note that the -c option for the grep command will print +only the count of menuentry occurrences. This number should match +the number of occurrences reported by the following command: +$ sudo grep "set root='hd0" /boot/grub2/grub.cfg +The output should return something similar to: +set root='hd0,msdos1' +usb0, cd, fd0, etc. are some examples of removeable +media which should not exist in the lines: +set root='hd0,msdos1' + Is it the case that it is not? + + + -Run the following command to determine if the daemons_enable_cluster_mode SELinux boolean is disabled: -$ getsebool daemons_enable_cluster_mode +Run the following command to determine if the staff_exec_content SELinux boolean is enabled: +$ getsebool staff_exec_content If properly configured, the output should show the following: -daemons_enable_cluster_mode --> off - Is it the case that daemons_enable_cluster_mode is not disabled? +staff_exec_content --> on + Is it the case that staff_exec_content is not enabled? - - The following command will discover and print any -files on local partitions which do not belong to a valid user. 
-$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser - -Either remove all files and directories from the system that do not have a -valid user, or assign a valid user to all unowned files and directories on -the system with the chown command: -$ sudo chown user file - Is it the case that files exist that are not owned by a valid user? + + To view the root user's PATH, run the following command: +$ sudo env | grep PATH +If correctly configured, the PATH must: use vendor default settings, +have no empty entries, and have no entries beginning with a character +other than a slash (/). + Is it the case that any of these conditions are not met? - + + To ensure the default password is not set, run the following command: +$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' +There should be no output. + Is it the case that the default SNMP passwords public and private have not been changed or removed? + + + -Run the following command to determine if the racoon_read_shadow SELinux boolean is disabled: -$ getsebool racoon_read_shadow +Run the following command to determine if the xguest_use_bluetooth SELinux boolean is disabled: +$ getsebool xguest_use_bluetooth If properly configured, the output should show the following: -racoon_read_shadow --> off - Is it the case that racoon_read_shadow is not disabled? +xguest_use_bluetooth --> off + Is it the case that xguest_use_bluetooth is not disabled? - - The runtime status of the kernel.panic_on_oops kernel parameter can be queried -by running the following command: -$ sysctl kernel.panic_on_oops -1. 
+ + To check that the qpidd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled qpidd +Output should indicate the qpidd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled qpidd disabled - Is it the case that the correct value is not returned? +Run the following command to verify qpidd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active qpidd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the qpidd is masked, run the following command: +$ sudo systemctl show qpidd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "qpidd" is loaded and not masked? - - -Run the following command to determine if the daemons_dump_core SELinux boolean is disabled: -$ getsebool daemons_dump_core -If properly configured, the output should show the following: -daemons_dump_core --> off - Is it the case that daemons_dump_core is not disabled? + + To determine if the system is configured to audit successful calls +to the open system call, run the following command: +$ sudo grep "open" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To check that the avahi-daemon service is disabled in system boot configuration, + + Inspect /etc/audit/auditd.conf and locate the following line to +determine how much data the system will retain in each audit log file: +$ sudo grep max_log_file /etc/audit/auditd.conf +max_log_file = 6 + Is it the case that the system audit data threshold has not been properly configured? 
+ + + + To check that the vsftpd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled avahi-daemon -Output should indicate the avahi-daemon service has either not been installed, +$ sudo systemctl is-enabled vsftpd +Output should indicate the vsftpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled avahi-daemon disabled +$ sudo systemctl is-enabled vsftpd disabled -Run the following command to verify avahi-daemon is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active avahi-daemon +Run the following command to verify vsftpd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active vsftpd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the avahi-daemon is masked, run the following command: -$ sudo systemctl show avahi-daemon | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the vsftpd is masked, run the following command: +$ sudo systemctl show vsftpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "avahi-daemon" is loaded and not masked? + Is it the case that the "vsftpd" is loaded and not masked? - - -Run the following command to determine if the tor_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool tor_bind_all_unreserved_ports -If properly configured, the output should show the following: -tor_bind_all_unreserved_ports --> off - Is it the case that tor_bind_all_unreserved_ports is not disabled? + + The runtime status of the kernel.randomize_va_space kernel parameter can be queried +by running the following command: +$ sysctl kernel.randomize_va_space +2. 
+ + Is it the case that the correct value is not returned? - - To verify if LogLevel is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i loglevel /etc/httpd/conf/httpd.conf -The command should return the following: -LogLevel warn - Is it the case that it is not? + + The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra +0. + + Is it the case that the correct value is not returned? - - Verify the nodev option is configured for the /tmp mount point, - run the following command: - $ sudo mount | grep '\s/tmp\s' - . . . /tmp . . . nodev . . . - - Is it the case that the "/tmp" file system does not have the "nodev" option set? + + To verify the sec option is configured for all NFS mounts, run the following command: +$ mount | grep "sec=" +All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. +This is not applicable if NFS is not implemented. + Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? - - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -$ sudo grep "init_module" /etc/audit/audit.* + + To determine if the system is configured to audit successful calls +to the openat system call, run the following command: +$ sudo grep "openat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - -Run the following command to determine if the git_system_use_nfs SELinux boolean is disabled: -$ getsebool git_system_use_nfs -If properly configured, the output should show the following: -git_system_use_nfs --> off - Is it the case that git_system_use_nfs is not disabled? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_MODULE_SIG_HASH /boot/config.* + + For each kernel installed, a line with value "" should be returned. + + Is it the case that the kernel was not built with the required value? - - -Run the following command to determine if the sanlock_use_samba SELinux boolean is disabled: -$ getsebool sanlock_use_samba -If properly configured, the output should show the following: -sanlock_use_samba --> off - Is it the case that sanlock_use_samba is not disabled? + + Verify the nosuid option is configured for the /var/log mount point, + run the following command: + $ sudo mount | grep '\s/var/log\s' + . . . /var/log . . . nosuid . . . + + Is it the case that the "/var/log" file system does not have the "nosuid" option set? + + + + To ensure the login screen resets after a specified number of failures, +run the following command: +$ grep allowed-failures /etc/dconf/db/gdm.d/* +The output should be 3 or less. +To ensure that users cannot change or configure the resets after a specified +number of failures on the login screen, run the following: +$ grep allowed-failures /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/allowed-failures + Is it the case that allowed-failures is not equal to or less than the expected value? + + + + To determine if the system is configured to audit calls to the +setxattr system call, run the following command: +$ sudo grep "setxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
@@ -376128,273 +376678,381 @@ multi-user.target Is it the case that the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface? - - To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: - Is it the case that no line is returned? +$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? - - To check the ownership of /etc/shadow, -run the command: -$ ls -lL /etc/shadow -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/shadow does not have an owner of root? + + Verify Red Hat Enterprise Linux 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: + +$ sudo grep -w space_left_action /etc/audit/auditd.conf + +space_left_action = + +If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. + Is it the case that there is no evidence that real-time alerts are configured on the system? - - Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed. + + To determine if the system is configured to audit unsuccessful calls +to the fchown system call, run the following command: +$ sudo grep "fchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. 
-Run the following command to determine if the openssl-pkcs11 package is installed: -$ rpm -q openssl-pkcs11 - Is it the case that smartcard software is not installed? + Is it the case that no line is returned? - - Run the following command to determine if the tar package is installed: $ rpm -q tar - Is it the case that the package is not installed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: + +$ sudo auditctl -l | grep unix_update + +-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the openshift_use_nfs SELinux boolean is disabled: -$ getsebool openshift_use_nfs -If properly configured, the output should show the following: -openshift_use_nfs --> off - Is it the case that openshift_use_nfs is not disabled? + + Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: + +$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + +The output should be: + +/etc/rsyslog.conf:$DefaultNetstreamDriver gtls + Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? - + -Run the following command to determine if the unconfined_chrome_sandbox_transition SELinux boolean is enabled: -$ getsebool unconfined_chrome_sandbox_transition +Run the following command to determine if the named_tcp_bind_http_port SELinux boolean is disabled: +$ getsebool named_tcp_bind_http_port If properly configured, the output should show the following: -unconfined_chrome_sandbox_transition --> on - Is it the case that unconfined_chrome_sandbox_transition is not enabled? +named_tcp_bind_http_port --> off + Is it the case that named_tcp_bind_http_port is not disabled? 
- - To verify if the OpenSSL uses defined Crypto Policy, run: -$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1 -and verify that the line matches -Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 - Is it the case that Crypto Policy for OpenSSL is not configured according to CC requirements? + + Run the following command to determine the current status of the logrotate timer: $ sudo systemctl is-active logrotate.timer If the timer is running, it should return the following: active + Is it the case that logrotate timer is not enabled? - - To verify the operating system implements cryptography to protect the integrity of -remote ldap access sessions, run the following command: -$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf -The output should return the following with a correctly configured CA cert path: -ldap_tls_cacert /path/to/tls/ca.cert - Is it the case that the TLS CA cert is not configured? + + To check that the netconsole service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled netconsole +Output should indicate the netconsole service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled netconsole disabled + +Run the following command to verify netconsole is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active netconsole + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the netconsole is masked, run the following command: +$ sudo systemctl show netconsole | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "netconsole" is loaded and not masked? 
- - Run the following command to determine if the quagga package is installed: -$ rpm -q quagga - Is it the case that the package is installed? + + To check if the system motd banner is compliant, +run the following command: +$ cat /etc/motd + Is it the case that it does not display the required banner? - - To determine if the system is configured to audit calls to the -clock_settime system call, run the following command: -$ sudo grep "clock_settime" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + +Run the following command to determine if the httpd_dontaudit_search_dirs SELinux boolean is disabled: +$ getsebool httpd_dontaudit_search_dirs +If properly configured, the output should show the following: +httpd_dontaudit_search_dirs --> off + Is it the case that httpd_dontaudit_search_dirs is not disabled? + + + + Run the following command to determine if the sudo package is installed: $ rpm -q sudo + Is it the case that the package is not installed? + + + + +To properly set the owner of /var/log/httpd, run the command: +$ sudo chown root /var/log/httpd - Is it the case that no line is returned? +To properly set the owner of /var/log/httpd/*, run the command: +$ sudo chown root /var/log/httpd/* + Is it the case that ? - - Verify the NX (no-execution) bit flag is set on the system. + + Verify that sshd isn't configured to ignore the system wide cryptographic policy. -Check that the no-execution bit flag is set with the following commands: +Check that the CRYPTO_POLICY variable is not set or is commented out in the +/etc/sysconfig/sshd. -$ sudo dmesg | grep NX +Run the following command: -[ 0.000000] NX (Execute Disable) protection: active +$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd + Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd? + + + + Verify the Red Hat Enterprise Linux 8 "fapolicyd" employs a deny-all, permit-by-exception policy. 
-If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: +Check that "fapolicyd" is in enforcement mode with the following command: -$ sudo grep flags /proc/cpuinfo -flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts +$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf -The output should contain the "nx" flag. - Is it the case that NX is disabled? +permissive = 0 + +Check that fapolicyd employs a deny-all policy on system mounts with the following commands: + +For RHEL 8.5 systems and older: +$ sudo tail /etc/fapolicyd/fapolicyd.rules + +For RHEL 8.6 systems and newer: +$ sudo tail /etc/fapolicyd/compiled.rules + +allow exe=/usr/bin/python3.7 : ftype=text/x-python +deny_audit perm=any pattern=ld_so : all +deny perm=any all : all + Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy? - - To check the group ownership of /etc/shadow, -run the command: -$ ls -lL /etc/shadow -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/shadow does not have a group owner of root? + + To check if MaxStartups is configured, run the following command: +$ sudo grep MaxStartups /etc/ssh/sshd_config +If configured, this command should output the configuration. + Is it the case that maxstartups is not configured? - + + To verify /etc/system-fips exists, run the following command: +ls -l /etc/system-fips +The output should be similar to the following: +-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips + Is it the case that /etc/system-fips does not exist? 
+ + + -Run the following command to determine if the ftpd_anon_write SELinux boolean is disabled: -$ getsebool ftpd_anon_write +Run the following command to determine if the xend_run_blktap SELinux boolean is enabled: +$ getsebool xend_run_blktap If properly configured, the output should show the following: -ftpd_anon_write --> off - Is it the case that ftpd_anon_write is not disabled? +xend_run_blktap --> on + Is it the case that xend_run_blktap is not enabled? - - Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command: - -$ grep -i storage /etc/systemd/coredump.conf - -Storage=none - Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? + + To check the group ownership of /var/log/messages, +run the command: +$ ls -lL /var/log/messages +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /var/log/messages does not have a group owner of root? - - To verify that SSSD is configured to run as user sssd, run the following command: -$ sudo grep -r '\buser\b' /etc/sssd -If configured properly, output should similar to /etc/sssd/conf.d/ospp.conf:user = sssd. -Sanity of SSSD configuration in general can be checked using $ sudo sssctl config-check - Is it the case that it does not exist or is not configured properly? + + Run the following command to ensure that /tmp is configured as a +polyinstantiated directory: +$ sudo grep /tmp /etc/security/namespace.conf +The output should return the following: +/tmp /tmp/tmp-inst/ level root,adm + Is it the case that is not configured? 
- - To check the group ownership of /etc/passwd, -run the command: -$ ls -lL /etc/passwd -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/passwd does not have a group owner of root? + + To verify that remote access methods are logging to rsyslog, +run the following command: +grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.* +The output should contain auth.*, authpriv.*, and daemon.* +pointing to a log file. + Is it the case that remote access methods are not logging to rsyslog? - - Run the following command to determine if the opensc package is installed: $ rpm -q opensc + + Verify that a separate file system/partition has been created for /var/tmp with the following command: + +$ mountpoint /var/tmp + + Is it the case that "/var/tmp is not a mountpoint" is returned? + + + + Run the following command to determine if the rng-tools package is installed: $ rpm -q rng-tools Is it the case that the package is not installed? - - Run the following command to determine if the abrt-addon-kerneloops package is installed: -$ rpm -q abrt-addon-kerneloops - Is it the case that the package is installed? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEVKMEM /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Verify the nosuid option is configured for the /srv mount point, - run the following command: - $ sudo mount | grep '\s/srv\s' - . . . /srv . . . nosuid . . . + + Verify Red Hat Enterprise Linux 8 enforces 24 hours/1 day as the minimum password lifetime for new user accounts. - Is it the case that the "/srv" file system does not have the "nosuid" option set? 
+Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: + +$ grep -i pass_min_days /etc/login.defs + +PASS_MIN_DAYS + Is it the case that the "PASS_MIN_DAYS" parameter value is not "<sub idref="var_accounts_minimum_age_login_defs" />" or greater, or is commented out? - - The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried -by running the following command: -$ sysctl kernel.perf_event_paranoid -2. - - Is it the case that the correct value is not returned? + + Verify an anti-virus solution is installed on the system. The anti-virus solution may be +bundled with an approved host-based security solution. + Is it the case that there is no anti-virus solution installed on the system? - - To determine if NOEXEC has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\bnoexec\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that noexec is not enabled in sudo? + + To check the group ownership of /var/log, +run the command: +$ ls -lL /var/log +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /var/log does not have a group owner of root? - - The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_source_route -0. + + The telnet package can be removed with the following command: $ sudo yum erase telnet + Is it the case that ? + + + + To check that the abrtd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled abrtd +Output should indicate the abrtd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled abrtd disabled - Is it the case that the correct value is not returned? 
+Run the following command to verify abrtd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active abrtd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the abrtd is masked, run the following command: +$ sudo systemctl show abrtd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "abrtd" is loaded and not masked? - - To verify if MaxKeepAliveRequests is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i maxkeepaliverequests /etc/httpd/conf/httpd.conf -The command should return the following: -MaxKeepAliveRequests 100 - Is it the case that it is not? + + To determine whether the SSH service is configured to use strong entropy seed, +run $ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd +If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, +then the option is set correctly. + Is it the case that the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd? - - To verify that the system will shutdown when auditd fails, -run the following command: -$ sudo grep "\-f " /etc/audit/audit.rules -The output should contain: --f - Is it the case that the system is not configured to shutdown on auditd failures? + + To check the ownership of /boot/efi/EFI/redhat/grub.cfg, +run the command: +$ ls -lL /boot/efi/EFI/redhat/grub.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that /boot/efi/EFI/redhat/grub.cfg does not have an owner of root? - - Verify the noexec option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . noexec . . . - - Is it the case that the "/boot" file system does not have the "noexec" option set? 
+ + To check the permissions of /etc/shadow, +run the command: +$ ls -l /etc/shadow +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/shadow does not have unix mode ----------? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + + +If the system is configured to prevent the loading of the bluetooth kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -$ sudo auditctl -l | grep postdrop +These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword. --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop - Is it the case that the command does not return a line, or the line is commented out? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - + -Run the following command to determine if the rsync_client SELinux boolean is disabled: -$ getsebool rsync_client +Run the following command to determine if the secadm_exec_content SELinux boolean is enabled: +$ getsebool secadm_exec_content If properly configured, the output should show the following: -rsync_client --> off - Is it the case that rsync_client is not disabled? +secadm_exec_content --> on + Is it the case that secadm_exec_content is not enabled? - - To check on the age of McAfee virus definition files, run the following command: -$ sudo cd /opt/NAI/LinuxShield/engine/dat -$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat - Is it the case that signatures are out of date? 
+ + +Run the following command to determine if the ssh_keysign SELinux boolean is disabled: +$ getsebool ssh_keysign +If properly configured, the output should show the following: +ssh_keysign --> off + Is it the case that ssh_keysign is not disabled? - + - -Run the following command to determine the current status of the -crond service: -$ sudo systemctl is-active crond -If the service is running, it should return the following: active - Is it the case that ? +Run the following command to determine if the httpd_ssi_exec SELinux boolean is disabled: +$ getsebool httpd_ssi_exec +If properly configured, the output should show the following: +httpd_ssi_exec --> off + Is it the case that httpd_ssi_exec is not disabled? - - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + To check that the zebra service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled zebra +Output should indicate the zebra service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled zebra disabled - Is it the case that no line is returned? - - - - -To properly set the group owner of /etc/audit/, run the command: -$ sudo chgrp root /etc/audit/ +Run the following command to verify zebra is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active zebra -To properly set the group owner of /etc/audit/rules.d/, run the command: -$ sudo chgrp root /etc/audit/rules.d/ - Is it the case that ? 
+If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the zebra is masked, run the following command: +$ sudo systemctl show zebra | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "zebra" is loaded and not masked? 
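Review bot: the added fchown audit check greps `/etc/audit.*`, while every comparable check in this hunk (setxattr, init_module) greps `/etc/audit/audit.*`; the shortened path looks like a typo that misses /etc/audit/audit.rules and would make a correctly configured host answer "no line is returned". Several added OCIL texts also ship with unresolved substitutions: `space_left_action = ` together with `is not set to ""`, `PASS_MIN_DAYS ` followed by a raw `<sub idref="var_accounts_minimum_age_login_defs" />` in the question, and two questions that read only `Is it the case that ?` (the /var/log/httpd ownership item and the telnet removal item); these should be rendered with their profile values or the items left out of the published datastream. Minor: in the netconsole text the example output is run onto the command as `$ sudo systemctl is-enabled netconsole disabled`, which reads as one command.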
@@ -376414,314 +377072,206 @@ The output should be the following: Is it the case that the command does not return all lines, or the lines are commented out? - - -Run the following command to determine if the ftpd_connect_db SELinux boolean is disabled: -$ getsebool ftpd_connect_db -If properly configured, the output should show the following: -ftpd_connect_db --> off - Is it the case that ftpd_connect_db is not disabled? + + To determine if arguments that commands can be executed with are restricted, run the following command: +$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that /etc/sudoers file contains user specifications that allow execution of commands with any arguments? - - To ensure ClientAliveInterval is set correctly, run the following command: - -$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config - -If properly configured, the output should be: -ClientAliveCountMax 0 - -In this case, the SSH timeout occurs precisely when -the ClientAliveInterval is set. - Is it the case that it is commented out or not configured properly? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_RANDOMIZE_BASE /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - + -Run the following command to determine if the antivirus_can_scan_system SELinux boolean is enabled: -$ getsebool antivirus_can_scan_system +Run the following command to determine if the mpd_enable_homedirs SELinux boolean is disabled: +$ getsebool mpd_enable_homedirs If properly configured, the output should show the following: -antivirus_can_scan_system --> on - Is it the case that antivirus_can_scan_system is not enabled? 
- - - - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: - -$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf - -The output should be: - -/etc/rsyslog.conf:$DefaultNetstreamDriver gtls - Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? +mpd_enable_homedirs --> off + Is it the case that mpd_enable_homedirs is not disabled? - - Inspect the file /etc/sysconfig/iptables to determine -the default policy for the INPUT chain. It should be set to DROP: -$ sudo grep ":INPUT" /etc/sysconfig/iptables - Is it the case that the default policy for the INPUT chain is not set to DROP? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/43-module-load.rules +The output has to be exactly as follows: +## These rules watch for kernel module insertion. By monitoring +## the syscall, we do not need any watches on programs. +-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load +-a always,exit -F arch=b32 -S delete_module -F key=module-unload +-a always,exit -F arch=b64 -S delete_module -F key=module-unload + Is it the case that the file does not exist or the content differs? - - To verify that the installed operating system is supported or certified, run -the following command: + + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +$ sudo grep "init_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -The output should contain something similar to: -Red Hat Enterprise Linux 8 - Is it the case that the installed operating system is not FIPS 140-2 certified? + Is it the case that no line is returned? 
- - Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: -$ sudo grep -iw log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log -Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: -$ sudo stat -c "%n %U" /var/log/audit/audit.log -Audit logs must be owned by user root. -If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. - Is it the case that the audit log is not owned by root? + + Inspect the system to determine if intrusion detection software has been installed. +Verify this intrusion detection software is active. + Is it the case that no host-based intrusion detection tools are installed? - + -To check that the systemd-journal-remote.socket socket is disabled in system boot configuration with systemd, run the following command: -$ systemctl is-enabled systemd-journal-remote.socket -Output should indicate the systemd-journal-remote.socket socket has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled systemd-journal-remote.socketdisabled - -Run the following command to verify systemd-journal-remote.socket is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active systemd-journal-remote.socket - -If the socket is not running the command will return the following output: -inactive - -The socket will also be masked, to check that the systemd-journal-remote.socket is masked, run the following command: -$ sudo systemctl show systemd-journal-remote.socket | grep "LoadState\|UnitFileState" - -If the socket is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the systemd-journal-remote socket is not masked? 
+Run the following command to determine if the zoneminder_anon_write SELinux boolean is disabled: +$ getsebool zoneminder_anon_write +If properly configured, the output should show the following: +zoneminder_anon_write --> off + Is it the case that zoneminder_anon_write is not disabled? - + -Run the following command to determine if the icecast_use_any_tcp_ports SELinux boolean is disabled: -$ getsebool icecast_use_any_tcp_ports +Run the following command to determine if the guest_exec_content SELinux boolean is disabled: +$ getsebool guest_exec_content If properly configured, the output should show the following: -icecast_use_any_tcp_ports --> off - Is it the case that icecast_use_any_tcp_ports is not disabled? +guest_exec_content --> off + Is it the case that guest_exec_content is not disabled? - - Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: - -$ sudo grep difok /etc/security/pwquality.conf + + +If the system is configured to prevent the loading of the can kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -difok = - Is it the case that the value of "difok" is set to less than "<sub idref="var_password_pam_difok" />", or is commented out? - - - - Verify the nosuid option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . nosuid . . . +These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword. - Is it the case that the "/boot" file system does not have the "nosuid" option set? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r can /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? 
- - To verify if the OpenSSL uses defined TLS Crypto Policy, run: -$ grep -P '^(TLS\.)?MinProtocol' /etc/crypto-policies/back-ends/opensslcnf.config -and verify that the value is -TLSv1.2 - Is it the case that cryptographic policy for openssl is not configured or is configured incorrectly? + + +Run the following command to determine if the neutron_can_network SELinux boolean is disabled: +$ getsebool neutron_can_network +If properly configured, the output should show the following: +neutron_can_network --> off + Is it the case that neutron_can_network is not disabled? - - To check that the psacct service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled psacct -Output should indicate the psacct service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled psacct disabled - -Run the following command to verify psacct is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active psacct - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the psacct is masked, run the following command: -$ sudo systemctl show psacct | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "psacct" is loaded and not masked? + + +Run the following command to determine if the httpd_can_network_relay SELinux boolean is disabled: +$ getsebool httpd_can_network_relay +If properly configured, the output should show the following: +httpd_can_network_relay --> off + Is it the case that httpd_can_network_relay is not disabled? 
- - Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: + + -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; - Is it the case that any system-wide shared library file is found to be group-writable or world-writable? +Run the following command to determine the current status of the +cron service: +$ sudo systemctl is-active cron +If the service is running, it should return the following: active + Is it the case that ? - - -Verify that the libuser is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. - -Check the hashing algorithm that is being used to hash passwords with the following command: + + Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: -$ sudo grep -i crypt_style /etc/libuser.conf +$ sudo more /etc/fstab -crypt_style = sha512 - Is it the case that crypt_style is not set to sha512? +UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 + Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set? - - Verify that there are no wireless interfaces configured on the system -with the following command: - -Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. + + To verify that acquiring, saving, and processing core dumps is disabled, run the +following command: +$ systemctl status systemd-coredump.socket +The output should be similar to: +● systemd-coredump.socket + Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) + Active: inactive (dead) ... 
-$ nmcli device status -DEVICE TYPE STATE CONNECTION -virbr0 bridge connected virbr0 -wlp7s0 wifi connected wifiSSID -enp6s0 ethernet disconnected -- -p2p-dev-wlp7s0 wifi-p2p disconnected -- -lo loopback unmanaged -- -virbr0-nic tun unmanaged -- - Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)? + Is it the case that unit systemd-coredump.socket is not masked or running? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_WX /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify that a remote NTP service is configured for time synchronization, +open the following file: +/etc/ntp.conf +In the file, there should be a section similar to the following: +server ntpserver + Is it the case that this is not the case? - - Verify the nosuid option is configured for the /opt mount point, - run the following command: - $ sudo mount | grep '\s/opt\s' - . . . /opt . . . nosuid . . . - - Is it the case that the "/opt" file system does not have the "nosuid" option set? + + +Run the following command to determine if the daemons_use_tcp_wrapper SELinux boolean is disabled: +$ getsebool daemons_use_tcp_wrapper +If properly configured, the output should show the following: +daemons_use_tcp_wrapper --> off + Is it the case that daemons_use_tcp_wrapper is not disabled? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs. + + The file /etc/cron.deny should not exist. 
+This can be checked by runnig the following -Check that Red Hat Enterprise Linux 8 takes the appropriate action when an audit processing failure occurs with the following command: +stat /etc/cron.deny -$ sudo grep disk_error_action /etc/audit/auditd.conf +and the output should be -disk_error_action = +stat: cannot stat `/etc/cron.deny': No such file or directory -If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. - Is it the case that there is no evidence of appropriate action? - - - - -Run the following command to determine if the global_ssp SELinux boolean is disabled: -$ getsebool global_ssp -If properly configured, the output should show the following: -global_ssp --> off - Is it the case that global_ssp is not disabled? + Is it the case that the file /etc/cron.deny exists? - + -Run the following command to determine if the samba_load_libgfapi SELinux boolean is disabled: -$ getsebool samba_load_libgfapi +Run the following command to determine if the awstats_purge_apache_log_files SELinux boolean is disabled: +$ getsebool awstats_purge_apache_log_files If properly configured, the output should show the following: -samba_load_libgfapi --> off - Is it the case that samba_load_libgfapi is not disabled? - - - - -Run the following command to get the current configured value for polyinstantiation_enabled -SELinux boolean: -$ getsebool polyinstantiation_enabled -The expected cofiguration is . -"on" means true, and "off" means false - Is it the case that polyinstantiation_enabled is not set as expected? 
- - - - To verify if the mod_perl is installed, run the following command: -$ rpm -qa | grep mod_perl -If the mod_perl module is installed, verify that PerlSwitches -T -is enabled in /etc/httpd/conf.d/perl.conf by running the following -command: -$ grep -i "PerlSwitches -T" /etc/httpd/conf.d/perl.conf -The output should return uncommented: -PerlSwitches -T - Is it the case that it is not? +awstats_purge_apache_log_files --> off + Is it the case that awstats_purge_apache_log_files is not disabled? - - Verify that the IPSec service uses the system crypto policy. + + Verify the audit log directories have a correct mode or less permissive mode. -If the ipsec service is not installed is not applicable. +Find the location of the audit logs: -Check to see if the "IPsec" service is active with the following command: +$ sudo grep "^log_file" /etc/audit/auditd.conf -$ systemctl status ipsec -ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec -Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) -Active: inactive (dead) -If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: +Run the following command to check the mode of the system audit logs: -$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf +$ sudo stat -c "%a %n" [audit_log_directory] -/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config - Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: +Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". 
-$ sudo auditctl -l | grep semanage --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update - Is it the case that the command does not return a line, or the line is commented out? - - - - -Run the following command to determine if the cvs_read_shadow SELinux boolean is disabled: -$ getsebool cvs_read_shadow -If properly configured, the output should show the following: -cvs_read_shadow --> off - Is it the case that cvs_read_shadow is not disabled? +The correct permissions are 0700 + Is it the case that audit logs have a more permissive mode? - - The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried -by running the following command: -$ sysctl kernel.unprivileged_bpf_disabled -1. + + Verify the noexec option is configured for the /var mount point, + run the following command: + $ sudo mount | grep '\s/var\s' + . . . /var . . . noexec . . . - Is it the case that the correct value is not returned? + Is it the case that the "/var" file system does not have the "noexec" option set? 
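Review bot: The added cron service status check ends with an empty question, "Is it the case that ?", so the OCIL question text for that rule was not filled in when the datastream was generated; the question should state the failing condition (for example that the cron service is not active or is masked), otherwise an assessor has nothing to answer. The same added block also carries a typo in the cron.deny check, "This can be checked by runnig the following", which should read "running". Both are defects in the rendered content rather than publishing noise, so they need fixing in the source templates before the next automated publish reproduces them.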
@@ -376741,786 +377291,688 @@ $ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d Is it the case that the ipv6 kernel module is not disabled? - - To ensure that users cannot disable the screensaver idle inactivity setting, run the following: -$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled - Is it the case that idle-activation-enabled is not locked? + + Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: + +$ grep maxclassrepeat /etc/security/pwquality.conf + +maxclassrepeat = + Is it the case that the value of "maxclassrepeat" is set to "0", more than "<sub idref="var_password_pam_maxclassrepeat" />" or is commented out? - + -Run the following command to determine if the secadm_exec_content SELinux boolean is enabled: -$ getsebool secadm_exec_content +Run the following command to determine if the httpd_graceful_shutdown SELinux boolean is enabled: +$ getsebool httpd_graceful_shutdown If properly configured, the output should show the following: -secadm_exec_content --> on - Is it the case that secadm_exec_content is not enabled? +httpd_graceful_shutdown --> on + Is it the case that httpd_graceful_shutdown is not enabled? - - Determine where the audit logs are stored with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf - -log_file = /var/log/audit/audit.log - -Determine the owner of the audit log directory by using the output of the above command -(default: "/var/log/audit/"). Run the following command with the correct audit log directory -path: - -$ sudo ls -ld /var/log/audit - -drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + + To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 8 systems, +run the following command: +$ dmesg | grep '[NX|DX]*protection' +The output should not contain 'disabled by kernel command line option'. 
+Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes noexec=off, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*noexec=off.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*noexec=off.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'noexec=off' +The command should not return any output. + Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.? + + + + Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: -The audit log directory must be owned by "root" - Is it the case that the directory is not owned by root? +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; + Is it the case that any system-wide shared library file is found to be group-writable or world-writable? - - -Run the following command to determine if the virt_use_xserver SELinux boolean is disabled: -$ getsebool virt_use_xserver -If properly configured, the output should show the following: -virt_use_xserver --> off - Is it the case that virt_use_xserver is not disabled? + + To determine that AIDE is verifying ACLs, run the following command: +$ grep acl /etc/aide.conf +Verify that the acl option is added to the correct ruleset. + Is it the case that the acl option is missing or not added to the correct ruleset? 
- - Run the following command to determine if the rsh-server package is installed: -$ rpm -q rsh-server - Is it the case that the package is installed? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + +$ sudo auditctl -l | grep userhelper + +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the git_session_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool git_session_bind_all_unreserved_ports -If properly configured, the output should show the following: -git_session_bind_all_unreserved_ports --> off - Is it the case that git_session_bind_all_unreserved_ports is not disabled? + + To check that the rdisc service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rdisc +Output should indicate the rdisc service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rdisc disabled + +Run the following command to verify rdisc is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rdisc + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rdisc is masked, run the following command: +$ sudo systemctl show rdisc | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "rdisc" is loaded and not masked? 
- - To check the permissions of /etc/group, -run the command: -$ ls -l /etc/group -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/group does not have unix mode -rw-r--r--? + + To determine that AIDE is verifying extended file attributes, run the following command: +$ grep xattrs /etc/aide.conf +Verify that the xattrs option is added to the correct ruleset. + Is it the case that the xattrs option is missing or not added to the correct ruleset? - - Verify the nosuid option is configured for the /var/log mount point, - run the following command: - $ sudo mount | grep '\s/var/log\s' - . . . /var/log . . . nosuid . . . - - Is it the case that the "/var/log" file system does not have the "nosuid" option set? + + Check the root home directory for a .mozilla directory. If +one exists, ensure browsing is limited to local service administration. + Is it the case that this is not the case? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules -The output has to be exactly as follows: -## Successful file delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete - Is it the case that the file does not exist or the content differs? + + To determine if the system is configured to audit calls to the +adjtimex system call, run the following command: +$ sudo grep "adjtimex" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
- - System executables are stored in the following directories by default: -/bin -/sbin -/usr/bin -/usr/local/bin -/usr/local/sbin -/usr/sbin -For each of these directories, run the following command to find files -not owned by root: -$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \; - Is it the case that any system executables directories are found to not be owned by root? + + Verify that Red Hat Enterprise Linux 8 's INACTIVE conforms to site policy (no more than 30 days) with the following command: + +$ sudo awk -F: '$7 > 30 {print $1 " " $7}' /etc/shadow + Is it the case that the value of INACTIVE is greater than the expected value or is -1? - - Verify the audit log directories have a correct mode or less permissive mode. + + -Find the location of the audit logs: -$ sudo grep "^log_file" /etc/audit/auditd.conf +To determine if firewalld is configured to allow access +on port 22/tcp, run the following command(s): + firewall-cmd --list-ports -Run the following command to check the mode of the system audit logs: +to ssh + firewall-cmd --list-services -$ sudo stat -c "%a %n" [audit_log_directory] +If firewalld is configured to allow access through the firewall, something similar to the following will be output: -Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". +If it is a service: +ssh -The correct permissions are 0700 - Is it the case that audit logs have a more permissive mode? +If it is a port: +22/tcp + + Is it the case that sshd service is not enabled in the proper firewalld zone? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_LEGACY_PTYS /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + Inspect /etc/default/grub for any instances of selinux=0 +in the kernel boot arguments. Presence of selinux=0 indicates +that SELinux is disabled at boot time. + Is it the case that SELinux is disabled at boot time? - - To check the minimum password length, run the command: -$ grep PASS_MIN_LEN /etc/login.defs -The DoD requirement is 15. - Is it the case that it is not set to the required value? + + +Run the following command to determine if the antivirus_use_jit SELinux boolean is disabled: +$ getsebool antivirus_use_jit +If properly configured, the output should show the following: +antivirus_use_jit --> off + Is it the case that antivirus_use_jit is not disabled? - - To determine whether the SSH service is configured to use strong entropy seed, -run $ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd -If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, -then the option is set correctly. - Is it the case that the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd? + + +Run the following command to determine if the unconfined_mozilla_plugin_transition SELinux boolean is enabled: +$ getsebool unconfined_mozilla_plugin_transition +If properly configured, the output should show the following: +unconfined_mozilla_plugin_transition --> on + Is it the case that unconfined_mozilla_plugin_transition is not enabled? - - Verify the SELINUX on Red Hat Enterprise Linux 8 is using the policy with the following command: - -$ sestatus | grep policy - -Loaded policy name: - Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"? + + To verify the sec option is configured for all NFS mounts, run the following command: +$ grep "sec=" /etc/exports +All configured NFS exports should show the sec=krb5:krb5i:krb5p setting in parentheses. +This is not applicable if NFS is not implemented. + Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? 
- - Remote web authors should not be able to upload files to the Document Root -directory structure without virus checking and checking for malicious or mobile -code. - Is it the case that it is not? - - - - To check the permissions of /etc/audit/auditd.conf, -run the command: -$ ls -l /etc/audit/auditd.conf -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/audit/auditd.conf does not have unix mode -rw-r-----? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_ALL /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? - - - - -Run the following command to determine if the domain_kernel_load_modules SELinux boolean is disabled: -$ getsebool domain_kernel_load_modules -If properly configured, the output should show the following: -domain_kernel_load_modules --> off - Is it the case that domain_kernel_load_modules is not disabled? - - - - To verify that tmux is not listed as allowed shell on the system -run the following command: -$ grep 'tmux$' /etc/shells -The output should be empty. - Is it the case that tmux is listed in /etc/shells? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules +The output has to be exactly as follows: +## Successful file access (any other opens) This has to go last. 
+## These next two are likely to result in a whole lot of events +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Is it the case that the file does not exist or the content differs? - - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -$ sudo grep "fchmodat" /etc/audit/audit.* + + If the system is not configured to audit time changes, this is a finding. +If the system is 64-bit only, this is not applicable +ocil: | +To determine if the system is configured to audit calls to the +stime system call, run the following command: +$ sudo grep "stime" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - - -Run the following command to determine if the git_cgi_enable_homedirs SELinux boolean is disabled: -$ getsebool git_cgi_enable_homedirs -If properly configured, the output should show the following: -git_cgi_enable_homedirs --> off - Is it the case that git_cgi_enable_homedirs is not disabled? + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/passwd)' + +-w /etc/passwd -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full. + + Check group owners of the system audit logs. -Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit storage volume is full with the following command: +First, determine where the audit log file is located. 
-$ sudo grep disk_full_action /etc/audit/auditd.conf +$ sudo grep -iw ^log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log -disk_full_action = +The log_file option specifies the audit log file path. +If the log_file option isn't defined, check all files within /var/log/audit directory. -If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. - Is it the case that there is no evidence of appropriate action? + +Then, determine the audit log group by running the following command: +$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf + + +Then, check that the audit log file is owned by the correct group. +Run the following command to display the owner of the audit log file: + +$ sudo stat -c "%n %G" log_file + + +The audit log file must be owned by the log_group or by root if the log_group is not specified. + Is it the case that audit log files are owned by incorrect group? - - The runtime status of the fs.protected_hardlinks kernel parameter can be queried -by running the following command: -$ sysctl fs.protected_hardlinks -1. + + Verify that a separate file system/partition has been created for /srv with the following command: - Is it the case that the correct value is not returned? +$ mountpoint /srv + + Is it the case that "/srv is not a mountpoint" is returned? - + -Run the following command to determine if the mozilla_plugin_bind_unreserved_ports SELinux boolean is disabled: -$ getsebool mozilla_plugin_bind_unreserved_ports +Run the following command to determine if the lsmd_plugin_connect_any SELinux boolean is disabled: +$ getsebool lsmd_plugin_connect_any If properly configured, the output should show the following: -mozilla_plugin_bind_unreserved_ports --> off - Is it the case that mozilla_plugin_bind_unreserved_ports is not disabled? 
+lsmd_plugin_connect_any --> off + Is it the case that lsmd_plugin_connect_any is not disabled? - - To check the group ownership of /etc/passwd-, + + If the system uses IPv6, this is not applicable. + +If the system is configured to prevent the usage of the ipv6 on +network interfaces, it will contain a line of the form: +net.ipv6.conf.default.disable_ipv6 = 1 +Such lines may be inside any file in the /etc/sysctl.d directory. +This permits insertion of the IPv6 kernel module (which other parts of the +system expect to be present), but otherwise keeps network interfaces +from using IPv6. Run the following command to search for such lines in all +files in /etc/sysctl.d: +$ grep -r ipv6 /etc/sysctl.d + Is it the case that the ipv6 support is disabled by default on network interfaces? + + + + To check the ownership of /etc/motd, run the command: -$ ls -lL /etc/passwd- -If properly configured, the output should indicate the following group-owner: +$ ls -lL /etc/motd +If properly configured, the output should indicate the following owner: root - Is it the case that /etc/passwd- does not have a group owner of root? + Is it the case that /etc/motd does not have an owner of root? - - Storing logs with compression can help avoid filling the system disk. -Run the following command to verify that journald is compressing logs. - -grep "^\sCompress" /etc/systemd/journald.conf - -and it should return + + Verify that Red Hat Enterprise Linux 8 loads the driver with the following command: -Compress=yes +$ grep card_drivers /etc/opensc.conf - Is it the case that is commented out or not configured correctly? - - - - Run the following command to determine if the squid package is installed: -$ rpm -q squid - Is it the case that the package is installed? +card_drivers = ; + Is it the case that "<sub idref="var_smartcard_drivers" />" is not listed as a card driver, or there is no line returned for "card_drivers"? 
- - To check that the dhcpd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled dhcpd -Output should indicate the dhcpd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled dhcpd disabled + + Verify the NX (no-execution) bit flag is set on the system. -Run the following command to verify dhcpd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active dhcpd +Check that the no-execution bit flag is set with the following commands: -If the service is not running the command will return the following output: -inactive +$ sudo dmesg | grep NX -The service will also be masked, to check that the dhcpd is masked, run the following command: -$ sudo systemctl show dhcpd | grep "LoadState\|UnitFileState" +[ 0.000000] NX (Execute Disable) protection: active -If the service is masked the command will return the following outputs: +If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: -LoadState=masked +$ sudo grep flags /proc/cpuinfo +flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts -UnitFileState=masked - Is it the case that the "dhcpd" is loaded and not masked? +The output should contain the "nx" flag. + Is it the case that NX is disabled? - - To check that the debug-shell service is disabled in system boot configuration, + + +Run the following command to determine if the httpd_serve_cobbler_files SELinux boolean is disabled: +$ getsebool httpd_serve_cobbler_files +If properly configured, the output should show the following: +httpd_serve_cobbler_files --> off + Is it the case that httpd_serve_cobbler_files is not disabled? + + + + Run the following command to determine if the freeradius package is installed: $ rpm -q freeradius + Is it the case that the package is installed? 
+ + + + To check the permissions of /etc/audit/auditd.conf, +run the command: +$ ls -l /etc/audit/auditd.conf +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/audit/auditd.conf does not have unix mode -rw-r-----? + + + + +Run the following command to determine if the ftpd_use_passive_mode SELinux boolean is disabled: +$ getsebool ftpd_use_passive_mode +If properly configured, the output should show the following: +ftpd_use_passive_mode --> off + Is it the case that ftpd_use_passive_mode is not disabled? + + + + To check that the smb service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled debug-shell -Output should indicate the debug-shell service has either not been installed, +$ sudo systemctl is-enabled smb +Output should indicate the smb service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled debug-shell disabled +$ sudo systemctl is-enabled smb disabled -Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active debug-shell +Run the following command to verify smb is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active smb If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the debug-shell is masked, run the following command: -$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the smb is masked, run the following command: +$ sudo systemctl show smb | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "debug-shell" is loaded and not masked? 
+ Is it the case that the "smb" is loaded and not masked? - + -Run the following command to determine if the postgresql_selinux_unconfined_dbadm SELinux boolean is enabled: -$ getsebool postgresql_selinux_unconfined_dbadm +Run the following command to determine if the cron_userdomain_transition SELinux boolean is enabled: +$ getsebool cron_userdomain_transition If properly configured, the output should show the following: -postgresql_selinux_unconfined_dbadm --> on - Is it the case that postgresql_selinux_unconfined_dbadm is not enabled? +cron_userdomain_transition --> on + Is it the case that cron_userdomain_transition is not enabled? - - To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -$ sudo grep "removexattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + If IPv6 is disabled, this is not applicable. - Is it the case that no line is returned? - - - - Run the following command to determine if the cyrus-imapd package is installed: -$ rpm -q cyrus-imapd - Is it the case that the package is installed? - - - - To determine if the system is configured to audit successful calls -to the fremovexattr system call, run the following command: -$ sudo grep "fremovexattr" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - - - - To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -$ sudo grep "fsetxattr" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +Run the following command to determine the current status of the +ip6tables service: +$ sudo systemctl is-active ip6tables +If the service is running, it should return the following: active + Is it the case that ? 
- - The runtime status of the net.ipv6.conf.default.max_addresses kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.default.max_addresses -1. + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - Is it the case that the correct value is not returned? - - - - -Run the following command to determine if the nfs_export_all_ro SELinux boolean is enabled: -$ getsebool nfs_export_all_ro -If properly configured, the output should show the following: -nfs_export_all_ro --> on - Is it the case that nfs_export_all_ro is not enabled? +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the httpd_dbus_sssd SELinux boolean is disabled: -$ getsebool httpd_dbus_sssd -If properly configured, the output should show the following: -httpd_dbus_sssd --> off - Is it the case that httpd_dbus_sssd is not disabled? + + Verify the system-wide shared library directories are owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; + Is it the case that any system-wide shared library directory is not owned by root? - - To verify the audispd plugin off-loads audit records onto a different system or -media from the system being audited, run the following command: -$ sudo grep -i remote_server /etc/audit/audisp-remote.conf -The output should return something similar to -remote_server = - Is it the case that audispd is not sending logs to a remote system? + + Verify the audit logs are owned by "root". 
First, determine where the audit logs are stored with the following command: +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log +Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: +$ sudo stat -c "%n %U" /var/log/audit/audit.log +Audit logs must be owned by user root. +If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. + Is it the case that the audit log is not owned by root? - - To determine if the system is configured to audit unsuccessful calls -to the fchmod system call, run the following command: -$ sudo grep "fchmod" /etc/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the nosuid option is configured for the /opt mount point, + run the following command: + $ sudo mount | grep '\s/opt\s' + . . . /opt . . . nosuid . . . - Is it the case that no line is returned? + Is it the case that the "/opt" file system does not have the "nosuid" option set? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the unlinkat system call. 
- -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r unlinkat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep unlinkat /etc/audit/audit.rules - -The output should be the following: + + --a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete --a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete - Is it the case that the command does not return a line, or the line is commented out? - - - - To verify that Audit Daemon is configured to include local events, run the -following command: -$ sudo grep local_events /etc/audit/auditd.conf -The output should return the following: -local_events = yes - Is it the case that local_events isn't set to yes? +Run the following command to determine the current status of the +syslog-ng service: +$ sudo systemctl is-active syslog-ng +If the service is running, it should return the following: active + Is it the case that the "syslog-ng" service is disabled, masked, or not started.? - - To verify insecure file locking has been disabled, run the following command: -$ grep insecure_locks /etc/exports - Is it the case that there is output? + + Run the following command to determine if the systemd-journal-remote package is installed: $ rpm -q systemd-journal-remote + Is it the case that the package is not installed? 
- - To determine if negation is used to define commands users are allowed to execute using sudo, run the following command: -$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*' /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that /etc/sudoers file contains rules that define the set of allowed commands using negation? + + To verify that automatic logins are disabled, run the following command: +$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf +The output should show the following: +[daemon] +AutomaticLoginEnable=false + Is it the case that GDM allows users to automatically login? - - Verify that Red Hat Enterprise Linux 8 enforces a -day maximum password lifetime for new user accounts by running the following command: - -$ grep -i pass_max_days /etc/login.defs - -PASS_MAX_DAYS - Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out? + + Verify the umask setting is configured correctly in the /etc/profile file +or scripts within /etc/profile.d directory with the following command: +$ grep "umask" /etc/profile* +umask + Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", +or the "umask" parameter is missing or is commented out? - - The runtime status of the net.ipv4.conf.default.shared_media kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.shared_media -0. + + To verify that the installed operating system is supported or certified, run +the following command: - Is it the case that the correct value is not returned? +The output should contain something similar to: +Red Hat Enterprise Linux 8 + Is it the case that the installed operating system is not FIPS 140-2 certified? 
- - Verify the nosuid option is configured for the /var mount point, - run the following command: - $ sudo mount | grep '\s/var\s' - . . . /var . . . nosuid . . . - - Is it the case that the "/var" file system does not have the "nosuid" option set? + + +Run the following command to determine if the mozilla_plugin_use_spice SELinux boolean is disabled: +$ getsebool mozilla_plugin_use_spice +If properly configured, the output should show the following: +mozilla_plugin_use_spice --> off + Is it the case that mozilla_plugin_use_spice is not disabled? - - - -Run the following command to determine the current status of the -sshd service: -$ sudo systemctl is-active sshd -If the service is running, it should return the following: active - Is it the case that ? + + To check the group ownership of /etc/passwd-, +run the command: +$ ls -lL /etc/passwd- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/passwd- does not have a group owner of root? - - To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: - -$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config - -If a line indicating yes is returned, then the required value is set. + + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +$ sudo grep "fchmodat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the required value is not set? + Is it the case that no line is returned? - - -Run the following command to determine if the postgresql_selinux_users_ddl SELinux boolean is enabled: -$ getsebool postgresql_selinux_users_ddl -If properly configured, the output should show the following: -postgresql_selinux_users_ddl --> on - Is it the case that postgresql_selinux_users_ddl is not enabled? 
+ + Run the following command to determine if the openscap-scanner package is installed: $ rpm -q openscap-scanner + Is it the case that the package is not installed? - - To ensure that system location tracking is not active, run the following command: -$ gsettings get org.gnome.system.location enabled -$ gsettings get org.gnome.clocks geolocation -If properly configured, the output should be false. -To ensure that users cannot enable system location tracking, run the following: -$ grep location /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/system/location/enabled and /org/gnome/clocks/geolocation. - Is it the case that geolocation is enabled and not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_IPV6 /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - To check that the quota_nld service is disabled in system boot configuration, + + To check that the cups service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled quota_nld -Output should indicate the quota_nld service has either not been installed, +$ sudo systemctl is-enabled cups +Output should indicate the cups service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled quota_nld disabled +$ sudo systemctl is-enabled cups disabled -Run the following command to verify quota_nld is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active quota_nld +Run the following command to verify cups is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active cups If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the quota_nld is masked, run the following command: -$ sudo systemctl show quota_nld | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the cups is masked, run the following command: +$ sudo systemctl show cups | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "quota_nld" is loaded and not masked? + Is it the case that the "cups" is loaded and not masked? - - Check to see if Online Certificate Status Protocol (OCSP) -is enabled and using the proper digest value on the system with the following command: -$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#" -If configured properly, output should look like + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "poweroff" command with the following command: - certificate_verification = ocsp_dgst= +$ sudo auditctl -l | grep poweroff - Is it the case that certificate_verification in sssd is not configured? +-a always,exit -F path=/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff + Is it the case that the command does not return a line, or the line is commented out? - - The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.accept_redirects -0. - - Is it the case that the correct value is not returned? + + To verify that the system will shutdown when auditd fails, +run the following command: +$ sudo grep "\-f " /etc/audit/audit.rules +The output should contain: +-f + Is it the case that the system is not configured to shutdown on auditd failures? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: - -$ sudo auditctl -l | grep pam_timestamp_check - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check - Is it the case that the command does not return a line, or the line is commented out? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - To determine if the system is configured to audit calls to the -finit_module system call, run the following command: -$ sudo grep "finit_module" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved +key exchange algorithms are in use, run the following command: +$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config +The output should contain only following algorithms (or a subset) in the exact order: +CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' + Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order? - - To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: -$ grep -i macs /etc/crypto-policies/back-ends/openssh.config -and verify that the line matches: -MACs - Is it the case that Crypto Policy for OpenSSH client is not configured correctly? 
+ + Verify the nosuid option is configured for the /dev/shm mount point, + run the following command: + $ sudo mount | grep '\s/dev/shm\s' + . . . /dev/shm . . . nosuid . . . + + Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? - - Verify users are provided with feedback on when account accesses last occurred with the following command: + + To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: -$ sudo grep pam_lastlog /etc/pam.d/postlogin +$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config -session [default=1] pam_lastlog.so showfailed - Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file? +If a line indicating yes is returned, then the required value is set. + Is it the case that the display proxy is listening on wildcard address? - + -Run the following command to determine if the httpd_read_user_content SELinux boolean is disabled: -$ getsebool httpd_read_user_content +Run the following command to determine if the dbadm_manage_user_files SELinux boolean is disabled: +$ getsebool dbadm_manage_user_files If properly configured, the output should show the following: -httpd_read_user_content --> off - Is it the case that httpd_read_user_content is not disabled? +dbadm_manage_user_files --> off + Is it the case that dbadm_manage_user_files is not disabled? - - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -$ sudo grep "fchown" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the SELINUX on Red Hat Enterprise Linux 8 is using the policy with the following command: - Is it the case that no line is returned? +$ sestatus | grep policy + +Loaded policy name: + Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"? 
- - Verify the system-wide shared library files are group-owned by "root" with the following command: - -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; - Is it the case that any system wide shared library file is returned and is not group-owned by a required system account? + + Run the following command to determine if the cyrus-imapd package is installed: +$ rpm -q cyrus-imapd + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 security patches and updates are installed and up to date. -Updates are required to be applied with a frequency determined by organizational policy. - - -Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. -It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. - - -Check that the available package security updates have been installed on the system with the following command: - -$ sudo yum history list | more - -Loaded plugins: langpacks, product-id, subscription-manager -ID | Command line | Date and time | Action(s) | Altered -------------------------------------------------------------------------------- -70 | install aide | 2020-03-05 10:58 | Install | 1 -69 | update -y | 2020-03-04 14:34 | Update | 18 EE -68 | install vlc | 2020-02-21 17:12 | Install | 21 -67 | update -y | 2020-02-21 17:04 | Update | 7 EE - - -Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. - Is it the case that Red Hat Enterprise Linux 8 is in non-compliance with the organizational patching policy? + + To check the permissions of /etc/shadow-, +run the command: +$ ls -l /etc/shadow- +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/shadow- does not have unix mode ----------? 
- - Verify it by running the following command: -$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules - -/sbin/auditctl root -/sbin/aureport root -/sbin/ausearch root -/sbin/autrace root -/sbin/auditd root -/sbin/audispd root -/sbin/augenrules root - - -If the command does not return all the above lines, the missing ones -need to be added. + + To check if RekeyLimit is set correctly, run the +following command: -Run the following command to correct the permissions of the missing -entries: -$ sudo chown :root [audit_tool] +$ sudo grep RekeyLimit /etc/ssh/sshd_config -Replace "[audit_tool]" with each audit tool not group-owned by root. - Is it the case that ? +If configured properly, output should be +RekeyLimit + Is it the case that it is commented out or is not set? - - To check that the nftables service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled nftables -Output should indicate the nftables service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled nftables disabled - -Run the following command to verify nftables is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active nftables - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the nftables is masked, run the following command: -$ sudo systemctl show nftables | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "nftables" is loaded and not masked? 
+ + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_HARDENED_USERCOPY_FALLBACK /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - The runtime status of the kernel.core_uses_pid kernel parameter can be queried -by running the following command: -$ sysctl kernel.core_uses_pid -0. - Is it the case that the returned line does not have a value of 0? + + To verify that DHCP is not being used, examine the following file for each interface: +# /etc/sysconfig/network-scripts/ifcfg-interface +Look for the following: +BOOTPROTO=none +and the following, substituting the appropriate values based on your site's addressing scheme: +NETMASK=255.255.255.0 +IPADDR=192.168.1.2 +GATEWAY=192.168.1.1 + Is it the case that it does not? - + -Run the following command to determine if the antivirus_use_jit SELinux boolean is disabled: -$ getsebool antivirus_use_jit +Run the following command to determine if the samba_enable_home_dirs SELinux boolean is disabled: +$ getsebool samba_enable_home_dirs If properly configured, the output should show the following: -antivirus_use_jit --> off - Is it the case that antivirus_use_jit is not disabled? +samba_enable_home_dirs --> off + Is it the case that samba_enable_home_dirs is not disabled? - - The file /etc/cron.deny should not exist. -This can be checked by runnig the following + + +Run the following command to determine if the selinuxuser_udp_server SELinux boolean is disabled: +$ getsebool selinuxuser_udp_server +If properly configured, the output should show the following: +selinuxuser_udp_server --> off + Is it the case that selinuxuser_udp_server is not disabled? 
+ + + + To check that the bluetooth service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled bluetooth +Output should indicate the bluetooth service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled bluetooth disabled -stat /etc/cron.deny +Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active bluetooth -and the output should be +If the service is not running the command will return the following output: +inactive -stat: cannot stat `/etc/cron.deny': No such file or directory +The service will also be masked, to check that the bluetooth is masked, run the following command: +$ sudo systemctl show bluetooth | grep "LoadState\|UnitFileState" - Is it the case that the file /etc/cron.deny exists? - - - - Inspect the list of enabled firewall ports and verify they are configured correctly by running -the following command: +If the service is masked the command will return the following outputs: -$ sudo firewall-cmd --list-all +LoadState=masked -Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. - Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured? - - - - -Run the following command to determine if the ftpd_use_fusefs SELinux boolean is disabled: -$ getsebool ftpd_use_fusefs -If properly configured, the output should show the following: -ftpd_use_fusefs --> off - Is it the case that ftpd_use_fusefs is not disabled? 
- - - - To verify the audispd's syslog plugin is active, run the following command: -$ sudo grep active /etc/audit/plugins.d/syslog.conf -If the plugin is active, the output will show yes. - Is it the case that it is not activated? - - - - -Run the following command to determine if the unconfined_login SELinux boolean is enabled: -$ getsebool unconfined_login -If properly configured, the output should show the following: -unconfined_login --> on - Is it the case that unconfined_login is not enabled? - - - - To check for legacy lines in /etc/group, run the following command: - grep '^\+' /etc/group -The command should not return any output. - Is it the case that the file contains legacy lines? - - - - Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved -key exchange algorithms are in use, run the following command: -$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config -The output should contain only following algorithms (or a subset) in the exact order: -CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' - Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order? +UnitFileState=masked + Is it the case that the "bluetooth" is loaded and not masked? 
@@ -377550,1814 +378002,1685 @@ $ sudo ps all | grep tmux | grep -v grep Is it the case that the command does not produce output? - - To check the permissions of /etc/issue, -run the command: -$ ls -l /etc/issue -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/issue does not have unix mode -rw-r--r--? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: - -$ sudo auditctl -l | grep su - --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su - Is it the case that the command does not return a line, or the line is commented out? - - - - To obtain a listing of all users, their UIDs, and their shells, run the command: -$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd -Identify the system accounts from this listing. These will primarily be the accounts with UID -numbers less than 1000, other than root. - Is it the case that any system account other than root has a login shell? + + Run the following command to determine if the scap-security-guide package is installed: $ rpm -q scap-security-guide + Is it the case that the package is not installed? - - To determine how the SSH daemon's LogLevel option is set, run the following command: - -$ sudo grep -i LogLevel /etc/ssh/sshd_config - -If a line indicating VERBOSE is returned, then the required value is set. + + Verify the system commands contained in the following directories are owned by "root" with the following command: - Is it the case that the required value is not set? - - - - To verify that there are no .shosts files -on the system, run the following command: -$ sudo find / -name '.shosts' - Is it the case that .shosts files exist? +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; + Is it the case that any system commands are found to not be owned by root? 
- + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLUB_DEBUG /boot/config.* + $ grep CONFIG_SLAB_FREELIST_RANDOM /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - To determine if the system is configured to audit calls to the -adjtimex system call, run the following command: -$ sudo grep "adjtimex" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? - - - - -Run the following command to determine if the use_samba_home_dirs SELinux boolean is disabled: -$ getsebool use_samba_home_dirs -If properly configured, the output should show the following: -use_samba_home_dirs --> off - Is it the case that use_samba_home_dirs is not disabled? - - - + -Run the following command to determine if the mcelog_foreground SELinux boolean is disabled: -$ getsebool mcelog_foreground +Run the following command to determine if the user_exec_content SELinux boolean is enabled: +$ getsebool user_exec_content If properly configured, the output should show the following: -mcelog_foreground --> off - Is it the case that mcelog_foreground is not disabled? +user_exec_content --> on + Is it the case that user_exec_content is not enabled? - - To ensure there are no read-write users, run the following command: -$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep 'rwuser' -There should be no output. - Is it the case that there are users who can write to SNMP values? + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. 
+ +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r open /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - + - -Run the following command to determine the current status of the -firewalld service: -$ sudo systemctl is-active firewalld -If the service is running, it should return the following: active - Is it the case that the "firewalld" service is disabled, masked, or not started.? +Run the following command to determine if the cobbler_use_nfs SELinux boolean is disabled: +$ getsebool cobbler_use_nfs +If properly configured, the output should show the following: +cobbler_use_nfs --> off + Is it the case that cobbler_use_nfs is not disabled? - - Run the following command to determine if the scap-security-guide package is installed: $ rpm -q scap-security-guide - Is it the case that the package is not installed? + + If the system uses IPv6, this is not applicable. + +If the system is configured to prevent the usage of the ipv6 on +network interfaces, it will contain a line of the form: +net.ipv6.conf.all.disable_ipv6 = 1 +Such lines may be inside any file in the /etc/sysctl.d directory. 
+This permits insertion of the IPv6 kernel module (which other parts of the +system expect to be present), but otherwise keeps all network interfaces +from using IPv6. Run the following command to search for such lines in all +files in /etc/sysctl.d: +$ grep -r ipv6 /etc/sysctl.d + Is it the case that the ipv6 support is disabled on all network interfaces? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_HARDENED_USERCOPY_FALLBACK /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? + + +Run the following command to determine if the httpd_can_sendmail SELinux boolean is disabled: +$ getsebool httpd_can_sendmail +If properly configured, the output should show the following: +httpd_can_sendmail --> off + Is it the case that httpd_can_sendmail is not disabled? - - To check the group ownership of /etc/group-, + + To check the group ownership of /etc/ssh/*_key, run the command: -$ ls -lL /etc/group- +$ ls -lL /etc/ssh/*_key If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/group- does not have a group owner of root? - - - - To ensure disable and restart on the login screen are disabled, run the following command: -$ grep disable-restart-buttons /etc/dconf/db/gdm.d/* -The output should be true. -To ensure that users cannot enable disable and restart on the login screen, run the following: -$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons - Is it the case that disable-restart-buttons has not been configured or is not disabled? + Is it the case that /etc/ssh/*_key does not have a group owner of root? 
- - To determine how the SSH daemon's StrictModes option is set, run the following command: - -$ sudo grep -i StrictModes /etc/ssh/sshd_config + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one special character with the following command: -If a line indicating yes is returned, then the required value is set. +$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - Is it the case that the required value is not set? +ocredit = + Is it the case that value of "ocredit" is a positive number or is commented out? - - To determine if the system is configured to audit calls to the -openat system call, run the following command: -$ sudo grep "openat" /etc/audit/audit.* + + +Run the following command to determine if the httpd_enable_ftp_server SELinux boolean is disabled: +$ getsebool httpd_enable_ftp_server +If properly configured, the output should show the following: +httpd_enable_ftp_server --> off + Is it the case that httpd_enable_ftp_server is not disabled? + + + + To determine if the system is configured to audit unsuccessful calls +to the fremovexattr system call, run the following command: +$ sudo grep "fremovexattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - The file permissions for all log files written by rsyslog should -be set to 640, or more restrictive. These log files are determined by the -second part of each Rule line in /etc/rsyslog.conf and typically -all appear in /var/log. To see the permissions of a given log -file, run the following command: -$ ls -l LOGFILE -The permissions should be 640, or more restrictive. - Is it the case that the permissions are not correct? 
- - - - To verify if SSLVerifyClient is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i sslverifyclient /etc/httpd/conf/httpd.conf -The command should return the following: -SSLVerifyClient require - Is it the case that it is not? + + To verify that clients cannot automatically update DNS records, perform the +following: +$ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-* +$ grep -rni "send host-name" /etc/dhclient.conf /etc/dhcp +The output should return no results. + Is it the case that client Dynamic DNS updates are not disabled? - - To check the ownership of /etc/ssh/*_key, -run the command: -$ ls -lL /etc/ssh/*_key -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/ssh/*_key does not have an owner of root? + + To determine if the system is configured to audit calls to the +mount system call, run the following command: +$ sudo grep "mount" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To verify if the OpenSSH Client uses defined Crypto Policy, run: -$ cat /etc/ssh/ssh_config.d/02-ospp.conf -and verify that the line matches -Match final all -RekeyLimit 512M 1h -GSSAPIAuthentication no -Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc -PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -MACs hmac-sha2-512,hmac-sha2-256 -KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 - Is it the case that Crypto Policy for OpenSSH Client is not configured according to CC requirements? + + Enter the following commands: + +grep Action /etc/httpd/conf/httpd.conf +grep AddHandler /etc/httpd/conf/httpd.conf + Is it the case that either of these exist and they configure csh, or any other shell as a viewer for documents? 
- - The runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter can be queried + + The runtime status of the net.ipv4.conf.default.shared_media kernel parameter can be queried by running the following command: -$ sysctl net.ipv6.conf.default.router_solicitations +$ sysctl net.ipv4.conf.default.shared_media 0. Is it the case that the correct value is not returned? - - Run the following command to determine if the sssd-ipa package is installed: $ rpm -q sssd-ipa - Is it the case that the package is not installed? - - - - -Run the following command to determine if the ssh_chroot_rw_homedirs SELinux boolean is disabled: -$ getsebool ssh_chroot_rw_homedirs -If properly configured, the output should show the following: -ssh_chroot_rw_homedirs --> off - Is it the case that ssh_chroot_rw_homedirs is not disabled? - - - + -Run the following command to determine if the cdrecord_read_content SELinux boolean is disabled: -$ getsebool cdrecord_read_content +Run the following command to determine if the virt_use_nfs SELinux boolean is disabled: +$ getsebool virt_use_nfs If properly configured, the output should show the following: -cdrecord_read_content --> off - Is it the case that cdrecord_read_content is not disabled? - - - - -If the system is configured to prevent the loading of the can kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r can /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? 
- - - - To check that the saslauthd service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled saslauthd -Output should indicate the saslauthd service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled saslauthd disabled - -Run the following command to verify saslauthd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active saslauthd - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the saslauthd is masked, run the following command: -$ sudo systemctl show saslauthd | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "saslauthd" is loaded and not masked? - - - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules -The output has to be exactly as follows: -## Successful permission change --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change - Is it the case that the file does not exist or the content differs? - - - - To verify all files and directories in a local interactive user's -home directory have a valid owner, run the following command: -$ sudo ls -lLR /home/USER - Is it the case that the user ownership is incorrect? 
- - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_DEBUG_SG /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? +virt_use_nfs --> off + Is it the case that virt_use_nfs is not disabled? - - To check that the ntpdate service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled ntpdate -Output should indicate the ntpdate service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled ntpdate disabled - -Run the following command to verify ntpdate is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active ntpdate - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the ntpdate is masked, run the following command: -$ sudo systemctl show ntpdate | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "ntpdate" is loaded and not masked? + + To check the group ownership of /etc/issue.net, +run the command: +$ ls -lL /etc/issue.net +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/issue.net does not have a group owner of root? - + -Run the following command to determine if the xguest_use_bluetooth SELinux boolean is disabled: -$ getsebool xguest_use_bluetooth +Run the following command to determine if the httpd_read_user_content SELinux boolean is disabled: +$ getsebool httpd_read_user_content If properly configured, the output should show the following: -xguest_use_bluetooth --> off - Is it the case that xguest_use_bluetooth is not disabled? 
+httpd_read_user_content --> off + Is it the case that httpd_read_user_content is not disabled? - + To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLAB_FREELIST_HARDENED /boot/config.* + $ grep CONFIG_RANDOMIZE_MEMORY /boot/config.* For each kernel installed, a line with value "y" should be returned. Is it the case that the kernel was not built with the required value? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/group)' - --w /etc/group -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? - - - + -Run the following command to determine if the pcp_bind_all_unreserved_ports SELinux boolean is disabled: -$ getsebool pcp_bind_all_unreserved_ports +Run the following command to determine if the zabbix_can_network SELinux boolean is disabled: +$ getsebool zabbix_can_network If properly configured, the output should show the following: -pcp_bind_all_unreserved_ports --> off - Is it the case that pcp_bind_all_unreserved_ports is not disabled? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: - -$ sudo auditctl -l | grep gpasswd - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd - Is it the case that the command does not return a line, or the line is commented out? - - - - To verify .netrc file in interactive user home directory is -not group or world accessible", run the following command: -$ sudo ls -lLR /home/USER/.netrc - Is it the case that the group and world permissions are incorrect? +zabbix_can_network --> off + Is it the case that zabbix_can_network is not disabled? 
- - To determine if the system is configured to audit accesses to -/var/log/audit directory, run the following command: -$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules + + To determine if the system is configured to audit unsuccessful calls +to the lsetxattr system call, run the following command: +$ sudo grep "lsetxattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the openat system call with O_TRUNC_WRITE flag. - -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r openat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep openat /etc/audit/audit.rules + + To determine how the SSH daemon's Banner option is set, run the following command: -The output should be the following: +$ sudo grep -i Banner /etc/ssh/sshd_config --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - Is it the case that the command does not return a line, or the line is commented out? - - - - The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.icmp_echo_ignore_broadcasts -1. 
+If a line indicating /etc/issue.net is returned, then the required value is set. - Is it the case that the correct value is not returned? - - - - To verify that SSSD expires known SSH host keys, run the following command: -$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf -If configured properly, output should be -ssh_known_hosts_timeout = - Is it the case that it does not exist or is not configured properly? + Is it the case that the required value is not set? - - To check that the screen locks immediately when activated, run the following command: -$ gsettings get org.gnome.desktop.screensaver lock-delay -If properly configured, the output should be 'uint32 '. - Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />? + + To verify all accounts have unique names, run the following command: +$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d +No output should be returned. + Is it the case that a line is returned? - - Run the following command to determine if the nftables package is installed: $ rpm -q nftables - Is it the case that the package is not installed? + + Run the following command to determine if the talk-server package is installed: +$ rpm -q talk-server + Is it the case that the package is installed? - + -Run the following command to determine if the polipo_session_users SELinux boolean is disabled: -$ getsebool polipo_session_users -If properly configured, the output should show the following: -polipo_session_users --> off - Is it the case that polipo_session_users is not disabled? - - - - To verify that the log_config_module exists in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep log_config_module /etc/httpd/conf/httpd.conf -The output should return: -<IfModule log_config_module> - Is it the case that it is not? 
+ +Run the following command to determine the current status of the +chronyd service: +$ sudo systemctl is-active chronyd +If the service is running, it should return the following: active + + +Run the following command to determine the current status of the +ntpd service: +$ sudo systemctl is-active ntpd +If the service is running, it should return the following: active + Is it the case that ? - + -Run the following command to determine if the spamd_enable_home_dirs SELinux boolean is enabled: -$ getsebool spamd_enable_home_dirs +Run the following command to determine if the selinuxuser_direct_dri_enabled SELinux boolean is disabled: +$ getsebool selinuxuser_direct_dri_enabled If properly configured, the output should show the following: -spamd_enable_home_dirs --> on - Is it the case that spamd_enable_home_dirs is not enabled? +selinuxuser_direct_dri_enabled --> off + Is it the case that selinuxuser_direct_dri_enabled is not disabled? - + To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -$ sudo grep "unlinkat" /etc/audit/audit.* +fchown system call, run the following command: +$ sudo grep "fchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check that the netconsole service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled netconsole -Output should indicate the netconsole service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled netconsole disabled - -Run the following command to verify netconsole is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active netconsole - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the netconsole is masked, run the following command: -$ sudo systemctl show netconsole | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked - -UnitFileState=masked - Is it the case that the "netconsole" is loaded and not masked? - - - - To ensure ClientAliveInterval is set correctly, run the following command: -$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config -If properly configured, the output should be: -ClientAliveCountMax -For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when -the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout -functionality completely. -If the option is set to a number greater than 0, then the session will be disconnected after -ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. - Is it the case that it is commented out or not configured properly? - - - - To verify that auditing of privileged command use is configured, run the -following command: -$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/* -It should return a relevant line in the audit rules. - Is it the case that the command does not return a line, or the line is commented out? - - - - To check the permissions of /boot/grub2/user.cfg, -run the command: -$ ls -l /boot/grub2/user.cfg -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /boot/grub2/user.cfg does not have unix mode -rw-------? 
+ + To verify the LDAP client backend demands a valid certificate from the server in +remote LDAP access sessions, run the following command: +$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf +The output should return the following: +ldap_tls_reqcert = demand + Is it the case that the TLS reqcert is not set to demand? - - Inspect the password section of /etc/pam.d/system-auth -and ensure that the pam_unix.so module is configured to use the argument -sha512: + + To verify that TLS is configured properly in +/etc/httpd/conf.modules.d/ssl.conf, run the following command: +$ grep -i "sslengine\|sslprotocol" /etc/httpd/conf.d/ssl.conf +The output should return the following: -$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth +SSLEngine on +SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -password sufficient pam_unix.so sha512 - Is it the case that "sha512" is missing, or is commented out? + Is it the case that it is not? - - Run the following command to ensure that /var/tmp is configured as a -polyinstantiated directory: -$ sudo grep /var/tmp /etc/security/namespace.conf -The output should return the following: -/var/tmp /var/tmp/tmp-inst/ level root,adm - Is it the case that is not configured? + + The runtime status of the net.ipv6.conf.all.max_addresses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.max_addresses +1. + + Is it the case that the correct value is not returned? - - To verify that DHCP is not being used, examine the following file for each interface: -# /etc/sysconfig/network-scripts/ifcfg-interface -Look for the following: -BOOTPROTO=none -and the following, substituting the appropriate values based on your site's addressing scheme: -NETMASK=255.255.255.0 -IPADDR=192.168.1.2 -GATEWAY=192.168.1.1 - Is it the case that it does not? 
+ + Verify the audit system prevents unauthorized changes with the following command: + +$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 +-e 2 + + Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? - + -Run the following command to determine if the xend_run_qemu SELinux boolean is enabled: -$ getsebool xend_run_qemu +Run the following command to determine if the postgresql_selinux_users_ddl SELinux boolean is enabled: +$ getsebool postgresql_selinux_users_ddl If properly configured, the output should show the following: -xend_run_qemu --> on - Is it the case that xend_run_qemu is not enabled? +postgresql_selinux_users_ddl --> on + Is it the case that postgresql_selinux_users_ddl is not enabled? - + -Run the following command to determine if the sge_use_nfs SELinux boolean is disabled: -$ getsebool sge_use_nfs +Run the following command to determine if the logadm_exec_content SELinux boolean is enabled: +$ getsebool logadm_exec_content If properly configured, the output should show the following: -sge_use_nfs --> off - Is it the case that sge_use_nfs is not disabled? +logadm_exec_content --> on + Is it the case that logadm_exec_content is not enabled? - - Run the following command to determine if the setroubleshoot-server package is installed: -$ rpm -q setroubleshoot-server - Is it the case that the package is installed? + + +Run the following command to determine if the ksmtuned_use_nfs SELinux boolean is disabled: +$ getsebool ksmtuned_use_nfs +If properly configured, the output should show the following: +ksmtuned_use_nfs --> off + Is it the case that ksmtuned_use_nfs is not disabled? - - To determine if the system is configured to audit unsuccessful calls -to the fchown system call, run the following command: -$ sudo grep "fchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. 
+ + Verify the nodev option is configured for the /boot mount point, + run the following command: + $ sudo mount | grep '\s/boot\s' + . . . /boot . . . nodev . . . - Is it the case that no line is returned? + Is it the case that the "/boot" file system does not have the "nodev" option set? - - -Run the following command to determine if the cluster_manage_all_files SELinux boolean is disabled: -$ getsebool cluster_manage_all_files -If properly configured, the output should show the following: -cluster_manage_all_files --> off - Is it the case that cluster_manage_all_files is not disabled? + + Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. + +Check which action Red Hat Enterprise Linux 8 takes when the audit storage volume is full with the following command: + +$ sudo grep max_log_file_action /etc/audit/auditd.conf +max_log_file_action = + Is it the case that the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pt_chown" command with the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: -$ sudo auditctl -l | grep pt_chown +$ sudo auditctl -l | grep /etc/sudoers --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pt_chown +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - - Verify the noexec option is configured for the /var/log mount point, + + Verify the noexec option is configured for the /var/log/audit mount point, run the following command: - $ sudo mount | grep '\s/var/log\s' - . . . /var/log . . . noexec . . . + $ sudo mount | grep '\s/var/log/audit\s' + . . . /var/log/audit . . . 
noexec . . . - Is it the case that the "/var/log" file system does not have the "noexec" option set? + Is it the case that the "/var/log/audit" file system does not have the "noexec" option set? - - Run the following command to determine if the rng-tools package is installed: $ rpm -q rng-tools - Is it the case that the package is not installed? + + To determine if logfile has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that logfile is not enabled in sudo? - - Run the following command to check if the line is present: -grep pam_wheel /etc/pam.d/su -The output should contain the following line: -auth required pam_wheel.so use_uid - Is it the case that the line is not in the file or it is commented? + + Verify that a separate file system/partition has been created for /dev/shm with the following command: + +$ mountpoint /dev/shm + + Is it the case that "/dev/shm is not a mountpoint" is returned? - - The file /etc/at.deny should not exist. -This can be checked by running the following + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42.rules +The output has to be exactly as follows: +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. 
These rules depends on having +## the following rule files copied to /etc/audit/rules.d: +## +## 10-base-config.rules, 11-loginuid.rules, +## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, +## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, +## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, +## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, +## 30-ospp-v42-5-perm-change-failed.rules, +## 30-ospp-v42-5-perm-change-success.rules, +## 30-ospp-v42-6-owner-change-failed.rules, +## 30-ospp-v42-6-owner-change-success.rules +## +## original copies may be found in /usr/share/audit/sample-rules/ -stat /etc/at.deny -and the output should be +## User add delete modify. This is covered by pam. However, someone could +## open a file and directly create or modify a user, so we'll watch passwd and +## shadow for writes +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -stat: cannot stat `/etc/at.deny': No such file or directory +## User enable and disable. 
This is entirely handled by pam. - Is it the case that the file /etc/at.deny exists? - - - - -Run the following command to determine if the saslauthd_read_shadow SELinux boolean is disabled: -$ getsebool saslauthd_read_shadow -If properly configured, the output should show the following: -saslauthd_read_shadow --> off - Is it the case that saslauthd_read_shadow is not disabled? +## Group add delete modify. This is covered by pam. However, someone could +## open a file and directly create or modify a user, so we'll watch group and +## gshadow for writes +-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify +-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify + + +## Use of special rights for config changes. This would be use of setuid +## programs that relate to user accts. This is not all setuid apps because +## requirements are only for ones that affect system configuration. 
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + +## Privilege escalation via su or sudo. This is entirely handled by pam. + +## Watch for configuration changes to privilege escalation. 
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes +-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes + +## Audit log access +-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail +## Attempts to Alter Process and Session Initiation Information +-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session + +## Attempts to modify MAC controls +-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy + +## Software updates. This is entirely handled by rpm. + +## System start and shutdown. This is entirely handled by systemd + +## Kernel Module loading. This is handled in 43-module-load.rules + +## Application invocation. The requirements list an optional requirement +## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to +## state results from that policy. This would be handled entirely by +## that daemon. + Is it the case that the file does not exist or the content differs? - - -Run the following command to determine if the httpd_can_network_relay SELinux boolean is disabled: -$ getsebool httpd_can_network_relay -If properly configured, the output should show the following: -httpd_can_network_relay --> off - Is it the case that httpd_can_network_relay is not disabled? + + Verify Red Hat Enterprise Linux 8 is configured to lock an account until released by an administrator +after unsuccessful logon +attempts with the command: + + +$ grep 'unlock_time =' /etc/security/faillock.conf +unlock_time = + Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />", +the line is missing, or commented out? 
- - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + + Verify that Red Hat Enterprise Linux 8 contains no duplicate User IDs (UIDs) for interactive users. -$ sudo auditctl -l | grep/etc/sudoers.d +Check that the operating system contains no duplicate UIDs for interactive users with the following command: --w /etc/sudoers.d/ -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? +$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd + Is it the case that output is produced and the accounts listed are interactive user accounts? - - The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried -by running the following command: -$ sysctl kernel.kexec_load_disabled -1. + + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one lower-case character. - Is it the case that the correct value is not returned? +Check the value for "lcredit" with the following command: + +$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + +/etc/security/pwquality.conf:lcredit = -1 + Is it the case that the value of "lcredit" is a positive number or is commented out? - - Run the following command to determine if the abrt-plugin-rhtsupport package is installed: -$ rpm -q abrt-plugin-rhtsupport - Is it the case that the package is installed? + + +Run the following command to determine if the authlogin_yubikey SELinux boolean is disabled: +$ getsebool authlogin_yubikey +If properly configured, the output should show the following: +authlogin_yubikey --> off + Is it the case that authlogin_yubikey is not disabled? 
- - To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: - -$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config - -If a line indicating yes is returned, then the required value is set. + + The runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_defrtr +0. - Is it the case that the required value is not set? + Is it the case that the correct value is not returned? - - To verify the local initialization files of all local interactive users are group- -owned by the appropriate user, inspect the primary group of the respective -users in /etc/passwd and verify all initialization files under the -respective users home directory. Check the group owner of all local interactive users -initialization files. - Is it the case that they are not? + + To ensure that WIFI connections caanot be created, run the following command: +$ gsettings get org.gnome.nm-applet disable-wifi-create +If properly configured, the output should be true. +To ensure that users cannot enable WIFI connection creation, run the following: +$ grep wifi-create /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/nm-applet/disable-wifi-create + Is it the case that WIFI connections can be created through GNOME? - - To ensure smart card authentication on the login screen is enabled, run the following command: -$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/* -The output should be true. -To ensure that users cannot disable smart card authentication on the login screen, run the following: -$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication - Is it the case that enable-smartcard-authentication has not been configured or is disabled? 
+ + To check the permissions of /etc/http/conf/*, +run the command: +$ ls -l /etc/http/conf/* +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/http/conf/* does not have unix mode -rw-r-----? - - To check that the rdisc service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled rdisc -Output should indicate the rdisc service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled rdisc disabled + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to modify files using the open_by_handle_at system call with O_TRUNC_WRITE flag. -Run the following command to verify rdisc is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active rdisc +If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: -If the service is not running the command will return the following output: -inactive +$ sudo grep -r open_by_handle_at /etc/audit/rules.d -The service will also be masked, to check that the rdisc is masked, run the following command: -$ sudo systemctl show rdisc | grep "LoadState\|UnitFileState" +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -If the service is masked the command will return the following outputs: +$ sudo grep open_by_handle_at /etc/audit/audit.rules -LoadState=masked +The output should be the following: -UnitFileState=masked - Is it the case that the "rdisc" is loaded and not masked? 
+-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + Is it the case that the command does not return a line, or the line is commented out? - - The following command will list which files on the system have permissions different from what -is expected by the RPM database: -$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' - Is it the case that there is output? + + To check the permissions of /usr/bin/sudo, +run the command: +$ ls -l /usr/bin/sudo +If properly configured, the output should indicate the following permissions: +---s--x--- + Is it the case that /usr/bin/sudo does not have unix mode ---s--x---? - - To check that the bluetooth service is disabled in system boot configuration, + + +Run the following command to determine if the httpd_dbus_sssd SELinux boolean is disabled: +$ getsebool httpd_dbus_sssd +If properly configured, the output should show the following: +httpd_dbus_sssd --> off + Is it the case that httpd_dbus_sssd is not disabled? + + + + Verify the operating system requires re-authentication +when using the "sudo" command to elevate privileges, run the following command: +sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d +The output should be: +/etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number. +If conflicting results are returned, this is a finding. + Is it the case that timestamp_timeout is not set with the appropriate value for sudo? 
+ + + + To check that the snmpd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled bluetooth -Output should indicate the bluetooth service has either not been installed, +$ sudo systemctl is-enabled snmpd +Output should indicate the snmpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled bluetooth disabled +$ sudo systemctl is-enabled snmpd disabled -Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active bluetooth +Run the following command to verify snmpd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active snmpd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the bluetooth is masked, run the following command: -$ sudo systemctl show bluetooth | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the snmpd is masked, run the following command: +$ sudo systemctl show snmpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "bluetooth" is loaded and not masked? + Is it the case that the "snmpd" is loaded and not masked? - - The following command will discover and print any -files on local partitions which do not belong to a valid group. -$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup + + +If the system is configured to prevent the loading of the iwlwifi kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
-Either remove all files and directories from the system that do not have a valid group, -or assign a valid group with the chgrp command: -$ sudo chgrp group file - Is it the case that there is output? +These lines can also instruct the module loading system to ignore the iwlwifi kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r iwlwifi /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To check the group ownership of /etc/issue.net, + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules +The output has to be exactly as follows: +## Successful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + Is it the case that the file does not exist or the content differs? + + + + To check the permissions of /etc/cron.allow, run the command: -$ ls -lL /etc/issue.net +$ ls -l /etc/cron.allow +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that /etc/cron.allow does not have unix mode -rw-------? 
+ + + + To check the system for the existence of any .forward files, +run the following command: +$ sudo find /home -xdev -name .forward + Is it the case that any .forward files exist? + + + + To check the group ownership of /var/log/syslog, +run the command: +$ ls -lL /var/log/syslog If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/issue.net does not have a group owner of root? +adm + Is it the case that /var/log/syslog does not have a group owner of adm? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLAB_FREELIST_RANDOM /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_redirects +0. + + Is it the case that the correct value is not returned? - - Verify that authselect is enabled by running -authselect current -If authselect is enabled on the system, the output should show the ID of the profile which is currently in use. - Is it the case that authselect is not used to manage user authentication setup on the system? + + To determine if the system is configured to audit unsuccessful calls +to the fchmod system call, run the following command: +$ sudo grep "fchmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To determine that AIDE is verifying extended file attributes, run the following command: -$ grep xattrs /etc/aide.conf -Verify that the xattrs option is added to the correct ruleset. - Is it the case that the xattrs option is missing or not added to the correct ruleset? 
+ + Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command: + +$ grep -i storage /etc/systemd/coredump.conf + +Storage=none + Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? - + + +Run the following command to determine if the samba_load_libgfapi SELinux boolean is disabled: +$ getsebool samba_load_libgfapi +If properly configured, the output should show the following: +samba_load_libgfapi --> off + Is it the case that samba_load_libgfapi is not disabled? + + + Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes page_poison=1, +in /etc/default/grub. If it includes l1tf=, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled: $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*l1tf=.*' /etc/default/grub If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +$ sudo grep 'GRUB_CMDLINE_LINUX.*l1tf=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1' +$ sudo grubby --info=ALL | grep args | grep -v 'l1tf=' The command should not return any output. - Is it the case that page allocator poisoning is not enabled? + Is it the case that l1tf mitigations are not configured appropriately? 
- - Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. - -Check the value of the system inactivity timeout with the following command: - -$ grep -i lock-after-time /etc/tmux.conf - -set -g lock-after-time 900 - -Then, verify that the /etc/tmux.conf file can be read by other users than root: - -$ sudo ls -al /etc/tmux.conf - Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? + + To check if the installed Operating System is 64-bit, run the following command: +$ uname -m +The output should be one of the following: x86_64, aarch64, ppc64le or s390x. +If the output is i686 or i386 the operating system is 32-bit. +Check if the installed CPU supports 64-bit operating systems by running the following command: +$ lscpu | grep "CPU op-mode" +If the output contains 64bit, the CPU supports 64-bit operating systems. + Is it the case that the installed operating sytem is 32-bit but the CPU supports operation in 64-bit? - - To check the current idle time-out value, run the following command: -$ gsettings get org.gnome.desktop.session idle-delay -If properly configured, the output should be 'uint32 '. -To ensure that users cannot change the screensaver inactivity timeout setting, run the following: -$ grep idle-delay /etc/dconf/db/local.d/locks/* -If properly configured, the output should be /org/gnome/desktop/session/idle-delay - Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />? + + +Run the following command to determine if the haproxy_connect_any SELinux boolean is disabled: +$ getsebool haproxy_connect_any +If properly configured, the output should show the following: +haproxy_connect_any --> off + Is it the case that haproxy_connect_any is not disabled? - - The tftp package can be removed with the following command: $ sudo yum erase tftp - Is it the case that ? 
+ + To check the ownership of /etc/cron.hourly, +run the command: +$ ls -lL /etc/cron.hourly +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/cron.hourly does not have an owner of root? - - Verify the TFTP daemon is configured to operate in secure mode. - -Check if a TFTP server is installed with the following command: - -$ rpm -qa | grep tftp - - -If a TFTP server is not installed, this is Not Applicable. - - -If a TFTP server is installed, verify TFTP is configured by with -the -s option by running the following command: - -grep "server_args" /etc/xinetd.d/tftp -server_args = -s - Is it the case that '"server_args" line does not have a "-s" option, and a subdirectory is not assigned'? + + +Run the following command to determine if the samba_share_fusefs SELinux boolean is disabled: +$ getsebool samba_share_fusefs +If properly configured, the output should show the following: +samba_share_fusefs --> off + Is it the case that samba_share_fusefs is not disabled? - - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: - -$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf - -The output should be: - -/etc/rsyslog.conf:$ActionSendStreamDriverMode 1 - Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? + + +Run the following command to determine if the sanlock_use_samba SELinux boolean is disabled: +$ getsebool sanlock_use_samba +If properly configured, the output should show the following: +sanlock_use_samba --> off + Is it the case that sanlock_use_samba is not disabled? 
- - Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: - sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' -or if cvtsudoers not supported: - sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; -If no results are returned, this is a finding. -If conflicting results are returned, this is a finding. -If "Defaults !targetpw" is not defined, this is a finding. -If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding. - Is it the case that invoke user passwd when using sudo? + + Inspect /etc/audit/auditd.conf and locate the following line to +determine how many logs the system is configured to retain after rotation: +$ sudo grep num_logs /etc/audit/auditd.conf +num_logs = 5 + Is it the case that the system log file retention has not been properly configured? - - Verify the operating system requires re-authentication -when using the "sudo" command to elevate privileges, run the following command: -sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d -The output should be: -/etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number. -If conflicting results are returned, this is a finding. - Is it the case that timestamp_timeout is not set with the appropriate value for sudo? + + To ensure TLS is configured with trust certificates, run the following command: +$ grep cert /etc/nslcd.conf + Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? - - The following command will discover and print world-writable directories that -are not owned by root. 
Run it once for each local partition PART: -$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print - Is it the case that there are world-writable directories not owned by root? + + Run the following command to determine if the abrt-cli package is installed: +$ rpm -q abrt-cli + Is it the case that the package is installed? - - Inspect /etc/default/grub for any instances of -systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. -Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates -that interactive boot is enabled at boot time and verify that -GRUB_DISABLE_RECOVERY=true to disable recovery boot. - Is it the case that Interactive boot is enabled at boot time? + + Verify Red Hat Enterprise Linux 8 disables network management of the chrony daemon with the following command: +$ grep -w cmdport /etc/chrony.conf +cmdport 0 + Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing? - - -To properly set the owner of /etc/audit/, run the command: -$ sudo chown root /etc/audit/ + + Verify that rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below. -To properly set the owner of /etc/audit/rules.d/, run the command: -$ sudo chown root /etc/audit/rules.d/ - Is it the case that ? + If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". + If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. 
+ + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + If the system is 64 bit then also add the following lines: + + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + Is it the case that the rules are in a different order? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes iommu=force, -then the parameter will be configured for newly installed kernels. 
-First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*iommu=force.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*iommu=force.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'iommu=force' -The command should not return any output. - Is it the case that I/OMMU is not activated? + + +Run the following command to determine if the openshift_use_nfs SELinux boolean is disabled: +$ getsebool openshift_use_nfs +If properly configured, the output should show the following: +openshift_use_nfs --> off + Is it the case that openshift_use_nfs is not disabled? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules -The output has to be exactly as follows: -## Successful ownership change --a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change --a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change - Is it the case that the file does not exist or the content differs? + + Run the following command to determine if the abrt-plugin-sosreport package is installed: +$ rpm -q abrt-plugin-sosreport + Is it the case that the package is installed? 
- - To verify the boot loader superuser account has been set, run the following -command: -sudo grep -A1 "superusers" /boot/efi/EFI/redhat/grub.cfg -The output should show the following: -set superusers="superusers-account" -export superusers -where superusers-account is the actual account name different from common names like root, -admin, or administrator and different from any other existing user name. - Is it the case that superuser account is not set or is set to an existing name or to a common name? + + Run the following command to determine if the cronie-anacron package is installed: +$ rpm -q cronie-anacron + Is it the case that the package is installed? - - Ensure that Red Hat Enterprise Linux 8 does not disable SELinux. + + To determine if the system is configured to audit calls to the +finit_module system call, run the following command: +$ sudo grep "finit_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. -Check if "SELinux" is active and in "enforcing" or "permissive" mode with the following command: + Is it the case that no line is returned? + + + + +Run the following command to determine if the domain_kernel_load_modules SELinux boolean is disabled: +$ getsebool domain_kernel_load_modules +If properly configured, the output should show the following: +domain_kernel_load_modules --> off + Is it the case that domain_kernel_load_modules is not disabled? + + + + To determine if the system is configured to audit successful calls +to the lchown system call, run the following command: +$ sudo grep "lchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -$ sudo getenforce -Enforcing --OR- -Permissive - Is it the case that SELinux is disabled? + Is it the case that no line is returned? 
- - To determine if the system is configured to audit account changes, -run the following command: -auditctl -l | grep -E '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' -If the system is configured to watch for account changes, lines should be returned for -each file specified (and with perm=wa for each). - Is it the case that the system is not configured to audit account changes? + + To verify that Audit Daemon is configured to include local events, run the +following command: +$ sudo grep local_events /etc/audit/auditd.conf +The output should return the following: +local_events = yes + Is it the case that local_events isn't set to yes? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_STRICT_KERNEL_WRX /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + The runtime status of the kernel.pid_max kernel parameter can be queried +by running the following command: +$ sysctl kernel.pid_max +65536. + + Is it the case that the correct value is not returned? - - Check that no boot image file is specified in /etc/zipl.conf: -grep -R "^image\s*=" /etc/zipl.conf -No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. - Is it the case that a non BLS boot entry is configured? + + To ensure that system location tracking is not active, run the following command: +$ gsettings get org.gnome.system.location enabled +$ gsettings get org.gnome.clocks geolocation +If properly configured, the output should be false. +To ensure that users cannot enable system location tracking, run the following: +$ grep location /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/system/location/enabled and /org/gnome/clocks/geolocation. + Is it the case that geolocation is enabled and not disabled? 
- - -Run the following command to determine if the named_write_master_zones SELinux boolean is disabled: -$ getsebool named_write_master_zones -If properly configured, the output should show the following: -named_write_master_zones --> off - Is it the case that named_write_master_zones is not disabled? + + Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: + +$ sudo grep audit /etc/security/faillock.conf + +audit + Is it the case that the "audit" option is not set, is missing or commented out? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes slub_debug=, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug=' -The command should not return any output. - Is it the case that SLUB/SLAB poisoning is not enabled? + + To ensure that the system prevents messages from being shown when three unsuccessful logon +attempts occur, run the following command: +$ grep silent /etc/security/faillock.conf +The output should show silent. + Is it the case that the system shows messages when three unsuccessful logon attempts occur? - + +If the system is configured to prevent the loading of the mac80211 kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. 
+These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -Run the following command to determine the current status of the -auditd service: -$ sudo systemctl is-active auditd -If the service is running, it should return the following: active - Is it the case that the auditd service is not running? +These lines can also instruct the module loading system to ignore the mac80211 kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r mac80211 /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? - - To determine if ignore_dot has been configured for sudo, run the following command: -$ sudo grep -ri "^[\s]*Defaults.*\bignore_dot\b.*" /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that ignore_dot is not enabled in sudo? + + +Run the following command to determine if the smartmon_3ware SELinux boolean is disabled: +$ getsebool smartmon_3ware +If properly configured, the output should show the following: +smartmon_3ware --> off + Is it the case that smartmon_3ware is not disabled? - + -Run the following command to determine if the selinuxuser_direct_dri_enabled SELinux boolean is disabled: -$ getsebool selinuxuser_direct_dri_enabled +Run the following command to determine if the conman_can_network SELinux boolean is disabled: +$ getsebool conman_can_network If properly configured, the output should show the following: -selinuxuser_direct_dri_enabled --> off - Is it the case that selinuxuser_direct_dri_enabled is not disabled? +conman_can_network --> off + Is it the case that conman_can_network is not disabled? 
- + -Run the following command to determine if the httpd_setrlimit SELinux boolean is disabled: -$ getsebool httpd_setrlimit +Run the following command to determine if the glance_use_fusefs SELinux boolean is disabled: +$ getsebool glance_use_fusefs If properly configured, the output should show the following: -httpd_setrlimit --> off - Is it the case that httpd_setrlimit is not disabled? +glance_use_fusefs --> off + Is it the case that glance_use_fusefs is not disabled? - - Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: - -$ sudo firewall-cmd --state + + To verify Certmap is enabled in SSSD, run the following command: +$ sudo cat /etc/sssd/sssd.conf +If configured properly, output should contain section like the following -running +[certmap/testing.test/rule_name] +matchrule =<SAN>.*EDIPI@mil +maprule = (userCertificate;binary={cert!bin}) +domains = testing.test -$ sudo firewall-cmd --get-active-zones + Is it the case that Certmap is not configured in SSSD? + + + + To verify that the DConf User profile is configured correctly, run the following +command: -[custom] -interfaces: ens33 +$ cat /etc/dconf/profile/user +The output should show the following: +user-db:user +system-db:local +system-db:site +system-db:distro + Is it the case that DConf User profile does not exist or is not configured correctly? + + + + Verify Red Hat Enterprise Linux 8 removes all software components after updated versions have been installed. -$ sudo firewall-cmd --info-zone=[custom] | grep target -target: DROP - Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"? +$ grep clean_requirements_on_remove /etc/yum.conf +clean_requirements_on_remove=1 + Is it the case that '"clean_requirements_on_remove" is not set to "1"'? 
- - The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.default.secure_redirects -0. + + +Run the following command to determine if the selinuxuser_ping SELinux boolean is enabled: +$ getsebool selinuxuser_ping +If properly configured, the output should show the following: +selinuxuser_ping --> on + Is it the case that selinuxuser_ping is not enabled? + + + + +Run the following command to determine if the httpd_enable_cgi SELinux boolean is disabled: +$ getsebool httpd_enable_cgi +If properly configured, the output should show the following: +httpd_enable_cgi --> off + Is it the case that httpd_enable_cgi is not disabled? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling automount +If properly configured, the output for automount should be false. +To ensure that users cannot enable automount in GNOME3, run the following: +$ grep 'automount' /etc/dconf/db/local.d/locks/* +If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount + Is it the case that GNOME automounting is not disabled? + + + + To determine if the system is configured to audit successful calls +to the rename system call, run the following command: +$ sudo grep "rename" /etc/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the correct value is not returned? + Is it the case that no line is returned? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_FORTIFY_SOURCE /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command; +sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that does not enable poisoning. + Is it the case that SLUB/SLAB poisoning is not enabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + + +Run the following command to determine if the selinuxuser_use_ssh_chroot SELinux boolean is disabled: +$ getsebool selinuxuser_use_ssh_chroot +If properly configured, the output should show the following: +selinuxuser_use_ssh_chroot --> off + Is it the case that selinuxuser_use_ssh_chroot is not disabled? + + + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep postdrop --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? - - The owner of all log files written by rsyslog should be + + Verify it by running the following command: +$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules -root. +/sbin/auditctl root +/sbin/aureport root +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root +/sbin/augenrules root -These log files are determined by the second part of each Rule line in -/etc/rsyslog.conf and typically all appear in /var/log. -To see the owner of a given log file, run the following command: -$ ls -l LOGFILE - Is it the case that the owner is not correct? 
- - - - To determine how the SSH daemon's Banner option is set, run the following command: -$ sudo grep -i Banner /etc/ssh/sshd_config +If the command does not return all the above lines, the missing ones +need to be added. -If a line indicating /etc/issue.net is returned, then the required value is set. +Run the following command to correct the permissions of the missing +entries: +$ sudo chown :root [audit_tool] - Is it the case that the required value is not set? +Replace "[audit_tool]" with each audit tool not group-owned by root. + Is it the case that ? - - To check which SSH protocol version is allowed, check version of openssh-server with following command: - -$ rpm -qi openssh-server | grep Version + + The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried +by running the following command: +$ sysctl net.core.bpf_jit_harden +2. -Versions equal to or higher than 7.4 only allow Protocol 2. -If version is lower than 7.4, run the following command to check configuration: -$ sudo grep Protocol /etc/ssh/sshd_config -If configured properly, output should be Protocol 2 - Is it the case that it is commented out or is not set correctly to Protocol 2? + Is it the case that the correct value is not returned? - - Verify the grpquota option is configured for the /home mount point, + + Verify the nosuid option is configured for the /var mount point, run the following command: - $ sudo mount | grep '\s/home\s' - . . . /home . . . grpquota . . . + $ sudo mount | grep '\s/var\s' + . . . /var . . . nosuid . . . - Is it the case that the "/home" file system does not have the "grpquota" option set? - - - - To check the ownership of /etc/gshadow, -run the command: -$ ls -lL /etc/gshadow -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/gshadow does not have an owner of root? 
- - - - To check that SELinux is not disabled at boot time; -Check that no boot entry disables selinux: -sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf -No line should be returned, each line returned is a boot entry that disables SELinux. - Is it the case that SELinux is disabled at boot time? + Is it the case that the "/var" file system does not have the "nosuid" option set? - - -Run the following command to determine if the git_session_users SELinux boolean is disabled: -$ getsebool git_session_users -If properly configured, the output should show the following: -git_session_users --> off - Is it the case that git_session_users is not disabled? + + To verify that there are no unauthorized local user accounts, run the following command: +$ less /etc/passwd +Inspect the results, and if unauthorized local user accounts exist, remove them by running +the following command: +$ sudo userdel unauthorized_user + Is it the case that there are unauthorized local user accounts on the system? - - Verify the noexec option is configured for the /tmp mount point, - run the following command: - $ sudo mount | grep '\s/tmp\s' - . . . /tmp . . . noexec . . . + + Verify Red Hat Enterprise Linux 8 audits execution as another user. - Is it the case that the "/tmp" file system does not have the "noexec" option set? - - - - +Check if Red Hat Enterprise Linux 8 is configured to audit the execution of the "execve" system call using the following command: -Run the following command to determine the current status of the -fapolicyd service: -$ sudo systemctl is-active fapolicyd -If the service is running, it should return the following: active - Is it the case that the service is not enabled? - - - - -Run the following command to determine if the staff_use_svirt SELinux boolean is disabled: -$ getsebool staff_use_svirt -If properly configured, the output should show the following: -staff_use_svirt --> off - Is it the case that staff_use_svirt is not disabled? 
+$ sudo grep execve /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation +-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset-k user_emulation + Is it the case that the command does not return all lines, or the lines are commented out? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_FORCE /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.log_martians +1. + + Is it the case that the correct value is not returned? - + -Run the following command to determine if the openvpn_can_network_connect SELinux boolean is disabled: -$ getsebool openvpn_can_network_connect +Run the following command to determine if the polipo_session_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool polipo_session_bind_all_unreserved_ports If properly configured, the output should show the following: -openvpn_can_network_connect --> off - Is it the case that openvpn_can_network_connect is not disabled? +polipo_session_bind_all_unreserved_ports --> off + Is it the case that polipo_session_bind_all_unreserved_ports is not disabled? - - Run the following command to determine if the geolite2-city package is installed: -$ rpm -q geolite2-city - Is it the case that the package is installed? + + To check the minimum password length, run the command: +$ grep PASS_MIN_LEN /etc/login.defs +The DoD requirement is 15. + Is it the case that it is not set to the required value? 
- - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check if pam_pwquality.so is enabled in system-auth, run the following command: +$ grep pam_pwquality /etc/pam.d/system-auth +The output should be similar to the following: +password requisite pam_pwquality.so + Is it the case that pam_pwquality.so is not enabled in system-auth? - - To determine if the system is configured to audit calls to the -open_by_handle_at system call, run the following command: -$ sudo grep "open_by_handle_at" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + +Run the following command to determine if the unprivuser_use_svirt SELinux boolean is disabled: +$ getsebool unprivuser_use_svirt +If properly configured, the output should show the following: +unprivuser_use_svirt --> off + Is it the case that unprivuser_use_svirt is not disabled? - + -To ensure the login warning banner text is properly set, run the following: -$ grep banner-message-text /etc/dconf/db/gdm.d/* -If properly configured, the proper banner text will appear. -To ensure the login warning banner text is locked and cannot be changed by a user, run the following: -$ grep banner-message-text /etc/dconf/db/gdm.d/locks/* -If properly configured, the output should be /org/gnome/login-screen/banner-message-text. - Is it the case that it does not? +Run the following command to determine if the saslauthd_read_shadow SELinux boolean is disabled: +$ getsebool saslauthd_read_shadow +If properly configured, the output should show the following: +saslauthd_read_shadow --> off + Is it the case that saslauthd_read_shadow is not disabled? 
- - To check that the abrtd service is disabled in system boot configuration, + + To check that the portreserve service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled abrtd -Output should indicate the abrtd service has either not been installed, +$ sudo systemctl is-enabled portreserve +Output should indicate the portreserve service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled abrtd disabled +$ sudo systemctl is-enabled portreserve disabled -Run the following command to verify abrtd is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active abrtd +Run the following command to verify portreserve is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active portreserve If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the abrtd is masked, run the following command: -$ sudo systemctl show abrtd | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the portreserve is masked, run the following command: +$ sudo systemctl show portreserve | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "abrtd" is loaded and not masked? - - - - -Run the following command to determine if the swift_can_network SELinux boolean is disabled: -$ getsebool swift_can_network -If properly configured, the output should show the following: -swift_can_network --> off - Is it the case that swift_can_network is not disabled? + Is it the case that the "portreserve" is loaded and not masked? - - If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. 
- -This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. - -This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. - -For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. - -For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. - -If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: - -Verify the operating system disables the ability to load the uvcvideo kernel module. - -$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" + + The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.rp_filter +1. -install uvcvideo /bin/true - Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? - - - - Run the following command to determine if the talk package is installed: -$ rpm -q talk - Is it the case that the package is installed? + Is it the case that the correct value is not returned? - - To check the group ownership of /etc/cron.daily, + + To check the group ownership of /etc/passwd, run the command: -$ ls -lL /etc/cron.daily +$ ls -lL /etc/passwd If properly configured, the output should indicate the following group-owner: root - Is it the case that /etc/cron.daily does not have a group owner of root? + Is it the case that /etc/passwd does not have a group owner of root? 
- - To verify that a remote NTP service is configured for time synchronization, -open the following file: - -/etc/chrony.conf in the case the system in question is -configured to use the chronyd as the NTP daemon (default setting) -/etc/ntp.conf in the case the system in question is configured -to use the ntpd as the NTP daemon - -In the file, there should be a section similar to the following: -server ntpserver - Is it the case that this is not the case? + + To verify that SSSD expires known SSH host keys, run the following command: +$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf +If configured properly, output should be +ssh_known_hosts_timeout = + Is it the case that it does not exist or is not configured properly? - - To determine if NOPASSWD or !authenticate have been configured for -sudo, run the following command: -$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that nopasswd and/or !authenticate is enabled in sudo? + + Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils + Is it the case that the package is not installed? - - If the system uses IPv6, this is not applicable. + + +To properly set the owner of /var/log/audit, run the command: +$ sudo chown root /var/log/audit -If the system is configured to prevent the usage of the ipv6 on -network interfaces, it will contain a line of the form: -net.ipv6.conf.default.disable_ipv6 = 1 -Such lines may be inside any file in the /etc/sysctl.d directory. -This permits insertion of the IPv6 kernel module (which other parts of the -system expect to be present), but otherwise keeps network interfaces -from using IPv6. Run the following command to search for such lines in all -files in /etc/sysctl.d: -$ grep -r ipv6 /etc/sysctl.d - Is it the case that the ipv6 support is disabled by default on network interfaces? 
+To properly set the owner of /var/log/audit/*, run the command: +$ sudo chown root /var/log/audit/* + Is it the case that ? - - -Run the following command to determine if the logging_syslogd_use_tty SELinux boolean is enabled: -$ getsebool logging_syslogd_use_tty -If properly configured, the output should show the following: -logging_syslogd_use_tty --> on - Is it the case that logging_syslogd_use_tty is not enabled? + + Run the following command to determine if the abrt package is installed: +$ rpm -q abrt + Is it the case that the package is installed? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42.rules -The output has to be exactly as follows: -## The purpose of these rules is to meet the requirements for Operating -## System Protection Profile (OSPP)v4.2. These rules depends on having -## the following rule files copied to /etc/audit/rules.d: -## -## 10-base-config.rules, 11-loginuid.rules, -## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, -## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, -## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, -## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, -## 30-ospp-v42-5-perm-change-failed.rules, -## 30-ospp-v42-5-perm-change-success.rules, -## 30-ospp-v42-6-owner-change-failed.rules, -## 30-ospp-v42-6-owner-change-success.rules -## -## original copies may be found in /usr/share/audit/sample-rules/ + + The runtime status of the net.ipv4.conf.all.accept_local kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.accept_local +0. + Is it the case that the correct value is not returned? + + + + Verify that rules for unsuccessful calls of the open syscall are in the order shown below. -## User add delete modify. This is covered by pam. 
However, someone could -## open a file and directly create or modify a user, so we'll watch passwd and -## shadow for writes --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". + If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. -## User enable and disable. This is entirely handled by pam. 
+ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access -## Group add delete modify. This is covered by pam. However, someone could -## open a file and directly create or modify a user, so we'll watch group and -## gshadow for writes --a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify --a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify --a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify + If the system is 64 bit then also add the following lines: + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F 
auid!=unset -F key=unsuccesful-access + Is it the case that the rules are in a different order? + + + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +$ sudo grep "open_by_handle_at" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -## Use of special rights for config changes. This would be use of setuid -## programs that relate to user accts. This is not all setuid apps because -## requirements are only for ones that affect system configuration. --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes --a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F 
key=special-config-changes + Is it the case that no line is returned? + + + + Verify the noexec option is configured for the /home mount point, + run the following command: + $ sudo mount | grep '\s/home\s' + . . . /home . . . noexec . . . -## Privilege escalation via su or sudo. This is entirely handled by pam. + Is it the case that the "/home" file system does not have the "noexec" option set? + + + + Verify that Red Hat Enterprise Linux 8 enforces a -day maximum password lifetime for new user accounts by running the following command: -## Watch for configuration changes to privilege escalation. --a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes --a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes +$ grep -i pass_max_days /etc/login.defs -## Audit log access --a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -## Attempts to Alter Process and Session Initiation Information --a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session --a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session +PASS_MAX_DAYS + Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out? + + + + To verify the home directory ownership, run the following command: +# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) + Is it the case that the user ownership is incorrect? + + + + Verify Red Hat Enterprise Linux 8 use the "pam_pwhistory.so" module in the /etc/pam.d/password-auth file +and is configured to prohibit password reuse for a minimum of +generations. 
-## Attempts to modify MAC controls --a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy +Verify the "/etc/pam.d/password-auth" file with the following command: -## Software updates. This is entirely handled by rpm. +$ grep pam_pwhistory.so /etc/pam.d/password-auth +password pam_pwhistory.so use_authtok remember= -## System start and shutdown. This is entirely handled by systemd -## Kernel Module loading. This is handled in 43-module-load.rules +Verify the "/etc/security/pwhistory.conf" file using the following command: -## Application invocation. The requirements list an optional requirement -## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to -## state results from that policy. This would be handled entirely by -## that daemon. - Is it the case that the file does not exist or the content differs? - - - - To ensure TLS is configured with trust certificates, run the following command: -$ grep cert /etc/nslcd.conf - Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? +$ grep remember /etc/security/pwhistory.conf +remember = + +The pam_pwhistory.so "remember" option must be configured only in one file. + Is it the case that the pam_pwhistory.so module is not used, the "remember" module option is not set in +/etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set +with a value less than "<sub idref="var_password_pam_remember" />"? - - To verify all squashing has been disabled, run the following command: -$ grep all_squash /etc/exports - Is it the case that there is output? + + Ensure that debug-shell service is not enabled with the following command: +sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf +No line should be returned, each line returned is a boot entry that enables the debug-shell. + Is it the case that the comand returns a line? 
- - To verify that the audit system collects unauthorized file accesses, run the following commands: -$ sudo grep EACCES /etc/audit/audit.rules -$ sudo grep EPERM /etc/audit/audit.rules - Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM? + + Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils + Is it the case that the policycoreutils package is not installed? - - Verify the noauto option is configured for the /boot mount point, - run the following command: - $ sudo mount | grep '\s/boot\s' - . . . /boot . . . noauto . . . + + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +$ sudo grep "renameat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. - Is it the case that the "/boot" file system does not have the "noauto" option set? - - - - -Run the following command to determine if the httpd_use_cifs SELinux boolean is disabled: -$ getsebool httpd_use_cifs -If properly configured, the output should show the following: -httpd_use_cifs --> off - Is it the case that httpd_use_cifs is not disabled? + Is it the case that no line is returned? - + To determine if the system is configured to audit successful calls -to the unlink system call, run the following command: -$ sudo grep "unlink" /etc/audit.* +to the openat system call, run the following command: +$ sudo grep "openat" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to determine if the rpcbind package is installed: -$ rpm -q rpcbind - Is it the case that the package is installed? 
- - - - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -$ sudo grep "rmdir" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + The runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_pinfo +0. - Is it the case that no line is returned? + Is it the case that the correct value is not returned? - + -Run the following command to determine if the dbadm_manage_user_files SELinux boolean is disabled: -$ getsebool dbadm_manage_user_files +Run the following command to determine if the kerberos_enabled SELinux boolean is enabled: +$ getsebool kerberos_enabled If properly configured, the output should show the following: -dbadm_manage_user_files --> off - Is it the case that dbadm_manage_user_files is not disabled? +kerberos_enabled --> on + Is it the case that kerberos_enabled is not enabled? - - If IPv6 is disabled, this is not applicable. + + Verify that there are no wireless interfaces configured on the system +with the following command: -Inspect the file /etc/sysconfig/ip6tables to determine -the default policy for the INPUT chain. It should be set to DROP: -$ sudo grep ":INPUT" /etc/sysconfig/ip6tables - Is it the case that the default policy for the INPUT chain is not set to DROP? +Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. + +$ nmcli device status +DEVICE TYPE STATE CONNECTION +virbr0 bridge connected virbr0 +wlp7s0 wifi connected wifiSSID +enp6s0 ethernet disconnected -- +p2p-dev-wlp7s0 wifi-p2p disconnected -- +lo loopback unmanaged -- +virbr0-nic tun unmanaged -- + Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)? 
- + -Run the following command to determine if the gluster_export_all_ro SELinux boolean is disabled: -$ getsebool gluster_export_all_ro -If properly configured, the output should show the following: -gluster_export_all_ro --> off - Is it the case that gluster_export_all_ro is not disabled? + +Run the following command to determine the current status of the +iptables service: +$ sudo systemctl is-active iptables +If the service is running, it should return the following: active + Is it the case that ? - - Verify the nodev option is configured for the /var/log mount point, - run the following command: - $ sudo mount | grep '\s/var/log\s' - . . . /var/log . . . nodev . . . + + Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: - Is it the case that the "/var/log" file system does not have the "nodev" option set? +$ sudo more /etc/fstab + +UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 + Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set? - + -Run the following command to determine if the logging_syslogd_run_nagios_plugins SELinux boolean is disabled: -$ getsebool logging_syslogd_run_nagios_plugins +Run the following command to determine if the git_session_bind_all_unreserved_ports SELinux boolean is disabled: +$ getsebool git_session_bind_all_unreserved_ports If properly configured, the output should show the following: -logging_syslogd_run_nagios_plugins --> off - Is it the case that logging_syslogd_run_nagios_plugins is not disabled? +git_session_bind_all_unreserved_ports --> off + Is it the case that git_session_bind_all_unreserved_ports is not disabled? 
- + -Run the following command to determine if the ftpd_use_cifs SELinux boolean is disabled: -$ getsebool ftpd_use_cifs +Run the following command to determine if the ftpd_full_access SELinux boolean is disabled: +$ getsebool ftpd_full_access If properly configured, the output should show the following: -ftpd_use_cifs --> off - Is it the case that ftpd_use_cifs is not disabled? +ftpd_full_access --> off + Is it the case that ftpd_full_access is not disabled? - - The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried + + The runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.send_redirects +$ sysctl net.ipv6.conf.default.router_solicitations 0. Is it the case that the correct value is not returned? - - To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: - -$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config - -If a line indicating no is returned, then the required value is set. - - Is it the case that the required value is not set? + + +Run the following command to determine if the selinuxuser_rw_noexattrfile SELinux boolean is disabled: +$ getsebool selinuxuser_rw_noexattrfile +If properly configured, the output should show the following: +selinuxuser_rw_noexattrfile --> off + Is it the case that selinuxuser_rw_noexattrfile is not disabled? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. 
+ + To check that the dovecot service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled dovecot +Output should indicate the dovecot service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled dovecot disabled -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +Run the following command to verify dovecot is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active dovecot -$ sudo grep -r creat /etc/audit/rules.d +If the service is not running the command will return the following output: +inactive -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +The service will also be masked, to check that the dovecot is masked, run the following command: +$ sudo systemctl show dovecot | grep "LoadState\|UnitFileState" -$ sudo grep creat /etc/audit/audit.rules +If the service is masked the command will return the following outputs: -The output should be the following: +LoadState=masked --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? - - - - To verify that Samba clients using mount.cifs must use packet signing, run the following command: -$ grep sec /etc/fstab -The output should show either krb5i or ntlmv2i in use. - Is it the case that it does not? +UnitFileState=masked + Is it the case that the "dovecot" is loaded and not masked? 
- - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one numeric character be used. - -Check the value for "dcredit" with the following command: - -$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:dcredit = - Is it the case that the value of "dcredit" is a positive number or is commented out? + + Run the following command to check if the line is present: +grep pam_wheel /etc/pam.d/su +The output should contain the following line: +auth required pam_wheel.so use_uid + Is it the case that the line is not in the file or it is commented? - - To check the group ownership of /etc/ssh/sshd_config, -run the command: -$ ls -lL /etc/ssh/sshd_config -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/ssh/sshd_config does not have a group owner of root? + + Run the following command to determine if the samba package is installed: +$ rpm -q samba + Is it the case that the package is installed? - - To verify that a remote NTP service is configured for time synchronization, -open the following file: -/etc/ntp.conf -In the file, there should be a section similar to the following: -server ntpserver - Is it the case that this is not the case? + + +Run the following command to determine if the httpd_use_fusefs SELinux boolean is disabled: +$ getsebool httpd_use_fusefs +If properly configured, the output should show the following: +httpd_use_fusefs --> off + Is it the case that httpd_use_fusefs is not disabled? - - The runtime status of the net.ipv4.conf.all.route_localnet kernel parameter can be queried + + The runtime status of the kernel.core_uses_pid kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.all.route_localnet +$ sysctl kernel.core_uses_pid 0. - - Is it the case that the correct value is not returned? 
+ Is it the case that the returned line does not have a value of 0? - - Verify Red Hat Enterprise Linux 8 disables network management of the chrony daemon with the following command: -$ grep -w cmdport /etc/chrony.conf -cmdport 0 - Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing? + + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/local/bin +/usr/local/sbin +/usr/sbin +For each of these directories, run the following command to find files +not owned by root: +$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \; + Is it the case that any system executables directories are found to not be owned by root? - - To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file -/etc/pki/tls/openssl.cnf contains the [ crypto_policy ] section with the -.include /etc/crypto-policies/back-ends/opensslcnf.config directive: - -$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf. - Is it the case that the OpenSSL config file doesn't contain the whole section, -or the section doesn't contain the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive? + + Run the following command to determine if the iptables-services package is installed: $ rpm -q iptables-services + Is it the case that the iptables-services package is not installed? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: + + To check that the rsyncd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled rsyncd +Output should indicate the rsyncd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rsyncd disabled -$ sudo auditctl -l | grep sudo +Run the following command to verify rsyncd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rsyncd --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo - Is it the case that the command does not return a line, or the line is commented out? - - - - Run the following command to determine if the dnf-automatic package is installed: $ rpm -q dnf-automatic - Is it the case that the package is not installed? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rsyncd is masked, run the following command: +$ sudo systemctl show rsyncd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "rsyncd" is loaded and not masked? - - To verify the sec option is configured for all NFS mounts, run the following command: -$ mount | grep "sec=" -All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. -This is not applicable if NFS is not implemented. - Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? + + Ensure that CGI backup scripts are not left on the production web server. +This check is limited to CGI/interactive content and not static HTML. 
+ +Search for backup copies of CGI scripts on the web server or ask the Web +Administrator if they keep backup copies of CGI scripts on the web server. + +Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, +*.??0. This would also apply to .jsp files. + +On Red Hat Enterprise Linux, run the following commands to find backup +scripts: +find / name "*.bak" -print +find / name "*.*" -print +find / name "*.old" -print + Is it the case that If fileos with these extensions have no relationship with web activity, +such as backup batch file for operating system utility, and they are +not accessible by the web application, this is not a finding. + +If files with these extensions are found in either the document +directory or the home directory of the web server, this is +a finding. + +If files with these extensions are stored in a repository (not in the +document root) as backups for the web server? - - -Run the following command to determine if the ksmtuned_use_cifs SELinux boolean is disabled: -$ getsebool ksmtuned_use_cifs -If properly configured, the output should show the following: -ksmtuned_use_cifs --> off - Is it the case that ksmtuned_use_cifs is not disabled? + + To check the group ownership of /etc/ssh/*.pub, +run the command: +$ ls -lL /etc/ssh/*.pub +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/ssh/*.pub does not have a group owner of root? - - To check the permissions of /etc/passwd, -run the command: -$ ls -l /etc/passwd -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/passwd does not have unix mode -rw-r--r--? + + To verify the nodev option is configured for non-root local partitions, run the following command: +$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' +The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. 
+ + Is it the case that some mounts appear among output lines? - - -Run the following command to determine if the httpd_enable_homedirs SELinux boolean is disabled: -$ getsebool httpd_enable_homedirs -If properly configured, the output should show the following: -httpd_enable_homedirs --> off - Is it the case that httpd_enable_homedirs is not disabled? + + To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config +and verify that the line matches: +Ciphers + Is it the case that Crypto Policy for OpenSSH client is not configured correctly? - - Inspect /etc/audit/auditd.conf and locate the following line to -determine how much data the system will retain in each audit log file: -$ sudo grep max_log_file /etc/audit/auditd.conf -max_log_file = 6 - Is it the case that the system audit data threshold has not been properly configured? + + To determine if the system is configured to audit successful calls +to the fsetxattr system call, run the following command: +$ sudo grep "fsetxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To ensure logs are sent to a remote host, examine the file -/etc/rsyslog.conf. -If using UDP, a line similar to the following should be present: - *.* @ -If using TCP, a line similar to the following should be present: - *.* @@ -If using RELP, a line similar to the following should be present: - *.* :omrelp: - Is it the case that no evidence that the audit logs are being off-loaded to another system or media? + + Verify that Red Hat Enterprise Linux 8 generates an audit record for all uses of the "umount" and system call. 
+To determine if the system is configured to audit calls to the +"umount" system call, run the following command: +$ sudo grep "umount" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line like the following. +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount + Is it the case that the command does not return a line, or the line is commented out? - - To check the group ownership of /etc/gshadow, -run the command: -$ ls -lL /etc/gshadow -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/gshadow does not have a group owner of root? + + +Run the following command to determine if the git_cgi_enable_homedirs SELinux boolean is disabled: +$ getsebool git_cgi_enable_homedirs +If properly configured, the output should show the following: +git_cgi_enable_homedirs --> off + Is it the case that git_cgi_enable_homedirs is not disabled? - - To determine if NOPASSWD has been configured for sudo, run the following command: -$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ -The command should return no output. - Is it the case that nopasswd is specified in the sudo config files? + + Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: + +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; + Is it the case that any system commands are returned and is not group-owned by a required system account? 
- - To verify if ErrorLog is configured correctly in + + To verify if LogFormat is configured correctly in /etc/httpd/conf/httpd.conf, run the following command: -$ grep -i errorlog /etc/httpd/conf/httpd.conf -The output should return the following: -ErrorLog "logs/error_log" +$ grep -i logformat /etc/httpd/conf/httpd.conf +The output should contain the following: +LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined Is it the case that it is not? - - -Run the following command to determine if the selinuxuser_share_music SELinux boolean is disabled: -$ getsebool selinuxuser_share_music -If properly configured, the output should show the following: -selinuxuser_share_music --> off - Is it the case that selinuxuser_share_music is not disabled? + + To verify that the operating system protects against or limits the effects of DoS +attacks by ensuring implementation of rate-limiting measures +on impacted network interfaces, run the following command: +# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/* +The command should output the following line: +/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = +The file where the line has been found can differ, but it must be either /etc/sysctl.conf +or a file located under the /etc/sysctl.d/ directory. + Is it the case that rate limiting of duplicate TCP acknowledgments is not configured? - - Open browser window and browse to the appropriate site. Before entry to the -site, you should be presented with the server's PKI credentials. Review -these credentials for authenticity. + + To determine how the SSH daemon's LogLevel option is set, run the following command: -For DoD, find an entry which cites: +$ sudo grep -i LogLevel /etc/ssh/sshd_config -Issuer: -CN = -DOD CLASS 3 CA-3 -OU = PKI -OU = DoD -O = U.S. Government -C = US +If a line indicating INFO is returned, then the required value is set. - Is it the case that it is not? + Is it the case that the required value is not set? 
- - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_MODULE_SIG_HASH /boot/config.* - - For each kernel installed, a line with value "" should be returned. - - Is it the case that the kernel was not built with the required value? + + To verify if the OpenSSL uses defined Crypto Policy, run: +$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1 +and verify that the line matches +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + Is it the case that Crypto Policy for OpenSSL is not configured according to CC requirements? + + + + +Run the following command to determine if the exim_read_user_files SELinux boolean is disabled: +$ getsebool exim_read_user_files +If properly configured, the output should show the following: +exim_read_user_files --> off + Is it the case that exim_read_user_files is not disabled? 
@@ -379367,475 +379690,439 @@ $ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0 Is it the case that there is output? - - Inspect /etc/audit/auditd.conf and locate the following line to -determine if the system is configured to synchronize audit event data -with the log files on the disk: -$ sudo grep flush /etc/audit/auditd.conf -flush = DATA -Acceptable values are DATA, and SYNC. The setting is -case-insensitive. - Is it the case that auditd is not configured to synchronously write audit event data to disk? + + Run the following command to determine if the tftp-server package is installed: +$ rpm -q tftp-server + Is it the case that the package is installed? - - Verify that a separate file system/partition has been created for /srv with the following command: - -$ mountpoint /srv + + Verify the nodev option is configured for the /var/log/audit mount point, + run the following command: + $ sudo mount | grep '\s/var/log/audit\s' + . . . /var/log/audit . . . nodev . . . - Is it the case that "/srv is not a mountpoint" is returned? + Is it the case that the "/var/log/audit" file system does not have the "nodev" option set? - + -Run the following command to determine if the virt_sandbox_use_audit SELinux boolean is enabled: -$ getsebool virt_sandbox_use_audit +Run the following command to determine if the deny_ptrace SELinux boolean is disabled: +$ getsebool deny_ptrace If properly configured, the output should show the following: -virt_sandbox_use_audit --> on - Is it the case that virt_sandbox_use_audit is not enabled? +deny_ptrace --> off + Is it the case that deny_ptrace is not disabled? - - Run the following command to ensure the TMOUT value is configured for all users -on the system: - -$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh - -The output should return the following: -TMOUT= - Is it the case that value of TMOUT is not less than or equal to expected setting? 
+ + +Run the following command to determine if the kdumpgui_run_bootloader SELinux boolean is disabled: +$ getsebool kdumpgui_run_bootloader +If properly configured, the output should show the following: +kdumpgui_run_bootloader --> off + Is it the case that kdumpgui_run_bootloader is not disabled? - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: - -$ sudo auditctl -l | grep unix_chkpwd - --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd - Is it the case that the command does not return a line, or the line is commented out? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_KEXEC /boot/config.* + + Configs with value 'n' are not explicitly set in the file, so either commented lines or no + lines should be returned. + + Is it the case that the kernel was not built with the required value? - - Storing logs remotely protects the integrity of the data from local attacks. -Run the following command to verify that journald is forwarding logs to a remote host. - -grep "^\sForwardToSyslog" /etc/systemd/journald.conf + + +Run the following command to determine if the xdm_bind_vnc_tcp_port SELinux boolean is disabled: +$ getsebool xdm_bind_vnc_tcp_port +If properly configured, the output should show the following: +xdm_bind_vnc_tcp_port --> off + Is it the case that xdm_bind_vnc_tcp_port is not disabled? + + + + To determine how the SSH daemon's LogLevel option is set, run the following command: -and it should return +$ sudo grep -i LogLevel /etc/ssh/sshd_config -ForwardToSyslog=yes +If a line indicating VERBOSE is returned, then the required value is set. - Is it the case that is commented out or not configured correctly? 
- - - - These settings can be verified by running the following: -$ gsettings get org.gnome.desktop.media-handling automount -If properly configured, the output for automount should be false. -To ensure that users cannot enable automount in GNOME3, run the following: -$ grep 'automount' /etc/dconf/db/local.d/locks/* -If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount - Is it the case that GNOME automounting is not disabled? - - - - Run the following command to determine if the ypserv package is installed: -$ rpm -q ypserv - Is it the case that the package is installed? + Is it the case that the required value is not set? - - Run the following command to determine if the krb5-workstation package is installed: -$ rpm -q krb5-workstation - Is it the case that the package is installed? + + To check if pam_namespace.so is required for user login, run the following command: +$ grep pam_namespace.so /etc/pam.d/login +The output should return the following uncommented: +session required pam_namespace.so + Is it the case that pam_namespace.so is not required or is commented out? - - To check the ownership of /etc/passwd-, -run the command: -$ ls -lL /etc/passwd- -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/passwd- does not have an owner of root? + + +Run the following command to determine if the collectd_tcp_network_connect SELinux boolean is disabled: +$ getsebool collectd_tcp_network_connect +If properly configured, the output should show the following: +collectd_tcp_network_connect --> off + Is it the case that collectd_tcp_network_connect is not disabled? 
- - To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command: -grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf -The output should return the following: - -[xdmcp] -Enable=false - - Is it the case that the Enable is not set to false or is missing in the xdmcp section of the /etc/gdm/custom.conf gdm configuration file? + + +Run the following command to determine if the mozilla_read_content SELinux boolean is disabled: +$ getsebool mozilla_read_content +If properly configured, the output should show the following: +mozilla_read_content --> off + Is it the case that mozilla_read_content is not disabled? - - To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 8 systems, -run the following command: -$ dmesg | grep '[NX|DX]*protection' -The output should not contain 'disabled by kernel command line option'. -Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes noexec=off, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*noexec=off.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*noexec=off.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'noexec=off' -The command should not return any output. - Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.? 
+ + Run the following command to verify that SSH client is configured to use 32 bytes of entropy: +grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh +The output should be: +export SSH_USE_STRONG_RNG=32 + Is it the case that SSH client is not configured to use 32 bytes of entropy or more? - - Verify that the interactive user account passwords are using a strong -password hash with the following command: + + To determine how the SSH daemon's X11Forwarding option is set, run the following command: -$ sudo cut -d: -f2 /etc/shadow +$ sudo grep -i X11Forwarding /etc/ssh/sshd_config -$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ +If a line indicating yes is returned, then the required value is set. -Password hashes ! or * indicate inactive accounts not -available for logon and are not evaluated. - Is it the case that any interactive user password hash does not begin with "$6"? + Is it the case that the required value is not set? - - The runtime status of the fs.protected_symlinks kernel parameter can be queried -by running the following command: -$ sysctl fs.protected_symlinks -1. + + Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed. - Is it the case that the correct value is not returned? +Run the following command to determine if the openssl-pkcs11 package is installed: +$ rpm -q openssl-pkcs11 + Is it the case that smartcard software is not installed? 
- - To determine if the system is configured to audit successful calls -to the open system call, run the following command: -$ sudo grep "open" /etc/audit.* + + To verify the operating system implements cryptography to protect the integrity of +remote ldap access sessions, run the following command: +$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf +The output should return the following with a correctly configured CA cert path: +ldap_tls_cacertdir /path/to/tls/cacert + Is it the case that the TLS CA cert is not configured? + + + + To determine if the system is configured to audit calls to the +unlink system call, run the following command: +$ sudo grep "unlink" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To check the permissions of /var/log, + + To check the ownership of /etc/shadow, run the command: -$ ls -l /var/log -If properly configured, the output should indicate the following permissions: -drwxr-xr-x - Is it the case that /var/log does not have unix mode drwxr-xr-x? - - - - To determine if the system is configured to audit changes to its network configuration, -run the following command: -auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' -If the system is configured to watch for network configuration changes, a line should be returned for -each file specified (and perm=wa should be indicated for each). - Is it the case that the system is not configured to audit changes of the network configuration? - - - - -Run the following command to determine if the named_tcp_bind_http_port SELinux boolean is disabled: -$ getsebool named_tcp_bind_http_port -If properly configured, the output should show the following: -named_tcp_bind_http_port --> off - Is it the case that named_tcp_bind_http_port is not disabled? 
+$ ls -lL /etc/shadow +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/shadow does not have an owner of root? - - To determine that periodic AIDE execution has been scheduled, run the following command: - -$ grep aide /etc/crontab -The output should return something similar to the following: -05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost -The email address that the notifications are sent to can be changed by overriding -. - Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details? + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes spec_store_bypass_disable=, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub +If this option is set to true, then check that a line is output by the following command: +$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spec_store_bypass_disable=.*' /etc/default/grub +If the recovery is disabled, check the line with +$ sudo grep 'GRUB_CMDLINE_LINUX.*spec_store_bypass_disable=.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +$ sudo grubby --info=ALL | grep args | grep -v 'spec_store_bypass_disable=' +The command should not return any output. + Is it the case that SSB is not configured appropriately? - + -If the system is configured to prevent the loading of the bluetooth kernel module, +If the system is configured to prevent the loading of the sctp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
-These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d +$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? - + -Run the following command to determine if the piranha_lvs_can_network_connect SELinux boolean is disabled: -$ getsebool piranha_lvs_can_network_connect +Run the following command to determine if the ksmtuned_use_cifs SELinux boolean is disabled: +$ getsebool ksmtuned_use_cifs If properly configured, the output should show the following: -piranha_lvs_can_network_connect --> off - Is it the case that piranha_lvs_can_network_connect is not disabled? +ksmtuned_use_cifs --> off + Is it the case that ksmtuned_use_cifs is not disabled? - + + To verify all local initialization files for interactive users are owned by the +primary user, run the following command: +$ sudo ls -al /home/USER/.* +The user initialization files should be owned by USER. + Is it the case that they are not? + + + -Run the following command to determine if the selinuxuser_udp_server SELinux boolean is disabled: -$ getsebool selinuxuser_udp_server +Run the following command to determine if the irc_use_any_tcp_ports SELinux boolean is disabled: +$ getsebool irc_use_any_tcp_ports If properly configured, the output should show the following: -selinuxuser_udp_server --> off - Is it the case that selinuxuser_udp_server is not disabled? +irc_use_any_tcp_ports --> off + Is it the case that irc_use_any_tcp_ports is not disabled? - - Verify the hidepid=value option is configured for the /proc mount point, - run the following command: - $ sudo mount | grep '\s/proc\s' - . . . /proc . . . hidepid=value . . . 
+ + Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification. - Is it the case that the "/proc" file system does not have the "hidepid=value" option set? +Check the group-owner of each audit tool by running the following command: + +$ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules + Is it the case that any audit tools are not group-owned by root? - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to create files using the open system call with O_CREAT flag. + + The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.accept_source_route +0. -If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command: + Is it the case that the correct value is not returned? + + + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_ARM64_SW_TTBR0_PAN /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? + + + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. 
-$ sudo grep -r open /etc/audit/rules.d +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r ftruncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open /etc/audit/audit.rules +$ sudo grep ftruncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the httpd_tty_comm SELinux boolean is disabled: -$ getsebool httpd_tty_comm -If properly configured, the output should show the following: -httpd_tty_comm --> off - Is it the case that httpd_tty_comm is not disabled? - - - - To check the group ownership of /etc/cron.d, -run the command: -$ ls -lL /etc/cron.d -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/cron.d does not have a group owner of root? 
+ + Run the following command to determine open ports: +# ss -4tuln +Run the following command to determine firewall rules: +# iptables -L INPUT -v -n +For each port identified in the audit which does not have a firewall +rule, add rule for accepting or denying inbound connections +# iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT + Is it the case that open ports are denied connection? - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/passwd)' - --w /etc/passwd -p wa -k identity - Is it the case that the command does not return a line, or the line is commented out? + + Run the following command to determine if the nginx package is installed: +$ rpm -q nginx + Is it the case that the package is installed? - + -If the system is configured to prevent the loading of the usb-storage kernel module, +If the system is configured to prevent the loading of the cfg80211 kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the cfg80211 kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d +$ grep -r cfg80211 /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? - - To check the system for the existence of any .forward files, -run the following command: -$ sudo find /home -xdev -name .forward - Is it the case that any .forward files exist? 
+ + Run the following command to determine if the cron package is installed: +$ rpm -q cron + Is it the case that the package is installed? - - Verify Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size. - -Check that Red Hat Enterprise Linux 8 takes the appropriate action when the audit files have reached maximum size with the following command: - -$ sudo grep max_log_file_action /etc/audit/auditd.conf - -max_log_file_action = - Is it the case that the value of the "max_log_file_action" option is not "ROTATE", "SINGLE", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action? + + Run the following command to determine if the tmux package is installed: $ rpm -q tmux + Is it the case that the package is not installed? - - To check the ownership of /etc/issue, + + To check the permissions of /etc/http/conf.modules.d/*, run the command: -$ ls -lL /etc/issue -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/issue does not have an owner of root? +$ ls -l /etc/http/conf.modules.d/* +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/http/conf.modules.d/* does not have unix mode -rw-r-----? - - To check the group ownership of /boot/grub2/grub.cfg, + + To check the group ownership of /etc/shadow-, run the command: -$ ls -lL /boot/grub2/grub.cfg +$ ls -lL /etc/shadow- If properly configured, the output should indicate the following group-owner: root - Is it the case that /boot/grub2/grub.cfg does not have a group owner of root? + Is it the case that /etc/shadow- does not have a group owner of root? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. 
If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192' -The command should not return any output. - Is it the case that audit backlog limit is not configured? + + To determine if the system is configured to audit calls to the +rmdir system call, run the following command: +$ sudo grep "rmdir" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To check that the certmonger service is disabled in system boot configuration, + + +Run the following command to determine if the login_console_enabled SELinux boolean is enabled: +$ getsebool login_console_enabled +If properly configured, the output should show the following: +login_console_enabled --> on + Is it the case that login_console_enabled is not enabled? + + + + Verify that the interactive user account passwords last change time is not in the future +The following command should return no output +$ sudo expiration=$(cat /etc/shadow|awk -F ':' '{print $3}'); +for edate in ${expiration[@]}; do if [[ $edate > $(( $(date +%s)/86400 )) ]]; +then echo "Expiry date in future"; +fi; done + Is it the case that any interactive user password that has last change time in the future? 
+ + + + To determine if the system is configured to audit successful calls +to the unlinkat system call, run the following command: +$ sudo grep "unlinkat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + If network services are using the xinetd service, this is not applicable. + +To check that the xinetd service is disabled in system boot configuration, run the following command: -$ sudo systemctl is-enabled certmonger -Output should indicate the certmonger service has either not been installed, +$ sudo systemctl is-enabled xinetd +Output should indicate the xinetd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled certmonger disabled +$ sudo systemctl is-enabled xinetd disabled -Run the following command to verify certmonger is not active (i.e. not running) through current runtime configuration: -$ sudo systemctl is-active certmonger +Run the following command to verify xinetd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active xinetd If the service is not running the command will return the following output: inactive -The service will also be masked, to check that the certmonger is masked, run the following command: -$ sudo systemctl show certmonger | grep "LoadState\|UnitFileState" +The service will also be masked, to check that the xinetd is masked, run the following command: +$ sudo systemctl show xinetd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked - Is it the case that the "certmonger" is loaded and not masked? 
- - - - To determine if the system is configured to audit unsuccessful calls -to the lchown system call, run the following command: -$ sudo grep "lchown" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: - -$ sudo auditctl -l | grep crontab - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab - Is it the case that the command does not return a line, or the line is commented out? + Is it the case that the "xinetd" is loaded and not masked? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes ipv6.disable=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'ipv6.disable=1' -The command should not return any output. - Is it the case that IPv6 is not disabled? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_PAGE_POISONING_ZERO /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
- - Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils - Is it the case that the package is not installed? + + To check the ownership of /etc/ssh/*_key, +run the command: +$ ls -lL /etc/ssh/*_key +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/ssh/*_key does not have an owner of root? - - Run the following command to determine the current status of the dnf-automatic timer: $ sudo systemctl is-active dnf-automatic.timer If the timer is running, it should return the following: active - Is it the case that the dnf-automatic.timer is not enabled? + + The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.forwarding +0. +The ability to forward packets is only appropriate for routers. + Is it the case that IP forwarding value is "1" and the system is not router? - - To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, + + To check that the nftables service is disabled in system boot configuration, run the following command: -$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout -$ grep logout /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/settings-daemon/plugins/media-keys/logout - Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? - - - - -Run the following command to determine if the exim_read_user_files SELinux boolean is disabled: -$ getsebool exim_read_user_files -If properly configured, the output should show the following: -exim_read_user_files --> off - Is it the case that exim_read_user_files is not disabled? 
- - - - +$ sudo systemctl is-enabled nftables +Output should indicate the nftables service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled nftables disabled -Run the following command to determine the current status of the -rsyslog service: -$ sudo systemctl is-active rsyslog -If the service is running, it should return the following: active - Is it the case that the "rsyslog" service is disabled, masked, or not started.? - - - - Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: +Run the following command to verify nftables is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active nftables -$ sudo grep 'dir =' /etc/security/faillock.conf +If the service is not running the command will return the following output: +inactive -dir = /var/log/faillock - Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? - - - - Verify Red Hat Enterprise Linux 8 enforces 24 hours/1 day as the minimum password lifetime for new user accounts. +The service will also be masked, to check that the nftables is masked, run the following command: +$ sudo systemctl show nftables | grep "LoadState\|UnitFileState" -Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: +If the service is masked the command will return the following outputs: -$ grep -i pass_min_days /etc/login.defs +LoadState=masked -PASS_MIN_DAYS - Is it the case that the "PASS_MIN_DAYS" parameter value is not "<sub idref="var_accounts_minimum_age_login_defs" />" or greater, or is commented out? +UnitFileState=masked + Is it the case that the "nftables" is loaded and not masked? 
- - To check the group ownership of /etc/cron.weekly, -run the command: -$ ls -lL /etc/cron.weekly -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /etc/cron.weekly does not have a group owner of root? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_STACKPROTECTOR_STRONG /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
@@ -379847,199 +380134,128 @@ postfix_local_write_mail_spool --> on Is it the case that postfix_local_write_mail_spool is not enabled? - - Run the following command to determine if the geolite2-country package is installed: -$ rpm -q geolite2-country - Is it the case that the package is installed? - - - - Verify that interactive users on the system have a home directory assigned with the following command: - -$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd - -Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined. - Is it the case that users home directory is not defined? + + To verify if ErrorLog is configured correctly in +/etc/httpd/conf/httpd.conf, run the following command: +$ grep -i errorlog /etc/httpd/conf/httpd.conf +The output should return the following: +ErrorLog "logs/error_log" + Is it the case that it is not? - - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub -If this option is set to true, then check that a line is output by the following command: -$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub -If the recovery is disabled, check the line with -$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -$ sudo grubby --info=ALL | grep args | grep -v 'audit=1' -The command should not return any output. - Is it the case that auditing is not enabled at boot time? + + Run the following command to determine if the rpcbind package is installed: +$ rpm -q rpcbind + Is it the case that the package is installed? 
- + -Run the following command to determine if the fenced_can_ssh SELinux boolean is disabled: -$ getsebool fenced_can_ssh +Run the following command to determine if the virt_use_comm SELinux boolean is disabled: +$ getsebool virt_use_comm If properly configured, the output should show the following: -fenced_can_ssh --> off - Is it the case that fenced_can_ssh is not disabled? - - - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? +virt_use_comm --> off + Is it the case that virt_use_comm is not disabled? - - If FTP services are not installed, this is not applicable. - -To verify this configuration, run the following command: - -grep "banner_file" /etc/vsftpd/vsftpd.conf + + To check that the atd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled atd +Output should indicate the atd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled atd disabled +Run the following command to verify atd is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active atd -The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: +If the service is not running the command will return the following output: +inactive -$ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf +The service will also be masked, to check that the atd is masked, run the following command: +$ sudo systemctl show atd | grep "LoadState\|UnitFileState" -banner_file=/etc/issue - Is it the case that it does not? 
- - - - Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command: +If the service is masked the command will return the following outputs: -$ grep -i process /etc/systemd/coredump.conf +LoadState=masked -ProcessSizeMax=0 - Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? +UnitFileState=masked + Is it the case that the "atd" is loaded and not masked? - - Run the following command to determine if the systemd-journal-remote package is installed: $ rpm -q systemd-journal-remote - Is it the case that the package is not installed? + + To check the group ownership of /etc/group, +run the command: +$ ls -lL /etc/group +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/group does not have a group owner of root? - - -If the system is configured to prevent the loading of the sctp kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d - Is it the case that no line is returned? 
+ + Verify Red Hat Enterprise Linux 8 limits the number of concurrent sessions to +"" for all +accounts and/or account types with the following command: +$ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf +/etc/security/limits.conf:* hard maxlogins 10 +This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. + Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater +than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and +is not documented with the Information System Security Officer (ISSO) as an +operational requirement for all domains that have the "maxlogins" item +assigned'? - + -Run the following command to determine if the git_system_enable_homedirs SELinux boolean is disabled: -$ getsebool git_system_enable_homedirs +Run the following command to determine if the puppetmaster_use_db SELinux boolean is disabled: +$ getsebool puppetmaster_use_db If properly configured, the output should show the following: -git_system_enable_homedirs --> off - Is it the case that git_system_enable_homedirs is not disabled? +puppetmaster_use_db --> off + Is it the case that puppetmaster_use_db is not disabled? - - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one lower-case character. - -Check the value for "lcredit" with the following command: - -$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf - -/etc/security/pwquality.conf:lcredit = -1 - Is it the case that the value of "lcredit" is a positive number or is commented out? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_RETPOLINE /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? 
- - -Run the following command to determine if the gpg_web_anon_write SELinux boolean is disabled: -$ getsebool gpg_web_anon_write -If properly configured, the output should show the following: -gpg_web_anon_write --> off - Is it the case that gpg_web_anon_write is not disabled? + + Interview the SA or web administrator to see where the public web server +is logically located in the data center. Review the site network diagram +to see how the web server is connected to the LAN. Visually check the web +server hardware connections to see if it conforms to the site network +diagram. + Is it the case that the web server is not isolated in an accredited DoD DMZ Extension? - - Run the following command to determine if the aide package is installed: $ rpm -q aide - Is it the case that the package is not installed? + + To check the value of the umask, run the following command: +$ grep umask /etc/init.d/functions +The output should show . + Is it the case that it does not? - + -Run the following command to determine if the xdm_write_home SELinux boolean is disabled: -$ getsebool xdm_write_home +Run the following command to determine if the fcron_crond SELinux boolean is disabled: +$ getsebool fcron_crond If properly configured, the output should show the following: -xdm_write_home --> off - Is it the case that xdm_write_home is not disabled? - - - - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: - -$ sudo auditctl -l | grep kmod - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod - Is it the case that the command does not return a line, or the line is commented out? - - - - Verify that Promiscuous mode of an interface is disabled, run the following command: -$ ip link | grep PROMISC - Is it the case that any network device is in promiscuous mode? 
- - - - To check the permissions of /etc/http/conf, -run the command: -$ ls -l /etc/http/conf -If properly configured, the output should indicate the following permissions: --rwxr-x--- - Is it the case that ? - - - - To ensure the GUI does not allow user administratrion capabilities to all users, -run the following command: -$ gsettings get org.gnome.desktop.lockdown user-administration-disabled -If properly configured, the output should be true. -To ensure that users cannot enable user administration, run the following: -$ grep user-administration /etc/dconf/db/local.d/locks/* -If properly configured, the output should be -/org/gnome/desktop/lockdown/user-administration-disabled - Is it the case that user administration is not configured or disabled? +fcron_crond --> off + Is it the case that fcron_crond is not disabled? - - Verify that rules for unsuccessful calls of the openat syscall are in the order shown below. - - If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d". - If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file. 
- - -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - - If the system is 64 bit then also add the following lines: - - -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access - Is it the case that the rules are in a different order? + + +Run the following command to determine if the virt_use_fusefs SELinux boolean is disabled: +$ getsebool virt_use_fusefs +If properly configured, the output should show the following: +virt_use_fusefs --> off + Is it the case that virt_use_fusefs is not disabled? 
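Review bot: the added maxlogins check in this hunk publishes an unresolved variable reference, both as an empty quoted value (`"" for all`) and as a literal `"<sub idref="var_accounts_max_concurrent_login_sessions" />"` in the closing question, and the umask check has the same defect ("The output should show ."); the publishing step should resolve `<sub idref=...>` against the profile's variable values before rendering, or the guide tells the auditor to compare against nothing. The same closing question also ends with a stray apostrophe (`assigned'?`). Separately, most of this hunk is not a content change but a reordering: the sctp modprobe check removed here is the one added near the top of the previous hunk, and the other removed items (gpg_web_anon_write, aide, kmod audit rule, openat rule ordering) are replaced by unrelated checks rather than edited. If the generator emitted check items in a deterministic order (for example sorted by rule id), an automated publish would show only the real differences and a reviewer could actually confirm nothing was dropped.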
@@ -380067,1027 +380283,811 @@ UnitFileState=masked Is it the case that the "tftp" is loaded and not masked? - - To determine whether sudo command includes configuration files from the appropriate directory, -run the following command: -$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d -If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. -Any other line returned is a finding. - Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?? + + To check the group ownership of /etc/cron.daily, +run the command: +$ ls -lL /etc/cron.daily +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.daily does not have a group owner of root? - - -Run the following command to determine if the openvpn_run_unconfined SELinux boolean is disabled: -$ getsebool openvpn_run_unconfined -If properly configured, the output should show the following: -openvpn_run_unconfined --> off - Is it the case that openvpn_run_unconfined is not disabled? + + Run the following command and verify that time sources are only configured with server directive: +# grep -E "^(server|pool)" /etc/chrony.conf +A line with the appropriate server should be returned, any line returned starting with pool is a finding. + Is it the case that an authoritative remote time server is not configured or configured with pool directive? - - Verify Red Hat Enterprise Linux 8 removes all software components after updated versions have been installed. + + To check that the httpd service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled httpd +Output should indicate the httpd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled httpd disabled +Run the following command to verify httpd is not active (i.e. 
not running) through current runtime configuration: +$ sudo systemctl is-active httpd -$ grep clean_requirements_on_remove /etc/yum.conf -clean_requirements_on_remove=1 - Is it the case that '"clean_requirements_on_remove" is not set to "1"'? - - - - To verify that auditing of privileged command use is configured, run the following command -to search privileged commands in relevant partitions and check if they are covered by auditd -rules: +If the service is not running the command will return the following output: +inactive -FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) -PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }') -for PARTITION in $PARTITIONS; do - for PRIV_CMD in $(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null); do - grep -qr "${PRIV_CMD}" /etc/audit/rules.d /etc/audit/audit.rules && - printf "OK: ${PRIV_CMD}\n" || printf "WARNING - rule not found for: ${PRIV_CMD}\n" - done -done +The service will also be masked, to check that the httpd is masked, run the following command: +$ sudo systemctl show httpd | grep "LoadState\|UnitFileState" -The output should not contain any WARNING. - Is it the case that any setuid or setgid programs doesn't have a line in the audit rules? +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "httpd" is loaded and not masked? - - The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried + + The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried by running the following command: -$ sysctl net.ipv4.conf.default.log_martians +$ sysctl kernel.kexec_load_disabled 1. Is it the case that the correct value is not returned? - - Verify that the system is not accepting "rsyslog" messages from other systems unless it is -documented as a log aggregation server. 
-Display the contents of the rsyslog configuration files: -find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \; - -If any of the below lines are found, ask to see the documentation for the system being used -for log aggregation: - -If using legacy syntax: -$ModLoad imtcp -$InputTCPServerRun port -$ModLoad imudp -$UDPServerRun port -$ModLoad imrelp -$InputRELPServerRun port - -If using RainerScript syntax: -module(load="imtcp") -module(load="imudp") -input(type="imtcp" port="514") -input(type="imudp" port="514") + + The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.send_redirects +0. - Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system? - - - - To check for legacy lines in /etc/shadow, run the following command: - grep '^\+' /etc/shadow -The command should not return any output. - Is it the case that the file contains legacy lines? - - - - Run the following command to determine if the openldap-clients package is installed: -$ rpm -q openldap-clients - Is it the case that the package is installed? - - - - -Run the following command to determine if the httpd_use_openstack SELinux boolean is disabled: -$ getsebool httpd_use_openstack -If properly configured, the output should show the following: -httpd_use_openstack --> off - Is it the case that httpd_use_openstack is not disabled? - - - - To verify the assigned home directory of all interactive user home directories -have a mode of 0750 or less permissive, run the following command: -$ sudo ls -l /home -Inspect the output for any directories with incorrect permissions. - Is it the case that they are more permissive? 
- - - - To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: -sysctl crypto.fips_enabled -The output should contain the following: -crypto.fips_enabled = 1 - Is it the case that crypto.fips_enabled is not 1? + Is it the case that the correct value is not returned? - - System executables are stored in the following directories by default: -/bin -/sbin -/usr/bin -/usr/sbin -/usr/local/bin -/usr/local/sbin -To find system executables directories that are group-writable or -world-writable, run the following command for each directory DIR -which contains system executables: -$ sudo find -L DIR -perm /022 -type d - Is it the case that any of these files are group-writable or world-writable? + + To check the group ownership of /etc/issue, +run the command: +$ ls -lL /etc/issue +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/issue does not have a group owner of root? - + -Run the following command to determine if the cron_can_relabel SELinux boolean is disabled: -$ getsebool cron_can_relabel +Run the following command to determine if the httpd_anon_write SELinux boolean is disabled: +$ getsebool httpd_anon_write If properly configured, the output should show the following: -cron_can_relabel --> off - Is it the case that cron_can_relabel is not disabled? - - - - To check the permissions of /etc/cron.d, -run the command: -$ ls -l /etc/cron.d -If properly configured, the output should indicate the following permissions: --rwx------ - Is it the case that /etc/cron.d does not have unix mode -rwx------? - - - - Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: - -Verify "firewalld" has "nftables" set as the default backend: - -$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf - -# FirewallBackend -FirewallBackend=nftables - Is it the case that the "nftables" is not set as the "firewallbackend"? 
- - - - If the system does not have SELinux enabled and enforcing a targeted policy, or if the -pam_faillock.so module is not configured for use, this requirement is not applicable. - -Verify the location of the non-default tally directory for the pam_faillock.so module with -the following command: - -$ sudo grep -w dir /etc/security/faillock.conf - -dir = /var/log/faillock - -Check the security context type of the non-default tally directory with the following command: - -$ sudo ls -Zd /var/log/faillock - -unconfined_u:object_r:faillog_t:s0 /var/log/faillock - Is it the case that the security context type of the non-default tally directory is not "faillog_t"? - - - - The reviewed should make a note of the name of the account being used for -the web service. This information may be needed later in the SRR. There -may also be other server services running related to the web server in -support of a particular web application, these passwords must be entrusted -to the SA or Web Manager as well. - -Query the SA or Web Manager to determine if they have the web service -password(s). - -NOTE: For installations that run as a service, or without a password, -the SA or Web Manager having an Admin account on the system would meet -the intent of this check. - Is it the case that the web server password(s) are not entrusted to the SA or Web Manager? +httpd_anon_write --> off + Is it the case that httpd_anon_write is not disabled? - + -Run the following command to determine if the mozilla_plugin_use_gps SELinux boolean is disabled: -$ getsebool mozilla_plugin_use_gps +Run the following command to determine if the named_write_master_zones SELinux boolean is disabled: +$ getsebool named_write_master_zones If properly configured, the output should show the following: -mozilla_plugin_use_gps --> off - Is it the case that mozilla_plugin_use_gps is not disabled? 
- - - - To check the ownership of /etc/ssh/*.pub, -run the command: -$ ls -lL /etc/ssh/*.pub -If properly configured, the output should indicate the following owner: -root - Is it the case that /etc/ssh/*.pub does not have an owner of root? - - - - To check the permissions of /etc/gshadow-, -run the command: -$ ls -l /etc/gshadow- -If properly configured, the output should indicate the following permissions: ----------- - Is it the case that /etc/gshadow- does not have unix mode ----------? - - - - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access - Is it the case that the command does not return a line, or the line is commented out? +named_write_master_zones --> off + Is it the case that named_write_master_zones is not disabled? - - -Run the following command to determine if the zoneminder_run_sudo SELinux boolean is disabled: -$ getsebool zoneminder_run_sudo -If properly configured, the output should show the following: -zoneminder_run_sudo --> off - Is it the case that zoneminder_run_sudo is not disabled? 
+ + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.thumbnailers disable-all +If properly configured, the output should be true. +To ensure that users cannot how long until the screensaver locks, run the following: +$ grep disable-all /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all + Is it the case that GNOME thumbnailers are not disabled? - - Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: - -$ sudo more /etc/fstab + + The runtime status of the net.ipv4.tcp_rfc1337 kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.tcp_rfc1337 +1. -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 - Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set? + Is it the case that the correct value is not returned? - - -Run the following command to determine if the polipo_use_cifs SELinux boolean is disabled: -$ getsebool polipo_use_cifs -If properly configured, the output should show the following: -polipo_use_cifs --> off - Is it the case that polipo_use_cifs is not disabled? + + To check that no password hashes are stored in +/etc/passwd, run the following command: +awk '!/\S:x|\*/ {print}' /etc/passwd +If it produces any output, then a password hash is +stored in /etc/passwd. + Is it the case that any stored hashes are found in /etc/passwd? - + To verify that auditing of privileged command use is configured, run the following command: -$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/* +$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that the command does not return a line, or the line is commented out? 
- - To determine if umask has been configured for sudo with the appropriate value, + + Verify that cron is logging to rsyslog, run the following command: -$ sudo grep -ri '^Defaults.*umask=' /etc/sudoers /etc/sudoers.d/ -The command should return a matching output. - Is it the case that umask is not set with the appropriate value for sudo? +grep -rni "cron\.\*" /etc/rsyslog.* +cron.* /var/log/cron + Is it the case that cron is not logging to rsyslog? - + + To check the group ownership of /etc/cron.monthly, +run the command: +$ ls -lL /etc/cron.monthly +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/cron.monthly does not have a group owner of root? + + + - -Run the following command to determine the current status of the -usbguard service: -$ sudo systemctl is-active usbguard -If the service is running, it should return the following: active - Is it the case that the service is not enabled? +Run the following command to determine if the cron_can_relabel SELinux boolean is disabled: +$ getsebool cron_can_relabel +If properly configured, the output should show the following: +cron_can_relabel --> off + Is it the case that cron_can_relabel is not disabled? - - Verify that the system backups user data. - Is it the case that it is not? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: + +$ sudo auditctl -l | grep kmod + +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod + Is it the case that the command does not return a line, or the line is commented out? 
- + -Run the following command to determine if the httpd_use_fusefs SELinux boolean is disabled: -$ getsebool httpd_use_fusefs +Run the following command to determine if the logging_syslogd_use_tty SELinux boolean is enabled: +$ getsebool logging_syslogd_use_tty If properly configured, the output should show the following: -httpd_use_fusefs --> off - Is it the case that httpd_use_fusefs is not disabled? +logging_syslogd_use_tty --> on + Is it the case that logging_syslogd_use_tty is not enabled? - + + To verify that HBSS PA is installed, run the following command(s): +$ sudo ls /opt/McAfee/auditengine/bin/auditmanager + Is it the case that the HBSS PA module is not installed? + + + -Run the following command to determine if the use_nfs_home_dirs SELinux boolean is disabled: -$ getsebool use_nfs_home_dirs +Run the following command to determine if the tftp_anon_write SELinux boolean is disabled: +$ getsebool tftp_anon_write If properly configured, the output should show the following: -use_nfs_home_dirs --> off - Is it the case that use_nfs_home_dirs is not disabled? +tftp_anon_write --> off + Is it the case that tftp_anon_write is not disabled? - - To verify the system is not configured to use a boot loader on removable media, -check that the grub configuration file has the set root command in each menu -entry with the following commands: -$ sudo grep -cw menuentry /boot/grub2/grub.cfg -Note that the -c option for the grep command will print -only the count of menuentry occurrences. This number should match -the number of occurrences reported by the following command: -$ sudo grep "set root='hd0" /boot/grub2/grub.cfg -The output should return something similar to: -set root='hd0,msdos1' -usb0, cd, fd0, etc. are some examples of removeable -media which should not exist in the lines: -set root='hd0,msdos1' - Is it the case that it is not? 
+ + +Run the following command to determine if the xserver_clients_write_xshm SELinux boolean is disabled: +$ getsebool xserver_clients_write_xshm +If properly configured, the output should show the following: +xserver_clients_write_xshm --> off + Is it the case that xserver_clients_write_xshm is not disabled? - - To check if authentication is required for single-user mode, run the following command: -$ grep sulogin /usr/lib/systemd/system/rescue.service -The output should be similar to the following, and the line must begin with -ExecStart and /usr/lib/systemd/systemd-sulogin-shell. - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - Is it the case that the output is different? + + +Run the following command to determine if the postgresql_can_rsync SELinux boolean is disabled: +$ getsebool postgresql_can_rsync +If properly configured, the output should show the following: +postgresql_can_rsync --> off + Is it the case that postgresql_can_rsync is not disabled? - - The existence of the file /etc/hosts.equiv or a file named -.rhosts inside a user home directory indicates the presence -of an Rsh trust relationship. - Is it the case that these files exist? + + To determine if NOPASSWD or !authenticate have been configured for +sudo, run the following command: +$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that nopasswd and/or !authenticate is enabled in sudo? - - To verify all local initialization files for interactive users are owned by the -primary user, run the following command: -$ sudo ls -al /home/USER/.* -The user initialization files should be owned by USER. - Is it the case that they are not? + + To ensure sshd limits the users who can log in, run the following: +pre>$ sudo grep -rPi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config* +If properly configured, the output should be a list of usernames and/or +groups allowed to log in to this system. 
+ Is it the case that sshd does not limit the users who can log in? - - To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command: + + To check that the mdmonitor service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled mdmonitor +Output should indicate the mdmonitor service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled mdmonitor disabled -$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config +Run the following command to verify mdmonitor is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active mdmonitor -If a line indicating no is returned, then the required value is set. - Is it the case that The AllowTcpForwarding option exists and is disabled? - - - - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: +If the service is not running the command will return the following output: +inactive -$ sudo auditctl -l | grep +The service will also be masked, to check that the mdmonitor is masked, run the following command: +$ sudo systemctl show mdmonitor | grep "LoadState\|UnitFileState" --w -p wa -k logins - Is it the case that the command does not return a line, or the line is commented out? +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "mdmonitor" is loaded and not masked? - - To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check -that the ctrl-alt-del.target is masked and not active with the following -command: -sudo systemctl status ctrl-alt-del.target -The output should indicate that the target is masked and not active. 
It -might resemble following output: -ctrl-alt-del.target -Loaded: masked (/dev/null; bad) -Active: inactive (dead) - Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? + + Run the following command to determine if the sssd-ipa package is installed: $ rpm -q sssd-ipa + Is it the case that the package is not installed? - - The runtime status of the net.ipv4.tcp_rfc1337 kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.tcp_rfc1337 -1. - - Is it the case that the correct value is not returned? + + To verify the INACTIVE setting, run the following command: +$ grep "INACTIVE" /etc/default/useradd +The output should indicate the INACTIVE configuration option is set +to an appropriate integer as shown in the example below: +$ grep "INACTIVE" /etc/default/useradd +INACTIVE= + Is it the case that the value of INACTIVE is greater than the expected value or is -1? - + + Run the following command to check the mode of the httpd log +directory: +$ ls -l /var/log/ | grep httpd +Log directory must be mode 0700 or less permissive. + Is it the case that it is more permissive? + + + -Run the following command to determine if the daemons_use_tty SELinux boolean is disabled: -$ getsebool daemons_use_tty +Run the following command to determine if the varnishd_connect_any SELinux boolean is disabled: +$ getsebool varnishd_connect_any If properly configured, the output should show the following: -daemons_use_tty --> off - Is it the case that daemons_use_tty is not disabled? +varnishd_connect_any --> off + Is it the case that varnishd_connect_any is not disabled? - - The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.icmp_ignore_bogus_error_responses -1. + + Verify the nodev option is configured for the /var mount point, + run the following command: + $ sudo mount | grep '\s/var\s' + . . . /var . . . nodev . . . 
- Is it the case that the correct value is not returned? - - - - To determine the status and frequency of logrotate, run the following command: -$ sudo grep logrotate /var/log/cron* -If logrotate is configured properly, output should include references to -/etc/cron.daily. - Is it the case that logrotate is not configured to run daily? + Is it the case that the "/var" file system does not have the "nodev" option set? - + -Run the following command to determine if the dbadm_read_user_files SELinux boolean is disabled: -$ getsebool dbadm_read_user_files +Run the following command to determine if the smbd_anon_write SELinux boolean is disabled: +$ getsebool smbd_anon_write If properly configured, the output should show the following: -dbadm_read_user_files --> off - Is it the case that dbadm_read_user_files is not disabled? +smbd_anon_write --> off + Is it the case that smbd_anon_write is not disabled? - - Storing logs with persistent storage ensures they are available after a reboot or system crash. -Run the command below to verify that logs are being persistently stored to disk. + + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. -grep "^\sStorage" /etc/systemd/journald.conf +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -and it should return +$ sudo grep -r truncate /etc/audit/rules.d -Storage=persistent +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - Is it the case that is commented out or not configured correctly? - - - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_BINFMT_MISC /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. 
- - Is it the case that the kernel was not built with the required value? +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + Is it the case that the command does not return a line, or the line is commented out? - - -Run the following command to determine if the mpd_enable_homedirs SELinux boolean is disabled: -$ getsebool mpd_enable_homedirs -If properly configured, the output should show the following: -mpd_enable_homedirs --> off - Is it the case that mpd_enable_homedirs is not disabled? + + Verify the system-wide shared library files are group-owned by "root" with the following command: + +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; + Is it the case that any system wide shared library file is returned and is not group-owned by a required system account? - - Verify the system-wide shared library directories are owned by "root" with the following command: + + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; - Is it the case that any system-wide shared library directory is not owned by root? +$ sudo auditctl -l | grep/etc/sudoers.d + +-w /etc/sudoers.d/ -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? 
- - Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: + + Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: -$ sudo grep -w admin_space_left /etc/audit/auditd.conf +Verify "firewalld" has "nftables" set as the default backend: -admin_space_left = % +$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf -If the value of the "admin_space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is taking action if the allocated storage is about to reach capacity. - Is it the case that the "admin_space_left" value is not configured to the correct value? +# FirewallBackend +FirewallBackend=nftables + Is it the case that the "nftables" is not set as the "firewallbackend"? - - To determine if the system is configured to audit calls to the -open system call, run the following command: -$ sudo grep "open" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. + + Verify the site's network diagram and visually check the web server, to +ensure that the private web server is located on a separate controlled +access subnet and is not part of the public DMZ that houses the public +web servers. - Is it the case that no line is returned? +In addition, the private web server needs to be isolated via a controlled +access mechanism from the local general population lan. + Is it the case that the private web server is not on a separate controlled access subnet? 
- + -Run the following command to determine if the domain_fd_use SELinux boolean is enabled: -$ getsebool domain_fd_use +Run the following command to determine if the mozilla_plugin_use_gps SELinux boolean is disabled: +$ getsebool mozilla_plugin_use_gps If properly configured, the output should show the following: -domain_fd_use --> on - Is it the case that domain_fd_use is not enabled? - - - - To check the group ownership of /var/log/messages, -run the command: -$ ls -lL /var/log/messages -If properly configured, the output should indicate the following group-owner: -root - Is it the case that /var/log/messages does not have a group owner of root? +mozilla_plugin_use_gps --> off + Is it the case that mozilla_plugin_use_gps is not disabled? - - To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: - -$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/10-base-config.rules +The output has to be exactly as follows: +## First rule - delete all +-D -If a line indicating no is returned, then the required value is set. +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 - Is it the case that the required value is not set? - - - - To check the permissions of /etc/at.allow, -run the command: -$ ls -l /etc/at.allow -If properly configured, the output should indicate the following permissions: --rw------- - Is it the case that /etc/at.allow does not have unix mode -rw-------? - - - - Verify the noexec option is configured for the /var mount point, - run the following command: - $ sudo mount | grep '\s/var\s' - . . . /var . . . noexec . . . +## This determine how long to wait in burst of events +--backlog_wait_time 60000 - Is it the case that the "/var" file system does not have the "noexec" option set? 
+## Set failure mode to syslog +-f 1 + Is it the case that the file does not exist or the content differs? - - To verify that root's primary group is zero run the following command: - - grep '^root:' /etc/passwd | cut -d : -f 4 - -The command should return: - -0 - - Is it the case that root has a primary gid not equal to zero? + + To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, +run the following command: +$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout +$ grep logout /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/settings-daemon/plugins/media-keys/logout + Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? - - To verify that repo_gpgcheck is configured properly, run the following -command: -$ grep repo_gpgcheck /etc/yum.conf -The output should return something similar to: -repo_gpgcheck=1 - Is it the case that gpgcheck is not enabled or configured correctly to verify repository metadata? + + Run the following command to determine if the chrony package is installed: $ rpm -q chrony + Is it the case that the package is not installed? - + -Run the following command to determine if the mmap_low_allowed SELinux boolean is disabled: -$ getsebool mmap_low_allowed +Run the following command to determine if the entropyd_use_audio SELinux boolean is disabled: +$ getsebool entropyd_use_audio If properly configured, the output should show the following: -mmap_low_allowed --> off - Is it the case that mmap_low_allowed is not disabled? +entropyd_use_audio --> off + Is it the case that entropyd_use_audio is not disabled? - - Run the following command to determine if the openscap-scanner package is installed: $ rpm -q openscap-scanner - Is it the case that the package is not installed? 
+ + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' + +-w /etc/security/opasswd -p wa -k identity + Is it the case that the command does not return a line, or the line is commented out? - - Run the following command to determine if the sudo package is installed: $ rpm -q sudo - Is it the case that the package is not installed? + + To check the ownership of /etc/group-, +run the command: +$ ls -lL /etc/group- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/group- does not have an owner of root? - - To determine if the system is configured to audit successful calls -to the open system call, run the following command: -$ sudo grep "open" /etc/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + The following command will discover and print world-writable directories that +are not owned by root. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print + Is it the case that there are world-writable directories not owned by root? 
- - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + + To verify that a remote NTP service is configured for time synchronization, +open the following file: -$ sudo auditctl -l | grep setsebool +/etc/chrony.conf in the case the system in question is +configured to use the chronyd as the NTP daemon (default setting) +/etc/ntp.conf in the case the system in question is configured +to use the ntpd as the NTP daemon --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged - Is it the case that the command does not return a line, or the line is commented out? +In the file, there should be a section similar to the following: +server ntpserver + Is it the case that this is not the case? - - The runtime status of the fs.suid_dumpable kernel parameter can be queried + + The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried by running the following command: -$ sysctl fs.suid_dumpable -0. +$ sysctl kernel.unprivileged_bpf_disabled +1. Is it the case that the correct value is not returned? - - To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command: -$ grep sha512 /etc/aide.conf -Verify that the sha512 option is added to the correct ruleset. - Is it the case that the sha512 option is missing or not added to the correct ruleset? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_DEBUG_CREDENTIALS /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - Ensure there are no unconfined daemons running on the system, -the following command should produce no output: -$ sudo ps -eZ | grep "unconfined_service_t" - Is it the case that There are unconfined daemons running on the system? 
+ + +Run the following command to determine if the ftpd_connect_db SELinux boolean is disabled: +$ getsebool ftpd_connect_db +If properly configured, the output should show the following: +ftpd_connect_db --> off + Is it the case that ftpd_connect_db is not disabled? - - To determine if the system is configured to audit calls to the -lchown system call, run the following command: -$ sudo grep "lchown" /etc/audit/audit.* -If the system is configured to audit this activity, it will return a line. - - Is it the case that no line is returned? + + To check the ownership of /etc/ssh/*.pub, +run the command: +$ ls -lL /etc/ssh/*.pub +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/ssh/*.pub does not have an owner of root? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SLAB_MERGE_DEFAULT /boot/config.* - - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - - Is it the case that the kernel was not built with the required value? 
+ + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules +The output has to be exactly as follows: +## Successful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + Is it the case that the file does not exist or the content differs? - - To check that the kdump service is disabled in system boot configuration, -run the following command: -$ sudo systemctl is-enabled kdump -Output should indicate the kdump service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -$ sudo systemctl is-enabled kdump disabled - -Run the following command to verify kdump is not active (i.e. 
not running) through current runtime configuration: -$ sudo systemctl is-active kdump - -If the service is not running the command will return the following output: -inactive - -The service will also be masked, to check that the kdump is masked, run the following command: -$ sudo systemctl show kdump | grep "LoadState\|UnitFileState" - -If the service is masked the command will return the following outputs: - -LoadState=masked + + +Run the following command to determine if the httpd_run_stickshift SELinux boolean is disabled: +$ getsebool httpd_run_stickshift +If properly configured, the output should show the following: +httpd_run_stickshift --> off + Is it the case that httpd_run_stickshift is not disabled? + + + + To determine if the system is configured to audit unsuccessful calls +to the chmod system call, run the following command: +$ sudo grep "chmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. -UnitFileState=masked - Is it the case that the "kdump" is loaded and not masked? + Is it the case that no line is returned? - - Verify Red Hat Enterprise Linux 8 is configured to lock an account after -unsuccessful logon attempts with the command: + + Verify that a separate file system/partition has been created for /boot with the following command: +$ mountpoint /boot -$ grep 'deny =' /etc/security/faillock.conf -deny = . - Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />" -or less (but not "0"), is missing or commented out? + Is it the case that "/boot is not a mountpoint" is returned? - - Verify that the files and directories of each instance of Alias, -ScriptAlias, and ScriptAliasMatch that exist -have the correct file and directory permissions applied. - Is it the case that it is not? 
+ + +Run the following command to determine if the gpg_web_anon_write SELinux boolean is disabled: +$ getsebool gpg_web_anon_write +If properly configured, the output should show the following: +gpg_web_anon_write --> off + Is it the case that gpg_web_anon_write is not disabled? - - To check the permissions of /etc/http/conf.d/*, -run the command: -$ ls -l /etc/http/conf.d/* -If properly configured, the output should indicate the following permissions: --rw-r----- - Is it the case that /etc/http/conf.d/* does not have unix mode -rw-r-----? + + +Run the following command to determine if the boinc_execmem SELinux boolean is disabled: +$ getsebool boinc_execmem +If properly configured, the output should show the following: +boinc_execmem --> off + Is it the case that boinc_execmem is not disabled? - + + Run the following command to determine if the rear package is installed: $ rpm -q rear + Is it the case that the package is not installed? + + + -Run the following command to determine if the nfs_export_all_rw SELinux boolean is enabled: -$ getsebool nfs_export_all_rw +Run the following command to determine if the squid_use_tproxy SELinux boolean is disabled: +$ getsebool squid_use_tproxy If properly configured, the output should show the following: -nfs_export_all_rw --> on - Is it the case that nfs_export_all_rw is not enabled? +squid_use_tproxy --> off + Is it the case that squid_use_tproxy is not disabled? - - To verify that all user initialization files have a mode of 0740 or -less permissive, run the following command: -$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) -There should be no output. - Is it the case that they are not 0740 or more permissive? + + For each private key stored on the system, use the following command: +$ sudo ssh-keygen -y -f /path/to/file +If the contents of the key are displayed, this is a finding. + Is it the case that no ssh private key is accessible without a passcode? 
- - Verify the nodev option is configured for the /dev/shm mount point, - run the following command: - $ sudo mount | grep '\s/dev/shm\s' - . . . /dev/shm . . . nodev . . . - - Is it the case that the "/dev/shm" file system does not have the "nodev" option set? + + To determine the config value the kernel was built with, run the following command: + $ grep CONFIG_SCHED_STACK_END_CHECK /boot/config.* + + For each kernel installed, a line with value "y" should be returned. + + Is it the case that the kernel was not built with the required value? - - -Run the following command to get the current configured value for deny_execmem -SELinux boolean: -$ getsebool deny_execmem -The expected cofiguration is . -"on" means true, and "off" means false - Is it the case that deny_execmem is not set as expected? + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? - - To determine if the system is configured to audit successful calls -to the rename system call, run the following command: -$ sudo grep "rename" /etc/audit.* + + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +$ sudo grep "fchmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - Run the following command to check the mode of the system audit logs: -$ sudo grep -iw log_file /etc/audit/auditd.conf -log_file=/var/log/audit/audit.log -$ sudo stat -c "%n %a" /var/log/audit/* -$ sudo ls -l /var/log/audit -Audit logs must be mode 0640 or less permissive. - Is it the case that any permissions are more permissive? 
+ + Run the following command to determine if the geolite2-country package is installed: +$ rpm -q geolite2-country + Is it the case that the package is installed? - - Run the following command to determine if the rear package is installed: $ rpm -q rear - Is it the case that the package is not installed? + + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: +cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules +The output has to be exactly as follows: +## Successful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Is it the case that the file does not exist or the content differs? - + -Run the following command to determine if the httpd_can_connect_ldap SELinux boolean is disabled: -$ getsebool httpd_can_connect_ldap +Run the following command to determine if the samba_create_home_dirs SELinux boolean is disabled: +$ getsebool samba_create_home_dirs If properly configured, the output should show the following: -httpd_can_connect_ldap --> off - Is it the case that httpd_can_connect_ldap is not disabled? +samba_create_home_dirs --> off + Is it the case that samba_create_home_dirs is not disabled? - - The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried -by running the following command: -$ sysctl net.ipv4.tcp_syncookies -1. + + +Determine the audit log group by running the following command: - Is it the case that the correct value is not returned? - - - - Check group owners of the system audit logs. 
+$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf -First, determine where the audit log file is located. +Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. +Run the following command: -$ sudo grep -iw ^log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log +$ sudo find /var/log/audit -type d -printf "%p %g\n" -The log_file option specifies the audit log file path. -If the log_file option isn't defined, check all files within /var/log/audit directory. +All listed directories must be owned by the log_group or by root if the log_group is not specified. + Is it the case that there is a directory owned by different group? + + + + +Run the following command to determine if the mailman_use_fusefs SELinux boolean is disabled: +$ getsebool mailman_use_fusefs +If properly configured, the output should show the following: +mailman_use_fusefs --> off + Is it the case that mailman_use_fusefs is not disabled? + + + + +To check that the rsh service is disabled in system boot configuration with xinetd, run the following command: +$ chkconfig rsh --list +Output should indicate the rsh service has either not been installed, or has been disabled, as shown in the example below: +$ chkconfig rsh --list +Note: This output shows SysV services only and does not include native +systemd services. SysV configuration data might be overridden by native +systemd configuration. -Then, determine the audit log group by running the following command: -$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf +If you want to list systemd services use 'systemctl list-unit-files'. +To see services enabled on particular target use +'systemctl list-dependencies [target]'. +rsh off -Then, check that the audit log file is owned by the correct group. 
-Run the following command to display the owner of the audit log file: +To check that the rsh socket is disabled in system boot configuration with systemd, run the following command: +$ systemctl is-enabled rsh +Output should indicate the rsh socket has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled rshdisabled -$ sudo stat -c "%n %G" log_file +Run the following command to verify rsh is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active rsh +If the socket is not running the command will return the following output: +inactive -The audit log file must be owned by the log_group or by root if the log_group is not specified. - Is it the case that audit log files are owned by incorrect group? - - - - # grep "^OPTIONS.*-u" /etc/sysconfig/chronyd | grep -v -e '-u\s*chrony\b' -returns no output - Is it the case that chronyd is not running under chrony user account? - - - - The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried -by running the following command: -$ sysctl net.ipv4.conf.all.rp_filter -The output of the command should indicate either: -net.ipv4.conf.all.rp_filter = 1 -or: -net.ipv4.conf.all.rp_filter = 2 -The output of the command should not indicate: -net.ipv4.conf.all.rp_filter = 0 +The socket will also be masked, to check that the rsh is masked, run the following command: +$ sudo systemctl show rsh | grep "LoadState\|UnitFileState" -The preferable way how to assure the runtime compliance is to have -correct persistent configuration, and rebooting the system. +If the socket is masked the command will return the following outputs: -The persistent sysctl parameter configuration is performed by specifying the appropriate -assignment in any file located in the /etc/sysctl.d directory. 
-Verify that there is not any existing incorrect configuration by executing the following command: -$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d -The command should not find any assignments other than: -net.ipv4.conf.all.rp_filter = 1 -or: -net.ipv4.conf.all.rp_filter = 2 +LoadState=masked -Conflicting assignments are not allowed. - Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? +UnitFileState=masked + Is it the case that service and/or socket are running? - + -Run the following command to determine if the httpd_use_sasl SELinux boolean is disabled: -$ getsebool httpd_use_sasl +Run the following command to determine if the sge_domain_can_network_connect SELinux boolean is disabled: +$ getsebool sge_domain_can_network_connect If properly configured, the output should show the following: -httpd_use_sasl --> off - Is it the case that httpd_use_sasl is not disabled? - - - - Run the following command to determine if the mailx package is installed: $ rpm -q mailx - Is it the case that the package is not installed? - - - - Inspect /etc/audit/auditd.conf and locate the following line to -determine how many logs the system is configured to retain after rotation: -$ sudo grep num_logs /etc/audit/auditd.conf -num_logs = 5 - Is it the case that the system log file retention has not been properly configured? +sge_domain_can_network_connect --> off + Is it the case that sge_domain_can_network_connect is not disabled? - - To check the permissions of /etc/ssh/*.pub, -run the command: -$ ls -l /etc/ssh/*.pub -If properly configured, the output should indicate the following permissions: --rw-r--r-- - Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? 
+ + +Run the following command to determine if the httpd_tmp_exec SELinux boolean is disabled: +$ getsebool httpd_tmp_exec +If properly configured, the output should show the following: +httpd_tmp_exec --> off + Is it the case that httpd_tmp_exec is not disabled? - + To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules The output has to be exactly as follows: -## Unsuccessful file creation (open with O_CREAT) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create --a always,exit -F arch=b64 
-S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +## Successful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete Is it the case that the file does not exist or the content differs? - - To determine the config value the kernel was built with, run the following command: - $ grep CONFIG_SECCOMP_FILTER /boot/config.* - - For each kernel installed, a line with value "y" should be returned. - - Is it the case that the kernel was not built with the required value? + + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudoedit" command with the following command: + +$ sudo auditctl -l | grep sudoedit + +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit + Is it the case that the command does not return a line, or the line is commented out? - - Verify that cron is logging to rsyslog, -run the following command: -grep -rni "cron\.\*" /etc/rsyslog.* -cron.* /var/log/cron - Is it the case that cron is not logging to rsyslog? + + +Run the following command to determine if the gitosis_can_sendmail SELinux boolean is disabled: +$ getsebool gitosis_can_sendmail +If properly configured, the output should show the following: +gitosis_can_sendmail --> off + Is it the case that gitosis_can_sendmail is not disabled? 
- - To verify that smart cards are enabled in SSSD, run the following command: -$ sudo grep pam_cert_auth /etc/sssd/sssd.conf -If configured properly, output should be -pam_cert_auth = True - - -To verify that smart cards are enabled in PAM files, run the following command: -$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth -If configured properly, output should be - -/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name -/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth - - Is it the case that smart cards are not enabled in SSSD? + + To ensure that users cannot change session idle and lock settings, run the following: +$ grep 'lock-delay' /etc/dconf/db/local.d/locks/* +If properly configured, the output should return: +/org/gnome/desktop/screensaver/lock-delay + Is it the case that GNOME3 session settings are not locked or configured properly? - - The runtime status of the vm.mmap_min_addr kernel parameter can be queried -by running the following command: -$ sysctl vm.mmap_min_addr -65536. + + To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: - Is it the case that the correct value is not returned? +$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? - - The runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter can be queried -by running the following command: -$ sysctl net.ipv6.conf.all.router_solicitations -0. - - Is it the case that the correct value is not returned? 
+ + To check the group ownership of /boot/grub2/user.cfg, +run the command: +$ ls -lL /boot/grub2/user.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /boot/grub2/user.cfg does not have a group owner of root? - - To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules -The output has to be exactly as follows: -## Successful file modifications (open for write or truncate) --a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification --a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification - Is it the case that the file does not exist or the content differs? + + To check for incorrectly labeled device files, run following commands: +$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" +$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" +It should produce no output in a well-configured system. + Is it the case that there is output? 
- + To determine if the system is configured to audit successful calls -to the fsetxattr system call, run the following command: -$ sudo grep "fsetxattr" /etc/audit.* +to the lremovexattr system call, run the following command: +$ sudo grep "lremovexattr" /etc/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - - To verify if LogFormat is configured correctly in -/etc/httpd/conf/httpd.conf, run the following command: -$ grep -i logformat /etc/httpd/conf/httpd.conf -The output should contain the following: -LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined - Is it the case that it is not? - - - + -Run the following command to determine if the zabbix_can_network SELinux boolean is disabled: -$ getsebool zabbix_can_network +Run the following command to determine if the virt_sandbox_use_all_caps SELinux boolean is disabled: +$ getsebool virt_sandbox_use_all_caps If properly configured, the output should show the following: -zabbix_can_network --> off - Is it the case that zabbix_can_network is not disabled? - - - - Inspect /etc/audit/auditd.conf and locate the following line to -determine if the system is configured correctly: -space_left SIZE_in_MB - Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? - - - - To check the ownership of /boot/grub2/grub.cfg, -run the command: -$ ls -lL /boot/grub2/grub.cfg -If properly configured, the output should indicate the following owner: -root - Is it the case that /boot/grub2/grub.cfg does not have an owner of root? +virt_sandbox_use_all_caps --> off + Is it the case that virt_sandbox_use_all_caps is not disabled? - - Find if logging is applied to the FTP daemon. 
+ + To check that the certmonger service is disabled in system boot configuration, +run the following command: +$ sudo systemctl is-enabled certmonger +Output should indicate the certmonger service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ sudo systemctl is-enabled certmonger disabled -Procedures: +Run the following command to verify certmonger is not active (i.e. not running) through current runtime configuration: +$ sudo systemctl is-active certmonger -If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file: -$ grep vsftpd /etc/xinetd.d/* -$ grep server_args vsftpd xinetd.d startup file -This will indicate the vsftpd config file used when starting through xinetd. -If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. -$ sudo grep xferlog_enable vsftpd config file - Is it the case that xferlog_enable is missing, or is not set to yes? - - - - Run the following command to determine if the abrt-addon-ccpp package is installed: -$ rpm -q abrt-addon-ccpp - Is it the case that the package is installed? +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the certmonger is masked, run the following command: +$ sudo systemctl show certmonger | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the "certmonger" is loaded and not masked? - + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-20T00:06:14 + 2023-11-21T00:06:13 diff --git a/ssg-rhel8-guide-stig.html b/ssg-rhel8-guide-stig.html index 90e94b2..f17e792 100644 --- a/ssg-rhel8-guide-stig.html +++ b/ssg-rhel8-guide-stig.html 
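Review bot: the only substantive change on the XML side is the generation timestamp (2023-11-20T00:06:14 becomes 2023-11-21T00:06:13 in the combine_ovals.py metadata line); every other removed OCIL question reappears unchanged as an added one elsewhere in the same region (the `rpm -q rear` check and the `30-ospp-v42-2-modify-success.rules` check are each removed and re-added verbatim), so this is ordering churn rather than content. Emitting the definitions in a stable order (for example sorted by definition id before serialisation) would make the daily publish diff reviewable. Independent of the move, the relocated audit checks for `chmod` and `lremovexattr` tell the reader to run `sudo grep "chmod" /etc/audit.*`; that glob only matches entries directly under /etc whose name begins with `audit.` and never the rule files under /etc/audit/, while the sibling `openat` and `fchmod` checks correctly use `/etc/audit/audit.*`. The path should be corrected in the OCIL source rather than carried along by each publish.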
@@ -64,7 +64,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.10
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8

Revision History

Current version: 0.1.71

  • draft - (as of 2023-11-20) + (as of 2023-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon
    13. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 106 groups and 410 rules
Group   @@ -109,20 +109,12 @@
 $ sudo yum install aide

Rationale:

The AIDE package must be installed if it is to be available for integrity checking.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80844-4

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=aide
+
Remediation script:   (show)


 [[packages]]
 name = "aide"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_aide
 
 class install_aide {
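Review bot: this hunk and the one that follows swap the positions of the Anaconda snippet and the shell script under the package_aide_installed rule without changing either (`package --add=aide` and the `rpm -q --quiet "aide"` / `yum install -y "aide"` block are removed here and re-added later). That is the same ordering instability seen on the XML side; rendering remediation blocks in a fixed type order in the HTML generator would remove it. The added blank `+` line after `package --add=aide` and the removed blank `-` line after `version = "*"` are whitespace noise from the same move and would disappear with it.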
@@ -148,8 +140,16 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=aide
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -172,20 +172,7 @@ If this check produces any unexpected output, investigate.

Rationale:

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80675-2

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-/usr/sbin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -265,6 +252,19 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+/usr/sbin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure AIDE to Verify the Audit Tools   [ref]

The operating system file integrity tool must be configured to protect the integrity of the audit tools.

Rationale:

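Review bot: in the re-added Build and Test AIDE Database script, `/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` runs whether or not `/usr/sbin/aide --init` succeeded, and the script sets no `set -e`; if init fails (a read-only /var/lib/aide, an error in aide.conf) the copy either errors on a missing aide.db.new.gz or, worse, installs a stale aide.db.new.gz left by an earlier run as the trusted baseline. Chaining the two (`/usr/sbin/aide --init && /bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz`) or testing `$?` after init keeps a failed init from replacing the baseline. The move itself is content-neutral: the block is identical to the one removed in the previous hunk.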
Protecting the integrity of the tools used for auditing purposes is a @@ -287,68 +287,7 @@ manipulated, or replaced. An example is a checksum hash of the file or files.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85964-5

References:  - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure aide is installed
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
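Review bot: this hunk removes the whole shell remediation block and only re-emits the References line with deeper indentation; the identical shell script reappears after the Ansible snippet in the next hunk, so the net change is rendering order plus whitespace, not remediation content. A commit titled only "Automated publish" gives no hint of that, and for a diff of this size a one-line summary (shell remediation now follows the Ansible snippet in every rule) would spare reviewers diffing the two copies by hand.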
@@ -426,6 +365,67 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Notification of Post-AIDE Scan Details   [ref]
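Review bot: in the re-added AIDE script above, `grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf` and the paired `sed -i "s#.*/usr/sbin/auditctl.*#...#"` match the path anywhere on the line, so a commented-out entry or a negated one such as `!/usr/sbin/auditctl` is silently rewritten into an active rule, and `-i` does nothing useful for a case-sensitive path. Anchoring both patterns to the start of the line (`^/usr/sbin/auditctl\b`) and dropping `-i` would make the idempotence check match only real entries. The run of ten empty lines between the package install and the first grep is template residue the generator could trim.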

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. @@ -445,36 +445,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82891-3

References:  - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r902716_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-var_aide_scan_notification_email='root@localhost'
-
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
-	CRONTAB_EXIST=/etc/crontab
-fi
-
-if [ -f /var/spool/cron/root ]; then
-	VARSPOOL=/var/spool/cron/root
-fi
-
-if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
-	echo "0 5 * * * root /usr/sbin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -520,6 +491,35 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+var_aide_scan_notification_email='root@localhost'
+
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/sbin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure AIDE to Verify Access Control Lists (ACLs)   [ref]
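Review bot: in the notification script above, the comment "# NOTE: on some platforms, /etc/crontab may not exist" is honoured by the grep but not by the write: when /etc/crontab is absent CRONTAB_EXIST stays unset, yet the job is still appended to $CRONTAB=/etc/crontab, creating that file from scratch. Writing the entry as a drop-in under /etc/cron.d (already part of CRONDIRS) would behave the same on every platform. The detection pattern is also a basic regex, so the `|` is a literal pipe and only the exact "aide --check | /bin/mail -s" shape is recognised; an existing job that reports by another route is not detected and a second entry gets appended.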

By default, the acl option is added to the FIPSR ruleset in AIDE. @@ -534,37 +534,7 @@ /etc/aide.conf

Rationale:

ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

Severity: 
low
Identifiers and References

Identifiers:  CCE-84220-3

References:  - BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040310, SV-230552r880724_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
-    yum install -y "aide"
-fi
-
-aide_conf="/etc/aide.conf"
-
-groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
-
-for group in $groups
-do
-	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
-
-	if ! [[ $config = *acl* ]]
-	then
-		if [[ -z $config ]]
-		then
-			config="acl"
-		else
-			config=$config"+acl"
-		fi
-	fi
-	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather list of packages
   package_facts:
     manager: auto
   when:
@@ -625,21 +595,7 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Configure AIDE to Verify Extended Attributes -   [ref]

By default, the xattrs option is added to the FIPSR ruleset in AIDE. -If using a custom ruleset or the xattrs option is missing, add xattrs -to the appropriate ruleset. -For example, add xattrs to the following line in /etc/aide.conf: -

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already -configured by default. - -The remediation provided with this rule adds xattrs to all rule sets available in -/etc/aide.conf

Rationale:

Extended attributes in file systems are used to contain arbitrary data and file metadata -with security implications.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-83733-6

References:  - BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040300, SV-230551r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "aide" ; then
@@ -654,13 +610,13 @@
 do
 	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
 
-	if ! [[ $config = *xattrs* ]]
+	if ! [[ $config = *acl* ]]
 	then
 		if [[ -z $config ]]
 		then
-			config="xattrs"
+			config="acl"
 		else
-			config=$config"+xattrs"
+			config=$config"+acl"
 		fi
 	fi
 	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
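Review bot: this hunk reads as though the Extended Attributes remediation were being changed to test for acl (`-	if ! [[ $config = *xattrs* ]]` against `+	if ! [[ $config = *acl* ]]`), but it is an alignment artefact of moving each shell block after its Ansible snippet: the old xattrs script is being matched against the ACL rule's script in its new position, and the xattrs script is re-added under "Configure AIDE to Verify Extended Attributes" later in the file. No behaviour change, but the rendered guide deserves a sanity check that the ACL rule carries exactly one acl script and the xattrs rule exactly one xattrs script.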
@@ -669,7 +625,21 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather list of packages
+

Rule   + Configure AIDE to Verify Extended Attributes +   [ref]

By default, the xattrs option is added to the FIPSR ruleset in AIDE. +If using a custom ruleset or the xattrs option is missing, add xattrs +to the appropriate ruleset. +For example, add xattrs to the following line in /etc/aide.conf: +

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+AIDE rules can be configured in multiple ways; this is merely one example that is already +configured by default. + +The remediation provided with this rule adds xattrs to all rule sets available in +/etc/aide.conf

Rationale:

Extended attributes in file systems are used to contain arbitrary data and file metadata +with security implications.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-83733-6

References:  + BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040300, SV-230551r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather list of packages
   package_facts:
     manager: auto
   when:
@@ -730,6 +700,36 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+    yum install -y "aide"
+fi
+
+aide_conf="/etc/aide.conf"
+
+groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+
+for group in $groups
+do
+	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
+
+	if ! [[ $config = *xattrs* ]]
+	then
+		if [[ -z $config ]]
+		then
+			config="xattrs"
+		else
+			config=$config"+xattrs"
+		fi
+	fi
+	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Audit Tools Must Be Group-owned by Root   [ref]

Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -739,21 +739,7 @@ Audit tools must have the correct group owner.

Rationale:

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86239-1

References:  - CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030640, SV-230474r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-chgrp 0 /sbin/auditctl
-chgrp 0 /sbin/aureport
-chgrp 0 /sbin/ausearch
-chgrp 0 /sbin/autrace
-chgrp 0 /sbin/auditd
-chgrp 0 /sbin/rsyslogd
-chgrp 0 /sbin/augenrules
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
+            CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030640, SV-230474r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
   stat:
     path: /sbin/auditctl
   register: file_exists
@@ -990,6 +976,20 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+chgrp 0 /sbin/auditctl
+chgrp 0 /sbin/aureport
+chgrp 0 /sbin/ausearch
+chgrp 0 /sbin/autrace
+chgrp 0 /sbin/auditd
+chgrp 0 /sbin/rsyslogd
+chgrp 0 /sbin/augenrules
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Audit Tools Must Be Owned by Root   [ref]
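Review bot: the chgrp script above runs `chgrp 0 /sbin/auditctl` and friends with no existence test, unlike the Ansible variant that begins with "Test for existence /sbin/auditctl"; if any tool is absent (rsyslogd only exists when rsyslog is installed) chgrp prints an error and the script carries on, with the final exit status reflecting only the last command. It also addresses the tools as /sbin/... while the AIDE rule earlier in this file uses /usr/sbin/...; on RHEL 8 these resolve to the same files, but one spelling across the guide keeps grep-based checks consistent. The same shape applies to the chown and chmod remediations that follow.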

Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -999,21 +999,7 @@ Audit tools must have the correct owner.

Rationale:

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86259-9

References:  - CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030630, SV-230473r744008_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-chown 0 /sbin/auditctl
-chown 0 /sbin/aureport
-chown 0 /sbin/ausearch
-chown 0 /sbin/autrace
-chown 0 /sbin/auditd
-chown 0 /sbin/rsyslogd
-chown 0 /sbin/augenrules
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
+            CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030630, SV-230473r744008_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
   stat:
     path: /sbin/auditctl
   register: file_exists
@@ -1250,6 +1236,20 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+chown 0 /sbin/auditctl
+chown 0 /sbin/aureport
+chown 0 /sbin/ausearch
+chown 0 /sbin/autrace
+chown 0 /sbin/auditd
+chown 0 /sbin/rsyslogd
+chown 0 /sbin/augenrules
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Audit Tools Must Have a Mode of 0755 or Less Permissive   [ref]

Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -1259,27 +1259,7 @@ Audit tools must have a mode of 0755 or less permissive.

Rationale:

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86227-6

References:  - CCI-001493, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030620, SV-230472r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-chmod u-s,g-ws,o-wt /sbin/auditctl
-
-chmod u-s,g-ws,o-wt /sbin/aureport
-
-chmod u-s,g-ws,o-wt /sbin/ausearch
-
-chmod u-s,g-ws,o-wt /sbin/autrace
-
-chmod u-s,g-ws,o-wt /sbin/auditd
-
-chmod u-s,g-ws,o-wt /sbin/rsyslogd
-
-chmod u-s,g-ws,o-wt /sbin/augenrules
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
+            CCI-001493, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030620, SV-230472r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
   stat:
     path: /sbin/auditctl
   register: file_exists
@@ -1516,6 +1496,26 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+chmod u-s,g-ws,o-wt /sbin/auditctl
+
+chmod u-s,g-ws,o-wt /sbin/aureport
+
+chmod u-s,g-ws,o-wt /sbin/ausearch
+
+chmod u-s,g-ws,o-wt /sbin/autrace
+
+chmod u-s,g-ws,o-wt /sbin/auditd
+
+chmod u-s,g-ws,o-wt /sbin/rsyslogd
+
+chmod u-s,g-ws,o-wt /sbin/augenrules
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Federal Information Processing Standard (FIPS)   Group contains 3 rules

[ref]   @@ -1553,19 +1553,7 @@ standards approved by the federal government since this provides assurance they have been tested and validated.

Severity: 
high
Identifiers and References

Identifiers:  CCE-82155-3

References:  - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
-    echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: Check to see the current status of FIPS mode
+            CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, RHEL-08-010020, SV-230223r928585_rule

Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: Check to see the current status of FIPS mode
   command: /usr/bin/fips-mode-setup --check
   register: is_fips_enabled
   changed_when: false
@@ -1631,6 +1619,18 @@
   - medium_disruption
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+    echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable FIPS Mode   [ref]
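Review bot: the shell variant of the FIPS remediation above carries no Complexity/Disruption/Reboot lines, whereas the Ansible variant states Reboot:true and Disruption:medium; since `fips-mode-setup --enable` rewrites the kernel command line and the initramfs, the shell block should advertise the reboot as well. Style point: `! ( [ "${container:-}" == "bwrap-osbuild" ] )` forks a subshell just to negate one test; `[ "${container:-}" != "bwrap-osbuild" ]` is equivalent.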

@@ -1649,33 +1649,7 @@ standards approved by the federal government since this provides assurance they have been tested and validated.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80942-6

References:  - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-var_system_crypto_policy='FIPS'
-
-
-fips-mode-setup --enable
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
-	echo "$stderr_of_call" >&2
-	echo "Make sure that the script is installed on the remediated system." >&2
-	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
-	echo "to see what package to (re)install" >&2
-
-	false  # end with an error code
-elif test "$rc" != 0; then
-	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
-	false  # end with an error code
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str FIPS
   tags:
@@ -1781,6 +1755,32 @@
   - medium_disruption
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+var_system_crypto_policy='FIPS'
+
+
+fips-mode-setup --enable
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+	echo "$stderr_of_call" >&2
+	echo "Make sure that the script is installed on the remediated system." >&2
+	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+	echo "to see what package to (re)install" >&2
+
+	false  # end with an error code
+elif test "$rc" != 0; then
+	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+	false  # end with an error code
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Set kernel parameter 'crypto.fips_enabled' to 1   [ref]
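Review bot: in the Enable FIPS Mode script above, the guard `( ... && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }` repeats the two container checks already made in the first group; one set suffices. More important, `fips-mode-setup --enable` is called without any check of its exit status, while the following `update-crypto-policies --set` gets careful rc handling (127 versus other failures); if the first command fails the script can still finish with the second's success, so the rc handling should cover both calls.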

System running in FIPS mode is indicated by kernel parameter @@ -1877,25 +1877,27 @@ the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80935-0

References:  - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, 2.2.7, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r928585_rule

Remediation Shell script:   (show)


-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
-	echo "$stderr_of_call" >&2
-	echo "Make sure that the script is installed on the remediated system." >&2
-	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
-	echo "to see what package to (re)install" >&2
-
-	false  # end with an error code
-elif test "$rc" != 0; then
-	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
-	false  # end with an error code
-fi
-
Remediation Ansible snippet:   (show)

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str FIPS
   tags:
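Review bot: the "Remediation script" block added in this hunk is an OpenShift MachineConfig (`apiVersion: machineconfiguration.openshift.io/v1`) rendered inside a RHEL 8 STIG guide, and its `ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}` still carries the unresolved template placeholder, whereas the Ansible and shell variants substitute FIPS; a reader who copies it gets a unit with a literal "{{...}}" argument. If the block belongs in this product's guide it needs the value expanded, otherwise the publish step should filter it out.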
@@ -1944,26 +1946,24 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
+
Remediation Shell script:   (show)


+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+	echo "$stderr_of_call" >&2
+	echo "Make sure that the script is installed on the remediated system." >&2
+	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+	echo "to see what package to (re)install" >&2
+
+	false  # end with an error code
+elif test "$rc" != 0; then
+	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+	false  # end with an error code
+fi
 

Rule   Configure GnuTLS library to use DoD-approved TLS Encryption   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -1977,29 +1977,7 @@ library violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84254-2

References:  - CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, RHEL-08-010295, SV-230256r877394_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict

-CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config
-correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
-
-grep -q ${correct_value} ${CONF_FILE}
-
-if [[ $? -ne 0 ]]; then
-    # We need to get the existing value, using PCRE to maintain same regex
-    existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE})
-
-    if [[ ! -z ${existing_value} ]]; then
-        # replace existing_value with correct_value
-        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
-    else
-        # ***NOTE*** #
-        # This probably means this file is not here or it's been modified
-        # unintentionally.
-        # ********** #
-        # echo correct_value to end
-        echo ${correct_value} >> ${CONF_FILE}
-    fi
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact'
+            CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, RHEL-08-010295, SV-230256r877394_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact'
   set_fact:
     path: /etc/crypto-policies/back-ends/gnutls.config
     correct_value: +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
@@ -2080,6 +2058,28 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict

+CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config
+correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
+
+grep -q ${correct_value} ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+    # We need to get the existing value, using PCRE to maintain same regex
+    existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE})
+
+    if [[ ! -z ${existing_value} ]]; then
+        # replace existing_value with correct_value
+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+    else
+        # ***NOTE*** #
+        # This probably means this file is not here or it's been modified
+        # unintentionally.
+        # ********** #
+        # echo correct_value to end
+        echo ${correct_value} >> ${CONF_FILE}
+    fi
+fi
 

Rule   Configure Kerberos to use System Crypto Policy   [ref]
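Review bot: the GnuTLS script above edits /etc/crypto-policies/back-ends/gnutls.config in place. That path is a generated back-end file: update-crypto-policies rewrites it on the next policy change, so the edit does not persist, and where it is the usual symlink into /usr/share/crypto-policies, `sed -i` silently replaces the symlink with a regular file. The fallback branch `echo ${correct_value} >> ${CONF_FILE}` appends the bare priority fragment on a line of its own rather than inside the SYSTEM= priority string, so it configures nothing; given the comment already says reaching that branch means the file is missing or altered, failing with a message would be safer than writing something that cannot work, and a policy module applied through update-crypto-policies would survive updates.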

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -2090,10 +2090,7 @@ If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

Rationale:

Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80936-8

References:  - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure

-rm -f /etc/krb5.conf.d/crypto-policies
-ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure
- name: Configure Kerberos to use System Crypto Policy
+            0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r928585_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure
- name: Configure Kerberos to use System Crypto Policy
   file:
     src: /etc/crypto-policies/back-ends/krb5.config
     path: /etc/krb5.conf.d/crypto-policies
@@ -2110,6 +2107,9 @@
   - low_complexity
   - low_disruption
   - reboot_required
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure

+rm -f /etc/krb5.conf.d/crypto-policies
+ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
 
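Review bot: `ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies` is not guarded by a check that the link target exists, so on a host where the back-end file is absent the remediation leaves a dangling symlink in `/etc/krb5.conf.d/` and still exits 0; `rm -f` before it also does nothing if the path is a directory, after which `ln -s` creates the link inside that directory. A `test -f /etc/crypto-policies/back-ends/krb5.config` before linking, and `ln -sfn` in place of the rm/ln pair, produce the same end state without those two failure modes.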

Rule   Configure Libreswan to use System Crypto Policy   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -2124,18 +2124,7 @@ service violate expectations, and makes system configuration more fragmented.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80937-6

References:  - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)


-function remediate_libreswan_crypto_policy() {
-    CONFIG_FILE="/etc/ipsec.conf"
-    if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
-        # the file might not end with a new line
-        echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
-    fi
-    return 0
-}
-
-remediate_libreswan_crypto_policy
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Configure Libreswan to use System Crypto Policy
+            CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r928585_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Configure Libreswan to use System Crypto Policy
   lineinfile:
     path: /etc/ipsec.conf
     line: include /etc/crypto-policies/back-ends/libreswan.config
@@ -2155,6 +2144,17 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)


+function remediate_libreswan_crypto_policy() {
+    CONFIG_FILE="/etc/ipsec.conf"
+    if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
+        # the file might not end with a new line
+        echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
+    fi
+    return 0
+}
+
+remediate_libreswan_crypto_policy
 
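Review bot: the shell remediation block for this rule carries no Complexity/Disruption/Reboot/Strategy header (the two empty lines after `Remediation Shell script:`), while the Ansible snippet above it states low/low/false/restrict; the published guide should give both forms the same metadata. On the script itself, `echo -e '\ninclude ...' >> "$CONFIG_FILE"` creates `/etc/ipsec.conf` when it is missing, leaving a file that consists of nothing but the include line; the OpenSSL script further down this page gates on `test -f "$CONFIG_FILE"` first, and this one should do the same.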

Rule   Configure OpenSSL library to use System Crypto Policy   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -2166,37 +2166,7 @@ if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.

Rationale:

Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80938-4

References:  - CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010293, SV-230254r877394_rule

Remediation Shell script:   (show)


-OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
-OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
-
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
-
-
-
-  
-
-
-function remediate_openssl_crypto_policy() {
-	CONFIG_FILE=/etc/pki/tls/openssl.cnf
-	if test -f "$CONFIG_FILE"; then
-		if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
-			printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
-			return 0
-		elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
-			sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
-			return 0
-		fi
-	else
-		echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
-		return 1
-	fi
-}
-
-remediate_openssl_crypto_policy
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
+            CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010293, SV-230254r877394_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
     Section
   ansible.builtin.find:
     paths: /etc/pki/tls
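Review bot: the Rationale text for this rule (`Configure OpenSSL library to use System Crypto Policy`) reads "makes the behavior of the Java runtime violates expectations"; it should name the OpenSSL library, and the verb is "violate". Only the references line is touched by this hunk, so the wording is carried over as-is, but it is a copy-paste error in the rendered guide and worth fixing at the source.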
@@ -2300,6 +2270,36 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)


+OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
+OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
+
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
+
+
+
+  
+
+
+function remediate_openssl_crypto_policy() {
+	CONFIG_FILE=/etc/pki/tls/openssl.cnf
+	if test -f "$CONFIG_FILE"; then
+		if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
+			printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
+			return 0
+		elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
+			sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
+			return 0
+		fi
+	else
+		echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
+		return 1
+	fi
+}
+
+remediate_openssl_crypto_policy
 
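Review bot: the `elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"` check can never match. `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` is written in PCRE (`(?:=\s*)?`) and already starts with `^`, but grep is called without `-P`, so in basic regex `(?:` is a literal sequence and the second `^` in the middle of the pattern is a literal caret. The consequence is that whenever `[ crypto_policy ]` already exists, every run takes the `sed` branch and inserts one more `.include /etc/crypto-policies/back-ends/opensslcnf.config` line under the section header, so the remediation is not idempotent. Use `grep -qP "$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX"` without the extra `^\\s*` prefix, as the Libreswan script on this page already does with `grep -qP`.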

Rule   Configure OpenSSL library to use TLS Encryption   [ref]

Crypto Policies are means of enforcing certain cryptographic settings for @@ -2341,11 +2341,7 @@ in the /etc/sysconfig/sshd.

Rationale:

Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80939-2

References:  - CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2.7, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule

Remediation Shell script:   (show)


-SSH_CONF="/etc/sysconfig/sshd"
-
-sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Configure SSH to use System Crypto Policy
   lineinfile:
     dest: /etc/sysconfig/sshd
     state: absent
@@ -2366,6 +2362,10 @@
   - medium_disruption
   - medium_severity
   - reboot_required
+
Remediation Shell script:   (show)


+SSH_CONF="/etc/sysconfig/sshd"
+
+sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
 
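Review bot: `sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF` runs with no check that `/etc/sysconfig/sshd` exists, so on a host without that file sed exits non-zero and the remediation fails instead of reporting nothing to do; `$SSH_CONF` is also left unquoted. The shell block again has no Complexity/Disruption/Reboot/Strategy header, while the Ansible snippet above it states low/medium/true/disable. A `test -f "$SSH_CONF" && sed -i ... "$SSH_CONF"` guard and the matching header would bring it in line.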

Rule   Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -2398,25 +2398,7 @@ weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.

Severity: 
high
Identifiers and References

Identifiers:  CCE-85902-5

References:  - CCI-000068, CCI-000877, CCI-001453, CCI-002418, CCI-002890, CCI-003123, AC-17(2), SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)


-sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
-
-
-if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
-    
-    LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
-else
-    touch "/etc/crypto-policies/back-ends/openssh.config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
-
-cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
-# Insert at the end of the file
-printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config"
-# Clean up after ourselves.
-rm "/etc/crypto-policies/back-ends/openssh.config.bak"
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_ciphers # promote to variable
   set_fact:
     sshd_approved_ciphers: !!str aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
   tags:
@@ -2460,6 +2442,24 @@
   - low_disruption
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)


+sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
+
+
+if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
+    
+    LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
+else
+    touch "/etc/crypto-policies/back-ends/openssh.config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
+
+cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
+# Insert at the end of the file
+printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config"
+# Clean up after ourselves.
+rm "/etc/crypto-policies/back-ends/openssh.config.bak"
 
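Review bot: the `cp ... openssh.config.bak` / `rm ... openssh.config.bak` pair is dead code: the file has already been rewritten in place by the `sed -i` calls above it, nothing between the copy and the removal can fail in a way that restores from the copy, and the copy is deleted unconditionally. Separately, `LC_ALL=C sed -i "/^.*Ciphers\s\+/d"` deletes every line in which `Ciphers` is followed by whitespace, comment lines included, and when `openssh.config` is a symlink `sed -i` without `--follow-symlinks` turns it into a regular file. Drop the cp/rm, anchor the delete on the directive (`/^\s*Ciphers\s/Id`), and pass `--follow-symlinks`.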

Rule   Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -2492,38 +2492,7 @@ weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85897-7

References:  - CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010291, SV-230252r917873_rule

Remediation Shell script:   (show)


-sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
-correct_value="-oCiphers=${sshd_approved_ciphers}"
-
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
-
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
-
-grep -q "'${correct_value}'" ${CONF_FILE}
-
-if [[ $? -ne 0 ]]; then
-    # We need to get the existing value, using PCRE to maintain same regex
-    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
-
-    if [[ ! -z ${existing_value} ]]; then
-        # replace existing_value with correct_value
-        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
-    else
-        # ***NOTE*** #
-        # This probably means this file is not here or it's been modified
-        # unintentionally.
-        # ********** #
-        # echo correct_value to end
-        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
-    fi
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_ciphers # promote to variable
+            CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010291, SV-230252r917873_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_ciphers # promote to variable
   set_fact:
     sshd_approved_ciphers: !!str aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
   tags:
@@ -2610,6 +2579,37 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)


+sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
+
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oCiphers=${sshd_approved_ciphers}"
+
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+    # We need to get the existing value, using PCRE to maintain same regex
+    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
+
+    if [[ ! -z ${existing_value} ]]; then
+        # replace existing_value with correct_value
+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+    else
+        # ***NOTE*** #
+        # This probably means this file is not here or it's been modified
+        # unintentionally.
+        # ********** #
+        # echo correct_value to end
+        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
+    fi
+fi
 
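Review bot: in the fallback branch, `echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}` appends a second `CRYPTO_POLICY=` assignment whenever the existing one lacks `-oCiphers=`. The script itself treats the file as shell-style variable assignments (it uncomments `#CRYPTO_POLICY=` a few lines earlier), and in that form only the last assignment takes effect, so the options already present in the earlier line are lost rather than combined; the companion MACs remediation on this page appends the same way, so on a file that lacked both options whichever script ran last wins. Insert the option into the existing assignment instead, e.g. `sed -i "s/^CRYPTO_POLICY='/&${correct_value} /" ${CONF_FILE}`, and only append a fresh line when no `CRYPTO_POLICY=` line exists at all.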

Rule   Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -2640,25 +2640,7 @@ client violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85870-4

References:  - CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)


-sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
-
-
-if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
-    
-    LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
-else
-    touch "/etc/crypto-policies/back-ends/openssh.config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
-
-cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
-# Insert at the end of the file
-printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config"
-# Clean up after ourselves.
-rm "/etc/crypto-policies/back-ends/openssh.config.bak"
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
+            CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010020, SV-230223r928585_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
   set_fact:
     sshd_approved_macs: !!str hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
   tags:
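Review bot: the `sshd_approved_macs` value in the `set_fact` task lists `hmac-sha2-512,hmac-sha2-256` ahead of the `-etm@openssh.com` variants; OpenSSH offers algorithms in the order given and the client's order decides the negotiation, so this client rule prefers MAC-then-encrypt over encrypt-then-MAC. All four satisfy the FIPS intent of the rule, but if ETM is the intended preference the two `-etm` entries should come first. This is a question about the variable's default value, not about the move of the shell block that this hunk records.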
@@ -2702,6 +2684,24 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)


+sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
+
+
+if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
+    
+    LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
+else
+    touch "/etc/crypto-policies/back-ends/openssh.config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
+
+cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
+# Insert at the end of the file
+printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config"
+# Clean up after ourselves.
+rm "/etc/crypto-policies/back-ends/openssh.config.bak"
 
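Review bot: `LC_ALL=C sed -i "/^.*MACs\s\+/d"` is case-sensitive, but ssh_config keywords are not (`macs` and `MACS` are accepted spellings), and ssh_config uses the first value obtained for a parameter. A lower-case `macs` line that survives the delete therefore takes precedence over the `MACs ...` line this script appends at the end, while a check that only looks for the appended line still passes. Use `/^\s*MACs\s/Id` so the delete is case-insensitive and anchored on the directive rather than on any line containing the word.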

Rule   Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -2732,38 +2732,7 @@ server violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85899-3

References:  - CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010290, SV-230251r917870_rule

Remediation Shell script:   (show)


-sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
-correct_value="-oMACs=${sshd_approved_macs}"
-
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
-
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
-
-grep -q "'${correct_value}'" ${CONF_FILE}
-
-if [[ $? -ne 0 ]]; then
-    # We need to get the existing value, using PCRE to maintain same regex
-    existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
-
-    if [[ ! -z ${existing_value} ]]; then
-        # replace existing_value with correct_value
-        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
-    else
-        # ***NOTE*** #
-        # This probably means this file is not here or it's been modified
-        # unintentionally.
-        # ********** #
-        # echo correct_value to end
-        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
-    fi
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
+            CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010290, SV-230251r917870_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
   set_fact:
     sshd_approved_macs: !!str hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
   tags:
@@ -2850,6 +2819,37 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)


+sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
+
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oMACs=${sshd_approved_macs}"
+
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+    # We need to get the existing value, using PCRE to maintain same regex
+    existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
+
+    if [[ ! -z ${existing_value} ]]; then
+        # replace existing_value with correct_value
+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+    else
+        # ***NOTE*** #
+        # This probably means this file is not here or it's been modified
+        # unintentionally.
+        # ********** #
+        # echo correct_value to end
+        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
+    fi
+fi
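Review bot: `existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})` captures up to the next whitespace, so when `-oMACs=` is the last option inside the quoted `CRYPTO_POLICY='...'` value the match includes the closing `'`; the following `sed -i "s/${existing_value}/${correct_value}/g"` then replaces it with a value that carries no quote, leaving an unterminated assignment. The same goes wrong when the file holds more than one `-oMACs=` (the `$(...)` result then spans lines and the sed expression is malformed). Match with `-oMACs=[^\s']+` and bail out if more than one hit comes back; the Ciphers script above has the same shape and the same hazard.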
 
Group   Operating System Vendor Support and Certification   Group contains 1 rule

[ref]   @@ -2976,12 +2976,12 @@ setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Severity: 
low
Identifiers and References

Identifiers:  CCE-81044-0

References:  - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r902723_rule

Remediation script:   (show)


+            BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r902723_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /home
+
Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/home"
 size = 1073741824
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /home
 
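Review bot: the two remediations for this rule are not equivalent: the OSBuild blueprint sets `size = 1073741824` (1 GiB) for `/home`, while the Anaconda line is just `part /home` with no `--size` or `--grow`, so a kickstart built from the snippet does not say how large the partition is. The same holds for the /tmp, /var, /var/log, /var/log/audit and /var/tmp hunks that follow (1, 3, 5, 10 and 1 GiB in the blueprint, nothing in the kickstart line). If the sizes are deliberate defaults, the Anaconda snippet should carry the matching `--size=` so both paths produce the same layout; if they are placeholders, the blueprint should say so.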

Rule   Ensure /tmp Located On Separate Partition   [ref]

The /tmp directory is a world-writable directory used @@ -2990,12 +2990,12 @@ Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80851-9

References:  - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /tmp
+
Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/tmp"
 size = 1073741824
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /tmp
 

Rule   Ensure /var Located On Separate Partition   [ref]

The /var directory is used by daemons and other system @@ -3006,12 +3006,12 @@ It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80852-7

References:  - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010540, 1.1.3.1, SV-230292r902718_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var
+
Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var"
 size = 3221225472
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var
 

Rule   Ensure /var/log Located On Separate Partition   [ref]

System logs are stored in the /var/log directory. @@ -3021,12 +3021,12 @@ enables better separation between log files and other files in /var/.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80853-5

References:  - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.5.1, SV-230293r902720_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log
+
Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var/log"
 size = 5368709120
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log
 

Rule   Ensure /var/log/audit Located On Separate Partition   [ref]

Audit logs are stored in the /var/log/audit directory. @@ -3040,12 +3040,12 @@ auditing cannot be halted due to the partition running out of space.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80854-3

References:  - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-APP-000357-CTR-000800, RHEL-08-010542, 1.1.6.1, SV-230294r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log/audit
+
Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var/log/audit"
 size = 10737418240
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log/audit
 
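Review bot: the rationale for this rule says the separate partition ensures "auditing cannot be halted due to the partition running out of space", but a dedicated partition only stops other writers from consuming the audit log's space; the fixed `size = 10737418240` (10 GiB) in the blueprint does nothing to keep the audit log itself from filling it. The description should claim only the isolation the partition provides and leave the out-of-space behaviour to the audit daemon's own configuration, which this rule does not set.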

Rule   Ensure /var/tmp Located On Separate Partition   [ref]

The /var/tmp directory is a world-writable directory used @@ -3054,12 +3054,12 @@ Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82730-3

References:  - BP28(R12), SRG-OS-000480-GPOS-00227, RHEL-08-010544, 1.1.4.1, SV-244529r902737_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/tmp
+
Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var/tmp"
 size = 1073741824
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/tmp
 
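Review bot: this rule is published with `Severity: medium`, while the /tmp rule earlier on the page, with the same rationale wording (world-writable directory, more restrictive mount options), is `low`. Unless the STIG source assigns the two differently, they should agree, and the guide gives no reason for the difference.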
Group   GNOME Desktop Environment   Group contains 3 groups and 10 rules

[ref]   @@ -3102,68 +3102,7 @@ with physical access to the system to quickly enumerate known user accounts without logging in.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86195-5

References:  - CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-08-020032, 1.8.3, SV-244536r743857_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
-then
-    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}"
-then
-        sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}"
-    else
-        sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \
-            | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
-    sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/
-then
-    echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+            CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-08-020032, 1.8.3, SV-244536r743857_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
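Review bot: in the dconf script being moved out of this position, `LOCKFILES` is assigned from `$(grep -r ... | cut -d":" -f1)` as a plain string but is later expanded as an array (`sed -i -E "s|...|#&|" "${LOCKFILES[@]}"`); with one matching file this works by accident, with several the whole newline-separated list becomes a single sed argument and the command fails. `SETTINGSFILES` a few lines earlier uses `readarray -t` for exactly this reason, and `LOCKFILES` should be built the same way.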
@@ -3238,77 +3177,60 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   - Enable the GNOME3 Screen Locking On Smartcard Removal -   [ref]

In the default graphical environment, screen locking on smartcard removal -can be enabled by setting removal-action -to 'lock-screen'. -

-To enable, add or edit removal-action to -/etc/dconf/db/local.d/00-security-settings. For example: -

[org/gnome/settings-daemon/peripherals/smartcard]
-removal-action='lock-screen'
-Once the setting has been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
-After the settings have been set, run dconf update.

Rationale:

Locking the screen automatically when removing the smartcard can -prevent undesired access to system.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-83910-0

References:  - CCI-000056, CCI-000058, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020050, SV-230351r792899_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
+DBDIR="/etc/dconf/db/gdm.d"
 
 mkdir -p "${DBDIR}"
 
 # Comment out the configurations in databases different from the target one
 if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
-    if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}"
+    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
     then
         
-        sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}"
+        sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
     fi
 fi
 
 [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
 then
-    printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
+    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
 fi
 
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
-if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}"
 then
-        sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}"
+        sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}"
     else
-        sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}"
+        sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \
-            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \
+            | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
 # Comment out the configurations in databases different from the target one
 if [[ ! -z "${LOCKFILES}" ]]
 then
-    sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}"
+    sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"
 fi
 
-if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/
+if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/
 then
-    echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+    echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
 fi
 
 dconf update
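Review bot: `LOCKFILES` is assigned a newline-separated string by command substitution but is then expanded as an array in `sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"`, so when more than one foreign database file carries the lock path the whole joined string is handed to sed as a single filename and the commenting-out step fails. Collect the matches with `readarray -t LOCKFILES < <(...)` as the `SETTINGSFILES` assignment earlier in the script already does, and replace the `[[ ! -z "${LOCKFILES}" ]]` guard with `[ "${#LOCKFILES[@]}" -ne 0 ]`.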
@@ -3316,7 +3238,24 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+

Rule   + Enable the GNOME3 Screen Locking On Smartcard Removal +   [ref]

In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to 'lock-screen'. +

+To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +

[org/gnome/settings-daemon/peripherals/smartcard]
+removal-action='lock-screen'
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
+After the settings have been set, run dconf update.

Rationale:

Locking the screen automatically when removing the smartcard can +prevent undesired access to system.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-83910-0

References:  + CCI-000056, CCI-000058, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020050, SV-230351r792899_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
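Review bot: the rationale in the moved rule text reads "prevent undesired access to system"; the article is missing ("access to the system"). The description also never says why the value is written as `removal-action='lock-screen'` with quotes: dconf keyfiles hold GVariant text, so an unquoted `lock-screen` is rejected when `dconf update` compiles the database, and a one-line remark would spare readers that mistake.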
@@ -3468,6 +3407,67 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \
+                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+    if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}"
+    then
+        
+        sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}"
+    fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}"
+then
+    printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
+if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}"
+then
+        sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}"
+    else
+        sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \
+            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+    sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/
+then
+    echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable GDM Automatic Login   [ref]

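Review bot: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` appends an empty line to 00-security-settings on every run, so the file grows each time the remediation is applied; the separator is only needed when the section header is about to be added, so move it inside the `if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]"` branch. In that same branch `printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}` leaves the redirect target unquoted while every other use of the variable in the script is quoted.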
The GNOME Display Manager (GDM) can allow users to automatically login without @@ -3479,24 +3479,7 @@ AutomaticLoginEnable=false

Rationale:

Failure to restrict system access to authenticated users negatively impacts operating system security.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80823-8

References:  - 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-6(1), CM-7(b), PR.IP-1, FIA_UAU.1, 8.3.1, SRG-OS-000480-GPOS-00229, RHEL-08-010820, SV-230329r877377_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if rpm --quiet -q gdm
-then
-	if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
-	then
-		sed -i "/^\[daemon\]/a \
-		AutomaticLoginEnable=False" /etc/gdm/custom.conf
-	else
-		sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
-	fi
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
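Review bot: the remediation writes `AutomaticLoginEnable=False` (both in the `sed -i "/^\[daemon\]/a \` insert and in the `s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g` replacement) while the rule description and its example configuration show `AutomaticLoginEnable=false`; the two should agree so that a check written against the documented value matches what the remediation actually produces.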
@@ -3539,6 +3522,23 @@
   - medium_disruption
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if rpm --quiet -q gdm
+then
+	if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
+	then
+		sed -i "/^\[daemon\]/a \
+		AutomaticLoginEnable=False" /etc/gdm/custom.conf
+	else
+		sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
+	fi
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Configure GNOME Screen Locking   Group contains 6 rules

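Review bot: `sed -i "/^\[daemon\]/a \ AutomaticLoginEnable=False" /etc/gdm/custom.conf` only appends after an existing `[daemon]` header, so on a custom.conf without that section (or with no custom.conf at all, where the preceding `grep -q` also fails) the key is never written and the script still finishes as if remediated; create the file and the `[daemon]` section first when they are missing. The inner `if rpm --quiet -q gdm` repeats the outer guard on the first line of the script and can be dropped.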
[ref]   @@ -3574,52 +3574,7 @@ system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80775-0

References:  - 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020060, SV-230352r646876_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-inactivity_timeout_value='900'
-
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}"
-then
-    printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
-if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}"
-then
-        sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}"
-    else
-        sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+            1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020060, SV-230352r646876_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3690,27 +3645,16 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   - Set GNOME3 Screensaver Lock Delay After Activation Period -   [ref]

To activate the locking delay of the screensaver in the GNOME3 desktop when -the screensaver is activated, add or set lock-delay to uint32 5 in -/etc/dconf/db/local.d/00-security-settings. For example: -

[org/gnome/desktop/screensaver]
-lock-delay=uint32 5
-
-After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity -of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80776-8

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020031, SV-244535r743854_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
-var_screensaver_lock_delay='5'
+inactivity_timeout_value='900'
 
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \
                                 | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
@@ -3720,25 +3664,25 @@
 # Comment out the configurations in databases different from the target one
 if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
-    if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
+    if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}"
     then
         
-        sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}"
+        sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}"
     fi
 fi
 
 [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}"
 then
-    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+    printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE}
 fi
 
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
-if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
+if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}"
 then
-        sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}"
+        sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}"
     else
-        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}"
+        sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
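Review bot: `escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"` only doubles backslashes before the value is interpolated into `s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g`, so a value containing `/` or `&` would still break or corrupt that substitution. It is harmless for `uint32 900`, but `inactivity_timeout_value` is a tailorable variable, so the escaping should also cover `/` and `&` (or the `s` command should use a delimiter that cannot occur in the value).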
@@ -3746,7 +3690,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+

Rule   + Set GNOME3 Screensaver Lock Delay After Activation Period +   [ref]

To activate the locking delay of the screensaver in the GNOME3 desktop when +the screensaver is activated, add or set lock-delay to uint32 5 in +/etc/dconf/db/local.d/00-security-settings. For example: +

[org/gnome/desktop/screensaver]
+lock-delay=uint32 5
+
+After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity +of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80776-8

References:  + 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020031, SV-244535r743854_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
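Review bot: the rule text tells the reader to set `lock-delay` to `uint32 5` without saying what the number measures; state that it is the number of seconds between screensaver activation and the lock so that anyone tailoring the value picks a sensible one. The rationale in the same block misspells "absence" as "absense".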
@@ -3814,25 +3769,12 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   - Enable GNOME3 Screensaver Lock After Idle Period -   [ref]

-To activate locking of the screensaver in the GNOME3 desktop when it is activated, -add or set lock-enabled to true in -/etc/dconf/db/local.d/00-security-settings. For example: -

[org/gnome/desktop/screensaver]
-lock-enabled=true
-
-Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity -of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80777-6

References:  - 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020030, SV-230347r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
+var_screensaver_lock_delay='5'
+
+
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
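Review bot: `var_screensaver_lock_delay='5'` is introduced with no comment on its unit; a one-line comment that the value is in seconds between screensaver activation and the session lock (the `uint32 5` shown in the rule text) would make the tailorable variable self-describing for anyone editing the generated script.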
@@ -3846,10 +3788,10 @@
 # Comment out the configurations in databases different from the target one
 if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
-    if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}"
+    if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
     then
         
-        sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}"
+        sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}"
     fi
 fi
 
@@ -3859,31 +3801,12 @@
     printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
 fi
 
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
+if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"
 then
-        sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}"
+        sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}"
     else
-        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
-            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
-    sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
-then
-    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
@@ -3891,7 +3814,23 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+

Rule   + Enable GNOME3 Screensaver Lock After Idle Period +   [ref]

+To activate locking of the screensaver in the GNOME3 desktop when it is activated, +add or set lock-enabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +

[org/gnome/desktop/screensaver]
+lock-enabled=true
+
+Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/desktop/screensaver/lock-enabled
+After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity +of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80777-6

References:  + 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020030, SV-230347r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
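Review bot: the added rule text repeats the "absense" misspelling in its rationale ("absence"), and its opening sentence, "To activate locking of the screensaver in the GNOME3 desktop when it is activated", is circular; say instead that `lock-enabled=true` makes the screensaver lock the session whenever the screensaver activates.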
@@ -4096,6 +4035,67 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+    if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}"
+    then
+        
+        sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}"
+    fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}"
+then
+        sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}"
+    else
+        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
+            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+    sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
+then
+    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period   [ref]

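Review bot: `dconf update` runs twice in this script, once after the setting is written and again after the lock is written; the first call compiles the database before the lock exists, so only the final one is needed. The lock line written here, `/org/gnome/desktop/screensaver/lock-enabled`, is also the line installed by the separate "Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period" rule; both are guarded by a grep so the line is not duplicated, but the overlap between the two remediations should be mentioned in the rule text.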
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings @@ -4106,7 +4106,61 @@ After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-87261-4

References:  - 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020082, SV-244539r743866_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-87261-4
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020082
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_locked
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+
+- name: Prevent user modification of GNOME Screensaver lock-enabled
+  lineinfile:
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    regexp: ^/org/gnome/desktop/screensaver/lock-enabled$
+    line: /org/gnome/desktop/screensaver/lock-enabled
+    create: true
+  when: '"gdm" in ansible_facts.packages'
+  tags:
+  - CCE-87261-4
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020082
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_locked
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+
+- name: Dconf Update
+  command: dconf update
+  when: '"gdm" in ansible_facts.packages'
+  tags:
+  - CCE-87261-4
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020082
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_locked
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm; then
 
 # Check for setting in any of the DConf db directories
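Review bot: the `Dconf Update` task uses `command: dconf update` with no `changed_when`, so every play run reports a change even when the lock line was already present; register the result of the `Prevent user modification of GNOME Screensaver lock-enabled` task and run the update only `when` that task changed something, or set `changed_when: false` if the unconditional rebuild is intended.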
@@ -4132,60 +4186,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-87261-4
-  - CJIS-5.5.5
-  - DISA-STIG-RHEL-08-020082
-  - NIST-800-171-3.1.10
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-8.1.8
-  - dconf_gnome_screensaver_lock_locked
-  - low_complexity
-  - medium_disruption
-  - medium_severity
-  - no_reboot_needed
-  - unknown_strategy
-
-- name: Prevent user modification of GNOME Screensaver lock-enabled
-  lineinfile:
-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
-    regexp: ^/org/gnome/desktop/screensaver/lock-enabled$
-    line: /org/gnome/desktop/screensaver/lock-enabled
-    create: true
-  when: '"gdm" in ansible_facts.packages'
-  tags:
-  - CCE-87261-4
-  - CJIS-5.5.5
-  - DISA-STIG-RHEL-08-020082
-  - NIST-800-171-3.1.10
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-8.1.8
-  - dconf_gnome_screensaver_lock_locked
-  - low_complexity
-  - medium_disruption
-  - medium_severity
-  - no_reboot_needed
-  - unknown_strategy
-
-- name: Dconf Update
-  command: dconf update
-  when: '"gdm" in ansible_facts.packages'
-  tags:
-  - CCE-87261-4
-  - CJIS-5.5.5
-  - DISA-STIG-RHEL-08-020082
-  - NIST-800-171-3.1.10
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-8.1.8
-  - dconf_gnome_screensaver_lock_locked
-  - low_complexity
-  - medium_disruption
-  - medium_severity
-  - no_reboot_needed
-  - unknown_strategy
 

Rule   Ensure Users Cannot Change GNOME3 Screensaver Settings   [ref]

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings @@ -4199,33 +4199,7 @@ GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80780-0

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020080, SV-230354r743990_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \
-            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
-    sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/
-then
-    echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4277,24 +4251,11 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   - Ensure Users Cannot Change GNOME3 Session Idle Settings -   [ref]

If not already configured, ensure that users cannot change GNOME3 session idle settings -by adding /org/gnome/desktop/session/idle-delay -to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -

/org/gnome/desktop/session/idle-delay
-After the settings have been set, run dconf update.

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate -physical vicinity of the information system but does not logout because of the temporary nature of the absence. -Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, -GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the -session lock. As such, users should not be allowed to change session settings.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80781-8

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020081, SV-244538r743863_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \
             | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
@@ -4303,12 +4264,12 @@
 # Comment out the configurations in databases different from the target one
 if [[ ! -z "${LOCKFILES}" ]]
 then
-    sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}"
+    sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}"
 fi
 
-if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/
 then
-    echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+    echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
 
 dconf update
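Review bot: the `-`/`+` pairs in this hunk replace `/org/gnome/desktop/session/idle-delay` with `/org/gnome/desktop/screensaver/lock-delay` in the grep, sed and echo lines directly beneath the "Ensure Users Cannot Change GNOME3 Session Idle Settings" heading, which reads as if the idle-settings rule had been retargeted to the lock-delay key. Nothing in the rule changed: the publish moved each rule's Shell script block below its Ansible block, and the diff aligned the old idle-delay script with the new lock-delay script (the idle-delay script reappears unchanged as `+` lines in the next hunk). Generating the publish diff with `--diff-algorithm=patience` may keep moved blocks from rendering as edits.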
@@ -4316,7 +4277,20 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+

Rule   + Ensure Users Cannot Change GNOME3 Session Idle Settings +   [ref]

If not already configured, ensure that users cannot change GNOME3 session idle settings +by adding /org/gnome/desktop/session/idle-delay +to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +

/org/gnome/desktop/session/idle-delay
+After the settings have been set, run dconf update.

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, +GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the +session lock. As such, users should not be allowed to change session settings.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80781-8

References:  + 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020081, SV-244538r743863_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4374,6 +4348,32 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \
+            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+    sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/
+then
+    echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   GNOME System Settings   Group contains 1 rule

[ref]   @@ -4402,68 +4402,7 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Severity: 
high
Identifiers and References

Identifiers:  CCE-84028-0

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040171, SV-230530r646883_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}"
-then
-    printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")"
-if grep -q "^\\s*logout\\s*=" "${DCONFFILE}"
-then
-        sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}"
-    else
-        sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \
-            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
-    sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/
-then
-    echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+            12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040171, SV-230530r646883_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4546,6 +4485,67 @@
   - medium_disruption
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \
+                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+    if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}"
+    then
+        
+        sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}"
+    fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}"
+then
+    printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")"
+if grep -q "^\\s*logout\\s*=" "${DCONFFILE}"
+then
+        sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}"
+    else
+        sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \
+            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+    sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/
+then
+    echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
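Review bot: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` appends an empty line to 00-security-settings on every run, even when the section header and the `logout=''` key are already present, so each scan-and-remediate cycle keeps growing the file; the test is also always true because DCONFFILE is a literal assigned a few lines earlier. Move the separator into the `if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]"` branch so it is written only when the header is appended, and quote `"${DCONFFILE}"` in the `printf` redirection as the neighbouring lines do.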
Group   Sudo   Group contains 6 rules

[ref]   @@ -4566,22 +4566,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82202-3

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010381, SV-230272r854027_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+            BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010381, SV-230272r854027_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -4618,6 +4603,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "!authenticate" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
 
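Review bot: the loop edits each sudoers file in place with `sed -i "s/^${entry}$/# &/g" $f` and only afterwards runs `/usr/sbin/visudo -cf $f`, printing "Fail to validate" on error but leaving the rewritten file where it is; a sudoers file or drop-in that no longer parses disables sudo for every user on the host. Edit a copy (or keep a `.bak` as the timestamp_timeout script on this page does), validate the copy with `visudo -cf`, and install it only on success. `$f` should also be quoted in the grep, sed and visudo calls.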

Rule   Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute @@ -4632,22 +4632,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82197-5

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010380, SV-230271r854026_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -4684,6 +4669,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "NOPASSWD" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
 
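Review bot: `$entry` is a raw sudoers line spliced unescaped into a `/`-delimited sed regex in `sed -i "s/^${entry}$/# &/g" $f`; a typical NOPASSWD grant carries a command path (for example a line ending in `NOPASSWD: /usr/bin/systemctl`), so the `/` terminates the pattern, sed aborts with "unknown option to `s'" and the line is left as found, while `.`, `*`, `[` or `\` in the entry can make the pattern match other lines. Escape the entry before substitution (or use a delimiter that cannot occur in a sudoers line and escape regex metacharacters) and quote `"$f"`. Commenting out the whole line also drops the command grant itself, not just the tag, which is more than the block's `Disruption:low` label suggests; rewriting `NOPASSWD:` to `PASSWD:` would keep the grant while requiring re-authentication.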

Rule   Require Re-Authentication When Using the sudo Command   [ref]

The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. @@ -4699,46 +4699,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-87838-9

References:  - CCI-002038, IA-11, 2.2.6, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, 5.3.6, SV-237643r861088_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if rpm --quiet -q sudo; then
-
-var_sudo_timestamp_timeout='0'
-
-
-if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
-    find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
-fi
-
-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option timestamp_timeout
-        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
-    else
-        # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
-        if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
-            
-            sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
-        fi
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-002038, IA-11, 2.2.6, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, 5.3.6, SV-237643r861088_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4838,6 +4799,45 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_require_reauthentication
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if rpm --quiet -q sudo; then
+
+var_sudo_timestamp_timeout='0'
+
+
+if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
+fi
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+    cp /etc/sudoers /etc/sudoers.bak
+    if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option timestamp_timeout
+        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
+    else
+        # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
+        if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
+            
+            sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
+        fi
+    fi
+    
+    # Check validity of sudoers and cleanup bak
+    if /usr/sbin/visudo -qcf /etc/sudoers; then
+        rm -f /etc/sudoers.bak
+    else
+        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+        mv /etc/sudoers.bak /etc/sudoers
+        false
+    fi
+else
+    echo "Skipping remediation, /etc/sudoers failed to validate"
+    false
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
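Review bot: the `/etc/sudoers.d/` branch deletes matching lines with `find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;` and never validates the modified drop-ins, whereas the `/etc/sudoers` branch keeps a `.bak` and reverts when `visudo -qcf` fails; apply the same validate-and-revert to each edited drop-in. The preceding `grep -Px ... /etc/sudoers.d/*` also lacks `-q`, so the matched lines are echoed to stdout as part of the remediation output.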

Rule   The operating system must restrict privilege elevation to authorized personnel   [ref]

The sudo command allows a user to execute programs with elevated @@ -4866,27 +4866,7 @@ Use of these configuration options makes it easier for one compromised accound to be used to compromise other accounts.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86377-9

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010379, SV-251711r833385_rule

Remediation Shell script:   (show)


-sudoers_config_file="/etc/sudoers"
-sudoers_config_dir="/etc/sudoers.d"
-sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
-if [ "$sudoers_includedir_count" -gt 1 ]; then
-    sed -i "/#includedir/d" "$sudoers_config_file"
-    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
-elif [ "$sudoers_includedir_count" -eq 0 ]; then
-    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
-else
-    if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
-        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
-    fi
-fi
-
-sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file"
-
-if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then
-    sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/*
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Check for duplicate values
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010379, SV-251711r833385_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Check for duplicate values
   lineinfile:
     path: /etc/sudoers
     create: false
@@ -5003,6 +4983,26 @@
   - medium_severity
   - no_reboot_needed
   - sudoers_default_includedir
+
Remediation Shell script:   (show)


+sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+if [ "$sudoers_includedir_count" -gt 1 ]; then
+    sed -i "/#includedir/d" "$sudoers_config_file"
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+    if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
+        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+    fi
+fi
+
+sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file"
+
+if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then
+    sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/*
+fi
 
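Review bot: `grep -q "^#includedir /etc/sudoers.d"` in the single-occurrence branch is a prefix match, so a line such as `#includedir /etc/sudoers.d.old` passes the check and is left in place instead of being rewritten to `#includedir /etc/sudoers.d`; anchor the pattern, e.g. `grep -Eq '^#includedir[[:blank:]]+/etc/sudoers\.d[[:blank:]]*$'`. The preceding `grep -c "#includedir"` likewise counts any line containing the word, commented explanations included, which can push the count above 1 and trigger the delete-and-reappend branch. The script also rewrites /etc/sudoers without any `visudo -cf` check afterwards.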

Rule   Ensure invoking users password for privilege escalation when using sudo   [ref]

The sudoers security policy requires that users authenticate themselves before they can use sudo. @@ -5019,75 +5019,7 @@ /etc/sudoers:Defaults !runaspw

Rationale:

If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83422-6

References:  - CCI-000366, CCI-002227, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010383, SV-237642r880727_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q sudo; then
-
-if grep -x '^Defaults targetpw$' /etc/sudoers; then
-    sed -i "/Defaults targetpw/d" /etc/sudoers \;
-fi
-if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then
-    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \;
-fi
-if grep -x '^Defaults rootpw$' /etc/sudoers; then
-    sed -i "/Defaults rootpw/d" /etc/sudoers \;
-fi
-if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then
-    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \;
-fi
-if grep -x '^Defaults runaspw$' /etc/sudoers; then
-    sed -i "/Defaults runaspw/d" /etc/sudoers \;
-fi
-if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then
-    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \;
-fi
-
-if [ -e "/etc/sudoers" ] ; then
-    
-    LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers"
-else
-    touch "/etc/sudoers"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/sudoers"
-
-cp "/etc/sudoers" "/etc/sudoers.bak"
-# Insert at the end of the file
-printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers"
-# Clean up after ourselves.
-rm "/etc/sudoers.bak"
-if [ -e "/etc/sudoers" ] ; then
-    
-    LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers"
-else
-    touch "/etc/sudoers"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/sudoers"
-
-cp "/etc/sudoers" "/etc/sudoers.bak"
-# Insert at the end of the file
-printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers"
-# Clean up after ourselves.
-rm "/etc/sudoers.bak"
-if [ -e "/etc/sudoers" ] ; then
-    
-    LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers"
-else
-    touch "/etc/sudoers"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/sudoers"
-
-cp "/etc/sudoers" "/etc/sudoers.bak"
-# Insert at the end of the file
-printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers"
-# Clean up after ourselves.
-rm "/etc/sudoers.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-000366, CCI-002227, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010383, SV-237642r880727_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -5464,6 +5396,74 @@
   - no_reboot_needed
   - restrict_strategy
   - sudoers_validate_passwd
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q sudo; then
+
+if grep -x '^Defaults targetpw$' /etc/sudoers; then
+    sed -i "/Defaults targetpw/d" /etc/sudoers \;
+fi
+if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \;
+fi
+if grep -x '^Defaults rootpw$' /etc/sudoers; then
+    sed -i "/Defaults rootpw/d" /etc/sudoers \;
+fi
+if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \;
+fi
+if grep -x '^Defaults runaspw$' /etc/sudoers; then
+    sed -i "/Defaults runaspw/d" /etc/sudoers \;
+fi
+if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \;
+fi
+
+if [ -e "/etc/sudoers" ] ; then
+    
+    LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers"
+else
+    touch "/etc/sudoers"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/sudoers"
+
+cp "/etc/sudoers" "/etc/sudoers.bak"
+# Insert at the end of the file
+printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers"
+# Clean up after ourselves.
+rm "/etc/sudoers.bak"
+if [ -e "/etc/sudoers" ] ; then
+    
+    LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers"
+else
+    touch "/etc/sudoers"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/sudoers"
+
+cp "/etc/sudoers" "/etc/sudoers.bak"
+# Insert at the end of the file
+printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers"
+# Clean up after ourselves.
+rm "/etc/sudoers.bak"
+if [ -e "/etc/sudoers" ] ; then
+    
+    LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers"
+else
+    touch "/etc/sudoers"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/sudoers"
+
+cp "/etc/sudoers" "/etc/sudoers.bak"
+# Insert at the end of the file
+printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers"
+# Clean up after ourselves.
+rm "/etc/sudoers.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
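Review bot: `sed -i "/Defaults targetpw/d" /etc/sudoers \;` and its rootpw and runaspw counterparts pass a literal `;` as a second input file; sed performs the real edit on /etc/sudoers and then fails with "can't read ;: No such file or directory", returning non-zero and logging an error on every run. The `\;` belongs only to the `find -exec` form on the following lines and should be dropped here. The three `cp "/etc/sudoers" "/etc/sudoers.bak"` / `rm "/etc/sudoers.bak"` pairs create and discard the backup without ever validating the appended `Defaults !targetpw`, `!rootpw` and `!runaspw` lines with `visudo -cf`; validate before removing the backup and revert on failure.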
Group   System Tooling / Utilities   Group contains 12 rules

[ref]   @@ -5475,20 +5475,12 @@ $ sudo yum install rng-tools

Rationale:

rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82968-9

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010472, SV-244527r743830_rule

Remediation script:   (show)


+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010472, SV-244527r743830_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=rng-tools
+
Remediation script:   (show)


 [[packages]]
 name = "rng-tools"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "rng-tools" ; then
-    yum install -y "rng-tools"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_rng-tools
 
 class install_rng-tools {
@@ -5510,8 +5502,16 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=rng-tools
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "rng-tools" ; then
+    yum install -y "rng-tools"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Uninstall abrt-addon-ccpp Package   [ref]

The abrt-addon-ccpp package can be removed with the following command: @@ -5519,18 +5519,8 @@ $ sudo yum erase abrt-addon-ccpp

Rationale:

abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82919-2

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove abrt-addon-ccpp
-#	   from the system, and may remove any packages
-#	   that depend on abrt-addon-ccpp. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "abrt-addon-ccpp" ; then
-
-    yum remove -y "abrt-addon-ccpp"
-
-fi
+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=abrt-addon-ccpp
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-addon-ccpp
 
 class remove_abrt-addon-ccpp {
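Review bot: the added References line (`+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule`) is aligned against the removed CAUTION script block, which makes it look as if the abrt-addon-ccpp Shell remediation was dropped in favour of a references edit. The references text differs only in leading whitespace and the script is moved, not deleted, so review this with whitespace ignored and move detection enabled. The rendering is also unreliable here: the hunk header is fused into the prose line (`following command: @@ -5519,18 +5519,8 @@ $ sudo yum erase abrt-addon-ccpp`), so this view should not be used to judge what the rule text says.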
@@ -5551,27 +5541,27 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-ccpp_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=abrt-addon-ccpp
-

Rule   - Uninstall abrt-addon-kerneloops Package -   [ref]

The abrt-addon-kerneloops package can be removed with the following command: -

-$ sudo yum erase abrt-addon-kerneloops

Rationale:

abrt-addon-kerneloops contains plugins for collecting kernel crash information and -reporter plugin which sends this information to a specified server, usually to kerneloops.org.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-82926-7

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove abrt-addon-kerneloops
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove abrt-addon-ccpp
 #	   from the system, and may remove any packages
-#	   that depend on abrt-addon-kerneloops. Execute this
+#	   that depend on abrt-addon-ccpp. Execute this
 #	   remediation AFTER testing on a non-production
 #	   system!
 
-if rpm -q --quiet "abrt-addon-kerneloops" ; then
+if rpm -q --quiet "abrt-addon-ccpp" ; then
 
-    yum remove -y "abrt-addon-kerneloops"
+    yum remove -y "abrt-addon-ccpp"
 
 fi
+

Rule   + Uninstall abrt-addon-kerneloops Package +   [ref]

The abrt-addon-kerneloops package can be removed with the following command: +

+$ sudo yum erase abrt-addon-kerneloops

Rationale:

abrt-addon-kerneloops contains plugins for collecting kernel crash information and +reporter plugin which sends this information to a specified server, usually to kerneloops.org.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-82926-7

References:  + CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=abrt-addon-kerneloops
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-addon-kerneloops
 
 class remove_abrt-addon-kerneloops {
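Review bot: the paired lines `-#	   that depend on abrt-addon-kerneloops. Execute this` / `+#	   that depend on abrt-addon-ccpp. Execute this` and `-if rpm -q --quiet "abrt-addon-kerneloops" ; then` / `+if rpm -q --quiet "abrt-addon-ccpp" ; then` are two different rules' scripts that the diff algorithm happened to line up; neither script's content changed. The removal and addition markers have also leaked into the rendered rule titles (`Rule   - Uninstall abrt-addon-kerneloops Package -` / `Rule   + Uninstall abrt-addon-kerneloops Package +`), so a reader could mistake this for a renamed rule. A move-aware diff would show each Shell script relocating after its Puppet snippet within the same rule.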
@@ -5592,27 +5582,27 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-kerneloops_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=abrt-addon-kerneloops
-

Rule   - Uninstall abrt-cli Package -   [ref]

The abrt-cli package can be removed with the following command: -

-$ sudo yum erase abrt-cli

Rationale:

abrt-cli contains a command line client for controlling abrt daemon -over sockets.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-82907-7

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove abrt-cli
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove abrt-addon-kerneloops
 #	   from the system, and may remove any packages
-#	   that depend on abrt-cli. Execute this
+#	   that depend on abrt-addon-kerneloops. Execute this
 #	   remediation AFTER testing on a non-production
 #	   system!
 
-if rpm -q --quiet "abrt-cli" ; then
+if rpm -q --quiet "abrt-addon-kerneloops" ; then
 
-    yum remove -y "abrt-cli"
+    yum remove -y "abrt-addon-kerneloops"
 
 fi
+

Rule   + Uninstall abrt-cli Package +   [ref]

The abrt-cli package can be removed with the following command: +

+$ sudo yum erase abrt-cli

Rationale:

abrt-cli contains a command line client for controlling abrt daemon +over sockets.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-82907-7

References:  + CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=abrt-cli
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-cli
 
 class remove_abrt-cli {
@@ -5633,26 +5623,26 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-cli_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=abrt-cli
-

Rule   - Uninstall abrt-plugin-sosreport Package -   [ref]

The abrt-plugin-sosreport package can be removed with the following command: -

-$ sudo yum erase abrt-plugin-sosreport

Rationale:

abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-82910-1

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove abrt-plugin-sosreport
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove abrt-cli
 #	   from the system, and may remove any packages
-#	   that depend on abrt-plugin-sosreport. Execute this
+#	   that depend on abrt-cli. Execute this
 #	   remediation AFTER testing on a non-production
 #	   system!
 
-if rpm -q --quiet "abrt-plugin-sosreport" ; then
+if rpm -q --quiet "abrt-cli" ; then
 
-    yum remove -y "abrt-plugin-sosreport"
+    yum remove -y "abrt-cli"
 
 fi
+

Rule   + Uninstall abrt-plugin-sosreport Package +   [ref]

The abrt-plugin-sosreport package can be removed with the following command: +

+$ sudo yum erase abrt-plugin-sosreport

Rationale:

abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-82910-1

References:  + CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=abrt-plugin-sosreport
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-plugin-sosreport
 
 class remove_abrt-plugin-sosreport {
@@ -5673,8 +5663,18 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-plugin-sosreport_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=abrt-plugin-sosreport
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove abrt-plugin-sosreport
+#	   from the system, and may remove any packages
+#	   that depend on abrt-plugin-sosreport. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "abrt-plugin-sosreport" ; then
+
+    yum remove -y "abrt-plugin-sosreport"
+
+fi
 

Rule   Uninstall gssproxy Package   [ref]

The gssproxy package can be removed with the following command: @@ -5683,26 +5683,14 @@ This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV uses NFS storage, which has dependency on gssproxy.

Rationale:

gssproxy is a proxy for GSS API credential handling.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82943-2

References:  - CCI-000381, CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040370, SV-230559r646887_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove gssproxy
-#	   from the system, and may remove any packages
-#	   that depend on gssproxy. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "gssproxy" ; then
-
-    yum remove -y "gssproxy"
-
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_gssproxy
+            CCI-000381, CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040370, SV-230559r646887_rule

Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_gssproxy
 
 class remove_gssproxy {
   package { 'gssproxy':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure gssproxy is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure gssproxy is removed
   package:
     name: gssproxy
     state: absent
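Review bot: the add/remove markers are missing from the non-code lines of this hunk: `Remediation Puppet snippet:   (show)` and `include remove_gssproxy` appear twice with no `-`/`+`, as do `Remediation Ansible snippet:   (show)`, and the YAML list item `- name: Ensure gssproxy is removed` is indistinguishable from a removed line ` name: Ensure gssproxy is removed`. The patch cannot be reconstructed from this rendering, so reviewers should check the raw diff of the .html file rather than this view before judging whether the gssproxy Ansible and Puppet remediations survived the reorder.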
@@ -5715,25 +5703,27 @@
   - medium_severity
   - no_reboot_needed
   - package_gssproxy_removed
-

Rule   - Uninstall iprutils Package -   [ref]

The iprutils package can be removed with the following command: -

-$ sudo yum erase iprutils

Rationale:

iprutils provides a suite of utlilities to manage and configure SCSI devices -supported by the ipr SCSI storage device driver.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82946-5

References:  - CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040380, SV-230560r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove iprutils
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove gssproxy
 #	   from the system, and may remove any packages
-#	   that depend on iprutils. Execute this
+#	   that depend on gssproxy. Execute this
 #	   remediation AFTER testing on a non-production
 #	   system!
 
-if rpm -q --quiet "iprutils" ; then
+if rpm -q --quiet "gssproxy" ; then
 
-    yum remove -y "iprutils"
+    yum remove -y "gssproxy"
 
 fi
+

Rule   + Uninstall iprutils Package +   [ref]

The iprutils package can be removed with the following command: +

+$ sudo yum erase iprutils

Rationale:

iprutils provides a suite of utlilities to manage and configure SCSI devices +supported by the ipr SCSI storage device driver.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82946-5

References:  + CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040380, SV-230560r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=iprutils
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_iprutils
 
 class remove_iprutils {
@@ -5754,8 +5744,18 @@
   - medium_severity
   - no_reboot_needed
   - package_iprutils_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=iprutils
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove iprutils
+#	   from the system, and may remove any packages
+#	   that depend on iprutils. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "iprutils" ; then
+
+    yum remove -y "iprutils"
+
+fi
 

Rule   Uninstall krb5-workstation Package   [ref]

The krb5-workstation package can be removed with the following command: @@ -5765,18 +5765,8 @@ RHV hosts require ipa-client package, which has dependency on krb5-workstation.

Rationale:

Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd).

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82931-7

References:  - CCI-000803, SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, RHEL-08-010162, SV-230239r646864_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove krb5-workstation
-#	   from the system, and may remove any packages
-#	   that depend on krb5-workstation. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "krb5-workstation" ; then
-
-    yum remove -y "krb5-workstation"
-
-fi
+            CCI-000803, SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, RHEL-08-010162, SV-230239r646864_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=krb5-workstation
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_krb5-workstation
 
 class remove_krb5-workstation {
@@ -5797,27 +5787,27 @@
   - medium_severity
   - no_reboot_needed
   - package_krb5-workstation_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=krb5-workstation
-

Rule   - Uninstall libreport-plugin-logger Package -   [ref]

The libreport-plugin-logger package can be removed with the following command: -

-$ sudo yum erase libreport-plugin-logger

Rationale:

libreport-plugin-logger is a ABRT plugin to report bugs into the -Red Hat Support system.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-89201-8

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove libreport-plugin-logger
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove krb5-workstation
 #	   from the system, and may remove any packages
-#	   that depend on libreport-plugin-logger. Execute this
+#	   that depend on krb5-workstation. Execute this
 #	   remediation AFTER testing on a non-production
 #	   system!
 
-if rpm -q --quiet "libreport-plugin-logger" ; then
+if rpm -q --quiet "krb5-workstation" ; then
 
-    yum remove -y "libreport-plugin-logger"
+    yum remove -y "krb5-workstation"
 
 fi
+

Rule   + Uninstall libreport-plugin-logger Package +   [ref]

The libreport-plugin-logger package can be removed with the following command: +

+$ sudo yum erase libreport-plugin-logger

Rationale:

libreport-plugin-logger is a ABRT plugin to report bugs into the +Red Hat Support system.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-89201-8

References:  + CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=libreport-plugin-logger
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_libreport-plugin-logger
 
 class remove_libreport-plugin-logger {
@@ -5838,27 +5828,27 @@
   - low_severity
   - no_reboot_needed
   - package_libreport-plugin-logger_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=libreport-plugin-logger
-

Rule   - Uninstall libreport-plugin-rhtsupport Package -   [ref]

The libreport-plugin-rhtsupport package can be removed with the following command: -

-$ sudo yum erase libreport-plugin-rhtsupport

Rationale:

libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the -Red Hat Support system.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-88955-0

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove libreport-plugin-rhtsupport
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove libreport-plugin-logger
 #	   from the system, and may remove any packages
-#	   that depend on libreport-plugin-rhtsupport. Execute this
+#	   that depend on libreport-plugin-logger. Execute this
 #	   remediation AFTER testing on a non-production
 #	   system!
 
-if rpm -q --quiet "libreport-plugin-rhtsupport" ; then
+if rpm -q --quiet "libreport-plugin-logger" ; then
 
-    yum remove -y "libreport-plugin-rhtsupport"
+    yum remove -y "libreport-plugin-logger"
 
 fi
+

Rule   + Uninstall libreport-plugin-rhtsupport Package +   [ref]

The libreport-plugin-rhtsupport package can be removed with the following command: +

+$ sudo yum erase libreport-plugin-rhtsupport

Rationale:

libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the +Red Hat Support system.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-88955-0

References:  + CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=libreport-plugin-rhtsupport
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_libreport-plugin-rhtsupport
 
 class remove_libreport-plugin-rhtsupport {
@@ -5879,27 +5869,27 @@
   - low_severity
   - no_reboot_needed
   - package_libreport-plugin-rhtsupport_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=libreport-plugin-rhtsupport
-

Rule   - Uninstall python3-abrt-addon Package -   [ref]

The python3-abrt-addon package can be removed with the following command: -

-$ sudo yum erase python3-abrt-addon

Rationale:

python3-abrt-addon contains python hook and python analyzer -plugin for handling uncaught exceptions in python programs.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-86084-1

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove python3-abrt-addon
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove libreport-plugin-rhtsupport
 #	   from the system, and may remove any packages
-#	   that depend on python3-abrt-addon. Execute this
+#	   that depend on libreport-plugin-rhtsupport. Execute this
 #	   remediation AFTER testing on a non-production
 #	   system!
 
-if rpm -q --quiet "python3-abrt-addon" ; then
+if rpm -q --quiet "libreport-plugin-rhtsupport" ; then
 
-    yum remove -y "python3-abrt-addon"
+    yum remove -y "libreport-plugin-rhtsupport"
 
 fi
+

Rule   + Uninstall python3-abrt-addon Package +   [ref]

The python3-abrt-addon package can be removed with the following command: +

+$ sudo yum erase python3-abrt-addon

Rationale:

python3-abrt-addon contains python hook and python analyzer +plugin for handling uncaught exceptions in python programs.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-86084-1

References:  + CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=python3-abrt-addon
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_python3-abrt-addon
 
 class remove_python3-abrt-addon {
@@ -5920,8 +5910,18 @@
   - low_severity
   - no_reboot_needed
   - package_python3-abrt-addon_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=python3-abrt-addon
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove python3-abrt-addon
+#	   from the system, and may remove any packages
+#	   that depend on python3-abrt-addon. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "python3-abrt-addon" ; then
+
+    yum remove -y "python3-abrt-addon"
+
+fi
 

Rule   Uninstall tuned Package   [ref]

The tuned package can be removed with the following command: @@ -5933,18 +5933,8 @@ on that information, components will then be put into lower or higher power savings modes to adapt to the current usage.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82904-4

References:  - CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040390, SV-230561r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove tuned
-#	   from the system, and may remove any packages
-#	   that depend on tuned. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "tuned" ; then
-
-    yum remove -y "tuned"
-
-fi
+            CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040390, SV-230561r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=tuned
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_tuned
 
 class remove_tuned {
@@ -5965,8 +5955,18 @@
   - medium_severity
   - no_reboot_needed
   - package_tuned_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=tuned
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove tuned
+#	   from the system, and may remove any packages
+#	   that depend on tuned. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "tuned" ; then
+
+    yum remove -y "tuned"
+
+fi
 
Group   Updating Software   Group contains 6 rules

[ref]   @@ -5990,20 +5990,7 @@ to 1 in /etc/yum.conf.

Rationale:

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82476-3

References:  - 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, RHEL-08-010440, SV-230281r854034_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
-        sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
-else
-        echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
-        echo "clean_requirements_on_remove=1" >> /etc/yum.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, RHEL-08-010440, SV-230281r854034_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6044,6 +6031,19 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
+        sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
+else
+        echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
+        echo "clean_requirements_on_remove=1" >> /etc/yum.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure gpgcheck Enabled In Main yum Configuration   [ref]

The gpgcheck option controls whether @@ -6066,35 +6066,7 @@ this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Severity: 
high
Identifiers and References

Identifiers:  CCE-80790-9

References:  - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010370, 1.2.3, SV-230264r880711_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
-else
-    if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf"
-    fi
-    cce="CCE-80790-9"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf"
-    printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6151,23 +6123,12 @@
   - low_complexity
   - medium_disruption
   - no_reboot_needed
-

Rule   - Ensure gpgcheck Enabled for Local Packages -   [ref]

yum should be configured to verify the signature(s) of local packages -prior to installation. To configure yum to verify signatures of local -packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.

Rationale:

Changes to any software components can have significant effects to the overall security -of the operating system. This requirement ensures the software has not been tampered and -has been provided by a trusted vendor. -

-Accordingly, patches, service packs, device drivers, or operating system components must -be signed with a certificate recognized and approved by the organization.

Severity: 
high
Identifiers and References

Identifiers:  - CCE-80791-7

References:  - BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-08-010371, SV-230265r877463_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q yum; then
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s = %s" "$stripped_key" "1"
@@ -6175,14 +6136,14 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
 else
     if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf"
     fi
-    cce="CCE-80791-7"
+    cce="CCE-80790-9"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf"
     printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
 fi
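Review bot: the swap `-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")` / `+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")` together with `-    cce="CCE-80791-7"` / `+    cce="CCE-80790-9"` reads as a semantic edit that would make the Local Packages remediation set the wrong key under the wrong CCE. It is not: the Main yum Configuration script (CCE-80790-9) is being re-added at the position the Local Packages script used to occupy, and the localpkg_gpgcheck script with `cce="CCE-80791-7"` is re-added in a later hunk after the Local Packages Ansible snippet. Before merging, confirm in the final rendered guide that each rule still carries its own script (`^gpgcheck` under CCE-80790-9, `^localpkg_gpgcheck` under CCE-80791-7), since a mismatch here would silently weaken package signature verification.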
@@ -6190,7 +6151,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+

Rule   + Ensure gpgcheck Enabled for Local Packages +   [ref]

yum should be configured to verify the signature(s) of local packages +prior to installation. To configure yum to verify signatures of local +packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.

Rationale:

Changes to any software components can have significant effects to the overall security +of the operating system. This requirement ensures the software has not been tampered and +has been provided by a trusted vendor. +

+Accordingly, patches, service packs, device drivers, or operating system components must +be signed with a certificate recognized and approved by the organization.

Severity: 
high
Identifiers and References

Identifiers:  + CCE-80791-7

References:  + BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-08-010371, SV-230265r877463_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6249,6 +6221,34 @@
   - medium_disruption
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+else
+    if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf"
+    fi
+    cce="CCE-80791-7"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure gpgcheck Enabled for All yum Package Repositories   [ref]

To ensure signature checking is not disabled for @@ -6260,9 +6260,7 @@ requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."

Severity: 
high
Identifiers and References

Identifiers:  CCE-80792-5

References:  - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r880711_rule

Remediation Shell script:   (show)


-sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:enable
- name: Grep for yum repo section names
   shell: |
     set -o pipefail
     grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
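Review bot: `sed -i --follow-symlinks ... "/etc/yum.conf"` in the re-added local-package script is correct and deserves a comment in the script: on RHEL 8 `/etc/yum.conf` is a symlink to `/etc/dnf/dnf.conf`, and a plain `sed -i` would replace the link with a regular file that dnf never reads. The append branch, however, writes `localpkg_gpgcheck = 1` with `printf '%s\n' "$formatted_output" >> "/etc/yum.conf"` without checking that a `[main]` header precedes it, so on an empty or truncated file the key lands outside any section; either guard for the header or document that the stock `[main]` section is assumed.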
@@ -6323,6 +6321,8 @@
   - low_complexity
   - medium_disruption
   - no_reboot_needed
+
Remediation Shell script:   (show)


+sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*
 

Rule   Ensure Red Hat GPG Key Installed   [ref]

To ensure the system can cryptographically verify base software packages @@ -6346,34 +6346,7 @@ The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80795-8

References:  - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010019, 1.2.2, SV-256973r902752_rule

Remediation Shell script:   (show)

# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
-readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
-readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
-
-# Location of the key we would like to import (once it's integrity verified)
-readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-
-RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")
-
-# Verify /etc/pki/rpm-gpg directory permissions are safe
-if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
-then
-  # If they are safe, try to obtain fingerprints from the key file
-  # (to ensure there won't be e.g. CRC error).
-
-  readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
-
-  GPG_RESULT=$?
-  # No CRC error, safe to proceed
-  if [ "${GPG_RESULT}" -eq "0" ]
-  then
-    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
-      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
-      rpm --import "${REDHAT_RELEASE_KEY}"
-    }
-  fi
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:false
Strategy:restrict
- name: Read permission of GPG key directory
   stat:
     path: /etc/pki/rpm-gpg/
   register: gpg_key_directory_permission
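Review bot: `sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*` is unanchored, so it also matches the tail of `repo_gpgcheck=0` or `localpkg_gpgcheck=0` in a repo file and silently flips them to `1`, which can turn on metadata signature checks a repository was never configured for; anchor the pattern to the line start (`s/^\s*gpgcheck\s*=.*/gpgcheck=1/`). Two further gaps: a repo section that has no `gpgcheck` line at all is left untouched and simply inherits the `[main]` setting, so this remediation does not by itself guarantee per-repository checking, and the bare `*` glob hands any non-`.repo` file or subdirectory in the directory to `sed -i`, which errors on a directory; `/etc/yum.repos.d/*.repo` is the safer target.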
@@ -6495,6 +6468,33 @@
   - medium_disruption
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
+readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+
+# Location of the key we would like to import (once it's integrity verified)
+readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+
+RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")
+
+# Verify /etc/pki/rpm-gpg directory permissions are safe
+if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
+then
+  # If they are safe, try to obtain fingerprints from the key file
+  # (to ensure there won't be e.g. CRC error).
+
+  readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
+
+  GPG_RESULT=$?
+  # No CRC error, safe to proceed
+  if [ "${GPG_RESULT}" -eq "0" ]
+  then
+    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
+      rpm --import "${REDHAT_RELEASE_KEY}"
+    }
+  fi
+fi
 

Rule   Ensure Software Patches Installed   [ref]

@@ -6513,10 +6513,7 @@ users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80865-9

References:  - BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, RHEL-08-010010, 1.9, SV-230222r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch

-
-yum -y update
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch
- name: Security patches are up to date
   package:
     name: '*'
     state: latest
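Review bot: in the re-added GPG key script, `GPG_RESULT=$?` right after `readarray -t GPG_OUT < <(gpg ... | cut -d ":" -f 10)` captures the exit status of `readarray`, not of the pipeline inside the process substitution, so the `-eq "0"` guard meant to detect a CRC or parse error always passes. The script still ends up safe on a corrupt key only by accident: `GPG_OUT` is empty, `echo "${GPG_OUT[*]}"` emits one empty line, `grep -vE` prints it and exits 0, and the `rpm --import` block is skipped; make the intent explicit by running gpg into a variable and testing its status, or at least by requiring `"${#GPG_OUT[@]}" -gt 0` before the fingerprint comparison. Separately, `[ "${RPM_GPG_DIR_PERMS}" -le "755" ]` compares the octal mode from `stat -c %a` as a decimal number, so a directory with mode 0727 (group- and world-writable) passes the check; a bitmask test such as `[ $(( 8#$RPM_GPG_DIR_PERMS & 8#022 )) -eq 0 ]` checks what the comment actually promises.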
@@ -6536,6 +6533,9 @@
   - reboot_required
   - security_patches_up_to_date
   - skip_ansible_lint
+
Remediation Shell script:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch

+
+yum -y update
 
Group   Account and Access Control   Group contains 18 groups and 79 rules

[ref]   @@ -6594,68 +6594,7 @@ For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80768-5

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010049, 1.8.2, SV-244519r743806_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
-then
-    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}"
-then
-        sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}"
-    else
-        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \
-            | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
-    sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/
-then
-    echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+            1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010049, 1.8.2, SV-244519r743806_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6732,50 +6671,9 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   - Set the GNOME3 Login Warning Banner Text -   [ref]

In the default graphical environment, configuring the login warning banner text -in the GNOME Display Manager's login screen can be configured on the login -screen by setting banner-message-text to 'APPROVED_BANNER' -where APPROVED_BANNER is the approved banner for your environment. -

-To enable, add or edit banner-message-text to - -/etc/dconf/db/gdm.d/00-security-settings. For example: -

[org/gnome/login-screen]
-banner-message-text='APPROVED_BANNER'
-Once the setting has been added, add a lock to -/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/login-screen/banner-message-text
- -After the settings have been set, run dconf update. -When entering a warning banner that spans several lines, remember -to begin and end the string with ' and use \n for new lines.

Rationale:

An appropriate warning message reinforces policy awareness during the logon -process and facilitates possible legal action against attackers.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80770-1

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010050, 1.8.2, SV-230226r743916_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm; then
 
-login_banner_text='^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[
\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$'
-
-
-# Multiple regexes transform the banner regex into a usable banner
-# 0 - Remove anchors around the banner text
-login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
-# 1 - Keep only the first banners if there are multiple
-#    (dod_banners contains the long and short banner)
-login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
-# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
-login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
-# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
-login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g')
-# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
-login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
-# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
-#    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
-login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g')
-
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
@@ -6789,10 +6687,10 @@
 # Comment out the configurations in databases different from the target one
 if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
-    if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}"
+    if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}"
     then
         
-        sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}"
+        sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}"
     fi
 fi
 
@@ -6802,17 +6700,17 @@
     printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
 fi
 
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")"
-if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}"
 then
-        sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}"
+        sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}"
     else
-        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}"
+        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" \
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \
             | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
 
@@ -6821,12 +6719,12 @@
 # Comment out the configurations in databases different from the target one
 if [[ ! -z "${LOCKFILES}" ]]
 then
-    sed -i -E "s|^/org/gnome/login-screen/banner-message-text$|#&|" "${LOCKFILES[@]}"
+    sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}"
 fi
 
-if ! grep -qr "^/org/gnome/login-screen/banner-message-text$" /etc/dconf/db/gdm.d/
+if ! grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/
 then
-    echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
+    echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
 fi
 
 dconf update
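Review bot: this hunk and the two before it rename `banner-message-text` to `banner-message-enable` in the grep, sed, `LOCKFILES` and lock-file lines but change nothing else, which means the diff is aligning the text-banner rule's script against the enable-banner rule's script because the two rules swapped positions in the regenerated HTML; the enable script is removed whole earlier in this patch and the text script is added whole after this hunk, so neither remediation actually changed. Nothing to fix; a per-rule (per-CCE) comparison would show this publish as a reorder.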
@@ -6834,7 +6732,29 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+

Rule   + Set the GNOME3 Login Warning Banner Text +   [ref]

In the default graphical environment, configuring the login warning banner text +in the GNOME Display Manager's login screen can be configured on the login +screen by setting banner-message-text to 'APPROVED_BANNER' +where APPROVED_BANNER is the approved banner for your environment. +

+To enable, add or edit banner-message-text to + +/etc/dconf/db/gdm.d/00-security-settings. For example: +

[org/gnome/login-screen]
+banner-message-text='APPROVED_BANNER'
+Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/login-screen/banner-message-text
+ +After the settings have been set, run dconf update. +When entering a warning banner that spans several lines, remember +to begin and end the string with ' and use \n for new lines.

Rationale:

An appropriate warning message reinforces policy awareness during the logon +process and facilitates possible legal action against attackers.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80770-1

References:  + 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010050, 1.8.2, SV-230226r743916_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6963,6 +6883,86 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm; then
+
+login_banner_text='^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[
\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$'
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+#    (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g')
+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
+#    ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
+login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g')
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
+DBDIR="/etc/dconf/db/gdm.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+    if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}"
+    then
+        
+        sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}"
+    fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+then
+    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")"
+if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}"
+then
+        sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}"
+    else
+        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" \
+            | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+    sed -i -E "s|^/org/gnome/login-screen/banner-message-text$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/login-screen/banner-message-text$" /etc/dconf/db/gdm.d/
+then
+    echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Modify the System Login Banner   [ref]
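Review bot: in the re-added banner-text script, `LOCKFILES=$(grep -r ... | cut -d":" -f1)` stores a newline-separated string, but it is then expanded as an array in `sed -i -E ... "${LOCKFILES[@]}"`, so when more than one database file already defines the lock the paths are passed to sed as a single argument and the edit fails with a no-such-file error (the one-file case works only because a scalar and a one-element array expand the same way); the settings half of the same script already handles this with `readarray -t SETTINGSFILES < <(...)` and the lock half should match it. Smaller points: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` appends a blank line on every run so repeated remediation keeps growing the file, and the comments read "parethesis" and "escapce" where "parenthesis" and "escape" are meant.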

@@ -7005,7 +7005,32 @@ with human users and are not required when such human interfaces do not exist.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80763-6

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010060, 1.7.2, SV-230227r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: XCCDF Value login_banner_text # promote to variable
+  set_fact:
+    login_banner_text: !!str ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+inve
stigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
+  tags:
+    - always
+
+- name: Modify the System Login Banner - Ensure Correct Banner
+  copy:
+    dest: /etc/issue
+    content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+      "\n") | regex_replace("\\", "") | wordwrap() }}'
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80763-6
+  - DISA-STIG-RHEL-08-010060
+  - NIST-800-171-3.1.9
+  - NIST-800-53-AC-8(a)
+  - NIST-800-53-AC-8(c)
+  - banner_etc_issue
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 login_banner_text='^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[
\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$'
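Review bot: the container guard differs between the two remediations of the same rule: the Ansible task skips on `when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]` while the shell script tests marker files with `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then`, so a host where one test fires and the other does not will get /etc/issue written by one remediation path and left alone by the other; align both on a single detection method or document why they diverge. Separately, the `content:` expression recovers the banner prose from the regex held in `login_banner_text` through five chained `regex_replace` filters; a one-line comment stating that the XCCDF value is a regular expression and that the filters unescape it into plain text would spare the next reader from reverse-engineering the chain.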
@@ -7031,31 +7056,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: XCCDF Value login_banner_text # promote to variable
-  set_fact:
-    login_banner_text: !!str ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+inve
stigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
-  tags:
-    - always
-
-- name: Modify the System Login Banner - Ensure Correct Banner
-  copy:
-    dest: /etc/issue
-    content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
-      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
-      "\n") | regex_replace("\\", "") | wordwrap() }}'
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80763-6
-  - DISA-STIG-RHEL-08-010060
-  - NIST-800-171-3.1.9
-  - NIST-800-53-AC-8(a)
-  - NIST-800-53-AC-8(c)
-  - banner_etc_issue
-  - low_complexity
-  - medium_disruption
-  - medium_severity
-  - no_reboot_needed
-  - unknown_strategy
 
Group   Protect Accounts by Configuring PAM   Group contains 4 groups and 31 rules

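Review bot: the removed block from `- name: XCCDF Value login_banner_text # promote to variable` through `-  - unknown_strategy` is byte-identical to the block added in the preceding hunk, so this is a relocation of the snippet inside the rendered guide rather than a change to the remediation. If the publisher's output order is not stable across runs, moves like this will reappear in every automated publish and bury real changes; sorting rendered rules and their snippets by a fixed key (for example the rule id) before writing the HTML would remove the churn.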
[ref]   @@ -7185,201 +7185,7 @@ updated.

Rationale:

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83478-8

References:  - 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, 8.3.7, SRG-OS-000077-GPOS-00045, RHEL-08-020220, 5.5.3, SV-230368r902759_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-var_password_pam_remember='5'
-var_password_pam_remember_control_flag='requisite,required'
-
-
-var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
-
-if [ -f /usr/bin/authselect ]; then
-    if authselect list-features minimal | grep -q with-pwhistory; then
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-        authselect enable-feature with-pwhistory
-
-        authselect apply-changes -b
-    else
-        
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-
-        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-        # If not already in use, a custom profile is created preserving the enabled features.
-        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-            authselect create-profile hardening -b $CURRENT_PROFILE
-            CURRENT_PROFILE="custom/hardening"
-            
-            authselect apply-changes -b --backup=before-hardening-custom-profile
-            authselect select $CURRENT_PROFILE
-            for feature in $ENABLED_FEATURES; do
-                authselect enable-feature $feature;
-            done
-            
-            authselect apply-changes -b --backup=after-hardening-custom-profile
-        fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
-        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-        authselect apply-changes -b
-        if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
-            # Line matching group + control + module was not found. Check group + module.
-            if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
-                # The control is updated only if one single line matches.
-                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
-            else
-                LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
-                if [ ! -z $LAST_MATCH_LINE ]; then
-                    sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "$PAM_FILE_PATH"
-                else
-                    echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
-                fi
-            fi
-        fi
-    fi
-else
-    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then
-        # Line matching group + control + module was not found. Check group + module.
-        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then
-            # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth"
-        else
-            LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1)
-            if [ ! -z $LAST_MATCH_LINE ]; then
-                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/password-auth"
-            else
-                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/password-auth"
-            fi
-        fi
-    fi
-fi
-
-PWHISTORY_CONF="/etc/security/pwhistory.conf"
-if [ -f $PWHISTORY_CONF ]; then
-    regex="^\s*remember\s*="
-    line="remember = $var_password_pam_remember"
-    if ! grep -q $regex $PWHISTORY_CONF; then
-        echo $line >> $PWHISTORY_CONF
-    else
-        sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF
-    fi
-    if [ -e "/etc/pam.d/password-auth" ] ; then
-        PAM_FILE_PATH="/etc/pam.d/password-auth"
-        if [ -f /usr/bin/authselect ]; then
-            
-            if ! authselect check; then
-            echo "
-            authselect integrity check failed. Remediation aborted!
-            This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-            It is not recommended to manually edit the PAM files when authselect tool is available.
-            In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-            exit 1
-            fi
-
-            CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-            # If not already in use, a custom profile is created preserving the enabled features.
-            if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-                ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-                authselect create-profile hardening -b $CURRENT_PROFILE
-                CURRENT_PROFILE="custom/hardening"
-                
-                authselect apply-changes -b --backup=before-hardening-custom-profile
-                authselect select $CURRENT_PROFILE
-                for feature in $ENABLED_FEATURES; do
-                    authselect enable-feature $feature;
-                done
-                
-                authselect apply-changes -b --backup=after-hardening-custom-profile
-            fi
-            PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
-            PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-            authselect apply-changes -b
-        fi
-        
-    if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
-    fi
-        if [ -f /usr/bin/authselect ]; then
-            
-            authselect apply-changes -b
-        fi
-    else
-        echo "/etc/pam.d/password-auth was not found" >&2
-    fi
-else
-    PAM_FILE_PATH="/etc/pam.d/password-auth"
-    if [ -f /usr/bin/authselect ]; then
-        
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-
-        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-        # If not already in use, a custom profile is created preserving the enabled features.
-        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-            authselect create-profile hardening -b $CURRENT_PROFILE
-            CURRENT_PROFILE="custom/hardening"
-            
-            authselect apply-changes -b --backup=before-hardening-custom-profile
-            authselect select $CURRENT_PROFILE
-            for feature in $ENABLED_FEATURES; do
-                authselect enable-feature $feature;
-            done
-            
-            authselect apply-changes -b --backup=after-hardening-custom-profile
-        fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
-        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-        authselect apply-changes -b
-    fi
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
-        # Line matching group + control + module was not found. Check group + module.
-        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
-            # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
-        else
-            echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
-        fi
-    fi
-    # Check the option
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
-        sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
-    else
-        sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
-    fi
-    if [ -f /usr/bin/authselect ]; then
-        
-        authselect apply-changes -b
-    fi
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+            1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, 8.3.7, SRG-OS-000077-GPOS-00045, RHEL-08-020220, 5.5.3, SV-230368r902759_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
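Review bot: in the removed shell script the control flag is reduced to its first token by `var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"`, so the value `'requisite,required'` always collapses to `requisite` and the `required` alternative is dead; worse, an existing `password required pam_pwhistory.so` line fails the check `grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*'` and is rewritten to `requisite`, which changes stack semantics on a system that deliberately chose `required`. Either make the variable a single control or accept any listed control when matching an existing line. Also quote the expansions in `grep -q $regex $PWHISTORY_CONF`, `echo $line >> $PWHISTORY_CONF` and `[ ! -z $LAST_MATCH_LINE ]` (the last one only works by accident when the variable is empty), and consider factoring the authselect integrity-check block, which appears three times verbatim here, into a function. Note that this hunk only removes the password-auth script and adds a references line; the same script body reappears further down once the system-auth paths are renamed, so the net effect is a reordering of two rules rather than a content change.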
@@ -8236,35 +8042,7 @@
   - medium_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - Limit Password Reuse: system-auth -   [ref]

Do not allow users to reuse recent passwords. This can be accomplished by using the -remember option for the pam_pwhistory PAM module. -

- -On systems with newer versions of authselect, the pam_pwhistory PAM module -can be enabled via authselect feature: -

authselect enable-feature with-pwhistory
- -Otherwise, it should be enabled using an authselect custom profile. -

-Newer systems also have the /etc/security/pwhistory.conf file for setting -pam_pwhistory module options. This file should be used whenever available. -Otherwise, the pam_pwhistory module options can be set in PAM files. -

-The value for remember option must be equal or greater than -5

Warning:  - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report.
Warning:  - Newer versions of authselect contain an authselect feature to easily and properly -enable pam_pwhistory.so module. If this feature is not yet available in your -system, an authselect custom profile must be used to avoid integrity issues in PAM files.
Rationale:

Preventing re-use of previous passwords helps ensure that a compromised password is not -re-used by a user.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-83480-4

References:  - 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, 8.3.7, SRG-OS-000077-GPOS-00045, RHEL-08-020221, 5.5.3, SV-251717r902749_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
 var_password_pam_remember='5'
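Review bot: the diff markers land mid-sentence in the removed description (`using the -remember option`, `equal or greater than -5`, `is not -re-used by a user`) because the rendered HTML breaks lines inside sentences; emitting one line per paragraph in the rendered guide would make these hunks readable and let reviewers spot actual wording changes. As rendered, the only content this hunk adds is a second `Remediation Shell script:` header directly after the first, so the visible change is the start of a rule swap (system-auth and password-auth exchange positions), not an edit to the rule text.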
@@ -8312,7 +8090,7 @@
             
             authselect apply-changes -b --backup=after-hardening-custom-profile
         fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
         PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
         authselect apply-changes -b
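Review bot: `PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")` forks a subprocess to compute a constant from a literal path; since the path is hard-coded, `PAM_FILE_NAME="password-auth"` says the same thing without the subshell. If the path is templated from the rule variable, keep the expansion but reference the variable rather than repeating the literal.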
@@ -8332,17 +8110,17 @@
         fi
     fi
 else
-    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then
+    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then
         # Line matching group + control + module was not found. Check group + module.
-        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
+        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then
             # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth"
+            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth"
         else
-            LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1)
+            LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1)
             if [ ! -z $LAST_MATCH_LINE ]; then
-                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/system-auth"
+                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/password-auth"
             else
-                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/system-auth"
+                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/password-auth"
             fi
         fi
     fi
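Review bot: the fallback in the non-authselect branch appends `echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/password-auth"` whenever no `password requisite pam_pwquality.so` line is found, which places pam_pwhistory.so after the existing `pam_unix.so` entry at the end of the password stack; if that entry is `sufficient`, the history check is never evaluated on a successful password change, so the rule reads as remediated while the control is ineffective. Anchor the insertion before the first `pam_unix.so` password line when no pwquality line exists, and quote `$LAST_MATCH_LINE` in the `[ ! -z $LAST_MATCH_LINE ]` test.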
@@ -8357,8 +8135,8 @@
     else
         sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF
     fi
-    if [ -e "/etc/pam.d/system-auth" ] ; then
-        PAM_FILE_PATH="/etc/pam.d/system-auth"
+    if [ -e "/etc/pam.d/password-auth" ] ; then
+        PAM_FILE_PATH="/etc/pam.d/password-auth"
         if [ -f /usr/bin/authselect ]; then
             
             if ! authselect check; then
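Review bot: the existence test `if [ -e "/etc/pam.d/password-auth" ] ; then` checks the file in /etc/pam.d, but on an authselect system the edits are applied to `PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"`, a different file; the check should be on the file that is actually edited, otherwise a missing or unreadable profile copy is only discovered when sed fails.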
@@ -8385,7 +8163,7 @@
                 
                 authselect apply-changes -b --backup=after-hardening-custom-profile
             fi
-            PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+            PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
             PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
             authselect apply-changes -b
@@ -8399,10 +8177,10 @@
             authselect apply-changes -b
         fi
     else
-        echo "/etc/pam.d/system-auth was not found" >&2
+        echo "/etc/pam.d/password-auth was not found" >&2
     fi
 else
-    PAM_FILE_PATH="/etc/pam.d/system-auth"
+    PAM_FILE_PATH="/etc/pam.d/password-auth"
     if [ -f /usr/bin/authselect ]; then
         
         if ! authselect check; then
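Review bot: the else branch at `echo "/etc/pam.d/password-auth was not found" >&2` reports the missing PAM file but does not change the exit status, so the remediation ends with exit 0 and the harness records it as applied even though nothing was configured. Return a non-zero status here, consistent with the `exit 1` used when the authselect integrity check fails.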
@@ -8429,7 +8207,7 @@
             
             authselect apply-changes -b --backup=after-hardening-custom-profile
         fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
         PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
         authselect apply-changes -b
@@ -8458,7 +8236,35 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+

Rule   + Limit Password Reuse: system-auth +   [ref]

Do not allow users to reuse recent passwords. This can be accomplished by using the +remember option for the pam_pwhistory PAM module. +

+ +On systems with newer versions of authselect, the pam_pwhistory PAM module +can be enabled via authselect feature: +

authselect enable-feature with-pwhistory
+ +Otherwise, it should be enabled using an authselect custom profile. +

+Newer systems also have the /etc/security/pwhistory.conf file for setting +pam_pwhistory module options. This file should be used whenever available. +Otherwise, the pam_pwhistory module options can be set in PAM files. +

+The value for remember option must be equal or greater than +5

Warning:  + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report.
Warning:  + Newer versions of authselect contain an authselect feature to easily and properly +enable pam_pwhistory.so module. If this feature is not yet available in your +system, an authselect custom profile must be used to avoid integrity issues in PAM files.
Rationale:

Preventing re-use of previous passwords helps ensure that a compromised password is not +re-used by a user.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-83480-4

References:  + 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, 8.3.7, SRG-OS-000077-GPOS-00045, RHEL-08-020221, 5.5.3, SV-251717r902749_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
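Review bot: in the added description `+The value for remember option must be equal or greater than +5`, the standard phrasing is "equal to or greater than 5" and the sentence has no terminating period (the rendered guide wraps before `5`, which is why the marker lands there). The first Warning also promises that an informative message "will be shown in the remediation report" when the authselect integrity check fails, but the shell remediation prints that message to stdout via `echo "` while the not-applicable message uses `>&2 echo`; whether it reaches the report depends on which stream the harness captures, so emit both diagnostics on the same stream.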
@@ -9314,109 +9120,205 @@
   - medium_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - Account Lockouts Must Be Logged -   [ref]

PAM faillock locks an account due to excessive password failures, this event must be logged.

Rationale:

Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-86099-9

References:  - CCI-000044, AC-7 (a), SRG-OS-000021-GPOS-00005, RHEL-08-020021, SV-230343r743981_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+var_password_pam_remember='5'
+var_password_pam_remember_control_flag='requisite,required'
+
+
+var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
 
 if [ -f /usr/bin/authselect ]; then
-    if ! authselect check; then
-echo "
-authselect integrity check failed. Remediation aborted!
-This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-It is not recommended to manually edit the PAM files when authselect tool is available.
-In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-exit 1
-fi
-authselect enable-feature with-faillock
+    if authselect list-features minimal | grep -q with-pwhistory; then
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
+        authselect enable-feature with-pwhistory
 
-authselect apply-changes -b
+        authselect apply-changes -b
+    else
+        
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
+
+        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+        # If not already in use, a custom profile is created preserving the enabled features.
+        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+            authselect create-profile hardening -b $CURRENT_PROFILE
+            CURRENT_PROFILE="custom/hardening"
+            
+            authselect apply-changes -b --backup=before-hardening-custom-profile
+            authselect select $CURRENT_PROFILE
+            for feature in $ENABLED_FEATURES; do
+                authselect enable-feature $feature;
+            done
+            
+            authselect apply-changes -b --backup=after-hardening-custom-profile
+        fi
+        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+        authselect apply-changes -b
+        if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+            # Line matching group + control + module was not found. Check group + module.
+            if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
+                # The control is updated only if one single line matches.
+                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
+            else
+                LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+                if [ ! -z $LAST_MATCH_LINE ]; then
+                    sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "$PAM_FILE_PATH"
+                else
+                    echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
+                fi
+            fi
+        fi
+    fi
 else
-    
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
-for pam_file in "${AUTH_FILES[@]}"
-do
-    if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
-        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth        required      pam_faillock.so preauth silent' "$pam_file"
-        sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth        required      pam_faillock.so authfail' "$pam_file"
-        sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account     required      pam_faillock.so' "$pam_file"
+    if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then
+        # Line matching group + control + module was not found. Check group + module.
+        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
+            # The control is updated only if one single line matches.
+            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth"
+        else
+            LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1)
+            if [ ! -z $LAST_MATCH_LINE ]; then
+                sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' "/etc/pam.d/system-auth"
+            else
+                echo 'password    '"$var_password_pam_remember_control_flag"'    pam_pwhistory.so' >> "/etc/pam.d/system-auth"
+            fi
+        fi
     fi
-    sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' "$pam_file"
-done
-
 fi
 
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
-
-FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*audit"
-    line="audit"
-    if ! grep -q $regex $FAILLOCK_CONF; then
-        echo $line >> $FAILLOCK_CONF
+PWHISTORY_CONF="/etc/security/pwhistory.conf"
+if [ -f $PWHISTORY_CONF ]; then
+    regex="^\s*remember\s*="
+    line="remember = $var_password_pam_remember"
+    if ! grep -q $regex $PWHISTORY_CONF; then
+        echo $line >> $PWHISTORY_CONF
+    else
+        sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_remember"'|g' $PWHISTORY_CONF
     fi
-    for pam_file in "${AUTH_FILES[@]}"
-    do
-        if [ -e "$pam_file" ] ; then
-            PAM_FILE_PATH="$pam_file"
-            if [ -f /usr/bin/authselect ]; then
+    if [ -e "/etc/pam.d/system-auth" ] ; then
+        PAM_FILE_PATH="/etc/pam.d/system-auth"
+        if [ -f /usr/bin/authselect ]; then
+            
+            if ! authselect check; then
+            echo "
+            authselect integrity check failed. Remediation aborted!
+            This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+            It is not recommended to manually edit the PAM files when authselect tool is available.
+            In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+            exit 1
+            fi
+
+            CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+            # If not already in use, a custom profile is created preserving the enabled features.
+            if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                authselect create-profile hardening -b $CURRENT_PROFILE
+                CURRENT_PROFILE="custom/hardening"
                 
-                if ! authselect check; then
-                echo "
-                authselect integrity check failed. Remediation aborted!
-                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-                It is not recommended to manually edit the PAM files when authselect tool is available.
-                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-                exit 1
-                fi
+                authselect apply-changes -b --backup=before-hardening-custom-profile
+                authselect select $CURRENT_PROFILE
+                for feature in $ENABLED_FEATURES; do
+                    authselect enable-feature $feature;
+                done
+                
+                authselect apply-changes -b --backup=after-hardening-custom-profile
+            fi
+            PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+            PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
-                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-                # If not already in use, a custom profile is created preserving the enabled features.
-                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-                    authselect create-profile hardening -b $CURRENT_PROFILE
-                    CURRENT_PROFILE="custom/hardening"
-                    
-                    authselect apply-changes -b --backup=before-hardening-custom-profile
-                    authselect select $CURRENT_PROFILE
-                    for feature in $ENABLED_FEATURES; do
-                        authselect enable-feature $feature;
-                    done
-                    
-                    authselect apply-changes -b --backup=after-hardening-custom-profile
-                fi
-                PAM_FILE_NAME=$(basename "$pam_file")
-                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+            authselect apply-changes -b
+        fi
+        
+    if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+    fi
+        if [ -f /usr/bin/authselect ]; then
+            
+            authselect apply-changes -b
+        fi
+    else
+        echo "/etc/pam.d/system-auth was not found" >&2
+    fi
+else
+    PAM_FILE_PATH="/etc/pam.d/system-auth"
+    if [ -f /usr/bin/authselect ]; then
+        
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
 
-                authselect apply-changes -b
-            fi
+        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+        # If not already in use, a custom profile is created preserving the enabled features.
+        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+            authselect create-profile hardening -b $CURRENT_PROFILE
+            CURRENT_PROFILE="custom/hardening"
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+            authselect apply-changes -b --backup=before-hardening-custom-profile
+            authselect select $CURRENT_PROFILE
+            for feature in $ENABLED_FEATURES; do
+                authselect enable-feature $feature;
+            done
+            
+            authselect apply-changes -b --backup=after-hardening-custom-profile
         fi
-            if [ -f /usr/bin/authselect ]; then
-                
-                authselect apply-changes -b
-            fi
+        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+        authselect apply-changes -b
+    fi
+    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+        # Line matching group + control + module was not found. Check group + module.
+        if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
+            # The control is updated only if one single line matches.
+            sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
         else
-            echo "$pam_file was not found" >&2
-        fi
-    done
-else
-    for pam_file in "${AUTH_FILES[@]}"
-    do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
+            echo 'password    '"requisite"'    pam_pwhistory.so' >> "$PAM_FILE_PATH"
         fi
-    done
+    fi
+    # Check the option
+    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
+        sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
+    else
+        sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
+    fi
+    if [ -f /usr/bin/authselect ]; then
+        
+        authselect apply-changes -b
+    fi
 fi
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Account Lockouts Must Be Logged - Check if system relies on authselect tool
+

Rule   + Account Lockouts Must Be Logged +   [ref]

PAM faillock locks an account due to excessive password failures, this event must be logged.

Rationale:

Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-86099-9

References:  + CCI-000044, AC-7 (a), SRG-OS-000021-GPOS-00005, RHEL-08-020021, SV-230343r743981_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Account Lockouts Must Be Logged - Check if system relies on authselect tool
   ansible.builtin.stat:
     path: /usr/bin/authselect
   register: result_authselect_present
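Review bot: the control flag for pam_pwhistory.so is applied inconsistently in this hunk. The first block ensures the line using the variable (`if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"`), but the fallback taken when /etc/security/pwhistory.conf is absent hardcodes the literal (`if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"`) and its single-match sed then rewrites the control to `requisite`, so on such systems any non-default value of the variable is silently overridden; use the variable in both places or state in the rule text that the fallback forces requisite. Two smaller points: `if [ ! -z $LAST_MATCH_LINE ]` should quote the expansion (`[ -n "$LAST_MATCH_LINE" ]`), and inside the pwhistory.conf branch `authselect apply-changes -b` is issued both before and immediately after the sed that strips `remember` from the profile file; the first apply does nothing the profile-creation block has not already done, and that sed block sits one indentation level out from the `if [ -e "/etc/pam.d/system-auth" ]` body it belongs to.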
@@ -9997,37 +9899,8 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Lock Accounts After Failed Password Attempts -   [ref]

This rule configures the system to lock out accounts after a number of incorrect login attempts -using pam_faillock.so. -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. - -Ensure that the file /etc/security/faillock.conf contains the following entry: -deny = <count> -Where count should be less than or equal to -3 and greater than 0. - - -In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version.

Warning:  - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts, the risk of unauthorized system access via -user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking -the account.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80667-9

References:  - BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020011, 5.4.2, 5.5.2, SV-230333r743966_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-var_accounts_passwords_pam_faillock_deny='3'
-
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; then
 
 if [ -f /usr/bin/authselect ]; then
     if ! authselect check; then
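Review bot: the new applicability guard in this hunk keys strictly on `ID=rhel` and on VERSION_ID ordering at or above 8.2 (`expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC`), replacing the previous `if rpm --quiet -q pam; then`. A host whose /etc/os-release carries a different ID (derivative rebuilds) will print 'Remediation is not applicable, nothing was done' even though the same pam and faillock.conf layout is present. If that narrowing is intended it should be stated in the rule's description or warning; otherwise extend the match to ID_LIKE as well.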
@@ -10060,12 +9933,10 @@
 
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*deny\s*="
-    line="deny = $var_accounts_passwords_pam_faillock_deny"
+    regex="^\s*audit"
+    line="audit"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
-    else
-        sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF
     fi
     for pam_file in "${AUTH_FILES[@]}"
     do
@@ -10103,8 +9974,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 
@@ -10117,12 +9988,8 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
-        else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/' "$pam_file"
         fi
     done
 fi
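Review bot: the guard and the edit in this hunk are asymmetric. The check `if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*audit' "$pam_file"` is satisfied when `audit` appears on either the preauth or the authfail line, but the only edit is `sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ audit/'`, so a file that carries `audit` solely on the authfail line passes the check and never gets it on preauth. The removed `deny` variant this replaces appended to both lines; either do the same for `audit` or restrict the guard to the preauth line so the check and the edit agree.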
@@ -10130,7 +9997,33 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Lock Accounts After Failed Password Attempts +   [ref]

This rule configures the system to lock out accounts after a number of incorrect login attempts +using pam_faillock.so. +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +deny = <count> +Where count should be less than or equal to +3 and greater than 0. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version.

Warning:  + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts, the risk of unauthorized system access via +user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking +the account.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80667-9

References:  + BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020011, 5.4.2, 5.5.2, SV-230333r743966_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
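Review bot: this hunk re-adds the 'Lock Accounts After Failed Password Attempts' rule (CCE-80667-9, RHEL-08-020011) word for word, including its description, warning, references and the `- name: Gather the package facts` Ansible header, after an earlier hunk removed the identical block; the diff therefore records a change of position, not of content. The publisher should emit rules in a stable order (or the comparison should use a move-aware diff) so that a publish-to-publish diff shows only real remediation changes and reviewers are not asked to re-read unchanged rule text.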
@@ -10819,28 +10712,12 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Configure the root Account for Failed Password Attempts -   [ref]

This rule configures the system to lock out the root account after a number of -incorrect login attempts using pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version.

Warning:  - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts, the risk of unauthorized system access via -user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking -the account.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80668-7

References:  - BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020023, SV-230345r743984_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
+var_accounts_passwords_pam_faillock_deny='3'
+
+
 if [ -f /usr/bin/authselect ]; then
     if ! authselect check; then
 echo "
@@ -10872,10 +10749,12 @@
 
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*even_deny_root"
-    line="even_deny_root"
+    regex="^\s*deny\s*="
+    line="deny = $var_accounts_passwords_pam_faillock_deny"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
+    else
+        sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF
     fi
     for pam_file in "${AUTH_FILES[@]}"
     do
@@ -10913,8 +10792,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 
@@ -10927,9 +10806,12 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
+        else
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
         fi
     done
 fi
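Review bot: the update path in this hunk can leave the two faillock lines out of step. The guard `if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"` passes as soon as either line carries `deny`, after which the else branch only rewrites an existing value (`sed ... 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/'`); a file with `deny=` on preauth only never receives it on authfail. The rewrite patterns also require the control word `required`, so an authfail line still using `[default=die]` is skipped unless the normalising sed shown near the top of this diff has already run. Apply the add-or-update decision per line rather than per file.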
@@ -10937,7 +10819,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Configure the root Account for Failed Password Attempts +   [ref]

This rule configures the system to lock out the root account after a number of +incorrect login attempts using pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version.

Warning:  + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts, the risk of unauthorized system access via +user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking +the account.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80668-7

References:  + BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020023, SV-230345r743984_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -11570,36 +11471,9 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Lock Accounts Must Persist -   [ref]

This rule ensures that the system lock out accounts using pam_faillock.so persist -after system reboot. From "pam_faillock" man pages: -

Note that the default directory that "pam_faillock" uses is usually cleared on system
-boot so the access will be reenabled after system reboot. If that is undesirable, a different
-tally directory must be set with the "dir" option.
- -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - -The chosen profile expects the directory to be /var/log/faillock.

Warning:  - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file.
Rationale:

Locking out user accounts after a number of incorrect attempts prevents direct password -guessing attacks. In combination with the silent option, user enumeration attacks -are also mitigated.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-86067-6

References:  - CCI-000044, CCI-002238, AC-7(b), AC-7(a), AC-7.1(ii), SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, RHEL-08-020016, RHEL-08-020017, SV-230338r627750_rule, SV-230339r743975_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_accounts_passwords_pam_faillock_dir='/var/log/faillock'
-
-
 if [ -f /usr/bin/authselect ]; then
     if ! authselect check; then
 echo "
@@ -11631,12 +11505,10 @@
 
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*dir\s*="
-    line="dir = $var_accounts_passwords_pam_faillock_dir"
+    regex="^\s*even_deny_root"
+    line="even_deny_root"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
-    else
-        sed -i --follow-symlinks 's|^\s*\(dir\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_dir"'|g' $FAILLOCK_CONF
     fi
     for pam_file in "${AUTH_FILES[@]}"
     do
@@ -11674,8 +11546,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
                 
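Review bot: the removed strip-option sed in this hunk, `sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"`, could not handle the value it was written for: `[[:alnum:]]*` stops at the first `/`, so `dir=/var/log/faillock` would have been reduced to a bare `/var/log/faillock` token left on the pam_faillock line. The `even_deny_root` replacement is a flag with no value, so the same pattern is fine here, but if the `dir` variant still exists elsewhere in the guide its value class should be `[^[:space:]]*`.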
@@ -11688,34 +11560,41 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file"
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file"
-        else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
         fi
     done
 fi
 
-if ! rpm -q --quiet "python3-libselinux" ; then
-    yum install -y "python3-libselinux"
-fi
-if ! rpm -q --quiet "python3-policycoreutils" ; then
-    yum install -y "python3-policycoreutils"
-fi
-if ! rpm -q --quiet "policycoreutils-python-utils" ; then
-    yum install -y "policycoreutils-python-utils"
-fi
-
-mkdir -p "$var_accounts_passwords_pam_faillock_dir"
-semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?"
-restorecon -R -v "$var_accounts_passwords_pam_faillock_dir"
-
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
+

Rule   + Lock Accounts Must Persist +   [ref]

This rule ensures that the system lock out accounts using pam_faillock.so persist +after system reboot. From "pam_faillock" man pages: +

Note that the default directory that "pam_faillock" uses is usually cleared on system
+boot so the access will be reenabled after system reboot. If that is undesirable, a different
+tally directory must be set with the "dir" option.
+ +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + +The chosen profile expects the directory to be /var/log/faillock.

Warning:  + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file.
Rationale:

Locking out user accounts after a number of incorrect attempts prevents direct password +guessing attacks. In combination with the silent option, user enumeration attacks +are also mitigated.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-86067-6

References:  + CCI-000044, CCI-002238, AC-7(b), AC-7(a), AC-7.1(ii), SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, RHEL-08-020016, RHEL-08-020017, SV-230338r627750_rule, SV-230339r743975_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
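Review bot: the new guard in the non-faillock.conf branch, `if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then`, succeeds as soon as either the `preauth` or the `authfail` line already carries `even_deny_root`, so a file that has the option on only one of the two lines skips both `sed` appends and the other line is left without it. Check each line on its own (one grep for the `preauth` pattern, one for `authfail`) before the corresponding `sed`, as the two appends are already written per line.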
@@ -12450,33 +12329,10 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - Set Interval For Counting Failed Password Attempts -   [ref]

Utilizing pam_faillock.so, the fail_interval directive configures the system -to lock out an account after a number of incorrect login attempts within a specified time -period. - -Ensure that the file /etc/security/faillock.conf contains the following entry: -fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater. - - -In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version.

Warning:  - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts the risk of unauthorized system -access via user password guessing, otherwise known as brute-forcing, is reduced. -Limits are imposed by locking the account.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80669-5

References:  - BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020012, RHEL-08-020013, SV-230334r627750_rule, SV-230335r743969_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_accounts_passwords_pam_faillock_fail_interval='900'
+var_accounts_passwords_pam_faillock_dir='/var/log/faillock'
 
 
 if [ -f /usr/bin/authselect ]; then
@@ -12510,12 +12366,12 @@
 
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*fail_interval\s*="
-    line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval"
+    regex="^\s*dir\s*="
+    line="dir = $var_accounts_passwords_pam_faillock_dir"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
     else
-        sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF
+        sed -i --follow-symlinks 's|^\s*\(dir\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_dir"'|g' $FAILLOCK_CONF
     fi
     for pam_file in "${AUTH_FILES[@]}"
     do
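Review bot: the unchanged `grep -q $regex $FAILLOCK_CONF` and `echo $line >> $FAILLOCK_CONF` lines in this hunk leave `$regex`, `$line` and `$FAILLOCK_CONF` unquoted; the new value `regex="^\s*dir\s*="` contains `*`, so it is subject to word splitting and pathname expansion before grep sees it. Since the hunk is already touching these two assignments, quote the uses: `grep -q "$regex" "$FAILLOCK_CONF"` and `echo "$line" >> "$FAILLOCK_CONF"`.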
@@ -12553,8 +12409,8 @@
                 authselect apply-changes -b
             fi
             
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
         fi
             if [ -f /usr/bin/authselect ]; then
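Review bot: the new removal `sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"` was carried over from the numeric `fail_interval` variant, but a `dir=` value is a path: `[[:alnum:]]*` stops at the leading `/`, so migrating a line that has `dir=/var/log/faillock` strips only `dir=` and leaves `/var/log/faillock` behind as a stray token on the pam_faillock line. Match the value with `[^[:space:]]*` instead; the `grep -qP ... \bdir\b` guard above it only checks that the option is present and does not catch this.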
                 
@@ -12567,20 +12423,57 @@
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*dir' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file"
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/' "$pam_file"
         else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"dir"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_dir"'\3/' "$pam_file"
         fi
     done
 fi
 
+if ! rpm -q --quiet "python3-libselinux" ; then
+    yum install -y "python3-libselinux"
+fi
+if ! rpm -q --quiet "python3-policycoreutils" ; then
+    yum install -y "python3-policycoreutils"
+fi
+if ! rpm -q --quiet "policycoreutils-python-utils" ; then
+    yum install -y "policycoreutils-python-utils"
+fi
+
+mkdir -p "$var_accounts_passwords_pam_faillock_dir"
+semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?"
+restorecon -R -v "$var_accounts_passwords_pam_faillock_dir"
+
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Set Interval For Counting Failed Password Attempts +   [ref]

Utilizing pam_faillock.so, the fail_interval directive configures the system +to lock out an account after a number of incorrect login attempts within a specified time +period. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version.

Warning:  + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts the risk of unauthorized system +access via user password guessing, otherwise known as brute-forcing, is reduced. +Limits are imposed by locking the account.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80669-5

References:  + BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020012, RHEL-08-020013, SV-230334r627750_rule, SV-230335r743969_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
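Review bot: the four added `sed` calls in the non-faillock.conf branch use `/` as the s-command delimiter while interpolating a path, so `s/$/ dir='"$var_accounts_passwords_pam_faillock_dir"'/'` expands to `s/$/ dir=/var/log/faillock/` and sed rejects it (`unknown option to 's'`); the two `else` substitutions additionally match the current value with `[0-9]\+`, which never matches a path, so an existing `dir=` is never updated. Use another delimiter such as `|` (as the faillock.conf substitution `s|^\s*\(dir\s*=\s*\)\(\S\+\)|...|g` in this same script already does) and `[^[:space:]]\+` for the value. Also, `semanage fcontext -a -t faillog_t "$var_accounts_passwords_pam_faillock_dir(/.*)?"` errors out on a second run once the mapping exists, so the remediation is not idempotent; check `semanage fcontext -l` first or fall back to `-m` when `-a` fails.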
@@ -13248,30 +13141,12 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Do Not Show System Messages When Unsuccessful Logon Attempts Occur -   [ref]

This rule ensures the system prevents informative messages from being presented to the user -pertaining to logon information after a number of incorrect login attempts using -pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version.

Warning:  - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file.
Rationale:

The pam_faillock module without the silent option will leak information about the existence or -non-existence of a user account in the system because the failures are not recorded for unknown -users. The message about the user account being locked is never displayed for non-existing user -accounts allowing the adversary to infer that a particular account exists or not on the system.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-87096-4

References:  - CCI-002238, CCI-000044, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020018, RHEL-08-020019, SV-230340r627750_rule, SV-230341r743978_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
+var_accounts_passwords_pam_faillock_fail_interval='900'
+
+
 if [ -f /usr/bin/authselect ]; then
     if ! authselect check; then
 echo "
@@ -13300,18 +13175,72 @@
 fi
 
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*silent"
-    line="silent"
+    regex="^\s*fail_interval\s*="
+    line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
+    else
+        sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF
     fi
+    for pam_file in "${AUTH_FILES[@]}"
+    do
+        if [ -e "$pam_file" ] ; then
+            PAM_FILE_PATH="$pam_file"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
+
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "$pam_file")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+                authselect apply-changes -b
+            fi
+            
+        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "$pam_file was not found" >&2
+        fi
+    done
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so\s*preauth.*silent' "$pam_file"; then
-            sed -i --follow-symlinks '/^\s*auth.*pam_faillock\.so.*preauth/ s/$/ silent/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
+        else
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file"
         fi
     done
 fi
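Review bot: inside the added per-file loop, `if ! authselect check; then ... exit 1` re-runs the integrity check the script already performs at its top before any file is touched, and `authselect create-profile hardening -b $CURRENT_PROFILE` and `authselect select $CURRENT_PROFILE` leave the profile name unquoted. Keep a single check and quote `"$CURRENT_PROFILE"`; likewise the `authselect apply-changes -b` issued right before the `sed` edit is redundant, since the `create-profile` block already applies with `--backup=after-hardening-custom-profile` and a second `apply-changes -b` follows the edit.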
@@ -13319,7 +13248,28 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Do Not Show System Messages When Unsuccessful Logon Attempts Occur +   [ref]

This rule ensures the system prevents informative messages from being presented to the user +pertaining to logon information after a number of incorrect login attempts using +pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version.

Warning:  + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file.
Rationale:

The pam_faillock module without the silent option will leak information about the existence or +non-existence of a user account in the system because the failures are not recorded for unknown +users. The message about the user account being locked is never displayed for non-existing user +accounts allowing the adversary to infer that a particular account exists or not on the system.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-87096-4

References:  + CCI-002238, CCI-000044, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020018, RHEL-08-020019, SV-230340r627750_rule, SV-230341r743978_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -13549,46 +13499,9 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Set Lockout Time for Failed Password Attempts -   [ref]

This rule configures the system to lock out accounts during a specified time period after a -number of incorrect login attempts using pam_faillock.so. - - -Ensure that the file /etc/security/faillock.conf contains the following entry: -unlock_time=<interval-in-seconds> where -interval-in-seconds is 0 or greater. - - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid any errors when manually editing these files, -it is recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - -If unlock_time is set to 0, manual intervention by an administrator is required -to unlock a user. This should be done using the faillock tool.

Warning:  - If the system supports the new /etc/security/faillock.conf file but the -pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and -/etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter -to /etc/security/faillock.conf to ensure compatibility with authselect tool. -The parameters deny and fail_interval, if used, also have to be migrated -by their respective remediation.
Warning:  - If the system relies on authselect tool to manage PAM settings, the remediation -will also use authselect tool. However, if any manual modification was made in -PAM files, the authselect integrity check will fail and the remediation will be -aborted in order to preserve intentional changes. In this case, an informative message will -be shown in the remediation report. -If the system supports the /etc/security/faillock.conf file, the pam_faillock -parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts the risk of unauthorized system -access via user password guessing, otherwise known as brute-forcing, is reduced. -Limits are imposed by locking the account.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80670-3

References:  - BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020014, RHEL-08-020015, 5.5.2, SV-230336r627750_rule, SV-230337r743972_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_accounts_passwords_pam_faillock_unlock_time='0'
-
-
 if [ -f /usr/bin/authselect ]; then
     if ! authselect check; then
 echo "
@@ -13617,72 +13530,18 @@
 fi
 
 AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
-
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
-    regex="^\s*unlock_time\s*="
-    line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time"
+    regex="^\s*silent"
+    line="silent"
     if ! grep -q $regex $FAILLOCK_CONF; then
         echo $line >> $FAILLOCK_CONF
-    else
-        sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF
     fi
-    for pam_file in "${AUTH_FILES[@]}"
-    do
-        if [ -e "$pam_file" ] ; then
-            PAM_FILE_PATH="$pam_file"
-            if [ -f /usr/bin/authselect ]; then
-                
-                if ! authselect check; then
-                echo "
-                authselect integrity check failed. Remediation aborted!
-                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-                It is not recommended to manually edit the PAM files when authselect tool is available.
-                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-                exit 1
-                fi
-
-                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-                # If not already in use, a custom profile is created preserving the enabled features.
-                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-                    authselect create-profile hardening -b $CURRENT_PROFILE
-                    CURRENT_PROFILE="custom/hardening"
-                    
-                    authselect apply-changes -b --backup=before-hardening-custom-profile
-                    authselect select $CURRENT_PROFILE
-                    for feature in $ENABLED_FEATURES; do
-                        authselect enable-feature $feature;
-                    done
-                    
-                    authselect apply-changes -b --backup=after-hardening-custom-profile
-                fi
-                PAM_FILE_NAME=$(basename "$pam_file")
-                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-                authselect apply-changes -b
-            fi
-            
-        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
-        fi
-            if [ -f /usr/bin/authselect ]; then
-                
-                authselect apply-changes -b
-            fi
-        else
-            echo "$pam_file was not found" >&2
-        fi
-    done
 else
     for pam_file in "${AUTH_FILES[@]}"
     do
-        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
-            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
-        else
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
-            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+        if ! grep -qE '^\s*auth.*pam_faillock\.so\s*preauth.*silent' "$pam_file"; then
+            sed -i --follow-symlinks '/^\s*auth.*pam_faillock\.so.*preauth/ s/$/ silent/' "$pam_file"
         fi
     done
 fi
@@ -13690,7 +13549,41 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Set Lockout Time for Failed Password Attempts +   [ref]

This rule configures the system to lock out accounts during a specified time period after a +number of incorrect login attempts using pam_faillock.so. + + +Ensure that the file /etc/security/faillock.conf contains the following entry: +unlock_time=<interval-in-seconds> where +interval-in-seconds is 0 or greater. + + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid any errors when manually editing these files, +it is recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + +If unlock_time is set to 0, manual intervention by an administrator is required +to unlock a user. This should be done using the faillock tool.

Warning:  + If the system supports the new /etc/security/faillock.conf file but the +pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and +/etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter +to /etc/security/faillock.conf to ensure compatibility with authselect tool. +The parameters deny and fail_interval, if used, also have to be migrated +by their respective remediation.
Warning:  + If the system relies on authselect tool to manage PAM settings, the remediation +will also use authselect tool. However, if any manual modification was made in +PAM files, the authselect integrity check will fail and the remediation will be +aborted in order to preserve intentional changes. In this case, an informative message will +be shown in the remediation report. +If the system supports the /etc/security/faillock.conf file, the pam_faillock +parameters should be defined in faillock.conf file.
Rationale:

By limiting the number of failed logon attempts the risk of unauthorized system +access via user password guessing, otherwise known as brute-forcing, is reduced. +Limits are imposed by locking the account.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80670-3

References:  + BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020014, RHEL-08-020015, 5.5.2, SV-230336r627750_rule, SV-230337r743972_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14389,6 +14282,113 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+var_accounts_passwords_pam_faillock_unlock_time='0'
+
+
+if [ -f /usr/bin/authselect ]; then
+    if ! authselect check; then
+echo "
+authselect integrity check failed. Remediation aborted!
+This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+It is not recommended to manually edit the PAM files when authselect tool is available.
+In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+exit 1
+fi
+authselect enable-feature with-faillock
+
+authselect apply-changes -b
+else
+    
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+for pam_file in "${AUTH_FILES[@]}"
+do
+    if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
+        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth        required      pam_faillock.so preauth silent' "$pam_file"
+        sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth        required      pam_faillock.so authfail' "$pam_file"
+        sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account     required      pam_faillock.so' "$pam_file"
+    fi
+    sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required     \3/g' "$pam_file"
+done
+
+fi
+
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+
+FAILLOCK_CONF="/etc/security/faillock.conf"
+if [ -f $FAILLOCK_CONF ]; then
+    regex="^\s*unlock_time\s*="
+    line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time"
+    if ! grep -q $regex $FAILLOCK_CONF; then
+        echo $line >> $FAILLOCK_CONF
+    else
+        sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF
+    fi
+    for pam_file in "${AUTH_FILES[@]}"
+    do
+        if [ -e "$pam_file" ] ; then
+            PAM_FILE_PATH="$pam_file"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
+
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "$pam_file")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+                authselect apply-changes -b
+            fi
+            
+        if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "$pam_file was not found" >&2
+        fi
+    done
+else
+    for pam_file in "${AUTH_FILES[@]}"
+    do
+        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
+            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
+        else
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
+        fi
+    done
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Set Password Quality Requirements   Group contains 1 group and 13 rules

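Review bot: in the faillock.conf branch, `grep -q $regex $FAILLOCK_CONF` and `echo $line >> $FAILLOCK_CONF` leave `$regex`, `$line` and `$FAILLOCK_CONF` unquoted, so the `*` in `^\s*unlock_time\s*=` is exposed to pathname expansion and `$line` is word-split before it is written; quote them (`grep -q "$regex" "$FAILLOCK_CONF"`, `echo "$line" >> "$FAILLOCK_CONF"`). Ordering also deserves a look: faillock.conf is rewritten before `authselect check` runs, so when the integrity check fails the script exits 1 having already changed `unlock_time` in faillock.conf while `unlock_time=` is still present as an argument on the pam_faillock.so lines, which is exactly the value this branch later strips so that the faillock.conf setting takes effect; run the authselect check first, or do the faillock.conf write and the PAM-line cleanup as one step. Minor: the `authselect apply-changes -b` right after `PAM_FILE_PATH` is set applies nothing, since the same command runs again immediately after the sed that removes `unlock_time`; and in the branch without faillock.conf the `\(unlock_time=\)[0-9]\+` substitutions only rewrite numeric values, so a pre-existing non-numeric value on those lines is left as is.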
[ref]   @@ -14440,42 +14440,7 @@ Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80653-9

References:  - BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, SRG-OS-000071-GPOS-00039, RHEL-08-020130, SV-230359r858775_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-var_password_pam_dcredit='-1'
-
-
-
-
-
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
-else
-    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
-    fi
-    cce="CCE-80653-9"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
-    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, SRG-OS-000071-GPOS-00039, RHEL-08-020130, SV-230359r858775_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
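Review bot: this hunk and the ones that follow are a block move, not a settings change, and should be reviewed as such. The header `@@ -14440,42 +14440,7 @@` drops 35 lines, the dcredit `Remediation Shell script` block from `if rpm --quiet -q pam; then` through the `>&2 echo 'Remediation is not applicable, nothing was done'` fallback, and re-emits only the References line as `+`; the following hunks then add a `Remediation Shell script` header after the dcredit Ansible snippet and align that re-placed script with the old dictcheck script, which is why the diff shows pairs such as `-var_password_pam_dictcheck='1'` / `+var_password_pam_dcredit='-1'` and `-cce="CCE-86233-4"` / `+cce="CCE-80653-9"`. The values themselves are unchanged on both sides (dcredit -1, dictcheck 1, difok 8, lcredit -1, maxclassrepeat 4, maxrepeat 3, with the same CCE per rule); the net effect per rule is that the Shell remediation now renders after the Ansible snippet instead of before it. Worth saying so in the commit message, since the raw diff reads as CCE identifiers being swapped between rules.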
@@ -14522,23 +14487,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words -   [ref]

The pam_pwquality module's dictcheck check if passwords contains dictionary words. When -dictcheck is set to 1 passwords will be checked for dictionary words.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at -guessing and brute-force attacks. -

-Password complexity is one factor of several that determines how long it takes to crack a password. The more -complex the password, the greater the number of possible combinations that need to be tested before the -password is compromised. -

-Passwords with dictionary words may be more vulnerable to password-guessing attacks.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-86233-4

References:  - CCI-000366, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), SRG-OS-000480-GPOS-00225, RHEL-08-020300, SV-230377r858789_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_dictcheck='1'
+var_password_pam_dcredit='-1'
 
 
 
@@ -14547,22 +14499,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-86233-4"
+    cce="CCE-80653-9"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
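Review bot: the `-dictcheck` / `+dcredit` pairs here are the alignment artefact of the block move, so the script logic is unchanged; two caveats on the script as it stands. It only edits `/etc/security/pwquality.conf`, so a `dcredit` set in a drop-in under `/etc/security/pwquality.conf.d/` on a libpwquality build that reads that directory (where drop-ins are read after the main file) is left untouched; the remediation could at least grep that directory and warn when the key is set there. And `escaped_formatted_output` only escapes `/` before the `sed s/^dcredit\>.*/.../gi` substitution, not `&` or `\`, which is safe for `-1` but would expand `&` to the matched text if a variable value ever contained it; escaping both, or using a delimiter other than `/` together with `\&`, makes the shared template robust for every rule that instantiates it.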
@@ -14570,7 +14522,20 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words +   [ref]

The pam_pwquality module's dictcheck check if passwords contains dictionary words. When +dictcheck is set to 1 passwords will be checked for dictionary words.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at +guessing and brute-force attacks. +

+Password complexity is one factor of several that determines how long it takes to crack a password. The more +complex the password, the greater the number of possible combinations that need to be tested before the +password is compromised. +

+Passwords with dictionary words may be more vulnerable to password-guessing attacks.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-86233-4

References:  + CCI-000366, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), SRG-OS-000480-GPOS-00225, RHEL-08-020300, SV-230377r858789_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
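Review bot: the added description reads "The pam_pwquality module's dictcheck check if passwords contains dictionary words", which should be "checks whether passwords contain dictionary words"; the same sentence is being re-emitted from the old location, so fixing the template once corrects both sides of this move.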
@@ -14613,31 +14578,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM Enforces Password Requirements - Minimum Different Characters -   [ref]

The pam_pwquality module's difok parameter sets the number of characters -in a password that must not be present in and old password during a password change. -

-Modify the difok setting in /etc/security/pwquality.conf -to equal 8 to require differing characters -when changing passwords.

Rationale:

Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, -is a measure of the effectiveness of a password in resisting attempts -at guessing and brute–force attacks. -

-Password complexity is one factor of several that determines how long -it takes to crack a password. The more complex the password, the -greater the number of possible combinations that need to be tested -before the password is compromised. -

-Requiring a minimum number of different characters during password changes ensures that -newly changed passwords should not resemble previously compromised ones. -Note that passwords which are changed on compromised systems will still be compromised, however.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80654-7

References:  - 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020170, SV-230363r858783_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_difok='8'
+var_password_pam_dictcheck='1'
 
 
 
@@ -14646,22 +14590,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^difok")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_difok"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-80654-7"
+    cce="CCE-86233-4"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
@@ -14669,7 +14613,28 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Minimum Different Characters +   [ref]

The pam_pwquality module's difok parameter sets the number of characters +in a password that must not be present in and old password during a password change. +

+Modify the difok setting in /etc/security/pwquality.conf +to equal 8 to require differing characters +when changing passwords.

Rationale:

Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, +is a measure of the effectiveness of a password in resisting attempts +at guessing and brute–force attacks. +

+Password complexity is one factor of several that determines how long +it takes to crack a password. The more complex the password, the +greater the number of possible combinations that need to be tested +before the password is compromised. +

+Requiring a minimum number of different characters during password changes ensures that +newly changed passwords should not resemble previously compromised ones. +Note that passwords which are changed on compromised systems will still be compromised, however.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80654-7

References:  + 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020170, SV-230363r858783_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
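Review bot: typos in the re-added difok description: "in and old password" should be "in an old password", and "to equal 8 to require differing characters" is clearer as "to equal 8 to require 8 differing characters". The rationale also uses an en dash in "brute–force" where the neighbouring rules write "brute-force"; make it a plain hyphen for consistency.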
@@ -14714,27 +14679,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters -   [ref]

The pam_pwquality module's lcredit parameter controls requirements for -usage of lowercase letters in a password. When set to a negative number, any password will be required to -contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each lowercase character. Modify the lcredit setting in -/etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required -to compromise the password. Password complexity, or strength, is a measure of -the effectiveness of a password in resisting attempts at guessing and brute-force -attacks. -
-Password complexity is one factor of several that determines how long it takes -to crack a password. The more complex the password, the greater the number of -possble combinations that need to be tested before the password is compromised. -Requiring a minimum number of lowercase characters makes password guessing attacks -more difficult by ensuring a larger search space.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80655-4

References:  - BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, SRG-OS-000070-GPOS-00038, RHEL-08-020120, SV-230358r858773_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_lcredit='-1'
+var_password_pam_difok='8'
 
 
 
@@ -14743,22 +14691,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^difok")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_difok"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-80655-4"
+    cce="CCE-80654-7"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
@@ -14766,7 +14714,24 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters +   [ref]

The pam_pwquality module's lcredit parameter controls requirements for +usage of lowercase letters in a password. When set to a negative number, any password will be required to +contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each lowercase character. Modify the lcredit setting in +/etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required +to compromise the password. Password complexity, or strength, is a measure of +the effectiveness of a password in resisting attempts at guessing and brute-force +attacks. +
+Password complexity is one factor of several that determines how long it takes +to crack a password. The more complex the password, the greater the number of +possble combinations that need to be tested before the password is compromised. +Requiring a minimum number of lowercase characters makes password guessing attacks +more difficult by ensuring a larger search space.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80655-4

References:  + BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, SRG-OS-000070-GPOS-00038, RHEL-08-020120, SV-230358r858773_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
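Review bot: "possble combinations" in the re-added lcredit rationale should be "possible combinations".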
@@ -14813,24 +14778,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class -   [ref]

The pam_pwquality module's maxclassrepeat parameter controls requirements for -consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords -which contain more than that number of consecutive characters from the same character class. Modify the -maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 -to prevent a run of (4 + 1) or more identical characters.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. -Password complexity, or strength, is a measure of the effectiveness of a password in resisting -attempts at guessing and brute-force attacks. -
-Password complexity is one factor of several that determines how long it takes to crack a password. The -more complex a password, the greater the number of possible combinations that need to be tested before the -password is compromised.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81034-1

References:  - 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020140, SV-230360r858777_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_maxclassrepeat='4'
+var_password_pam_lcredit='-1'
 
 
 
@@ -14839,22 +14790,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxclassrepeat")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxclassrepeat"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-81034-1"
+    cce="CCE-80655-4"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
@@ -14862,7 +14813,21 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class +   [ref]

The pam_pwquality module's maxclassrepeat parameter controls requirements for +consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters from the same character class. Modify the +maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 +to prevent a run of (4 + 1) or more identical characters.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting +attempts at guessing and brute-force attacks. +
+Password complexity is one factor of several that determines how long it takes to crack a password. The +more complex a password, the greater the number of possible combinations that need to be tested before the +password is compromised.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81034-1

References:  + 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020140, SV-230360r858777_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
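Review bot: the re-added maxclassrepeat description ends with "to prevent a run of (4 + 1) or more identical characters", which is the maxrepeat wording (the next rule uses the same sentence with 3) and contradicts the first sentence of this paragraph, which correctly says the parameter limits consecutive characters from the same character class. A password such as five consecutive digits that are not identical is rejected by maxclassrepeat = 4 but not by maxrepeat; the closing sentence should read "to prevent a run of (4 + 1) or more consecutive characters from the same character class".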
@@ -14906,26 +14871,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Set Password Maximum Consecutive Repeating Characters -   [ref]

The pam_pwquality module's maxrepeat parameter controls requirements for -consecutive repeating characters. When set to a positive number, it will reject passwords -which contain more than that number of consecutive characters. Modify the maxrepeat setting -in /etc/security/pwquality.conf to equal 3 to prevent a -run of (3 + 1) or more identical characters.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at -guessing and brute-force attacks. -

-Password complexity is one factor of several that determines how long it takes to crack a password. The more -complex the password, the greater the number of possible combinations that need to be tested before the -password is compromised. -

-Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82066-2

References:  - 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020150, SV-230361r858779_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_maxrepeat='3'
+var_password_pam_maxclassrepeat='4'
 
 
 
@@ -14934,22 +14883,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxrepeat")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxclassrepeat")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxrepeat"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxclassrepeat"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-82066-2"
+    cce="CCE-81034-1"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
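Review bot: the `-var_password_pam_maxrepeat='3'` / `+var_password_pam_maxclassrepeat='4'` and `-cce="CCE-82066-2"` / `+cce="CCE-81034-1"` pairs in this hunk are not edits to the maxrepeat remediation. The rule heading `+ Set Password Maximum Consecutive Repeating Characters`, its identifier `+ CCE-82066-2` and its unchanged script (`+var_password_pam_maxrepeat='3'`, `+cce="CCE-82066-2"`) are re-added in the hunks that follow, so the maxclassrepeat rule has been moved in front of it and git has aligned two near-identical pwquality.conf scripts line by line; the same one-rule shift repeats for minclass, minlen and ocredit further down. Review this publish by comparing rule blocks by CCE rather than by hunk, or regenerate the diff with `git diff --patience`, so the move shows as whole blocks instead of a cascade of apparent value changes.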
@@ -14957,7 +14906,23 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Set Password Maximum Consecutive Repeating Characters +   [ref]

The pam_pwquality module's maxrepeat parameter controls requirements for +consecutive repeating characters. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters. Modify the maxrepeat setting +in /etc/security/pwquality.conf to equal 3 to prevent a +run of (3 + 1) or more identical characters.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at +guessing and brute-force attacks. +

+Password complexity is one factor of several that determines how long it takes to crack a password. The more +complex the password, the greater the number of possible combinations that need to be tested before the +password is compromised. +

+Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82066-2

References:  + 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020150, SV-230361r858779_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14998,38 +14963,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM Enforces Password Requirements - Minimum Different Categories -   [ref]

The pam_pwquality module's minclass parameter controls -requirements for usage of different character classes, or types, of character -that must exist in a password before it is considered valid. For example, -setting this value to three (3) requires that any password must have characters -from at least three different categories in order to be approved. The default -value is zero (0), meaning there are no required classes. There are four -categories available: -

-* Upper-case characters
-* Lower-case characters
-* Digits
-* Special characters (for example, punctuation)
-
-Modify the minclass setting in /etc/security/pwquality.conf entry -to require 4 -differing categories of characters when changing passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts -at guessing and brute-force attacks. -

-Password complexity is one factor of several that determines how long it takes to crack a password. The -more complex the password, the greater the number of possible combinations that need to be tested before -the password is compromised. -

-Requiring a minimum number of character categories makes password guessing attacks more difficult -by ensuring a larger search space.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82046-4

References:  - 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, 5.5.1, SV-230362r858781_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_minclass='4'
+var_password_pam_maxrepeat='3'
 
 
 
@@ -15038,22 +14975,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxrepeat")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxrepeat"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-82046-4"
+    cce="CCE-82066-2"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
@@ -15061,7 +14998,35 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Minimum Different Categories +   [ref]

The pam_pwquality module's minclass parameter controls +requirements for usage of different character classes, or types, of character +that must exist in a password before it is considered valid. For example, +setting this value to three (3) requires that any password must have characters +from at least three different categories in order to be approved. The default +value is zero (0), meaning there are no required classes. There are four +categories available: +

+* Upper-case characters
+* Lower-case characters
+* Digits
+* Special characters (for example, punctuation)
+
+Modify the minclass setting in /etc/security/pwquality.conf entry +to require 4 +differing categories of characters when changing passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts +at guessing and brute-force attacks. +

+Password complexity is one factor of several that determines how long it takes to crack a password. The +more complex the password, the greater the number of possible combinations that need to be tested before +the password is compromised. +

+Requiring a minimum number of character categories makes password guessing attacks more difficult +by ensuring a larger search space.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82046-4

References:  + 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, 5.5.1, SV-230362r858781_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -15104,24 +15069,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM Enforces Password Requirements - Minimum Length -   [ref]

The pam_pwquality module's minlen parameter controls requirements for -minimum characters required in a password. Add minlen=15 -after pam_pwquality to set minimum password length requirements.

Rationale:

The shorter the password, the lower the number of possible combinations -that need to be tested before the password is compromised. -
-Password complexity, or strength, is a measure of the effectiveness of a -password in resisting attempts at guessing and brute-force attacks. -Password length is one factor of several that helps to determine strength -and how long it takes to crack a password. Use of more characters in a password -helps to exponentially increase the time and/or resources required to -compromise the password.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80656-2

References:  - BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, SRG-OS-000078-GPOS-00046, RHEL-08-020230, 5.5.1, SV-230369r858785_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_minlen='15'
+var_password_pam_minclass='4'
 
 
 
@@ -15130,22 +15081,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-80656-2"
+    cce="CCE-82046-4"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
@@ -15153,7 +15104,21 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Minimum Length +   [ref]

The pam_pwquality module's minlen parameter controls requirements for +minimum characters required in a password. Add minlen=15 +after pam_pwquality to set minimum password length requirements.

Rationale:

The shorter the password, the lower the number of possible combinations +that need to be tested before the password is compromised. +
+Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. +Password length is one factor of several that helps to determine strength +and how long it takes to crack a password. Use of more characters in a password +helps to exponentially increase the time and/or resources required to +compromise the password.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80656-2

References:  + BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, SRG-OS-000078-GPOS-00046, RHEL-08-020230, 5.5.1, SV-230369r858785_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -15202,29 +15167,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM Enforces Password Requirements - Minimum Special Characters -   [ref]

The pam_pwquality module's ocredit= parameter controls requirements for -usage of special (or "other") characters in a password. When set to a negative number, -any password will be required to contain that many special characters. -When set to a positive number, pam_pwquality will grant +1 -additional length credit for each special character. Modify the ocredit setting -in /etc/security/pwquality.conf to equal -1 -to require use of a special character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required -to compromise the password. Password complexity, or strength, is a measure of -the effectiveness of a password in resisting attempts at guessing and brute-force -attacks. -

-Password complexity is one factor of several that determines how long it takes -to crack a password. The more complex the password, the greater the number of -possible combinations that need to be tested before the password is compromised. -Requiring a minimum number of special characters makes password guessing attacks -more difficult by ensuring a larger search space.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80663-8

References:  - BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, SRG-OS-000266-GPOS-00101, RHEL-08-020280, SV-230375r858787_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_ocredit='-1'
+var_password_pam_minlen='15'
 
 
 
@@ -15233,22 +15179,22 @@
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ocredit")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ocredit"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-80663-8"
+    cce="CCE-80656-2"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
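Review bot: the minlen description carried over unchanged (`+The pam_pwquality module's minlen parameter controls requirements for +minimum characters required in a password. Add minlen=15 +after pam_pwquality`) tells the reader to put `minlen=15` on the pam_pwquality line of the PAM stack, while the remediation in this hunk writes the key into `/etc/security/pwquality.conf` (`stripped_key=$(... <<< "^minlen")`, `grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"`). The description should name `/etc/security/pwquality.conf`, as the maxrepeat, minclass and ocredit descriptions in this file already do, so that the documented location and the remediated location agree.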
@@ -15256,7 +15202,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Minimum Special Characters +   [ref]

The pam_pwquality module's ocredit= parameter controls requirements for +usage of special (or "other") characters in a password. When set to a negative number, +any password will be required to contain that many special characters. +When set to a positive number, pam_pwquality will grant +1 +additional length credit for each special character. Modify the ocredit setting +in /etc/security/pwquality.conf to equal -1 +to require use of a special character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required +to compromise the password. Password complexity, or strength, is a measure of +the effectiveness of a password in resisting attempts at guessing and brute-force +attacks. +

+Password complexity is one factor of several that determines how long it takes +to crack a password. The more complex the password, the greater the number of +possible combinations that need to be tested before the password is compromised. +Requiring a minimum number of special characters makes password guessing attacks +more difficult by ensuring a larger search space.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80663-8

References:  + BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, SRG-OS-000266-GPOS-00101, RHEL-08-020280, SV-230375r858787_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -15299,76 +15264,50 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure PAM password complexity module is enabled in password-auth -   [ref]

To enable PAM password complexity in password-auth file: -Edit the password section in -/etc/pam.d/password-auth to show -password requisite pam_pwquality.so.

Rationale:

Enabling PAM password complexity permits to enforce strong passwords and consequently -makes the system less prone to dictionary attacks.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-85877-9

References:  - CCI-000366, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227, RHEL-08-020100, SV-230356r902728_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-if [ -e "/etc/pam.d/password-auth" ] ; then
-    PAM_FILE_PATH="/etc/pam.d/password-auth"
-    if [ -f /usr/bin/authselect ]; then
-        
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
+var_password_pam_ocredit='-1'
 
-        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-        # If not already in use, a custom profile is created preserving the enabled features.
-        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-            authselect create-profile hardening -b $CURRENT_PROFILE
-            CURRENT_PROFILE="custom/hardening"
-            
-            authselect apply-changes -b --backup=before-hardening-custom-profile
-            authselect select $CURRENT_PROFILE
-            for feature in $ENABLED_FEATURES; do
-                authselect enable-feature $feature;
-            done
-            
-            authselect apply-changes -b --backup=after-hardening-custom-profile
-        fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
-        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
-        authselect apply-changes -b
-    fi
-    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwquality.so\s*.*' "$PAM_FILE_PATH"; then
-    # Line matching group + control + module was not found. Check group + module.
-    if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
-        # The control is updated only if one single line matches.
-        sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwquality.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
-    else
-        LAST_MATCH_LINE=$(grep -nP "^account.*required.*pam_permit\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
-        if [ ! -z $LAST_MATCH_LINE ]; then
-            sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"requisite"'    pam_pwquality.so' "$PAM_FILE_PATH"
-        else
-            echo 'password    '"requisite"'    pam_pwquality.so' >> "$PAM_FILE_PATH"
-        fi
-    fi
-fi
-    if [ -f /usr/bin/authselect ]; then
-        
-        authselect apply-changes -b
-    fi
+
+
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ocredit")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ocredit"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
-    echo "/etc/pam.d/password-auth was not found" >&2
+    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+    fi
+    cce="CCE-80663-8"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+

Rule   + Ensure PAM password complexity module is enabled in password-auth +   [ref]

To enable PAM password complexity in password-auth file: +Edit the password section in +/etc/pam.d/password-auth to show +password requisite pam_pwquality.so.

Rationale:

Enabling PAM password complexity permits to enforce strong passwords and consequently +makes the system less prone to dictionary attacks.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-85877-9

References:  + CCI-000366, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227, RHEL-08-020100, SV-230356r902728_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
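Review bot: in the authselect-based script removed here (`-if [ -e "/etc/pam.d/password-auth" ]` through `-    echo "/etc/pam.d/password-auth was not found" >&2`), the fallback branch appends a new `password requisite pam_pwquality.so` line whenever `grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*'` does not return exactly 1, so a file that already has two pam_pwquality.so entries with the wrong control gets a third entry instead of having its control fixed; the `-eq 1` test should either update every matching line or abort on duplicates rather than fall through to the append. Two smaller points on the same lines: `$CURRENT_PROFILE`, `$feature` and `$LAST_MATCH_LINE` are expanded unquoted (`authselect create-profile hardening -b $CURRENT_PROFILE`, `[ ! -z $LAST_MATCH_LINE ]`), and the shell remediation header for this rule carries no Complexity/Disruption/Reboot/Strategy lines while the Ansible snippet for the same rule declares `Disruption:medium` and `Strategy:configure`; the metadata should appear on both so the disruption rating is visible to whoever runs the script.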
@@ -15626,19 +15565,11 @@
   - medium_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - Ensure PAM password complexity module is enabled in system-auth -   [ref]

To enable PAM password complexity in system-auth file: -Edit the password section in -/etc/pam.d/system-auth to show -password requisite pam_pwquality.so.

Rationale:

Enabling PAM password complexity permits to enforce strong passwords and consequently -makes the system less prone to dictionary attacks.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-85872-0

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-020101, SV-251713r902740_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-if [ -e "/etc/pam.d/system-auth" ] ; then
-    PAM_FILE_PATH="/etc/pam.d/system-auth"
+if [ -e "/etc/pam.d/password-auth" ] ; then
+    PAM_FILE_PATH="/etc/pam.d/password-auth"
     if [ -f /usr/bin/authselect ]; then
         
         if ! authselect check; then
@@ -15665,7 +15596,7 @@
             
             authselect apply-changes -b --backup=after-hardening-custom-profile
         fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
         PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
         authselect apply-changes -b
@@ -15689,13 +15620,21 @@
         authselect apply-changes -b
     fi
 else
-    echo "/etc/pam.d/system-auth was not found" >&2
+    echo "/etc/pam.d/password-auth was not found" >&2
 fi
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+

Rule   + Ensure PAM password complexity module is enabled in system-auth +   [ref]

To enable PAM password complexity in system-auth file: +Edit the password section in +/etc/pam.d/system-auth to show +password requisite pam_pwquality.so.

Rationale:

Enabling PAM password complexity permits to enforce strong passwords and consequently +makes the system less prone to dictionary attacks.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-85872-0

References:  + CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-020101, SV-251713r902740_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -15953,93 +15892,10 @@
   - medium_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session -   [ref]

To configure the number of retry prompts that are permitted per-session: - -Edit the /etc/security/pwquality.conf to include - -retry=3, or a lower value if site -policy is more restrictive. The DoD requirement is a maximum of 3 prompts -per session.

Rationale:

Setting the password retry prompts that are permitted on a per-session basis to a low value -requires some software, such as SSH, to re-connect. This can slow down and -draw additional attention to some types of password-guessing attacks. Note that this -is different from account lockout, which is provided by the pam_faillock module.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80664-6

References:  - 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, RHEL-08-020104, 5.5.1, SV-251716r858737_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_retry='3'
-
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^retry")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_retry"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
-else
-    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
-    fi
-    cce="CCE-80664-6"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
-    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
-fi
-	
-		if [ -e "/etc/pam.d/password-auth" ] ; then
-    PAM_FILE_PATH="/etc/pam.d/password-auth"
-    if [ -f /usr/bin/authselect ]; then
-        
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-
-        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-        # If not already in use, a custom profile is created preserving the enabled features.
-        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-            authselect create-profile hardening -b $CURRENT_PROFILE
-            CURRENT_PROFILE="custom/hardening"
-            
-            authselect apply-changes -b --backup=before-hardening-custom-profile
-            authselect select $CURRENT_PROFILE
-            for feature in $ENABLED_FEATURES; do
-                authselect enable-feature $feature;
-            done
-            
-            authselect apply-changes -b --backup=after-hardening-custom-profile
-        fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
-        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-        authselect apply-changes -b
-    fi
-    
-if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then
-    sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
-fi
-    if [ -f /usr/bin/authselect ]; then
-        
-        authselect apply-changes -b
-    fi
-else
-    echo "/etc/pam.d/password-auth was not found" >&2
-fi
-	
-		if [ -e "/etc/pam.d/system-auth" ] ; then
+if [ -e "/etc/pam.d/system-auth" ] ; then
     PAM_FILE_PATH="/etc/pam.d/system-auth"
     if [ -f /usr/bin/authselect ]; then
         
@@ -16072,9 +15928,19 @@
 
         authselect apply-changes -b
     fi
-    
-if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then
-    sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+    if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwquality.so\s*.*' "$PAM_FILE_PATH"; then
+    # Line matching group + control + module was not found. Check group + module.
+    if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwquality.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
+        # The control is updated only if one single line matches.
+        sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwquality.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+    else
+        LAST_MATCH_LINE=$(grep -nP "^account.*required.*pam_permit\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+        if [ ! -z $LAST_MATCH_LINE ]; then
+            sed -i --follow-symlinks $LAST_MATCH_LINE' a password     '"requisite"'    pam_pwquality.so' "$PAM_FILE_PATH"
+        else
+            echo 'password    '"requisite"'    pam_pwquality.so' >> "$PAM_FILE_PATH"
+        fi
+    fi
 fi
     if [ -f /usr/bin/authselect ]; then
         
@@ -16087,7 +15953,20 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session +   [ref]

To configure the number of retry prompts that are permitted per-session: + +Edit the /etc/security/pwquality.conf to include + +retry=3, or a lower value if site +policy is more restrictive. The DoD requirement is a maximum of 3 prompts +per session.

Rationale:

Setting the password retry prompts that are permitted on a per-session basis to a low value +requires some software, such as SSH, to re-connect. This can slow down and +draw additional attention to some types of password-guessing attacks. Note that this +is different from account lockout, which is provided by the pam_faillock module.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80664-6

References:  + 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, RHEL-08-020104, 5.5.1, SV-251716r858737_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -16545,56 +16424,142 @@
   - medium_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters -   [ref]

The pam_pwquality module's ucredit= parameter controls requirements for -usage of uppercase letters in a password. When set to a negative number, any password will be required to -contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each uppercase character. Modify the ucredit setting in -/etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts -at guessing and brute-force attacks. -

-Password complexity is one factor of several that determines how long it takes to crack a password. The more -complex the password, the greater the number of possible combinations that need to be tested before -the password is compromised.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80665-3

References:  - BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, RHEL-08-020110, SV-230357r858771_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-var_password_pam_ucredit='-1'
-
-
-
-
+var_password_pam_retry='3'
 
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^retry")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_retry"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
     if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
     fi
-    cce="CCE-80665-3"
+    cce="CCE-80664-6"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
     printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
+	
+		if [ -e "/etc/pam.d/password-auth" ] ; then
+    PAM_FILE_PATH="/etc/pam.d/password-auth"
+    if [ -f /usr/bin/authselect ]; then
+        
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
+
+        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+        # If not already in use, a custom profile is created preserving the enabled features.
+        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+            authselect create-profile hardening -b $CURRENT_PROFILE
+            CURRENT_PROFILE="custom/hardening"
+            
+            authselect apply-changes -b --backup=before-hardening-custom-profile
+            authselect select $CURRENT_PROFILE
+            for feature in $ENABLED_FEATURES; do
+                authselect enable-feature $feature;
+            done
+            
+            authselect apply-changes -b --backup=after-hardening-custom-profile
+        fi
+        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
+        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+        authselect apply-changes -b
+    fi
+    
+if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then
+    sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+fi
+    if [ -f /usr/bin/authselect ]; then
+        
+        authselect apply-changes -b
+    fi
+else
+    echo "/etc/pam.d/password-auth was not found" >&2
+fi
+	
+		if [ -e "/etc/pam.d/system-auth" ] ; then
+    PAM_FILE_PATH="/etc/pam.d/system-auth"
+    if [ -f /usr/bin/authselect ]; then
+        
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
+
+        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+        # If not already in use, a custom profile is created preserving the enabled features.
+        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+            authselect create-profile hardening -b $CURRENT_PROFILE
+            CURRENT_PROFILE="custom/hardening"
+            
+            authselect apply-changes -b --backup=before-hardening-custom-profile
+            authselect select $CURRENT_PROFILE
+            for feature in $ENABLED_FEATURES; do
+                authselect enable-feature $feature;
+            done
+            
+            authselect apply-changes -b --backup=after-hardening-custom-profile
+        fi
+        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+        authselect apply-changes -b
+    fi
+    
+if grep -qP '^\s*password\s+'".*"'\s+pam_pwquality.so\s.*\bretry\b' "$PAM_FILE_PATH"; then
+    sed -i -E --follow-symlinks 's/(.*password.*'".*"'.*pam_pwquality.so.*)\sretry=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+fi
+    if [ -f /usr/bin/authselect ]; then
+        
+        authselect apply-changes -b
+    fi
+else
+    echo "/etc/pam.d/system-auth was not found" >&2
+fi
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters +   [ref]

The pam_pwquality module's ucredit= parameter controls requirements for +usage of uppercase letters in a password. When set to a negative number, any password will be required to +contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each uppercase character. Modify the ucredit setting in +/etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts +at guessing and brute-force attacks. +

+Password complexity is one factor of several that determines how long it takes to crack a password. The more +complex the password, the greater the number of possible combinations that need to be tested before +the password is compromised.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80665-3

References:  + BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, RHEL-08-020110, SV-230357r858771_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
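Review bot: the `+` side repeats the roughly forty-line authselect custom-profile setup verbatim for `password-auth` and then for `system-auth`; the generated script would be easier to audit if that setup were emitted once as a function taking the PAM file as an argument. Within that setup, `authselect create-profile hardening -b $CURRENT_PROFILE` and `authselect enable-feature $feature` leave their variables unquoted and should read `"$CURRENT_PROFILE"` and `"$feature"`. The step that strips `retry=...` from the `pam_pwquality.so` line after writing `retry = 3` to `/etc/security/pwquality.conf` is undocumented; add a comment stating that module arguments on the PAM line override `pwquality.conf`, so the argument is removed to make the file value authoritative, otherwise a reviewer may read the deletion as weakening the check.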
@@ -16639,6 +16604,41 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+var_password_pam_ucredit='-1'
+
+
+
+
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+else
+    if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+    fi
+    cce="CCE-80665-3"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Set Password Hashing Algorithm   Group contains 4 rules

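Review bot: the run of empty lines after `var_password_pam_ucredit='-1'` in the added script is template residue and should be trimmed in the generator; it carries no meaning and makes the rendered diff harder to compare against the `retry` script above, which has the same shape.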
[ref]   @@ -16654,23 +16654,7 @@

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80892-3

References:  - BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, RHEL-08-010110, 5.5.4, SV-230231r877397_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-var_password_hashing_algorithm='SHA512'
-
-
-if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
-	sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs
-else
-	echo "" >> /etc/login.defs
-	echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, RHEL-08-010110, 5.5.4, SV-230231r877397_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -16719,6 +16703,22 @@
   - no_reboot_needed
   - restrict_strategy
   - set_password_hashing_algorithm_logindefs
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+var_password_hashing_algorithm='SHA512'
+
+
+if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
+	sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs
+else
+	echo "" >> /etc/login.defs
+	echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
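Review bot: the detection and rewrite patterns in the added `login.defs` script disagree: `grep --silent ^ENCRYPT_METHOD` matches a line such as `ENCRYPT_METHOD<TAB>MD5`, but `sed -i "s/^ENCRYPT_METHOD .*/..."` only rewrites lines with a single space after the keyword, so on a tab-separated file the script takes the "found, update in place" branch, changes nothing, and exits successfully with the weak algorithm still set. Use `^ENCRYPT_METHOD[[:space:]]` in both the grep and the sed expression (or `\b` with `sed -E`). This script is also the only one in the set that calls `sed -i` without `--follow-symlinks`, which matters if `/etc/login.defs` is a symlink into a managed configuration tree.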

Rule   Set PAM''s Password Hashing Algorithm - password-auth   [ref]

The PAM system service can be configured to only store encrypted @@ -16746,67 +16746,7 @@ of a strong hashing algorithm that makes password cracking attacks more difficult.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85945-4

References:  - BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010160, 5.5.4, SV-230237r809276_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-if [ -e "/etc/pam.d/password-auth" ] ; then
-    PAM_FILE_PATH="/etc/pam.d/password-auth"
-    if [ -f /usr/bin/authselect ]; then
-        
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-
-        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-        # If not already in use, a custom profile is created preserving the enabled features.
-        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-            authselect create-profile hardening -b $CURRENT_PROFILE
-            CURRENT_PROFILE="custom/hardening"
-            
-            authselect apply-changes -b --backup=before-hardening-custom-profile
-            authselect select $CURRENT_PROFILE
-            for feature in $ENABLED_FEATURES; do
-                authselect enable-feature $feature;
-            done
-            
-            authselect apply-changes -b --backup=after-hardening-custom-profile
-        fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
-        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-        authselect apply-changes -b
-    fi
-    if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then
-            # Line matching group + control + module was not found. Check group + module.
-            if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
-                # The control is updated only if one single line matches.
-                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH"
-            else
-                echo 'password    '"sufficient"'    pam_unix.so' >> "$PAM_FILE_PATH"
-            fi
-        fi
-        # Check the option
-        if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH"
-        fi
-    if [ -f /usr/bin/authselect ]; then
-        
-        authselect apply-changes -b
-    fi
-else
-    echo "/etc/pam.d/password-auth was not found" >&2
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17102,38 +17042,11 @@
   - medium_severity
   - no_reboot_needed
   - set_password_hashing_algorithm_passwordauth
-

Rule   - Set PAM''s Password Hashing Algorithm -   [ref]

The PAM system service can be configured to only store encrypted -representations of passwords. In "/etc/pam.d/system-auth", the -password section of the file controls which PAM modules execute -during a password change. Set the pam_unix.so module in the -password section to include the argument sha512, as shown -below: -
- -

password    sufficient    pam_unix.so sha512 other arguments...
- -
-This will help ensure when local users change their passwords, hashes for -the new passwords will be generated using the SHA-512 algorithm. This is -the default.

Rationale:

Passwords need to be protected at all times, and encryption is the standard -method for protecting passwords. If passwords are not encrypted, they can -be plainly read (i.e., clear text) and easily compromised. Passwords that -are encrypted with a weak algorithm are no more protected than if they are -kepy in plain text. -

-This setting ensures user and group account administration utilities are -configured to store only encrypted representations of passwords. -Additionally, the crypt_style configuration option ensures the use -of a strong hashing algorithm that makes password cracking attacks more -difficult.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80893-1

References:  - BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010159, 5.5.4, SV-244524r809331_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-if [ -e "/etc/pam.d/system-auth" ] ; then
-    PAM_FILE_PATH="/etc/pam.d/system-auth"
+if [ -e "/etc/pam.d/password-auth" ] ; then
+    PAM_FILE_PATH="/etc/pam.d/password-auth"
     if [ -f /usr/bin/authselect ]; then
         
         if ! authselect check; then
@@ -17160,7 +17073,7 @@
             
             authselect apply-changes -b --backup=after-hardening-custom-profile
         fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth")
         PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
         authselect apply-changes -b
@@ -17183,13 +17096,40 @@
         authselect apply-changes -b
     fi
 else
-    echo "/etc/pam.d/system-auth was not found" >&2
+    echo "/etc/pam.d/password-auth was not found" >&2
 fi
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+

Rule   + Set PAM''s Password Hashing Algorithm +   [ref]

The PAM system service can be configured to only store encrypted +representations of passwords. In "/etc/pam.d/system-auth", the +password section of the file controls which PAM modules execute +during a password change. Set the pam_unix.so module in the +password section to include the argument sha512, as shown +below: +
+ +

password    sufficient    pam_unix.so sha512 other arguments...
+ +
+This will help ensure when local users change their passwords, hashes for +the new passwords will be generated using the SHA-512 algorithm. This is +the default.

Rationale:

Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can +be plainly read (i.e., clear text) and easily compromised. Passwords that +are encrypted with a weak algorithm are no more protected than if they are +kepy in plain text. +

+This setting ensures user and group account administration utilities are +configured to store only encrypted representations of passwords. +Additionally, the crypt_style configuration option ensures the use +of a strong hashing algorithm that makes password cracking attacks more +difficult.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80893-1

References:  + BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010159, 5.5.4, SV-244524r809331_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17483,6 +17423,66 @@
   - medium_severity
   - no_reboot_needed
   - set_password_hashing_algorithm_systemauth
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+if [ -e "/etc/pam.d/system-auth" ] ; then
+    PAM_FILE_PATH="/etc/pam.d/system-auth"
+    if [ -f /usr/bin/authselect ]; then
+        
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
+
+        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+        # If not already in use, a custom profile is created preserving the enabled features.
+        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+            authselect create-profile hardening -b $CURRENT_PROFILE
+            CURRENT_PROFILE="custom/hardening"
+            
+            authselect apply-changes -b --backup=before-hardening-custom-profile
+            authselect select $CURRENT_PROFILE
+            for feature in $ENABLED_FEATURES; do
+                authselect enable-feature $feature;
+            done
+            
+            authselect apply-changes -b --backup=after-hardening-custom-profile
+        fi
+        PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth")
+        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+        authselect apply-changes -b
+    fi
+    if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*' "$PAM_FILE_PATH"; then
+            # Line matching group + control + module was not found. Check group + module.
+            if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
+                # The control is updated only if one single line matches.
+                sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/' "$PAM_FILE_PATH"
+            else
+                echo 'password    '"sufficient"'    pam_unix.so' >> "$PAM_FILE_PATH"
+            fi
+        fi
+        # Check the option
+        if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*\ssha512\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks '/\s*password\s+'"sufficient"'\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH"
+        fi
+    if [ -f /usr/bin/authselect ]; then
+        
+        authselect apply-changes -b
+    fi
+else
+    echo "/etc/pam.d/system-auth was not found" >&2
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Set Password Hashing Rounds in /etc/login.defs   [ref]

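Review bot: the `sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_unix.so.*)/\1'"sufficient"' \2/'` line in the added Shell snippet rewrites whatever control value the existing `password ... pam_unix.so` entry has to `sufficient`, although this rule only requires the `sha512` option; on a stack where pam_unix is `required`, that changes how the rest of the password stack is evaluated, so the remediation should only append `sha512` to the existing line and leave the control field alone unless no line is present. Two smaller points: the `if ! grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s*.*'` block opens at a four-space indent but its closing `fi` sits at eight, which suggests a nesting mismatch in the template, and this Shell snippet has no Complexity/Disruption/Reboot/Strategy header while the Ansible snippet above it and the Shell snippets of later rules in this diff do.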
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and @@ -17499,23 +17499,7 @@

Using more hashing rounds makes password cracking attacks more difficult.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-89707-4

References:  - BP28(R68), CCI-000196, CCI-000803, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010130, SV-230233r880705_rule

Remediation Shell script:   (show)


-if [ -e "/etc/login.defs" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
-else
-    printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
-    return 1
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/login.defs"
-
-cp "/etc/login.defs" "/etc/login.defs.bak"
-# Insert at the end of the file
-printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs"
-# Clean up after ourselves.
-rm "/etc/login.defs.bak"
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS
+            BP28(R68), CCI-000196, CCI-000803, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010130, SV-230233r880705_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS
     has Minimum Value of 5000
   ansible.builtin.replace:
     path: /etc/login.defs
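Review bot: the Shell snippet removed here (from `if [ -e "/etc/login.defs" ] ; then` to `rm "/etc/login.defs.bak"`) reappears unchanged further down in the same rule, so this hunk is the generator reordering the remediation snippets rather than a content change; confirm the move is intended and that the rendered rule ends up with one Shell and one Ansible snippet, because the context around the single `+` line shows the `Remediation Ansible snippet:` heading and its Complexity/Disruption/Reboot/Strategy lines twice.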
@@ -17548,6 +17532,22 @@
   - no_reboot_needed
   - restrict_strategy
   - set_password_hashing_min_rounds_logindefs
+
Remediation Shell script:   (show)


+if [ -e "/etc/login.defs" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
+else
+    printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
+    return 1
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/login.defs"
+
+cp "/etc/login.defs" "/etc/login.defs.bak"
+# Insert at the end of the file
+printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs"
+# Clean up after ourselves.
+rm "/etc/login.defs.bak"
 

Rule   Disallow Configuration to Bypass Password Requirements for Privilege Escalation   [ref]

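Review bot: `return 1` in the else branch of the added script is outside any function, so when the snippet is run as a script rather than sourced, bash reports an error and keeps executing: `sed -i -e '$a\' "/etc/login.defs"` and the `cp` fail on the missing path, and `printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs"` then creates a one-line /etc/login.defs, the opposite of the "Refusing to continue" message; use `exit 1` as the other Shell snippets in this diff do. Also, the backup made by `cp "/etc/login.defs" "/etc/login.defs.bak"` is deleted two lines later by `rm`, so it offers no rollback; either keep the backup or drop both lines.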
Verify the operating system is not configured to bypass password requirements for privilege @@ -17557,15 +17557,7 @@ have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86319-1

References:  - CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010385, SV-251712r854083_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-sed -i '/pam_succeed_if/d' /etc/pam.d/sudo
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010385, SV-251712r854083_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
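Review bot: the removed `sed -i '/pam_succeed_if/d' /etc/pam.d/sudo` block is re-added verbatim in the next hunk, so this is again the generator moving the Shell snippet after the Ansible snippet; nothing to fix in the content, but this reordering churn marks every rule in the file as changed and hides any real change in this publish, which is worth addressing in the generator before the next automated run.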
@@ -17596,6 +17588,14 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+sed -i '/pam_succeed_if/d' /etc/pam.d/sudo
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure PAM Displays Last Logon/Access Notification   [ref]

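Review bot: the expression in `sed -i '/pam_succeed_if/d' /etc/pam.d/sudo` deletes every line containing the string, commented-out lines included, and unlike the other PAM edits in this diff it does not pass `--follow-symlinks`; restricting it to active entries, for example `/^\s*[^#].*pam_succeed_if\.so/d`, keeps administrator comments intact while still removing the configuration the rule forbids.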
To configure the system to notify users of last logon/access using pam_lastlog, @@ -17617,264 +17617,7 @@ account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80788-3

References:  - 1, 12, 15, 16, 5.5.2, DSS05.04, DSS05.10, DSS06.10, CCI-000052, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0582, 0584, 05885, 0586, 0846, 0957, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, Req-10.2.4, 10.2.1.4, SRG-OS-000480-GPOS-00227, RHEL-08-020340, SV-230381r858726_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-if [ -f /usr/bin/authselect ]; then
-    if authselect list-features minimal | grep -q with-silent-lastlog; then
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-        authselect disable-feature with-silent-lastlog
-
-        authselect apply-changes -b
-    else
-        
-        if ! authselect check; then
-        echo "
-        authselect integrity check failed. Remediation aborted!
-        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-        It is not recommended to manually edit the PAM files when authselect tool is available.
-        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-        exit 1
-        fi
-
-        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-        # If not already in use, a custom profile is created preserving the enabled features.
-        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-            authselect create-profile hardening -b $CURRENT_PROFILE
-            CURRENT_PROFILE="custom/hardening"
-            
-            authselect apply-changes -b --backup=before-hardening-custom-profile
-            authselect select $CURRENT_PROFILE
-            for feature in $ENABLED_FEATURES; do
-                authselect enable-feature $feature;
-            done
-            
-            authselect apply-changes -b --backup=after-hardening-custom-profile
-        fi
-        PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
-        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-        authselect apply-changes -b
-        if [ -e "$PAM_FILE_PATH" ] ; then
-            PAM_FILE_PATH="$PAM_FILE_PATH"
-            if [ -f /usr/bin/authselect ]; then
-                
-                if ! authselect check; then
-                echo "
-                authselect integrity check failed. Remediation aborted!
-                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-                It is not recommended to manually edit the PAM files when authselect tool is available.
-                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-                exit 1
-                fi
-
-                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-                # If not already in use, a custom profile is created preserving the enabled features.
-                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-                    authselect create-profile hardening -b $CURRENT_PROFILE
-                    CURRENT_PROFILE="custom/hardening"
-                    
-                    authselect apply-changes -b --backup=before-hardening-custom-profile
-                    authselect select $CURRENT_PROFILE
-                    for feature in $ENABLED_FEATURES; do
-                        authselect enable-feature $feature;
-                    done
-                    
-                    authselect apply-changes -b --backup=after-hardening-custom-profile
-                fi
-                PAM_FILE_NAME=$(basename "$PAM_FILE_PATH")
-                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-                authselect apply-changes -b
-            fi
-            if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
-                    # Line matching group + control + module was not found. Check group + module.
-                    if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
-                        # The control is updated only if one single line matches.
-                        sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
-                    else
-                        LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
-                        if [ ! -z $LAST_MATCH_LINE ]; then
-                            sed -i --follow-symlinks $LAST_MATCH_LINE' a session     '"\[default=1\]"'    pam_lastlog.so' "$PAM_FILE_PATH"
-                        else
-                            echo 'session    '"\[default=1\]"'    pam_lastlog.so' >> "$PAM_FILE_PATH"
-                        fi
-                    fi
-                fi
-                # Check the option
-                if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
-                    sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
-                fi
-            if [ -f /usr/bin/authselect ]; then
-                
-                authselect apply-changes -b
-            fi
-        else
-            echo "$PAM_FILE_PATH was not found" >&2
-        fi
-        if [ -e "$PAM_FILE_PATH" ] ; then
-            PAM_FILE_PATH="$PAM_FILE_PATH"
-            if [ -f /usr/bin/authselect ]; then
-                
-                if ! authselect check; then
-                echo "
-                authselect integrity check failed. Remediation aborted!
-                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-                It is not recommended to manually edit the PAM files when authselect tool is available.
-                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-                exit 1
-                fi
-
-                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-                # If not already in use, a custom profile is created preserving the enabled features.
-                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-                    authselect create-profile hardening -b $CURRENT_PROFILE
-                    CURRENT_PROFILE="custom/hardening"
-                    
-                    authselect apply-changes -b --backup=before-hardening-custom-profile
-                    authselect select $CURRENT_PROFILE
-                    for feature in $ENABLED_FEATURES; do
-                        authselect enable-feature $feature;
-                    done
-                    
-                    authselect apply-changes -b --backup=after-hardening-custom-profile
-                fi
-                PAM_FILE_NAME=$(basename "$PAM_FILE_PATH")
-                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-                authselect apply-changes -b
-            fi
-            
-        if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
-        fi
-            if [ -f /usr/bin/authselect ]; then
-                
-                authselect apply-changes -b
-            fi
-        else
-            echo "$PAM_FILE_PATH was not found" >&2
-        fi
-    fi
-else
-    if [ -e "/etc/pam.d/postlogin" ] ; then
-            PAM_FILE_PATH="/etc/pam.d/postlogin"
-            if [ -f /usr/bin/authselect ]; then
-                
-                if ! authselect check; then
-                echo "
-                authselect integrity check failed. Remediation aborted!
-                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-                It is not recommended to manually edit the PAM files when authselect tool is available.
-                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-                exit 1
-                fi
-
-                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-                # If not already in use, a custom profile is created preserving the enabled features.
-                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-                    authselect create-profile hardening -b $CURRENT_PROFILE
-                    CURRENT_PROFILE="custom/hardening"
-                    
-                    authselect apply-changes -b --backup=before-hardening-custom-profile
-                    authselect select $CURRENT_PROFILE
-                    for feature in $ENABLED_FEATURES; do
-                        authselect enable-feature $feature;
-                    done
-                    
-                    authselect apply-changes -b --backup=after-hardening-custom-profile
-                fi
-                PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
-                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-                authselect apply-changes -b
-            fi
-            if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
-                    # Line matching group + control + module was not found. Check group + module.
-                    if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
-                        # The control is updated only if one single line matches.
-                        sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
-                    else
-                        LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
-                        if [ ! -z $LAST_MATCH_LINE ]; then
-                            sed -i --follow-symlinks $LAST_MATCH_LINE' a session     '"\[default=1\]"'    pam_lastlog.so' "$PAM_FILE_PATH"
-                        else
-                            echo 'session    '"\[default=1\]"'    pam_lastlog.so' >> "$PAM_FILE_PATH"
-                        fi
-                    fi
-                fi
-                # Check the option
-                if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
-                    sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
-                fi
-            if [ -f /usr/bin/authselect ]; then
-                
-                authselect apply-changes -b
-            fi
-        else
-            echo "/etc/pam.d/postlogin was not found" >&2
-        fi
-    if [ -e "/etc/pam.d/postlogin" ] ; then
-            PAM_FILE_PATH="/etc/pam.d/postlogin"
-            if [ -f /usr/bin/authselect ]; then
-                
-                if ! authselect check; then
-                echo "
-                authselect integrity check failed. Remediation aborted!
-                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-                It is not recommended to manually edit the PAM files when authselect tool is available.
-                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-                exit 1
-                fi
-
-                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
-                # If not already in use, a custom profile is created preserving the enabled features.
-                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
-                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
-                    authselect create-profile hardening -b $CURRENT_PROFILE
-                    CURRENT_PROFILE="custom/hardening"
-                    
-                    authselect apply-changes -b --backup=before-hardening-custom-profile
-                    authselect select $CURRENT_PROFILE
-                    for feature in $ENABLED_FEATURES; do
-                        authselect enable-feature $feature;
-                    done
-                    
-                    authselect apply-changes -b --backup=after-hardening-custom-profile
-                fi
-                PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
-                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
-
-                authselect apply-changes -b
-            fi
-            
-        if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
-            sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
-        fi
-            if [ -f /usr/bin/authselect ]; then
-                
-                authselect apply-changes -b
-            fi
-        else
-            echo "/etc/pam.d/postlogin was not found" >&2
-        fi
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
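Review bot: the removed pam_lastlog script contains the authselect custom-profile block (from `CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')` through `authselect apply-changes -b --backup=after-hardening-custom-profile`) five times, each followed by its own `authselect apply-changes -b`, and the same script is re-added in the following hunk; the template should emit that block once per remediation. Two things to carry over when it is regenerated: `if [ ! -z $LAST_MATCH_LINE ]; then` should quote the variable (`[ -n "$LAST_MATCH_LINE" ]`), and the trailing context of this hunk shows `Remediation Ansible snippet:   (show)` twice in a row, so the rendered rule has a duplicated heading.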
@@ -18260,174 +18003,414 @@
   - low_disruption
   - low_severity
   - no_reboot_needed
-
Group   - Protect Physical Console Access -   Group contains 3 groups and 14 rules

[ref]   - It is impossible to fully protect a system from an -attacker with physical access, so securing the space in which the -system is located should be considered a necessary step. However, -there are some steps which, if taken, make it more difficult for an -attacker to quickly or undetectably modify a system from its -console.

Group   - Configure Screen Locking -   Group contains 2 groups and 8 rules

[ref]   - When a user must temporarily leave an account -logged-in, screen locking should be employed to prevent passersby -from abusing the account. User education and training is -particularly important for screen locking to be effective, and policies -can be implemented to reinforce this. -

-Automatic screen locking is only meant as a safeguard for -those cases where a user forgot to lock the screen.

Group   - Configure Console Screen Locking -   Group contains 6 rules

[ref]   - A console screen locking mechanism is a temporary action taken when a user -stops work and moves away from the immediate physical vicinity of the -information system but does not logout because of the temporary nature of -the absence. Rather than relying on the user to manually lock their -operation system session prior to vacating the vicinity, operating systems -need to be able to identify when a user's session has idled and take action -to initiate the session lock.

Rule   - Install the tmux Package -   [ref]

To enable console screen locking, install the tmux package. -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. -The session lock is implemented at the point where session activity can be determined. -Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -Instruct users to begin new terminal sessions with the following command: -

$ tmux
-The console can now be locked with the following key combination: -
ctrl+b :lock-session

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate -physical vicinity of the information system but does not logout because of the temporary nature of the absence. -Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, -operating systems need to be able to identify when a user's session has idled and take action to initiate the -session lock. -

-The tmux package allows for a session lock to be implemented and configured.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80644-8

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000058, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009, RHEL-08-020039, SV-244537r743860_rule

Remediation script:   (show)


-[[packages]]
-name = "tmux"
-version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "tmux" ; then
-    yum install -y "tmux"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_tmux
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
 
-class install_tmux {
-  package { 'tmux':
-    ensure => 'installed',
-  }
-}
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure tmux is installed
-  package:
-    name: tmux
-    state: present
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80644-8
-  - DISA-STIG-RHEL-08-020039
-  - NIST-800-171-3.1.10
-  - NIST-800-53-CM-6(a)
-  - enable_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - package_tmux_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=tmux
-

Rule   - Support session locking with tmux (not enforcing) -   [ref]

The tmux terminal multiplexer is used to implement -automatic session locking. It should be started from -/etc/bashrc or drop-in files within /etc/profile.d/.

Warning:  - This rule configures Tmux to be executed in a way that exiting Tmux -drops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user.
Rationale:

Unlike bash itself, the tmux terminal multiplexer -provides a mechanism to lock sessions after period of inactivity. -A session lock is a temporary action taken when a user stops work and moves away from the -immediate physical vicinity of the information system but does not want to -log out because of the temporary nature of the absence.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-90782-4

References:  - CCI-000056, CCI-000058, SRG-OS-000031-GPOS-00012, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020041, SV-230349r917920_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
+if [ -f /usr/bin/authselect ]; then
+    if authselect list-features minimal | grep -q with-silent-lastlog; then
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
+        authselect disable-feature with-silent-lastlog
 
-if ! grep -x '  case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
-    cat >> /etc/profile.d/tmux.sh <<'EOF'
-if [ "$PS1" ]; then
-  parent=$(ps -o ppid= -p $$)
-  name=$(ps -o comm= -p $parent)
-  case "$name" in (sshd|login) tmux ;; esac
-fi
-EOF
-    chmod 0644 /etc/profile.d/tmux.sh
-fi
+        authselect apply-changes -b
+    else
+        
+        if ! authselect check; then
+        echo "
+        authselect integrity check failed. Remediation aborted!
+        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+        It is not recommended to manually edit the PAM files when authselect tool is available.
+        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+        exit 1
+        fi
 
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-90782-4
-  - DISA-STIG-RHEL-08-020041
-  - configure_bashrc_tmux
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
+        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+        # If not already in use, a custom profile is created preserving the enabled features.
+        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+            authselect create-profile hardening -b $CURRENT_PROFILE
+            CURRENT_PROFILE="custom/hardening"
+            
+            authselect apply-changes -b --backup=before-hardening-custom-profile
+            authselect select $CURRENT_PROFILE
+            for feature in $ENABLED_FEATURES; do
+                authselect enable-feature $feature;
+            done
+            
+            authselect apply-changes -b --backup=after-hardening-custom-profile
+        fi
+        PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
+        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
-- name: 'Support session locking with tmux (not enforcing): Determine if the Tmux
-    launch script is present in /etc/bashrc'
-  ansible.builtin.find:
-    paths: /etc
-    patterns: bashrc
-    contains: .*case "$name" in (sshd|login) tmux ;; esac.*
-  register: tmux_in_bashrc
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - '"tmux" in ansible_facts.packages'
-  tags:
-  - CCE-90782-4
-  - DISA-STIG-RHEL-08-020041
-  - configure_bashrc_tmux
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
+        authselect apply-changes -b
+        if [ -e "$PAM_FILE_PATH" ] ; then
+            PAM_FILE_PATH="$PAM_FILE_PATH"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
 
-- name: 'Support session locking with tmux (not enforcing): Determine if the Tmux
-    launch script is present in /etc/profile.d/*.sh'
-  ansible.builtin.find:
-    paths: /etc/profile.d
-    patterns: '*.sh'
-    contains: .*case "$name" in (sshd|login) tmux ;; esac.*
-  register: tmux_in_profile_d
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - '"tmux" in ansible_facts.packages'
-  tags:
-  - CCE-90782-4
-  - DISA-STIG-RHEL-08-020041
-  - configure_bashrc_tmux
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "$PAM_FILE_PATH")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 
-- name: 'Support session locking with tmux (not enforcing): Insert the correct script
-    into /etc/profile.d/tmux.sh'
-  ansible.builtin.blockinfile:
+                authselect apply-changes -b
+            fi
+            if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
+                    # Line matching group + control + module was not found. Check group + module.
+                    if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
+                        # The control is updated only if one single line matches.
+                        sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
+                    else
+                        LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+                        if [ ! -z $LAST_MATCH_LINE ]; then
+                            sed -i --follow-symlinks $LAST_MATCH_LINE' a session     '"\[default=1\]"'    pam_lastlog.so' "$PAM_FILE_PATH"
+                        else
+                            echo 'session    '"\[default=1\]"'    pam_lastlog.so' >> "$PAM_FILE_PATH"
+                        fi
+                    fi
+                fi
+                # Check the option
+                if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
+                    sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
+                fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "$PAM_FILE_PATH was not found" >&2
+        fi
+        if [ -e "$PAM_FILE_PATH" ] ; then
+            PAM_FILE_PATH="$PAM_FILE_PATH"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
+
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "$PAM_FILE_PATH")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+                authselect apply-changes -b
+            fi
+            
+        if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "$PAM_FILE_PATH was not found" >&2
+        fi
+    fi
+else
+    if [ -e "/etc/pam.d/postlogin" ] ; then
+            PAM_FILE_PATH="/etc/pam.d/postlogin"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
+
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+                authselect apply-changes -b
+            fi
+            if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
+                    # Line matching group + control + module was not found. Check group + module.
+                    if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
+                        # The control is updated only if one single line matches.
+                        sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
+                    else
+                        LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
+                        if [ ! -z $LAST_MATCH_LINE ]; then
+                            sed -i --follow-symlinks $LAST_MATCH_LINE' a session     '"\[default=1\]"'    pam_lastlog.so' "$PAM_FILE_PATH"
+                        else
+                            echo 'session    '"\[default=1\]"'    pam_lastlog.so' >> "$PAM_FILE_PATH"
+                        fi
+                    fi
+                fi
+                # Check the option
+                if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
+                    sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
+                fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "/etc/pam.d/postlogin was not found" >&2
+        fi
+    if [ -e "/etc/pam.d/postlogin" ] ; then
+            PAM_FILE_PATH="/etc/pam.d/postlogin"
+            if [ -f /usr/bin/authselect ]; then
+                
+                if ! authselect check; then
+                echo "
+                authselect integrity check failed. Remediation aborted!
+                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+                It is not recommended to manually edit the PAM files when authselect tool is available.
+                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+                exit 1
+                fi
+
+                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+                # If not already in use, a custom profile is created preserving the enabled features.
+                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+                    authselect create-profile hardening -b $CURRENT_PROFILE
+                    CURRENT_PROFILE="custom/hardening"
+                    
+                    authselect apply-changes -b --backup=before-hardening-custom-profile
+                    authselect select $CURRENT_PROFILE
+                    for feature in $ENABLED_FEATURES; do
+                        authselect enable-feature $feature;
+                    done
+                    
+                    authselect apply-changes -b --backup=after-hardening-custom-profile
+                fi
+                PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
+                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+                authselect apply-changes -b
+            fi
+            
+        if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
+            sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+        fi
+            if [ -f /usr/bin/authselect ]; then
+                
+                authselect apply-changes -b
+            fi
+        else
+            echo "/etc/pam.d/postlogin was not found" >&2
+        fi
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
Group   + Protect Physical Console Access +   Group contains 3 groups and 14 rules

[ref]   + It is impossible to fully protect a system from an +attacker with physical access, so securing the space in which the +system is located should be considered a necessary step. However, +there are some steps which, if taken, make it more difficult for an +attacker to quickly or undetectably modify a system from its +console.

Group   + Configure Screen Locking +   Group contains 2 groups and 8 rules

[ref]   + When a user must temporarily leave an account +logged-in, screen locking should be employed to prevent passersby +from abusing the account. User education and training is +particularly important for screen locking to be effective, and policies +can be implemented to reinforce this. +

+Automatic screen locking is only meant as a safeguard for +those cases where a user forgot to lock the screen.

Group   + Configure Console Screen Locking +   Group contains 6 rules

[ref]   + A console screen locking mechanism is a temporary action taken when a user +stops work and moves away from the immediate physical vicinity of the +information system but does not logout because of the temporary nature of +the absence. Rather than relying on the user to manually lock their +operation system session prior to vacating the vicinity, operating systems +need to be able to identify when a user's session has idled and take action +to initiate the session lock.

Rule   + Install the tmux Package +   [ref]

To enable console screen locking, install the tmux package. +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +The session lock is implemented at the point where session activity can be determined. +Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. +Instruct users to begin new terminal sessions with the following command: +

$ tmux
+The console can now be locked with the following key combination: +
ctrl+b :lock-session

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, +operating systems need to be able to identify when a user's session has idled and take action to initiate the +session lock. +

+The tmux package allows for a session lock to be implemented and configured.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80644-8

References:  + 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000058, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009, RHEL-08-020039, SV-244537r743860_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=tmux
+
Remediation script:   (show)


+[[packages]]
+name = "tmux"
+version = "*"
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_tmux
+
+class install_tmux {
+  package { 'tmux':
+    ensure => 'installed',
+  }
+}
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure tmux is installed
+  package:
+    name: tmux
+    state: present
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80644-8
+  - DISA-STIG-RHEL-08-020039
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - enable_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - package_tmux_installed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "tmux" ; then
+    yum install -y "tmux"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Rule   + Support session locking with tmux (not enforcing) +   [ref]

The tmux terminal multiplexer is used to implement +automatic session locking. It should be started from +/etc/bashrc or drop-in files within /etc/profile.d/.

Warning:  + This rule configures Tmux to be executed in a way that exiting Tmux +drops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user.
Rationale:

Unlike bash itself, the tmux terminal multiplexer +provides a mechanism to lock sessions after period of inactivity. +A session lock is a temporary action taken when a user stops work and moves away from the +immediate physical vicinity of the information system but does not want to +log out because of the temporary nature of the absence.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-90782-4

References:  + CCI-000056, CCI-000058, SRG-OS-000031-GPOS-00012, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020041, SV-230349r917920_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-90782-4
+  - DISA-STIG-RHEL-08-020041
+  - configure_bashrc_tmux
+  - configure_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: 'Support session locking with tmux (not enforcing): Determine if the Tmux
+    launch script is present in /etc/bashrc'
+  ansible.builtin.find:
+    paths: /etc
+    patterns: bashrc
+    contains: .*case "$name" in (sshd|login) tmux ;; esac.*
+  register: tmux_in_bashrc
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"tmux" in ansible_facts.packages'
+  tags:
+  - CCE-90782-4
+  - DISA-STIG-RHEL-08-020041
+  - configure_bashrc_tmux
+  - configure_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: 'Support session locking with tmux (not enforcing): Determine if the Tmux
+    launch script is present in /etc/profile.d/*.sh'
+  ansible.builtin.find:
+    paths: /etc/profile.d
+    patterns: '*.sh'
+    contains: .*case "$name" in (sshd|login) tmux ;; esac.*
+  register: tmux_in_profile_d
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"tmux" in ansible_facts.packages'
+  tags:
+  - CCE-90782-4
+  - DISA-STIG-RHEL-08-020041
+  - configure_bashrc_tmux
+  - configure_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: 'Support session locking with tmux (not enforcing): Insert the correct script
+    into /etc/profile.d/tmux.sh'
+  ansible.builtin.blockinfile:
     path: /etc/profile.d/tmux.sh
     block: |
       if [ "$PS1" ]; then
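Review bot: the authselect integrity check and custom-profile creation sequence (from `if ! authselect check; then` through `PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"` and `authselect apply-changes -b`) is repeated four times in the visible part of this hunk, once per PAM file path variant and again for each of the two pam_lastlog options (`showfailed`, `silent`), so any fix to it has to be made in four places; it belongs in a shell function called before each edit. Inside that sequence, `if [ ! -z $LAST_MATCH_LINE ]; then` leaves the variable unquoted; `[ -n "$LAST_MATCH_LINE" ]` is the safe form. Separately, the Ansible `find` tasks removed at the top of the hunk (`register: tmux_in_bashrc`, `register: tmux_in_profile_d`) are re-added unchanged further down, so most of this hunk is a reordering of generated output rather than a change; emitting remediation snippets in a deterministic order would keep these automated publishes reviewable.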
@@ -18450,6 +18433,23 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
+
+if ! grep -x '  case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
+    cat >> /etc/profile.d/tmux.sh <<'EOF'
+if [ "$PS1" ]; then
+  parent=$(ps -o ppid= -p $$)
+  name=$(ps -o comm= -p $parent)
+  case "$name" in (sshd|login) tmux ;; esac
+fi
+EOF
+    chmod 0644 /etc/profile.d/tmux.sh
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure tmux to lock session after inactivity   [ref]
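Review bot: the metadata of the added shell snippet says `Reboot:true`, while the Ansible snippet for the same rule (CCE-90782-4) says `Reboot:false` and its tasks carry the `no_reboot_needed` tag; a drop-in under /etc/profile.d takes effect at the next login shell, so the two labels should agree. The script body is sound: `grep -x` over /etc/bashrc and /etc/profile.d/*.sh prevents appending the block twice, and the quoted heredoc (`<<'EOF'`) keeps `$$`, `$parent` and `$name` unexpanded so they reach the file as written.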

To enable console screen locking in tmux terminal multiplexer @@ -18458,22 +18458,7 @@ or equal to 900 in /etc/tmux.conf.

Rationale:

Locking the session after a period of inactivity limits the potential exposure if the session is left unattended.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82199-1

References:  - CCI-000057, CCI-000060, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020070, SV-230353r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
-
-tmux_conf="/etc/tmux.conf"
-
-if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then
-    sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf"
-else
-    echo "set -g lock-after-time 900" >> "$tmux_conf"
-fi
-chmod 0644 "$tmux_conf"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-000057, CCI-000060, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020070, SV-230353r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -18529,6 +18514,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
+
+tmux_conf="/etc/tmux.conf"
+
+if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then
+    sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf"
+else
+    echo "set -g lock-after-time 900" >> "$tmux_conf"
+fi
+chmod 0644 "$tmux_conf"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure the tmux Lock Command   [ref]
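Review bot: this shell snippet jumps from the `Remediation Shell script:` heading straight to `# Remediation is applicable only in certain platforms` with no Complexity/Disruption/Reboot/Strategy lines, unlike the other shell snippets on the page (the package_tmux_installed one lists `Complexity:low` through `Strategy:enable`), while the Ansible snippet for this rule does carry them (`Strategy:restrict`); the generator appears to drop them for the shell variant. Also, `sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf"` runs without `--follow-symlinks`, which the pam_lastlog remediation earlier in this diff passes to every `sed -i`; if /etc/tmux.conf is a symlink, in-place sed replaces the link with a regular file.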

To enable console screen locking in tmux terminal multiplexer, @@ -18541,22 +18541,7 @@ However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80940-0

References:  - CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020040, SV-230348r902725_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
-
-tmux_conf="/etc/tmux.conf"
-
-if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then
-    sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf"
-else
-    echo "set -g lock-command vlock" >> "$tmux_conf"
-fi
-chmod 0644 "$tmux_conf"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020040, SV-230348r902725_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -18618,6 +18603,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
+
+tmux_conf="/etc/tmux.conf"
+
+if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then
+    sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf"
+else
+    echo "set -g lock-command vlock" >> "$tmux_conf"
+fi
+chmod 0644 "$tmux_conf"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure the tmux lock session key binding   [ref]
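Review bot: `echo "set -g lock-command vlock" >> "$tmux_conf"` makes the session lock depend on the vlock binary, but the applicability test on the first line only checks `rpm --quiet -q tmux`; on a host without vlock, `lock-session` invokes a command that does not exist and the session stays unlocked, which is exactly the gap the rule description calls out ("The tmux default configuration does not contain an effective session lock"). Either add `rpm --quiet -q vlock` to the gate or have the snippet install or require vlock. The Complexity/Disruption/Reboot/Strategy lines are missing from this shell snippet as well.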

To set a key binding for the screen locking in tmux terminal multiplexer, @@ -18629,20 +18629,7 @@ However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.

Severity: 
low
Identifiers and References

Identifiers:  CCE-86135-1

References:  - CCI-000056, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020040, SV-230348r902725_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
-
-tmux_conf="/etc/tmux.conf"
-
-if ! grep -qP '^\s*bind\s+\w\s+lock-session' "$tmux_conf" ; then
-    echo "bind X lock-session" >> "$tmux_conf"
-fi
-chmod 0644 "$tmux_conf"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
+            CCI-000056, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020040, SV-230348r902725_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -18719,6 +18706,19 @@
   - low_disruption
   - low_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
+
+tmux_conf="/etc/tmux.conf"
+
+if ! grep -qP '^\s*bind\s+\w\s+lock-session' "$tmux_conf" ; then
+    echo "bind X lock-session" >> "$tmux_conf"
+fi
+chmod 0644 "$tmux_conf"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Prevent user from disabling the screen lock   [ref]
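Review bot: the idempotence check `grep -qP '^\s*bind\s+\w\s+lock-session'` only recognises single-character keys, so an existing binding such as `bind C-x lock-session`, or one written with a `-n` or `-T` flag, is not detected and `bind X lock-session` is appended again on every run; use `\S+` in place of `\w` (and allow the flags) and anchor `lock-session` at end of line. This shell snippet also lacks the Complexity/Disruption/Reboot/Strategy block that the Ansible snippet for the same rule (CCE-86135-1) carries with `Strategy:configure`.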

The tmux terminal multiplexer is used to implement @@ -18727,17 +18727,7 @@ prevents malicious program running as user from lowering security by disabling the screen lock.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82361-7

References:  - CCI-000056, CCI-000058, CM-6, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020042, SV-230350r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if grep -q 'tmux\s*$' /etc/shells ; then
-	sed -i '/tmux\s*$/d' /etc/shells
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation script:   (show)

Remediation script:   (show)

---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:
@@ -18751,6 +18741,16 @@
         mode: 0644
         path: /etc/shells
         overwrite: true
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if grep -q 'tmux\s*$' /etc/shells ; then
+	sed -i '/tmux\s*$/d' /etc/shells
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Hardware Tokens for Authentication   Group contains 2 rules
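Review bot: `grep -q 'tmux\s*$' /etc/shells` and `sed -i '/tmux\s*$/d' /etc/shells` match any line that ends in the characters `tmux`, not only a path to the tmux binary, so a commented-out line or a path to a differently named binary ending in those characters would also be deleted; anchoring on the path separator, `'/tmux\s*$'`, keeps the intent (tmux must not be a login shell) without the over-match. The `sed` line is indented with a tab while the rest of the snippet uses spaces, and, as with the other shell snippets in this batch, the Complexity/Disruption/Reboot/Strategy lines are absent.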

[ref]   @@ -18775,20 +18775,12 @@ as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80846-9

References:  - CCI-001954, CCI-001953, 1382, 1384, 1386, CM-6(a), SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, RHEL-08-010410, SV-230275r854030_rule

Remediation script:   (show)


+            CCI-001954, CCI-001953, 1382, 1384, 1386, CM-6(a), SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, RHEL-08-010410, SV-230275r854030_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=opensc
+
Remediation script:   (show)


 [[packages]]
 name = "opensc"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "opensc" ; then
-    yum install -y "opensc"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_opensc
 
 class install_opensc {
@@ -18811,8 +18803,16 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=opensc
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "opensc" ; then
+    yum install -y "opensc"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Install Smart Card Packages For Multifactor Authentication   [ref]

Configure the operating system to implement multifactor authentication by @@ -18831,20 +18831,12 @@ as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84029-8

References:  - CCI-000765, CCI-001948, CCI-001953, CCI-001954, CM-6(a), Req-8.3, SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000377-GPOS-00162, RHEL-08-010390, SV-230273r854028_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=openssl-pkcs11
+
Remediation script:   (show)


 [[packages]]
 name = "openssl-pkcs11"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then
-
-if ! rpm -q --quiet "openssl-pkcs11" ; then
-    yum install -y "openssl-pkcs11"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_openssl-pkcs11
 
 class install_openssl-pkcs11 {
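Review bot: `include install_openssl-pkcs11` and `class install_openssl-pkcs11 {` put a hyphen in a Puppet class name, which the Puppet language does not allow (class name segments are limited to lowercase letters, digits and underscores, and hyphens have been rejected since Puppet 4), so this snippet fails to parse. Name the class `install_openssl_pkcs11`; the opensc snippet above (`class install_opensc`) is fine only because that package name contains no hyphen.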
@@ -18870,8 +18862,16 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=openssl-pkcs11
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then
+
+if ! rpm -q --quiet "openssl-pkcs11" ; then
+    yum install -y "openssl-pkcs11"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable debug-shell SystemD Service   [ref]

Remediation script:   (show)


 [customizations.services]
 disabled = ["debug-shell"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'debug-shell.service'
-"$SYSTEMCTL_EXEC" disable 'debug-shell.service'
-"$SYSTEMCTL_EXEC" mask 'debug-shell.service'
-# Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" -q list-unit-files debug-shell.socket; then
-    "$SYSTEMCTL_EXEC" stop 'debug-shell.socket'
-    "$SYSTEMCTL_EXEC" mask 'debug-shell.socket'
-fi
-# The service may not be running because it has been started and failed,
-# so let's reset the state so OVAL checks pass.
-# Service should be 'inactive', not 'failed' after reboot though.
-"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+
Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include disable_debug-shell
 
 class disable_debug-shell {
@@ -18988,17 +18979,26 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" stop 'debug-shell.service'
+"$SYSTEMCTL_EXEC" disable 'debug-shell.service'
+"$SYSTEMCTL_EXEC" mask 'debug-shell.service'
+# Disable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" -q list-unit-files debug-shell.socket; then
+    "$SYSTEMCTL_EXEC" stop 'debug-shell.socket'
+    "$SYSTEMCTL_EXEC" mask 'debug-shell.socket'
+fi
+# The service may not be running because it has been started and failed,
+# so let's reset the state so OVAL checks pass.
+# Service should be 'inactive', not 'failed' after reboot though.
+"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable Ctrl-Alt-Del Burst Action   [ref]

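Review bot: the MachineConfig snippet (`- enabled: false` / `name: debug-shell.service`) only disables the unit, while the Shell remediation stops, disables and masks both `debug-shell.service` and `debug-shell.socket`; a unit that is merely disabled can still be started by hand or through socket activation, so the two remediations do not leave the node in the same state. Consider `mask: true` on the unit, as the ctrl-alt-del.target MachineConfig further down already does, or document the weaker guarantee.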
By default, SystemD will reboot the system if the Ctrl-Alt-Del @@ -19017,34 +19017,20 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80784-2

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040172, SV-230531r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^CtrlAltDelBurstAction=")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s=%s" "$stripped_key" "none"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf"
-else
-    if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf"
-    fi
-    cce="CCE-80784-2"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf"
-    printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040172, SV-230531r627750_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Gather the package facts
   package_facts:
     manager: auto
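Review bot: the references list for this rule, in both its removed and its re-added rendering, names `CM-6(a)` twice (`CM-6(a), AC-6(1), CM-6(a)`), whereas the sibling rule "Disable Ctrl-Alt-Del Reboot Activation" lists it once; the duplicate should be fixed in the rule source rather than in the generated HTML so it does not reappear on the next publish.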
@@ -19085,20 +19071,34 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^CtrlAltDelBurstAction=")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s=%s" "$stripped_key" "none"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf"
+else
+    if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf"
+    fi
+    cce="CCE-80784-2"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable Ctrl-Alt-Del Reboot Activation   [ref]

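Review bot: the Shell remediation rewrites `/etc/systemd/system.conf` but never asks the running manager to re-read it, so `CtrlAltDelBurstAction=none` only becomes effective after `systemctl daemon-reexec` or a reboot; the MachineConfig path gets that for free through the node reboot, the shell path should either run `systemctl daemon-reexec` after editing the file or be annotated as requiring a reboot. Also worth recording: the shell snippet edits the main config file while the MachineConfig writes a drop-in under `/etc/systemd/system.conf.d/`, so the two paths leave the setting in different places.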
By default, SystemD will reboot the system if the Ctrl-Alt-Del @@ -19117,15 +19117,17 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80785-9

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040170, SV-230529r833338_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
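Review bot: the MachineConfig snippet is tagged `Reboot:true` / `Strategy:restrict` while the Ansible snippet for the same rule is `Reboot:false` / `Strategy:disable`; both mask the same `ctrl-alt-del.target`, so the metadata should agree. If `Reboot:true` reflects the MCO-driven node reboot rather than anything the control itself needs, that reasoning belongs in the snippet text.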
@@ -19145,17 +19147,15 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+systemctl disable --now ctrl-alt-del.target
+systemctl mask --now ctrl-alt-del.target
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Logind to terminate idle sessions after certain time of inactivity   [ref]

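Review bot: this hunk, like every other hunk in this file, only moves an unchanged Shell script from before the Ansible snippet to after it; the remediation itself (`systemctl disable --now` followed by `systemctl mask --now` on ctrl-alt-del.target) is identical on both sides. Across four files and 166k lines of such relocations a real change would be invisible, so the generator should emit remediation snippets in a fixed order (for example Blueprint, Anaconda, Kubernetes, Ansible, Puppet, Shell) so that an automated publish with unchanged content yields an empty diff.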
To configure logind service to terminate inactive user sessions @@ -19166,32 +19166,7 @@ opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-90784-0

References:  - BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, FMT_SMF_EXT.1.1, Req-8.1.8, SRG-OS-000163-GPOS-00072, RHEL-08-020035, SV-257258r917891_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) || grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; }; then
-
-var_logind_session_timeout='300'
-
-
-
-# Try find '[Login]' and 'StopIdleSessionSec' in '/etc/systemd/logind.conf', if it exists, set
-# to '$var_logind_session_timeout', if it isn't here, add it, if '[Login]' doesn't exist, add it there
-if grep -qzosP '[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec' '/etc/systemd/logind.conf'; then
-    
-    sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/" '/etc/systemd/logind.conf'
-elif grep -qs '[[:space:]]*\[Login]' '/etc/systemd/logind.conf'; then
-    sed -i "/[[:space:]]*\[Login]/a StopIdleSessionSec=$var_logind_session_timeout" '/etc/systemd/logind.conf'
-else
-    if test -d "/etc/systemd"; then
-        printf '%s\n' '[Login]' "StopIdleSessionSec=$var_logind_session_timeout" >> '/etc/systemd/logind.conf'
-    else
-        echo "Config file directory '/etc/systemd' doesnt exist, not remediating, assuming non-applicability." >&2
-    fi
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value var_logind_session_timeout # promote to variable
   set_fact:
     var_logind_session_timeout: !!str 300
   tags:
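Review bot: the applicability test `{ ( rhel-branch ) || grep -qP "^ID=...ol..." ... && { ...expected="8.7"... }; }` relies on `||` and `&&` having equal precedence and binding left to right, so it actually parses as `( rhel-branch || is-ol ) && ol-version-check`; it happens to give the intended answer only because the RHEL branch already enforced the 8.7 floor, but it reads as if the trailing version check belonged to Oracle Linux alone. Group the OL branch explicitly, `{ grep -qP "^ID=[\"']?ol[\"']?$" /etc/os-release && { ...; }; }`, so the intent survives the next edit.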
@@ -19231,6 +19206,31 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) || grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; }; then
+
+var_logind_session_timeout='300'
+
+
+
+# Try find '[Login]' and 'StopIdleSessionSec' in '/etc/systemd/logind.conf', if it exists, set
+# to '$var_logind_session_timeout', if it isn't here, add it, if '[Login]' doesn't exist, add it there
+if grep -qzosP '[[:space:]]*\[Login]([^\n\[]*\n+)+?[[:space:]]*StopIdleSessionSec' '/etc/systemd/logind.conf'; then
+    
+    sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/" '/etc/systemd/logind.conf'
+elif grep -qs '[[:space:]]*\[Login]' '/etc/systemd/logind.conf'; then
+    sed -i "/[[:space:]]*\[Login]/a StopIdleSessionSec=$var_logind_session_timeout" '/etc/systemd/logind.conf'
+else
+    if test -d "/etc/systemd"; then
+        printf '%s\n' '[Login]' "StopIdleSessionSec=$var_logind_session_timeout" >> '/etc/systemd/logind.conf'
+    else
+        echo "Config file directory '/etc/systemd' doesnt exist, not remediating, assuming non-applicability." >&2
+    fi
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Require Authentication for Emergency Systemd Target   [ref]

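Review bot: in the Shell remediation, `sed -i "s/StopIdleSessionSec[^(\n)]*/StopIdleSessionSec=$var_logind_session_timeout/"` does not exclude newlines as the comment suggests: inside a sed bracket expression `[^(\n)]` is "any character except `(`, `\`, `n` and `)`", so an existing value containing an `n` (systemd accepts `StopIdleSessionSec=5min`) is only partly replaced and the line becomes `StopIdleSessionSec=300n`. The substitution also runs on every line of the file, so the shipped `#StopIdleSessionSec=` comment is rewritten too. Anchor and bound the pattern, e.g. `s/^[[:space:]]*StopIdleSessionSec=.*/StopIdleSessionSec=$var_logind_session_timeout/`.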
Emergency mode is intended as a system recovery @@ -19242,25 +19242,7 @@ on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82186-8

References:  - 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010152, 1.4.3, SV-244523r743818_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-service_file="/usr/lib/systemd/system/emergency.service"
-
-
-sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency"
-
-
-if grep "^ExecStart=.*" "$service_file" ; then
-    sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
-else
-    echo "ExecStart=-$sulogin" >> "$service_file"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Require emergency mode password
   lineinfile:
     create: true
     dest: /usr/lib/systemd/system/emergency.service
@@ -19281,23 +19263,14 @@
   - no_reboot_needed
   - require_emergency_target_auth
   - restrict_strategy
-

Rule   - Require Authentication for Single User Mode -   [ref]

Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service.

Rationale:

This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80855-0

References:  - 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010151, 1.4.3, SV-230236r743928_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-service_file="/usr/lib/systemd/system/rescue.service"
+service_file="/usr/lib/systemd/system/emergency.service"
+
+
+sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency"
 
-sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue"
 
 if grep "^ExecStart=.*" "$service_file" ; then
     sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
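Review bot: the Shell remediation (`service_file="/usr/lib/systemd/system/emergency.service"`) and the Ansible `lineinfile` above it (`dest: /usr/lib/systemd/system/emergency.service`) both edit the vendor unit under `/usr/lib`, which the next systemd package update overwrites, silently undoing the control. A drop-in such as `/etc/systemd/system/emergency.service.d/override.conf` containing an empty `ExecStart=` followed by `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency` survives updates; the same applies to the rescue.service remediation later in this file.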
@@ -19308,7 +19281,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Require single user mode password
+

Rule   + Require Authentication for Single User Mode +   [ref]

Single-user mode is intended as a system recovery +method, providing a single user root access to the system by +providing a boot option at startup. +

+By default, single-user mode is protected by requiring a password and is set +in /usr/lib/systemd/system/rescue.service.

Rationale:

This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80855-0

References:  + 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010151, 1.4.3, SV-230236r743928_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Require single user mode password
   lineinfile:
     create: true
     dest: /usr/lib/systemd/system/rescue.service
@@ -19329,6 +19313,22 @@
   - no_reboot_needed
   - require_singleuser_auth
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+service_file="/usr/lib/systemd/system/rescue.service"
+
+sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue"
+
+if grep "^ExecStart=.*" "$service_file" ; then
+    sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
+else
+    echo "ExecStart=-$sulogin" >> "$service_file"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Protect Accounts by Restricting Password-Based Login   Group contains 4 groups and 13 rules

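Review bot: `if grep "^ExecStart=.*" "$service_file"` in the rescue remediation lacks `-q`, so every run prints the matched `ExecStart=` line to stdout and the remediation log mixes unit-file contents with status messages; use `grep -q "^ExecStart=" "$service_file"`. The `.*` in the grep pattern is also redundant since the test is only for presence of the key.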
[ref]   @@ -19373,38 +19373,7 @@ Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80954-1

References:  - 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, 8.2.6, SRG-OS-000118-GPOS-00060, RHEL-08-020260, 5.6.1.4, SV-230373r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-var_account_disable_post_pw_expiration='35'
-
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
-else
-    if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd"
-    fi
-    cce="CCE-80954-1"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd"
-    printf '%s\n' "$formatted_output" >> "/etc/default/useradd"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, 8.2.6, SRG-OS-000118-GPOS-00060, RHEL-08-020260, 5.6.1.4, SV-230373r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -19452,6 +19421,37 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+var_account_disable_post_pw_expiration='35'
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
+else
+    if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd"
+    fi
+    cce="CCE-80954-1"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd"
+    printf '%s\n' "$formatted_output" >> "/etc/default/useradd"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Assign Expiration Date to Temporary Accounts   [ref]

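Review bot: the Shell remediation only sets `INACTIVE=35` in `/etc/default/useradd`, which `useradd` copies into the shadow entry of accounts created afterwards; accounts that already exist keep their current inactivity value, so the stated goal ("Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers") is not met for them until `chage --inactive 35` is applied to each existing user as well. The snippet should either say so or also walk existing accounts.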
Temporary accounts are established as part of normal account activation @@ -19517,22 +19517,7 @@ increases the risk of users writing down the password in a convenient location subject to physical compromise.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80647-1

References:  - BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, 8.3.9, SRG-OS-000076-GPOS-00044, RHEL-08-020200, 5.6.1.1, SV-230366r646878_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-var_accounts_maximum_age_login_defs='60'
-
-
-grep -q ^PASS_MAX_DAYS /etc/login.defs && \
-  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]; then
-    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" >> /etc/login.defs
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -19580,6 +19565,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+var_accounts_maximum_age_login_defs='60'
+
+
+grep -q ^PASS_MAX_DAYS /etc/login.defs && \
+  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]; then
+    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" >> /etc/login.defs
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
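Review bot: the `sed` in the moved PASS_MAX_DAYS block is unanchored (`s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g`), so it also rewrites commented-out lines such as `#PASS_MAX_DAYS 99999`, while the `grep -q ^PASS_MAX_DAYS` guard that decides whether to append only looks at uncommented directives; anchoring the substitution with `^` keeps the two checks consistent and makes the `g` flag unnecessary. The `if ! [ $? -eq 0 ]` test does see the status of the whole `grep && sed` chain, so the append fallback correctly runs when the directive is absent.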

Rule   Set Password Minimum Age   [ref]

To specify password minimum age for new accounts, @@ -19597,22 +19597,7 @@ Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80648-9

References:  - 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000075-GPOS-00043, RHEL-08-020190, 5.6.1.2, SV-230365r858727_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-var_accounts_minimum_age_login_defs='1'
-
-
-grep -q ^PASS_MIN_DAYS /etc/login.defs && \
-  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]; then
-    echo "PASS_MIN_DAYS      $var_accounts_minimum_age_login_defs" >> /etc/login.defs
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -19656,6 +19641,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+var_accounts_minimum_age_login_defs='1'
+
+
+grep -q ^PASS_MIN_DAYS /etc/login.defs && \
+  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]; then
+    echo "PASS_MIN_DAYS      $var_accounts_minimum_age_login_defs" >> /etc/login.defs
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
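Review bot: the value `'1'` in the moved block is a hardcoded literal, whereas the Ansible snippet for the same rule promotes the XCCDF value with `set_fact` (`var_accounts_minimum_age_login_defs: !!str 1`); if the tailoring value changes, the two remediations drift apart, so the shell script should be generated from the same variable. The `sed` on the `PASS_MIN_DAYS` line is also unanchored and will touch commented lines containing `PASS_MIN_DAYS`; prefix the pattern with `^` to match the `grep -q ^PASS_MIN_DAYS` guard.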

Rule   Set Password Minimum Length in login.defs   [ref]

To specify password length requirements for new accounts, edit the file @@ -19675,23 +19675,7 @@ must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80652-1

References:  - BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000078-GPOS-00046, RHEL-08-020231, SV-230370r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-var_accounts_password_minlen_login_defs='15'
-
-
-grep -q ^PASS_MIN_LEN /etc/login.defs && \
-sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]
-then
-  echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -19736,6 +19720,22 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+var_accounts_password_minlen_login_defs='15'
+
+
+grep -q ^PASS_MIN_LEN /etc/login.defs && \
+sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]
+then
+  echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
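Review bot: the append fallback `echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs"` depends on bash's builtin `echo` honouring `-e`; under `sh` (dash) the `-e` would be written into /etc/login.defs literally. `printf 'PASS_MIN_LEN\t%s\n' "$var_accounts_password_minlen_login_defs" >> /etc/login.defs` is portable and avoids the issue. Note also that this script separates the key and value with a tab while the PASS_MAX_DAYS and PASS_MIN_DAYS scripts use spaces; either is accepted by login.defs, but a single convention across the three generated scripts would be easier to audit.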

Rule   Set Existing Passwords Maximum Age   [ref]

Configure non-compliant accounts to enforce a 60-day maximum password lifetime @@ -19746,16 +19746,7 @@ passwords, there is the risk that the operating system passwords could be compromised.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82473-0

References:  - CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), 8.3.9, SRG-OS-000076-GPOS-00044, RHEL-08-020210, 5.6.1.1, SV-230367r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-var_accounts_maximum_age_login_defs='60'
-
-
-while IFS= read -r i; do
-    
-    chage -M $var_accounts_maximum_age_login_defs $i
-
-done <   <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow)
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
+            CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), 8.3.9, SRG-OS-000076-GPOS-00044, RHEL-08-020210, 5.6.1.1, SV-230367r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
   set_fact:
     var_accounts_maximum_age_login_defs: !!str 60
   tags:
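Review bot: the added line `+            CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), 8.3.9, ...` repeats the reference list that is still rendered as context under `References:` earlier in the same rule, so unless a corresponding removal is in a hunk not shown here the rendered guide will list these references twice; please confirm the generator emits the list once.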
@@ -19799,6 +19790,15 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+var_accounts_maximum_age_login_defs='60'
+
+
+while IFS= read -r i; do
+    
+    chage -M $var_accounts_maximum_age_login_defs $i
+
+done <   <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow)
 
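Review bot: `chage -M $var_accounts_maximum_age_login_defs $i` leaves both expansions unquoted; quoting them (`chage -M "$var_accounts_maximum_age_login_defs" "$i"`) costs nothing and protects against a malformed or empty username read from /etc/shadow. The awk filter `/^[^:]+:[^!*]/` deliberately skips locked and system accounts (password field starting with `!` or `*`), which matches the rule's scope of accounts that actually have passwords, but that scope is worth stating in the rule text. The `$5 == ""` alternative is needed: with `-v var="60"` the comparison `$5 > var` is numeric for a populated field, so an empty max-age field would otherwise compare as a string and be missed.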

Rule   Set Existing Passwords Minimum Age   [ref]

Configure non-compliant accounts to enforce a 24 hours/1 day minimum password @@ -19809,16 +19809,7 @@ password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82472-2

References:  - CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, RHEL-08-020180, 5.6.1.2, SV-230364r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-var_accounts_minimum_age_login_defs='1'
-
-
-while IFS= read -r i; do
-    
-    chage -m $var_accounts_minimum_age_login_defs $i
-
-done <   <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow)
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
+            CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, RHEL-08-020180, 5.6.1.2, SV-230364r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
   set_fact:
     var_accounts_minimum_age_login_defs: !!str 1
   tags:
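Review bot: the added line `+            CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), ...` duplicates the reference list already rendered as context under `References:` for this rule; if the HTML generator moved the list into a new element, the old rendering should be dropped in the same change so it does not appear twice.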
@@ -19858,6 +19849,15 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+var_accounts_minimum_age_login_defs='1'
+
+
+while IFS= read -r i; do
+    
+    chage -m $var_accounts_minimum_age_login_defs $i
+
+done <   <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow)
 
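Review bot: this remediation only reaches accounts present in /etc/shadow, so on hosts that authenticate through sssd/LDAP the minimum-age policy for directory users is not enforced by it; that limitation should be documented in the rule. As in the maximum-age script, `chage -m $var_accounts_minimum_age_login_defs $i` should quote both expansions, and `done <   <(awk ...)` works but the stray spaces before the process substitution make the redirection easy to misread.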
Group   Verify Proper Storage and Existence of Password Hashes @@ -19912,43 +19912,25 @@ run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80841-0

References:  - 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, 8.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-020331, RHEL-08-020332, 5.4.1, SV-244540r743869_rule, SV-244541r743872_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if [ -f /usr/bin/authselect ]; then
-    if ! authselect check; then
-echo "
-authselect integrity check failed. Remediation aborted!
-This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-It is not recommended to manually edit the PAM files when authselect tool is available.
-In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-exit 1
-fi
-authselect enable-feature without-nullok
-
-authselect apply-changes -b
-else
-    
-if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
-    sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
-fi
-    
-if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
-    sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
-fi
-    
-if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
-    sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
-fi
-    
-if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
-    sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
-fi
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, 8.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-020331, RHEL-08-020332, 5.4.1, SV-244540r743869_rule, SV-244541r743872_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%2
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%2
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
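Review bot: the added MachineConfig writes /etc/pam.d/password-auth and /etc/pam.d/system-auth with `overwrite: true` from a static, URL-encoded authselect output (its header reads "Generated by authselect on Sat Oct 27 14:59:36 2018"), so any lines added to those files by other rules (pam_faillock, pam_pwhistory, pwquality tuning) are silently discarded on every apply; the blob should be regenerated from the current profile and the rule should state that this remediation replaces the whole file. The two `source:` values are byte-identical, which is expected for the sssd profile, but that should be confirmed whenever the blob is regenerated.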
@@ -20076,25 +20058,43 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%2
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%2
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -f /usr/bin/authselect ]; then
+    if ! authselect check; then
+echo "
+authselect integrity check failed. Remediation aborted!
+This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+It is not recommended to manually edit the PAM files when authselect tool is available.
+In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+exit 1
+fi
+authselect enable-feature without-nullok
+
+authselect apply-changes -b
+else
+    
+if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
+    sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
+fi
+    
+if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
+    sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
+fi
+    
+if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
+    sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
+fi
+    
+if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
+    sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
+fi
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure There Are No Accounts With Blank or Null Passwords   [ref]

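Review bot: the fallback branch (the `else` after `if [ -f /usr/bin/authselect ]`) only strips `nullok` from `pam_unix.so` lines whose control field is literally `sufficient` (`'^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b'` and the matching `sed`), so a `pam_unix.so` line that uses `required` or a bracketed control value keeps `nullok` and the rule still fails after remediation, which is exactly the custom-profile case the abort message calls out. Match the control field generically in both the `grep` and the `sed` for the `auth` and `password` lines, and send the `authselect integrity check failed` message to stderr (`>&2`) like the `'Remediation is not applicable'` branch does.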
Check the "/etc/shadow" file for blank passwords with the @@ -20111,20 +20111,7 @@ run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Severity: 
high
Identifiers and References

Identifiers:  CCE-85953-8

References:  - CCI-000366, CM-6(b), CM-6.1(iv), 2.2.2, SRG-OS-000480-GPOS-00227, RHEL-08-010121, 6.2.1, SV-251706r809342_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)
-
-for user_with_empty_pass in "${users_with_empty_pass[@]}"
-do
-    passwd -l $user_with_empty_pass
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Collect users with no password
+            CCI-000366, CM-6(b), CM-6.1(iv), 2.2.2, SRG-OS-000480-GPOS-00227, RHEL-08-010121, 6.2.1, SV-251706r809342_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Collect users with no password
   command: |
     awk -F: '!$2 {print $1}' /etc/shadow
   register: users_nopasswd
@@ -20161,6 +20148,19 @@
   - no_empty_passwords_etc_shadow
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)
+
+for user_with_empty_pass in "${users_with_empty_pass[@]}"
+do
+    passwd -l $user_with_empty_pass
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Restrict Root Logins   Group contains 1 rule

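Review bot: the re-added `readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)` calls `sudo` even though the remediation already runs as root and every other script in this diff reads `/etc/shadow` and runs `passwd -l` directly; on an image without `sudo`, or with a policy that prompts, the `awk` fails, the array is empty, nothing is locked, and the script still exits 0. Drop `sudo` and quote the loop variable: `passwd -l "$user_with_empty_pass"`.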
[ref]   @@ -20197,8 +20197,7 @@ sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80649-7

References:  - 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.5, 8.2.1, SRG-OS-000480-GPOS-00227, RHEL-08-040200, 6.2.8, SV-230534r627750_rule

Remediation Shell script:   (show)

awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all /etc/passwd file entries
+            1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.5, 8.2.1, SRG-OS-000480-GPOS-00227, RHEL-08-040200, 6.2.8, SV-230534r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all /etc/passwd file entries
   getent:
     database: passwd
     split: ':'
@@ -20240,6 +20239,7 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l
 

Rule   Ensure All Accounts on the System Have Unique User IDs   [ref]

Change user IDs (UIDs), or delete accounts, so each has a unique name.

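Review bot: the moved one-liner `awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l` only locks the password of any extra UID 0 account; the UID stays 0, so the same `$3 == 0` test that selects the account will still find it afterwards and the rule keeps failing. Either change the UID or remove the account, and if locking is the intended partial remediation, say so in the rule text.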
Warning:  @@ -20303,26 +20303,7 @@ A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-81036-6

References:  - BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q bash; then
-
-var_accounts_user_umask='077'
-
-
-
-
-
-
-grep -q "^\s*umask" /etc/bashrc && \
-  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bashrc
-if ! [ $? -eq 0 ]; then
-    echo "umask $var_accounts_user_umask" >> /etc/bashrc
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20402,6 +20383,25 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q bash; then
+
+var_accounts_user_umask='077'
+
+
+
+
+
+
+grep -q "^\s*umask" /etc/bashrc && \
+  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bashrc
+if ! [ $? -eq 0 ]; then
+    echo "umask $var_accounts_user_umask" >> /etc/bashrc
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure the Default C Shell Umask is Set Correctly   [ref]

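Review bot: the six empty lines between `var_accounts_user_umask='077'` and `grep -q "^\s*umask" /etc/bashrc` are template residue (the csh and /etc/profile variants carry the same gap); collapsing them would make the script read as one unit. Worth a comment in the script: `grep -q ... && sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g"` rewrites every `umask` line in `/etc/bashrc`, so any per-branch values the file sets conditionally all become `umask 077`.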
To ensure the default umask for users of the C shell is set properly, @@ -20410,16 +20410,7 @@ A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-81037-4

References:  - 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, SV-230385r792902_rule

Remediation Shell script:   (show)


-var_accounts_user_umask='077'
-
-
-grep -q "^\s*umask" /etc/csh.cshrc && \
-  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc
-if ! [ $? -eq 0 ]; then
-    echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_user_umask # promote to variable
   set_fact:
     var_accounts_user_umask: !!str 077
   tags:
@@ -20480,6 +20471,15 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)


+var_accounts_user_umask='077'
+
+
+grep -q "^\s*umask" /etc/csh.cshrc && \
+  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc
+if ! [ $? -eq 0 ]; then
+    echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
+fi
 

Rule   Ensure the Default Umask is Set Correctly in login.defs   [ref]

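Review bot: unlike the `/etc/bashrc` and `/etc/login.defs` variants, this script has no applicability guard (no `rpm --quiet -q ...` check), so on a host without tcsh the `grep -q "^\s*umask" /etc/csh.cshrc` fails on the missing file and `echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc` creates a stray one-line file. Wrap it in `if rpm --quiet -q tcsh; then ... fi` (tcsh owns `/etc/csh.cshrc` on RHEL 8) with the same `'Remediation is not applicable'` else-branch the other scripts use.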
To ensure the default umask controlled by /etc/login.defs is set properly, @@ -20488,38 +20488,7 @@ A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82888-9

References:  - BP28(R35), 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, RHEL-08-020351, 5.6.5, SV-230383r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-var_accounts_user_umask='077'
-
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
-else
-    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
-    fi
-    cce="CCE-82888-9"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
-    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20599,6 +20568,37 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+var_accounts_user_umask='077'
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+else
+    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
+    fi
+    cce="CCE-82888-9"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
+    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure the Default Umask is Set Correctly in /etc/profile   [ref]

To ensure the default umask controlled by /etc/profile is set properly, @@ -20611,20 +20611,7 @@ A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-81035-8

References:  - BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-var_accounts_user_umask='077'
-
-
-readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local')
-
-for file in "${profile_files[@]}" /etc/profile; do
-  grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file"
-done
-
-if ! grep -qrE '^[^#]*umask' /etc/profile*; then
-  echo "umask $var_accounts_user_umask" >> /etc/profile
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_user_umask # promote to variable
   set_fact:
     var_accounts_user_umask: !!str 077
   tags:
@@ -20711,6 +20698,19 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+var_accounts_user_umask='077'
+
+
+readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local')
+
+for file in "${profile_files[@]}" /etc/profile; do
+  grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file"
+done
+
+if ! grep -qrE '^[^#]*umask' /etc/profile*; then
+  echo "umask $var_accounts_user_umask" >> /etc/profile
+fi
 

Rule   Ensure the Default Umask is Set Correctly For Interactive Users   [ref]

Remove the UMASK environment variable from all interactive users initialization files.

Rationale:

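Review bot: the detection and the rewrite use different patterns: `grep -qE '^[^#]*umask' "$file"` accepts `umask` anywhere on an uncommented line, while `sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g"` only rewrites lines that begin with `umask`. A line of the form `[ "$UID" -gt 199 ] && umask 002` (hypothetical example) satisfies both the per-file grep and the final `if ! grep -qrE '^[^#]*umask' /etc/profile*` guard, so its value is never changed and nothing is appended, and the rule still fails. Make the `sed` match `umask` mid-line, or have the final guard check for a line the `sed` can actually rewrite.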
The umask controls the default access mode assigned to newly created files. A @@ -20720,15 +20720,7 @@ applies to the globally configured system defaults and the local interactive user defaults for each account on the system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84044-7

References:  - CCI-000366, CCI-001814, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228, RHEL-08-020352, SV-230384r858732_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-while IFS= read -r dir; do
-    while IFS= read -r -d '' file; do
-        if [ "$(basename $file)" != ".bash_history" ]; then
-            sed -i 's/^\(\s*umask\s*\)/#\1/g' "$file"
-        fi
-    done <   <(find $dir -maxdepth 1 -type f -name ".*" -print0)
-done <   <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd)
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure interactive local users are the owners of their respective initialization
+            CCI-000366, CCI-001814, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228, RHEL-08-020352, SV-230384r858732_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure interactive local users are the owners of their respective initialization
     files
   ansible.builtin.shell:
     cmd: |-
@@ -20748,6 +20740,14 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+while IFS= read -r dir; do
+    while IFS= read -r -d '' file; do
+        if [ "$(basename $file)" != ".bash_history" ]; then
+            sed -i 's/^\(\s*umask\s*\)/#\1/g' "$file"
+        fi
+    done <   <(find $dir -maxdepth 1 -type f -name ".*" -print0)
+done <   <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd)
 

Rule   Ensure Home Directories are Created for New Users   [ref]

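Review bot: `$dir` and `$file` are unquoted in `find $dir -maxdepth 1 -type f -name ".*" -print0` and `basename $file`, so a home path containing whitespace splits into several `find` arguments, and the script emits `find` errors for every UID >= 1000 entry whose home directory does not exist (the awk filter keeps service accounts with placeholder homes too). Quote both variables and skip entries for which `[ -d "$dir" ]` fails. Also worth stating in the description: `sed -i 's/^\(\s*umask\s*\)/#\1/g'` comments out every `umask` line in the dotfiles, including an explicit `umask 077`.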
All local interactive user accounts, upon creation, should be assigned a home directory. @@ -20758,37 +20758,7 @@

CREATE_HOME yes

Rationale:

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83789-8

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010760, SV-230324r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-if [ -e "/etc/login.defs" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs"
-else
-    touch "/etc/login.defs"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/login.defs"
-
-cp "/etc/login.defs" "/etc/login.defs.bak"
-# Insert before the line matching the regex '^\s*CREATE_HOME'.
-line_number="$(LC_ALL=C grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^\s*CREATE_HOME', insert at
-    # the end of the file.
-    printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs"
-else
-    head -n "$(( line_number - 1 ))" "/etc/login.defs.bak" > "/etc/login.defs"
-    printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs"
-    tail -n "+$(( line_number ))" "/etc/login.defs.bak" >> "/etc/login.defs"
-fi
-# Clean up after ourselves.
-rm "/etc/login.defs.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010760, SV-230324r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20839,45 +20809,44 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure the Logon Failure Delay is Set Correctly in login.defs -   [ref]

To ensure the logon failure delay controlled by /etc/login.defs is set properly, -add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: -

FAIL_DELAY 4

Rationale:

Increasing the time between a failed authentication attempt and re-prompting to -enter credentials helps to slow a single-threaded brute force attack.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-84037-1

References:  - 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00226, RHEL-08-020310, SV-230378r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q shadow-utils; then
 
-var_accounts_fail_delay='4'
-
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^FAIL_DELAY")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_fail_delay"
+if [ -e "/etc/login.defs" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs"
+else
+    touch "/etc/login.defs"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/login.defs"
 
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+cp "/etc/login.defs" "/etc/login.defs.bak"
+# Insert before the line matching the regex '^\s*CREATE_HOME'.
+line_number="$(LC_ALL=C grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+    # There was no match of '^\s*CREATE_HOME', insert at
+    # the end of the file.
+    printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs"
 else
-    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
-    fi
-    cce="CCE-84037-1"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
-    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
+    head -n "$(( line_number - 1 ))" "/etc/login.defs.bak" > "/etc/login.defs"
+    printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs"
+    tail -n "+$(( line_number ))" "/etc/login.defs.bak" >> "/etc/login.defs"
 fi
+# Clean up after ourselves.
+rm "/etc/login.defs.bak"
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure the Logon Failure Delay is Set Correctly in login.defs +   [ref]

To ensure the logon failure delay controlled by /etc/login.defs is set properly, +add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: +

FAIL_DELAY 4

Rationale:

Increasing the time between a failed authentication attempt and re-prompting to +enter credentials helps to slow a single-threaded brute force attack.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-84037-1

References:  + 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00226, RHEL-08-020310, SV-230378r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
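Review bot: in the `+` CREATE_HOME block, `LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs"` first deletes every `CREATE_HOME` line that carries a value, so the later `grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak"` can only match a bare `CREATE_HOME` with nothing after it; in practice `line_number` is empty, the `head`/`tail` insert-before branch is dead code, and the setting always lands at the end of the file. Either drop the delete and let the insert-before branch replace the line in place (keeping the comment `# Insert before the line matching ...` truthful), or drop the branch and keep the plain append.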
@@ -20915,6 +20884,37 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q shadow-utils; then
+
+var_accounts_fail_delay='4'
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^FAIL_DELAY")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_fail_delay"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+else
+    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
+    fi
+    cce="CCE-84037-1"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
+    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Limit the Number of Concurrent Login Sessions Allowed Per User   [ref]

Limiting the number of allowed users and sessions per user can limit risks related to Denial of @@ -20926,24 +20926,7 @@ problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80955-8

References:  - 14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008, RHEL-08-020024, SV-230346r877399_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-var_accounts_max_concurrent_login_sessions='10'
-
-
-if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
-	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
-elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
-	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
-else
-	echo "*	hard	maxlogins	$var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008, RHEL-08-020024, SV-230346r877399_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -21031,6 +21014,23 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+var_accounts_max_concurrent_login_sessions='10'
+
+
+if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
+	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
+elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
+	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
+else
+	echo "*	hard	maxlogins	$var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   User Initialization Files Must Not Run World-Writable Programs   [ref]

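Review bot: both `sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/"` commands rewrite every uncommented `maxlogins` line regardless of domain or type, so a stricter per-user or per-group entry (for example `alice hard maxlogins 2`) is raised to 10 and `soft` entries are rewritten too, while the fallback `echo` only ever writes a `* hard` line. Restrict the substitution to `* hard` entries, or append the `* hard` line whenever no such entry exists, so tighter limits survive. The `grep -q ... /etc/security/limits.d/*.conf` also errors when the glob matches nothing, but the `elif` then takes over, so that part is harmless.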
Set the mode on files being executed by the user initialization files with the @@ -21078,14 +21078,7 @@ /tmp or /.

Rationale:

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84036-3

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010720, SV-230320r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
-    # This follows the same logic of evaluation of home directories as used in OVAL.
-    if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then
-        sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
-    fi
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010720, SV-230320r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
   ansible.builtin.getent:
     database: passwd
     split: ':'
@@ -21131,6 +21124,13 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
+    # This follows the same logic of evaluation of home directories as used in OVAL.
+    if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then
+        sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
+    fi
+done
 

Rule   All Interactive Users Home Directories Must Exist   [ref]

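Review bot: the condition `if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then` cannot work as written: `grep -q` prints nothing, so `cut` and the final `grep` see empty input, the final `grep` always exits 1, and the negated condition is true for every user. The `sed` therefore rewrites the home field of every UID >= 1000 account to `/home/$user`, including accounts whose home was valid but elsewhere. Drop `-q`, anchor the match (`grep "^$user:"`) so `bob` does not also match `bobby`, and run the `sed` only when the extracted sixth field is genuinely empty or invalid.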
Create home directories to all local interactive users that currently do not @@ -21142,11 +21142,7 @@ able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83424-2

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, 6.2.9, SV-230323r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do
-    mkhomedir_helper $user 0077;
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, 6.2.9, SV-230323r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
   ansible.builtin.getent:
     database: passwd
     split: ':'
@@ -21190,6 +21186,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do
+    mkhomedir_helper $user 0077;
+done
 

Rule   All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group   [ref]

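Review bot: `mkhomedir_helper $user 0077` runs for every UID >= 1000 account with no check that the home directory is actually missing and no shell filter, so nologin service accounts in that range also receive a skeleton home. The description says "local interactive users", so filter on an interactive shell or on `[ ! -d "$(getent passwd "$user" | cut -d: -f6)" ]` first, and quote `$user`.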
Change the group of a local interactive users files and directories to a @@ -21204,16 +21204,7 @@ of folders or files in their respective home directories.

Rationale:

If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86534-5

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010741, SV-244532r743845_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
-    home_dir=$(getent passwd $user | cut -d: -f6)
-    group=$(getent passwd $user | cut -d: -f4)
-    # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
-    # when the group is already defined as expected, therefore not impacting in possible integrity
-    # check systems that also check inodes timestamps.
-    find $home_dir -not -group $group -exec chgrp -f $group {} \;
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010741, SV-244532r743845_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
   ansible.builtin.getent:
     database: passwd
     split: ':'
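Review bot: in `find $home_dir -not -group $group -exec chgrp -f $group {} \;` both `$home_dir` and `$group` are unquoted, and `getent passwd $user` is run twice per user to read two fields that a single `IFS=: read -r` could supply; `-exec chgrp -f "$group" {} +` would also batch the mismatched files instead of forking one chgrp per file. The loop is unchanged by this commit (it reappears after the Ansible snippet in the next hunk), so this is a note for the upstream script rather than this publish.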
@@ -21275,6 +21266,15 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
+    home_dir=$(getent passwd $user | cut -d: -f6)
+    group=$(getent passwd $user | cut -d: -f4)
+    # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
+    # when the group is already defined as expected, therefore not impacting in possible integrity
+    # check systems that also check inodes timestamps.
+    find $home_dir -not -group $group -exec chgrp -f $group {} \;
+done
 

Rule   All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive   [ref]

Set the mode on files and directories in the local interactive user home @@ -21283,14 +21283,7 @@ Files that begin with a "." are excluded from this requirement.

Rationale:

If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85888-6

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010731, SV-244531r743842_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
-    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
-    # the permission is already defined as expected, therefore not impacting in possible integrity
-    # check systems that also check inodes timestamps.
-    find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010731, SV-244531r743842_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
   ansible.builtin.getent:
     database: passwd
     split: ':'
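Review bot: the rule text says files beginning with "." are excluded, but `find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;` carries no `-not -name '.*'` (or equivalent) filter, so dotfiles and dot-directories are tightened too; either the description or the remediation should say so. Separately, the `-perm /7027` mask includes the sticky bit (1000) while the chmod never clears it, so a sticky-only file is re-matched and re-chmod'ed on every run, which undercuts the comment's aim of leaving inode timestamps alone (chmod updates ctime even when the resulting mode is unchanged).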
@@ -21353,6 +21346,13 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
+    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
+    # the permission is already defined as expected, therefore not impacting in possible integrity
+    # check systems that also check inodes timestamps.
+    find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
+done
 

Rule   All Interactive User Home Directories Must Be Group-Owned By The Primary Group   [ref]

Change the group owner of interactive users home directory to the @@ -21370,9 +21370,7 @@ access to the users files, and users that share the same group may not be able to access files that they legitimately should.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83434-1

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, 6.2.10, SV-230322r880717_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, 6.2.10, SV-230322r880717_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
   ansible.builtin.getent:
     database: passwd
     split: ':'
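Review bot: `awk ... system("chgrp -f " $4" "$6)` hands the home-directory field from /etc/passwd to a shell unquoted, so a path containing whitespace or shell metacharacters is word-split or interpreted, and because `-f` suppresses errors the failure is silent. /etc/passwd is root-owned, so this is a robustness rather than a privilege problem, but the sibling rules in this patch already use a bash loop over `getent` output that can be quoted cleanly; the one-liner should be brought in line with them.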
@@ -21434,6 +21432,8 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd
 

Rule   Ensure All User Initialization Files Have Mode 0740 Or Less Permissive   [ref]

Set the mode of the user initialization files to 0740 with the @@ -21442,28 +21442,7 @@ upon logon. Malicious modification of these files could compromise accounts upon logon.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84043-9

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010770, SV-230325r917879_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-var_user_initialization_files_regex='^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$'
-
-
-readarray -t interactive_users < <(awk -F: '$3>=1000   {print $1}' /etc/passwd)
-readarray -t interactive_users_home < <(awk -F: '$3>=1000   {print $6}' /etc/passwd)
-readarray -t interactive_users_shell < <(awk -F: '$3>=1000   {print $7}' /etc/passwd)
-
-USERS_IGNORED_REGEX='nobody|nfsnobody'
-
-for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
-    if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
-        [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
-        
-        readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \
-            -exec basename {} \; | grep -P "$var_user_initialization_files_regex")
-        for file in "${init_files[@]}"; do
-            chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file"
-        done
-    fi
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_user_initialization_files_regex # promote to variable
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010770, SV-230325r917879_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_user_initialization_files_regex # promote to variable
   set_fact:
     var_user_initialization_files_regex: !!str ^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$
   tags:
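Review bot: `USERS_IGNORED_REGEX='nobody|nfsnobody'` is applied with `grep -qP` unanchored against the username, so any account whose name merely contains "nobody" is skipped; anchor it (`^(nobody|nfsnobody)$`) or, as the other rules in this patch do, drop UID 65534 in the awk filter. The three separate `readarray` passes over /etc/passwd (name, home, shell) also assume the file does not change between reads; one awk pass emitting all three fields per line would remove that assumption and the index-based coupling of the arrays.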
@@ -21522,6 +21501,27 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+var_user_initialization_files_regex='^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$'
+
+
+readarray -t interactive_users < <(awk -F: '$3>=1000   {print $1}' /etc/passwd)
+readarray -t interactive_users_home < <(awk -F: '$3>=1000   {print $6}' /etc/passwd)
+readarray -t interactive_users_shell < <(awk -F: '$3>=1000   {print $7}' /etc/passwd)
+
+USERS_IGNORED_REGEX='nobody|nfsnobody'
+
+for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
+    if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
+        [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
+        
+        readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \
+            -exec basename {} \; | grep -P "$var_user_initialization_files_regex")
+        for file in "${init_files[@]}"; do
+            chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file"
+        done
+    fi
+done
 

Rule   All Interactive User Home Directories Must Have mode 0750 Or Less Permissive   [ref]

Change the mode of interactive users home directories to 0750. To @@ -21530,14 +21530,7 @@

$ sudo chmod 0750 /home/USER

Rationale:

Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84038-9

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010730, 6.2.11, SV-230321r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

-for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
-    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
-    # the permission is already defined as expected, therefore not impacting in possible integrity
-    # check systems that also check inodes timestamps.
-    find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010730, 6.2.11, SV-230321r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Get all local users from /etc/passwd
   ansible.builtin.getent:
     database: passwd
     split: ':'
@@ -21600,6 +21593,13 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

+for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
+    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
+    # the permission is already defined as expected, therefore not impacting in possible integrity
+    # check systems that also check inodes timestamps.
+    find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
+done
 

Rule   Enable authselect   [ref]

Configure user authentication setup to use the authselect tool. @@ -21615,20 +21615,7 @@ That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-88248-0

References:  - BP28(R31), CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, 1.2.3

Remediation Shell script:   (show)


-var_authselect_profile='sssd'
-
-
-authselect select "$var_authselect_profile"
-
-if test "$?" -ne 0; then
-    if rpm --quiet --verify pam; then
-        authselect select --force "$var_authselect_profile"
-    else
-	echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2
-    fi
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: XCCDF Value var_authselect_profile # promote to variable
+            BP28(R31), CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, 1.2.3

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: XCCDF Value var_authselect_profile # promote to variable
   set_fact:
     var_authselect_profile: !!str sssd
   tags:
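Review bot: the shell remediation block is missing the Complexity/Disruption/Reboot/Strategy metadata that every other shell snippet in this patch and the Ansible snippet right below it (`Disruption:medium`, `Strategy:configure`) carry; the rendered guide should show it for both forms. On the logic, the `--force` fallback is guarded only by `rpm --quiet --verify pam`, but `authselect select --force` also rewrites files that authselect manages and the pam package does not own, such as /etc/nsswitch.conf, so local edits there are overwritten without the warning the else branch prints for altered PAM files.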
@@ -21698,6 +21685,19 @@
   - medium_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)


+var_authselect_profile='sssd'
+
+
+authselect select "$var_authselect_profile"
+
+if test "$?" -ne 0; then
+    if rpm --quiet --verify pam; then
+        authselect select --force "$var_authselect_profile"
+    else
+	echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2
+    fi
+fi
 
Group   System Accounting with auditd   Group contains 10 groups and 86 rules

[ref]   @@ -21852,334 +21852,7 @@ can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80685-1

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
-
-# First perform the remediation of the syscall rule
-# Retrieve hardware architecture of the underlying system
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-
-for ARCH in "${RULE_ARCHS[@]}"
-do
-	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS=""
-	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="chmod"
-	KEY="perm_mod"
-	SYSCALL_GROUPING="chmod fchmod fchmodat"
-
-	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-	unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
-
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
-
-# If audit tool is 'augenrules', then check if the audit rule is defined
-# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
-# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
-default_file="/etc/audit/rules.d/$KEY.rules"
-# As other_filters may include paths, lets use a different delimiter for it
-# The "F" script expression tells sed to print the filenames where the expressions matched
-readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
-# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
-if [ ${#files_to_inspect[@]} -eq "0" ]
-then
-    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
-    files_to_inspect=("$file_to_inspect")
-    if [ ! -e "$file_to_inspect" ]
-    then
-        touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
-    fi
-fi
-
-# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
-skip=1
-
-for audit_file in "${files_to_inspect[@]}"
-do
-    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
-    # i.e, collect rules that match:
-    # * the action, list and arch, (2-nd argument)
-    # * the other filters, (3-rd argument)
-    # * the auid filters, (4-rd argument)
-    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
-
-    candidate_rules=()
-    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
-    for s_rule in "${similar_rules[@]}"
-    do
-        # Strip all the options and fields we know of,
-        # than check if there was any field left over
-        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
-        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
-    done
-
-    if [[ ${#syscall_a[@]} -ge 1 ]]
-    then
-        # Check if the syscall we want is present in any of the similar existing rules
-        for rule in "${candidate_rules[@]}"
-        do
-            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
-            all_syscalls_found=0
-            for syscall in "${syscall_a[@]}"
-            do
-                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
-                   # A syscall was not found in the candidate rule
-                   all_syscalls_found=1
-                   }
-            done
-            if [[ $all_syscalls_found -eq 0 ]]
-            then
-                # We found a rule with all the syscall(s) we want; skip rest of macro
-                skip=0
-                break
-            fi
-
-            # Check if this rule can be grouped with our target syscall and keep track of it
-            for syscall_g in "${syscall_grouping[@]}"
-            do
-                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
-                then
-                    file_to_edit=${audit_file}
-                    rule_to_edit=${rule}
-                    rule_syscalls_to_edit=${rule_syscalls}
-                fi
-            done
-        done
-    else
-        # If there is any candidate rule, it is compliant; skip rest of macro
-        if [ "${#candidate_rules[@]}" -gt 0 ]
-        then
-            skip=0
-        fi
-    fi
-
-    if [ "$skip" -eq 0 ]; then
-        break
-    fi
-done
-
-if [ "$skip" -ne 0 ]; then
-    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
-    # At this point we know if we need to either append the $full_rule or group
-    # the syscall together with an exsiting rule
-
-    # Append the full_rule if it cannot be grouped to any other rule
-    if [ -z ${rule_to_edit+x} ]
-    then
-        # Build full_rule while avoid adding double spaces when other_filters is empty
-        if [ "${#syscall_a[@]}" -gt 0 ]
-        then
-            syscall_string=""
-            for syscall in "${syscall_a[@]}"
-            do
-                syscall_string+=" -S $syscall"
-            done
-        fi
-        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
-        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
-        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
-        echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
-    else
-        # Check if the syscalls are declared as a comma separated list or
-        # as multiple -S parameters
-        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
-        then
-            delimiter=","
-        else
-            delimiter=" -S "
-        fi
-        new_grouped_syscalls="${rule_syscalls_to_edit}"
-        for syscall in "${syscall_a[@]}"
-        do
-            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
-               # A syscall was not found in the candidate rule
-               new_grouped_syscalls+="${delimiter}${syscall}"
-               }
-        done
-
-        # Group the syscall in the rule
-        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
-    fi
-fi
-	unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
-
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
-
-
-# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
-# file to the list of files to be inspected
-default_file="/etc/audit/audit.rules"
-files_to_inspect+=('/etc/audit/audit.rules' )
-
-# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
-skip=1
-
-for audit_file in "${files_to_inspect[@]}"
-do
-    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
-    # i.e, collect rules that match:
-    # * the action, list and arch, (2-nd argument)
-    # * the other filters, (3-rd argument)
-    # * the auid filters, (4-rd argument)
-    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
-
-    candidate_rules=()
-    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
-    for s_rule in "${similar_rules[@]}"
-    do
-        # Strip all the options and fields we know of,
-        # than check if there was any field left over
-        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
-        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
-    done
-
-    if [[ ${#syscall_a[@]} -ge 1 ]]
-    then
-        # Check if the syscall we want is present in any of the similar existing rules
-        for rule in "${candidate_rules[@]}"
-        do
-            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
-            all_syscalls_found=0
-            for syscall in "${syscall_a[@]}"
-            do
-                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
-                   # A syscall was not found in the candidate rule
-                   all_syscalls_found=1
-                   }
-            done
-            if [[ $all_syscalls_found -eq 0 ]]
-            then
-                # We found a rule with all the syscall(s) we want; skip rest of macro
-                skip=0
-                break
-            fi
-
-            # Check if this rule can be grouped with our target syscall and keep track of it
-            for syscall_g in "${syscall_grouping[@]}"
-            do
-                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
-                then
-                    file_to_edit=${audit_file}
-                    rule_to_edit=${rule}
-                    rule_syscalls_to_edit=${rule_syscalls}
-                fi
-            done
-        done
-    else
-        # If there is any candidate rule, it is compliant; skip rest of macro
-        if [ "${#candidate_rules[@]}" -gt 0 ]
-        then
-            skip=0
-        fi
-    fi
-
-    if [ "$skip" -eq 0 ]; then
-        break
-    fi
-done
-
-if [ "$skip" -ne 0 ]; then
-    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
-    # At this point we know if we need to either append the $full_rule or group
-    # the syscall together with an exsiting rule
-
-    # Append the full_rule if it cannot be grouped to any other rule
-    if [ -z ${rule_to_edit+x} ]
-    then
-        # Build full_rule while avoid adding double spaces when other_filters is empty
-        if [ "${#syscall_a[@]}" -gt 0 ]
-        then
-            syscall_string=""
-            for syscall in "${syscall_a[@]}"
-            do
-                syscall_string+=" -S $syscall"
-            done
-        fi
-        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
-        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
-        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
-        echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
-    else
-        # Check if the syscalls are declared as a comma separated list or
-        # as multiple -S parameters
-        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
-        then
-            delimiter=","
-        else
-            delimiter=" -S "
-        fi
-        new_grouped_syscalls="${rule_syscalls_to_edit}"
-        for syscall in "${syscall_a[@]}"
-        do
-            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
-               # A syscall was not found in the candidate rule
-               new_grouped_syscalls+="${delimiter}${syscall}"
-               }
-        done
-
-        # Group the syscall in the rule
-        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
-    fi
-fi
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+            BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
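Review bot: this 334-line removal is a diff-alignment artifact rather than a content change: the chmod rule's shell remediation is dropped here, the hunk at 22555 rewrites the textually identical chown script's `SYSCALL`/`SYSCALL_GROUPING` to chmod, and the chown rule is re-added further down, so the only real change is that the shell script now follows the Ansible snippet. Within the script, both the augenrules pass (`/etc/audit/rules.d/$KEY.rules`) and the auditctl pass (`/etc/audit/audit.rules`) run unconditionally instead of detecting which loader auditd is configured with, so on an augenrules system the line appended to audit.rules is regenerated from rules.d on the next load; the comments also carry typos worth fixing upstream ("more fields then required", "than check if", "exsiting", "4-rd argument").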
@@ -22519,31 +22192,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - chown -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80686-9

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
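Review bot: the unchanged context line `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then` gives no reason for skipping aarch64, and the `# Remediation is applicable only in certain platforms` comment above it does not say which platforms or why. The reason is that the aarch64 syscall table has no `chown` or `chmod` entries (only the `fchown`, `fchownat`, `fchmod` and `fchmodat` forms exist there), so an `-S chown` or `-S chmod` rule cannot be loaded on that architecture. Please state that in the comment, so a later edit does not drop the guard as a stray platform quirk.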
@@ -22555,9 +22204,9 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="chown"
+	SYSCALL="chmod"
 	KEY="perm_mod"
-	SYSCALL_GROUPING="chown fchown fchownat lchown"
+	SYSCALL_GROUPING="chmod fchmod fchmodat"
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
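Review bot: `KEY="perm_mod"` stays the same while `SYSCALL` flips from `chown` to `chmod` and `SYSCALL_GROUPING` from `chown fchown fchownat lchown` to `chmod fchmod fchmodat`. Because both syscall families share one key, the grouping step that follows (`# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'`) must pick the existing `-a always,exit` line to extend by matching on the grouping list, not on `-F key=perm_mod` alone; otherwise a `chmod` rule can be appended to a line that already lists `chown fchown fchownat lchown`, which the kernel accepts but which differs from the layout the rule text documents. A test that applies the chown and chmod remediations in sequence and checks the resulting rule lines would pin this down.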
@@ -22870,7 +22519,31 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - chown +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80686-9

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -23214,32 +22887,8 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - fchmod -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80687-7

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
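Review bot: the added condition `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then` detects the architecture by grepping the kernel release string, which only works because RHEL kernel packages append the architecture to `osrelease` (a string ending in `.el8.aarch64`, for example). On a kernel built without that suffix the guard silently passes and the script goes on to emit a rule for a syscall the architecture does not have. `uname -m` reports the architecture directly and would be the more robust test here.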
@@ -23250,9 +22899,9 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="fchmod"
+	SYSCALL="chown"
 	KEY="perm_mod"
-	SYSCALL_GROUPING="chmod fchmod fchmodat"
+	SYSCALL_GROUPING="chown fchown fchownat lchown"
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
@@ -23565,7 +23214,31 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - fchmod +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80687-7

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
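Review bot: the `+` block here re-adds the fchmod rule (`CCE-80687-7`, `RHEL-08-030490`, `SV-230456r810462_rule`) with text identical to the `-` block of the preceding hunk, and the chown, fchmodat, fchown and fchownat sections in this file follow the same pattern: each hunk pairs a removed rule section with the same section added a few hundred lines away. This automated publish is therefore diffing a reordering, not a content change. If the generator iterated rules in a deterministic order (sorted by rule id, or in profile order), republishing unchanged content would produce an empty diff and real changes would stay reviewable.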
@@ -23902,31 +23575,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - fchmodat -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80688-5

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
@@ -23938,7 +23587,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="fchmodat"
+	SYSCALL="fchmod"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="chmod fchmod fchmodat"
 
@@ -24253,7 +23902,31 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - fchmodat +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80688-5

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -24590,34 +24263,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - fchown -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80689-3

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
@@ -24629,9 +24275,9 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="fchown"
+	SYSCALL="fchmodat"
 	KEY="perm_mod"
-	SYSCALL_GROUPING="chown fchown fchownat lchown"
+	SYSCALL_GROUPING="chmod fchmod fchmodat"
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
@@ -24944,7 +24590,34 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - fchown +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80689-3

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
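Review bot: the added description `At a minimum, the audit system should collect file permission changes for all users and root.` is carried into the fchown rule unchanged, but `fchown` changes a file's owner and group, not its permission bits; the sentence should say ownership changes, and the rationale paragraph `The changing of file permissions could indicate ...` has the same mismatch (the fchownat section further down repeats both). Separately, `Grouping these system calls with others as identifying earlier in this guide` should read `as identified earlier in this guide`.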
@@ -25285,31 +24958,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - fchownat -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80690-1

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
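Review bot: This hunk is a pure relocation and needs no content change: the rationale, severity, identifier CCE-80690-1 and the full reference list (including RHEL-08-030480 and SV-230455r810459_rule) deleted here are re-added verbatim in the "Record Events that Modify the System's Discretionary Access Controls - fchownat" block further down in this diff. The only thing worth checking in a generated-HTML diff like this is that the CCE and STIG identifiers travel with the rule text, which they do. The lone "+" line and the duplicated "Remediation Shell script: (show)" lines at the end of the hunk are the toggle widget text of the rendered page, not a change in the remediation itself.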
@@ -25321,7 +24970,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="fchownat"
+	SYSCALL="fchown"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="chown fchown fchownat lchown"
 
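Review bot: The single change here, `SYSCALL="fchownat"` to `SYSCALL="fchown"` with `SYSCALL_GROUPING="chown fchown fchownat lchown"` and `KEY="perm_mod"` left as they were, is internally consistent: the new target syscall is a member of the unchanged grouping list, so the remediation macro will merge it into an existing chown-family `-S` rule rather than append a second rule with the same key. Since this hunk reads as two adjacent rule sections swapping places rather than one remediation being retargeted, confirm that the rule heading that owns this remediation (outside the hunk context) is now the fchown rule and not still fchownat.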
@@ -25636,7 +25285,31 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - fchownat +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80690-1

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
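Review bot: The re-added fchownat description lists only one rule per architecture, with `-F auid>=1000 -F auid!=unset`, and no `-F auid=0` companion, whereas the fremovexattr and fsetxattr blocks added in the same diff list both an `auid>=1000` and an `auid=0` rule for each arch. If that asymmetry is the intended upstream definition (root chown events not collected by this rule) there is nothing to do, but the old fchownat description is not visible in this diff, so verify nothing was dropped during the reorder. Separately, the warning text "Grouping these system calls with others as identifying earlier in this guide" should read "as identified earlier"; it is template text repeated in every rule in this section, so fix it at the source rather than in the generated HTML.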
@@ -25977,40 +25650,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - fremovexattr -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80691-9

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
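Review bot: The fremovexattr block removed here (CCE-80691-9, two rules per arch, identical warning and rationale) reappears unchanged later in this diff, so this hunk is again a relocation. One pre-existing inconsistency is visible in the reference list: CCE-80691-9 cites CCI-000130, CCI-000135, CCI-000169, CCI-000172 and CCI-002884 but not CCI-000126, while both neighbouring rules (CCE-80690-1 for fchownat and CCE-80692-7 for fsetxattr) carry CCI-000126 as well. This diff does not change it, but it is worth a follow-up upstream if the omission is unintended, since the three rules otherwise share the same control mappings.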
@@ -26022,328 +25662,9 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="fremovexattr"
+	SYSCALL="fchownat"
 	KEY="perm_mod"
-	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
-
-	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-	unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
-
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
-
-# If audit tool is 'augenrules', then check if the audit rule is defined
-# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
-# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
-default_file="/etc/audit/rules.d/$KEY.rules"
-# As other_filters may include paths, lets use a different delimiter for it
-# The "F" script expression tells sed to print the filenames where the expressions matched
-readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
-# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
-if [ ${#files_to_inspect[@]} -eq "0" ]
-then
-    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
-    files_to_inspect=("$file_to_inspect")
-    if [ ! -e "$file_to_inspect" ]
-    then
-        touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
-    fi
-fi
-
-# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
-skip=1
-
-for audit_file in "${files_to_inspect[@]}"
-do
-    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
-    # i.e, collect rules that match:
-    # * the action, list and arch, (2-nd argument)
-    # * the other filters, (3-rd argument)
-    # * the auid filters, (4-rd argument)
-    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
-
-    candidate_rules=()
-    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
-    for s_rule in "${similar_rules[@]}"
-    do
-        # Strip all the options and fields we know of,
-        # than check if there was any field left over
-        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
-        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
-    done
-
-    if [[ ${#syscall_a[@]} -ge 1 ]]
-    then
-        # Check if the syscall we want is present in any of the similar existing rules
-        for rule in "${candidate_rules[@]}"
-        do
-            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
-            all_syscalls_found=0
-            for syscall in "${syscall_a[@]}"
-            do
-                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
-                   # A syscall was not found in the candidate rule
-                   all_syscalls_found=1
-                   }
-            done
-            if [[ $all_syscalls_found -eq 0 ]]
-            then
-                # We found a rule with all the syscall(s) we want; skip rest of macro
-                skip=0
-                break
-            fi
-
-            # Check if this rule can be grouped with our target syscall and keep track of it
-            for syscall_g in "${syscall_grouping[@]}"
-            do
-                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
-                then
-                    file_to_edit=${audit_file}
-                    rule_to_edit=${rule}
-                    rule_syscalls_to_edit=${rule_syscalls}
-                fi
-            done
-        done
-    else
-        # If there is any candidate rule, it is compliant; skip rest of macro
-        if [ "${#candidate_rules[@]}" -gt 0 ]
-        then
-            skip=0
-        fi
-    fi
-
-    if [ "$skip" -eq 0 ]; then
-        break
-    fi
-done
-
-if [ "$skip" -ne 0 ]; then
-    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
-    # At this point we know if we need to either append the $full_rule or group
-    # the syscall together with an exsiting rule
-
-    # Append the full_rule if it cannot be grouped to any other rule
-    if [ -z ${rule_to_edit+x} ]
-    then
-        # Build full_rule while avoid adding double spaces when other_filters is empty
-        if [ "${#syscall_a[@]}" -gt 0 ]
-        then
-            syscall_string=""
-            for syscall in "${syscall_a[@]}"
-            do
-                syscall_string+=" -S $syscall"
-            done
-        fi
-        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
-        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
-        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
-        echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
-    else
-        # Check if the syscalls are declared as a comma separated list or
-        # as multiple -S parameters
-        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
-        then
-            delimiter=","
-        else
-            delimiter=" -S "
-        fi
-        new_grouped_syscalls="${rule_syscalls_to_edit}"
-        for syscall in "${syscall_a[@]}"
-        do
-            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
-               # A syscall was not found in the candidate rule
-               new_grouped_syscalls+="${delimiter}${syscall}"
-               }
-        done
-
-        # Group the syscall in the rule
-        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
-    fi
-fi
-	unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
-
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
-
-
-# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
-# file to the list of files to be inspected
-default_file="/etc/audit/audit.rules"
-files_to_inspect+=('/etc/audit/audit.rules' )
-
-# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
-skip=1
-
-for audit_file in "${files_to_inspect[@]}"
-do
-    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
-    # i.e, collect rules that match:
-    # * the action, list and arch, (2-nd argument)
-    # * the other filters, (3-rd argument)
-    # * the auid filters, (4-rd argument)
-    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
-
-    candidate_rules=()
-    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
-    for s_rule in "${similar_rules[@]}"
-    do
-        # Strip all the options and fields we know of,
-        # than check if there was any field left over
-        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
-        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
-    done
-
-    if [[ ${#syscall_a[@]} -ge 1 ]]
-    then
-        # Check if the syscall we want is present in any of the similar existing rules
-        for rule in "${candidate_rules[@]}"
-        do
-            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
-            all_syscalls_found=0
-            for syscall in "${syscall_a[@]}"
-            do
-                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
-                   # A syscall was not found in the candidate rule
-                   all_syscalls_found=1
-                   }
-            done
-            if [[ $all_syscalls_found -eq 0 ]]
-            then
-                # We found a rule with all the syscall(s) we want; skip rest of macro
-                skip=0
-                break
-            fi
-
-            # Check if this rule can be grouped with our target syscall and keep track of it
-            for syscall_g in "${syscall_grouping[@]}"
-            do
-                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
-                then
-                    file_to_edit=${audit_file}
-                    rule_to_edit=${rule}
-                    rule_syscalls_to_edit=${rule_syscalls}
-                fi
-            done
-        done
-    else
-        # If there is any candidate rule, it is compliant; skip rest of macro
-        if [ "${#candidate_rules[@]}" -gt 0 ]
-        then
-            skip=0
-        fi
-    fi
-
-    if [ "$skip" -eq 0 ]; then
-        break
-    fi
-done
-
-if [ "$skip" -ne 0 ]; then
-    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
-    # At this point we know if we need to either append the $full_rule or group
-    # the syscall together with an exsiting rule
-
-    # Append the full_rule if it cannot be grouped to any other rule
-    if [ -z ${rule_to_edit+x} ]
-    then
-        # Build full_rule while avoid adding double spaces when other_filters is empty
-        if [ "${#syscall_a[@]}" -gt 0 ]
-        then
-            syscall_string=""
-            for syscall in "${syscall_a[@]}"
-            do
-                syscall_string+=" -S $syscall"
-            done
-        fi
-        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
-        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
-        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
-        echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
-    else
-        # Check if the syscalls are declared as a comma separated list or
-        # as multiple -S parameters
-        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
-        then
-            delimiter=","
-        else
-            delimiter=" -S "
-        fi
-        new_grouped_syscalls="${rule_syscalls_to_edit}"
-        for syscall in "${syscall_a[@]}"
-        do
-            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
-               # A syscall was not found in the candidate rule
-               new_grouped_syscalls+="${delimiter}${syscall}"
-               }
-        done
-
-        # Group the syscall in the rule
-        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
-    fi
-fi
-done
-
-
-
-for ARCH in "${RULE_ARCHS[@]}"
-do
-	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS=""
-	AUID_FILTERS="-F auid=0"
-	SYSCALL="fremovexattr"
-	KEY="perm_mod"
-	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+	SYSCALL_GROUPING="chown fchown fchownat lchown"
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
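Review bot: The retargeting in this hunk is consistent: `SYSCALL="fremovexattr"` becomes `SYSCALL="fchownat"` and, in the same hunk, `SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"` becomes `SYSCALL_GROUPING="chown fchown fchownat lchown"`, so the target syscall stays a member of its grouping list and the macro will fold it into an existing chown-family rule. The deleted span also removes the second `for ARCH in "${RULE_ARCHS[@]}"` loop with `AUID_FILTERS="-F auid=0"`, which is correct for the relocated fchownat remediation because its description lists only `auid>=1000` rules; the fremovexattr remediation that needs the `auid=0` loop is handled in the later hunks. The macro body that follows this hunk as unchanged context ("# Perform the remediation for both possible tools") is the same expansion as the deleted lines, so the comment typos visible in the deletion ("exsiting", "more fields then required", "than check if there was any field left over", "4-rd argument") and the unquoted expansions `read -a syscall_a <<< $SYSCALL` and `chmod o-rwx ${default_file}` presumably persist in the retained copy; they are harmless for these values but should be fixed in the upstream macro, not in generated output.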
@@ -26656,7 +25977,40 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - fremovexattr +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80691-9

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
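Review bot: The re-added fremovexattr block matches the one deleted earlier in this diff line for line (identifier CCE-80691-9, the paired `-F auid>=1000 -F auid!=unset` and `-F auid=0` rules for both b32 and b64, and the reference list ending in RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule), so this is a relocation with no content change. Note for anyone comparing this block with the fchownat one above it: the pairing of rules per arch is expected here, since an audit filter cannot express "auid>=1000 or auid=0" in one rule, and the matching remediation runs its ARCH loop twice, once per AUID filter, as the later hunks in this diff show.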
@@ -27261,35 +26615,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - fsetxattr -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80692-7

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
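Review bot: The fsetxattr block removed here (CCE-80692-7) is re-added verbatim at the end of this diff, so nothing changes in substance. One observation that is visible in this hunk and unchanged by the diff: CCE-80692-7 maps to the same STIG rule, RHEL-08-030200 / SV-230413r810463_rule, as CCE-80691-9 for fremovexattr, so a STIG scanner will report these two guide rules as a single finding; that is consistent with the grouped `-S` rule the remediation produces, but it means a failure in either syscall rule shows up under one STIG id.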
@@ -27301,7 +26627,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="fsetxattr"
+	SYSCALL="fremovexattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
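Review bot: Consistent retargeting: `SYSCALL="fsetxattr"` becomes `SYSCALL="fremovexattr"` while `SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"` and `KEY="perm_mod"` are unchanged, so both the old and the new target are members of the grouping list and the macro will merge either into the same xattr-family rule. This is the `-F auid>=1000 -F auid!=unset` loop; the matching `auid=0` loop follows in the next hunk.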
@@ -27620,7 +26946,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid=0"
-	SYSCALL="fsetxattr"
+	SYSCALL="fremovexattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
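Review bot: Same one-line retargeting as the previous hunk, here in the loop with `AUID_FILTERS="-F auid=0"`, with the xattr grouping list unchanged. Together the two hunks confirm that the relocated fremovexattr remediation keeps both ARCH loops, which is what its description requires since it lists an `auid>=1000` rule and an `auid=0` rule for each architecture.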
@@ -27935,7 +27261,35 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - fsetxattr +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80692-7

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
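Review bot: the rule text added in this hunk says "add the following line" four times but each time two rules follow (the `-F auid>=1000 -F auid!=unset` rule and the `-F auid=0` rule), so it should read "lines"; the rendered `+` markers between them show they are separate lines, not one rule. The Warning also states the system calls "have been placed independent of other system calls", yet the shell remediation for this same rule sets `SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"` and merges the new syscall into an existing `-S` list when one matches, so the description understates what the fix does; say that the remediation groups the xattr syscalls onto one rule where possible.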
@@ -28540,32 +27894,8 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - lchown -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80693-5

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
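Review bot: the removed lchown applicability line guards with `! ( grep -q aarch64 /proc/sys/kernel/osrelease )` and the added fsetxattr line drops that clause; the difference is right (arm64 uses the generic syscall table, which has `fchownat` but no `lchown`, while all six xattr syscalls exist on every architecture), but grepping the kernel release string for the substring `aarch64` is a fragile architecture test: `osrelease` is the `uname -r` value and only contains `aarch64` because the distribution kernel embeds it in the version string, so a rebuilt kernel without that suffix would make the lchown remediation run on arm64 and add a rule for a syscall that does not exist there. `[ "$(uname -m)" != aarch64 ]` tests the machine type directly.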
@@ -28576,9 +27906,328 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="lchown"
+	SYSCALL="fsetxattr"
 	KEY="perm_mod"
-	SYSCALL_GROUPING="chown fchown fchownat lchown"
+	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
+# -----------------------------------------------------------------------------------------
+#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
+# -----------------------------------------------------------------------------------------
+#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
+#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+    files_to_inspect=("$file_to_inspect")
+    if [ ! -e "$file_to_inspect" ]
+    then
+        touch "$file_to_inspect"
+        chmod 0640 "$file_to_inspect"
+    fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+    # i.e, collect rules that match:
+    # * the action, list and arch, (2-nd argument)
+    # * the other filters, (3-rd argument)
+    # * the auid filters, (4-rd argument)
+    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+    candidate_rules=()
+    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+    for s_rule in "${similar_rules[@]}"
+    do
+        # Strip all the options and fields we know of,
+        # than check if there was any field left over
+        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+    done
+
+    if [[ ${#syscall_a[@]} -ge 1 ]]
+    then
+        # Check if the syscall we want is present in any of the similar existing rules
+        for rule in "${candidate_rules[@]}"
+        do
+            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+            all_syscalls_found=0
+            for syscall in "${syscall_a[@]}"
+            do
+                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+                   # A syscall was not found in the candidate rule
+                   all_syscalls_found=1
+                   }
+            done
+            if [[ $all_syscalls_found -eq 0 ]]
+            then
+                # We found a rule with all the syscall(s) we want; skip rest of macro
+                skip=0
+                break
+            fi
+
+            # Check if this rule can be grouped with our target syscall and keep track of it
+            for syscall_g in "${syscall_grouping[@]}"
+            do
+                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+                then
+                    file_to_edit=${audit_file}
+                    rule_to_edit=${rule}
+                    rule_syscalls_to_edit=${rule_syscalls}
+                fi
+            done
+        done
+    else
+        # If there is any candidate rule, it is compliant; skip rest of macro
+        if [ "${#candidate_rules[@]}" -gt 0 ]
+        then
+            skip=0
+        fi
+    fi
+
+    if [ "$skip" -eq 0 ]; then
+        break
+    fi
+done
+
+if [ "$skip" -ne 0 ]; then
+    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+    # At this point we know if we need to either append the $full_rule or group
+    # the syscall together with an exsiting rule
+
+    # Append the full_rule if it cannot be grouped to any other rule
+    if [ -z ${rule_to_edit+x} ]
+    then
+        # Build full_rule while avoid adding double spaces when other_filters is empty
+        if [ "${#syscall_a[@]}" -gt 0 ]
+        then
+            syscall_string=""
+            for syscall in "${syscall_a[@]}"
+            do
+                syscall_string+=" -S $syscall"
+            done
+        fi
+        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+        echo "$full_rule" >> "$default_file"
+        chmod o-rwx ${default_file}
+    else
+        # Check if the syscalls are declared as a comma separated list or
+        # as multiple -S parameters
+        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+        then
+            delimiter=","
+        else
+            delimiter=" -S "
+        fi
+        new_grouped_syscalls="${rule_syscalls_to_edit}"
+        for syscall in "${syscall_a[@]}"
+        do
+            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+               # A syscall was not found in the candidate rule
+               new_grouped_syscalls+="${delimiter}${syscall}"
+               }
+        done
+
+        # Group the syscall in the rule
+        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+    fi
+fi
+	unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
+# -----------------------------------------------------------------------------------------
+#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
+# -----------------------------------------------------------------------------------------
+#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
+#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+    # i.e, collect rules that match:
+    # * the action, list and arch, (2-nd argument)
+    # * the other filters, (3-rd argument)
+    # * the auid filters, (4-rd argument)
+    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+    candidate_rules=()
+    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+    for s_rule in "${similar_rules[@]}"
+    do
+        # Strip all the options and fields we know of,
+        # than check if there was any field left over
+        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+    done
+
+    if [[ ${#syscall_a[@]} -ge 1 ]]
+    then
+        # Check if the syscall we want is present in any of the similar existing rules
+        for rule in "${candidate_rules[@]}"
+        do
+            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+            all_syscalls_found=0
+            for syscall in "${syscall_a[@]}"
+            do
+                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+                   # A syscall was not found in the candidate rule
+                   all_syscalls_found=1
+                   }
+            done
+            if [[ $all_syscalls_found -eq 0 ]]
+            then
+                # We found a rule with all the syscall(s) we want; skip rest of macro
+                skip=0
+                break
+            fi
+
+            # Check if this rule can be grouped with our target syscall and keep track of it
+            for syscall_g in "${syscall_grouping[@]}"
+            do
+                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+                then
+                    file_to_edit=${audit_file}
+                    rule_to_edit=${rule}
+                    rule_syscalls_to_edit=${rule_syscalls}
+                fi
+            done
+        done
+    else
+        # If there is any candidate rule, it is compliant; skip rest of macro
+        if [ "${#candidate_rules[@]}" -gt 0 ]
+        then
+            skip=0
+        fi
+    fi
+
+    if [ "$skip" -eq 0 ]; then
+        break
+    fi
+done
+
+if [ "$skip" -ne 0 ]; then
+    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+    # At this point we know if we need to either append the $full_rule or group
+    # the syscall together with an exsiting rule
+
+    # Append the full_rule if it cannot be grouped to any other rule
+    if [ -z ${rule_to_edit+x} ]
+    then
+        # Build full_rule while avoid adding double spaces when other_filters is empty
+        if [ "${#syscall_a[@]}" -gt 0 ]
+        then
+            syscall_string=""
+            for syscall in "${syscall_a[@]}"
+            do
+                syscall_string+=" -S $syscall"
+            done
+        fi
+        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+        echo "$full_rule" >> "$default_file"
+        chmod o-rwx ${default_file}
+    else
+        # Check if the syscalls are declared as a comma separated list or
+        # as multiple -S parameters
+        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+        then
+            delimiter=","
+        else
+            delimiter=" -S "
+        fi
+        new_grouped_syscalls="${rule_syscalls_to_edit}"
+        for syscall in "${syscall_a[@]}"
+        do
+            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+               # A syscall was not found in the candidate rule
+               new_grouped_syscalls+="${delimiter}${syscall}"
+               }
+        done
+
+        # Group the syscall in the rule
+        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+    fi
+fi
+done
+
+
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS=""
+	AUID_FILTERS="-F auid=0"
+	SYSCALL="fsetxattr"
+	KEY="perm_mod"
+	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
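Review bot: the 320 added lines are the same rule-matching macro body pasted twice per architecture pass (once with `default_file="/etc/audit/rules.d/$KEY.rules"`, once with `default_file="/etc/audit/audit.rules"`), and the whole `for ARCH in "${RULE_ARCHS[@]}"` loop is then repeated with only `AUID_FILTERS` changed from `-F auid>=1000 -F auid!=unset` to `-F auid=0`; a shell function taking the filter set and target file would cut this to a fraction and let the two passes be reviewed side by side. Two smaller points in the body: `full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true` hangs `|| /bin/true` on a plain string assignment that cannot fail (the two command-substitution assignments above it do need it under `set -e`), and `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#"` interpolates the existing rule text as an unescaped regex, so a `.` in a path supplied through a non-empty `OTHER_FILTERS` matches loosely and a `#` in the rule would break the delimiter. Also note the second pass appends to `/etc/audit/audit.rules` unconditionally; under the default augenrules loader that file is regenerated from `rules.d`, so the append is harmless but is not the copy auditd ends up reading.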
@@ -28891,7 +28540,31 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - lchown +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80693-5

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
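Review bot: the lchown rule text re-added here is byte-for-byte the block removed in the `@@ -28540` hunk above (same CCE-80693-5, same RHEL-08-030480 and SV-230455r810459_rule references), which confirms a reorder; the documentation gap it carries over is that the description never says the rule is skipped on aarch64, even though the matching shell remediation (the `+if` line with `! ( grep -q aarch64 /proc/sys/kernel/osrelease )` further down) does nothing there and prints 'Remediation is not applicable'. A one-line platform note in the description, in the same style as the `augenrules`/`auditctl` paragraphs, would keep an arm64 result from reading as an unexplained skip.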
@@ -29235,41 +28908,8 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - lremovexattr -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80694-3

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
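Review bot: the removed lremovexattr references (CCE-80694-3) and the fsetxattr references added in the `@@ -27935` hunk above (CCE-80692-7) both map to RHEL-08-030200 / SV-230413r810463_rule, but their CCI and SRG lists differ: fsetxattr carries CCI-000126 and lremovexattr does not, while lremovexattr carries SRG-APP-000499-CTR-001255 and fsetxattr does not. Since the six xattr rules implement one STIG finding, their reference sets should be identical; the fix belongs in the per-rule references in the source content, not in this rendered HTML.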
@@ -29280,328 +28920,9 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="lremovexattr"
-	KEY="perm_mod"
-	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
-
-	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-	unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
-
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
-
-# If audit tool is 'augenrules', then check if the audit rule is defined
-# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
-# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
-default_file="/etc/audit/rules.d/$KEY.rules"
-# As other_filters may include paths, lets use a different delimiter for it
-# The "F" script expression tells sed to print the filenames where the expressions matched
-readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
-# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
-if [ ${#files_to_inspect[@]} -eq "0" ]
-then
-    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
-    files_to_inspect=("$file_to_inspect")
-    if [ ! -e "$file_to_inspect" ]
-    then
-        touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
-    fi
-fi
-
-# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
-skip=1
-
-for audit_file in "${files_to_inspect[@]}"
-do
-    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
-    # i.e, collect rules that match:
-    # * the action, list and arch, (2-nd argument)
-    # * the other filters, (3-rd argument)
-    # * the auid filters, (4-rd argument)
-    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
-
-    candidate_rules=()
-    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
-    for s_rule in "${similar_rules[@]}"
-    do
-        # Strip all the options and fields we know of,
-        # than check if there was any field left over
-        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
-        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
-    done
-
-    if [[ ${#syscall_a[@]} -ge 1 ]]
-    then
-        # Check if the syscall we want is present in any of the similar existing rules
-        for rule in "${candidate_rules[@]}"
-        do
-            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
-            all_syscalls_found=0
-            for syscall in "${syscall_a[@]}"
-            do
-                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
-                   # A syscall was not found in the candidate rule
-                   all_syscalls_found=1
-                   }
-            done
-            if [[ $all_syscalls_found -eq 0 ]]
-            then
-                # We found a rule with all the syscall(s) we want; skip rest of macro
-                skip=0
-                break
-            fi
-
-            # Check if this rule can be grouped with our target syscall and keep track of it
-            for syscall_g in "${syscall_grouping[@]}"
-            do
-                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
-                then
-                    file_to_edit=${audit_file}
-                    rule_to_edit=${rule}
-                    rule_syscalls_to_edit=${rule_syscalls}
-                fi
-            done
-        done
-    else
-        # If there is any candidate rule, it is compliant; skip rest of macro
-        if [ "${#candidate_rules[@]}" -gt 0 ]
-        then
-            skip=0
-        fi
-    fi
-
-    if [ "$skip" -eq 0 ]; then
-        break
-    fi
-done
-
-if [ "$skip" -ne 0 ]; then
-    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
-    # At this point we know if we need to either append the $full_rule or group
-    # the syscall together with an exsiting rule
-
-    # Append the full_rule if it cannot be grouped to any other rule
-    if [ -z ${rule_to_edit+x} ]
-    then
-        # Build full_rule while avoid adding double spaces when other_filters is empty
-        if [ "${#syscall_a[@]}" -gt 0 ]
-        then
-            syscall_string=""
-            for syscall in "${syscall_a[@]}"
-            do
-                syscall_string+=" -S $syscall"
-            done
-        fi
-        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
-        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
-        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
-        echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
-    else
-        # Check if the syscalls are declared as a comma separated list or
-        # as multiple -S parameters
-        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
-        then
-            delimiter=","
-        else
-            delimiter=" -S "
-        fi
-        new_grouped_syscalls="${rule_syscalls_to_edit}"
-        for syscall in "${syscall_a[@]}"
-        do
-            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
-               # A syscall was not found in the candidate rule
-               new_grouped_syscalls+="${delimiter}${syscall}"
-               }
-        done
-
-        # Group the syscall in the rule
-        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
-    fi
-fi
-	unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
-
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
-
-
-# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
-# file to the list of files to be inspected
-default_file="/etc/audit/audit.rules"
-files_to_inspect+=('/etc/audit/audit.rules' )
-
-# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
-skip=1
-
-for audit_file in "${files_to_inspect[@]}"
-do
-    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
-    # i.e, collect rules that match:
-    # * the action, list and arch, (2-nd argument)
-    # * the other filters, (3-rd argument)
-    # * the auid filters, (4-rd argument)
-    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
-
-    candidate_rules=()
-    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
-    for s_rule in "${similar_rules[@]}"
-    do
-        # Strip all the options and fields we know of,
-        # than check if there was any field left over
-        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
-        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
-    done
-
-    if [[ ${#syscall_a[@]} -ge 1 ]]
-    then
-        # Check if the syscall we want is present in any of the similar existing rules
-        for rule in "${candidate_rules[@]}"
-        do
-            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
-            all_syscalls_found=0
-            for syscall in "${syscall_a[@]}"
-            do
-                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
-                   # A syscall was not found in the candidate rule
-                   all_syscalls_found=1
-                   }
-            done
-            if [[ $all_syscalls_found -eq 0 ]]
-            then
-                # We found a rule with all the syscall(s) we want; skip rest of macro
-                skip=0
-                break
-            fi
-
-            # Check if this rule can be grouped with our target syscall and keep track of it
-            for syscall_g in "${syscall_grouping[@]}"
-            do
-                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
-                then
-                    file_to_edit=${audit_file}
-                    rule_to_edit=${rule}
-                    rule_syscalls_to_edit=${rule_syscalls}
-                fi
-            done
-        done
-    else
-        # If there is any candidate rule, it is compliant; skip rest of macro
-        if [ "${#candidate_rules[@]}" -gt 0 ]
-        then
-            skip=0
-        fi
-    fi
-
-    if [ "$skip" -eq 0 ]; then
-        break
-    fi
-done
-
-if [ "$skip" -ne 0 ]; then
-    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
-    # At this point we know if we need to either append the $full_rule or group
-    # the syscall together with an exsiting rule
-
-    # Append the full_rule if it cannot be grouped to any other rule
-    if [ -z ${rule_to_edit+x} ]
-    then
-        # Build full_rule while avoid adding double spaces when other_filters is empty
-        if [ "${#syscall_a[@]}" -gt 0 ]
-        then
-            syscall_string=""
-            for syscall in "${syscall_a[@]}"
-            do
-                syscall_string+=" -S $syscall"
-            done
-        fi
-        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
-        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
-        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
-        echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
-    else
-        # Check if the syscalls are declared as a comma separated list or
-        # as multiple -S parameters
-        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
-        then
-            delimiter=","
-        else
-            delimiter=" -S "
-        fi
-        new_grouped_syscalls="${rule_syscalls_to_edit}"
-        for syscall in "${syscall_a[@]}"
-        do
-            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
-               # A syscall was not found in the candidate rule
-               new_grouped_syscalls+="${delimiter}${syscall}"
-               }
-        done
-
-        # Group the syscall in the rule
-        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
-    fi
-fi
-done
-
-
-
-for ARCH in "${RULE_ARCHS[@]}"
-do
-	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS=""
-	AUID_FILTERS="-F auid=0"
-	SYSCALL="lremovexattr"
+	SYSCALL="lchown"
 	KEY="perm_mod"
-	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+	SYSCALL_GROUPING="chown fchown fchownat lchown"
 
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
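Review bot: The only lines this hunk adds are `SYSCALL="lchown"` and `SYSCALL_GROUPING="chown fchown fchownat lchown"`, while the `for ARCH`, `ACTION_ARCH_FILTERS`, `OTHER_FILTERS` and `AUID_FILTERS="-F auid=0"` lines that introduce that assignment are deleted here with no visible replacement, so the lchown block's correctness depends on unchanged context above this excerpt still supplying the loop header and the auid=0 filter; please confirm that, and that the matching `-F auid>=1000 -F auid!=unset` loop for lchown, which this hunk does not show, carries the same grouping. Everything else in the hunk is the unchanged remediation macro of the rule that previously sat in this position, which makes this a move of whole rule sections rather than a change to remediation logic; a move-aware view (`git diff --color-moved`) will show that directly, and having the publisher emit rule sections in a stable order would keep automated commits from burying two real lines inside hundreds of moved ones. If the macro text is being moved rather than dropped, its defects travel with it: the comment typos `more fields then required`, `than check if there was any field left over`, `exsiting rule` and `4-rd argument`, the unquoted expansions in `read -a syscall_a <<< $SYSCALL` and `chmod o-rwx ${default_file}`, and the tab-indented `unset syscall_a` that is out of step with the `unset` lines that follow it.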
@@ -29914,7 +29235,40 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - lremovexattr +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80694-3

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
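Review bot: The rule text inserted in this hunk for CCE-80694-3 says "add the following line" but then lists two rules per architecture (one with `-F auid>=1000 -F auid!=unset`, one with `-F auid=0`), and its Warning reads "as identifying earlier in this guide" where "as identified" is meant; since this HTML is generated output, both fixes belong in the upstream rule description rather than in this published file. Note also that the rendering has fused the diff markers into the description lines ("file permission +changes", "Rule + Record Events"), so the added text cannot be checked character for character from this view; please verify the inserted rule, and that the `Remediation Ansible snippet` header re-added at the end of the hunk now belongs to the lremovexattr rule rather than to the rule whose shell remediation closes with the `fi` at the top of the hunk, against the source XML.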
@@ -30519,35 +29873,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - lsetxattr -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80695-0

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
@@ -30559,7 +29885,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="lsetxattr"
+	SYSCALL="lremovexattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
@@ -30878,7 +30204,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid=0"
-	SYSCALL="lsetxattr"
+	SYSCALL="lremovexattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
@@ -31193,7 +30519,35 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - lsetxattr +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80695-0

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
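Review bot: The lsetxattr rule (CCE-80695-0) re-added here differs from its sibling rules in two ways worth checking at the source: its reference list contains CCI-000126 and omits SRG-APP-000499-CTR-001255, whereas the lremovexattr (CCE-80694-3) and removexattr (CCE-80696-8) rules in neighbouring hunks have the opposite, even though all three map to the same RHEL-08-030200 and SV-230413r810463_rule identifiers; and its description runs the augenrules and auditctl instructions together in one paragraph ("...for all users and root. If the auditd daemon is configured...") where the sibling rules separate them. If the divergence in references is not intentional, the fix belongs in the upstream rule source, not in this generated HTML.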
@@ -31798,39 +31152,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - removexattr -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80696-8

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
@@ -31842,7 +31164,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="removexattr"
+	SYSCALL="lsetxattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
@@ -32161,7 +31483,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid=0"
-	SYSCALL="removexattr"
+	SYSCALL="lsetxattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
@@ -32476,7 +31798,39 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - removexattr +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80696-8

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -33081,35 +32435,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify the System's Discretionary Access Controls - setxattr -   [ref]

At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80697-6

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
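Review bot: the shell script that continues below the kept `# Remediation is applicable only in certain platforms` line is now separated from the rule it used to belong to: this hunk removes the whole setxattr description together with its identifier (`CCE-80697-6`) and reference list, while the script itself stays in place and is switched to `removexattr` in the two hunks that follow. The heading that now precedes the script is outside the hunk, so please confirm in the rendered guide that a removexattr rule heading with its own CCE sits directly above it; otherwise the page would pair the removexattr script with no identifier, or with the setxattr one that has moved to line 33081 of the new file.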
@@ -33121,7 +32447,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="setxattr"
+	SYSCALL="removexattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
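Review bot: only `SYSCALL="setxattr"` becomes `SYSCALL="removexattr"` here, but the `-S setxattr` example rules and the rule title that the guide prints above this script are not part of the hunk; check that the description block for this rule now also reads `-S removexattr` for both arches and both auid filters, since a description that shows setxattr rules next to a script that writes removexattr would mislead anyone copying the rules by hand. `SYSCALL_GROUPING` already lists both syscalls with the same `KEY="perm_mod"`, so the grouping logic later in the script will merge the two into one `-S` list rather than append a duplicate, which is fine.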
@@ -33440,7 +32766,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid=0"
-	SYSCALL="setxattr"
+	SYSCALL="removexattr"
 	KEY="perm_mod"
 	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
@@ -33755,7 +33081,35 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify the System's Discretionary Access Controls - setxattr +   [ref]

At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80697-6

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
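Review bot: the re-added rule text says "add the following line" and "If the system is 64 bit then also add the following line" but each of those sentences is followed by two rules (one with `-F auid>=1000 -F auid!=unset`, one with `-F auid=0`), for both the augenrules and the auditctl variants; suggest "lines" in all four places so the reader adds both. In the Warning paragraph, "Grouping these system calls with others as identifying earlier in this guide" should read "as identified earlier in this guide". This text is generated from the rule source, so the fix belongs in the rule's description rather than in the published HTML.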
@@ -34360,198 +33714,24 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-
Group   - Record Execution Attempts to Run ACL Privileged Commands -   Group contains 2 rules

[ref]   - At a minimum, the audit system should collect the execution of -ACL privileged commands for all users and root.

Rule   - Record Any Attempts to Run chacl -   [ref]

At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. -Audit records can be generated from various components within the -information system (e.g., module or policy filter).

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-89446-9

References:  - CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030570, 4.1.3.17, SV-230464r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-ACTION_ARCH_FILTERS="-a always,exit"
-OTHER_FILTERS="-F path=/usr/bin/chacl -F perm=x"
-AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL=""
-KEY="privileged"
-SYSCALL_GROUPING=""
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
-
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
-
-# If audit tool is 'augenrules', then check if the audit rule is defined
-# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
-# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
-default_file="/etc/audit/rules.d/$KEY.rules"
-# As other_filters may include paths, lets use a different delimiter for it
-# The "F" script expression tells sed to print the filenames where the expressions matched
-readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
-# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
-if [ ${#files_to_inspect[@]} -eq "0" ]
-then
-    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
-    files_to_inspect=("$file_to_inspect")
-    if [ ! -e "$file_to_inspect" ]
-    then
-        touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
-    fi
-fi
-
-# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
-skip=1
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
-for audit_file in "${files_to_inspect[@]}"
+for ARCH in "${RULE_ARCHS[@]}"
 do
-    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
-    # i.e, collect rules that match:
-    # * the action, list and arch, (2-nd argument)
-    # * the other filters, (3-rd argument)
-    # * the auid filters, (4-rd argument)
-    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
-
-    candidate_rules=()
-    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
-    for s_rule in "${similar_rules[@]}"
-    do
-        # Strip all the options and fields we know of,
-        # than check if there was any field left over
-        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
-        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
-    done
-
-    if [[ ${#syscall_a[@]} -ge 1 ]]
-    then
-        # Check if the syscall we want is present in any of the similar existing rules
-        for rule in "${candidate_rules[@]}"
-        do
-            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
-            all_syscalls_found=0
-            for syscall in "${syscall_a[@]}"
-            do
-                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
-                   # A syscall was not found in the candidate rule
-                   all_syscalls_found=1
-                   }
-            done
-            if [[ $all_syscalls_found -eq 0 ]]
-            then
-                # We found a rule with all the syscall(s) we want; skip rest of macro
-                skip=0
-                break
-            fi
-
-            # Check if this rule can be grouped with our target syscall and keep track of it
-            for syscall_g in "${syscall_grouping[@]}"
-            do
-                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
-                then
-                    file_to_edit=${audit_file}
-                    rule_to_edit=${rule}
-                    rule_syscalls_to_edit=${rule_syscalls}
-                fi
-            done
-        done
-    else
-        # If there is any candidate rule, it is compliant; skip rest of macro
-        if [ "${#candidate_rules[@]}" -gt 0 ]
-        then
-            skip=0
-        fi
-    fi
-
-    if [ "$skip" -eq 0 ]; then
-        break
-    fi
-done
-
-if [ "$skip" -ne 0 ]; then
-    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
-    # At this point we know if we need to either append the $full_rule or group
-    # the syscall together with an exsiting rule
-
-    # Append the full_rule if it cannot be grouped to any other rule
-    if [ -z ${rule_to_edit+x} ]
-    then
-        # Build full_rule while avoid adding double spaces when other_filters is empty
-        if [ "${#syscall_a[@]}" -gt 0 ]
-        then
-            syscall_string=""
-            for syscall in "${syscall_a[@]}"
-            do
-                syscall_string+=" -S $syscall"
-            done
-        fi
-        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
-        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
-        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
-        echo "$full_rule" >> "$default_file"
-        chmod o-rwx ${default_file}
-    else
-        # Check if the syscalls are declared as a comma separated list or
-        # as multiple -S parameters
-        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
-        then
-            delimiter=","
-        else
-            delimiter=" -S "
-        fi
-        new_grouped_syscalls="${rule_syscalls_to_edit}"
-        for syscall in "${syscall_a[@]}"
-        do
-            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
-               # A syscall was not found in the candidate rule
-               new_grouped_syscalls+="${delimiter}${syscall}"
-               }
-        done
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS=""
+	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+	SYSCALL="setxattr"
+	KEY="perm_mod"
+	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
-        # Group the syscall in the rule
-        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
-    fi
-fi
-unset syscall_a
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	unset syscall_a
 unset syscall_grouping
 unset syscall_string
 unset syscall
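Review bot: the removed group "Record Execution Attempts to Run ACL Privileged Commands" ("Group contains 2 rules"), its chacl rule (`CCE-89446-9`, `RHEL-08-030570`) and the chacl shell remediation are not re-added anywhere in this hunk, and the header (`-34360,198 +33714,24`) shows a net loss of 174 lines at this point; please confirm that a later hunk re-emits the group with both rules in the new ordering rather than dropping them from the guide. The added lines otherwise only open the setxattr script (`[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")` and the `for ARCH` loop), which is the expected result of the reordering.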
@@ -34580,11 +33760,24 @@
 #
 files_to_inspect=()
 
-
-# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
-# file to the list of files to be inspected
-default_file="/etc/audit/audit.rules"
-files_to_inspect+=('/etc/audit/audit.rules' )
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+    files_to_inspect=("$file_to_inspect")
+    if [ ! -e "$file_to_inspect" ]
+    then
+        touch "$file_to_inspect"
+        chmod 0640 "$file_to_inspect"
+    fi
+fi
 
 # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
 skip=1
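Review bot: `readarray -t files_to_inspect < <(sed -s -n ... -e "F" /etc/audit/rules.d/*.rules)` assumes the glob matches at least one file; on a host with no `*.rules` file in `/etc/audit/rules.d` yet, bash passes the pattern literally (nullglob is not set here) and sed prints a "can't read" error to stderr before the `-eq "0"` fallback below creates `/etc/audit/rules.d/$KEY.rules` with mode 0640. The outcome is correct but noisy; suggest `2>/dev/null` on that sed call or a glob test before it. Worth a comment too: with `OTHER_FILTERS=""` (as it is for this rule) the address `\##!d` is an empty regex, which sed interprets as "repeat the last regular expression", so it re-applies the `^$ACTION_ARCH_FILTERS` test and is a no-op only by that accident.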
@@ -34697,182 +33890,167 @@
         sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
     fi
 fi
+	unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
 
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-89446-9
-  - DISA-STIG-RHEL-08-030570
-  - audit_rules_execution_chacl
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-
-- name: Perform remediation of Audit rules for /usr/bin/chacl
-  block:
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
-
-  - name: Check existence of  in /etc/audit/rules.d/
-    find:
-      paths: /etc/audit/rules.d
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: '*.rules'
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Reset syscalls found per file
-    set_fact:
-      syscalls_per_file: {}
-      found_paths_dict: {}
-
-  - name: Declare syscalls found per file
-    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
-      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
-    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
 
-  - name: Declare files where syscalls were found
-    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
-      | map(attribute='path') | list }}"
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
+# -----------------------------------------------------------------------------------------
+#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
+# -----------------------------------------------------------------------------------------
+#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
+#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
 
-  - name: Count occurrences of syscalls in paths
-    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
-      0) }) }}"
-    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
-      | list }}'
 
-  - name: Get path with most syscalls
-    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
-      | last).key }}"
-    when: found_paths | length >= 1
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
 
-  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
-    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
-    when: found_paths | length == 0
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
 
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
+for audit_file in "${files_to_inspect[@]}"
+do
+    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+    # i.e, collect rules that match:
+    # * the action, list and arch, (2-nd argument)
+    # * the other filters, (3-rd argument)
+    # * the auid filters, (4-rd argument)
+    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
 
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+    candidate_rules=()
+    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+    for s_rule in "${similar_rules[@]}"
+    do
+        # Strip all the options and fields we know of,
+        # than check if there was any field left over
+        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+    done
 
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F
-        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+    if [[ ${#syscall_a[@]} -ge 1 ]]
+    then
+        # Check if the syscall we want is present in any of the similar existing rules
+        for rule in "${candidate_rules[@]}"
+        do
+            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+            all_syscalls_found=0
+            for syscall in "${syscall_a[@]}"
+            do
+                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+                   # A syscall was not found in the candidate rule
+                   all_syscalls_found=1
+                   }
+            done
+            if [[ $all_syscalls_found -eq 0 ]]
+            then
+                # We found a rule with all the syscall(s) we want; skip rest of macro
+                skip=0
+                break
+            fi
 
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
+            # Check if this rule can be grouped with our target syscall and keep track of it
+            for syscall_g in "${syscall_grouping[@]}"
+            do
+                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+                then
+                    file_to_edit=${audit_file}
+                    rule_to_edit=${rule}
+                    rule_syscalls_to_edit=${rule_syscalls}
+                fi
+            done
+        done
+    else
+        # If there is any candidate rule, it is compliant; skip rest of macro
+        if [ "${#candidate_rules[@]}" -gt 0 ]
+        then
+            skip=0
+        fi
+    fi
 
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
+    if [ "$skip" -eq 0 ]; then
+        break
+    fi
+done
 
-  - name: Check existence of  in /etc/audit/audit.rules
-    find:
-      paths: /etc/audit
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: audit.rules
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+if [ "$skip" -ne 0 ]; then
+    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+    # At this point we know if we need to either append the $full_rule or group
+    # the syscall together with an exsiting rule
 
-  - name: Set path to /etc/audit/audit.rules
-    set_fact: audit_file="/etc/audit/audit.rules"
+    # Append the full_rule if it cannot be grouped to any other rule
+    if [ -z ${rule_to_edit+x} ]
+    then
+        # Build full_rule while avoid adding double spaces when other_filters is empty
+        if [ "${#syscall_a[@]}" -gt 0 ]
+        then
+            syscall_string=""
+            for syscall in "${syscall_a[@]}"
+            do
+                syscall_string+=" -S $syscall"
+            done
+        fi
+        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+        echo "$full_rule" >> "$default_file"
+        chmod o-rwx ${default_file}
+    else
+        # Check if the syscalls are declared as a comma separated list or
+        # as multiple -S parameters
+        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+        then
+            delimiter=","
+        else
+            delimiter=" -S "
+        fi
+        new_grouped_syscalls="${rule_syscalls_to_edit}"
+        for syscall in "${syscall_a[@]}"
+        do
+            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+               # A syscall was not found in the candidate rule
+               new_grouped_syscalls+="${delimiter}${syscall}"
+               }
+        done
 
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
+        # Group the syscall in the rule
+        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+    fi
+fi
+done
 
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
 
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset
-        (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
 
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-89446-9
-  - DISA-STIG-RHEL-08-030570
-  - audit_rules_execution_chacl
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-

Rule   - Record Any Attempts to Run setfacl -   [ref]

At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. -Audit records can be generated from various components within the -information system (e.g., module or policy filter).

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-88437-9

References:  - CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030330, 4.1.3.16, SV-230435r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS=""
+	AUID_FILTERS="-F auid=0"
+	SYSCALL="setxattr"
+	KEY="perm_mod"
+	SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
 
-ACTION_ARCH_FILTERS="-a always,exit"
-OTHER_FILTERS="-F path=/usr/bin/setfacl -F perm=x"
-AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL=""
-KEY="privileged"
-SYSCALL_GROUPING=""
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-unset syscall_a
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	unset syscall_a
 unset syscall_grouping
 unset syscall_string
 unset syscall
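Review bot: the `-`/`+` pairing in this hunk is a reordering artifact, not a change to the setfacl remediation: the removed lines (`OTHER_FILTERS="-F path=/usr/bin/setfacl -F perm=x"`, `KEY="privileged"`, `SYSCALL=""`) belong to the path-based setfacl rule, while the added `for ARCH in "${RULE_ARCHS[@]}"` loop with `SYSCALL="setxattr"` and `KEY="perm_mod"` is a different, syscall-based rule that now occupies this position; the setfacl rule is re-added further down in the diff. Two things are still worth checking in the added loop: `RULE_ARCHS` is iterated but nothing in the hunk shows where it is populated, and the body mixes indentation, with `+	unset syscall_a` tab-indented while the unchanged `unset syscall_grouping`, `unset syscall_string` and `unset syscall` lines directly below it stay at column 0 inside the same loop.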
@@ -35031,7 +34209,7 @@
         sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
     fi
 fi
-unset syscall_a
+	unset syscall_a
 unset syscall_grouping
 unset syscall_string
 unset syscall
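Review bot: the only change in this hunk is indentation: `unset syscall_a` gains a leading tab (to sit inside the new `for ARCH` loop) while the three `unset` lines directly below it remain at column 0. Either indent the whole group consistently or leave all four flush left; as it stands the block reads as if only the first `unset` were loop-scoped, and mixing a tab with the four-space indentation used by the `sed -i ...` / `fi` lines above it makes the script harder to read.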
@@ -35177,24 +34355,47 @@
         sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
     fi
 fi
+done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+
Group   + Record Execution Attempts to Run ACL Privileged Commands +   Group contains 2 rules

[ref]   + At a minimum, the audit system should collect the execution of +ACL privileged commands for all users and root.

Rule   + Record Any Attempts to Run chacl +   [ref]

At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. +Audit records can be generated from various components within the +information system (e.g., module or policy filter).

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-89446-9

References:  + CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030570, 4.1.3.17, SV-230464r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-88437-9
-  - DISA-STIG-RHEL-08-030330
-  - audit_rules_execution_setfacl
+  - CCE-89446-9
+  - DISA-STIG-RHEL-08-030570
+  - audit_rules_execution_chacl
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/setfacl
+- name: Perform remediation of Audit rules for /usr/bin/chacl
   block:
 
   - name: Declare list of syscalls
@@ -35206,7 +34407,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -35251,8 +34452,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x
-        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F
+        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
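Review bot: the key pattern in this `regexp:`, `(?:-k |-F key=)\w+`, is narrower than the `(-k\s+|-F\s+key=)\S+\s*$` used in the preceding `find` task's `contains:` for `/etc/audit/rules.d`, so a rule whose key contains a non-word character such as `-` would be matched by `find` (populating `syscalls_per_file[audit_file]`) but not by this `lineinfile`, which with `backrefs: true` then silently leaves the file unchanged. Use the same `\S+` (and `\s+` after `-k`) in both patterns so the two tasks agree on what counts as an existing rule.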
@@ -35261,7 +34462,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
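Review bot: `line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl ...` glues the joined syscall list directly onto `exit` with no ` -S ` separator, so it only produces a valid rule when `syscalls` is empty; the hunk does not show what the "Declare list of syscalls" task sets, and a non-empty list would yield something like `-a always,exitopen,close -F path=...`, which is not a valid `-a list,action` argument. If this template is shared with syscall-based rules, emit the separator conditionally, e.g. `-a always,exit{% if syscalls %} -S {{ syscalls | join(',') }}{% endif %} -F path=/usr/bin/chacl -F perm=x ...`.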
@@ -35277,7 +34478,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -35296,7 +34497,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -35306,7 +34507,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -35316,45 +34517,19 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-88437-9
-  - DISA-STIG-RHEL-08-030330
-  - audit_rules_execution_setfacl
+  - CCE-89446-9
+  - DISA-STIG-RHEL-08-030570
+  - audit_rules_execution_chacl
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Group   - Record Execution Attempts to Run SELinux Privileged Commands -   Group contains 4 rules

[ref]   - At a minimum, the audit system should collect the execution of -SELinux privileged commands for all users and root.

Rule   - Record Any Attempts to Run chcon -   [ref]

At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80698-4

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030260, 4.1.3.15, SV-230419r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
-OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x"
+OTHER_FILTERS="-F path=/usr/bin/chacl -F perm=x"
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 SYSCALL=""
 KEY="privileged"
@@ -35669,25 +34844,38 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Any Attempts to Run setfacl +   [ref]

At a minimum, the audit system should collect any execution attempt +of the setfacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. +Audit records can be generated from various components within the +information system (e.g., module or policy filter).

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-88437-9

References:  + CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030330, 4.1.3.16, SV-230435r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80698-4
-  - DISA-STIG-RHEL-08-030260
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_execution_chcon
+  - CCE-88437-9
+  - DISA-STIG-RHEL-08-030330
+  - audit_rules_execution_setfacl
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/chcon
+- name: Perform remediation of Audit rules for /usr/bin/setfacl
   block:
 
   - name: Declare list of syscalls
@@ -35699,7 +34887,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -35744,8 +34932,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F
-        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x
+        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -35754,7 +34942,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -35770,7 +34958,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -35789,7 +34977,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -35799,7 +34987,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -35809,46 +34997,19 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80698-4
-  - DISA-STIG-RHEL-08-030260
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_execution_chcon
+  - CCE-88437-9
+  - DISA-STIG-RHEL-08-030330
+  - audit_rules_execution_setfacl
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Record Any Attempts to Run semanage -   [ref]

At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80700-8

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, RHEL-08-030313, SV-230429r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
-OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x"
+OTHER_FILTERS="-F path=/usr/bin/setfacl -F perm=x"
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 SYSCALL=""
 KEY="privileged"
@@ -36163,26 +35324,51 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+
Group   + Record Execution Attempts to Run SELinux Privileged Commands +   Group contains 4 rules

[ref]   + At a minimum, the audit system should collect the execution of +SELinux privileged commands for all users and root.

Rule   + Record Any Attempts to Run chcon +   [ref]

At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80698-4

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030260, 4.1.3.15, SV-230419r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80700-8
-  - DISA-STIG-RHEL-08-030313
+  - CCE-80698-4
+  - DISA-STIG-RHEL-08-030260
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_execution_semanage
+  - audit_rules_execution_chcon
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/semanage
+- name: Perform remediation of Audit rules for /usr/bin/chcon
   block:
 
   - name: Declare list of syscalls
@@ -36194,7 +35380,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -36239,8 +35425,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x
-        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F
+        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -36249,8 +35435,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F
-        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -36265,7 +35451,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -36284,7 +35470,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -36294,8 +35480,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F
-        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -36304,47 +35490,24 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80700-8
-  - DISA-STIG-RHEL-08-030313
+  - CCE-80698-4
+  - DISA-STIG-RHEL-08-030260
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_execution_semanage
+  - audit_rules_execution_chcon
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Record Any Attempts to Run setfiles -   [ref]

At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82280-9

References:  - CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, RHEL-08-030314, SV-230430r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
-OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x"
+OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x"
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 SYSCALL=""
 KEY="privileged"
@@ -36659,24 +35822,48 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Any Attempts to Run semanage +   [ref]

At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80700-8

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, RHEL-08-030313, SV-230429r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-82280-9
-  - DISA-STIG-RHEL-08-030314
+  - CCE-80700-8
+  - DISA-STIG-RHEL-08-030313
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_execution_setfiles
+  - audit_rules_execution_semanage
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/setfiles
+- name: Perform remediation of Audit rules for /usr/sbin/semanage
   block:
 
   - name: Declare list of syscalls
@@ -36688,7 +35875,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -36733,7 +35920,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x
         -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -36743,7 +35930,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -36759,7 +35946,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -36778,7 +35965,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -36788,7 +35975,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -36798,45 +35985,25 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-82280-9
-  - DISA-STIG-RHEL-08-030314
+  - CCE-80700-8
+  - DISA-STIG-RHEL-08-030313
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_execution_setfiles
+  - audit_rules_execution_semanage
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Record Any Attempts to Run setsebool -   [ref]

At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80701-6

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, RHEL-08-030316, SV-230432r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
-OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x"
+OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x"
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 SYSCALL=""
 KEY="privileged"
@@ -37151,25 +36318,46 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Any Attempts to Run setfiles +   [ref]

At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82280-9

References:  + CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, RHEL-08-030314, SV-230430r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80701-6
-  - DISA-STIG-RHEL-08-030316
-  - NIST-800-171-3.1.7
+  - CCE-82280-9
+  - DISA-STIG-RHEL-08-030314
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_execution_setsebool
+  - audit_rules_execution_setfiles
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/setsebool
+- name: Perform remediation of Audit rules for /usr/sbin/setfiles
   block:
 
   - name: Declare list of syscalls
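Review bot: the reference set for the setfiles rule is much thinner than for the neighbouring semanage and setsebool rules, and the tags in this hunk drop `NIST-800-171-3.1.7` without re-adding it (`-  - NIST-800-171-3.1.7` with no matching `+` line), while the rule description, rationale and audit line are otherwise identical to the other two privileged-command rules. All three audit execution of a privileged SELinux tool, so the missing 3.1.7, CCI-000130/CCI-000135 and framework mappings look like an incomplete reference block in the rule metadata rather than an intentional difference; worth confirming before this publish goes out, since the STIG table is generated from the same data.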
@@ -37181,7 +36369,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -37226,7 +36414,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x
         -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -37236,7 +36424,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -37252,7 +36440,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -37271,7 +36459,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -37281,7 +36469,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -37291,67 +36479,29 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80701-6
-  - DISA-STIG-RHEL-08-030316
-  - NIST-800-171-3.1.7
+  - CCE-82280-9
+  - DISA-STIG-RHEL-08-030314
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_execution_setsebool
+  - audit_rules_execution_setfiles
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Group   - Record File Deletion Events by User -   Group contains 5 rules

[ref]   - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -

-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

Rule   - Ensure auditd Collects File Deletion Events by User - rename -   [ref]

At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80703-2

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
-
-# First perform the remediation of the syscall rule
-# Retrieve hardware architecture of the underlying system
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-for ARCH in "${RULE_ARCHS[@]}"
-do
-	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS=""
-	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="rename"
-	KEY="delete"
-	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
-	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-	unset syscall_a
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x"
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL=""
+KEY="privileged"
+SYSCALL_GROUPING=""
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
 unset syscall_grouping
 unset syscall_string
 unset syscall
@@ -37510,7 +36660,7 @@
         sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
     fi
 fi
-	unset syscall_a
+unset syscall_a
 unset syscall_grouping
 unset syscall_string
 unset syscall
@@ -37656,224 +36806,63 @@
         sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
     fi
 fi
-done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Any Attempts to Run setsebool +   [ref]

At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80701-6

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, RHEL-08-030316, SV-230432r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80703-2
-  - DISA-STIG-RHEL-08-030361
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rename
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Set architecture for audit rename tasks
-  set_fact:
-    audit_arch: b64
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - not ( ansible_architecture == "aarch64" )
-  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
-    == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
-  tags:
-  - CCE-80703-2
-  - DISA-STIG-RHEL-08-030361
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rename
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Perform remediation of Audit rules for rename for 32bit platform
-  block:
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls:
-      - rename
-      syscall_grouping:
-      - unlink
-      - unlinkat
-      - rename
-      - renameat
-      - rmdir
-
-  - name: Check existence of rename in /etc/audit/rules.d/
-    find:
-      paths: /etc/audit/rules.d
-      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: '*.rules'
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Reset syscalls found per file
-    set_fact:
-      syscalls_per_file: {}
-      found_paths_dict: {}
-
-  - name: Declare syscalls found per file
-    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
-      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
-    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
-
-  - name: Declare files where syscalls were found
-    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
-      | map(attribute='path') | list }}"
-
-  - name: Count occurrences of syscalls in paths
-    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
-      0) }) }}"
-    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
-      | list }}'
-
-  - name: Get path with most syscalls
-    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
-      | last).key }}"
-    when: found_paths | length >= 1
-
-  - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
-    set_fact: audit_file="/etc/audit/rules.d/delete.rules"
-    when: found_paths | length == 0
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
-        |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=delete
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls:
-      - rename
-      syscall_grouping:
-      - unlink
-      - unlinkat
-      - rename
-      - renameat
-      - rmdir
-
-  - name: Check existence of rename in /etc/audit/audit.rules
-    find:
-      paths: /etc/audit
-      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: audit.rules
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Set path to /etc/audit/audit.rules
-    set_fact: audit_file="/etc/audit/audit.rules"
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
-        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
-        key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=delete
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - not ( ansible_architecture == "aarch64" )
-  tags:
-  - CCE-80703-2
-  - DISA-STIG-RHEL-08-030361
+  - CCE-80701-6
+  - DISA-STIG-RHEL-08-030316
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rename
+  - audit_rules_execution_setsebool
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for rename for 64bit platform
+- name: Perform remediation of Audit rules for /usr/sbin/setsebool
   block:
 
   - name: Declare list of syscalls
     set_fact:
-      syscalls:
-      - rename
-      syscall_grouping:
-      - unlink
-      - unlinkat
-      - rename
-      - renameat
-      - rmdir
+      syscalls: []
+      syscall_grouping: []
 
-  - name: Check existence of rename in /etc/audit/rules.d/
+  - name: Check existence of  in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
-      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
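Review bot: the task name on `+  - name: Check existence of  in /etc/audit/rules.d/` has an empty subject (note the double space) because this path-based rule declares `syscalls: []`, so the templated syscall name renders as nothing; naming the task after the watched binary, e.g. `Check existence of /usr/sbin/setsebool rule in /etc/audit/rules.d/`, keeps play output readable. More importantly, with both `syscalls: []` and `syscall_grouping: []` the `loop: '{{ (syscall_grouping + syscalls) | unique }}'` iterates zero times, so the `find` never runs, `syscalls_found` is always empty, and the `-k`/`-F key=` tolerant `contains` regex is never exercised; the rule is then only ever handled by the later "Add the audit rule" task, whose exact-line match will not recognise an equivalent existing rule written with `-k privileged`. Consider a single non-looped `find` for path rules, or document that duplicates are possible when the key is expressed with `-k`.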
@@ -37903,8 +36892,8 @@
       | last).key }}"
     when: found_paths | length >= 1
 
-  - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
-    set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
     when: found_paths | length == 0
 
   - name: Declare found syscalls
@@ -37917,9 +36906,9 @@
   - name: Replace the audit rule in {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
-        |-F key=)\w+)
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x
+        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -37928,8 +36917,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=delete
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F
+        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -37937,20 +36926,14 @@
 
   - name: Declare list of syscalls
     set_fact:
-      syscalls:
-      - rename
-      syscall_grouping:
-      - unlink
-      - unlinkat
-      - rename
-      - renameat
-      - rmdir
+      syscalls: []
+      syscall_grouping: []
 
-  - name: Check existence of rename in /etc/audit/audit.rules
+  - name: Check existence of  in /etc/audit/audit.rules
     find:
       paths: /etc/audit
-      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
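Review bot: same issue as in the rules.d block above: `+  - name: Check existence of  in /etc/audit/audit.rules` has an empty subject, and with `syscalls: []` and `syscall_grouping: []` the `find` loop over `(syscall_grouping + syscalls) | unique` is empty, so the existence check against `/etc/audit/audit.rules` never runs and detection of an existing rule falls entirely to the exact-line `lineinfile` in the following hunk. Give the task a concrete name and make the path-rule check non-looped so the `contains` regex is actually evaluated.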
@@ -37968,9 +36951,9 @@
   - name: Replace the audit rule in {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
-        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
-        key=)\w+)
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+        -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset
+        (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
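Review bot: the `regexp` for the `/etc/audit/audit.rules` Replace task has the same shape problem as the rules.d one: `((?:( -S |,)\w+)+)` must match at least one syscall token before ` -F path=/usr/sbin/setsebool -F perm=x`, so it never matches the setsebool path rule and `\3` in the `line:` backreference is never set. Consider omitting this task when the rule has no syscalls.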
@@ -37979,8 +36962,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=delete
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F
+        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -37988,57 +36971,31 @@
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - not ( ansible_architecture == "aarch64" )
-  - audit_arch == "b64"
   tags:
-  - CCE-80703-2
-  - DISA-STIG-RHEL-08-030361
+  - CCE-80701-6
+  - DISA-STIG-RHEL-08-030316
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rename
+  - audit_rules_execution_setsebool
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects File Deletion Events by User - renameat -   [ref]

At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80704-0

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-# First perform the remediation of the syscall rule
-# Retrieve hardware architecture of the underlying system
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-
-for ARCH in "${RULE_ARCHS[@]}"
-do
-	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS=""
-	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="renameat"
-	KEY="delete"
-	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
-	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-	unset syscall_a
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x"
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL=""
+KEY="privileged"
+SYSCALL_GROUPING=""
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
 unset syscall_grouping
 unset syscall_string
 unset syscall
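Review bot: this hunk swaps one rule's rendering for another's rather than changing either: the tags move from `CCE-80703-2` / `DISA-STIG-RHEL-08-030361` / `audit_rules_file_deletion_events_rename` to `CCE-80701-6` / `DISA-STIG-RHEL-08-030316` / `audit_rules_execution_setsebool`, and the `when:` loses the `aarch64` and `audit_arch == "b64"` guards because a path-watch rule is architecture independent. Review it as a move, not an edit: the removed `renameat` description and `-F key=delete` lines must reappear unchanged further down (the `rename` and `renameat` rules are re-emitted in later hunks). On the shell side, the flattened block sets `SYSCALL=""` and `SYSCALL_GROUPING=""` but then runs the same `unset syscall_a` / `unset syscall_grouping` machinery that was written for a non-empty `$SYSCALL`; confirm that with an empty syscall list it only appends the `-F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged` line and never enters the syscall-editing branch.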
@@ -38197,7 +37154,7 @@
         sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
     fi
 fi
-	unset syscall_a
+unset syscall_a
 unset syscall_grouping
 unset syscall_string
 unset syscall
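Review bot: only indentation changes here, but the unchanged context `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"` now runs inside a block where this patch sets `SYSCALL=""`. If `rule_syscalls_to_edit` is empty, the `s###` expression hands sed an empty pattern, and GNU sed reuses the last regex (the `\#${rule_to_edit}#` address) in that case, so the entire matched rule line would be replaced by `${new_grouped_syscalls}`. Add a guard such as `[ -n "$rule_syscalls_to_edit" ]` before the `sed`, or document why this branch is unreachable for path-watch rules.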
@@ -38343,16 +37300,46 @@
         sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
     fi
 fi
-done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Group   + Record File Deletion Events by User +   Group contains 5 rules

[ref]   + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +

-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

Rule   + Ensure auditd Collects File Deletion Events by User - rename +   [ref]

At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80703-2

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80704-0
+  - CCE-80703-2
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
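Review bot: the removed `done` pairs with the `for ARCH in "${RULE_ARCHS[@]}"` loop deleted earlier in this patch for the setsebool rule, so the shell script stays balanced. From `Group   + Record File Deletion Events by User +   Group contains 5 rules` onward the hunk is the rendered file-deletion group and the `rename` rule being re-emitted, and the extraction has folded the diff markers into the prose (`... file deletion events +for all users and root ...`), so that text cannot be checked line by line; compare the rendered guide instead. One documentation gap is visible regardless: the group example `-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat ...` is given with a single `ARCH` placeholder, while the per-rule Ansible tasks below exclude `aarch64` for `rename`. The group text should say that `rename`, `rmdir` and `unlink` do not exist on aarch64 (only the `*at` variants do) and must be left out of the combined rule there, otherwise auditctl fails to load the file.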
@@ -38360,23 +37347,24 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_renameat
+  - audit_rules_file_deletion_events_rename
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Set architecture for audit renameat tasks
+- name: Set architecture for audit rename tasks
   set_fact:
     audit_arch: b64
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - not ( ansible_architecture == "aarch64" )
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
     == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
   tags:
-  - CCE-80704-0
+  - CCE-80703-2
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
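Review bot: the added `- not ( ansible_architecture == "aarch64" )` makes the `aarch64` alternative in the very next condition (`ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ...`) dead code, so `audit_arch: b64` is now set for ppc64, ppc64le, s390x and x86_64 only. That is the right outcome for `rename`, which aarch64 does not provide (it only has `renameat`), but the leftover `aarch64` term is misleading. Drop it from the `or` chain, or add a comment stating why the rule is skipped on aarch64, especially since the otherwise identical task for `renameat` later in this patch removes the `not ( ... aarch64 )` line again.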
@@ -38384,20 +37372,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_renameat
+  - audit_rules_file_deletion_events_rename
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for renameat for 32bit platform
+- name: Perform remediation of Audit rules for rename for 32bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - renameat
+      - rename
       syscall_grouping:
       - unlink
       - unlinkat
@@ -38405,7 +37393,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of renameat in /etc/audit/rules.d/
+  - name: Check existence of rename in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -38474,7 +37462,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - renameat
+      - rename
       syscall_grouping:
       - unlink
       - unlinkat
@@ -38482,7 +37470,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of renameat in /etc/audit/audit.rules
+  - name: Check existence of rename in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -38524,8 +37512,9 @@
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - not ( ansible_architecture == "aarch64" )
   tags:
-  - CCE-80704-0
+  - CCE-80703-2
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -38533,20 +37522,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_renameat
+  - audit_rules_file_deletion_events_rename
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for renameat for 64bit platform
+- name: Perform remediation of Audit rules for rename for 64bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - renameat
+      - rename
       syscall_grouping:
       - unlink
       - unlinkat
@@ -38554,7 +37543,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of renameat in /etc/audit/rules.d/
+  - name: Check existence of rename in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -38623,7 +37612,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - renameat
+      - rename
       syscall_grouping:
       - unlink
       - unlinkat
@@ -38631,7 +37620,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of renameat in /etc/audit/audit.rules
+  - name: Check existence of rename in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -38673,9 +37662,10 @@
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - not ( ansible_architecture == "aarch64" )
   - audit_arch == "b64"
   tags:
-  - CCE-80704-0
+  - CCE-80703-2
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -38683,30 +37673,13 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_renameat
+  - audit_rules_file_deletion_events_rename
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Ensure auditd Collects File Deletion Events by User - rmdir -   [ref]

At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80705-7

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.14, SV-230439r810465_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
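Review bot: reference inconsistency in the removed `rmdir` rule: its references line ends with `RHEL-08-030361, 4.1.14, SV-230439r810465_rule`, whereas the `rename`, `renameat` and `unlink` rules in this same patch end with `RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule`. `4.1.14` is a different CIS section number from the one its sibling rules cite; check the rmdir rule's reference metadata so all five file-deletion rules point at the same CIS item. The re-added copy of the rmdir rule further down carries the same `4.1.14`, so the value is consistent across the move but likely stale.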
@@ -38718,7 +37691,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="rmdir"
+	SYSCALL="rename"
 	KEY="delete"
 	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
@@ -39032,11 +38005,28 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects File Deletion Events by User - renameat +   [ref]

At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80704-0

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80705-7
+  - CCE-80704-0
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -39044,24 +38034,23 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rmdir
+  - audit_rules_file_deletion_events_renameat
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Set architecture for audit rmdir tasks
+- name: Set architecture for audit renameat tasks
   set_fact:
     audit_arch: b64
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - not ( ansible_architecture == "aarch64" )
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
     == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
   tags:
-  - CCE-80705-7
+  - CCE-80704-0
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -39069,20 +38058,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rmdir
+  - audit_rules_file_deletion_events_renameat
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for rmdir for 32bit platform
+- name: Perform remediation of Audit rules for renameat for 32bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - rmdir
+      - renameat
       syscall_grouping:
       - unlink
       - unlinkat
@@ -39090,7 +38079,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of rmdir in /etc/audit/rules.d/
+  - name: Check existence of renameat in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -39159,7 +38148,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - rmdir
+      - renameat
       syscall_grouping:
       - unlink
       - unlinkat
@@ -39167,7 +38156,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of rmdir in /etc/audit/audit.rules
+  - name: Check existence of renameat in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -39209,9 +38198,8 @@
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - not ( ansible_architecture == "aarch64" )
   tags:
-  - CCE-80705-7
+  - CCE-80704-0
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -39219,20 +38207,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rmdir
+  - audit_rules_file_deletion_events_renameat
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for rmdir for 64bit platform
+- name: Perform remediation of Audit rules for renameat for 64bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - rmdir
+      - renameat
       syscall_grouping:
       - unlink
       - unlinkat
@@ -39240,7 +38228,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of rmdir in /etc/audit/rules.d/
+  - name: Check existence of renameat in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -39309,7 +38297,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - rmdir
+      - renameat
       syscall_grouping:
       - unlink
       - unlinkat
@@ -39317,7 +38305,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of rmdir in /etc/audit/audit.rules
+  - name: Check existence of renameat in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -39359,10 +38347,9 @@
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - not ( ansible_architecture == "aarch64" )
   - audit_arch == "b64"
   tags:
-  - CCE-80705-7
+  - CCE-80704-0
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -39370,31 +38357,14 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_rmdir
+  - audit_rules_file_deletion_events_renameat
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
-

At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80706-5

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
@@ -39405,7 +38375,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="unlink"
+	SYSCALL="renameat"
 	KEY="delete"
 	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
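Review bot: the pair `-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then` / `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then` is the `renameat` shell remediation replacing the `unlink` one (`SYSCALL="unlink"` becomes `SYSCALL="renameat"` in the next hunk), so the dropped aarch64 guard belongs to `unlink`, which aarch64 lacks, and the new line is right to have none for `renameat`. Two points to carry back to the unlink rule where it reappears: `grep -q aarch64 /proc/sys/kernel/osrelease` only works because RHEL kernels embed the architecture in the release string, and `uname -m` is the direct check; and the Ansible side expresses the same exclusion as `not ( ansible_architecture == "aarch64" )`, so the two remediations for unlink must keep making the same decision.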
@@ -39719,11 +38689,28 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects File Deletion Events by User - rmdir +   [ref]

At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80705-7

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.14, SV-230439r810465_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80706-5
+  - CCE-80705-7
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
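Review bot: The tag swap `-  - CCE-80706-5` / `+  - CCE-80705-7` and the unlink-to-rmdir renames in the task names that follow are not content edits but a reordering: the rmdir rule now occupies the position the unlink rule held, so the diff rewrites the unlink rule's Ansible snippet into the rmdir one line by line. A stable rule order in the generator would keep an automated publish from rewriting every tag and task name of rules whose content did not change; as it stands the substantive change in this region (the aarch64 conditions added further down) is buried in reorder churn.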
@@ -39731,14 +38718,14 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlink
+  - audit_rules_file_deletion_events_rmdir
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Set architecture for audit unlink tasks
+- name: Set architecture for audit rmdir tasks
   set_fact:
     audit_arch: b64
   when:
@@ -39748,7 +38735,7 @@
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
     == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
   tags:
-  - CCE-80706-5
+  - CCE-80705-7
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -39756,20 +38743,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlink
+  - audit_rules_file_deletion_events_rmdir
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for unlink for 32bit platform
+- name: Perform remediation of Audit rules for rmdir for 32bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlink
+      - rmdir
       syscall_grouping:
       - unlink
       - unlinkat
@@ -39777,7 +38764,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlink in /etc/audit/rules.d/
+  - name: Check existence of rmdir in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -39846,7 +38833,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlink
+      - rmdir
       syscall_grouping:
       - unlink
       - unlinkat
@@ -39854,7 +38841,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlink in /etc/audit/audit.rules
+  - name: Check existence of rmdir in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -39898,7 +38885,7 @@
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - not ( ansible_architecture == "aarch64" )
   tags:
-  - CCE-80706-5
+  - CCE-80705-7
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -39906,20 +38893,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlink
+  - audit_rules_file_deletion_events_rmdir
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for unlink for 64bit platform
+- name: Perform remediation of Audit rules for rmdir for 64bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlink
+      - rmdir
       syscall_grouping:
       - unlink
       - unlinkat
@@ -39927,7 +38914,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlink in /etc/audit/rules.d/
+  - name: Check existence of rmdir in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -39996,7 +38983,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlink
+      - rmdir
       syscall_grouping:
       - unlink
       - unlinkat
@@ -40004,7 +38991,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlink in /etc/audit/audit.rules
+  - name: Check existence of rmdir in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -40049,7 +39036,7 @@
   - not ( ansible_architecture == "aarch64" )
   - audit_arch == "b64"
   tags:
-  - CCE-80706-5
+  - CCE-80705-7
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -40057,31 +39044,14 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlink
+  - audit_rules_file_deletion_events_rmdir
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Ensure auditd Collects File Deletion Events by User - unlinkat -   [ref]

At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed -from the system. The audit trail could aid in system troubleshooting, as well as, detecting -malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80707-3

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
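Review bot: The new guard `+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then` decides applicability from the kernel release string, while the Ansible snippets for the same rules test `ansible_architecture`; a kernel whose release string lacks the architecture suffix would be treated as applicable by the shell script and as not applicable by the playbook. Derive the architecture from one source in both remediations (for example `uname -m`), and state the reason for the aarch64 exclusion somewhere in the rule, since the old guard `-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then` had no such restriction and nothing in the hunk explains the new one.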
@@ -40092,7 +39062,7 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="unlinkat"
+	SYSCALL="rmdir"
 	KEY="delete"
 	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
@@ -40406,11 +39376,28 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80706-5

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80707-3
+  - CCE-80706-5
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
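Review bot: The rule description added for unlink ("setting ARCH to either b32 or b64 as appropriate for your system") gives no indication that the remediation is skipped on aarch64, which the `not ( ansible_architecture == "aarch64" )` conditions in the tasks that follow enforce. A reader applying the rule text by hand will add a rule the automated remediation would never add on that platform; add a platform note to the description, or a Warning block like the one the creat rule carries, so the documented behaviour matches the remediation.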
@@ -40418,23 +39405,24 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlinkat
+  - audit_rules_file_deletion_events_unlink
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Set architecture for audit unlinkat tasks
+- name: Set architecture for audit unlink tasks
   set_fact:
     audit_arch: b64
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - not ( ansible_architecture == "aarch64" )
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
     == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
   tags:
-  - CCE-80707-3
+  - CCE-80706-5
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
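Review bot: The added condition `+  - not ( ansible_architecture == "aarch64" )` sits directly above the existing `ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ...` alternative, which makes the aarch64 branch of that or-list dead. Remove `aarch64` from the existing list instead of adding a contradicting line, so the intent (set audit_arch to b64 only on the listed 64-bit platforms other than aarch64) is readable at a glance; the same pattern recurs in the 32-bit and 64-bit remediation blocks below.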
@@ -40442,20 +39430,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlinkat
+  - audit_rules_file_deletion_events_unlink
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for unlinkat for 32bit platform
+- name: Perform remediation of Audit rules for unlink for 32bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlinkat
+      - unlink
       syscall_grouping:
       - unlink
       - unlinkat
@@ -40463,7 +39451,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlinkat in /etc/audit/rules.d/
+  - name: Check existence of unlink in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -40532,7 +39520,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlinkat
+      - unlink
       syscall_grouping:
       - unlink
       - unlinkat
@@ -40540,7 +39528,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlinkat in /etc/audit/audit.rules
+  - name: Check existence of unlink in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -40582,8 +39570,9 @@
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - not ( ansible_architecture == "aarch64" )
   tags:
-  - CCE-80707-3
+  - CCE-80706-5
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -40591,20 +39580,20 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlinkat
+  - audit_rules_file_deletion_events_unlink
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for unlinkat for 64bit platform
+- name: Perform remediation of Audit rules for unlink for 64bit platform
   block:
 
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlinkat
+      - unlink
       syscall_grouping:
       - unlink
       - unlinkat
@@ -40612,7 +39601,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlinkat in /etc/audit/rules.d/
+  - name: Check existence of unlink in /etc/audit/rules.d/
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -40681,7 +39670,7 @@
   - name: Declare list of syscalls
     set_fact:
       syscalls:
-      - unlinkat
+      - unlink
       syscall_grouping:
       - unlink
       - unlinkat
@@ -40689,7 +39678,7 @@
       - renameat
       - rmdir
 
-  - name: Check existence of unlinkat in /etc/audit/audit.rules
+  - name: Check existence of unlink in /etc/audit/audit.rules
     find:
       paths: /etc/audit
       contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
@@ -40731,9 +39720,10 @@
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - not ( ansible_architecture == "aarch64" )
   - audit_arch == "b64"
   tags:
-  - CCE-80707-3
+  - CCE-80706-5
   - DISA-STIG-RHEL-08-030361
   - NIST-800-171-3.1.7
   - NIST-800-53-AU-12(c)
@@ -40741,72 +39731,27 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.7
   - PCI-DSSv4-10.2.1.7
-  - audit_rules_file_deletion_events_unlinkat
+  - audit_rules_file_deletion_events_unlink
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
-
Group   - Record Unauthorized Access Attempts Events to Files (unsuccessful) -   Group contains 6 rules

[ref]   - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. Note that the "-F arch=b32" lines should be -present even on a 64 bit system. These commands identify system calls for -auditing. Even if the system is 64 bit it can still execute 32 bit system -calls. Additionally, these rules can be configured in a number of ways while -still achieving the desired effect. An example of this is that the "-S" calls -could be split up and placed on separate lines, however, this is less efficient. -Add the following to /etc/audit/audit.rules: -

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If your system is 64 bit then these lines should be duplicated and the -arch=b32 replaced with arch=b64 as follows: -
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rule   - Record Unsuccessful Access Attempts to Files - creat -   [ref]

At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80751-1

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
-AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL="creat"
-KEY="access"
-SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"
-
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS="-F exit=-EACCES"
+	OTHER_FILTERS=""
+	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+	SYSCALL="unlink"
+	KEY="delete"
+	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping
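Review bot: This hunk drops the whole "Record Unauthorized Access Attempts Events to Files (unsuccessful)" group header ("Group contains 6 rules"), its introductory text and the creat rule, and puts the unlink shell script in their place; nothing in this region shows the group being re-added, so confirm it is relocated later in the file rather than lost from the guide. A minor style difference also shows up in the replacement script: the removed creat script set `AUID_FILTERS`, `SYSCALL`, `KEY` and `SYSCALL_GROUPING` once before the `for ARCH` loop, whereas the new unlink script reassigns them inside every iteration (`+	AUID_FILTERS="-F auid>=1000 -F auid!=unset"` and the three lines after it); harmless, but the two templates should agree on one layout.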
@@ -41115,10 +40060,382 @@
 fi
 done
 
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Rule   + Ensure auditd Collects File Deletion Events by User - unlinkat +   [ref]

At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

Rationale:

Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80707-3

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-80707-3
+  - DISA-STIG-RHEL-08-030361
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_file_deletion_events_unlinkat
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Set architecture for audit unlinkat tasks
+  set_fact:
+    audit_arch: b64
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+    == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+  tags:
+  - CCE-80707-3
+  - DISA-STIG-RHEL-08-030361
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_file_deletion_events_unlinkat
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Perform remediation of Audit rules for unlinkat for 32bit platform
+  block:
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - unlinkat
+      syscall_grouping:
+      - unlink
+      - unlinkat
+      - rename
+      - renameat
+      - rmdir
+
+  - name: Check existence of unlinkat in /etc/audit/rules.d/
+    find:
+      paths: /etc/audit/rules.d
+      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: '*.rules'
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Reset syscalls found per file
+    set_fact:
+      syscalls_per_file: {}
+      found_paths_dict: {}
+
+  - name: Declare syscalls found per file
+    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+  - name: Declare files where syscalls were found
+    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+      | map(attribute='path') | list }}"
+
+  - name: Count occurrences of syscalls in paths
+    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+      0) }) }}"
+    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+      | list }}'
+
+  - name: Get path with most syscalls
+    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+      | last).key }}"
+    when: found_paths | length >= 1
+
+  - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+    set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+    when: found_paths | length == 0
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+        |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=delete
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - unlinkat
+      syscall_grouping:
+      - unlink
+      - unlinkat
+      - rename
+      - renameat
+      - rmdir
+
+  - name: Check existence of unlinkat in /etc/audit/audit.rules
+    find:
+      paths: /etc/audit
+      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: audit.rules
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Set path to /etc/audit/audit.rules
+    set_fact: audit_file="/etc/audit/audit.rules"
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+        key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=delete
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80707-3
+  - DISA-STIG-RHEL-08-030361
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_file_deletion_events_unlinkat
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Perform remediation of Audit rules for unlinkat for 64bit platform
+  block:
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - unlinkat
+      syscall_grouping:
+      - unlink
+      - unlinkat
+      - rename
+      - renameat
+      - rmdir
+
+  - name: Check existence of unlinkat in /etc/audit/rules.d/
+    find:
+      paths: /etc/audit/rules.d
+      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: '*.rules'
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Reset syscalls found per file
+    set_fact:
+      syscalls_per_file: {}
+      found_paths_dict: {}
+
+  - name: Declare syscalls found per file
+    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+  - name: Declare files where syscalls were found
+    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+      | map(attribute='path') | list }}"
+
+  - name: Count occurrences of syscalls in paths
+    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+      0) }) }}"
+    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+      | list }}'
+
+  - name: Get path with most syscalls
+    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+      | last).key }}"
+    when: found_paths | length >= 1
+
+  - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+    set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+    when: found_paths | length == 0
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+        |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=delete
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - unlinkat
+      syscall_grouping:
+      - unlink
+      - unlinkat
+      - rename
+      - renameat
+      - rmdir
+
+  - name: Check existence of unlinkat in /etc/audit/audit.rules
+    find:
+      paths: /etc/audit
+      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: audit.rules
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Set path to /etc/audit/audit.rules
+    set_fact: audit_file="/etc/audit/audit.rules"
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+        key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=delete
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - audit_arch == "b64"
+  tags:
+  - CCE-80707-3
+  - DISA-STIG-RHEL-08-030361
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_file_deletion_events_unlinkat
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS="-F exit=-EPERM"
+	OTHER_FILTERS=""
+	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+	SYSCALL="unlinkat"
+	KEY="delete"
+	SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping
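Review bot: the `Declare syscalls found per file` task in the 64-bit rules.d branch keys `syscalls_per_file` on `item.files[0].path` only, while `Count occurrences of syscalls in paths` counts every path in `item.files`; when a syscall matches in more than one `.rules` file, `audit_file` can resolve to a path that is never a `files[0]` entry, and the `Replace the audit rule` regexp then dereferences `syscalls_per_file[audit_file]` for a key that does not exist. Building the dict from all of `item.files` (or using `syscalls_per_file.get(audit_file, [])` in the regexp) closes that gap. Separately, the `OTHER_FILTERS="-F exit=-EPERM"` to `OTHER_FILTERS=""` pair in the shell part is a rule-reordering artifact rather than a change to the unlinkat remediation: the `-` line belongs to whichever rule previously occupied this position, so reviewers should not read it as dropping an exit filter from the file-deletion rule.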
@@ -41430,7 +40747,51 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Group   + Record Unauthorized Access Attempts Events to Files (unsuccessful) +   Group contains 6 rules

[ref]   + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. Note that the "-F arch=b32" lines should be +present even on a 64 bit system. These commands identify system calls for +auditing. Even if the system is 64 bit it can still execute 32 bit system +calls. Additionally, these rules can be configured in a number of ways while +still achieving the desired effect. An example of this is that the "-S" calls +could be split up and placed on separate lines, however, this is less efficient. +Add the following to /etc/audit/audit.rules: +

-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If your system is 64 bit then these lines should be duplicated and the +arch=b32 replaced with arch=b64 as follows: +
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Rule   + Record Unsuccessful Access Attempts to Files - creat +   [ref]

At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80751-1

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
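Review bot: the Warning text added with the creat rule reads "Grouping these system calls with others as identifying earlier in this guide is more efficient"; "as identifying" should be "as identified". The group-level description in the same hunk already shows the grouped form that the Warning recommends (`-S creat,open,openat,open_by_handle_at,truncate,ftruncate` with separate `-F exit=-EACCES` and `-F exit=-EPERM` lines for `b32` and `b64`), so the per-rule text could simply point at that example instead of restating the caveat in each of the six rules.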
@@ -42083,46 +41444,15 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Unsuccessful Access Attempts to Files - ftruncate -   [ref]

At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80752-9

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL="ftruncate"
+SYSCALL="creat"
 KEY="access"
 SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"
 
@@ -42753,7 +42083,38 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Unsuccessful Access Attempts to Files - ftruncate +   [ref]

At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80752-9

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43401,46 +42762,15 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Unsuccessful Access Attempts to Files - open -   [ref]

At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80753-7

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL="open"
+SYSCALL="ftruncate"
 KEY="access"
 SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"
 
@@ -44071,7 +43401,38 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Unsuccessful Access Attempts to Files - open +   [ref]

At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80753-7

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -44724,43 +44085,15 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Unsuccessful Access Attempts to Files - open_by_handle_at -   [ref]

At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80755-2

References:  - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.10, SV-230449r810455_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL="open_by_handle_at"
+SYSCALL="open"
 KEY="access"
 SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"
 
@@ -45391,7 +44724,35 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Unsuccessful Access Attempts to Files - open_by_handle_at +   [ref]

At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80755-2

References:  + 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.10, SV-230449r810455_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
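Review bot: the auditctl variant of this rule's description (the lines for /etc/audit/audit.rules) groups open_by_handle_at with truncate and ftruncate while the augenrules variant lists it alone, and the Warning then states that the system calls "have been placed independent of other system calls", which is false for the grouped lines; make both variants match and change "as identifying earlier in this guide" to "as identified earlier in this guide". The reference list for this rule also drops BP28(R73) and maps to CIS 4.1.10, while the sibling openat and truncate rules carry BP28(R73) and 4.1.3.7 for the same STIG finding SV-230449r810455_rule; the references of these sibling rules should be reconciled.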
@@ -46041,38 +45402,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Unsuccessful Access Attempts to Files - openat -   [ref]

At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80754-5

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
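Review bot: this hunk deletes the whole openat rule (description, rationale, CCE-80754-5, references) only for a later hunk to add the identical text back; nothing about the rule changed, the publisher just emitted the rules in a different order. Generated output should be sorted by a stable key (rule id or CCE) before commit so that a re-publish with no content change produces an empty diff and real changes remain reviewable.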
@@ -46080,7 +45410,7 @@
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL="openat"
+SYSCALL="open_by_handle_at"
 KEY="access"
 SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"
 
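Review bot: open_by_handle_at requires CAP_DAC_READ_SEARCH and fails with EPERM before any path permission check when the caller lacks it, so for the `auid>=1000` sessions this rule targets the `-F exit=-EPERM` line is the one that will actually fire and the EACCES variant will rarely match; the rule description should say so, otherwise operators seeing only EPERM records from `ausearch -k access` may conclude the rule is misconfigured. The unchanged `if` line correctly carries no aarch64 exclusion, since open_by_handle_at exists on every architecture.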
@@ -46711,7 +46041,38 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Unsuccessful Access Attempts to Files - openat +   [ref]

At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80754-5

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
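Review bot: the re-added openat description gives identical line sets for the augenrules and auditctl cases, whereas the neighbouring open_by_handle_at rule shows a grouped `-S open_by_handle_at,truncate,ftruncate` form for auditctl only; the sibling access rules should follow one convention. When both forms are identical, the repeated block after "If the auditd daemon is configured to use the auditctl utility" adds nothing, and the text could simply say that the same lines go into /etc/audit/audit.rules.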
@@ -47359,38 +46720,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Unsuccessful Access Attempts to Files - truncate -   [ref]

At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect. Here the system calls -have been placed independent of other system calls. Grouping these system -calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80756-0

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
@@ -47398,7 +46728,7 @@
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-SYSCALL="truncate"
+SYSCALL="openat"
 KEY="access"
 SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at"
 
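Review bot: with SYSCALL now set to openat, the rule text should record that this, not `open`, is the rule that catches most failed opens in practice: glibc implements open() on top of the openat system call, and on aarch64 openat is the only open-family call that exists, so a deployment that loads only the `open` rule would miss nearly all userland access failures. The unchanged `if` guard needs no architecture exclusion here because openat is present on every architecture.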
@@ -48029,7 +47359,38 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Unsuccessful Access Attempts to Files - truncate +   [ref]

At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient.
Rationale:

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80756-0

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-APP-000495-CTR-001235, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
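Review bot: the Ansible metadata declares Reboot:true, but rules added under /etc/audit/rules.d take effect with `augenrules --load` (or `auditctl -R` for audit.rules) and only require a reboot when the audit configuration has been made immutable with `-e 2`; either state that condition in the metadata or load the rules and flag a reboot only when `auditctl -s` reports enabled 2. Also, every one of the six access syscalls in these descriptions uses key=access, so after the remediation's grouping all failures land under a single key; that is acceptable, but the rationale could mention that `ausearch -k access` then needs `-sc` to separate truncate failures from open failures.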
@@ -48677,58 +48038,334 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-
Group   - Record Information on Kernel Modules Loading and Unloading -   Group contains 3 rules

[ref]   - To capture kernel module loading and unloading events, use following lines, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -

--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
-
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-Place to add the lines depends on a way auditd daemon is configured. If it is configured
-to use the augenrules program (the default), add the lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
-If the auditd daemon is configured to use the auditctl utility,
-add the lines to file /etc/audit/audit.rules.

Rule   - Ensure auditd Collects Information on Kernel Module Unloading - delete_module -   [ref]

To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +AUID_FILTERS="-F auid>=1000 -F auid!=unset" +SYSCALL="truncate" +KEY="access" +SYSCALL_GROUPING="creat ftruncate truncate open openat open_by_handle_at" -

-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+for ARCH in "${RULE_ARCHS[@]}" +do + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + OTHER_FILTERS="-F exit=-EACCES" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + unset syscall_a +unset syscall_grouping +unset syscall_string +unset syscall +unset file_to_edit +unset rule_to_edit +unset rule_syscalls_to_edit +unset other_string +unset auid_string +unset full_rule +# Load macro arguments into arrays +read -a syscall_a <<< $SYSCALL +read -a syscall_grouping <<< $SYSCALL_GROUPING -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +files_to_inspect=() -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules.

Rationale:

The removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80711-5

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, RHEL-08-030390, 4.1.3.19, SV-230446r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+    files_to_inspect=("$file_to_inspect")
+    if [ ! -e "$file_to_inspect" ]
+    then
+        touch "$file_to_inspect"
+        chmod 0640 "$file_to_inspect"
+    fi
+fi
 
-# First perform the remediation of the syscall rule
-# Retrieve hardware architecture of the underlying system
-# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
-#       it's required on a 64-bit system to check also for the presence
-#       of 32-bit's equivalent of the corresponding rule.
-#       (See `man 7 audit.rules` for details )
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+    # i.e, collect rules that match:
+    # * the action, list and arch, (2-nd argument)
+    # * the other filters, (3-rd argument)
+    # * the auid filters, (4-rd argument)
+    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+    candidate_rules=()
+    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+    for s_rule in "${similar_rules[@]}"
+    do
+        # Strip all the options and fields we know of,
+        # than check if there was any field left over
+        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+    done
+
+    if [[ ${#syscall_a[@]} -ge 1 ]]
+    then
+        # Check if the syscall we want is present in any of the similar existing rules
+        for rule in "${candidate_rules[@]}"
+        do
+            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+            all_syscalls_found=0
+            for syscall in "${syscall_a[@]}"
+            do
+                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+                   # A syscall was not found in the candidate rule
+                   all_syscalls_found=1
+                   }
+            done
+            if [[ $all_syscalls_found -eq 0 ]]
+            then
+                # We found a rule with all the syscall(s) we want; skip rest of macro
+                skip=0
+                break
+            fi
+
+            # Check if this rule can be grouped with our target syscall and keep track of it
+            for syscall_g in "${syscall_grouping[@]}"
+            do
+                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+                then
+                    file_to_edit=${audit_file}
+                    rule_to_edit=${rule}
+                    rule_syscalls_to_edit=${rule_syscalls}
+                fi
+            done
+        done
+    else
+        # If there is any candidate rule, it is compliant; skip rest of macro
+        if [ "${#candidate_rules[@]}" -gt 0 ]
+        then
+            skip=0
+        fi
+    fi
+
+    if [ "$skip" -eq 0 ]; then
+        break
+    fi
+done
+
+if [ "$skip" -ne 0 ]; then
+    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+    # At this point we know if we need to either append the $full_rule or group
+    # the syscall together with an exsiting rule
+
+    # Append the full_rule if it cannot be grouped to any other rule
+    if [ -z ${rule_to_edit+x} ]
+    then
+        # Build full_rule while avoid adding double spaces when other_filters is empty
+        if [ "${#syscall_a[@]}" -gt 0 ]
+        then
+            syscall_string=""
+            for syscall in "${syscall_a[@]}"
+            do
+                syscall_string+=" -S $syscall"
+            done
+        fi
+        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+        echo "$full_rule" >> "$default_file"
+        chmod o-rwx ${default_file}
+    else
+        # Check if the syscalls are declared as a comma separated list or
+        # as multiple -S parameters
+        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+        then
+            delimiter=","
+        else
+            delimiter=" -S "
+        fi
+        new_grouped_syscalls="${rule_syscalls_to_edit}"
+        for syscall in "${syscall_a[@]}"
+        do
+            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+               # A syscall was not found in the candidate rule
+               new_grouped_syscalls+="${delimiter}${syscall}"
+               }
+        done
+
+        # Group the syscall in the rule
+        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+    fi
+fi
+	unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
+# -----------------------------------------------------------------------------------------
+#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
+# -----------------------------------------------------------------------------------------
+#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
+#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+    # i.e, collect rules that match:
+    # * the action, list and arch, (2-nd argument)
+    # * the other filters, (3-rd argument)
+    # * the auid filters, (4-rd argument)
+    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+    candidate_rules=()
+    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+    for s_rule in "${similar_rules[@]}"
+    do
+        # Strip all the options and fields we know of,
+        # than check if there was any field left over
+        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+    done
+
+    if [[ ${#syscall_a[@]} -ge 1 ]]
+    then
+        # Check if the syscall we want is present in any of the similar existing rules
+        for rule in "${candidate_rules[@]}"
+        do
+            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+            all_syscalls_found=0
+            for syscall in "${syscall_a[@]}"
+            do
+                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+                   # A syscall was not found in the candidate rule
+                   all_syscalls_found=1
+                   }
+            done
+            if [[ $all_syscalls_found -eq 0 ]]
+            then
+                # We found a rule with all the syscall(s) we want; skip rest of macro
+                skip=0
+                break
+            fi
+
+            # Check if this rule can be grouped with our target syscall and keep track of it
+            for syscall_g in "${syscall_grouping[@]}"
+            do
+                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+                then
+                    file_to_edit=${audit_file}
+                    rule_to_edit=${rule}
+                    rule_syscalls_to_edit=${rule_syscalls}
+                fi
+            done
+        done
+    else
+        # If there is any candidate rule, it is compliant; skip rest of macro
+        if [ "${#candidate_rules[@]}" -gt 0 ]
+        then
+            skip=0
+        fi
+    fi
+
+    if [ "$skip" -eq 0 ]; then
+        break
+    fi
+done
+
+if [ "$skip" -ne 0 ]; then
+    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+    # At this point we know if we need to either append the $full_rule or group
+    # the syscall together with an exsiting rule
+
+    # Append the full_rule if it cannot be grouped to any other rule
+    if [ -z ${rule_to_edit+x} ]
+    then
+        # Build full_rule while avoid adding double spaces when other_filters is empty
+        if [ "${#syscall_a[@]}" -gt 0 ]
+        then
+            syscall_string=""
+            for syscall in "${syscall_a[@]}"
+            do
+                syscall_string+=" -S $syscall"
+            done
+        fi
+        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+        echo "$full_rule" >> "$default_file"
+        chmod o-rwx ${default_file}
+    else
+        # Check if the syscalls are declared as a comma separated list or
+        # as multiple -S parameters
+        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+        then
+            delimiter=","
+        else
+            delimiter=" -S "
+        fi
+        new_grouped_syscalls="${rule_syscalls_to_edit}"
+        for syscall in "${syscall_a[@]}"
+        do
+            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+               # A syscall was not found in the candidate rule
+               new_grouped_syscalls+="${delimiter}${syscall}"
+               }
+        done
+
+        # Group the syscall in the rule
+        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+    fi
+fi
+done
 
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS=""
-	
-	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	
-	SYSCALL="delete_module"
-	KEY="modules"
-	SYSCALL_GROUPING="delete_module"
+	OTHER_FILTERS="-F exit=-EPERM"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping
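Review bot: the field-stripping expression in the `extra_fields=$(sed -E ... -e "s/((:?-S [[:alnum:],]+)+)//g" ...)` line is mistyped: `(:?` makes a literal colon optional instead of opening a non-capturing group, and GNU sed -E has no `(?:` syntax anyway, so `((-S [[:alnum:],]+)+)` is what was meant; it still happens to match, which is why it went unnoticed. In the same block, the `|| /bin/true` on `other_string=` and `auid_string=` only exists because `[[ $OTHER_FILTERS ]] && echo` returns non-zero when the filter is empty and the assignment inherits that status under `set -e`; `other_string=${OTHER_FILTERS:+ $OTHER_FILTERS}` expresses the same thing without the trap, and the `|| /bin/true` on the plain `full_rule="..."` assignment is a no-op that should go. The `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#"` edit interpolates an existing audit rule unescaped as both address and pattern, so a `#` or a regex metacharacter in that rule (for example a path carried in OTHER_FILTERS) breaks the expression or edits the wrong rule; escape the rule text before substituting it, and quote `"${default_file}"` in the `chmod o-rwx` call. Note for readers that `-e "\#$OTHER_FILTERS#!d"` with an empty OTHER_FILTERS relies on sed reusing the previous regex (the action/arch filter), which is intended but undocumented. Comment typos: "more fields then required" (than), "than check if there was any field" (then), "exsiting" (existing).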
@@ -49040,6 +48677,51 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+
Group   + Record Information on Kernel Modules Loading and Unloading +   Group contains 3 rules

[ref]   + To capture kernel module loading and unloading events, use following lines, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +

+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
+
+ +Place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules.

Rule   + Ensure auditd Collects Information on Kernel Module Unloading - delete_module +   [ref]

To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +

-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules.

Rationale:

The removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80711-5

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, RHEL-08-030390, 4.1.3.19, SV-230446r627750_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
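Review bot: the rendered rule text and the OpenShift remediation in this hunk disagree. The description line `-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules` carries the auid filters and key `modules`, but the MachineConfig `source:` data URL decodes to `-a always,exit -F arch=b32 -S delete_module -k module-change` (plus the b64 twin) with no auid filters and key `module-change`, so on OpenShift the events land under a key the guide never tells the operator to search for, and all callers are recorded rather than only auid>=1000 sessions. Either align the MachineConfig contents with the documented rule or state the difference next to the snippet. The group text above it shows a single combined `-S init_module,delete_module` line and says "use following lines", while the three per-rule remediations each write their own file, so a system remediated by this guide never ends up with the line the group description shows; a sentence explaining that in the group text would avoid confusion during audits.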
@@ -49361,38 +49043,7 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
-

Rule   - Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module -   [ref]

If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - -

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
- If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: - -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

Rationale:

The addition/removal of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80712-3

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
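Review bot: every removal in this hunk (the delete_module MachineConfig and the whole finit_module rule block, including its CCE-80712-3 identifier and reference list) reappears verbatim a few hunks further down, so this "automated publish" is a reordering of unchanged rules rather than a content change. Having the build emit rules in a stable order (for example sorted by rule id) would keep publishes diff-able and let a reviewer spot a real change to an audit rule, which is currently buried under moved lines.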
@@ -49410,9 +49061,9 @@
 	
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	
-	SYSCALL="finit_module"
+	SYSCALL="delete_module"
 	KEY="modules"
-	SYSCALL_GROUPING="init_module finit_module"
+	SYSCALL_GROUPING="delete_module"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping
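Review bot: the `SYSCALL_GROUPING="delete_module"` line in this hunk means the delete_module remediation only treats an existing rule as compliant if that rule already lists delete_module, and never extends an existing `-S init_module` or `-S finit_module` rule with the same filters and key; it appends a separate rule instead. That matches the references splitting the syscalls across two findings (RHEL-08-030360 for init/finit, RHEL-08-030390 for delete), but it contradicts the group description's single `-S init_module,delete_module` line; a short comment here saying why delete_module is deliberately kept out of the init/finit grouping would save the next reader the same question.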
@@ -49724,6 +49375,37 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module +   [ref]

If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + +

-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: + +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules

Rationale:

The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80712-3

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
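Review bot: the finit_module rule block in this hunk is titled "Kernel Module Loading and Unloading - finit_module" and its description says the rule captures "kernel module loading and unloading events", but finit_module only loads a module (from a file descriptor); unloading is the separate delete_module rule above, so the title and description should say "Loading" only, as the init_module rule does. The description also says "add the following lines" and then shows a single line. The MachineConfig here has the same mismatch as the delete_module one (key `module-change` and no auid filters versus `-F key=modules` with `-F auid>=1000 -F auid!=unset` in the text), and it writes its own `75-kernel-module-loading-finit.rules` file while the shell remediation for the same rule groups finit_module into an existing init_module rule (`SYSCALL_GROUPING="init_module finit_module"`), so the two remediation paths leave differently shaped rule sets on the host.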
@@ -50053,38 +49735,7 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
-        overwrite: true
-

Rule   - Ensure auditd Collects Information on Kernel Module Loading - init_module -   [ref]

To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -

-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules.

Rationale:

The addition of kernel modules can be used to alter the behavior of -the kernel and potentially introduce malicious code into kernel space. It is important -to have an audit trail of modules that have been introduced into the kernel.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80713-1

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
@@ -50102,7 +49753,7 @@
 	
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
 	
-	SYSCALL="init_module"
+	SYSCALL="finit_module"
 	KEY="modules"
 	SYSCALL_GROUPING="init_module finit_module"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
@@ -50416,6 +50067,37 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Ensure auditd Collects Information on Kernel Module Loading - init_module +   [ref]

To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +

-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules.

Rationale:

The addition of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80713-1

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
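Review bot: the MachineConfig in this hunk writes `75-kernel-module-loading-init.rules` with `mode: 0600`, while the shell remediation further down creates the rules.d file with `chmod 0640` (and the auditctl path uses `chmod o-rwx`); pick one permission for generated rule files and use it in all three remediations, since mixed modes complicate file-integrity baselines. The description text "use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit" would read better as "use the following line with ARCH set to b32 on a 32-bit system, or two copies with b32 and b64 on a 64-bit system", and the same wording is repeated in the delete_module rule and the group text, so fix it at the template.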
@@ -50745,199 +50427,373 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
-        overwrite: true
-
Group   - Record Attempts to Alter Logon and Logout Events -   Group contains 2 rules

[ref]   - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -

-w /var/log/tallylog -p wa -k logins
--w /var/log/faillock -p wa -k logins
--w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/tallylog -p wa -k logins
--w /var/log/faillock -p wa -k logins
--w /var/log/lastlog -p wa -k logins

Rule   - Record Attempts to Alter Logon and Logout Events - faillock -   [ref]

The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -

-w /var/log/faillock -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/faillock -p wa -k logins

Rationale:

Manual editing of these files may indicate nefarious activity, such -as an attacker attempting to remove evidence of an intrusion.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80718-0

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290, RHEL-08-030590, 4.1.3.12, SV-230466r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+#       it's required on a 64-bit system to check also for the presence
+#       of 32-bit's equivalent of the corresponding rule.
+#       (See `man 7 audit.rules` for details )
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS=""
+	
+	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+	
+	SYSCALL="init_module"
+	KEY="modules"
+	SYSCALL_GROUPING="init_module finit_module"
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
 
-var_accounts_passwords_pam_faillock_dir='/var/log/faillock'
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
 
 # Create a list of audit *.rules files that should be inspected for presence and correctness
 # of a particular audit rule. The scheme is as follows:
 #
 # -----------------------------------------------------------------------------------------
-# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
 # -----------------------------------------------------------------------------------------
-#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
 # -----------------------------------------------------------------------------------------
-# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
-# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
+#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
 # -----------------------------------------------------------------------------------------
+#
 files_to_inspect=()
 
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+    files_to_inspect=("$file_to_inspect")
+    if [ ! -e "$file_to_inspect" ]
+    then
+        touch "$file_to_inspect"
+        chmod 0640 "$file_to_inspect"
+    fi
+fi
 
-# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
-# into the list of files to be inspected
-files_to_inspect+=('/etc/audit/audit.rules')
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
 
-# Finally perform the inspection and possible subsequent audit rule
-# correction for each of the files previously identified for inspection
-for audit_rules_file in "${files_to_inspect[@]}"
+for audit_file in "${files_to_inspect[@]}"
 do
-    # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
+    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+    # i.e, collect rules that match:
+    # * the action, list and arch, (2-nd argument)
+    # * the other filters, (3-rd argument)
+    # * the auid filters, (4-rd argument)
+    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
 
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
+    candidate_rules=()
+    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+    for s_rule in "${similar_rules[@]}"
+    do
+        # Strip all the options and fields we know of,
+        # than check if there was any field left over
+        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+    done
+
+    if [[ ${#syscall_a[@]} -ge 1 ]]
+    then
+        # Check if the syscall we want is present in any of the similar existing rules
+        for rule in "${candidate_rules[@]}"
         do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+            all_syscalls_found=0
+            for syscall in "${syscall_a[@]}"
+            do
+                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+                   # A syscall was not found in the candidate rule
+                   all_syscalls_found=1
+                   }
+            done
+            if [[ $all_syscalls_found -eq 0 ]]
             then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
+                # We found a rule with all the syscall(s) we want; skip rest of macro
+                skip=0
+                break
             fi
+
+            # Check if this rule can be grouped with our target syscall and keep track of it
+            for syscall_g in "${syscall_grouping[@]}"
+            do
+                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+                then
+                    file_to_edit=${audit_file}
+                    rule_to_edit=${rule}
+                    rule_syscalls_to_edit=${rule_syscalls}
+                fi
+            done
         done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
+        # If there is any candidate rule, it is compliant; skip rest of macro
+        if [ "${#candidate_rules[@]}" -gt 0 ]
+        then
+            skip=0
+        fi
+    fi
 
-        echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file"
+    if [ "$skip" -eq 0 ]; then
+        break
     fi
 done
+
+if [ "$skip" -ne 0 ]; then
+    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+    # At this point we know if we need to either append the $full_rule or group
+    # the syscall together with an exsiting rule
+
+    # Append the full_rule if it cannot be grouped to any other rule
+    if [ -z ${rule_to_edit+x} ]
+    then
+        # Build full_rule while avoid adding double spaces when other_filters is empty
+        if [ "${#syscall_a[@]}" -gt 0 ]
+        then
+            syscall_string=""
+            for syscall in "${syscall_a[@]}"
+            do
+                syscall_string+=" -S $syscall"
+            done
+        fi
+        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+        echo "$full_rule" >> "$default_file"
+        chmod o-rwx ${default_file}
+    else
+        # Check if the syscalls are declared as a comma separated list or
+        # as multiple -S parameters
+        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+        then
+            delimiter=","
+        else
+            delimiter=" -S "
+        fi
+        new_grouped_syscalls="${rule_syscalls_to_edit}"
+        for syscall in "${syscall_a[@]}"
+        do
+            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+               # A syscall was not found in the candidate rule
+               new_grouped_syscalls+="${delimiter}${syscall}"
+               }
+        done
+
+        # Group the syscall in the rule
+        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+    fi
+fi
+	unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
 # Create a list of audit *.rules files that should be inspected for presence and correctness
 # of a particular audit rule. The scheme is as follows:
 #
 # -----------------------------------------------------------------------------------------
-# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
 # -----------------------------------------------------------------------------------------
-#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
 # -----------------------------------------------------------------------------------------
-# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
-# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
+#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
 # -----------------------------------------------------------------------------------------
+#
 files_to_inspect=()
 
-# If the audit is 'augenrules', then check if rule is already defined
-# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
-# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules)
 
-# For each of the matched entries
-for match in "${matches[@]}"
-do
-    # Extract filepath from the match
-    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
-    # Append that path into list of files for inspection
-    files_to_inspect+=("$rulesd_audit_file")
-done
-# Case when particular audit rule isn't defined yet
-if [ "${#files_to_inspect[@]}" -eq "0" ]
-then
-    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
-    key_rule_file="/etc/audit/rules.d/logins.rules"
-    # If the logins.rules file doesn't exist yet, create it with correct permissions
-    if [ ! -e "$key_rule_file" ]
-    then
-        touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
-    fi
-    files_to_inspect+=("$key_rule_file")
-fi
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
 
-# Finally perform the inspection and possible subsequent audit rule
-# correction for each of the files previously identified for inspection
-for audit_rules_file in "${files_to_inspect[@]}"
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
 do
-    # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
+    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+    # i.e, collect rules that match:
+    # * the action, list and arch, (2-nd argument)
+    # * the other filters, (3-rd argument)
+    # * the auid filters, (4-rd argument)
+    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d"  -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
 
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
+    candidate_rules=()
+    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+    for s_rule in "${similar_rules[@]}"
+    do
+        # Strip all the options and fields we know of,
+        # than check if there was any field left over
+        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//"  -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+    done
 
-        echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file"
-    fi
+    if [[ ${#syscall_a[@]} -ge 1 ]]
+    then
+        # Check if the syscall we want is present in any of the similar existing rules
+        for rule in "${candidate_rules[@]}"
+        do
+            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+            all_syscalls_found=0
+            for syscall in "${syscall_a[@]}"
+            do
+                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+                   # A syscall was not found in the candidate rule
+                   all_syscalls_found=1
+                   }
+            done
+            if [[ $all_syscalls_found -eq 0 ]]
+            then
+                # We found a rule with all the syscall(s) we want; skip rest of macro
+                skip=0
+                break
+            fi
+
+            # Check if this rule can be grouped with our target syscall and keep track of it
+            for syscall_g in "${syscall_grouping[@]}"
+            do
+                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+                then
+                    file_to_edit=${audit_file}
+                    rule_to_edit=${rule}
+                    rule_syscalls_to_edit=${rule_syscalls}
+                fi
+            done
+        done
+    else
+        # If there is any candidate rule, it is compliant; skip rest of macro
+        if [ "${#candidate_rules[@]}" -gt 0 ]
+        then
+            skip=0
+        fi
+    fi
+
+    if [ "$skip" -eq 0 ]; then
+        break
+    fi
+done
+
+if [ "$skip" -ne 0 ]; then
+    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+    # At this point we know if we need to either append the $full_rule or group
+    # the syscall together with an exsiting rule
+
+    # Append the full_rule if it cannot be grouped to any other rule
+    if [ -z ${rule_to_edit+x} ]
+    then
+        # Build full_rule while avoid adding double spaces when other_filters is empty
+        if [ "${#syscall_a[@]}" -gt 0 ]
+        then
+            syscall_string=""
+            for syscall in "${syscall_a[@]}"
+            do
+                syscall_string+=" -S $syscall"
+            done
+        fi
+        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+        echo "$full_rule" >> "$default_file"
+        chmod o-rwx ${default_file}
+    else
+        # Check if the syscalls are declared as a comma separated list or
+        # as multiple -S parameters
+        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+        then
+            delimiter=","
+        else
+            delimiter=" -S "
+        fi
+        new_grouped_syscalls="${rule_syscalls_to_edit}"
+        for syscall in "${syscall_a[@]}"
+        do
+            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+               # A syscall was not found in the candidate rule
+               new_grouped_syscalls+="${delimiter}${syscall}"
+               }
+        done
+
+        # Group the syscall in the rule
+        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+    fi
+fi
 done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Group   + Record Attempts to Alter Logon and Logout Events +   Group contains 2 rules

[ref]   + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +

-w /var/log/tallylog -p wa -k logins
+-w /var/log/faillock -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/tallylog -p wa -k logins
+-w /var/log/faillock -p wa -k logins
+-w /var/log/lastlog -p wa -k logins

Rule   + Record Attempts to Alter Logon and Logout Events - faillock +   [ref]

The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +

-w /var/log/faillock -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/faillock -p wa -k logins

Rationale:

Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80718-0

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290, RHEL-08-030590, 4.1.3.12, SV-230466r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
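Review bot: the grouping rewrite `sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"` interpolates the existing rule text unescaped into a sed address and search pattern, so any `#`, `.`, `*` or `[` in that rule (a `-F path=` or `-F dir=` value carried in `$OTHER_FILTERS`, for instance) alters or breaks the match; the `sed -s -n ... -e "\#$OTHER_FILTERS#!d"` selection near the top of the block and its per-file twin have the same exposure. Escape the BRE metacharacters before substituting, or select the line with `grep -F -n` and rewrite it by line number. Smaller points: the `F` command in that first `sed -s -n` prints the file name once per matching line, so a file holding two matching rules lands in `files_to_inspect` twice (pipe through `sort -u`); `rule_to_edit`, `file_to_edit` and `rule_syscalls_to_edit` are only unset after this block, so a value left over from an earlier expansion of the macro would send `if [ -z ${rule_to_edit+x} ]` into the grouping branch, and the same reset should precede the block; the `|| /bin/true` after the plain `full_rule=...` assignment is a no-op; `chmod o-rwx ${default_file}` is unquoted; `unset syscall_a` is indented with a stray tab; and the comments read "more fields then required", "than check if there was any field left over", "while avoid adding double spaces" and "exsiting rule" where "than", "then", "while avoiding" and "existing" are meant.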
@@ -51152,28 +51008,14 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Attempts to Alter Logon and Logout Events - lastlog -   [ref]

The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -

-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins

Rationale:

Manual editing of these files may indicate nefarious activity, such -as an attacker attempting to remove evidence of an intrusion.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80719-8

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, SRG-APP-000495-CTR-001235, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290, RHEL-08-030600, 4.1.3.12, SV-230467r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 
 
+var_accounts_passwords_pam_faillock_dir='/var/log/faillock'
+
 # Create a list of audit *.rules files that should be inspected for presence and correctness
 # of a particular audit rule. The scheme is as follows:
 #
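Review bot: `var_accounts_passwords_pam_faillock_dir='/var/log/faillock'` is introduced here and drives the watched path in the faillock remediation that follows, but the faillock rule description earlier in this diff still states the literal `-w /var/log/faillock -p wa -k logins` for both the augenrules and the auditctl case; if the variable is tailored to another directory, the description and the remediation no longer agree. Either render the variable into the description text or state there that the path follows the variable.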
@@ -51197,7 +51039,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file"
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
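Review bot: `grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}"` feeds the variable into a PCRE unescaped and with no trailing boundary, so a tailored value containing `.` or another metacharacter is read as a pattern, and the default value also matches a watch on `/var/log/faillock2` or `/var/log/faillock_old`, which would then be treated as the existing rule and have its `-p` mask rewritten. Append `(\s|$)` after the path and escape the value (or extract the path field and compare it with `grep -Fx`) before deciding the rule is already present.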
@@ -51205,7 +51047,7 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
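Review bot: the extraction pattern `s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p` has a literal space before `$sp\+`, so it only matches when at least two whitespace characters separate the path from `-p`; the rewrite pattern in the next hunk has no such space, and the line this script itself appends (`-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins`) uses a single space. For a single-space rule `current_access_bits` therefore stays empty, the loop builds `wa` from nothing, and the later `sed -i` replaces whatever mask the existing rule carried (for example `rwxa`) with `wa`, silently dropping bits. The removed line has the same space, so this pre-dates the change, but since the line is being touched, drop the literal space here and in the augenrules copy further down.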
@@ -51221,12 +51063,12 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+        sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
-        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
+        echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file"
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -51245,7 +51087,7 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules)
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" /etc/audit/rules.d/*.rules)
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -51274,7 +51116,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+${var_accounts_passwords_pam_faillock_dir}" "$audit_rules_file"
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -51282,7 +51124,7 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir} $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -51298,19 +51140,35 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+        sed -i "s#\($sp*-w$sp\+${var_accounts_passwords_pam_faillock_dir}$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
-        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
+        echo "-w ${var_accounts_passwords_pam_faillock_dir} -p wa -k logins" >> "$audit_rules_file"
     fi
 done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Attempts to Alter Logon and Logout Events - lastlog +   [ref]

The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +

-w /var/log/lastlog -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins

Rationale:

Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80719-8

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, SRG-APP-000495-CTR-001235, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290, RHEL-08-030600, 4.1.3.12, SV-230467r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
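Review bot: the re-added lastlog description says the auditctl lines watch for "unattempted manual edits" while the augenrules paragraph directly above it says "attempted manual edits"; the auditctl sentence should read "attempted" as well. The faillock description and the group description earlier in this diff carry the same wording and should be corrected together.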
@@ -51518,6 +51376,148 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+# -----------------------------------------------------------------------------------------
+#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+# -----------------------------------------------------------------------------------------
+# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
+# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+    # Check if audit watch file system object rule for given path already present
+    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
+    fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+# -----------------------------------------------------------------------------------------
+#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+# -----------------------------------------------------------------------------------------
+# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
+# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+    # Extract filepath from the match
+    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+    # Append that path into list of files for inspection
+    files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
+    key_rule_file="/etc/audit/rules.d/logins.rules"
+    # If the logins.rules file doesn't exist yet, create it with correct permissions
+    if [ ! -e "$key_rule_file" ]
+    then
+        touch "$key_rule_file"
+        chmod 0640 "$key_rule_file"
+    fi
+    files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+    # Check if audit watch file system object rule for given path already present
+    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
+    fi
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Record Information on the Use of Privileged Commands   Group contains 20 rules
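Review bot: the `sed -ne` that extracts `current_access_bits` (in both the auditctl and the augenrules branch of this script) does not agree with the `sed -i` that writes the bits back: the extraction pattern `s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p` has a literal space before `$sp\+`, so it only matches a rule with two or more whitespace characters between the path and `-p`, while the rewrite pattern `\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)` has no such space. For a single-space rule, including the `-w /var/log/lastlog -p wa -k logins` line this script itself appends, the extraction yields an empty string, the loop builds it up to `wa`, and the rewrite then overwrites whatever mask the existing rule had (for example `-p rwa`) with `wa` instead of merging the missing bits into it. Suggest dropping the stray space so both patterns read `/var/log/lastlog$sp\+-p$sp\+`. A smaller point in the augenrules branch: the `grep -HP "[\s]*-w[\s]+/var/log/lastlog"` used to pick files from `/etc/audit/rules.d/*.rules` is not anchored with `^`, so a commented-out rule selects its file, after which the anchored `grep -q -P -- "^[\s]*-w..."` in the inspection loop misses it and a fresh rule is appended to that file; anchoring the discovery grep the same way would keep the two checks consistent.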

[ref]   @@ -51544,7 +51544,162 @@ limited capability. As such, motivation exists to monitor these programs for unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80725-5

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030250, SV-230418r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+            1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, RHEL-08-030250, SV-230418r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-80725-5
+  - DISA-STIG-RHEL-08-030250
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_chage
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Perform remediation of Audit rules for /usr/bin/chage
+  block:
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls: []
+      syscall_grouping: []
+
+  - name: Check existence of  in /etc/audit/rules.d/
+    find:
+      paths: /etc/audit/rules.d
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: '*.rules'
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Reset syscalls found per file
+    set_fact:
+      syscalls_per_file: {}
+      found_paths_dict: {}
+
+  - name: Declare syscalls found per file
+    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+  - name: Declare files where syscalls were found
+    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+      | map(attribute='path') | list }}"
+
+  - name: Count occurrences of syscalls in paths
+    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+      0) }) }}"
+    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+      | list }}'
+
+  - name: Get path with most syscalls
+    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+      | last).key }}"
+    when: found_paths | length >= 1
+
+  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
+    when: found_paths | length == 0
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F
+        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls: []
+      syscall_grouping: []
+
+  - name: Check existence of  in /etc/audit/audit.rules
+    find:
+      paths: /etc/audit
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: audit.rules
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Set path to /etc/audit/audit.rules
+    set_fact: audit_file="/etc/audit/audit.rules"
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+        -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset
+        (?:-k |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80725-5
+  - DISA-STIG-RHEL-08-030250
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_chage
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
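Review bot: in the added Ansible block, `syscalls` and `syscall_grouping` are both declared as empty lists, so the `find` task in "Check existence of  in /etc/audit/rules.d/" (whose name carries a doubled space where the templated syscall would appear) loops over nothing, `syscalls_found` and `missing_syscalls` stay empty, the "Replace the audit rule" task can never fire, and the rule is always handled by the "Add the audit rule" `lineinfile`, which without a `regexp` recognises only the exact line ending in `-F key=privileged`. An existing equivalent rule spelled with `-k privileged`, which the `find` task's own `contains` regex `(-k\s+|-F\s+key=)\S+\s*$` accepts, would therefore get a duplicate appended to `/etc/audit/rules.d/privileged.rules` and to `/etc/audit/audit.rules`. Suggest giving the add task a `regexp` keyed on `-F path=/usr/bin/chage -F perm=x` that tolerates either key spelling so the existing line is replaced in place, and either dropping the dead syscall bookkeeping for path-based rules or at least removing the empty placeholder from the task name.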
@@ -51863,26 +52018,48 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - chsh +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80726-3

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030410, SV-230448r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80725-5
-  - DISA-STIG-RHEL-08-030250
+  - CCE-80726-3
+  - DISA-STIG-RHEL-08-030410
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_chage
+  - audit_rules_privileged_commands_chsh
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/chage
+- name: Perform remediation of Audit rules for /usr/bin/chsh
   block:
 
   - name: Declare list of syscalls
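Review bot: apart from the chage to chsh renames, this hunk only moves a blank line from before "Remediation Ansible snippet:" to after "Gather the package facts" (the `-`/`+` pair around those lines), and the same whitespace shuffle recurs in the following rule hunks; normalising trailing blank lines in the automated publish step would keep these hunks to the substantive rename and make the generated diff reviewable.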
@@ -51894,7 +52071,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -51939,7 +52116,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F
         auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -51949,7 +52126,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -51965,7 +52142,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -51984,7 +52161,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -51994,7 +52171,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chage -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -52004,43 +52181,21 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80725-5
-  - DISA-STIG-RHEL-08-030250
+  - CCE-80726-3
+  - DISA-STIG-RHEL-08-030410
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_chage
+  - audit_rules_privileged_commands_chsh
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - chsh -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80726-3

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030410, SV-230448r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -52359,26 +52514,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - crontab +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80727-1

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030400, SV-230447r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80726-3
-  - DISA-STIG-RHEL-08-030410
+  - CCE-80727-1
+  - DISA-STIG-RHEL-08-030400
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_chsh
+  - audit_rules_privileged_commands_crontab
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/chsh
+- name: Perform remediation of Audit rules for /usr/bin/crontab
   block:
 
   - name: Declare list of syscalls
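Review bot: the crontab rule drops the `NIST-800-53-AC-2(4)` tag that the chage and chsh rules carry (the removed line in the `tags:` list), while the rest of the task is an exact rename of the chsh block; the rule's References line likewise omits AC-2(4), so tags and metadata agree with each other, but please confirm that the missing AC-2(4) mapping for crontab is intentional rather than a gap in the reference data, since the rule's description and rationale text are identical to the other two privileged-command rules.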
@@ -52390,7 +52566,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -52435,8 +52611,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F
-        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x
+        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -52445,7 +52621,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -52461,7 +52637,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -52480,7 +52656,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -52490,7 +52666,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chsh -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -52500,43 +52676,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80726-3
-  - DISA-STIG-RHEL-08-030410
+  - CCE-80727-1
+  - DISA-STIG-RHEL-08-030400
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_chsh
+  - audit_rules_privileged_commands_crontab
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - crontab -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80727-1

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030400, SV-230447r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
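Review bot: The "Remediation Shell script: (show)" header and its "# Remediation is applicable only in certain platforms" comment appear twice in succession at L29187-L29189 and L29191-L29193, separated only by an added blank line; confirm the rendered crontab rule (CCE-80727-1) shows a single shell-remediation block rather than a repeated heading, and drop one copy if the repeat is a rendering artifact of the reorder. In the same region the sentence `-If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:` is deleted (L29170) while the second `-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged` line it introduces is kept (L29171); check that the published crontab description still carries that auditctl sentence, otherwise the second rule line dangles with no explanation of which file it belongs in.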
@@ -52855,25 +53008,48 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80728-9

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030370, SV-230444r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80727-1
-  - DISA-STIG-RHEL-08-030400
+  - CCE-80728-9
+  - DISA-STIG-RHEL-08-030370
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_crontab
+  - audit_rules_privileged_commands_gpasswd
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/crontab
+- name: Perform remediation of Audit rules for /usr/bin/gpasswd
   block:
 
   - name: Declare list of syscalls
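Review bot: Confirm the crontab rule still has a complete Ansible remediation after this move. The context lines L29202-L29208 (the crontab rule's "Remediation Ansible snippet" header down to `- name: Gather the package facts`) are now followed by an added blank line and the added gpasswd rule heading, and the `package_facts:` task and tag list that continued that play (L29240-L29259) now carry `CCE-80728-9`, `DISA-STIG-RHEL-08-030370`, `NIST-800-53-AC-2(4)` and `audit_rules_privileged_commands_gpasswd`. Those tags are right for gpasswd (they match the added References line: AC-2(4), RHEL-08-030370, SV-230444r627750_rule), but nothing in this hunk shows where the crontab play's own `package_facts`, tags and "Perform remediation of Audit rules for /usr/bin/crontab" block ended up; if they were not re-emitted earlier under the crontab rule, the published crontab Ansible snippet is a header followed by a single task name.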
@@ -52885,7 +53061,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -52930,7 +53106,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x
         -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -52940,7 +53116,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
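Review bot: The `line:` template at L29288-L29290 splices `{{ syscalls | join(',') }}` directly onto `-a always,exit` with no ` -S ` separator, so it only yields a loadable rule because `syscalls` is declared empty for this path-based rule (`syscalls: []` under "Declare list of syscalls"); reused with a non-empty list it would emit `-a always,exitNAME`, which auditctl rejects as an invalid list/action pair. The companion "Replace the audit rule" regexp at L29278-L29281 does expect a `( -S |,)` separator before each syscall, so the two tasks disagree on rule shape. Either hard-code the path rule for this template or emit ` -S {{ syscalls | join(',') }}` only when the list is non-empty.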
@@ -52956,7 +53132,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -52975,7 +53151,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -52985,7 +53161,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/crontab -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -52995,42 +53171,21 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80727-1
-  - DISA-STIG-RHEL-08-030400
+  - CCE-80728-9
+  - DISA-STIG-RHEL-08-030370
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_crontab
+  - audit_rules_privileged_commands_gpasswd
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80728-9

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030370, SV-230444r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
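Review bot: Pure relocation, no content change: the gpasswd rule text removed here (L29343-L29363: description, rationale, CCE-80728-9, RHEL-08-030370, SV-230444r627750_rule) is identical to the block added earlier at L29211-L29231, and the tag swap at L29324-L29335 mirrors the one at L29243-L29254. The only effect on the published page is that the gpasswd rule's Ansible snippet now precedes its shell script, so the changeset description should say that remediation ordering changed; a reader diffing two published guides otherwise sees a large churn for a cosmetic reorder. The same duplicated "Remediation Shell script" header pattern seen for crontab recurs at L29365-L29371 and should be checked in the rendered output.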
@@ -53349,161 +53504,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-80728-9
-  - DISA-STIG-RHEL-08-030370
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_gpasswd
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-
-- name: Perform remediation of Audit rules for /usr/bin/gpasswd
-  block:
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
-
-  - name: Check existence of  in /etc/audit/rules.d/
-    find:
-      paths: /etc/audit/rules.d
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: '*.rules'
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Reset syscalls found per file
-    set_fact:
-      syscalls_per_file: {}
-      found_paths_dict: {}
-
-  - name: Declare syscalls found per file
-    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
-      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
-    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
-
-  - name: Declare files where syscalls were found
-    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
-      | map(attribute='path') | list }}"
-
-  - name: Count occurrences of syscalls in paths
-    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
-      0) }) }}"
-    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
-      | list }}'
-
-  - name: Get path with most syscalls
-    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
-      | last).key }}"
-    when: found_paths | length >= 1
-
-  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
-    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
-    when: found_paths | length == 0
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x
-        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
-
-  - name: Check existence of  in /etc/audit/audit.rules
-    find:
-      paths: /etc/audit
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: audit.rules
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Set path to /etc/audit/audit.rules
-    set_fact: audit_file="/etc/audit/audit.rules"
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset
-        (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/gpasswd -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80728-9
-  - DISA-STIG-RHEL-08-030370
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_gpasswd
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
 

Rule   Ensure auditd Collects Information on the Use of Privileged Commands - kmod   [ref]

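Review bot: The "Add the audit rule" task at L29469-L29477 of the play removed here (re-emitted under the gpasswd rule above) always runs and can append a duplicate rule. `syscalls` and `syscall_grouping` are both declared `[]` (L29409-L29411), so the `find` loop at L29420 never iterates, `syscalls_found` (L29452) is always empty, and the task's `when: syscalls_found | length == 0` is always true. `lineinfile` with `line:` and no `regexp:` is an exact-string check, so an existing rule written in the equivalent `-k privileged` form, or with its `-F` fields in a different order, is not recognised and a second `-F path=/usr/bin/gpasswd` rule is appended to `/etc/audit/rules.d/privileged.rules` (L29447-L29448). Add a `regexp:` keyed on the path/perm/auid fields that tolerates either key syntax, as the `contains:` pattern at L29416-L29417 already does with `(-k\s+|-F\s+key=)\S+`. Minor: the task names "Check existence of  in /etc/audit/rules.d/" (L29413) and "Check existence of  in /etc/audit/audit.rules" (L29484) have an empty interpolation where the syscall name should be.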
At a minimum, the audit system should collect the execution of @@ -53523,147 +53523,7 @@ Audit records can be generated from various components within the information system (e.g., module or policy filter).

Severity: 
medium
Identifiers and References

Identifiers:  CCE-89455-0

References:  - BP28(R73), CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, RHEL-08-030580, 4.1.3.19, SV-230465r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
-# -----------------------------------------------------------------------------------------
-#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
-# -----------------------------------------------------------------------------------------
-# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
-# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-files_to_inspect=()
-
-
-# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
-# into the list of files to be inspected
-files_to_inspect+=('/etc/audit/audit.rules')
-
-# Finally perform the inspection and possible subsequent audit rule
-# correction for each of the files previously identified for inspection
-for audit_rules_file in "${files_to_inspect[@]}"
-do
-    # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "x" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
-
-        echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file"
-    fi
-done
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
-# -----------------------------------------------------------------------------------------
-#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
-# -----------------------------------------------------------------------------------------
-# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
-# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-files_to_inspect=()
-
-# If the audit is 'augenrules', then check if rule is already defined
-# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
-# If rule isn't defined, add '/etc/audit/rules.d/modules.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/bin/kmod" /etc/audit/rules.d/*.rules)
-
-# For each of the matched entries
-for match in "${matches[@]}"
-do
-    # Extract filepath from the match
-    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
-    # Append that path into list of files for inspection
-    files_to_inspect+=("$rulesd_audit_file")
-done
-# Case when particular audit rule isn't defined yet
-if [ "${#files_to_inspect[@]}" -eq "0" ]
-then
-    # Append '/etc/audit/rules.d/modules.rules' into list of files for inspection
-    key_rule_file="/etc/audit/rules.d/modules.rules"
-    # If the modules.rules file doesn't exist yet, create it with correct permissions
-    if [ ! -e "$key_rule_file" ]
-    then
-        touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
-    fi
-    files_to_inspect+=("$key_rule_file")
-fi
-
-# Finally perform the inspection and possible subsequent audit rule
-# correction for each of the files previously identified for inspection
-for audit_rules_file in "${files_to_inspect[@]}"
-do
-    # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "x" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
-
-        echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file"
-    fi
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
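Review bot: The kmod References line at L29553 runs two identifiers together as `AU-12.1(iv)AU-12(c)`; it should read `AU-12.1(iv), AU-12(c)` to match the separator used throughout the list, and the CCE/STIG identifiers (CCE-89455-0, RHEL-08-030580, SV-230465r627750_rule) should be checked against that line once it is fixed. The shell remediation deleted in this hunk (L29558-L29696) reappears unchanged later in the diff after the Ansible snippet (L29718-L29856), so this is a move rather than a fix, and none of the script's logic is altered by it.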
@@ -53863,6 +53723,146 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+# -----------------------------------------------------------------------------------------
+#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+# -----------------------------------------------------------------------------------------
+# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
+# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+    # Check if audit watch file system object rule for given path already present
+    if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "x" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file"
+    fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+# -----------------------------------------------------------------------------------------
+#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+# -----------------------------------------------------------------------------------------
+# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
+# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/modules.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/bin/kmod" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+    # Extract filepath from the match
+    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+    # Append that path into list of files for inspection
+    files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+    # Append '/etc/audit/rules.d/modules.rules' into list of files for inspection
+    key_rule_file="/etc/audit/rules.d/modules.rules"
+    # If the modules.rules file doesn't exist yet, create it with correct permissions
+    if [ ! -e "$key_rule_file" ]
+    then
+        touch "$key_rule_file"
+        chmod 0640 "$key_rule_file"
+    fi
+    files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+    # Check if audit watch file system object rule for given path already present
+    if grep -q -P -- "^[\s]*-w[\s]+/usr/bin/kmod" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "x" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+/usr/bin/kmod$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w /usr/bin/kmod -p x -k modules" >> "$audit_rules_file"
+    fi
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure auditd Collects Information on the Use of Privileged Commands - mount   [ref]

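Review bot: The access-bit extraction at L29752 does not match a normally written rule: `sed -ne "s#$sp*-w$sp\+/usr/bin/kmod $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p"` has a literal space before `$sp\+`, so it needs at least two whitespace characters between `/usr/bin/kmod` and `-p`, while the rewrite at L29768 (`/usr/bin/kmod$sp\+-p$sp\+`) matches a single space. For an existing `-w /usr/bin/kmod -p wa -k modules` line, `current_access_bits` comes back empty, the loop over `x` sets it to `x`, and the `sed -i` then rewrites the rule to `-p x`, dropping the `w` and `a` bits instead of adding `x` to them, contrary to the "original + the required ones" comment at L29766-L29767. Remove the stray space; the same typo is in the rules.d branch at L29829. Separately, this rule's remediation emits a file watch (`-w /usr/bin/kmod -p x -k modules`, L29773 and L29850) with no `auid>=1000`/`auid!=unset` filter and key `modules`, unlike the sibling "Privileged Commands" rules on this page, which use `-a always,exit -F path=... -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`; if that is intentional, the rule description should say so, since a reader searching the log by `key=privileged` will not see kmod executions.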
At a minimum, the audit system should collect the execution of @@ -53885,7 +53885,158 @@ limited capability. As such, motivation exists to monitor these programs for unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80989-7

References:  - CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030300, SV-230423r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-80989-7
+  - DISA-STIG-RHEL-08-030300
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_mount
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Perform remediation of Audit rules for /usr/bin/mount
+  block:
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls: []
+      syscall_grouping: []
+
+  - name: Check existence of  in /etc/audit/rules.d/
+    find:
+      paths: /etc/audit/rules.d
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: '*.rules'
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Reset syscalls found per file
+    set_fact:
+      syscalls_per_file: {}
+      found_paths_dict: {}
+
+  - name: Declare syscalls found per file
+    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+  - name: Declare files where syscalls were found
+    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+      | map(attribute='path') | list }}"
+
+  - name: Count occurrences of syscalls in paths
+    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+      0) }) }}"
+    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+      | list }}'
+
+  - name: Get path with most syscalls
+    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+      | last).key }}"
+    when: found_paths | length >= 1
+
+  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
+    when: found_paths | length == 0
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F
+        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls: []
+      syscall_grouping: []
+
+  - name: Check existence of  in /etc/audit/audit.rules
+    find:
+      paths: /etc/audit
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: audit.rules
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Set path to /etc/audit/audit.rules
+    set_fact: audit_file="/etc/audit/audit.rules"
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+        -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset
+        (?:-k |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80989-7
+  - DISA-STIG-RHEL-08-030300
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_mount
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
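Review bot: the existence check in this block never runs for a path-only rule. `syscalls` and `syscall_grouping` are both declared as `[]`, so the `find` task's `loop: '{{ (syscall_grouping + syscalls) | unique }}'` iterates zero times, `find_command.results` is empty, `syscalls_found` is always empty, and "Add the audit rule" is the only task that can fire. That task has no `regexp:`, so `lineinfile` only recognises a line identical to `-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`; an equivalent rule already present with `-k privileged` or different spacing (exactly what the unused `(-k\s+|-F\s+key=)\S+` pattern in the `contains:` regex was written to accept) is left where it is and a second copy is appended to `/etc/audit/rules.d/privileged.rules`. Suggest giving the `lineinfile` task a `regexp:` built from the same `-F path=/usr/bin/mount -F perm=x` pattern, and filling the empty placeholder in `Check existence of  in /etc/audit/rules.d/` (the task name renders with a double space where the syscall list would go; the same applies to the `/etc/audit/audit.rules` variant).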
@@ -54204,24 +54355,48 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80729-7

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030350, SV-230437r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80989-7
-  - DISA-STIG-RHEL-08-030300
+  - CCE-80729-7
+  - DISA-STIG-RHEL-08-030350
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_mount
+  - audit_rules_privileged_commands_newgrp
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/mount
+- name: Perform remediation of Audit rules for /usr/bin/newgrp
   block:
 
   - name: Declare list of syscalls
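Review bot: pure ordering churn rather than a content change. The heading, description, rationale, identifier `CCE-80729-7` and reference list for the newgrp rule added here as `+` lines are removed again, character for character, by the `-` lines further down in this file (the block beginning `Rule - Ensure auditd Collects Information on the Use of Privileged Commands - newgrp`). Read together, the only difference is that the rendered "Remediation Ansible snippet" section now precedes the "Remediation Shell script" section inside each rule, which the diff algorithm expresses as long runs of moved lines anchored on the identical `Gather the package facts` prologues. Worth recording that ordering change explicitly, and worth having the generator emit the remediation sections in a fixed order so that future automated publishes only diff on substantive rule changes.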
@@ -54233,7 +54408,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -54278,7 +54453,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F
         auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -54288,7 +54463,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -54304,7 +54479,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -54323,7 +54498,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -54333,7 +54508,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/mount -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -54343,41 +54518,21 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80989-7
-  - DISA-STIG-RHEL-08-030300
+  - CCE-80729-7
+  - DISA-STIG-RHEL-08-030350
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_mount
+  - audit_rules_privileged_commands_newgrp
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - newgrp -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80729-7

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030350, SV-230437r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -54696,26 +54851,49 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80730-5

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030340, SV-230436r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80729-7
-  - DISA-STIG-RHEL-08-030350
+  - CCE-80730-5
+  - DISA-STIG-RHEL-08-030340
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_newgrp
+  - audit_rules_privileged_commands_pam_timestamp_check
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/newgrp
+- name: Perform remediation of Audit rules for /usr/sbin/pam_timestamp_check
   block:
 
   - name: Declare list of syscalls
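Review bot: the example rule in the pam_timestamp_check description is wrapped across two lines (`-a always,exit -F path=/usr/sbin/pam_timestamp_check` followed by `-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`), whereas the sibling mount, newgrp and passwd descriptions give the rule on one line. An audit rule is a single line in a `.rules` file or in `/etc/audit/audit.rules`; pasted as shown, the second line is not a valid rule on its own. Suggest keeping the rule on one line in the rendered text. Separately, the reference list for this rule (`CCE-80730-5`) omits `AC-2(4)`, `FAU_GEN.1.1.c` and the `CIP-004-6`/`CIP-007-3` entries that the otherwise identical newgrp and passwd rules carry, and the tags drop `NIST-800-53-AC-2(4)` accordingly; worth confirming that the gap in the reference mapping is intentional.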
@@ -54727,7 +54905,8 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset
+        (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -54772,8 +54951,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F
-        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check
+        -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -54782,8 +54961,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check
+        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -54798,7 +54977,8 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset
+        (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -54817,8 +54997,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset
-        (?:-k |-F key=)\w+)
+        -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000
+        -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -54827,8 +55007,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/newgrp -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check
+        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -54837,45 +55017,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80729-7
-  - DISA-STIG-RHEL-08-030350
+  - CCE-80730-5
+  - DISA-STIG-RHEL-08-030340
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_newgrp
+  - audit_rules_privileged_commands_pam_timestamp_check
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80730-5

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030340, SV-230436r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -55194,25 +55349,48 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - passwd +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80731-3

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030290, SV-230422r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80730-5
-  - DISA-STIG-RHEL-08-030340
+  - CCE-80731-3
+  - DISA-STIG-RHEL-08-030290
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_pam_timestamp_check
+  - audit_rules_privileged_commands_passwd
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/pam_timestamp_check
+- name: Perform remediation of Audit rules for /usr/bin/passwd
   block:
 
   - name: Declare list of syscalls
@@ -55224,8 +55402,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset
-        (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -55270,8 +55447,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check
-        -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F
+        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -55280,8 +55457,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check
-        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -55296,8 +55473,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset
-        (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -55316,8 +55492,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000
-        -F auid!=unset (?:-k |-F key=)\w+)
+        -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset
+        (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -55326,8 +55502,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/pam_timestamp_check
-        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -55336,42 +55512,21 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80730-5
-  - DISA-STIG-RHEL-08-030340
+  - CCE-80731-3
+  - DISA-STIG-RHEL-08-030290
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_pam_timestamp_check
+  - audit_rules_privileged_commands_passwd
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - passwd -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80731-3

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030290, SV-230422r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
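Review bot: the tag list in this hunk adds `NIST-800-53-AC-2(4)` for the passwd rule while the later postdrop hunks remove it again. This is consistent with the References lines, where AC-2(4) is listed for CCE-80731-3 (passwd) but not for CCE-80732-1 (postdrop), so no change is needed here, but it is the only control mapping that differs among these otherwise identical privileged-command rules and is worth confirming against the source control mapping rather than accepting as a generator artefact.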
@@ -55690,26 +55845,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - postdrop +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80732-1

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030311, SV-230427r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80731-3
-  - DISA-STIG-RHEL-08-030290
+  - CCE-80732-1
+  - DISA-STIG-RHEL-08-030311
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_passwd
+  - audit_rules_privileged_commands_postdrop
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/passwd
+- name: Perform remediation of Audit rules for /usr/sbin/postdrop
   block:
 
   - name: Declare list of syscalls
@@ -55721,7 +55897,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -55766,8 +55942,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F
-        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x
+        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -55776,8 +55952,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F
+        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -55792,7 +55968,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -55811,7 +55987,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -55821,8 +55997,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/passwd -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F
+        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -55831,43 +56007,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80731-3
-  - DISA-STIG-RHEL-08-030290
+  - CCE-80732-1
+  - DISA-STIG-RHEL-08-030311
   - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_passwd
+  - audit_rules_privileged_commands_postdrop
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - postdrop -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80732-1

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030311, SV-230427r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
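Review bot: the two remediations in this hunk gate on different container heuristics. The Ansible `when:` uses `ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]`, while the shell script tests `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]`. A container runtime that Ansible reports under another name, or one that does not create either marker file, will be treated as applicable by one remediation and skipped by the other, so the two can disagree on the same host. Consider aligning them on a single check, or document that the Ansible and shell variants may diverge in containers.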
@@ -56186,25 +56339,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - postqueue +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80733-9

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030312, SV-230428r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80732-1
-  - DISA-STIG-RHEL-08-030311
+  - CCE-80733-9
+  - DISA-STIG-RHEL-08-030312
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_postdrop
+  - audit_rules_privileged_commands_postqueue
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/postdrop
+- name: Perform remediation of Audit rules for /usr/sbin/postqueue
   block:
 
   - name: Declare list of syscalls
@@ -56216,7 +56391,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -56261,7 +56436,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x
         -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -56271,7 +56446,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -56287,7 +56462,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -56306,7 +56481,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -56316,7 +56491,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postdrop -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -56326,42 +56501,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80732-1
-  - DISA-STIG-RHEL-08-030311
+  - CCE-80733-9
+  - DISA-STIG-RHEL-08-030312
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_postdrop
+  - audit_rules_privileged_commands_postqueue
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - postqueue -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80733-9

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030312, SV-230428r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -56680,25 +56833,39 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Any Attempts to Run ssh-agent +   [ref]

At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent

Rationale:

Without generating audit records that are specific to the security and +mission needs of the organization, it would be difficult to establish, +correlate, and investigate the events relating to an incident or identify +those responsible for one. + +Audit records can be generated from various components within the +information system (e.g., module or policy filter).

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-85944-7

References:  + CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030280, SV-230421r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80733-9
-  - DISA-STIG-RHEL-08-030312
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_postqueue
+  - CCE-85944-7
+  - DISA-STIG-RHEL-08-030280
+  - audit_rules_privileged_commands_ssh_agent
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/postqueue
+- name: Perform remediation of Audit rules for /usr/bin/ssh-agent
   block:
 
   - name: Declare list of syscalls
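Review bot: the ssh-agent description text in this hunk reads "add the following lines to a file with suffix .rules" and "add the following lines to /etc/audit/audit.rules file", but each case gives a single rule line, and the neighbouring privileged-command rules use "add a line of the following form to ...". Align the wording with the other rules ("add a line of the following form") so the rendered guide is consistent.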
@@ -56710,7 +56877,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -56755,7 +56922,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x
         -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
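Review bot: the `regexp:` on this lineinfile task ends in `(?:-k |-F key=)\w+`, and `\w+` does not match a hyphen. The ssh-agent rule description prescribes `-k privileged-ssh-agent`, so a rule written exactly as documented would not be matched by this syscall-augmentation task even though the `contains:` check in the preceding hunk accepts it via `(-k\s+|-F\s+key=)\S+`. Use `\S+` here as well so the two patterns agree on what counts as an existing rule.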
@@ -56765,7 +56932,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
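Review bot: the added `line:` writes `-F key=privileged` for /usr/bin/ssh-agent, while the rule's description text in the guide specifies `-k privileged-ssh-agent`. The key names differ, so an auditor comparing the documented rule against a remediated system will see a mismatch, and audit searches keyed on `privileged-ssh-agent` will not find events produced by the remediated rule. Either make the remediation emit the documented key or state in the description that any key value is accepted, as the `contains:` check already does.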
@@ -56781,7 +56948,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -56800,7 +56967,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -56810,7 +56977,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/postqueue -F
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F
         perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -56820,39 +56987,15 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80733-9
-  - DISA-STIG-RHEL-08-030312
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_postqueue
+  - CCE-85944-7
+  - DISA-STIG-RHEL-08-030280
+  - audit_rules_privileged_commands_ssh_agent
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Record Any Attempts to Run ssh-agent -   [ref]

At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent

Rationale:

Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify -those responsible for one. - -Audit records can be generated from various components within the -information system (e.g., module or policy filter).

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-85944-7

References:  - CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030280, SV-230421r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
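Review bot: the tag list for the ssh-agent rule drops `NIST-800-171-3.1.7` and all `NIST-800-53-*` tags, leaving only the CCE, DISA-STIG and rule-name tags. That matches the References line for CCE-85944-7, which lists only CCI and SRG identifiers, but it means a playbook run with `--tags` selecting NIST controls (for example NIST-800-53-AU-12(c), which the other privileged-command rules carry) will skip this rule. If the omission is intentional, fine; otherwise the control mapping for this rule should be completed in the source so the tags line up with its siblings.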
@@ -57171,20 +57314,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80735-4

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030320, SV-230434r744002_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-85944-7
-  - DISA-STIG-RHEL-08-030280
-  - audit_rules_privileged_commands_ssh_agent
+  - CCE-80735-4
+  - DISA-STIG-RHEL-08-030320
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_ssh_keysign
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/ssh-agent
+- name: Perform remediation of Audit rules for /usr/libexec/openssh/ssh-keysign
   block:
 
   - name: Declare list of syscalls
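Review bot: the -/+ pairing in this hunk is a shifted alignment, not a change to either rule. The + block for ssh-keysign (title, CCE-80735-4, the full references line) is identical apart from the diff markers to the - block the diff removes for the same rule further down this page, and the + tag list merely carries the ssh-keysign tags into the slot where the ssh-agent tags sat; read literally, the + lines would insert a Rule heading between `- name: Gather the package facts` and `package_facts:`, which no rendered guide contains. The one content observation that does survive: the - tag list for ssh-agent (CCE-85944-7, DISA-STIG-RHEL-08-030280) carries no NIST-800-171-3.1.7 or NIST-800-53 tags, matching its references at the top of this section (CCI, SRG and STIG entries only), whereas every sibling privileged-command rule maps to AC-6(9), AU-2(d), AU-12(c) and CM-6(a). If ssh-agent is meant to map the same way, that gap is in the source profile and this publish does not touch it. For future automated publishes, diffing the rendered guide with an algorithm that anchors on the `Rule` headings would compare each rule block against itself and make these hunks reviewable.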
@@ -57196,7 +57366,8 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset
+        (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -57241,8 +57412,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x
-        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign
+        -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -57251,8 +57422,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F
-        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign
+        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -57267,7 +57438,8 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset
+        (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -57286,8 +57458,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset
-        (?:-k |-F key=)\w+)
+        -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000
+        -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -57296,8 +57468,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/ssh-agent -F
-        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign
+        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -57306,37 +57478,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-85944-7
-  - DISA-STIG-RHEL-08-030280
-  - audit_rules_privileged_commands_ssh_agent
+  - CCE-80735-4
+  - DISA-STIG-RHEL-08-030320
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_ssh_keysign
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80735-4

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030320, SV-230434r744002_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -57655,25 +57810,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - su +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80736-2

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030190, SV-230412r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80735-4
-  - DISA-STIG-RHEL-08-030320
+  - CCE-80736-2
+  - DISA-STIG-RHEL-08-030190
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_ssh_keysign
+  - audit_rules_privileged_commands_su
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/libexec/openssh/ssh-keysign
+- name: Perform remediation of Audit rules for /usr/bin/su
   block:
 
   - name: Declare list of syscalls
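Review bot: `SRG-OS-000064-GPOS-0003` in the su rule's references (present in both the + copy in this hunk and the - copy of the same rule below) has a four-digit suffix, while every other SRG-OS identifier on this page ends in five digits (for example SRG-OS-000037-GPOS-00015); that reads as a truncated identifier in the source profile and should be verified before the SRG mapping table is relied on. The same references line also places SRG-OS-000466-GPOS-00210 after SRG-OS-000471-GPOS-00215, so the list is emitted unsorted; sorting references at render time would keep these lines stable across publishes. As in the previous hunk, the - (ssh-keysign) and + (su) blocks are a shifted alignment rather than a rule change: the + su block here matches the - su block removed later on the page.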
@@ -57685,8 +57862,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset
-        (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -57731,8 +57907,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign
-        -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000
+        -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -57741,8 +57917,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign
-        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -57757,8 +57933,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset
-        (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -57777,8 +57952,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000
-        -F auid!=unset (?:-k |-F key=)\w+)
+        -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (?:-k
+        |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -57787,8 +57962,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/libexec/openssh/ssh-keysign
-        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x
+        -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -57797,42 +57972,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80735-4
-  - DISA-STIG-RHEL-08-030320
+  - CCE-80736-2
+  - DISA-STIG-RHEL-08-030190
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_ssh_keysign
+  - audit_rules_privileged_commands_su
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - su -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80736-2

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030190, SV-230412r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -58151,25 +58304,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - sudo +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80737-0

References:  + BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030550, SV-230462r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80736-2
-  - DISA-STIG-RHEL-08-030190
+  - CCE-80737-0
+  - DISA-STIG-RHEL-08-030550
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_su
+  - audit_rules_privileged_commands_sudo
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/su
+- name: Perform remediation of Audit rules for /usr/bin/sudo
   block:
 
   - name: Declare list of syscalls
@@ -58181,7 +58356,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -58226,8 +58401,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000
-        -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F
+        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -58236,7 +58411,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -58252,7 +58427,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -58271,8 +58446,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset (?:-k
-        |-F key=)\w+)
+        -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset
+        (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
@@ -58281,7 +58456,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/su -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -58291,42 +58466,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80736-2
-  - DISA-STIG-RHEL-08-030190
+  - CCE-80737-0
+  - DISA-STIG-RHEL-08-030550
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_su
+  - audit_rules_privileged_commands_sudo
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - sudo -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80737-0

References:  - BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030550, SV-230462r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -58645,25 +58798,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - umount +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80739-6

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030301, SV-230424r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80737-0
-  - DISA-STIG-RHEL-08-030550
+  - CCE-80739-6
+  - DISA-STIG-RHEL-08-030301
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_sudo
+  - audit_rules_privileged_commands_umount
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/sudo
+- name: Perform remediation of Audit rules for /usr/bin/umount
   block:
 
   - name: Declare list of syscalls
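Review bot: the umount rule's references (CCE-80739-6, RHEL-08-030301) differ from the sibling rules in two ways that belong to the source profile rather than the renderer and are worth checking: the CCI list is ordered `CCI-000130, CCI-000169, CCI-000135` where every other rule on this page lists `CCI-000130, CCI-000135, CCI-000169`, and the list omits `FAU_GEN.1.1.c` and `SRG-APP-000495-CTR-001235`, which ssh-keysign, su and sudo all carry. The ordering difference is harmless in itself but confirms the references are written out in profile order, so cosmetic reorderings will keep appearing as content changes in these automated publishes. The - (sudo) block in this hunk is the same sudo content the diff added as + lines in the previous hunk, so once again the pairing is a shifted alignment and not a change to either rule.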
@@ -58675,7 +58850,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
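Review bot: the "contains:" regex here accepts "(-k\s+|-F\s+key=)\S+\s*$", i.e. any key name under either the "-k" or the "-F key=" spelling, while the rule description text for umount elsewhere in this patch shows only the "-F key=privileged" form. The description should state that an existing rule for the same path with a different key name, or written with "-k", already satisfies the check, so that operators do not add a second, duplicate rule by hand.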
@@ -58720,7 +58895,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F
         auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -58730,7 +58905,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -58746,7 +58921,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -58765,7 +58940,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -58775,7 +58950,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/sudo -F perm=x
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x
         -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -58785,42 +58960,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80737-0
-  - DISA-STIG-RHEL-08-030550
+  - CCE-80739-6
+  - DISA-STIG-RHEL-08-030301
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-6(9)
   - NIST-800-53-AU-12(c)
   - NIST-800-53-AU-2(d)
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_sudo
+  - audit_rules_privileged_commands_umount
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - umount -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80739-6

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, RHEL-08-030301, SV-230424r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -59139,25 +59292,54 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80740-4

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030317, SV-230433r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80739-6
-  - DISA-STIG-RHEL-08-030301
+  - CCE-80740-4
+  - DISA-STIG-RHEL-08-030317
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(a)
   - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-12.1(ii)
+  - NIST-800-53-AU-12.1(iv)
   - NIST-800-53-AU-2(d)
+  - NIST-800-53-AU-3
+  - NIST-800-53-AU-3.1
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_umount
+  - NIST-800-53-MA-4(1)(a)
+  - audit_rules_privileged_commands_unix_chkpwd
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/bin/umount
+- name: Perform remediation of Audit rules for /usr/sbin/unix_chkpwd
   block:
 
   - name: Declare list of syscalls
@@ -59169,7 +59351,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -59214,8 +59396,8 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F
-        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x
+        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
       state: present
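Review bot: apart from the path, the only change in this hunk is where the folded YAML scalar breaks ("-F perm=x -F" / "auid>=1000" becomes "-F perm=x" / "-F auid>=1000"). A plain multi-line scalar folds the line break into a single space, so the resulting regexp differs from the previous one only in the path; nothing functional changes and the re-wrap needs no separate review.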
@@ -59224,8 +59406,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd
+        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -59240,7 +59422,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -59259,7 +59441,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -59269,8 +59451,8 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/umount -F perm=x
-        -F auid>=1000 -F auid!=unset -F key=privileged
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd
+        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
       state: present
@@ -59279,42 +59461,27 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80739-6
-  - DISA-STIG-RHEL-08-030301
+  - CCE-80740-4
+  - DISA-STIG-RHEL-08-030317
   - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(a)
   - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-12.1(ii)
+  - NIST-800-53-AU-12.1(iv)
   - NIST-800-53-AU-2(d)
+  - NIST-800-53-AU-3
+  - NIST-800-53-AU-3.1
   - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_umount
+  - NIST-800-53-MA-4(1)(a)
+  - audit_rules_privileged_commands_unix_chkpwd
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80740-4

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, RHEL-08-030317, SV-230433r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -59633,32 +59800,42 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - unix_update +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-89480-8

References:  + CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030310, SV-230426r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80740-4
-  - DISA-STIG-RHEL-08-030317
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(a)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-12.1(ii)
-  - NIST-800-53-AU-12.1(iv)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-AU-3
-  - NIST-800-53-AU-3.1
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-MA-4(1)(a)
-  - audit_rules_privileged_commands_unix_chkpwd
+  - CCE-89480-8
+  - DISA-STIG-RHEL-08-030310
+  - audit_rules_privileged_commands_unix_update
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/unix_chkpwd
+- name: Perform remediation of Audit rules for /usr/sbin/unix_update
   block:
 
   - name: Declare list of syscalls
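Review bot: the unix_update rule introduced in this hunk is mapped far more thinly than its siblings: its references are only CCI, SRG and STIG entries ("CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-... RHEL-08-030310, SV-230426r627750_rule"), and its tag list keeps only "+  - CCE-89480-8", "+  - DISA-STIG-RHEL-08-030310" and "+  - audit_rules_privileged_commands_unix_update", whereas the unix_chkpwd and userhelper rules carry NIST-800-171-3.1.7 and the NIST-800-53 tags. If the thinner mapping is intentional it should be documented; if not, the fix belongs in the rule's source content, since this HTML is generated output.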
@@ -59670,7 +59847,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -59715,7 +59892,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x
         -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -59725,7 +59902,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update
         -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -59741,7 +59918,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -59760,7 +59937,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -59770,7 +59947,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_chkpwd
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update
         -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -59780,49 +59957,15 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80740-4
-  - DISA-STIG-RHEL-08-030317
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(a)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-12.1(ii)
-  - NIST-800-53-AU-12.1(iv)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-AU-3
-  - NIST-800-53-AU-3.1
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-MA-4(1)(a)
-  - audit_rules_privileged_commands_unix_chkpwd
+  - CCE-89480-8
+  - DISA-STIG-RHEL-08-030310
+  - audit_rules_privileged_commands_unix_update
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - unix_update -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-89480-8

References:  - CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030310, SV-230426r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
@@ -60141,20 +60284,47 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper +   [ref]

At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. +

+Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80741-2

References:  + 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030315, SV-230431r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-89480-8
-  - DISA-STIG-RHEL-08-030310
-  - audit_rules_privileged_commands_unix_update
+  - CCE-80741-2
+  - DISA-STIG-RHEL-08-030315
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_userhelper
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for /usr/sbin/unix_update
+- name: Perform remediation of Audit rules for /usr/sbin/userhelper
   block:
 
   - name: Declare list of syscalls
@@ -60166,7 +60336,7 @@
     find:
       paths: /etc/audit/rules.d
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: '*.rules'
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -60211,7 +60381,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x
         -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -60221,7 +60391,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper
         -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -60237,7 +60407,7 @@
     find:
       paths: /etc/audit
       contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+        path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
       patterns: audit.rules
     register: find_command
     loop: '{{ (syscall_grouping + syscalls) | unique }}'
@@ -60256,7 +60426,7 @@
     lineinfile:
       path: '{{ audit_file }}'
       regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset
+        -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset
         (?:-k |-F key=)\w+)
       line: \1\2\3{{ missing_syscalls | join("\3") }}\4
       backrefs: true
@@ -60266,7 +60436,7 @@
   - name: Add the audit rule to {{ audit_file }}
     lineinfile:
       path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/unix_update
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper
         -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
       create: true
       mode: o-rwx
@@ -60276,37 +60446,20 @@
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-89480-8
-  - DISA-STIG-RHEL-08-030310
-  - audit_rules_privileged_commands_unix_update
+  - CCE-80741-2
+  - DISA-STIG-RHEL-08-030315
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - audit_rules_privileged_commands_userhelper
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects Information on the Use of Privileged Commands - userhelper -   [ref]

At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80741-2

References:  - 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030315, SV-230431r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
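Review bot: The tag block in this hunk replaces CCE-89480-8 / DISA-STIG-RHEL-08-030310 / audit_rules_privileged_commands_unix_update with CCE-80741-2 / DISA-STIG-RHEL-08-030315 / audit_rules_privileged_commands_userhelper (plus the NIST-800-171 and NIST-800-53 tags), and nothing in the visible diff re-adds the unix_update rule; the three small hunks above that turn `-F path=/usr/sbin/unix_update` into `-F path=/usr/sbin/userhelper` are only the diff pairing the old unix_update snippet with the userhelper one, so check that the unix_update rule still renders elsewhere in the guide and was not dropped by this publish. The trailing lines also show `Remediation Shell script:   (show)` and `# Remediation is applicable only in certain platforms` twice in a row with an added blank line between them; verify the generated HTML is not now rendering a duplicate, empty remediation heading.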
@@ -60625,159 +60778,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-80741-2
-  - DISA-STIG-RHEL-08-030315
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_userhelper
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-
-- name: Perform remediation of Audit rules for /usr/sbin/userhelper
-  block:
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
-
-  - name: Check existence of  in /etc/audit/rules.d/
-    find:
-      paths: /etc/audit/rules.d
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: '*.rules'
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Reset syscalls found per file
-    set_fact:
-      syscalls_per_file: {}
-      found_paths_dict: {}
-
-  - name: Declare syscalls found per file
-    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
-      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
-    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
-
-  - name: Declare files where syscalls were found
-    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
-      | map(attribute='path') | list }}"
-
-  - name: Count occurrences of syscalls in paths
-    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
-      0) }) }}"
-    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
-      | list }}'
-
-  - name: Get path with most syscalls
-    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
-      | last).key }}"
-    when: found_paths | length >= 1
-
-  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
-    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
-    when: found_paths | length == 0
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x
-        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper
-        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
-
-  - name: Check existence of  in /etc/audit/audit.rules
-    find:
-      paths: /etc/audit
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: audit.rules
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Set path to /etc/audit/audit.rules
-    set_fact: audit_file="/etc/audit/audit.rules"
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset
-        (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/userhelper
-        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80741-2
-  - DISA-STIG-RHEL-08-030315
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - audit_rules_privileged_commands_userhelper
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
 

Rule   Ensure auditd Collects Information on the Use of Privileged Commands - usermod   [ref]

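Review bot: The 159 lines removed here are the userhelper Ansible snippet (tags CCE-80741-2, audit_rules_privileged_commands_userhelper) that the hunks at the top of this diff add back ahead of the shell remediation, so this is a reorder of the remediation sections, not a content change. For an automated publish the generator should emit remediations in a stable order (for example always Shell, then Ansible, then MachineConfig) so that real changes are not buried under block moves of this size.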
At a minimum, the audit system should collect the execution of @@ -60800,7 +60800,150 @@ limited capability. As such, motivation exists to monitor these programs for unusual activity.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86027-0

References:  - CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, RHEL-08-030560, 4.1.3.18, SV-230463r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-86027-0
+  - DISA-STIG-RHEL-08-030560
+  - audit_rules_privileged_commands_usermod
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Perform remediation of Audit rules for /usr/sbin/usermod
+  block:
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls: []
+      syscall_grouping: []
+
+  - name: Check existence of  in /etc/audit/rules.d/
+    find:
+      paths: /etc/audit/rules.d
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: '*.rules'
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Reset syscalls found per file
+    set_fact:
+      syscalls_per_file: {}
+      found_paths_dict: {}
+
+  - name: Declare syscalls found per file
+    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+  - name: Declare files where syscalls were found
+    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+      | map(attribute='path') | list }}"
+
+  - name: Count occurrences of syscalls in paths
+    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+      0) }) }}"
+    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+      | list }}'
+
+  - name: Get path with most syscalls
+    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+      | last).key }}"
+    when: found_paths | length >= 1
+
+  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
+    when: found_paths | length == 0
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x
+        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F
+        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls: []
+      syscall_grouping: []
+
+  - name: Check existence of  in /etc/audit/audit.rules
+    find:
+      paths: /etc/audit
+      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+        path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: audit.rules
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Set path to /etc/audit/audit.rules
+    set_fact: audit_file="/etc/audit/audit.rules"
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+        -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset
+        (?:-k |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F
+        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86027-0
+  - DISA-STIG-RHEL-08-030560
+  - audit_rules_privileged_commands_usermod
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 ACTION_ARCH_FILTERS="-a always,exit"
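Review bot: In the added usermod snippet the task names `Check existence of  in /etc/audit/rules.d/` and `Check existence of  in /etc/audit/audit.rules` carry an empty placeholder where the template expected a syscall list; naming them after the watched path (`Check existence of the /usr/sbin/usermod rule in /etc/audit/rules.d/`) would read correctly. More importantly, because `syscalls: []` and `syscall_grouping: []` leave the `loop` of both `find` tasks empty, the `contains:` pattern is never evaluated, `syscalls_found` is always empty and the `Add the audit rule` task runs on every play; `lineinfile` only prevents an exact duplicate of its own `line`, so an equivalent rule already present in another rules.d file, or one written with `-k privileged` instead of `-F key=privileged`, is not detected and a second rule is appended to privileged.rules. A non-looped `find` with the path pattern would give the path-based rule the same idempotence the syscall rules get.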
@@ -61119,149 +61262,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-86027-0
-  - DISA-STIG-RHEL-08-030560
-  - audit_rules_privileged_commands_usermod
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-
-- name: Perform remediation of Audit rules for /usr/sbin/usermod
-  block:
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
-
-  - name: Check existence of  in /etc/audit/rules.d/
-    find:
-      paths: /etc/audit/rules.d
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: '*.rules'
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Reset syscalls found per file
-    set_fact:
-      syscalls_per_file: {}
-      found_paths_dict: {}
-
-  - name: Declare syscalls found per file
-    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
-      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
-    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
-
-  - name: Declare files where syscalls were found
-    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
-      | map(attribute='path') | list }}"
-
-  - name: Count occurrences of syscalls in paths
-    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
-      0) }) }}"
-    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
-      | list }}'
-
-  - name: Get path with most syscalls
-    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
-      | last).key }}"
-    when: found_paths | length >= 1
-
-  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
-    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
-    when: found_paths | length == 0
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x
-        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F
-        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls: []
-      syscall_grouping: []
-
-  - name: Check existence of  in /etc/audit/audit.rules
-    find:
-      paths: /etc/audit
-      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
-        path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: audit.rules
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Set path to /etc/audit/audit.rules
-    set_fact: audit_file="/etc/audit/audit.rules"
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
-        -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset
-        (?:-k |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F
-        perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-86027-0
-  - DISA-STIG-RHEL-08-030560
-  - audit_rules_privileged_commands_usermod
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
 

Rule   Make the auditd Configuration Immutable   [ref]

If the auditd daemon is configured to use the @@ -61280,35 +61280,20 @@ problematic if legitimate changes are needed during system operation.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80708-1

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, 10.3.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, RHEL-08-030121, 4.1.3.20, SV-230402r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-# Traverse all of:
-#
-# /etc/audit/audit.rules,			(for auditctl case)
-# /etc/audit/rules.d/*.rules			(for augenrules case)
-#
-# files to check if '-e .*' setting is present in that '*.rules' file already.
-# If found, delete such occurrence since auditctl(8) manual page instructs the
-# '-e 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
-
-# Append '-e 2' requirement at the end of both:
-# * /etc/audit/audit.rules file 		(for auditctl case)
-# * /etc/audit/rules.d/immutable.rules		(for augenrules case)
-
-for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
-do
-	echo '' >> $AUDIT_FILE
-	echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
-	echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
-	echo '-e 2' >> $AUDIT_FILE
-	chmod o-rwx $AUDIT_FILE
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, 10.3.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, RHEL-08-030121, 4.1.3.20, SV-230402r627750_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-e%202%0A
+        mode: 0600
+        path: /etc/audit/rules.d/90-immutable.rules
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
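Review bot: Under `Remediation Shell script:   (show)` this hunk replaces the script body with a second copy of the References list (`+            BP28(R73), 1, 11, 12, ...`) while the script itself reappears in the next hunk; confirm that the rendered page does not print the reference string inside the remediation block and that the shell script's pre block is not left empty. The added MachineConfig also writes `-e 2` to `/etc/audit/rules.d/90-immutable.rules` (mode 0600) whereas the shell script writes to `/etc/audit/rules.d/immutable.rules`, so a host that receives both remediations ends up with two files carrying `-e 2`; one file name for both would avoid that.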
@@ -61409,20 +61394,35 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-e%202%0A
-        mode: 0600
-        path: /etc/audit/rules.d/90-immutable.rules
-        overwrite: true
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+# Traverse all of:
+#
+# /etc/audit/audit.rules,			(for auditctl case)
+# /etc/audit/rules.d/*.rules			(for augenrules case)
+#
+# files to check if '-e .*' setting is present in that '*.rules' file already.
+# If found, delete such occurrence since auditctl(8) manual page instructs the
+# '-e 2' rule should be placed as the last rule in the configuration
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+
+# Append '-e 2' requirement at the end of both:
+# * /etc/audit/audit.rules file 		(for auditctl case)
+# * /etc/audit/rules.d/immutable.rules		(for augenrules case)
+
+for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
+do
+	echo '' >> $AUDIT_FILE
+	echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
+	echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
+	echo '-e 2' >> $AUDIT_FILE
+	chmod o-rwx $AUDIT_FILE
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure immutable Audit login UIDs   [ref]

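Review bot: The `sed -i '/-e[[:space:]]\+.*/d'` in the re-added script is unanchored, so it deletes any line that contains `-e ` followed by whitespace anywhere in it, including comment lines that merely mention `-e 2`; anchoring it as `/^[[:space:]]*-e[[:space:]]/d` limits it to actual control lines, which is what the comment above it ("check if '-e .*' setting is present") describes. Since augenrules concatenates the rules.d files in lexical order, the `-e 2` appended to `immutable.rules` is only last if no other file sorts after it; the MachineConfig variant in the previous hunk uses `90-immutable.rules` for the same purpose, and using one name in both keeps the ordering assumption in a single place.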
Configure kernel to prevent modification of login UIDs once they are set. @@ -61441,30 +61441,7 @@

--loginuid-immutable

Rationale:

If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-90783-2

References:  - CCI-000162, CCI-000163, CCI-000164, SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030122, SV-230403r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-# in case auditctl is used
-if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then
-  if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then
-    echo "--loginuid-immutable" >> /etc/audit/audit.rules
-  fi
-else
-  immutable_found=0
-  while IFS= read -r -d '' f; do
-    if grep -q '^\s*--loginuid-immutable\s*$' "$f"; then
-      immutable_found=1
-    fi
-  done <    <(find /etc/audit/rules.d -maxdepth 1 -name '*.rules' -print0)
-  if [ $immutable_found -eq 0 ]; then
-    echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules
-  fi
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
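Review bot: After the removed shell script the context shows `Remediation Ansible snippet:   (show)` twice in succession (with the removed blank line between), which means both the old and the new page carry the heading twice at this point; verify the loginuid rule is not rendering an empty Ansible section before the real one.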
@@ -61548,6 +61525,29 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+# in case auditctl is used
+if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then
+  if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then
+    echo "--loginuid-immutable" >> /etc/audit/audit.rules
+  fi
+else
+  immutable_found=0
+  while IFS= read -r -d '' f; do
+    if grep -q '^\s*--loginuid-immutable\s*$' "$f"; then
+      immutable_found=1
+    fi
+  done <    <(find /etc/audit/rules.d -maxdepth 1 -name '*.rules' -print0)
+  if [ $immutable_found -eq 0 ]; then
+    echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules
+  fi
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure auditd Collects Information on Exporting to Media (successful)   [ref]

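Review bot: The re-added script appends `--loginuid-immutable` to `/etc/audit/rules.d/immutable.rules` unconditionally, the same file the preceding `Make the auditd Configuration Immutable` script terminates with `-e 2`; if that remediation has already run, `--loginuid-immutable` lands after `-e 2`, which is exactly the ordering that script's own comment warns against (the `-e 2` rule should be the last rule in the configuration). Writing it to a file that sorts before immutable.rules, or inserting it ahead of any `-e` line, removes the dependency on remediation order. Minor: the auditctl/augenrules decision greps only `/usr/lib/systemd/system/auditd.service`, so an override unit under `/etc/systemd/system/` is not considered; `systemctl cat auditd` would show the effective `ExecStartPost`.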
At a minimum, the audit system should collect media exportation @@ -61566,51 +61566,380 @@ trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80722-2

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030302, 4.1.3.10, SV-230425r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+            BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000495-CTR-001235, RHEL-08-030302, 4.1.3.10, SV-230425r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-80722-2
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030302
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_media_export
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
 
-# First perform the remediation of the syscall rule
-# Retrieve hardware architecture of the underlying system
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+- name: Set architecture for audit mount tasks
+  set_fact:
+    audit_arch: b64
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+    == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+  tags:
+  - CCE-80722-2
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030302
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_media_export
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
 
-for ARCH in "${RULE_ARCHS[@]}"
-do
-	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	OTHER_FILTERS=""
-	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="mount"
-	KEY="perm_mod"
-	SYSCALL_GROUPING=""
+- name: Perform remediation of Audit rules for mount for 32bit platform
+  block:
 
-	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-	unset syscall_a
-unset syscall_grouping
-unset syscall_string
-unset syscall
-unset file_to_edit
-unset rule_to_edit
-unset rule_syscalls_to_edit
-unset other_string
-unset auid_string
-unset full_rule
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - mount
+      syscall_grouping: []
 
-# Load macro arguments into arrays
-read -a syscall_a <<< $SYSCALL
-read -a syscall_grouping <<< $SYSCALL_GROUPING
+  - name: Check existence of mount in /etc/audit/rules.d/
+    find:
+      paths: /etc/audit/rules.d
+      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: '*.rules'
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
 
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
-# -----------------------------------------------------------------------------------------
-#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
-# -----------------------------------------------------------------------------------------
-#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
-#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-#
-files_to_inspect=()
+  - name: Reset syscalls found per file
+    set_fact:
+      syscalls_per_file: {}
+      found_paths_dict: {}
+
+  - name: Declare syscalls found per file
+    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+  - name: Declare files where syscalls were found
+    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+      | map(attribute='path') | list }}"
+
+  - name: Count occurrences of syscalls in paths
+    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+      0) }) }}"
+    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+      | list }}'
+
+  - name: Get path with most syscalls
+    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+      | last).key }}"
+    when: found_paths | length >= 1
+
+  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+    when: found_paths | length == 0
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+        |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=perm_mod
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - mount
+      syscall_grouping: []
+
+  - name: Check existence of mount in /etc/audit/audit.rules
+    find:
+      paths: /etc/audit
+      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: audit.rules
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Set path to /etc/audit/audit.rules
+    set_fact: audit_file="/etc/audit/audit.rules"
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+        key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=perm_mod
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80722-2
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030302
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_media_export
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Perform remediation of Audit rules for mount for 64bit platform
+  block:
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - mount
+      syscall_grouping: []
+
+  - name: Check existence of mount in /etc/audit/rules.d/
+    find:
+      paths: /etc/audit/rules.d
+      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: '*.rules'
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Reset syscalls found per file
+    set_fact:
+      syscalls_per_file: {}
+      found_paths_dict: {}
+
+  - name: Declare syscalls found per file
+    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+  - name: Declare files where syscalls were found
+    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+      | map(attribute='path') | list }}"
+
+  - name: Count occurrences of syscalls in paths
+    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+      0) }) }}"
+    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+      | list }}'
+
+  - name: Get path with most syscalls
+    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+      | last).key }}"
+    when: found_paths | length >= 1
+
+  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+    when: found_paths | length == 0
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+        |-F key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=perm_mod
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+
+  - name: Declare list of syscalls
+    set_fact:
+      syscalls:
+      - mount
+      syscall_grouping: []
+
+  - name: Check existence of mount in /etc/audit/audit.rules
+    find:
+      paths: /etc/audit
+      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+      patterns: audit.rules
+    register: find_command
+    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+  - name: Set path to /etc/audit/audit.rules
+    set_fact: audit_file="/etc/audit/audit.rules"
+
+  - name: Declare found syscalls
+    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+      | list }}"
+
+  - name: Declare missing syscalls
+    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+  - name: Replace the audit rule in {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+        key=)\w+)
+      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+      backrefs: true
+      state: present
+    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+  - name: Add the audit rule to {{ audit_file }}
+    lineinfile:
+      path: '{{ audit_file }}'
+      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+        -F auid!=unset -F key=perm_mod
+      create: true
+      mode: o-rwx
+      state: present
+    when: syscalls_found | length == 0
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - audit_arch == "b64"
+  tags:
+  - CCE-80722-2
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030302
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.7
+  - PCI-DSSv4-10.2.1.7
+  - audit_rules_media_export
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+	OTHER_FILTERS=""
+	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+	SYSCALL="mount"
+	KEY="perm_mod"
+	SYSCALL_GROUPING=""
+
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
+# -----------------------------------------------------------------------------------------
+#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
+# -----------------------------------------------------------------------------------------
+#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
+#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
 
 # If audit tool is 'augenrules', then check if the audit rule is defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
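Review bot: In the "Set architecture for audit mount tasks" task, `audit_arch` is only set when `ansible_architecture` is one of aarch64/ppc64/ppc64le/s390x/x86_64, yet the 64-bit block's `when:` tests `audit_arch == "b64"` unguarded; on any other architecture the play aborts with an undefined-variable error instead of skipping the block. Guard it as `audit_arch is defined and audit_arch == "b64"` or give `audit_arch` a default in the preceding `set_fact`. A second, smaller inconsistency in the same blocks: "Declare syscalls found per file" records only `item.files[0].path`, while "Count occurrences of syscalls in paths" flattens every matched file, so `audit_file` can be chosen as a path that `syscalls_per_file` has no key for, and the "Replace the audit rule in {{ audit_file }}" regexp then indexes `syscalls_per_file[audit_file]`; mapping `item.files | map(attribute='path')` in the first task keeps the two views aligned.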
@@ -61893,353 +62222,176 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects System Administrator Actions - /etc/sudoers +   [ref]

At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +

-w /etc/sudoers -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions

Rationale:

The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. +Editing the sudoers file may be sign of an attacker trying to +establish persistent methods to a system, auditing the editing of the sudoers +files mitigates this risk.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-90175-1

References:  + CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030171, SV-230409r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80722-2
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030302
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_media_export
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
-- name: Set architecture for audit mount tasks
-  set_fact:
-    audit_arch: b64
+- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/
+  find:
+    paths: /etc/audit/rules.d
+    contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
+    patterns: '*.rules'
+  register: find_existing_watch_rules_d
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
-    == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
   tags:
-  - CCE-80722-2
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030302
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_media_export
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
 
-- name: Perform remediation of Audit rules for mount for 32bit platform
-  block:
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls:
-      - mount
-      syscall_grouping: []
-
-  - name: Check existence of mount in /etc/audit/rules.d/
-    find:
-      paths: /etc/audit/rules.d
-      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: '*.rules'
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Reset syscalls found per file
-    set_fact:
-      syscalls_per_file: {}
-      found_paths_dict: {}
-
-  - name: Declare syscalls found per file
-    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
-      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
-    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
-
-  - name: Declare files where syscalls were found
-    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
-      | map(attribute='path') | list }}"
-
-  - name: Count occurrences of syscalls in paths
-    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
-      0) }) }}"
-    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
-      | list }}'
-
-  - name: Get path with most syscalls
-    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
-      | last).key }}"
-    when: found_paths | length >= 1
-
-  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
-    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
-    when: found_paths | length == 0
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
-        |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls:
-      - mount
-      syscall_grouping: []
-
-  - name: Check existence of mount in /etc/audit/audit.rules
-    find:
-      paths: /etc/audit
-      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: audit.rules
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Set path to /etc/audit/audit.rules
-    set_fact: audit_file="/etc/audit/audit.rules"
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
-        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
-        key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
+- name: Search /etc/audit/rules.d for other rules with specified key actions
+  find:
+    paths: /etc/audit/rules.d
+    contains: ^.*(?:-F key=|-k\s+)actions$
+    patterns: '*.rules'
+  register: find_watch_key
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+    == 0
   tags:
-  - CCE-80722-2
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030302
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_media_export
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Perform remediation of Audit rules for mount for 64bit platform
-  block:
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls:
-      - mount
-      syscall_grouping: []
-
-  - name: Check existence of mount in /etc/audit/rules.d/
-    find:
-      paths: /etc/audit/rules.d
-      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: '*.rules'
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
-
-  - name: Reset syscalls found per file
-    set_fact:
-      syscalls_per_file: {}
-      found_paths_dict: {}
-
-  - name: Declare syscalls found per file
-    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
-      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
-    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
-
-  - name: Declare files where syscalls were found
-    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
-      | map(attribute='path') | list }}"
-
-  - name: Count occurrences of syscalls in paths
-    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
-      0) }) }}"
-    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
-      | list }}'
-
-  - name: Get path with most syscalls
-    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
-      | last).key }}"
-    when: found_paths | length >= 1
-
-  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
-    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
-    when: found_paths | length == 0
-
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
-
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
-
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
-        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
-        |-F key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
-
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
-
-  - name: Declare list of syscalls
-    set_fact:
-      syscalls:
-      - mount
-      syscall_grouping: []
-
-  - name: Check existence of mount in /etc/audit/audit.rules
-    find:
-      paths: /etc/audit
-      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
-        |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
-      patterns: audit.rules
-    register: find_command
-    loop: '{{ (syscall_grouping + syscalls) | unique }}'
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
 
-  - name: Set path to /etc/audit/audit.rules
-    set_fact: audit_file="/etc/audit/audit.rules"
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+  set_fact:
+    all_files:
+    - /etc/audit/rules.d/actions.rules
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
+    is defined and find_existing_watch_rules_d.matched == 0
+  tags:
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
 
-  - name: Declare found syscalls
-    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
-      | list }}"
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_files:
+    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
+    is defined and find_existing_watch_rules_d.matched == 0
+  tags:
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
 
-  - name: Declare missing syscalls
-    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+- name: Add watch rule for /etc/sudoers in /etc/audit/rules.d/
+  lineinfile:
+    path: '{{ all_files[0] }}'
+    line: -w /etc/sudoers -p wa -k actions
+    create: true
+    mode: '0640'
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+    == 0
+  tags:
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
 
-  - name: Replace the audit rule in {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
-        join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
-        key=)\w+)
-      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
-      backrefs: true
-      state: present
-    when: syscalls_found | length > 0 and missing_syscalls | length > 0
+- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules
+  find:
+    paths: /etc/audit/
+    contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
+    patterns: audit.rules
+  register: find_existing_watch_audit_rules
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
 
-  - name: Add the audit rule to {{ audit_file }}
-    lineinfile:
-      path: '{{ audit_file }}'
-      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-        -F auid!=unset -F key=perm_mod
-      create: true
-      mode: o-rwx
-      state: present
-    when: syscalls_found | length == 0
+- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules
+  lineinfile:
+    line: -w /etc/sudoers -p wa -k actions
+    state: present
+    dest: /etc/audit/audit.rules
+    create: true
+    mode: '0640'
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - audit_arch == "b64"
+  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
+    == 0
   tags:
-  - CCE-80722-2
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030302
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.7
-  - PCI-DSSv4-10.2.1.7
-  - audit_rules_media_export
+  - CCE-90175-1
+  - DISA-STIG-RHEL-08-030171
+  - audit_rules_sudoers
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
+  - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects System Administrator Actions - /etc/sudoers -   [ref]

At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -

-w /etc/sudoers -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions

Rationale:

The actions taken by system administrators should be audited to keep a record -of what was executed on the system, as well as, for accountability purposes. -Editing the sudoers file may be sign of an attacker trying to -establish persistent methods to a system, auditing the editing of the sudoers -files mitigates this risk.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-90175-1

References:  - CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030171, SV-230409r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
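Review bot: the two new Ansible tasks that write the /etc/sudoers watch (`Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules` and `Add watch rule for /etc/sudoers in /etc/audit/audit.rules`) never reload the rule set, so `-w /etc/sudoers -p wa -k actions` is only in effect after auditd is restarted or the host rebooted, yet the rule is tagged `no_reboot_needed` while the adjacent audit_rules_media_export tasks, which make the same kind of change, carry `reboot_required`. Either add a restart equivalent to the `Restart Auditd` task that the audit_rules_suid_privilege_function snippet gains later in this patch, or tag the audit-rule remediations consistently. Also, the `contains` check only looks for `-w /etc/sudoers -p wa`, so a pre-existing watch with a different key satisfies it while the add task always writes `-k actions`; that is defensible, but worth a comment, since the rules.d branch of the same rule does search for an existing `-k actions` rule before choosing its target file.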
@@ -62379,32 +62531,49 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ +   [ref]

At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +

-w /etc/sudoers.d/ -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions

Rationale:

The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. +Editing the sudoers file may be sign of an attacker trying to +establish persistent methods to a system, auditing the editing of the sudoers +files mitigates this risk.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-89497-2

References:  + CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030172, SV-230410r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/
+- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
-    contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
+    contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
     patterns: '*.rules'
   register: find_existing_watch_rules_d
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
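Review bot: the `contains` regex for the new sudoers.d watch, `^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+`, leaves the dot unescaped, so it also accepts a line like `-w /etc/sudoersXd/ -p wa`; use `/etc/sudoers\.d/` here and in the audit.rules check that reuses the pattern. The rationale copied for this rule also still says "Editing the sudoers file", though the rule watches the /etc/sudoers.d/ drop-in directory; say so, since the reason for a second rule is catching persistence via a new drop-in file rather than an edit of /etc/sudoers.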
@@ -62423,9 +62592,9 @@
   - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
     == 0
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
@@ -62442,9 +62611,9 @@
   - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
     is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
@@ -62461,19 +62630,19 @@
   - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
     is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sudoers in /etc/audit/rules.d/
+- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
-    line: -w /etc/sudoers -p wa -k actions
+    line: -w /etc/sudoers.d/ -p wa -k actions
     create: true
     mode: '0640'
   when:
@@ -62482,37 +62651,37 @@
   - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
     == 0
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules
+- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
-    contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
+    contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
     patterns: audit.rules
   register: find_existing_watch_audit_rules
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules
+- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules
   lineinfile:
-    line: -w /etc/sudoers -p wa -k actions
+    line: -w /etc/sudoers.d/ -p wa -k actions
     state: present
     dest: /etc/audit/audit.rules
     create: true
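Review bot: the audit.rules task uses `dest: /etc/audit/audit.rules` while its rules.d sibling uses `path: '{{ all_files[0] }}'`; `dest` is only an alias of `path` in lineinfile, so use `path` in both. The trailing `(\s|$)+` in the `contains` regex repeats a group that contains `$`, which never consumes anything; `(\s|$)` expresses the intent and avoids a pathological pattern.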
@@ -62523,32 +62692,15 @@
   - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
     == 0
   tags:
-  - CCE-90175-1
-  - DISA-STIG-RHEL-08-030171
-  - audit_rules_sudoers
+  - CCE-89497-2
+  - DISA-STIG-RHEL-08-030172
+  - audit_rules_sudoers_d
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ -   [ref]

At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -

-w /etc/sudoers.d/ -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions

Rationale:

The actions taken by system administrators should be audited to keep a record -of what was executed on the system, as well as, for accountability purposes. -Editing the sudoers file may be sign of an attacker trying to -establish persistent methods to a system, auditing the editing of the sudoers -files mitigates this risk.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-89497-2

References:  - CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030172, SV-230410r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
@@ -62688,188 +62840,231 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events When Privileged Executables Are Run +   [ref]

Verify the system generates an audit record when privileged functions are executed. + +If audit is using the "auditctl" tool to load the rules, run the following command: + +

$ sudo grep execve /etc/audit/audit.rules
+ +If audit is using the "augenrules" tool to load the rules, run the following command: + +
$ sudo grep -r execve /etc/audit/rules.d
+ + +
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+ + +If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. +If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.

Warning:  + Note that these rules can be configured in a +number of ways while still achieving the desired effect.
Rationale:

Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have +compromised information system accounts, is a serious and ongoing concern +and can have significant adverse impacts on organizations. Auditing the use +of privileged functions is one way to detect such misuse and identify the +risk from insider threats and the advanced persistent threat.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-83556-1

References:  + CCI-001814, CCI-001882, CCI-001889, CCI-001880, CCI-001881, CCI-001878, CCI-001879, CCI-001875, CCI-001877, CCI-001914, CCI-002233, CCI-002234, CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9), 10.2.1.2, SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905, RHEL-08-030000, SV-230386r854037_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-audit-suid-privilege-function.rules
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-
-- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/
-  find:
-    paths: /etc/audit/rules.d
-    contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
-    patterns: '*.rules'
-  register: find_existing_watch_rules_d
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
+  - CCE-83556-1
+  - DISA-STIG-RHEL-08-030000
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(3)
+  - NIST-800-53-AU-7(a)
+  - NIST-800-53-AU-7(b)
+  - NIST-800-53-AU-8(b)
+  - NIST-800-53-CM-5(1)
+  - PCI-DSSv4-10.2.1.2
+  - audit_rules_suid_privilege_function
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key actions
-  find:
-    paths: /etc/audit/rules.d
-    contains: ^.*(?:-F key=|-k\s+)actions$
-    patterns: '*.rules'
-  register: find_watch_key
+- name: Service facts
+  ansible.builtin.service_facts: null
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
-    == 0
   tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
+  - CCE-83556-1
+  - DISA-STIG-RHEL-08-030000
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(3)
+  - NIST-800-53-AU-7(a)
+  - NIST-800-53-AU-7(b)
+  - NIST-800-53-AU-8(b)
+  - NIST-800-53-CM-5(1)
+  - PCI-DSSv4-10.2.1.2
+  - audit_rules_suid_privilege_function
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
-  set_fact:
-    all_files:
-    - /etc/audit/rules.d/actions.rules
+- name: Check the rules script being used
+  ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
+  register: check_rules_scripts_result
+  changed_when: false
+  failed_when: false
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
-    is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
+  - CCE-83556-1
+  - DISA-STIG-RHEL-08-030000
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(3)
+  - NIST-800-53-AU-7(a)
+  - NIST-800-53-AU-7(b)
+  - NIST-800-53-AU-8(b)
+  - NIST-800-53-CM-5(1)
+  - PCI-DSSv4-10.2.1.2
+  - audit_rules_suid_privilege_function
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
-  set_fact:
-    all_files:
-    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
+- name: Set suid_audit_rules fact
+  ansible.builtin.set_fact:
+    suid_audit_rules:
+    - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+    - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+    - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+    - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
+      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
-    is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
+  - CCE-83556-1
+  - DISA-STIG-RHEL-08-030000
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(3)
+  - NIST-800-53-AU-7(a)
+  - NIST-800-53-AU-7(b)
+  - NIST-800-53-AU-8(b)
+  - NIST-800-53-CM-5(1)
+  - PCI-DSSv4-10.2.1.2
+  - audit_rules_suid_privilege_function
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/
-  lineinfile:
-    path: '{{ all_files[0] }}'
-    line: -w /etc/sudoers.d/ -p wa -k actions
+- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions
+  ansible.builtin.lineinfile:
+    path: /etc/audit/rules.d/privileged.rules
+    line: '{{  item.rule  }}'
+    regexp: '{{ item.regex }}'
     create: true
-    mode: '0640'
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
-    == 0
+  - '"auditd.service" in ansible_facts.services'
+  - '"augenrules" in check_rules_scripts_result.stdout'
+  register: augenrules_audit_rules_privilege_function_update_result
+  with_items: '{{ suid_audit_rules }}'
   tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
+  - CCE-83556-1
+  - DISA-STIG-RHEL-08-030000
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(3)
+  - NIST-800-53-AU-7(a)
+  - NIST-800-53-AU-7(b)
+  - NIST-800-53-AU-8(b)
+  - NIST-800-53-CM-5(1)
+  - PCI-DSSv4-10.2.1.2
+  - audit_rules_suid_privilege_function
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules
-  find:
-    paths: /etc/audit/
-    contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
-    patterns: audit.rules
-  register: find_existing_watch_audit_rules
+- name: Update Update /etc/audit/audit.rules to audit privileged functions
+  ansible.builtin.lineinfile:
+    path: /etc/audit/audit.rules
+    line: '{{  item.rule  }}'
+    regexp: '{{ item.regex }}'
+    create: true
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - '"auditd.service" in ansible_facts.services'
+  - '"auditctl" in check_rules_scripts_result.stdout'
+  register: auditctl_audit_rules_privilege_function_update_result
+  with_items: '{{ suid_audit_rules }}'
   tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
+  - CCE-83556-1
+  - DISA-STIG-RHEL-08-030000
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(3)
+  - NIST-800-53-AU-7(a)
+  - NIST-800-53-AU-7(b)
+  - NIST-800-53-AU-8(b)
+  - NIST-800-53-CM-5(1)
+  - PCI-DSSv4-10.2.1.2
+  - audit_rules_suid_privilege_function
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules
-  lineinfile:
-    line: -w /etc/sudoers.d/ -p wa -k actions
-    state: present
-    dest: /etc/audit/audit.rules
-    create: true
-    mode: '0640'
+- name: Restart Auditd
+  ansible.builtin.command: /usr/sbin/service auditd restart
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
-    == 0
+  - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
+  - ansible_facts.services["auditd.service"].state == "running"
   tags:
-  - CCE-89497-2
-  - DISA-STIG-RHEL-08-030172
-  - audit_rules_sudoers_d
+  - CCE-83556-1
+  - DISA-STIG-RHEL-08-030000
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(3)
+  - NIST-800-53-AU-7(a)
+  - NIST-800-53-AU-7(b)
+  - NIST-800-53-AU-8(b)
+  - NIST-800-53-CM-5(1)
+  - PCI-DSSv4-10.2.1.2
+  - audit_rules_suid_privilege_function
   - low_complexity
   - low_disruption
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Record Events When Privileged Executables Are Run -   [ref]

Verify the system generates an audit record when privileged functions are executed. - -If audit is using the "auditctl" tool to load the rules, run the following command: - -

$ sudo grep execve /etc/audit/audit.rules
- -If audit is using the "augenrules" tool to load the rules, run the following command: - -
$ sudo grep -r execve /etc/audit/rules.d
- - -
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
- - -If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. -If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.

Warning:  - Note that these rules can be configured in a -number of ways while still achieving the desired effect.
Rationale:

Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have -compromised information system accounts, is a serious and ongoing concern -and can have significant adverse impacts on organizations. Auditing the use -of privileged functions is one way to detect such misuse and identify the -risk from insider threats and the advanced persistent threat.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-83556-1

References:  - CCI-001814, CCI-001882, CCI-001889, CCI-001880, CCI-001881, CCI-001878, CCI-001879, CCI-001875, CCI-001877, CCI-001914, CCI-002233, CCI-002234, CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9), 10.2.1.2, SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905, RHEL-08-030000, SV-230386r854037_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # First perform the remediation of the syscall rule
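Review bot: the task `Update /etc/audit/rules.d/privileged.rules to audit privileged functions` drops the `mode: '0640'` that the replaced sudoers.d task had, so a newly created privileged.rules gets umask-default permissions (typically 0644) while every other rules.d file this patch creates is 0640; add `mode: '0640'` to both lineinfile tasks. Second, the remediations disagree on the audit key: the description and the Ansible `suid_audit_rules` write `-k setuid` / `-k setgid`, but the MachineConfig data URL writes `-k execpriv` for all four rules; the check regex accepts any key, so this does not fail a scan, but the rendered expected lines should match what the default remediation writes. Third, that data URL is wrapped in `{{ ... }}`; if those braces reach Ignition unrendered they are written literally into 75-audit-suid-privilege-function.rules and augenrules will reject the first line. Minor: the task name `Update Update /etc/audit/audit.rules to audit privileged functions` repeats a word, and `grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service` ignores drop-ins under /etc/systemd/system/auditd.service.d/, so a site override that switches the loader would route the rules to the wrong file.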
@@ -63515,221 +63710,251 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify User/Group Information - /etc/group +   [ref]

If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+

-w /etc/group -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80758-6

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030170, 4.1.3.8, SV-230408r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-83556-1
-  - DISA-STIG-RHEL-08-030000
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(3)
-  - NIST-800-53-AU-7(a)
-  - NIST-800-53-AU-7(b)
-  - NIST-800-53-AU-8(b)
-  - NIST-800-53-CM-5(1)
-  - PCI-DSSv4-10.2.1.2
-  - audit_rules_suid_privilege_function
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
   - low_complexity
   - low_disruption
   - medium_severity
-  - no_reboot_needed
+  - reboot_required
   - restrict_strategy
 
-- name: Service facts
-  ansible.builtin.service_facts: null
+- name: Check if watch rule for /etc/group already exists in /etc/audit/rules.d/
+  find:
+    paths: /etc/audit/rules.d
+    contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
+    patterns: '*.rules'
+  register: find_existing_watch_rules_d
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-83556-1
-  - DISA-STIG-RHEL-08-030000
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(3)
-  - NIST-800-53-AU-7(a)
-  - NIST-800-53-AU-7(b)
-  - NIST-800-53-AU-8(b)
-  - NIST-800-53-CM-5(1)
-  - PCI-DSSv4-10.2.1.2
-  - audit_rules_suid_privilege_function
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
   - low_complexity
   - low_disruption
   - medium_severity
-  - no_reboot_needed
+  - reboot_required
   - restrict_strategy
 
-- name: Check the rules script being used
-  ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
-  register: check_rules_scripts_result
-  changed_when: false
-  failed_when: false
+- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification
+  find:
+    paths: /etc/audit/rules.d
+    contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
+    patterns: '*.rules'
+  register: find_watch_key
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+    == 0
   tags:
-  - CCE-83556-1
-  - DISA-STIG-RHEL-08-030000
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(3)
-  - NIST-800-53-AU-7(a)
-  - NIST-800-53-AU-7(b)
-  - NIST-800-53-AU-8(b)
-  - NIST-800-53-CM-5(1)
-  - PCI-DSSv4-10.2.1.2
-  - audit_rules_suid_privilege_function
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
   - low_complexity
   - low_disruption
   - medium_severity
-  - no_reboot_needed
+  - reboot_required
   - restrict_strategy
 
-- name: Set suid_audit_rules fact
-  ansible.builtin.set_fact:
-    suid_audit_rules:
-    - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
-    - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
-      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
-    - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
-    - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-      regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+- name: Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient
+    for the rule
+  set_fact:
+    all_files:
+    - /etc/audit/rules.d/audit_rules_usergroup_modification.rules
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
+    is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-83556-1
-  - DISA-STIG-RHEL-08-030000
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(3)
-  - NIST-800-53-AU-7(a)
-  - NIST-800-53-AU-7(b)
-  - NIST-800-53-AU-8(b)
-  - NIST-800-53-CM-5(1)
-  - PCI-DSSv4-10.2.1.2
-  - audit_rules_suid_privilege_function
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
   - low_complexity
   - low_disruption
   - medium_severity
-  - no_reboot_needed
+  - reboot_required
   - restrict_strategy
 
-- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions
-  ansible.builtin.lineinfile:
-    path: /etc/audit/rules.d/privileged.rules
-    line: '{{  item.rule  }}'
-    regexp: '{{ item.regex }}'
-    create: true
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_files:
+    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - '"auditd.service" in ansible_facts.services'
-  - '"augenrules" in check_rules_scripts_result.stdout'
-  register: augenrules_audit_rules_privilege_function_update_result
-  with_items: '{{ suid_audit_rules }}'
+  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
+    is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-83556-1
-  - DISA-STIG-RHEL-08-030000
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(3)
-  - NIST-800-53-AU-7(a)
-  - NIST-800-53-AU-7(b)
-  - NIST-800-53-AU-8(b)
-  - NIST-800-53-CM-5(1)
-  - PCI-DSSv4-10.2.1.2
-  - audit_rules_suid_privilege_function
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
   - low_complexity
   - low_disruption
   - medium_severity
-  - no_reboot_needed
+  - reboot_required
   - restrict_strategy
 
-- name: Update Update /etc/audit/audit.rules to audit privileged functions
-  ansible.builtin.lineinfile:
-    path: /etc/audit/audit.rules
-    line: '{{  item.rule  }}'
-    regexp: '{{ item.regex }}'
+- name: Add watch rule for /etc/group in /etc/audit/rules.d/
+  lineinfile:
+    path: '{{ all_files[0] }}'
+    line: -w /etc/group -p wa -k audit_rules_usergroup_modification
     create: true
+    mode: '0640'
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - '"auditd.service" in ansible_facts.services'
-  - '"auditctl" in check_rules_scripts_result.stdout'
-  register: auditctl_audit_rules_privilege_function_update_result
-  with_items: '{{ suid_audit_rules }}'
+  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+    == 0
   tags:
-  - CCE-83556-1
-  - DISA-STIG-RHEL-08-030000
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(3)
-  - NIST-800-53-AU-7(a)
-  - NIST-800-53-AU-7(b)
-  - NIST-800-53-AU-8(b)
-  - NIST-800-53-CM-5(1)
-  - PCI-DSSv4-10.2.1.2
-  - audit_rules_suid_privilege_function
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
   - low_complexity
   - low_disruption
   - medium_severity
-  - no_reboot_needed
+  - reboot_required
   - restrict_strategy
 
-- name: Restart Auditd
-  ansible.builtin.command: /usr/sbin/service auditd restart
+- name: Check if watch rule for /etc/group already exists in /etc/audit/audit.rules
+  find:
+    paths: /etc/audit/
+    contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
+    patterns: audit.rules
+  register: find_existing_watch_audit_rules
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
-  - ansible_facts.services["auditd.service"].state == "running"
   tags:
-  - CCE-83556-1
-  - DISA-STIG-RHEL-08-030000
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(3)
-  - NIST-800-53-AU-7(a)
-  - NIST-800-53-AU-7(b)
-  - NIST-800-53-AU-8(b)
-  - NIST-800-53-CM-5(1)
-  - PCI-DSSv4-10.2.1.2
-  - audit_rules_suid_privilege_function
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
   - low_complexity
   - low_disruption
   - medium_severity
-  - no_reboot_needed
+  - reboot_required
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20uid%21%3Deuid%20-F%20euid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20execve%20-C%20gid%21%3Degid%20-F%20egid%3D0%20-k%20execpriv%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-audit-suid-privilege-function.rules
-        overwrite: true
-

Rule   - Record Events that Modify User/Group Information - /etc/group -   [ref]

If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-

-w /etc/group -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. Any unexpected -users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80758-6

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030170, 4.1.3.8, SV-230408r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
+- name: Add watch rule for /etc/group in /etc/audit/audit.rules
+  lineinfile:
+    line: -w /etc/group -p wa -k audit_rules_usergroup_modification
+    state: present
+    dest: /etc/audit/audit.rules
+    create: true
+    mode: '0640'
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
+    == 0
+  tags:
+  - CCE-80758-6
+  - CJIS-5.4.1.1
+  - DISA-STIG-RHEL-08-030170
+  - NIST-800-171-3.1.7
+  - NIST-800-53-AC-2(4)
+  - NIST-800-53-AC-6(9)
+  - NIST-800-53-AU-12(c)
+  - NIST-800-53-AU-2(d)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.2.5
+  - PCI-DSSv4-10.2.1.5
+  - audit_rules_usergroup_modification_group
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
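Review bot: The `-`/`+` pairs in this hunk do not describe a change to either rule; the removed side is the remediation for `audit_rules_suid_privilege_function` (CCE-83556-1, DISA-STIG-RHEL-08-030000, with its `Restart Auditd` task and the MachineConfig rendering) and the added side is `audit_rules_usergroup_modification_group` (CCE-80758-6, DISA-STIG-RHEL-08-030170), so this is the rendered guide being reordered and the diff aligning unrelated blocks. Two things still worth checking on the added side: the idempotency check `contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+` only recognises a watch whose permission mask is literally `wa`, so an existing `-w /etc/group -p rwa` (or `-p aw`) rule is not detected and a second watch line gets appended; and none of the added tasks load the new rule (no `augenrules --load` or auditd restart), which is why the tasks carry `reboot_required` where the removed rule carried `no_reboot_needed` and an explicit restart. Either document that the rule is only active after reboot, or add a handler that reloads the rules when `lineinfile` reports a change.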
@@ -63870,13 +64095,32 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify User/Group Information - /etc/gshadow +   [ref]

If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80759-4

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030160, 4.1.3.8, SV-230407r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
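Review bot: From here to the end of the hunk list the only substantive swaps are `CCE-80758-6` to `CCE-80759-4`, `DISA-STIG-RHEL-08-030170` to `DISA-STIG-RHEL-08-030160` and `audit_rules_usergroup_modification_group` to `audit_rules_usergroup_modification_gshadow`, i.e. the `/etc/group` rule's rendering has been displaced by the `/etc/gshadow` rule's at this position. Before merging an automated publish like this, confirm that the `/etc/group` rule (CCE-80758-6) still appears in full elsewhere in the regenerated guide rather than having been dropped, since a position-only diff cannot show that.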
@@ -63885,26 +64129,26 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Check if watch rule for /etc/group already exists in /etc/audit/rules.d/
+- name: Check if watch rule for /etc/gshadow already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
-    contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
+    contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
     patterns: '*.rules'
   register: find_existing_watch_rules_d
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
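Review bot: The `find` task's `contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+` has the same limitation as the `/etc/group` check above it: it matches only a permission mask of exactly `wa`, so an administrator's broader watch such as `-p rwa` is reported as missing and `all_files[0]` later receives a duplicate `-w /etc/gshadow -p wa -k audit_rules_usergroup_modification` line. If the intent is "watch present with at least w and a", the pattern needs to accept any ordering and any superset of those bits, e.g. `-p\s+[rwxa]*w[rwxa]*a[rwxa]*` or a check on both orders.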
@@ -63913,7 +64157,7 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
@@ -63932,9 +64176,9 @@
   - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
     == 0
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
@@ -63943,7 +64187,7 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
@@ -63961,9 +64205,9 @@
   - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
     is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
@@ -63972,7 +64216,7 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
@@ -63989,9 +64233,9 @@
   - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
     is defined and find_existing_watch_rules_d.matched == 0
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
@@ -64000,17 +64244,17 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Add watch rule for /etc/group in /etc/audit/rules.d/
+- name: Add watch rule for /etc/gshadow in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
-    line: -w /etc/group -p wa -k audit_rules_usergroup_modification
+    line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
     create: true
     mode: '0640'
   when:
@@ -64019,9 +64263,9 @@
   - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
     == 0
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
@@ -64030,26 +64274,26 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Check if watch rule for /etc/group already exists in /etc/audit/audit.rules
+- name: Check if watch rule for /etc/gshadow already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
-    contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
+    contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
     patterns: audit.rules
   register: find_existing_watch_audit_rules
   when:
   - '"audit" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
@@ -64058,16 +64302,16 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
 
-- name: Add watch rule for /etc/group in /etc/audit/audit.rules
+- name: Add watch rule for /etc/gshadow in /etc/audit/audit.rules
   lineinfile:
-    line: -w /etc/group -p wa -k audit_rules_usergroup_modification
+    line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
     state: present
     dest: /etc/audit/audit.rules
     create: true
@@ -64078,9 +64322,9 @@
   - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
     == 0
   tags:
-  - CCE-80758-6
+  - CCE-80759-4
   - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030170
+  - DISA-STIG-RHEL-08-030160
   - NIST-800-171-3.1.7
   - NIST-800-53-AC-2(4)
   - NIST-800-53-AC-6(9)
@@ -64089,32 +64333,13 @@
   - NIST-800-53-CM-6(a)
   - PCI-DSS-Req-10.2.5
   - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
   - low_complexity
   - low_disruption
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify User/Group Information - /etc/gshadow -   [ref]

If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. Any unexpected -users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80759-4

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030160, 4.1.3.8, SV-230407r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
@@ -64190,392 +64415,7 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules)
-
-# For each of the matched entries
-for match in "${matches[@]}"
-do
-    # Extract filepath from the match
-    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
-    # Append that path into list of files for inspection
-    files_to_inspect+=("$rulesd_audit_file")
-done
-# Case when particular audit rule isn't defined yet
-if [ "${#files_to_inspect[@]}" -eq "0" ]
-then
-    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
-    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
-    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
-    if [ ! -e "$key_rule_file" ]
-    then
-        touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
-    fi
-    files_to_inspect+=("$key_rule_file")
-fi
-
-# Finally perform the inspection and possible subsequent audit rule
-# correction for each of the files previously identified for inspection
-for audit_rules_file in "${files_to_inspect[@]}"
-do
-    # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
-
-        echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
-    fi
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Check if watch rule for /etc/gshadow already exists in /etc/audit/rules.d/
-  find:
-    paths: /etc/audit/rules.d
-    contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
-    patterns: '*.rules'
-  register: find_existing_watch_rules_d
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification
-  find:
-    paths: /etc/audit/rules.d
-    contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
-    patterns: '*.rules'
-  register: find_watch_key
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
-    == 0
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient
-    for the rule
-  set_fact:
-    all_files:
-    - /etc/audit/rules.d/audit_rules_usergroup_modification.rules
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
-    is defined and find_existing_watch_rules_d.matched == 0
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Use matched file as the recipient for the rule
-  set_fact:
-    all_files:
-    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
-    is defined and find_existing_watch_rules_d.matched == 0
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Add watch rule for /etc/gshadow in /etc/audit/rules.d/
-  lineinfile:
-    path: '{{ all_files[0] }}'
-    line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-    create: true
-    mode: '0640'
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
-    == 0
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Check if watch rule for /etc/gshadow already exists in /etc/audit/audit.rules
-  find:
-    paths: /etc/audit/
-    contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
-    patterns: audit.rules
-  register: find_existing_watch_audit_rules
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-
-- name: Add watch rule for /etc/gshadow in /etc/audit/audit.rules
-  lineinfile:
-    line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-    state: present
-    dest: /etc/audit/audit.rules
-    create: true
-    mode: '0640'
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
-    == 0
-  tags:
-  - CCE-80759-4
-  - CJIS-5.4.1.1
-  - DISA-STIG-RHEL-08-030160
-  - NIST-800-171-3.1.7
-  - NIST-800-53-AC-2(4)
-  - NIST-800-53-AC-6(9)
-  - NIST-800-53-AU-12(c)
-  - NIST-800-53-AU-2(d)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSS-Req-10.2.5
-  - PCI-DSSv4-10.2.1.5
-  - audit_rules_usergroup_modification_gshadow
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-

Rule   - Record Events that Modify User/Group Information - /etc/security/opasswd -   [ref]

If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. Any unexpected -users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80760-2

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275, RHEL-08-030140, 4.1.3.8, SV-230405r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
-# -----------------------------------------------------------------------------------------
-#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
-# -----------------------------------------------------------------------------------------
-# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
-# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-files_to_inspect=()
-
-
-# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
-# into the list of files to be inspected
-files_to_inspect+=('/etc/audit/audit.rules')
-
-# Finally perform the inspection and possible subsequent audit rule
-# correction for each of the files previously identified for inspection
-for audit_rules_file in "${files_to_inspect[@]}"
-do
-    # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
-
-        echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
-    fi
-done
-# Create a list of audit *.rules files that should be inspected for presence and correctness
-# of a particular audit rule. The scheme is as follows:
-#
-# -----------------------------------------------------------------------------------------
-# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
-# -----------------------------------------------------------------------------------------
-#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
-# -----------------------------------------------------------------------------------------
-# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
-# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
-# -----------------------------------------------------------------------------------------
-files_to_inspect=()
-
-# If the audit is 'augenrules', then check if rule is already defined
-# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
-# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules)
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules)
 
 # For each of the matched entries
 for match in "${matches[@]}"
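Review bot: the added `readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules)` line is unanchored at both ends: without `^`, a commented-out `# -w /etc/gshadow ...` line counts as an existing definition and selects that file as the one to inspect, and without a terminator after the path a watch on any file sharing the prefix (the `/etc/gshadow-` backup, for instance) does the same. The removed Ansible `find` task for this rule already uses `^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+`; tighten the shell pattern to match, e.g. `^[\s]*-w[\s]+/etc/gshadow([\s]|$)`.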
@@ -64604,7 +64444,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file"
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
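Review bot: `if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file"` has no boundary after the path, so a watch on a different file with the same prefix (e.g. `-w /etc/gshadow- -p wa`) satisfies the "rule already present" test; the script then takes the update branch, whose sed patterns require the exact path and therefore rewrite nothing, and no watch for /etc/gshadow is ever written. Append `([\s]|$)` to the pattern, mirroring the `\s+-p` boundary the Ansible `find` task uses. The same applies to the /etc/security/opasswd, /etc/passwd and /etc/shadow copies of this check further down.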
@@ -64612,7 +64452,7 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
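Review bot: the extraction pattern on the `+` line, `s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p`, has a literal space between the path and `$sp\+`, so it only matches when at least two whitespace characters separate `/etc/gshadow` from `-p`. For the usual single-space rule `current_access_bits` comes back empty, the loop below rebuilds it as `wa`, and the write-back `sed -i` (which has no such literal space) replaces whatever access bits the existing rule had, e.g. `rwa`, with `wa` instead of extending them as the comments promise. Drop the stray space so the two patterns agree.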
@@ -64628,19 +64468,38 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+        sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
-        echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
+        echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
     fi
 done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify User/Group Information - /etc/security/opasswd +   [ref]

If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80760-2

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275, RHEL-08-030140, 4.1.3.8, SV-230405r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
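Review bot: nothing changes in substance here: the /etc/security/opasswd rule text (`Rule - Record Events that Modify User/Group Information - /etc/security/opasswd`, identifier CCE-80760-2, identical reference list) is removed on one side of the hunk and re-added verbatim on the other, and the shell lines are only the gshadow copy of the same script moving into the position the opasswd copy used to occupy. A diff consisting of such moves cannot be reviewed; the publisher should emit rules in a stable order (sorted by rule id, say) so that automated commits contain only real changes.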
@@ -64865,26 +64724,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify User/Group Information - /etc/passwd -   [ref]

If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. Any unexpected -users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80761-0

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030150, 4.1.3.8, SV-230406r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
@@ -64912,7 +64752,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file"
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -64920,7 +64760,7 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -64936,12 +64776,12 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+        sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
-        echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
+        echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -64960,7 +64800,7 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules)
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules)
 
 # For each of the matched entries
 for match in "${matches[@]}"
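Review bot: `echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"` appends straight after the last byte of the file; if an existing rules file does not end in a newline, the new watch is glued onto the previous rule, is parsed as a continuation of that rule and fails to load. Guard the append, for example with `[ -s "$audit_rules_file" ] && [ -n "$(tail -c1 "$audit_rules_file")" ] && echo >> "$audit_rules_file"` before the `echo`.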
@@ -64989,7 +64829,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file"
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -64997,7 +64837,7 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -65013,19 +64853,38 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+        sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
-        echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
+        echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
     fi
 done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify User/Group Information - /etc/passwd +   [ref]

If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80761-0

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030150, 4.1.3.8, SV-230406r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
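Review bot: the shell remediation ends after editing the rules file(s) (`done`, then `else ... fi`) and never loads the new watch into the running auditd, which is why the metadata below carries `Reboot:true` and the Ansible tags carry `reboot_required`. For the augenrules path the rule can be applied immediately with `augenrules --load`, and for the auditctl path with `auditctl -R /etc/audit/audit.rules`; either add that step (it must be skipped when the rule set has been made immutable with `-e 2`) or state in the rule text that the watch is not active until the next restart.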
@@ -65250,26 +65109,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Record Events that Modify User/Group Information - /etc/shadow -   [ref]

If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. Any unexpected -users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80762-8

References:  - BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030130, 4.1.3.8, SV-230404r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
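Review bot: the removed Identifiers/References block for CCE-80762-8 (RHEL-08-030130, SV-230404r627750_rule) at the top of this hunk reappears verbatim further down in the same patch as "Identifiers: + CCE-80762-8" with the identical reference list, and the "Remediation Shell script: (show)" heading is shown twice here, so this part of the publish diff is the generated guide changing the order of its rule and remediation sections rather than any rule content. The generator should emit rules and their remediation sections in a stable, sorted order so that an automated publish produces a reviewable diff instead of one that removes and re-adds the same text.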
@@ -65297,7 +65137,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file"
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
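Review bot: the path regex in the per-file check, `^[\s]*-w[\s]+/etc/passwd`, has no terminator after the path, so a watch on any path that merely starts with /etc/passwd (for instance the `/etc/passwd-` backup file) would be taken as the required rule and the real `-w /etc/passwd` watch would never be appended. Anchor the end of the path, e.g. `"^[\s]*-w[\s]+/etc/passwd(?=\s|$)"` (grep -P supports the lookahead), and apply the same fix in the augenrules loop below, which repeats this check.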
@@ -65305,7 +65145,7 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
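Review bot: the sed expression that extracts the current access bits has a literal space followed by `$sp\+` between the path and `-p` (`/etc/passwd $sp\+-p`), so it only matches when at least two whitespace characters separate them; for the normal single-space form `-w /etc/passwd -p wa` it matches nothing, `current_access_bits` comes back empty, the loop rebuilds it as `wa`, and the `sed -i` in the next hunk, whose pattern has no literal space (`/etc/passwd$sp\+-p`), then overwrites whatever bits were there (an existing `-p rwxa` becomes `-p wa`). Drop the stray space: `s#$sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p`.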
@@ -65321,12 +65161,12 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+        sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
-        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
+        echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
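Review bot: the `else` branch appends the new rule with `>>` without checking that the rules file ends in a newline; if the last existing line has no trailing newline, the new `-w /etc/passwd -p wa -k audit_rules_usergroup_modification` is glued onto it and auditctl/augenrules will reject the combined line. The disk_error_action remediation later in this patch already guards for this with `tail -c 1 -- "$file"` and `sed -i '$a\'`; the same guard belongs here before the `echo`.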
@@ -65345,7 +65185,7 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules)
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules)
 
 # For each of the matched entries
 for match in "${matches[@]}"
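Review bot: the rules.d scan `grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules` is not anchored with `^` like the per-file check above, so a commented-out line such as `# -w /etc/passwd -p wa ...` selects that file for inspection; the anchored check then fails inside that file and the rule is appended there instead of to the dedicated audit_rules_usergroup_modification.rules file. Use the same `^[\s]*-w[\s]+/etc/passwd` pattern in both places. Also `rulesd_audit_file=$(echo $match | cut -f1 -d ':')` should quote `"$match"`.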
@@ -65374,7 +65214,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
-    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
+    if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file"
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
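Review bot: same unterminated path match as in the auditctl loop above (`^[\s]*-w[\s]+/etc/passwd` accepts `/etc/passwd-` and any other path with that prefix). Since the augenrules and auditctl loops are line-for-line identical apart from how `files_to_inspect` is filled, factoring the check, extraction and rewrite into one function called per file would keep the two copies from drifting, as they already do in their sed patterns.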
@@ -65382,7 +65222,7 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
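Review bot: the literal-space defect in the access-bit extraction (`/etc/passwd $sp\+-p`, which requires two or more whitespace characters before `-p` and therefore never matches the usual `-w /etc/passwd -p wa` line) is repeated here in the augenrules copy; the fix is the same as for the auditctl copy, removing the space so the pattern reads `/etc/passwd$sp\+-p`, and the identical expression also appears twice in the /etc/shadow script added later in this patch.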
@@ -65398,19 +65238,38 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
-        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+        sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
-        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
+        echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
     fi
 done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+

Rule   + Record Events that Modify User/Group Information - /etc/shadow +   [ref]

If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Rationale:

In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80762-8

References:  + BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, 
SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, RHEL-08-030130, 4.1.3.8, SV-230404r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
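Review bot: the shell remediation only writes the watch into the rules file and never loads it (there is no `augenrules --load` or `auditctl -R` after the `echo`), so the /etc/passwd watch is not active until auditd is restarted or the host is rebooted; the Ansible variant at least declares `Reboot:true`, while the shell script gives no such hint. Either load the rules at the end of the script or state the restart requirement where the script reports its result. Separately, this hunk moves the whole /etc/shadow rule text (Rule, Rationale, Identifiers CCE-80762-8, References) rather than changing it, which is ordering noise in the generated guide rather than a content change.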
@@ -65635,6 +65494,147 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+# -----------------------------------------------------------------------------------------
+#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+# -----------------------------------------------------------------------------------------
+# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
+# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+    # Check if audit watch file system object rule for given path already present
+    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
+    fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules	| Rule already defined	|  Audit rules file to inspect	  |
+# -----------------------------------------------------------------------------------------
+#	auditctl		|     Doesn't matter	|  /etc/audit/audit.rules	  |
+# -----------------------------------------------------------------------------------------
+# 	augenrules		|          Yes		|  /etc/audit/rules.d/*.rules	  |
+# 	augenrules		|          No		|  /etc/audit/rules.d/$key.rules  |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+    # Extract filepath from the match
+    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+    # Append that path into list of files for inspection
+    files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
+    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
+    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
+    if [ ! -e "$key_rule_file" ]
+    then
+        touch "$key_rule_file"
+        chmod 0640 "$key_rule_file"
+    fi
+    files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+    # Check if audit watch file system object rule for given path already present
+    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
+        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
+    fi
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   System Audit Directories Must Be Group Owned By Root   [ref]

All audit directories must be group owned by root user. By default, the path for audit log is

/var/log/audit/
. @@ -65646,27 +65646,7 @@ group account, change the group ownership of the audit directories to this specific group.
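Review bot: the 147 added lines re-add the /etc/shadow shell remediation in full, and the block itself carries the auditctl and augenrules inspection loops as two verbatim copies (the only difference being how `files_to_inspect` is populated), including the defective access-bit extraction `/etc/shadow $sp\+-p` with its stray literal space in both copies; a single function taking the rules file as a parameter would halve the block and give one place to fix that pattern. The `grep -HP ... /etc/audit/rules.d/*.rules` scan should also handle an empty rules.d explicitly: with no `*.rules` file the unexpanded glob is handed to grep, which prints a "No such file or directory" error, and the script only reaches the key-file branch because `matches` happens to stay empty. Testing for the files first (for example with `compgen -G '/etc/audit/rules.d/*.rules'`) makes that path intentional.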

Rationale:

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-88225-8

References:  - 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030110, SV-230400r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
-  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
-else
-  GROUP=root
-fi
-if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
-  DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev)
-else
-  DIR="/var/log/audit"
-fi
-
-
-find ${DIR} -type d -exec chgrp ${GROUP} {} \;
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
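Review bot: the 27 removed lines are the `chgrp` remediation for CCE-88225-8 (RHEL-08-030110), which reappears as added lines in the next hunk, so the rule keeps its shell remediation; but the script determines the group with `awk -F "=" '/log_group/ {print $2}'`, which is unanchored and so picks up any line containing `log_group`, including a commented `#log_group = ...`, even though the guard just above it is anchored (`^log_group`). The awk pattern should be `/^log_group/`, matching the `/^log_file/` pattern used beside it.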
@@ -65736,29 +65716,35 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - System Audit Directories Must Be Owned By Root -   [ref]

All audit directories must be owned by root user. By default, the path for audit log is

/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 

Rationale:

Unauthorized disclosure of audit records can reveal system and configuration data to -attackers, thus compromising its confidentiality.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-88226-6

References:  - 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030100, SV-230399r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
+if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
+  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
+else
+  GROUP=root
+fi
 if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
-    FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
-    LOGPATH="$(dirname "$FILE")"
-    chown root $LOGPATH
+  DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev)
 else
-    chown root /var/log/audit
+  DIR="/var/log/audit"
 fi
 
+
+find ${DIR} -type d -exec chgrp ${GROUP} {} \;
+
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
+

Rule   + System Audit Directories Must Be Owned By Root +   [ref]

All audit directories must be owned by root user. By default, the path for audit log is

/var/log/audit/
. + +To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 

Rationale:

Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-88226-6

References:  + 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030100, SV-230399r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
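Review bot: as aligned by the diff this hunk appears to swap the `chown root` remediation of the "Owned By Root" rule (CCE-88226-6) for the `chgrp` script, but the chown script is re-added in the following hunk, so what is really happening is the shell section moving below the Ansible snippet. Two points on the lines added here: `DIR=$(... | rev | cut -d"/" -f2- | rev)` reimplements what the removed lines did with `dirname "$FILE"`, and `dirname` is clearer and behaves better for a `log_file` value without a directory component (it yields `.` where the rev/cut form returns the file name itself); and `find ${DIR} -type d -exec chgrp ${GROUP} {} \;` should quote `"$DIR"` and `"$GROUP"`.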
@@ -65825,6 +65811,20 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
+    FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
+    LOGPATH="$(dirname "$FILE")"
+    chown root $LOGPATH
+else
+    chown root /var/log/audit
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   System Audit Logs Must Have Mode 0750 or Less Permissive   [ref]
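Review bot: the re-added "Owned By Root" remediation only changes the owner of the log directory itself (`chown root $LOGPATH` / `chown root /var/log/audit`), whereas the rule text says all audit directories must be root-owned and the sibling group-ownership script walks them with `find ... -type d`; use the same `find "$LOGPATH" -type d -exec chown root {} \;` so nested directories are covered, and quote `$LOGPATH`. The `grep -iw ^log_file` guard also lacks `-q`, so the matched config line is printed whenever the remediation runs.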

@@ -65925,22 +65925,7 @@

$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log".

Rationale:

If users can write to audit logs, audit trails can be modified or destroyed.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80819-6

References:  - 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5, 10.3.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, RHEL-08-030070, SV-230396r902733_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
-    FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
-else
-    FILE="/var/log/audit/audit.log"
-fi
-
-
-chmod 0600 $FILE
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
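Review bot: the 22 removed lines are the `chmod 0600` remediation for CCE-80819-6 (RHEL-08-030070), re-added verbatim in the next hunk, so this is a move rather than a removal; two points on the script survive the move: `chmod 0600 $FILE` should quote `"$FILE"` (a `log_file` value containing whitespace would otherwise be split), and `grep -iw ^log_file` lacks `-q`, so the matched line goes to stdout on every run.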
@@ -66080,6 +66065,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
+    FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
+else
+    FILE="/var/log/audit/audit.log"
+fi
+
+
+chmod 0600 $FILE
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Configure auditd Data Retention   Group contains 10 rules
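Review bot: `chmod 0600 $FILE` only touches the active log named by `log_file` (default /var/log/audit/audit.log); rotated logs in the same directory (audit.log.1 and so on) keep whatever mode they have, although the rule's rationale about users being able to modify or destroy audit trails applies to them equally. Consider `find "$(dirname "$FILE")" -type f -name "$(basename "$FILE")*" -exec chmod 0600 {} \;`, and quote `"$FILE"` in any case.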

[ref]   @@ -66129,71 +66129,47 @@ Determine which partition the audit records are being written to with the following command: -

$ sudo grep log_file /etc/audit/auditd.conf
-log_file = /var/log/audit/audit.log
- -Check the size of the partition that audit records are written to with the -following command: - -
$ sudo df -h /var/log/audit/
-/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit

Rationale:

Information stored in one location is vulnerable to accidental or incidental -deletion or alteration. Off-loading is a common process in information -systems with limited audit storage capacity.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-84005-8

References:  - CCI-001849, SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133, RHEL-08-030660, SV-230476r877391_rule

Rule   - Configure auditd Disk Error Action on Disk Error -   [ref]

The auditd service can be configured to take an action -when there is a disk error. -Edit the file /etc/audit/auditd.conf. Add or modify the following line, -substituting ACTION appropriately: -

disk_error_action = ACTION
-Set this value to single to cause the system to switch to single-user -mode for corrective action. Acceptable values also include syslog, -exec, single, and halt. For certain systems, the need for availability -outweighs the need to log all actions, and a different setting should be -determined. Details regarding all possible values for ACTION are described in the -auditd.conf man page.

Rationale:

Taking appropriate action in case of disk errors will minimize the possibility of -losing audit records.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-84046-2

References:  - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, RHEL-08-030040, SV-230390r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-var_auditd_disk_error_action='syslog|single|halt'
-
-
-#
-# If disk_error_action present in /etc/audit/auditd.conf, change value
-# to var_auditd_disk_error_action, else
-# add "disk_error_action = $var_auditd_disk_error_action" to /etc/audit/auditd.conf
-#
-var_auditd_disk_error_action="$(echo $var_auditd_disk_error_action | cut -d \| -f 1)"
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_error_action"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
-else
-    if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
-    fi
-    cce="CCE-84046-2"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
-    printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
-fi
+
$ sudo grep log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
-else - >&2 echo 'Remediation is not applicable, nothing was done' -fi -
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+Check the size of the partition that audit records are written to with the
+following command:
+
+
$ sudo df -h /var/log/audit/
+/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit

Rationale:

Information stored in one location is vulnerable to accidental or incidental +deletion or alteration. Off-loading is a common process in information +systems with limited audit storage capacity.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-84005-8

References:  + CCI-001849, SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133, RHEL-08-030660, SV-230476r877391_rule

Rule   + Configure auditd Disk Error Action on Disk Error +   [ref]

The auditd service can be configured to take an action +when there is a disk error. +Edit the file /etc/audit/auditd.conf. Add or modify the following line, +substituting ACTION appropriately: +

disk_error_action = ACTION
+Set this value to single to cause the system to switch to single-user +mode for corrective action. Acceptable values also include syslog, +exec, single, and halt. For certain systems, the need for availability +outweighs the need to log all actions, and a different setting should be +determined. Details regarding all possible values for ACTION are described in the +auditd.conf man page.

Rationale:

Taking appropriate action in case of disk errors will minimize the possibility of +losing audit records.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-84046-2

References:  + 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, RHEL-08-030040, SV-230390r627750_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
+        mode: 0640
+        path: /etc/audit/auditd.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
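Review bot: the Ignition file entry added in this hunk writes `+        mode: 0640` for /etc/audit/auditd.conf, which depends on the YAML loader treating a leading zero as octal; Ignition's `mode` is a plain integer field, so a YAML 1.2 parser would pass decimal 640 (0o1200) instead of 0o640 (decimal 416). The Kubernetes YAML path applies YAML 1.1 semantics and reads it as octal, but writing `mode: 416` or noting the octal assumption beside the entry would keep the file permissions from changing silently if the MachineConfig is reused with another loader.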
@@ -66240,64 +66216,37 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-

Rule   - Configure auditd Disk Full Action when Disk Space Is Full -   [ref]

The auditd service can be configured to take an action -when disk space is running low but prior to running out of space completely. -Edit the file /etc/audit/auditd.conf. Add or modify the following line, -substituting ACTION appropriately: -

disk_full_action = ACTION
-Set this value to single to cause the system to switch to single-user -mode for corrective action. Acceptable values also include syslog, - -exec, - -single, and halt. For certain systems, the need for availability -outweighs the need to log all actions, and a different setting should be -determined. Details regarding all possible values for ACTION are described in the -auditd.conf man page.

Rationale:

Taking appropriate action in case of a filled audit storage volume will minimize -the possibility of losing audit records.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-84045-4

References:  - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030060, SV-230392r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-var_auditd_disk_full_action='syslog|single|halt'
+var_auditd_disk_error_action='syslog|single|halt'
 
 
-var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)"
+#
+# If disk_error_action present in /etc/audit/auditd.conf, change value
+# to var_auditd_disk_error_action, else
+# add "disk_error_action = $var_auditd_disk_error_action" to /etc/audit/auditd.conf
+#
+var_auditd_disk_error_action="$(echo $var_auditd_disk_error_action | cut -d \| -f 1)"
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_error_action"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
 else
     if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
     fi
-    cce="CCE-84045-4"
+    cce="CCE-84046-2"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
     printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
 fi
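Review bot: `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` in the added disk_error_action block escapes only `/` before the value is spliced into the replacement side of `sed "s/^disk_error_action\\>.*/$escaped_formatted_output/gi"`; `&` and `\` are also special in a sed replacement, so a value containing either would be rewritten. The built-in choices (`syslog|single|halt`, reduced to `syslog` by `cut`) are safe, but `var_auditd_disk_error_action` is an XCCDF variable a profile can override, so escaping `&` as well (the usual `sed -e 's/[\/&]/\\&/g'` idiom) would make the template robust against operator-supplied values.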
@@ -66305,7 +66254,39 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Configure auditd Disk Full Action when Disk Space Is Full +   [ref]

The auditd service can be configured to take an action +when disk space is running low but prior to running out of space completely. +Edit the file /etc/audit/auditd.conf. Add or modify the following line, +substituting ACTION appropriately: +

disk_full_action = ACTION
+Set this value to single to cause the system to switch to single-user +mode for corrective action. Acceptable values also include syslog, + +exec, + +single, and halt. For certain systems, the need for availability +outweighs the need to log all actions, and a different setting should be +determined. Details regarding all possible values for ACTION are described in the +auditd.conf man page.

Rationale:

Taking appropriate action in case of a filled audit storage volume will minimize +the possibility of losing audit records.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-84045-4

References:  + 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030060, SV-230392r627750_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
+        mode: 0640
+        path: /etc/audit/auditd.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
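Review bot: the description re-added for "Configure auditd Disk Full Action when Disk Space Is Full" contradicts its own title: `+when disk space is running low but prior to running out of space completely` describes the space_left threshold, while `disk_full_action` is the action auditd takes once the partition holding the logs is actually full (auditd.conf(5)). Suggest "when the partition that audit records are written to becomes full". The same paragraph also names `single` twice ("Set this value to single ... Acceptable values also include syslog, exec, single, and halt"); dropping the second mention reads cleaner.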
@@ -66352,63 +66333,49 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-

Rule   - Configure auditd mail_acct Action on Low Disk Space -   [ref]

The auditd service can be configured to send email to -a designated account in certain situations. Add or correct the following line -in /etc/audit/auditd.conf to ensure that administrators are notified -via email for those situations: -

action_mail_acct = root

Rationale:

Email sent to the root account is typically aliased to the -administrators of the system, who can take appropriate action.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80678-6

References:  - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134, RHEL-08-030020, 4.1.2.3, SV-230388r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-var_auditd_action_mail_acct='root'
+var_auditd_disk_full_action='syslog|single|halt'
 
 
-AUDITCONFIG=/etc/audit/auditd.conf
+var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)"
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then
+if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+    LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
 else
-    if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+    if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
     fi
-    cce="CCE-80678-6"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
-    printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+    cce="CCE-84045-4"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
 fi
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Configure auditd mail_acct Action on Low Disk Space +   [ref]

The auditd service can be configured to send email to +a designated account in certain situations. Add or correct the following line +in /etc/audit/auditd.conf to ensure that administrators are notified +via email for those situations: +

action_mail_acct = root

Rationale:

Email sent to the root account is typically aliased to the +administrators of the system, who can take appropriate action.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80678-6

References:  + 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134, RHEL-08-030020, 4.1.2.3, SV-230388r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
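Review bot: in the disk_full_action shell remediation added here, `var_auditd_disk_full_action='syslog|single|halt'` followed by `cut -d \| -f 1` applies `syslog`, the least disruptive of the three alternatives, while the rule text tells the reader to set `single` for single-user mode. A one-line comment saying that the first alternative is the one written (the disk_error_action block in the earlier hunk at least carries an "If ... present ... change value" comment header; this block has none) would make the script's actual effect obvious to anyone copying it from the guide.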
@@ -66458,53 +66425,32 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Configure auditd space_left Action on Low Disk Space -   [ref]

The auditd service can be configured to take an action -when disk space starts to run low. -Edit the file /etc/audit/auditd.conf. Modify the following line, -substituting ACTION appropriately: -

space_left_action = ACTION
-Possible values for ACTION are described in the auditd.conf man page. -These include: -
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
-Set this to email (instead of the default, -which is suspend) as it is more likely to get prompt attention. Acceptable values -also include suspend, single, and halt.

Rationale:

Notifying administrators of an impending disk space problem may -allow them to take corrective action prior to any disruption.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80684-4

References:  - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, RHEL-08-030731, 4.1.2.3, SV-244543r877389_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-var_auditd_space_left_action='email'
-
+var_auditd_action_mail_acct='root'
 
-#
-# If space_left_action present in /etc/audit/auditd.conf, change value
-# to var_auditd_space_left_action, else
-# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
-#
 
 AUDITCONFIG=/etc/audit/auditd.conf
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_space_left_action"
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then
+if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+    LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
     if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
     fi
-    cce="CCE-80684-4"
+    cce="CCE-80678-6"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
     printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
@@ -66512,7 +66458,36 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+

Rule   + Configure auditd space_left Action on Low Disk Space +   [ref]

The auditd service can be configured to take an action +when disk space starts to run low. +Edit the file /etc/audit/auditd.conf. Modify the following line, +substituting ACTION appropriately: +

space_left_action = ACTION
+Possible values for ACTION are described in the auditd.conf man page. +These include: +
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
+Set this to email (instead of the default, +which is suspend) as it is more likely to get prompt attention. Acceptable values +also include suspend, single, and halt.

Rationale:

Notifying administrators of an impending disk space problem may +allow them to take corrective action prior to any disruption.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80684-4

References:  + 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, RHEL-08-030731, 4.1.2.3, SV-244543r877389_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
+        mode: 0640
+        path: /etc/audit/auditd.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
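Review bot: the re-added space_left_action description claims the default is `suspend` ("Set this to email (instead of the default, which is suspend)"); the auditd.conf shipped with the audit package on RHEL 8 sets `space_left_action = SYSLOG`, so this sentence should be checked against auditd.conf(5) for the targeted version before publishing. The closing sentence "Acceptable values also include suspend, single, and halt" also repeats entries from the bulleted list directly above it; one of the two could go.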
@@ -66567,20 +66542,45 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+var_auditd_space_left_action='email'
+
+
+#
+# If space_left_action present in /etc/audit/auditd.conf, change value
+# to var_auditd_space_left_action, else
+# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
+#
+
+AUDITCONFIG=/etc/audit/auditd.conf
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_space_left_action"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+else
+    if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+    fi
+    cce="CCE-80684-4"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
+    printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure auditd space_left on Low Disk Space   [ref]

The auditd service can be configured to take an action @@ -66592,20 +66592,7 @@ notify the user of an issue.

Rationale:

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86055-1

References:  - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, RHEL-08-030730, SV-230483r877389_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-var_auditd_space_left_percentage='25'
-
-
-grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
-  sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \
-  echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
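Review bot: the space_left shell remediation being moved out of this position (`grep -q "^space_left[[:space:]]*=.*$" ... || echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf`) appends with a bare `echo` and has no trailing-newline guard, unlike the space_left_action script at the top of this patch, which runs `sed -i --follow-symlinks '$a'\\` before appending; if auditd.conf ends without a newline the new key is glued onto the previous line and neither setting takes effect. Since the block is only moving, this is the moment to give both space_left rules the same guard (or the same stripped_key helper) so they behave identically.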
@@ -66654,34 +66641,40 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   - Include Local Events in Audit Logs -   [ref]

To configure Audit daemon to include local events in Audit logs, set -local_events to yes in /etc/audit/auditd.conf. -This is the default setting.

Rationale:

If option local_events isn't set to yes only events from -network will be aggregated.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82233-8

References:  - CCI-000366, CM-6, FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227, RHEL-08-030061, SV-230393r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
-if [ -e "/etc/audit/auditd.conf" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf"
-else
-    touch "/etc/audit/auditd.conf"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/audit/auditd.conf"
+var_auditd_space_left_percentage='25'
 
-cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
-# Insert at the end of the file
-printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf"
-# Clean up after ourselves.
-rm "/etc/audit/auditd.conf.bak"
+
+grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+  sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \
+  echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Include Local Events in Audit Logs +   [ref]

To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting.

Rationale:

If option local_events isn't set to yes only events from +network will be aggregated.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82233-8

References:  + CCI-000366, CM-6, FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227, RHEL-08-030061, SV-230393r627750_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
+        mode: 0640
+        path: /etc/audit/auditd.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
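Review bot: the MachineConfig added for the local_events rule replaces the whole of /etc/audit/auditd.conf with `overwrite: true`, and its data: URL still carries unexpanded template variables: `%7B%7B.var_auditd_flush%7D%7D` decodes to `{{.var_auditd_flush}}`, and the same holds for max_log_file, num_logs, max_log_file_action, space_left, space_left_action, action_mail_acct, disk_full_action and disk_error_action. A reader who copies this snippet from the published guide ends up with literal `flush = {{.var_auditd_flush}}` lines, which auditd rejects as invalid values; either render the selected values into the published HTML or state next to the snippet that it is a template consumed by the compliance operator. Because one whole-file template serves every auditd.conf rule (the identical blob reappears under the log_format and name_format rules later in this patch), the per-rule remediations are not independent: whichever MachineConfig is applied last decides all of these settings, including the hard-coded `admin_space_left = 50` and `admin_space_left_action = syslog` that no rule on this page claims to set.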
@@ -66737,34 +66730,12 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-

Rule   - Resolve information before writing to audit logs -   [ref]

To configure Audit daemon to resolve all uid, gid, syscall, -architecture, and socket address information before writing the -events to disk, set log_format to ENRICHED -in /etc/audit/auditd.conf.

Rationale:

If option log_format isn't set to ENRICHED, the -audit records will be stored in a format exactly as the kernel sends them.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-82201-5

References:  - CCI-000366, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, RHEL-08-030063, SV-230395r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 if [ -e "/etc/audit/auditd.conf" ] ; then
     
-    LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf"
+    LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf"
 else
     touch "/etc/audit/auditd.conf"
 fi
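Review bot: in the local_events shell script, `cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"` is followed a few lines later by an unconditional `rm "/etc/audit/auditd.conf.bak"`, with nothing in between that could ever restore it, so the backup provides no rollback; either drop the copy or keep the file until the write has been verified. In the `else` branch, `touch "/etc/audit/auditd.conf"` creates the config with the caller's umask (normally 0644) while the MachineConfig in the same patch installs it with `mode: 0640`; create it with `install -m 0640 /dev/null /etc/audit/auditd.conf` (or chmod after the touch) so a freshly created audit configuration is not world-readable. The `I` flag on the sed address is GNU-only, which is fine for RHEL but worth a comment since these scripts are copied around.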
@@ -66773,13 +66744,35 @@
 
 cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
 # Insert at the end of the file
-printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf"
+printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf"
 # Clean up after ourselves.
 rm "/etc/audit/auditd.conf.bak"
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Resolve information before writing to audit logs +   [ref]

To configure Audit daemon to resolve all uid, gid, syscall, +architecture, and socket address information before writing the +events to disk, set log_format to ENRICHED +in /etc/audit/auditd.conf.

Rationale:

If option log_format isn't set to ENRICHED, the +audit records will be stored in a format exactly as the kernel sends them.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-82201-5

References:  + CCI-000366, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, RHEL-08-030063, SV-230395r627750_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
+        mode: 0640
+        path: /etc/audit/auditd.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
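Review bot: the heading `Remediation script:   (show)` used for this MachineConfig carries no type, and later in this patch the same untyped heading sits over the osbuild blueprint fragments (`[[packages]]`, `[customizations.kernel]`), while every neighbouring heading does name its type (`Remediation Shell script`, `Remediation Ansible snippet`, `Remediation Puppet snippet`, `Remediation Anaconda snippet`). Label these as Kubernetes (MachineConfig) and Blueprint in the rendered guide so a reader can tell a cluster manifest from an image-build fragment; without that label the `Reboot:true` on this block next to `Reboot:false` on the shell script for the same log_format rule reads like a contradiction rather than a property of MachineConfig rollout.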
@@ -66837,7 +66830,39 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+if [ -e "/etc/audit/auditd.conf" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf"
+else
+    touch "/etc/audit/auditd.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/audit/auditd.conf"
+
+cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf"
+# Clean up after ourselves.
+rm "/etc/audit/auditd.conf.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Rule   + Set type of computer node name logging in audit logs +   [ref]

To configure Audit daemon to use a unique identifier +as computer node name in the audit events, +set name_format to hostname|fqd|numeric +in /etc/audit/auditd.conf.

Warning:  + Whenever the variable
var_auditd_name_format
uses a multiple value option, for example +
A|B|C
, the first value will be used when remediating this rule.
Rationale:

If option name_format is left at its default value of +none, audit events from different computers may be hard +to distinguish.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82897-0

References:  + CCI-001851, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030062, SV-230394r877390_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:
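Review bot: the Warning for the name_format rule says that when `var_auditd_name_format` is `A|B|C` the first value is used, but the MachineConfig template in this patch does not consult the variable at all: its encoded body contains `name_format%20%3D%20hostname`, i.e. a hard-coded `name_format = hostname`, just as it hard-codes `log_format = ENRICHED`. A profile that tailors the variable to `fqd` or `numeric` will therefore get `hostname` from the Kubernetes remediation and the tailored value from the shell and Ansible remediations. Either template the value (`{{.var_auditd_name_format}}` split on `|`, as the Ansible task does) or extend the Warning to say the MachineConfig always writes `hostname`.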
@@ -66851,18 +66876,88 @@
         mode: 0640
         path: /etc/audit/auditd.conf
         overwrite: true
-

Rule   - Set type of computer node name logging in audit logs -   [ref]

To configure Audit daemon to use a unique identifier -as computer node name in the audit events, -set name_format to hostname|fqd|numeric -in /etc/audit/auditd.conf.

Warning:  - Whenever the variable
var_auditd_name_format
uses a multiple value option, for example -
A|B|C
, the first value will be used when remediating this rule.
Rationale:

If option name_format is left at its default value of -none, audit events from different computers may be hard -to distinguish.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82897-0

References:  - CCI-001851, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030062, SV-230394r877390_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-82897-0
+  - DISA-STIG-RHEL-08-030062
+  - NIST-800-53-AU-3
+  - NIST-800-53-CM-6
+  - auditd_name_format
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+- name: XCCDF Value var_auditd_name_format # promote to variable
+  set_fact:
+    var_auditd_name_format: !!str hostname|fqd|numeric
+  tags:
+    - always
+
+- name: Set type of computer node name logging in audit logs - Define Value to Be
+    Used in the Remediation
+  ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0]
+    }}"
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-82897-0
+  - DISA-STIG-RHEL-08-030062
+  - NIST-800-53-AU-3
+  - NIST-800-53-CM-6
+  - auditd_name_format
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Set type of computer node name logging in audit logs
+  block:
+
+  - name: Check for duplicate values
+    lineinfile:
+      path: /etc/audit/auditd.conf
+      create: true
+      regexp: (?i)^\s*name_format\s*=\s*
+      state: absent
+    check_mode: true
+    changed_when: false
+    register: dupes
+
+  - name: Deduplicate values from /etc/audit/auditd.conf
+    lineinfile:
+      path: /etc/audit/auditd.conf
+      create: true
+      regexp: (?i)^\s*name_format\s*=\s*
+      state: absent
+    when: dupes.found is defined and dupes.found > 1
+
+  - name: Insert correct line to /etc/audit/auditd.conf
+    lineinfile:
+      path: /etc/audit/auditd.conf
+      create: true
+      regexp: (?i)^\s*name_format\s*=\s*
+      line: name_format = {{ auditd_name_format_split }}
+      state: present
+  when:
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-82897-0
+  - DISA-STIG-RHEL-08-030062
+  - NIST-800-53-AU-3
+  - NIST-800-53-CM-6
+  - auditd_name_format
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
 
 var_auditd_name_format='hostname|fqd|numeric'
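Review bot: the metadata for the name_format rule disagrees between its remediations: the shell script header says `Reboot:true` while the Ansible snippet for the same rule says `Reboot:false` and tags `no_reboot_needed`. Editing auditd.conf does not need a reboot, and the log_format and local_events shell scripts in this patch say `Reboot:false` for the same kind of edit, so the shell header looks like the error; the overflow_action rule further down has the identical mismatch. Separately, the Ansible tasks gate on `ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]` whereas the shell script gates on `/.dockerenv` and `/run/.containerenv`; the two detections are not equivalent, so the shell and Ansible paths can disagree about whether the rule applies on the same host. Document which detection is authoritative or align them.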
@@ -66888,101 +66983,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
-  package_facts:
-    manager: auto
-  tags:
-  - CCE-82897-0
-  - DISA-STIG-RHEL-08-030062
-  - NIST-800-53-AU-3
-  - NIST-800-53-CM-6
-  - auditd_name_format
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-- name: XCCDF Value var_auditd_name_format # promote to variable
-  set_fact:
-    var_auditd_name_format: !!str hostname|fqd|numeric
-  tags:
-    - always
-
-- name: Set type of computer node name logging in audit logs - Define Value to Be
-    Used in the Remediation
-  ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0]
-    }}"
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-82897-0
-  - DISA-STIG-RHEL-08-030062
-  - NIST-800-53-AU-3
-  - NIST-800-53-CM-6
-  - auditd_name_format
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-
-- name: Set type of computer node name logging in audit logs
-  block:
-
-  - name: Check for duplicate values
-    lineinfile:
-      path: /etc/audit/auditd.conf
-      create: true
-      regexp: (?i)^\s*name_format\s*=\s*
-      state: absent
-    check_mode: true
-    changed_when: false
-    register: dupes
-
-  - name: Deduplicate values from /etc/audit/auditd.conf
-    lineinfile:
-      path: /etc/audit/auditd.conf
-      create: true
-      regexp: (?i)^\s*name_format\s*=\s*
-      state: absent
-    when: dupes.found is defined and dupes.found > 1
-
-  - name: Insert correct line to /etc/audit/auditd.conf
-    lineinfile:
-      path: /etc/audit/auditd.conf
-      create: true
-      regexp: (?i)^\s*name_format\s*=\s*
-      line: name_format = {{ auditd_name_format_split }}
-      state: present
-  when:
-  - '"audit" in ansible_facts.packages'
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-82897-0
-  - DISA-STIG-RHEL-08-030062
-  - NIST-800-53-AU-3
-  - NIST-800-53-CM-6
-  - auditd_name_format
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
 

Rule   Appropriate Action Must be Setup When the Internal Audit Event Queue is Full   [ref]

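Review bot: this hunk removes 101 lines and adds 6, yet every removed line (the name_format Ansible tasks and the MachineConfig) reappears verbatim earlier in this patch; nothing about the rule changed, only the order in which its remediation blocks are emitted. Hunks like this are what an automated publish produces when the generator walks remediation types in a different order than the previous run, and they bury any real content change under thousands of moved lines that no reviewer can realistically compare. Make the generator's block ordering stable (sort remediations by type name before rendering) so a publish diff shows only what actually changed.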
The audit system should have an action setup in the event the internal event queue becomes full. @@ -66990,28 +66990,7 @@ to one of the following values: syslog, single, halt.

Rationale:

The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85889-4

References:  - CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030700, SV-230480r877390_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
-
-if [ -e "/etc/audit/auditd.conf" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf"
-else
-    touch "/etc/audit/auditd.conf"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/audit/auditd.conf"
-
-cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
-# Insert at the end of the file
-printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf"
-# Clean up after ourselves.
-rm "/etc/audit/auditd.conf.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030700, SV-230480r877390_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
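Review bot: the added line `+            CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030700, SV-230480r877390_rule` is a whitespace-only re-indentation of the references already shown a few lines above as `References:  - CCI-001851, AU-4(1), ...`; mixing indentation churn into a publish diff made of moved blocks makes it impossible to spot a genuine reference change. On the rule itself: the description says the queue-full action must be one of `syslog, single, halt`, but the removed shell script hard-codes `overflow_action = syslog` with no XCCDF variable, unlike the space_left_action script at the top of this patch which exposes `var_auditd_space_left_action`. Expose a variable here too so a profile that wants `single` or `halt` does not have to patch the generated script.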
@@ -67066,24 +67045,37 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+
+if [ -e "/etc/audit/auditd.conf" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf"
+else
+    touch "/etc/audit/auditd.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/audit/auditd.conf"
+
+cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf"
+# Clean up after ourselves.
+rm "/etc/audit/auditd.conf.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure the audit Subsystem is Installed   [ref]

The audit package should be installed.

Rationale:

The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-81043-2

References:  - BP28(R33), BP28(R73), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.1, 10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, RHEL-08-030180, 4.1.1.1, SV-230411r744000_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=audit
+
Remediation script:   (show)


 [[packages]]
 name = "audit"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "audit" ; then
-    yum install -y "audit"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_audit
 
 class install_audit {
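Review bot: in the package remediation, `yum install -y "audit"` runs with no check of its exit status and is the last statement before `fi`, so a failed install (no repository, no network, GPG check failure) exits 0 and only the next scan would notice; propagate the yum exit code so an orchestrator can see the failure. The applicability guard correctly drops the `rpm --quiet -q audit` test that every other script here carries, since the package is what is being installed, but the check inside the script is spelled `rpm -q --quiet "audit"` while the rest of the patch uses `rpm --quiet -q audit`; they are the same test, so pick one spelling for grep-ability.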
@@ -67114,8 +67106,16 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=audit
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "audit" ; then
+    yum install -y "audit"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable auditd Service   [ref]

The auditd service is an essential userspace component of 
@@ -67135,17 +67135,17 @@ BP28(R33), BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, 10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, 
SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310, RHEL-08-030181, 4.1.1.2, SV-244542r818838_rule

Remediation script:   (show)


 [customizations.services]
 enabled = ["auditd"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q audit; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'auditd.service'
-"$SYSTEMCTL_EXEC" start 'auditd.service'
-"$SYSTEMCTL_EXEC" enable 'auditd.service'
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+
Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_auditd
 
 class enable_auditd {
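Review bot: the enable-auditd shell script runs `unmask`, `start` and `enable` back to back and ignores all three exit codes, so a failure of `"$SYSTEMCTL_EXEC" start 'auditd.service'`, typical when the remediation runs in a chroot or an image build where systemd is not PID 1, is silent and the script still exits 0. Check each call, or at least run `enable` before `start` so the persistent part of the remediation succeeds even when starting is impossible in the current environment. The companion MachineConfig only sets `enabled: true`, which is the right minimal state for a node that is rebooted anyway, so the two are not inconsistent, but the shell script should not claim success it did not verify.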
@@ -67224,17 +67224,17 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q audit; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable Auditing for Processes Which Start Prior to the Audit Daemon   [ref]

Remediation script:   (show)

[customizations.kernel]
 append = "audit=1"
-
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
-
-grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -67305,6 +67297,14 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
+
+grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

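Review bot: the re-added shell script for the `audit=1` kernel argument has no Complexity/Disruption/Reboot/Strategy header, although the Ansible snippet for the same rule states `Reboot:true`; a reader who applies the shell variant (`grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv`) gets no indication that the change only takes effect after a reboot. The same omission applies to the audit_backlog_limit, pti=on and vsyscall=none shell scripts below; the generator should emit the metadata header for every remediation type, not only for the service and package ones.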
Rule   Extend Audit Backlog Limit for the Audit Daemon   [ref]

Remediation script:   (show)

[customizations.kernel]
 append = "audit_backlog_limit=8192"
-
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
-
-grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -67361,6 +67353,14 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
+
+grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   GRUB2 bootloader configuration   Group contains 2 groups and 6 rules

[ref]   @@ -67491,15 +67491,7 @@ CCE-82194-2

References:  BP28(R8), CCI-000381, SI-16, SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049, RHEL-08-040004, SV-230491r818842_rule

Remediation script:   (show)

[customizations.kernel]
 append = "pti=on"
-
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
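Review bot: the platform guard in the pti=on shell script is spelled `if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then`, whereas the audit=1 and audit_backlog_limit scripts above spell the same condition `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then`. The two are logically equivalent (all three tests must hold), but emitting two forms of one guard from the generator is a style wart and makes searching the guide for the guard unreliable; pick one form. Otherwise this hunk is the same reorder as the earlier ones: the shell script is removed before the Ansible snippet here and re-added after it, unchanged, in the next hunk.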
@@ -67528,6 +67520,14 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable vsyscalls   [ref]

To disable use of virtual syscalls, @@ -67543,15 +67543,7 @@ CCE-80946-7

References:  CCI-001084, CM-7(a), FPT_ASLR_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010422, SV-230278r792886_rule

Remediation script:   (show)

[customizations.kernel]
 append = "vsyscall=none"
-
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -67580,6 +67572,14 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Configure Syslog   Group contains 2 groups and 9 rules

[ref]   @@ -67654,30 +67654,7 @@ configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86339-9

References:  - CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030720, SV-230482r877390_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2> /dev/null
-
-if [ -e "/etc/rsyslog.d/stream_driver_auth.conf" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode /Id" "/etc/rsyslog.d/stream_driver_auth.conf"
-else
-    touch "/etc/rsyslog.d/stream_driver_auth.conf"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/rsyslog.d/stream_driver_auth.conf"
-
-cp "/etc/rsyslog.d/stream_driver_auth.conf" "/etc/rsyslog.d/stream_driver_auth.conf.bak"
-# Insert at the end of the file
-printf '%s\n' "\$ActionSendStreamDriverAuthMode x509/name" >> "/etc/rsyslog.d/stream_driver_auth.conf"
-# Clean up after ourselves.
-rm "/etc/rsyslog.d/stream_driver_auth.conf.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure Rsyslog Authenticates Off-Loaded Audit Records
+            CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030720, SV-230482r877390_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure Rsyslog Authenticates Off-Loaded Audit Records
   block:
 
   - name: Deduplicate values from /etc/rsyslog.conf
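Review bot: besides moving the `$ActionSendStreamDriverAuthMode` shell script below the Ansible snippet, this hunk re-emits the References line with only its leading whitespace changed (`References:  - CCI-001851, AU-4(1), ...` becomes an indented `+            CCI-001851, AU-4(1), ...`); the same indentation-only churn recurs for the remote-access-monitoring and remote-loghost rules further down. If the reference template changed on purpose, fine, but whitespace-only rewrites of generated HTML should be kept out of an automated publish because they bury the hunks that matter.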
@@ -67728,40 +67705,42 @@
   - medium_severity
   - no_reboot_needed
   - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
-

Rule   - Ensure Rsyslog Encrypts Off-Loaded Audit Records -   [ref]

Rsyslogd is a system utility providing support for message logging. Support -for both internet and UNIX domain sockets enables this utility to support both local -and remote logging. Couple this utility with gnutls (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to securely -encrypt and off-load auditing. - -When using rsyslogd to off-load logs off a encrpytion system must be used.

Rationale:

The audit records generated by Rsyslog contain valuable information regarding system -configuration, user authentication, and other such information. Audit records should be -protected from unauthorized access.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-86098-1

References:  - CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r877390_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then
+sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2> /dev/null
+
+if [ -e "/etc/rsyslog.d/stream_driver_auth.conf" ] ; then
     
-    LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode /Id" "/etc/rsyslog.d/encrypt.conf"
+    LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode /Id" "/etc/rsyslog.d/stream_driver_auth.conf"
 else
-    touch "/etc/rsyslog.d/encrypt.conf"
+    touch "/etc/rsyslog.d/stream_driver_auth.conf"
 fi
 # make sure file has newline at the end
-sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf"
+sed -i -e '$a\' "/etc/rsyslog.d/stream_driver_auth.conf"
 
-cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak"
+cp "/etc/rsyslog.d/stream_driver_auth.conf" "/etc/rsyslog.d/stream_driver_auth.conf.bak"
 # Insert at the end of the file
-printf '%s\n' "\$ActionSendStreamDriverMode 1" >> "/etc/rsyslog.d/encrypt.conf"
+printf '%s\n' "\$ActionSendStreamDriverAuthMode x509/name" >> "/etc/rsyslog.d/stream_driver_auth.conf"
 # Clean up after ourselves.
-rm "/etc/rsyslog.d/encrypt.conf.bak"
+rm "/etc/rsyslog.d/stream_driver_auth.conf.bak"
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records
+

Rule   + Ensure Rsyslog Encrypts Off-Loaded Audit Records +   [ref]

Rsyslogd is a system utility providing support for message logging. Support +for both internet and UNIX domain sockets enables this utility to support both local +and remote logging. Couple this utility with gnutls (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to securely +encrypt and off-load auditing. + +When using rsyslogd to off-load logs off a encrpytion system must be used.

Rationale:

The audit records generated by Rsyslog contain valuable information regarding system +configuration, user authentication, and other such information. Audit records should be +protected from unauthorized access.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-86098-1

References:  + CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r877390_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records
   block:
 
   - name: Deduplicate values from /etc/rsyslog.conf
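Review bot: the description for CCE-86098-1 (`When using rsyslogd to off-load logs off a encrpytion system must be used.`) has the typo `encrpytion` and a garbled sentence; the sibling rule CCE-85992-6 below already reads `an encryption`, but the sentence is still broken there, and both should say in the source content that an encryption mechanism must be used when rsyslogd off-loads logs. Also note that, although the hunk renders as an in-place edit of one shell script (the `encrypt.conf` / `$ActionSendStreamDriverMode 1` lines replaced by `stream_driver_auth.conf` / `$ActionSendStreamDriverAuthMode x509/name` lines), it is two different scripts passing each other: the AuthMode script for CCE-86339-9 lands here after its own Ansible snippet and the Mode script for CCE-86098-1 moves to the following hunks. Compare each script with its own earlier copy, not with the lines the diff happens to pair it with.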
@@ -67812,24 +67791,12 @@
   - medium_severity
   - no_reboot_needed
   - rsyslog_encrypt_offload_actionsendstreamdrivermode
-

Rule   - Ensure Rsyslog Encrypts Off-Loaded Audit Records -   [ref]

Rsyslogd is a system utility providing support for message logging. Support -for both internet and UNIX domain sockets enables this utility to support both local -and remote logging. Couple this utility with gnutls (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to securely -encrypt and off-load auditing. - -When using rsyslogd to off-load logs off an encryption system must be used.

Rationale:

The audit records generated by Rsyslog contain valuable information regarding system -configuration, user authentication, and other such information. Audit records should be -protected from unauthorized access.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-85992-6

References:  - CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r877390_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then
     
-    LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf"
+    LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode /Id" "/etc/rsyslog.d/encrypt.conf"
 else
     touch "/etc/rsyslog.d/encrypt.conf"
 fi
@@ -67838,14 +67805,26 @@
 
 cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak"
 # Insert at the end of the file
-printf '%s\n' "\$DefaultNetstreamDriver gtls" >> "/etc/rsyslog.d/encrypt.conf"
+printf '%s\n' "\$ActionSendStreamDriverMode 1" >> "/etc/rsyslog.d/encrypt.conf"
 # Clean up after ourselves.
 rm "/etc/rsyslog.d/encrypt.conf.bak"
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records
+

Rule   + Ensure Rsyslog Encrypts Off-Loaded Audit Records +   [ref]

Rsyslogd is a system utility providing support for message logging. Support +for both internet and UNIX domain sockets enables this utility to support both local +and remote logging. Couple this utility with gnutls (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to securely +encrypt and off-load auditing. + +When using rsyslogd to off-load logs off an encryption system must be used.

Rationale:

The audit records generated by Rsyslog contain valuable information regarding system +configuration, user authentication, and other such information. Audit records should be +protected from unauthorized access.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-85992-6

References:  + CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r877390_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records
   block:
 
   - name: Deduplicate values from /etc/rsyslog.conf
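Review bot: two consecutive rules, CCE-86098-1 and CCE-85992-6, carry the identical title `Ensure Rsyslog Encrypts Off-Loaded Audit Records`, identical description and rationale text and the same STIG reference RHEL-08-030710, yet their remediations set different directives (`$ActionSendStreamDriverMode 1` versus `$DefaultNetstreamDriver gtls`). A reader of the rendered guide cannot tell them apart without opening the remediation; the titles, or at least the descriptions, should name the directive each rule enforces, as the Ansible tags `rsyslog_encrypt_offload_actionsendstreamdrivermode` and `rsyslog_encrypt_offload_defaultnetstreamdriver` already do.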
@@ -67896,6 +67875,27 @@
   - medium_severity
   - no_reboot_needed
   - rsyslog_encrypt_offload_defaultnetstreamdriver
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf"
+else
+    touch "/etc/rsyslog.d/encrypt.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf"
+
+cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "\$DefaultNetstreamDriver gtls" >> "/etc/rsyslog.d/encrypt.conf"
+# Clean up after ourselves.
+rm "/etc/rsyslog.d/encrypt.conf.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure remote access methods are monitored in Rsyslog   [ref]

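Review bot: the `$DefaultNetstreamDriver` script re-added here, like the `$ActionSendStreamDriverMode` script in the previous hunks, only strips a prior copy of its directive from its own `/etc/rsyslog.d/encrypt.conf`, whereas the `$ActionSendStreamDriverAuthMode` script first runs `sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf` to purge the directive from every config file. Without that sweep a pre-existing `$DefaultNetstreamDriver` in /etc/rsyslog.conf or another drop-in survives and the effective driver depends on which file rsyslog reads last; the three scripts should take the same approach. Minor: `cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak"` followed a few lines later by `rm "/etc/rsyslog.d/encrypt.conf.bak"` creates a backup that nothing uses in between, so both lines are dead code.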
Logging of remote access methods must be implemented to help identify cyber @@ -67911,37 +67911,7 @@ cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83426-7

References:  - CCI-000067, AC-17(1), SRG-OS-000032-GPOS-00013, RHEL-08-010070, SV-230228r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
-
-if [[ ! -f /etc/rsyslog.conf ]]; then
-	# Something is not right, create the file
-	touch /etc/rsyslog.conf
-fi
-
-APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf)
-
-# Loop through the remote methods associative array
-for K in "${!REMOTE_METHODS[@]}"
-do
-	# Check to see if selector/value exists
-	if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then
-		# Make sure we have a line to insert after, otherwise append to end
-		if [[ ! -z ${APPEND_LINE} ]]; then
-			# Add selector to file
-			sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf
-		else
-			echo "${K} /var/log/secure" >> /etc/rsyslog.conf
-		fi
-	fi
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: 'Ensure remote access methods are monitored in Rsyslog: Set facts'
+            CCI-000067, AC-17(1), SRG-OS-000032-GPOS-00013, RHEL-08-010070, SV-230228r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: 'Ensure remote access methods are monitored in Rsyslog: Set facts'
   set_fact:
     conf_files:
     - /etc/rsyslog.conf
@@ -68060,6 +68030,36 @@
   - medium_severity
   - no_reboot_needed
   - rsyslog_remote_access_monitoring
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
+
+if [[ ! -f /etc/rsyslog.conf ]]; then
+	# Something is not right, create the file
+	touch /etc/rsyslog.conf
+fi
+
+APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf)
+
+# Loop through the remote methods associative array
+for K in "${!REMOTE_METHODS[@]}"
+do
+	# Check to see if selector/value exists
+	if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then
+		# Make sure we have a line to insert after, otherwise append to end
+		if [[ ! -z ${APPEND_LINE} ]]; then
+			# Add selector to file
+			sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf
+		else
+			echo "${K} /var/log/secure" >> /etc/rsyslog.conf
+		fi
+	fi
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Rsyslog Logs Sent To Remote Host   Group contains 1 rule

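Review bot: in the remote-access-monitoring shell script re-added here, the compliance check `if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then` only tests that a selector such as `auth.*` appears on some non-comment line, with no check on where that line sends the messages, while the insert it guards always writes `${K} /var/log/secure`. A configuration that already routes auth.*, authpriv.* or daemon.* to a different file or to a remote host is therefore treated as compliant and left untouched; either the check should also match the destination, or the rule description should state that any destination is acceptable. The comment `# Check to see if selector/value exists` overstates what the grep does and should be corrected either way.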
[ref]   @@ -68124,7 +68124,32 @@ to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80863-4

References:  - BP28(R7), NT28(R43), NT12(R5), 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-8 R5.2, CIP-004-6 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, RHEL-08-030690, 4.2.1.6, SV-230479r917883_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+            BP28(R7), NT28(R43), NT12(R5), 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-8 R5.2, CIP-004-6 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, RHEL-08-030690, 4.2.1.6, SV-230479r917883_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
+  set_fact:
+    rsyslog_remote_loghost_address: !!str logcollector
+  tags:
+    - always
+
+- name: Set rsyslog remote loghost
+  lineinfile:
+    dest: /etc/rsyslog.conf
+    regexp: ^\*\.\*
+    line: '*.* @@{{ rsyslog_remote_loghost_address }}'
+    create: true
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80863-4
+  - DISA-STIG-RHEL-08-030690
+  - NIST-800-53-AU-4(1)
+  - NIST-800-53-AU-9(2)
+  - NIST-800-53-CM-6(a)
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+  - rsyslog_remote_loghost
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 rsyslog_remote_loghost_address='logcollector'
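Review bot: in the `Set rsyslog remote loghost` task, `lineinfile` with `regexp: ^\*\.\*` replaces the last existing line that begins with `*.*` instead of adding a new one, so an existing catch-all rule such as `*.* /var/log/all.log` would be overwritten by `*.* @@logcollector` and local logging through that rule silently stops. Anchoring the regexp to the forwarding form (for example `^\*\.\*\s+@@`) would confine the replacement to a previous remote-loghost line. Separately, `rsyslog_remote_loghost_address: !!str logcollector` and the shell `rsyslog_remote_loghost_address='logcollector'` both carry a placeholder hostname; the rule text should tell readers to tailor the XCCDF value before applying either remediation.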
@@ -68155,31 +68180,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
-  set_fact:
-    rsyslog_remote_loghost_address: !!str logcollector
-  tags:
-    - always
-
-- name: Set rsyslog remote loghost
-  lineinfile:
-    dest: /etc/rsyslog.conf
-    regexp: ^\*\.\*
-    line: '*.* @@{{ rsyslog_remote_loghost_address }}'
-    create: true
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80863-4
-  - DISA-STIG-RHEL-08-030690
-  - NIST-800-53-AU-4(1)
-  - NIST-800-53-AU-9(2)
-  - NIST-800-53-CM-6(a)
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - restrict_strategy
-  - rsyslog_remote_loghost
 

Rule   Ensure rsyslog-gnutls is installed   [ref]

TLS protocol support for rsyslog is installed. @@ -68189,20 +68189,12 @@ $ sudo yum install rsyslog-gnutls

Rationale:

The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82859-0

References:  - BP28(R43), CCI-000366, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061, RHEL-08-030680, SV-230478r744011_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=rsyslog-gnutls
+
Remediation script:   (show)


 [[packages]]
 name = "rsyslog-gnutls"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "rsyslog-gnutls" ; then
-    yum install -y "rsyslog-gnutls"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_rsyslog-gnutls
 
 class install_rsyslog-gnutls {
@@ -68224,27 +68216,27 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog-gnutls_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=rsyslog-gnutls
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "rsyslog-gnutls" ; then
+    yum install -y "rsyslog-gnutls"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure rsyslog is Installed   [ref]

Rsyslog is installed by default. The rsyslog package can be installed with the following command:

 $ sudo yum install rsyslog

Rationale:

The rsyslog package provides the rsyslog daemon, which provides system logging services.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80847-7

References:  - 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, RHEL-08-030670, 4.2.1.1, SV-230477r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=rsyslog
+
Remediation script:   (show)


 [[packages]]
 name = "rsyslog"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "rsyslog" ; then
-    yum install -y "rsyslog"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_rsyslog
 
 class install_rsyslog {
@@ -68267,8 +68259,16 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=rsyslog
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "rsyslog" ; then
+    yum install -y "rsyslog"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable rsyslog Service   [ref]

Remediation script:   (show)


 [customizations.services]
 enabled = ["rsyslog"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'rsyslog.service'
-"$SYSTEMCTL_EXEC" start 'rsyslog.service'
-"$SYSTEMCTL_EXEC" enable 'rsyslog.service'
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_rsyslog
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_rsyslog
 
 class enable_rsyslog {
   service {'rsyslog':
@@ -68299,7 +68288,7 @@
     ensure => 'running',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service rsyslog
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -68326,6 +68315,17 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'rsyslog.service'
+"$SYSTEMCTL_EXEC" start 'rsyslog.service'
+"$SYSTEMCTL_EXEC" enable 'rsyslog.service'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Network Configuration and Firewalls   Group contains 11 groups and 31 rules

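Review bot: the rsyslog enable shell script re-added here is guarded only by `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then`, while the equivalent auditd and firewalld scripts add `{ rpm --quiet -q audit; }` and `{ rpm --quiet -q firewalld; }` to the guard. Without the package test, `"$SYSTEMCTL_EXEC" unmask 'rsyslog.service'`, `start` and `enable` run on a host where rsyslog is not installed and fail with a non-zero status instead of reporting `Remediation is not applicable, nothing was done`; the guard should include `rpm --quiet -q rsyslog` for consistency with the other two service rules.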
[ref]   @@ -68437,20 +68437,12 @@ Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82998-6

References:  - CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, RHEL-08-040100, 3.4.1.1, SV-230505r854048_rule

Remediation script:   (show)


+            CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, RHEL-08-040100, 3.4.1.1, SV-230505r854048_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=firewalld
+
Remediation script:   (show)


 [[packages]]
 name = "firewalld"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "firewalld" ; then
-    yum install -y "firewalld"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_firewalld
 
 class install_firewalld {
@@ -68473,8 +68465,16 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=firewalld
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "firewalld" ; then
+    yum install -y "firewalld"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Verify firewalld Enabled   [ref]

Remediation script:   (show)


 [customizations.services]
 enabled = ["firewalld"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'firewalld.service'
-"$SYSTEMCTL_EXEC" start 'firewalld.service'
-"$SYSTEMCTL_EXEC" enable 'firewalld.service'
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_firewalld
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_firewalld
 
 class enable_firewalld {
   service {'firewalld':
@@ -68505,7 +68494,7 @@
     ensure => 'running',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -68561,6 +68550,17 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'firewalld.service'
+"$SYSTEMCTL_EXEC" start 'firewalld.service'
+"$SYSTEMCTL_EXEC" enable 'firewalld.service'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
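Review bot: the service script added here runs `"$SYSTEMCTL_EXEC" unmask`, `start` and `enable` in sequence without checking any exit status, so a failed `start` leaves the rule looking remediated while firewalld is down, and the script's own exit status reflects only the final `enable` call. Chain the calls (`"$SYSTEMCTL_EXEC" unmask 'firewalld.service' && "$SYSTEMCTL_EXEC" enable --now 'firewalld.service'`) or exit non-zero on failure so a remediation run surfaces the problem.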
Group   Strengthen the Default Ruleset   Group contains 3 rules

[ref]   @@ -68631,37 +68631,7 @@   [ref]

Firewalld can be configured with many backends, such as nftables.

Rationale:

Nftables is modern kernel module for controling network connections coming into a system. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86506-3

References:  - CCI-002385, SC-5, SRG-OS-000420-GPOS-00186, RHEL-08-040150, SV-230525r902735_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then
-
-if [ -e "/etc/firewalld/firewalld.conf" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf"
-else
-    touch "/etc/firewalld/firewalld.conf"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/firewalld/firewalld.conf"
-
-cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak"
-# Insert before the line matching the regex '^#\s*FirewallBackend'.
-line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^#\s*FirewallBackend', insert at
-    # the end of the file.
-    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
-else
-    head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf"
-    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
-    tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf"
-fi
-# Clean up after ourselves.
-rm "/etc/firewalld/firewalld.conf.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-002385, SC-5, SRG-OS-000420-GPOS-00186, RHEL-08-040150, SV-230525r902735_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
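Review bot: the rationale in this hunk reads `Nftables is modern kernel module for controling network connections`; it should read `Nftables is a modern kernel subsystem for controlling network connections` (missing article, "controlling" misspelled). The hunk header has also been rendered fused into the `[ref]` line, so this rule's title is not visible in the published diff.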
@@ -68719,6 +68689,36 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then
+
+if [ -e "/etc/firewalld/firewalld.conf" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf"
+else
+    touch "/etc/firewalld/firewalld.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/firewalld/firewalld.conf"
+
+cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak"
+# Insert before the line matching the regex '^#\s*FirewallBackend'.
+line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+    # There was no match of '^#\s*FirewallBackend', insert at
+    # the end of the file.
+    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
+else
+    head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf"
+    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
+    tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf"
+fi
+# Clean up after ourselves.
+rm "/etc/firewalld/firewalld.conf.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
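Review bot: `line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" ... | LC_ALL=C sed 's/:.*//g')"` has no `-m 1`, so a `firewalld.conf` that carries more than one commented `#FirewallBackend` line (a comment block plus a commented-out setting, for instance) produces a multi-line value, the `$(( line_number - 1 ))` arithmetic fails, and the `head`/`tail` splice does not run as intended, after the live file has already had its `FirewallBackend=` lines deleted by the earlier `sed -i`. Add `-m 1` (as the sysctl scripts in this same file do with `grep -q -m 1`) or `| head -n 1`, and consider assembling the new content in the `.bak` copy and moving it into place as the last step so an interrupted run cannot leave `/etc/firewalld/firewalld.conf` without a backend setting.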
Group   IPv6   Group contains 1 group and 7 rules

[ref]   @@ -68739,68 +68739,21 @@   [ref]

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0

Rationale:

An illicit router advertisement message could result in a man-in-the-middle attack.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-81006-9

References:  - 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, 3.3.9, SV-230541r858812_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files
-
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
-
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data
-      sed -i "s/^${escaped_entry}$/# &/g" $f
-    done <<< "$matching_list"
-  fi
-done
-
-#
-# Set sysctl config file which to save the desired value
-#
-
-SYSCONFIG_FILE="/etc/sysctl.conf"
-
-sysctl_net_ipv6_conf_all_accept_ra_value='0'
-
-
-#
-# Set runtime for net.ipv6.conf.all.accept_ra
-#
-/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value"
-
-#
-# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
-#
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
-else
-    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
-    fi
-    cce="CCE-81006-9"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
-    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+            11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, 3.3.9, SV-230541r858812_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv6.conf.all.accept_ra%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
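Review bot: the comment-out pattern `grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$'` has no word boundary, so it also matches, and comments out, any longer key whose name begins with `net.ipv6.conf.all.accept_ra` in `/etc/sysctl.d/*.conf`, silently altering settings this rule does not cover; the `/etc/sysctl.conf` search further down deliberately appends `\>` for exactly this reason (`so if we search for 'setting', 'setting2' won't match`). Use the same boundary in the loop (`\b` or `(?![\w.])` in the PCRE) and escape the dots. Separately, the description tells the reader to add the line to a file in `/etc/sysctl.d`, and the MachineConfig variant does write `/etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf`, but the Shell script persists the value in `SYSCONFIG_FILE="/etc/sysctl.conf"`; the description and the script should agree on where the setting ends up.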
@@ -68872,37 +68825,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv6_conf_all_accept_ra
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.all.accept_ra%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf
-        overwrite: true
-

Rule   - Disable Accepting ICMP Redirects for All IPv6 Interfaces -   [ref]

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81009-3

References:  - BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, 3.3.2, SV-230544r858820_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data
+      # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
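Review bot: `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf` runs without `nullglob`, so on a host where one of those directories has no `.conf` file the literal pattern is handed to `grep -P ... $f`, which prints a "No such file" error on every run; guard the loop body with `[ -f "$f" ] || continue` and quote `"$f"`. The paired `-net.ipv6.conf.all.accept_redirects` / `+net.ipv6.conf.all.accept_ra` lines in this hunk are the diff aligning the moved accept_ra block against the accept_redirects block, not an edit to either script.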
@@ -68914,37 +68848,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv6_conf_all_accept_redirects_value='0'
+sysctl_net_ipv6_conf_all_accept_ra_value='0'
 
 
 #
-# Set runtime for net.ipv6.conf.all.accept_redirects
+# Set runtime for net.ipv6.conf.all.accept_ra
 #
-/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value"
+/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value"
 
 #
-# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf
+# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81009-3"
+    cce="CCE-81006-9"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
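Review bot: `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` escapes only the `/` delimiter before the value is used as a sed replacement, so an `&` or `\` in a value would be expanded by sed; with the constant `0` here that is harmless, but since this block is a shared template, escape `&` and `\` as well. Likewise `grep -i` and the `gi` flags on the `sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/.../gi"` make the key match case-insensitive although sysctl keys are case-sensitive; dropping `-i`/`i` avoids rewriting a differently-cased line that sysctl would not have applied. The `-cce="CCE-81009-3"` / `+cce="CCE-81006-9"` pair is diff alignment between the two moved sections, not a change of identifier.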
@@ -68952,7 +68886,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Accepting ICMP Redirects for All IPv6 Interfaces +   [ref]

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81009-3

References:  + BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, 3.3.2, SV-230544r858820_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
@@ -69031,44 +68984,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv6_conf_all_accept_redirects
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces -   [ref]

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers -forward the packet along a different path than configured on the router, which can -be used to bypass network security measures. This requirement applies only to the -forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and -the system is functioning as a router. -

-Accepting source-routed packets in the IPv6 protocol has few legitimate -uses. It should be disabled unless it is absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81013-5

References:  - BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, 3.3.1, SV-230538r858801_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data
+      # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -69080,37 +69007,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv6_conf_all_accept_source_route_value='0'
+sysctl_net_ipv6_conf_all_accept_redirects_value='0'
 
 
 #
-# Set runtime for net.ipv6.conf.all.accept_source_route
+# Set runtime for net.ipv6.conf.all.accept_redirects
 #
-/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"
+/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value"
 
 #
-# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
+# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81013-5"
+    cce="CCE-81009-3"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -69118,7 +69045,33 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces +   [ref]

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers +forward the packet along a different path than configured on the router, which can +be used to bypass network security measures. This requirement applies only to the +forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and +the system is functioning as a router. +

+Accepting source-routed packets in the IPv6 protocol has few legitimate +uses. It should be disabled unless it is absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81013-5

References:  + BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, 3.3.1, SV-230538r858801_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
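Review bot: the rationale added in this hunk reads `forwarding of source-routerd traffic`; it should be `source-routed`. The same sentence says the requirement "applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router", while the rule itself sets `net.ipv6.conf.all.accept_source_route = 0` regardless of forwarding state, so either drop that qualification or state that the rule applies to all hosts.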
@@ -69191,39 +69144,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv6_conf_all_accept_source_route
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for IPv6 Forwarding -   [ref]

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0

Rationale:

IP forwarding permits the kernel to forward packets from one network -interface to another. The ability to forward packets between two networks is -only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82863-2

References:  - 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040260, 3.2.1, SV-230540r858810_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data
+      # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -69235,37 +69167,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv6_conf_all_forwarding_value='0'
+sysctl_net_ipv6_conf_all_accept_source_route_value='0'
 
 
 #
-# Set runtime for net.ipv6.conf.all.forwarding
+# Set runtime for net.ipv6.conf.all.accept_source_route
 #
-/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value"
+/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"
 
 #
-# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf
+# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-82863-2"
+    cce="CCE-81013-5"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
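Review bot: The only real deltas in this hunk are the key name and the `cce=` marker (`CCE-82863-2` becomes `CCE-81013-5`), which means the rendered guide reordered its rules and the line-based diff is now comparing the IPv6 forwarding script against the all-interfaces accept_source_route script rather than recording a change to either. Before merging an automated publish of this size, compare the generated XCCDF (ssg-rhel8-ds.xml) rule by rule, or diff the HTML with rule-level anchoring, so that a genuine template regression is not hidden inside 160k lines of reorder noise.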
@@ -69273,7 +69205,14 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for IPv6 Forwarding +   [ref]

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0

Rationale:

IP forwarding permits the kernel to forward packets from one network +interface to another. The ability to forward packets between two networks is +only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82863-2

References:  + 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040260, 3.2.1, SV-230540r858810_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
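Review bot: The rule description tells the reader to persist the setting in "a file in the directory /etc/sysctl.d", but the shell remediation that precedes it comments out every `net.ipv6.conf.all.forwarding` line it finds under /etc/sysctl.d, /run/sysctl.d and /usr/local/lib/sysctl.d and writes the value to /etc/sysctl.conf instead. An operator who follows the description and then runs the remediation will find their drop-in commented out. Either state in the description that the remediation manages /etc/sysctl.conf, or make the script leave a drop-in that already carries the correct value alone.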
@@ -69348,23 +69287,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv6_conf_all_forwarding
-

Rule   - Disable Accepting Router Advertisements on all IPv6 Interfaces by Default -   [ref]

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0

Rationale:

An illicit router advertisement message could result in a man-in-the-middle attack.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81007-7

References:  - 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, 3.3.9, SV-230542r858814_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data
+      # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
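Review bot: In the comment-out loop, `escaped_entry` escapes only `/` before the line is used as a basic regular expression in `sed -i "s/^${escaped_entry}$/# &/g" $f`; an entry containing `[`, `*` or `\` (for example a trailing comment such as `net.ipv6.conf.all.forwarding = 0 # see [RFC]`) yields an invalid or non-matching pattern and the line is silently left active. Escape all BRE metacharacters (`sed 's/[][\.*^$/]/\\&/g'`), quote `"$f"`, and set `shopt -s nullglob` (or test `-f "$f"`) so that an empty /run/sysctl.d or /usr/local/lib/sysctl.d does not hand the literal glob to grep.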
@@ -69376,37 +69310,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv6_conf_default_accept_ra_value='0'
+sysctl_net_ipv6_conf_all_forwarding_value='0'
 
 
 #
-# Set runtime for net.ipv6.conf.default.accept_ra
+# Set runtime for net.ipv6.conf.all.forwarding
 #
-/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value"
+/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value"
 
 #
-# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf
+# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81007-7"
+    cce="CCE-82863-2"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
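Review bot: `/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding=...` runs with no error check; the applicability test above only rules out containers, so on a host booted with `ipv6.disable=1` the key does not exist under /proc/sys, the write fails, and the script still appends the persistent entry to /etc/sysctl.conf, which then produces an error from `sysctl --system` on every boot. Guard the write (and the persistence step) with a test for `/proc/sys/net/ipv6/conf/all/forwarding`, or scope the rule's platform check to IPv6-enabled systems.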
@@ -69414,7 +69348,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default +   [ref]

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0

Rationale:

An illicit router advertisement message could result in a man-in-the-middle attack.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81007-7

References:  + 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, 3.3.9, SV-230542r858814_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv6.conf.default.accept_ra%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
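Review bot: The MachineConfig snippet that this hunk moves ahead of the Ansible remediation has no `metadata` block, so as rendered it cannot be applied: the Machine Config Operator needs a `metadata.name` and the `machineconfiguration.openshift.io/role` label (`worker` or `master`) to select a pool. Either render the snippet with a placeholder `metadata` section or add a sentence saying that the operator must supply name and role before `oc apply`.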
@@ -69487,37 +69440,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv6_conf_default_accept_ra
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.default.accept_ra%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces -   [ref]

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81010-1

References:  - BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, 3.3.2, SV-230535r858793_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data
+      # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
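Review bot: The comment-out pattern for this rule, `'^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$'`, has no terminator after the key, so it also matches the sibling sysctls `net.ipv6.conf.default.accept_ra_defrtr`, `accept_ra_pinfo`, `accept_ra_rtr_pref`, `accept_ra_mtu` and the other `accept_ra_*` keys; any of those that an administrator set in /etc/sysctl.d will be commented out by a remediation that is only meant to touch `accept_ra`. Anchor the key with a boundary and an optional `=`/whitespace, e.g. `'^(?!#)\s*net\.ipv6\.conf\.default\.accept_ra\s*='`, and escape the dots while at it. The /etc/sysctl.conf branch in the next hunk already uses `\>`, so the two paths currently disagree on what counts as a match.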
@@ -69529,37 +69463,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv6_conf_default_accept_redirects_value='0'
+sysctl_net_ipv6_conf_default_accept_ra_value='0'
 
 
 #
-# Set runtime for net.ipv6.conf.default.accept_redirects
+# Set runtime for net.ipv6.conf.default.accept_ra
 #
-/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value"
+/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value"
 
 #
-# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf
+# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81010-1"
+    cce="CCE-81007-7"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
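Review bot: `escaped_formatted_output` escapes only `/` before being used as the sed replacement text in `s/^net.ipv6.conf.default.accept_ra\>.*/$escaped_formatted_output/gi`; in a replacement, `&` and `\` are also special, so this template is only safe while the value is a bare number such as the `0` used here. Since the same generated block is reused for every sysctl rule, escape `&` and `\` as well (`sed -e 's/[\/&\\]/\\&/g'`), or delete the old line and append the new one with printf so no replacement escaping is needed.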
@@ -69567,7 +69501,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces +   [ref]

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0

Rationale:

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81010-1

References:  + BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, 3.3.2, SV-230535r858793_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
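Review bot: The Ignition data URL for this rule, `net.ipv6.conf.default.accept_redirects%20%3D%200%0A`, decodes to `key = 0` with spaces, whereas the accept_ra and accept_source_route snippets in the neighbouring hunks use `%3D0` (`key=0`). Both forms are accepted by sysctl, but the generated drop-ins should use one spelling so that a check or a human grep for `^key = 0` behaves the same across rules; pick one format in the template.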
@@ -69640,44 +69593,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv6_conf_default_accept_redirects
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default -   [ref]

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers -forward the packet along a different path than configured on the router, which can -be used to bypass network security measures. This requirement applies only to the -forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and -the system is functioning as a router. - -Accepting source-routed packets in the IPv6 protocol has few legitimate -uses. It should be disabled unless it is absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81015-0

References:  - BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, 1.4.2, SRG-OS-000480-GPOS-00227, RHEL-08-040250, 3.3.1, SV-230539r861085_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data
+      # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
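Review bot: "source-routerd" in the Rationale paragraph of the accept_source_route rule is a typo for "source-routed"; the same text is repeated in the moved copy later in the patch, so fix it in the rule's rule.yml rather than in the rendered HTML.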
@@ -69689,37 +69616,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv6_conf_default_accept_source_route_value='0'
+sysctl_net_ipv6_conf_default_accept_redirects_value='0'
 
 
 #
-# Set runtime for net.ipv6.conf.default.accept_source_route
+# Set runtime for net.ipv6.conf.default.accept_redirects
 #
-/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value"
+/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value"
 
 #
-# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
+# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81015-0"
+    cce="CCE-81010-1"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -69727,7 +69654,33 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default +   [ref]

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers +forward the packet along a different path than configured on the router, which can +be used to bypass network security measures. This requirement applies only to the +forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and +the system is functioning as a router. + +Accepting source-routed packets in the IPv6 protocol has few legitimate +uses. It should be disabled unless it is absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81015-0

References:  + BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, 1.4.2, SRG-OS-000480-GPOS-00227, RHEL-08-040250, 3.3.1, SV-230539r861085_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
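Review bot: `mode: 0644` in the MachineConfig snippet depends on the YAML parser reading the leading zero as octal: Kubernetes' YAML layer (YAML 1.1 semantics) does, but a YAML 1.2 parser reads `0644` as decimal 644, i.e. mode 01204, and the OpenShift documentation writes this field as the decimal `420` for exactly that reason. Emit `mode: 420` from the template so the snippet is unambiguous when copied into other tooling.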
@@ -69812,53 +69765,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv6_conf_default_accept_source_route
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf
-        overwrite: true
-
Group   - Kernel Parameters Which Affect Networking -   Group contains 2 groups and 9 rules

[ref]   - The sysctl utility is used to set -parameters which affect the operation of the Linux kernel. Kernel parameters -which affect networking and have security implications are described here.

Group   - Network Related Kernel Runtime Parameters for Hosts and Routers -   Group contains 7 rules

[ref]   - Certain kernel parameters should be set for systems which are -acting as either hosts or routers to improve the system's ability defend -against certain types of IPv4 protocol attacks.

Rule   - Disable Accepting ICMP Redirects for All IPv4 Interfaces -   [ref]

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more -direct route exists for a particular destination. These messages modify the -host's route table and are unauthenticated. An illicit ICMP redirect -message could result in a man-in-the-middle attack. -
-This feature of the IPv4 protocol has few legitimate uses. It should be -disabled unless absolutely required."

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80917-8

References:  - BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040279, 3.3.2, SV-244553r858818_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data
+      # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
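Review bot: The sysctl.d loop edits drop-ins with plain `sed -i "s/^${escaped_entry}$/# &/g" $f`, while the /etc/sysctl.conf edits in the following hunk use `sed -i --follow-symlinks`; if a drop-in under /etc/sysctl.d is a symlink, plain `sed -i` replaces the link with a regular file and the linked source keeps its active line. Use `--follow-symlinks` in both places and quote `"$f"`.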
@@ -69870,37 +69788,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv4_conf_all_accept_redirects_value='0'
+sysctl_net_ipv6_conf_default_accept_source_route_value='0'
 
 
 #
-# Set runtime for net.ipv4.conf.all.accept_redirects
+# Set runtime for net.ipv6.conf.default.accept_source_route
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value"
+/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value"
 
 #
-# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
+# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80917-8"
+    cce="CCE-81015-0"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
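Review bot: The only substantive changes in this hunk are the sysctl key and the CCE string (`cce="CCE-80917-8"` becomes `cce="CCE-81015-0"`); every other changed line is the same remediation template re-instantiated for `net.ipv6.conf.default.accept_source_route`, which indicates the rendered rules were reordered rather than edited. CCE-80917-8 appears later in this diff as the identifier of the IPv4 `all.accept_redirects` rule, so the old value matched its rule; CCE-81015-0 cannot be checked against an Identifiers line in this part of the diff, so confirm it against the IPv6 rule's block before publishing. The persistence logic is unchanged: the key is written to `/etc/sysctl.conf` with an exact-line `grep`/`sed` replacement guarded by `\>`, so a longer key that shares the prefix is not rewritten.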
@@ -69908,7 +69826,42 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+
Group   + Kernel Parameters Which Affect Networking +   Group contains 2 groups and 9 rules

[ref]   + The sysctl utility is used to set +parameters which affect the operation of the Linux kernel. Kernel parameters +which affect networking and have security implications are described here.

Group   + Network Related Kernel Runtime Parameters for Hosts and Routers +   Group contains 7 rules

[ref]   + Certain kernel parameters should be set for systems which are +acting as either hosts or routers to improve the system's ability defend +against certain types of IPv4 protocol attacks.

Rule   + Disable Accepting ICMP Redirects for All IPv4 Interfaces +   [ref]

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages modify the +host's route table and are unauthenticated. An illicit ICMP redirect +message could result in a man-in-the-middle attack. +
+This feature of the IPv4 protocol has few legitimate uses. It should be +disabled unless absolutely required."

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80917-8

References:  + BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040279, 3.3.2, SV-244553r858818_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
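Review bot: The rationale line `This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."` ends with a stray double quote; the same sentence in the `default.accept_redirects` rule further down in this diff has no quote, so the defect is in the rule description upstream and the generated HTML will keep reproducing it until it is fixed there. Separately, the Kubernetes `MachineConfig` remediation now precedes the Ansible snippet, whereas the copy removed in the next hunk had it after the Ansible tags; a hunk that replaces 7 lines with 42 to move unchanged content is a sign the section order is not deterministic between publish runs, and that churn makes real content changes hard to spot in these automated diffs.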
@@ -69987,44 +69940,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_conf_all_accept_redirects
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces -   [ref]

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers -forward the packet along a different path than configured on the router, -which can be used to bypass network security measures. This requirement -applies only to the forwarding of source-routerd traffic, such as when IPv4 -forwarding is enabled and the system is functioning as a router. -

-Accepting source-routed packets in the IPv4 protocol has few legitimate -uses. It should be disabled unless it is absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81011-9

References:  - BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040239, 3.3.1, SV-244551r858799_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data
+      # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
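Review bot: `source-routerd` in the removed rationale (`applies only to the forwarding of source-routerd traffic`) is a typo for `source-routed`; it reappears unchanged in the added copy of the same rule further down, so this publish neither introduces nor fixes it and it should be corrected in the rule source. The comment-out loop that follows scans only `/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf`, so a drop-in under `/usr/lib/sysctl.d` is never visited; the value written to `/etc/sysctl.conf` is applied after the drop-in directories by `sysctl --system`, so the intended value still wins at boot, but the untouched file keeps showing a conflicting line to anyone auditing the drop-ins. Pre-existing behaviour, not introduced by this hunk, but worth raising upstream.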
@@ -70036,37 +69963,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv4_conf_all_accept_source_route_value='0'
+sysctl_net_ipv4_conf_all_accept_redirects_value='0'
 
 
 #
-# Set runtime for net.ipv4.conf.all.accept_source_route
+# Set runtime for net.ipv4.conf.all.accept_redirects
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value"
+/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value"
 
 #
-# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
+# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81011-9"
+    cce="CCE-80917-8"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
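Review bot: No exit-status check is visible around the `sed -i --follow-symlinks` replacement or the two `printf ... >> "${SYSCONFIG_FILE}"` appends, and the runtime value has already been set by `/sbin/sysctl -q -n -w` before the file is touched, so a failed edit (read-only filesystem, immutable attribute) leaves the setting correct until the next reboot while the remediation still reports nothing. Consider checking the edit's return code and failing loudly, since `Reboot:true` on the rendered rule tells the operator the persistent copy is the one that matters. The `tail -c 1` guard that appends a newline before writing is correct and avoids gluing the new key onto an unterminated last line.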
@@ -70074,7 +70001,33 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces +   [ref]

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers +forward the packet along a different path than configured on the router, +which can be used to bypass network security measures. This requirement +applies only to the forwarding of source-routerd traffic, such as when IPv4 +forwarding is enabled and the system is functioning as a router. +

+Accepting source-routed packets in the IPv4 protocol has few legitimate +uses. It should be disabled unless it is absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81011-9

References:  + BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040239, 3.3.1, SV-244551r858799_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
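Review bot: The `MachineConfig` remediation persists the value in `/etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf` with `overwrite: true`, while the shell remediation for the same rule comments out every non-comment line matching the key in `/etc/sysctl.d/*.conf` and writes the value to `/etc/sysctl.conf` instead. Running the shell remediation on a node that already carries this MachineConfig would therefore comment out the line the MachineConfig declares, so the two remediation types for one rule fight over the same drop-in; the shell variant should treat a drop-in that already holds the desired value as compliant rather than rewriting it. The `source: data:,...%3D0%0A` encoding of `= 0` plus newline is correct.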
@@ -70153,44 +70106,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_conf_all_accept_source_route
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces -   [ref]

To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0

Warning:  - There might be cases when certain applications can systematically override this option. -One such case is Libvirt; a toolkit for managing of virtualization platforms. -By default, Libvirt requires IP forwarding to be enabled to facilitate -network communication between the virtualization host and guest -machines. It enables IP forwarding after every reboot.
Rationale:

IP forwarding permits the kernel to forward packets from one network -interface to another. The ability to forward packets between two networks is -only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-86220-1

References:  - CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040259, SV-250317r858808_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.all.forwarding from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.forwarding.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.all.forwarding" matches to preserve user data
+      # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
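Review bot: The removed `Remediation script` block (the `MachineConfig` with `path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf`) is not lost; the preceding hunk re-adds it verbatim before the Ansible snippet of the same rule, so this hunk is pure relocation. The rename of the shell remediation from `net.ipv4.conf.all.forwarding` to `net.ipv4.conf.all.accept_source_route` in the context below is the same reordering effect and carries no logic change.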
@@ -70202,37 +70129,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv4_conf_all_forwarding_value='0'
+sysctl_net_ipv4_conf_all_accept_source_route_value='0'
 
 
 #
-# Set runtime for net.ipv4.conf.all.forwarding
+# Set runtime for net.ipv4.conf.all.accept_source_route
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.all.forwarding="$sysctl_net_ipv4_conf_all_forwarding_value"
+/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value"
 
 #
-# If net.ipv4.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv4.conf.all.forwarding = value" to /etc/sysctl.conf
+# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.forwarding")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_forwarding_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-86220-1"
+    cce="CCE-81011-9"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -70240,7 +70167,19 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces +   [ref]

To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0

Warning:  + There might be cases when certain applications can systematically override this option. +One such case is Libvirt; a toolkit for managing of virtualization platforms. +By default, Libvirt requires IP forwarding to be enabled to facilitate +network communication between the virtualization host and guest +machines. It enables IP forwarding after every reboot.
Rationale:

IP forwarding permits the kernel to forward packets from one network +interface to another. The ability to forward packets between two networks is +only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-86220-1

References:  + CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040259, SV-250317r858808_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
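Review bot: The IPv4 forwarding rule is rendered with only an Ansible remediation; unlike the neighbouring `accept_redirects`, `accept_source_route` and `rp_filter` rules, no `MachineConfig` remediation is listed here or in the removed copy, so nodes managed through MachineConfig have no Kubernetes-native remediation for this rule. The Warning block already explains why the check may keep failing (Libvirt re-enables forwarding after every reboot); it would help operators if the rule text said whether such hosts should be waived rather than remediated. Minor: `a toolkit for managing of virtualization platforms` should read `a toolkit for managing virtualization platforms`.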
@@ -70303,27 +70242,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_conf_all_forwarding
-

Rule   - Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces -   [ref]

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1

Rationale:

Enabling reverse path filtering drops packets with source addresses -that should not have been able to be received on the interface they were -received on. It should not be used on systems which are routers for -complicated networks, but is helpful for end hosts and routers serving small -networks.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81021-8

References:  - BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, 1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040285, 3.3.7, SV-230549r858830_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.conf.all.forwarding from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.forwarding.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data
+      # comment out "net.ipv4.conf.all.forwarding" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -70335,37 +70265,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv4_conf_all_rp_filter_value='1'
+sysctl_net_ipv4_conf_all_forwarding_value='0'
 
 
 #
-# Set runtime for net.ipv4.conf.all.rp_filter
+# Set runtime for net.ipv4.conf.all.forwarding
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value"
+/sbin/sysctl -q -n -w net.ipv4.conf.all.forwarding="$sysctl_net_ipv4_conf_all_forwarding_value"
 
 #
-# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
+# If net.ipv4.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv4.conf.all.forwarding = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.forwarding")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_forwarding_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81021-8"
+    cce="CCE-86220-1"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
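Review bot: This hunk changes the configured value as well as the key (`sysctl_net_ipv4_conf_all_rp_filter_value='1'` becomes `sysctl_net_ipv4_conf_all_forwarding_value='0'`), which is expected only because two different rules' scripts are being swapped in position; the `rp_filter` rule still sets `1` and the `forwarding` rule still sets `0`, as the rendered rule text for each confirms. Anyone diffing these publish commits for real policy changes should compare per key, not per position, since a genuine value change for one key would look identical to this reordering noise.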
@@ -70373,7 +70303,30 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces +   [ref]

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1

Rationale:

Enabling reverse path filtering drops packets with source addresses +that should not have been able to be received on the interface they were +received on. It should not be used on systems which are routers for +complicated networks, but is helpful for end hosts and routers serving small +networks.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81021-8

References:  + BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, 1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040285, 3.3.7, SV-230549r858830_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.conf.all.rp_filter%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
@@ -70454,42 +70407,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_conf_all_rp_filter
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.rp_filter%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces -   [ref]

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more -direct route exists for a particular destination. These messages modify the -host's route table and are unauthenticated. An illicit ICMP redirect -message could result in a man-in-the-middle attack. -
This feature of the IPv4 protocol has few legitimate uses. It should -be disabled unless absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80919-4

References:  - BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, 1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040209, 3.3.2, SV-244550r858791_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data
+      # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
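Review bot: The -/+ pairs in this hunk (net.ipv4.conf.default.accept_redirects replaced by net.ipv4.conf.all.rp_filter in the comment-out loop) are a diff-alignment artifact, not a parameter change: the accept_redirects comment-out loop reappears unchanged as + lines further down this patch, so what actually changed is the position of the rule's remediation sections in the rendered guide. For a rendered-HTML publish diff of this size, regenerating it with git diff --diff-algorithm=patience (or histogram), or reviewing the section reorder at the source instead of in the rendered output, would make the real change reviewable.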
@@ -70501,37 +70430,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv4_conf_default_accept_redirects_value='0'
+sysctl_net_ipv4_conf_all_rp_filter_value='1'
 
 
 #
-# Set runtime for net.ipv4.conf.default.accept_redirects
+# Set runtime for net.ipv4.conf.all.rp_filter
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"
+/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value"
 
 #
-# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
+# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80919-4"
+    cce="CCE-81021-8"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
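Review bot: The runtime write /sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value" (the + line replacing the accept_redirects one) discards its exit status, so when the key cannot be set the script still edits /etc/sysctl.conf and exits 0, reporting a remediation that was never applied at runtime. Consider checking the return value of sysctl -w and warning on stderr, as the 'Remediation is not applicable' branch already does, before touching the config file; the same applies to every copy of this template in the patch.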
@@ -70539,7 +70468,31 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces +   [ref]

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages modify the +host's route table and are unauthenticated. An illicit ICMP redirect +message could result in a man-in-the-middle attack. +
This feature of the IPv4 protocol has few legitimate uses. It should +be disabled unless absolutely required.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80919-4

References:  + BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, 1.4.3, SRG-OS-000480-GPOS-00227, RHEL-08-040209, 3.3.2, SV-244550r858791_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
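Review bot: The added MachineConfig (the + block from apiVersion: machineconfiguration.openshift.io/v1 through overwrite: true) has no metadata block, so it carries no name and no role label and cannot be applied as shown; if the fragment is meant to be completed by the Compliance Operator, the rendered 'Remediation script' heading should say so rather than presenting it as a ready-to-apply object. Separately, this hunk moves the MachineConfig ahead of the Ansible and shell remediations, where the old layout listed the shell script first and the MachineConfig last; if that reorder is intentional across the guide it belongs in the commit message rather than an 'Automated publish' subject.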
@@ -70600,68 +70553,42 @@
     - always
 
 - name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
-  sysctl:
-    name: net.ipv4.conf.default.accept_redirects
-    value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
-    sysctl_file: /etc/sysctl.conf
-    state: present
-    reload: true
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80919-4
-  - CJIS-5.10.1.1
-  - DISA-STIG-RHEL-08-040209
-  - NIST-800-171-3.1.20
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-SC-7(a)
-  - PCI-DSS-Req-1.4.3
-  - PCI-DSSv4-1.4.3
-  - disable_strategy
-  - low_complexity
-  - medium_disruption
-  - medium_severity
-  - reboot_required
-  - sysctl_net_ipv4_conf_default_accept_redirects
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default -   [ref]

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers -forward the packet along a different path than configured on the router, -which can be used to bypass network security measures. -
-Accepting source-routed packets in the IPv4 protocol has few legitimate -uses. It should be disabled unless it is absolutely required, such as when -IPv4 forwarding is enabled and the system is legitimately functioning as a -router.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80920-2

References:  - BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040249, 3.3.1, SV-244552r858803_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+  sysctl:
+    name: net.ipv4.conf.default.accept_redirects
+    value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
+    sysctl_file: /etc/sysctl.conf
+    state: present
+    reload: true
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80919-4
+  - CJIS-5.10.1.1
+  - DISA-STIG-RHEL-08-040209
+  - NIST-800-171-3.1.20
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-SC-7(a)
+  - PCI-DSS-Req-1.4.3
+  - PCI-DSSv4-1.4.3
+  - disable_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - reboot_required
+  - sysctl_net_ipv4_conf_default_accept_redirects
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data
+      # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
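Review bot: The persistence guidance in the rule text ('add the following line to a file in the directory /etc/sysctl.d') does not match what the remediations in this hunk do: the Ansible task writes sysctl_file: /etc/sysctl.conf, the shell script edits /etc/sysctl.conf after commenting out any /etc/sysctl.d entries, and only the MachineConfig writes /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf. The effective value is the same either way, but an auditor following the text will look in the wrong file; either state in the description that the shell and Ansible remediations use /etc/sysctl.conf, or change the description to name both locations.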
@@ -70673,37 +70600,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv4_conf_default_accept_source_route_value='0'
+sysctl_net_ipv4_conf_default_accept_redirects_value='0'
 
 
 #
-# Set runtime for net.ipv4.conf.default.accept_source_route
+# Set runtime for net.ipv4.conf.default.accept_redirects
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value"
+/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"
 
 #
-# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
+# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80920-2"
+    cce="CCE-80919-4"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
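Review bot: The comment-out loop that precedes this hunk iterates /etc/sysctl.d/*.conf, /run/sysctl.d/*.conf and /usr/local/lib/sysctl.d/*.conf but not /usr/lib/sysctl.d/*.conf, which sysctl --system also loads. Because the final value is written to /etc/sysctl.conf, which is read after the drop-in directories, precedence still works out, but any vendor drop-in setting net.ipv4.conf.default.accept_redirects is left active and the 'Comment out any occurrences' comment overstates what the loop does; add the directory to the glob or note the omission in the comment.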
@@ -70711,7 +70638,33 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default +   [ref]

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0

Rationale:

Source-routed packets allow the source of the packet to suggest routers +forward the packet along a different path than configured on the router, +which can be used to bypass network security measures. +
+Accepting source-routed packets in the IPv4 protocol has few legitimate +uses. It should be disabled unless it is absolutely required, such as when +IPv4 forwarding is enabled and the system is legitimately functioning as a +router.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80920-2

References:  + BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040249, 3.3.1, SV-244552r858803_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
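Review bot: Reboot:true is correct for this rule but the rule text never says why: net.ipv4.conf.default.* only seeds the per-interface values for interfaces created after the sysctl is applied, so the sysctl -w net.ipv4.conf.default.accept_source_route=0 shown in the description and used by the shell remediation leaves already-configured interfaces untouched until the next boot or interface re-creation. One sentence to that effect in the description would stop readers from treating the runtime command as sufficient.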
@@ -70790,41 +70743,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_conf_default_accept_source_route
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf
-        overwrite: true
-

Rule   - Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces -   [ref]

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale:

Responding to broadcast (ICMP) echoes facilitates network mapping -and provides a vector for amplification attacks. -
-Ignoring ICMP echo requests (pings) sent to broadcast or multicast -addresses makes the system slightly more difficult to enumerate on the network.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80922-8

References:  - 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, 1.4.2, SRG-OS-000480-GPOS-00227, RHEL-08-040230, 3.3.5, SV-230537r858797_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data
+      # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
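Review bot: Strategy:disable on the 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests' rule reads as a contradiction: the rule sets net.ipv4.icmp_echo_ignore_broadcasts=1, and 'disable' refers to the broadcast-echo response being turned off, not to the direction of the value. Since every sysctl rule in this patch carries the same Strategy:disable label, a short glossary line in the guide stating that strategy names describe the effect on the feature rather than the parameter value would remove the confusion.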
@@ -70836,37 +70766,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='1'
+sysctl_net_ipv4_conf_default_accept_source_route_value='0'
 
 
 #
-# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
+# Set runtime for net.ipv4.conf.default.accept_source_route
 #
-/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"
+/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value"
 
 #
-# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
+# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80922-8"
+    cce="CCE-80920-2"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
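Review bot: The provenance line printf '# Per %s: Set %s in %s\n' "${cce}" ... is written only in the else branch (key absent from /etc/sysctl.conf); when the key already exists, the sed -i --follow-symlinks rewrite replaces the line in place and records nothing, so after remediating a pre-existing wrong value there is no trace of which rule (CCE-80920-2 here) changed it. Either emit the comment in both branches or document that the CCE marker only appears for newly added keys.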
@@ -70874,7 +70804,30 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+

Rule   + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces +   [ref]

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale:

Responding to broadcast (ICMP) echoes facilitates network mapping +and provides a vector for amplification attacks. +
+Ignoring ICMP echo requests (pings) sent to broadcast or multicast +addresses makes the system slightly more difficult to enumerate on the network.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80922-8

References:  + 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, 1.4.2, SRG-OS-000480-GPOS-00227, RHEL-08-040230, 3.3.5, SV-230537r858797_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
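Review bot: Reboot:true on this rule looks like inherited template boilerplate rather than a property of the parameter: net.ipv4.icmp_echo_ignore_broadcasts is a global knob, so the sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 in the description and remediation takes effect immediately and the persistent line only has to survive the next boot. Either drop the reboot flag for rules that do not touch conf.default.* or state in the guide that the flag is set conservatively for all sysctl rules, so operators do not schedule unnecessary reboots.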
@@ -70956,46 +70909,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf
-        overwrite: true
-
Group   - Network Parameters for Hosts Only -   Group contains 2 rules

[ref]   - If the system is not going to be used as a router, then setting certain -kernel parameters ensure that the host will not perform routing -of network traffic.

Rule   - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces -   [ref]

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more -direct route exists for a particular destination. These messages contain information -from the system's route table possibly revealing portions of the network topology. -
-The ability to send ICMP redirects is only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80918-6

References:  - BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, 1.4.5, SRG-OS-000480-GPOS-00227, RHEL-08-040220, 3.2.2, SV-230536r858795_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data
+      # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
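Review bot: the drop-in loop `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf` leaves out `/usr/lib/sysctl.d/*.conf`, which `sysctl --system` also loads, so a vendor drop-in that sets net.ipv4.icmp_echo_ignore_broadcasts there is never commented out and can still win over the value written later in this script; add that directory to the list. Two smaller things in the same loop: `nullglob` is not set and `$f` is unquoted, so when one of the directories is empty grep receives the literal pattern and prints a "No such file or directory" error (guard with `[ -f "$f" ] || continue`), and the dots in the `grep -P` pattern are unescaped, so `net\.ipv4\.icmp_echo_ignore_broadcasts` is the precise form.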
@@ -71007,35 +70932,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
+sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='1'
+
 
 #
-# Set runtime for net.ipv4.conf.all.send_redirects
+# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0"
+/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"
 
 #
-# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
-#	else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
+# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "0"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80918-6"
+    cce="CCE-80922-8"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
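Review bot: in the replace branch, `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")` escapes only `/` before the string is used as a sed replacement; now that the value comes from the `sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value` variable instead of a literal `"0"`, an `&` or backslash in that variable would be interpreted by sed rather than written verbatim. Escape all three, e.g. `sed -e 's|[/&\\]|\\&|g'`. Minor: `grep -i` and the `gi` flags on the sed call match the key case-insensitively although sysctl keys are case-sensitive, so a line such as `NET.IPV4.icmp_echo_ignore_broadcasts = 1` (which sysctl itself would reject) is rewritten instead of being left for the administrator to clean up.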
@@ -71043,6 +70970,34 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+
Group   + Network Parameters for Hosts Only +   Group contains 2 rules

[ref]   + If the system is not going to be used as a router, then setting certain +kernel parameters ensure that the host will not perform routing +of network traffic.

Rule   + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces +   [ref]

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages contain information +from the system's route table possibly revealing portions of the network topology. +
+The ability to send ICMP redirects is only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80918-6

References:  + BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, 1.4.5, SRG-OS-000480-GPOS-00227, RHEL-08-040220, 3.2.2, SV-230536r858795_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.conf.all.send_redirects%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
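Review bot: the three remediations for net.ipv4.conf.all.send_redirects in this region persist the value in different places: the rule text tells the reader to add the line to a file in /etc/sysctl.d, the MachineConfig writes `/etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf`, and the shell script comments out every sysctl.d match and writes the key into /etc/sysctl.conf. All three give the same runtime value, but after the shell path any later /etc/sysctl.d drop-in for this key is silently overridden because `sysctl --system` reads /etc/sysctl.conf last; either have the shell remediation write the same 75-… drop-in or say in the description that /etc/sysctl.conf is the file of record. Also, this MachineConfig block has no Complexity/Disruption/Reboot/Strategy header, while the modprobe MachineConfig blocks later in the patch carry one.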
@@ -71123,41 +71078,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_conf_all_send_redirects
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.send_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf
-        overwrite: true
-

Rule   - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default -   [ref]

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more -direct route exists for a particular destination. These messages contain information -from the system's route table possibly revealing portions of the network topology. -
-The ability to send ICMP redirects is only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80921-0

References:  - BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, 1.4.5, SRG-OS-000480-GPOS-00227, RHEL-08-040270, 3.2.2, SV-230543r858816_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data
+      # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
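Review bot: `sed -i "s/^${escaped_entry}$/# &/g" $f` at the end of the comment-out loop uses the matched line as a regular expression with only `/` escaped; a drop-in line containing `*`, `[` or `\` (a trailing comment is enough) either fails to match or makes sed abort, and the conflicting net.ipv4.conf.all.send_redirects setting stays active while the script reports nothing. Escape the BRE metacharacters before substitution, e.g. `escaped_entry=$(sed -e 's|[][/.*^$\\]|\\&|g' <<< "$entry")`, or do the comment-out with a fixed-string comparison in awk.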
@@ -71171,18 +71103,18 @@
 
 
 #
-# Set runtime for net.ipv4.conf.default.send_redirects
+# Set runtime for net.ipv4.conf.all.send_redirects
 #
-/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"
+/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0"
 
 #
-# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
-#	else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
+# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
+#	else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s = %s" "$stripped_key" "0"
@@ -71190,14 +71122,14 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80921-0"
+    cce="CCE-80918-6"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -71205,6 +71137,29 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default +   [ref]

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0

Rationale:

ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages contain information +from the system's route table possibly revealing portions of the network topology. +
+The ability to send ICMP redirects is only appropriate for systems acting as routers.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80921-0

References:  + BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, 1.4.5, SRG-OS-000480-GPOS-00227, RHEL-08-040270, 3.2.2, SV-230543r858816_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.ipv4.conf.default.send_redirects%3D0%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
@@ -71285,20 +71240,65 @@
   - medium_severity
   - reboot_required
   - sysctl_net_ipv4_conf_default_send_redirects
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.send_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
+
+  matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+      # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data
+      sed -i "s/^${escaped_entry}$/# &/g" $f
+    done <<< "$matching_list"
+  fi
+done
+
+#
+# Set sysctl config file which to save the desired value
+#
+
+SYSCONFIG_FILE="/etc/sysctl.conf"
+
+
+#
+# Set runtime for net.ipv4.conf.default.send_redirects
+#
+/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"
+
+#
+# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
+#	else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
+#
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "0"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+else
+    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+    fi
+    cce="CCE-80921-0"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Uncommon Network Protocols   Group contains 5 rules

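Review bot: the applicability guard `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` only recognises the Docker and Podman marker files; in any other container runtime or namespace where /proc/sys is read-only, `/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"` fails, its exit status is ignored, and the script goes on to edit /etc/sysctl.conf as if it had succeeded. Test the sysctl itself, e.g. `[ -w /proc/sys/net/ipv4/conf/default/send_redirects ] || { >&2 echo 'Remediation is not applicable, nothing was done'; exit 0; }`, or at minimum append `|| exit 1` to the sysctl call.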
[ref]   @@ -71323,24 +71323,20 @@

blacklist atm

Rationale:

Disabling ATM protects the system against exploitation of any flaws in its implementation.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82028-2

References:  - CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040021, SV-230494r792911_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
-	
-	sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
-	echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then
-	echo "blacklist atm" >> /etc/modprobe.d/atm.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040021, SV-230494r792911_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20atm%20/bin/true%0Ablacklist%20atm%0A
+        mode: 0644
+        path: /etc/modprobe.d/atm.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'atm' is disabled
   lineinfile:
     create: true
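Review bot: `echo -e "\n# Disable per security requirements"` in the else branch depends on bash's `-e`; if the remediation is ever run by a POSIX sh without it, the literal `-e` is written as the first line of /etc/modprobe.d/atm.conf. `printf '\n# Disable per security requirements\n'` is portable and produces the same file. Separately, the rendered References line now begins with a run of spaces (`+            CCI-000381, ...`) where the old line had `- CCI-000381, ...`; harmless inside the HTML element, but it repeats for every rule in this patch and pads the diff, so trim it in the transform that emits the References block.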
@@ -71376,20 +71372,24 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20atm%20/bin/true%0Ablacklist%20atm%0A
-        mode: 0644
-        path: /etc/modprobe.d/atm.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
+	
+	sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
+	echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then
+	echo "blacklist atm" >> /etc/modprobe.d/atm.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable CAN Support   [ref]

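Review bot: the MachineConfig remediation moved in this hunk sets `overwrite: true` on /etc/modprobe.d/atm.conf, so it replaces the whole file with the two lines `install atm /bin/true` and `blacklist atm`, whereas the shell variant only rewrites or appends and keeps anything else an administrator placed in that file. The two remediations therefore do not converge on the same file contents; document that the MachineConfig path is owned by the remediation, or have the shell script write the same fixed content so both are idempotent against each other.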
The Controller Area Network (CAN) is a serial communications @@ -71405,24 +71405,20 @@

blacklist can

Rationale:

Disabling CAN protects the system against exploitation of any flaws in its implementation.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82059-7

References:  - CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040022, SV-230495r792914_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
-	
-	sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf
-	echo "install can /bin/true" >> /etc/modprobe.d/can.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then
-	echo "blacklist can" >> /etc/modprobe.d/can.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040022, SV-230495r792914_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20can%20/bin/true%0Ablacklist%20can%0A
+        mode: 0644
+        path: /etc/modprobe.d/can.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'can' is disabled
   lineinfile:
     create: true
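Review bot: `grep -q -m 1 "^install can"` and `sed -i 's#^install can.*#install can /bin/true#g'` match on a prefix, so an existing line such as `install can_raw /bin/true` (hypothetical here, but the can_raw, can_bcm and vcan module names share the prefix) satisfies the test and is rewritten into `install can /bin/true`, silently dropping the other module's directive while the script believes it edited the right line. Anchor the match on the whole module name, e.g. `"^install can[[:space:]]"` and `'s#^install can[[:space:]].*#install can /bin/true#'`; the same prefix pattern appears in the atm, firewire-core, sctp and tipc scripts in this patch.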
@@ -71458,20 +71454,24 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20can%20/bin/true%0Ablacklist%20can%0A
-        mode: 0644
-        path: /etc/modprobe.d/can.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
+	
+	sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf
+	echo "install can /bin/true" >> /etc/modprobe.d/can.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then
+	echo "blacklist can" >> /etc/modprobe.d/can.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable IEEE 1394 (FireWire) Support   [ref]

The IEEE 1394 (FireWire) is a serial bus standard for @@ -71486,24 +71486,20 @@

blacklist firewire-core

Rationale:

Disabling FireWire protects the system against exploitation of any flaws in its implementation.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82005-0

References:  - CCI-000381, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040026, SV-230499r792924_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then
-	
-	sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf
-	echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then
-	echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            CCI-000381, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040026, SV-230499r792924_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20firewire-core%20/bin/true%0Ablacklist%20firewire-core%0A
+        mode: 0644
+        path: /etc/modprobe.d/firewire-core.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'firewire-core' is disabled
   lineinfile:
     create: true
@@ -71539,20 +71535,24 @@
   - low_severity
   - medium_disruption
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20firewire-core%20/bin/true%0Ablacklist%20firewire-core%0A
-        mode: 0644
-        path: /etc/modprobe.d/firewire-core.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then
+	
+	sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf
+	echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then
+	echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable SCTP Support   [ref]

The Stream Control Transmission Protocol (SCTP) is a @@ -71569,24 +71569,20 @@

blacklist sctp

Rationale:

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80834-5

References:  - 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, Req-1.4.2, 1.4.2, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040023, 3.1.2, SV-230496r792917_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
-	
-	sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
-	echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then
-	echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, Req-1.4.2, 1.4.2, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040023, 3.1.2, SV-230496r792917_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A
+        mode: 0644
+        path: /etc/modprobe.d/sctp.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'sctp' is disabled
   lineinfile:
     create: true
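Review bot: the `blacklist` test `grep -q -m 1 "^blacklist sctp$"` is anchored at both ends, but the `install` test two lines above it is only anchored at the start, so the two checks treat the file differently: `blacklist sctp # legacy` would be missed and a second `blacklist sctp` appended, while `install sctp_something` would be accepted as the install line. Use the same `^install sctp[[:space:]]` / `^blacklist sctp[[:space:]]*` shape for both so an already-remediated file with trailing comments is recognised and not appended to on every run.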
@@ -71634,20 +71630,24 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A
-        mode: 0644
-        path: /etc/modprobe.d/sctp.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
+	
+	sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
+	echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then
+	echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable TIPC Support   [ref]

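Review bot: the `grep -q -m 1 "^install sctp"` test and the matching `sed -i 's#^install sctp.*#install sctp /bin/true#g'` in the re-added shell script are not anchored after the module name, so an existing line for another module with the same prefix (an `install sctp_diag ...` line here, or `install bluetooth_6lowpan ...` in the bluetooth variant of this same template below) would be matched and rewritten into the directive for the wrong module; anchor both patterns with a trailing `[[:space:]]`. Separately, the script only edits modprobe configuration and never checks `lsmod` or unloads a module that is already resident, which is why `Reboot:true` is correct; since the tipc and bluetooth hunks further down are the same template, the fix belongs in the shared template rather than in each rendered copy.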
The Transparent Inter-Process Communication (TIPC) protocol @@ -71667,24 +71667,20 @@ the tipc kernel module will be loaded.

Rationale:

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82297-3

References:  - 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040024, SV-230497r792920_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then
-	
-	sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf
-	echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then
-	echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040024, SV-230497r792920_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20tipc%20/bin/true%0Ablacklist%20tipc%0A
+        mode: 0644
+        path: /etc/modprobe.d/tipc.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'tipc' is disabled
   lineinfile:
     create: true
@@ -71724,20 +71720,24 @@
   - low_severity
   - medium_disruption
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20tipc%20/bin/true%0Ablacklist%20tipc%0A
-        mode: 0644
-        path: /etc/modprobe.d/tipc.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then
+	
+	sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf
+	echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then
+	echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Wireless Networking   Group contains 1 group and 2 rules

[ref]   @@ -71771,24 +71771,20 @@ from loading the kernel module provides an additional safeguard against its activation.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80832-9

References:  - 11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001443, CCI-001444, CCI-001551, CCI-002418, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118, RHEL-08-040111, SV-230507r833336_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
-	
-	sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
-	echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then
-	echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001443, CCI-001444, CCI-001551, CCI-002418, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118, RHEL-08-040111, SV-230507r833336_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20bluetooth%20/bin/true%0Ablacklist%20bluetooth%0A
+        mode: 0644
+        path: /etc/modprobe.d/bluetooth.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'bluetooth' is disabled
   lineinfile:
     create: true
@@ -71838,20 +71834,24 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20bluetooth%20/bin/true%0Ablacklist%20bluetooth%0A
-        mode: 0644
-        path: /etc/modprobe.d/bluetooth.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
+	
+	sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
+	echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then
+	echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Deactivate Wireless Network Interfaces   [ref]

Deactivating wireless network interfaces should prevent normal usage of the wireless @@ -71867,13 +71867,7 @@ serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83501-7

References:  - 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.3, 1.3.3, 2.3, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, RHEL-08-040110, 3.1.4, SV-230506r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -71944,6 +71938,12 @@
   - no_reboot_needed
   - unknown_strategy
   - wireless_disable_interfaces
+
Remediation Shell script:   (show)


+if ! rpm -q --quiet "NetworkManager" ; then
+    yum install -y "NetworkManager"
+fi
+
+nmcli radio all off
 

Rule   Configure Multiple DNS Servers in /etc/resolv.conf   [ref]

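Review bot: the added shell remediation has no Complexity/Disruption/Reboot/Strategy header (two blank lines follow `Remediation Shell script:`), while the Ansible snippet for the same rule declares `Reboot:false` and `Strategy:unknown`; it also installs a package as a side effect (`yum install -y "NetworkManager"`) before running `nmcli radio all off`, which switches off WWAN radios as well as Wi-Fi, and unlike the module-disabling scripts above it has no `/.dockerenv` / `/run/.containerenv` applicability guard. Either narrow it to `nmcli radio wifi off` to match the rule's focus on wireless network interfaces, or state that mobile broadband is disabled too, and add the metadata header and platform guard for consistency with the other shell remediations.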
@@ -71990,17 +71990,7 @@ tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82283-3

References:  - 1, 11, 14, 3, 9, APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8, A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3, DE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3, 1.4.5, SRG-OS-000480-GPOS-00227, RHEL-08-040330, SV-230554r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do
-    ip link set dev $interface multicast off promisc off
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure System is Not Acting as a Network Sniffer - Gather network interfaces
   ansible.builtin.command:
     cmd: ip link show
   register: network_interfaces
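Review bot: the context lines carry `Remediation Ansible snippet:   (show)` twice in a row (once before and once after the removed shell block), so the rendered page shows a doubled heading for this rule both before and after this change; the same doubling recurs in the later hunks for system-executable ownership, shared-library file ownership and system-executable permissions. It is pre-existing, but since the generator output is being republished it is worth fixing at the source rather than carrying it forward.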
@@ -72043,6 +72033,16 @@
   - network_sniffer_disabled
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2); do
+    ip link set dev $interface multicast off promisc off
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   File Permissions and Masks   Group contains 10 groups and 68 rules

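Review bot: the interface loop in the re-added shell script, `for interface in $(ip link show | grep -E '^[0-9]' | cut -d ":" -f 2)`, takes every link that `ip link show` prints, so it includes `lo` and, for veth-style names rendered as `name@ifN`, produces a token that `ip link set dev` rejects; more importantly `ip link set dev $interface multicast off promisc off` clears the MULTICAST flag on every interface, and IPv6 neighbour discovery relies on multicast, so this risks breaking IPv6 connectivity on hosts that are not sniffing anything. Limit the loop to interfaces whose flags actually include PROMISC and strip anything after `@` from the name. The change is also runtime-only (`ip link set` does not survive a reboot or a NetworkManager reconnect), which `Reboot:false` in the header does not convey.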
[ref]   @@ -72082,8 +72082,7 @@ messages in the system and should only be accessed by authorized personnel.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83659-3

References:  - CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, RHEL-08-010260, SV-230250r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure group owner on /var/log/
+            CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, RHEL-08-010260, SV-230250r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure group owner on /var/log/
   file:
     path: /var/log/
     state: directory
@@ -72097,13 +72096,13 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \;
 

Rule   Verify Group Who Owns /var/log/messages File   [ref]

To properly set the group owner of /var/log/messages, run the command:

$ sudo chgrp root /var/log/messages

Rationale:

The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83660-1

References:  - CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010230, SV-230247r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
chgrp 0 /var/log/messages
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /var/log/messages
+            CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010230, SV-230247r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /var/log/messages
   stat:
     path: /var/log/messages
   register: file_exists
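Review bot: `find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \;` re-added here does more than the rule title "Verify Group Who Owns /var/log Directory" states: `-maxdepth 1` also matches every first-level subdirectory of /var/log, so directories deliberately group-owned by a service account are forced to root as well (on a stock RHEL 8 install /var/log/journal is root:systemd-journal so that members of that group can read the journal). If the intent is /var/log only, use the single-path form the owner rule's own description uses (`$ sudo chown root /var/log`); otherwise exclude the delegated subdirectories, and make sure the OVAL check tests the same set of paths the remediation changes. The same scoping applies to the `chown 0` variant of this command in the next hunk.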
@@ -72131,14 +72130,14 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
chgrp 0 /var/log/messages
 

Rule   Verify User Who Owns /var/log Directory   [ref]

To properly set the owner of /var/log, run the command:

$ sudo chown root /var/log 

Rationale:

The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83661-9

References:  - CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, RHEL-08-010250, SV-230249r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure owner on directory /var/log/
+            CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, RHEL-08-010250, SV-230249r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure owner on directory /var/log/
   file:
     path: /var/log/
     state: directory
@@ -72152,13 +72151,13 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \;
 

Rule   Verify User Who Owns /var/log/messages File   [ref]

To properly set the owner of /var/log/messages, run the command:

$ sudo chown root /var/log/messages 

Rationale:

The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83662-7

References:  - CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010220, SV-230246r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
chown 0 /var/log/messages
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /var/log/messages
+            CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010220, SV-230246r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /var/log/messages
   stat:
     path: /var/log/messages
   register: file_exists
@@ -72186,6 +72185,7 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
chown 0 /var/log/messages
 

Rule   Verify Permissions on /var/log Directory   [ref]

@@ -72194,13 +72194,7 @@ messages in the system and should only be accessed by authorized personnel.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83663-5

References:  - CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, RHEL-08-010240, SV-230248r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-
-
-
-
-find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /var/log/ file(s)
+            CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, RHEL-08-010240, SV-230248r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /var/log/ file(s)
   command: 'find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt  -type d '
   register: files_found
   changed_when: false
@@ -72232,6 +72226,12 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+
+
+
+
+find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
 

Rule   Verify Permissions on /var/log/messages File   [ref]

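Review bot: `find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;` strips the setgid bit from every first-level subdirectory of /var/log, not just from /var/log itself; on RHEL 8 /var/log/journal is created setgid (2755 root:systemd-journal) precisely so that new journal files inherit the systemd-journal group, and systemd's tmpfiles configuration re-applies that mode at boot, so this remediation both breaks journal group access and leaves the system flapping between compliant and non-compliant across reboots. Scope the permission change to /var/log itself or exclude the journal directory, and check that the corresponding OVAL test agrees. The four empty `+` lines the template emits before the command are harmless but could be trimmed in the generator.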
@@ -72239,13 +72239,7 @@

$ sudo chmod 0640 /var/log/messages

Rationale:

The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83665-0

References:  - CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010210, SV-230245r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-
-
-
-
-chmod u-xs,g-xws,o-xwrt /var/log/messages
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /var/log/messages
+            CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010210, SV-230245r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /var/log/messages
   stat:
     path: /var/log/messages
   register: file_exists
@@ -72273,6 +72267,12 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+
+
+
+
+chmod u-xs,g-xws,o-xwrt /var/log/messages
 
Group   Verify File Permissions Within Some Important Directories   Group contains 9 rules

[ref]   @@ -72300,11 +72300,7 @@ runtime. Proper ownership of library directories is necessary to protect the integrity of the system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85894-4

References:  - CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010351, SV-251709r810014_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /lib/  -type d -exec chgrp 0 {} \;
-find -H /lib64/  -type d -exec chgrp 0 {} \;
-find -H /usr/lib/  -type d -exec chgrp 0 {} \;
-find -H /usr/lib64/  -type d -exec chgrp 0 {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure group owner on /lib/ recursively
+            CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010351, SV-251709r810014_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure group owner on /lib/ recursively
   file:
     path: /lib/
     state: directory
@@ -72375,6 +72371,10 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /lib/  -type d -exec chgrp 0 {} \;
+find -H /lib64/  -type d -exec chgrp 0 {} \;
+find -H /usr/lib/  -type d -exec chgrp 0 {} \;
+find -H /usr/lib64/  -type d -exec chgrp 0 {} \;
 

Rule   Verify that Shared Library Directories Have Root Ownership   [ref]

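Review bot: the four `find -H <dir> -type d -exec chgrp 0 {} \;` lines re-added here have no `! -group root` (or `! -gid 0`) predicate, so unlike the `! -uid 0` filter used for shared-library files further down they rewrite the group of every directory in the tree on every run, bumping ctime everywhere and generating noise for AIDE or other integrity monitoring; add the predicate so only non-compliant directories are touched. Note also that on RHEL 8 /lib and /lib64 are symlinks into /usr/lib and /usr/lib64, so with `-H` the same trees are walked twice. The same applies to the `chown 0` variant in the next hunk.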
System-wide shared library files, which are linked to executables @@ -72395,11 +72395,7 @@ runtime. Proper ownership of library directories is necessary to protect the integrity of the system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-89021-0

References:  - CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010341, SV-251708r810012_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /lib/  -type d -exec chown 0 {} \;
-find -H /lib64/  -type d -exec chown 0 {} \;
-find -H /usr/lib/  -type d -exec chown 0 {} \;
-find -H /usr/lib64/  -type d -exec chown 0 {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure owner on directory /lib/ recursively
+            CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010341, SV-251708r810012_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Ensure owner on directory /lib/ recursively
   file:
     path: /lib/
     state: directory
@@ -72470,6 +72466,10 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
find -H /lib/  -type d -exec chown 0 {} \;
+find -H /lib64/  -type d -exec chown 0 {} \;
+find -H /usr/lib/  -type d -exec chown 0 {} \;
+find -H /usr/lib64/  -type d -exec chown 0 {} \;
 

Rule   Verify that Shared Library Directories Have Restrictive Permissions   [ref]

System-wide shared library directories, which contain are linked to executables @@ -72495,19 +72495,7 @@ individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-88692-9

References:  - CCI-001499, CIP-003-8 R6, CM-5, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010331, SV-251707r809345_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-
-
-
-
-find -H /lib/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
-
-find -H /lib64/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
-
-find -H /usr/lib/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
-
-find -H /usr/lib64/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /lib/ file(s) recursively
+            CCI-001499, CIP-003-8 R6, CM-5, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010331, SV-251707r809345_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /lib/ file(s) recursively
   command: 'find -H /lib/  -perm /g+w,o+w  -type d '
   register: files_found
   changed_when: false
@@ -72662,6 +72650,18 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+
+
+
+
+find -H /lib/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
+
+find -H /lib64/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib64/  -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
 

Rule   Verify that system commands files are group owned by root or a system account   [ref]

System commands files are stored in the following directories by default: @@ -72688,12 +72688,7 @@ allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86519-6

References:  - CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010320, SV-230259r792864_rule

Remediation Shell script:   (show)


-for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
-do
-   find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \;
-done
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:false
Strategy:restrict
- name: Retrieve the system command files and set their group ownership to root
+            CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010320, SV-230259r792864_rule

Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:false
Strategy:restrict
- name: Retrieve the system command files and set their group ownership to root
   command: find -L {{ item }}  ! -group root -type f -exec chgrp root '{}' \;
   with_items:
   - /bin
@@ -72716,6 +72711,11 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)


+for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
+do
+   find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \;
+done
 

Rule   Verify that System Executables Have Root Ownership   [ref]

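Review bot: the re-added loop `find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \;` contradicts the rule title "group owned by root or a system account": any file whose group is a legitimate system account is silently re-grouped to root, and the check will then disagree with the remediation about what is compliant. `-L` also dereferences every symlink under the listed directories, so a link pointing outside them changes the group of its target instead of being skipped. Filter on the same set of acceptable groups the check uses, and prefer `-H` (or `-type l -prune`) over `-L`. The shell block also lacks the Complexity/Disruption/Reboot/Strategy header that the Ansible snippet for this rule carries.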
System executables are stored in the following directories by default: @@ -72734,15 +72734,7 @@ and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80806-3

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010310, SV-230258r627750_rule

Remediation Shell script:   (show)

find /bin/ \
-/usr/bin/ \
-/usr/local/bin/ \
-/sbin/ \
-/usr/sbin/ \
-/usr/local/sbin/ \
-/usr/libexec \
-\! -user root -execdir chown root {} \;
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:false
Strategy:restrict
- name: Read list of system executables without root ownership
   command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/
     /usr/libexec \! -user root
   register: no_root_system_executables
@@ -72782,6 +72774,14 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

find /bin/ \
+/usr/bin/ \
+/usr/local/bin/ \
+/sbin/ \
+/usr/sbin/ \
+/usr/local/sbin/ \
+/usr/libexec \
+\! -user root -execdir chown root {} \;
 

Rule   Verify that Shared Library Files Have Root Ownership   [ref]

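Review bot: the re-added `find /bin/ ... /usr/libexec \! -user root -execdir chown root {} \;` has no `-type f`, so it also acts on directories and symlinks; because `find` tests the link itself but `chown` without `-h` follows it, a non-root-owned link under /usr/local/bin changes the owner of whatever it points to (possibly outside these directories) while the link keeps its non-root owner and the rule keeps failing on every run. Add `-type f`, or use `chown -h`, and apply the same to the Ansible `find ... \! -user root` task so both remediations fix the same objects. As in the other hunks, the shell block is missing the metadata header the Ansible snippet has.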
System-wide shared library files, which are linked to executables @@ -72801,15 +72801,7 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80807-1

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010340, SV-230261r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-find /lib/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
-
-find /lib64/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
-
-find /usr/lib/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
-
-find /usr/lib64/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /lib/ file(s) matching ^.*$ recursively
   command: find -H /lib/  -type f ! -uid 0 -regex "^.*$"
   register: files_found
   changed_when: false
@@ -72972,6 +72964,14 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+find /lib/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+
+find /lib64/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+
+find /usr/lib/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+
+find /usr/lib64/  -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
 

Rule   Verify that System Executables Have Restrictive Permissions   [ref]

System executables are stored in the following directories by default: @@ -72990,11 +72990,7 @@ and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80809-7

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010300, SV-230257r792862_rule

Remediation Shell script:   (show)

DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
-for dirPath in $DIRS; do
-	find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
-done
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:false
Strategy:restrict
- name: Read list of world and group writable system executables
   ansible.builtin.command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin
     /usr/libexec -perm /022 -type f
   register: world_writable_library_files
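Review bot: the shell and Ansible remediations for this rule do not select the same files. The shell loop runs `find "$dirPath" -perm /022 -exec chmod go-w '{}' \;` with no type filter, so directories and symlinks match as well (and chmod follows a symlink to its target), whereas the Ansible task runs `find /bin /usr/bin ... -perm /022 -type f`. Since the rule is about executables, adding `-type f` to the shell loop makes the two produce the same result and avoids unexpected mode changes on directories under /usr/libexec and the other listed paths.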
@@ -73035,6 +73031,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+	find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
+done
 

Rule   Verify that Shared Library Files Have Restrictive Permissions   [ref]

System-wide shared library files, which are linked to executables @@ -73054,19 +73054,7 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80815-4

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), CM-5(6), CM-5(6).1, AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010330, SV-230260r792867_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-
-
-
-
-find -H /lib/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
-
-find -H /lib64/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
-
-find -H /usr/lib/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
-
-find -H /usr/lib64/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /lib/ file(s) recursively
   command: find -H /lib/  -perm /g+w,o+w  -type f -regex "^.*$"
   register: files_found
   changed_when: false
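Review bot: the rendered shell script opens with four empty lines (the `-` lines before the first `find -H /lib/  -perm /g+w,o+w  -type f ...` command), which looks like leftover template whitespace. It is worth trimming in the generator rather than the output, since the same empty-line prefix is reproduced for the audit rules further down in this patch.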
@@ -73229,6 +73217,18 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+
+
+
+
+find -H /lib/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+
+find -H /lib64/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib64/  -perm /g+w,o+w  -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
 

Rule   Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. @@ -73252,15 +73252,7 @@ and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86523-8

References:  - CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010350, SV-230262r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-find /lib/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
-
-find /lib64/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
-
-find /usr/lib/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
-
-find /usr/lib64/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /lib/ file(s) matching ^.*$ recursively
+            CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010350, SV-230262r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /lib/ file(s) matching ^.*$ recursively
   command: find -H /lib/  -type f ! -group 0 -regex "^.*$"
   register: files_found
   changed_when: false
@@ -73407,6 +73399,14 @@
   - medium_severity
   - no_reboot_needed
   - root_permissions_syslibrary_files
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+find /lib/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
+
+find /lib64/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
+
+find /usr/lib/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
+
+find /usr/lib64/  -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \;
 

Rule   Ensure All World-Writable Directories Are Owned by root User   [ref]

All directories in local partitions which are world-writable should be owned by root. @@ -73415,16 +73415,7 @@ owner of that directory to remove or replace any files that may be placed in the directory by other users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83375-6

References:  - BP28(R40), CCI-000366, SRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069, RHEL-08-010700, SV-230318r743960_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:restrict

-# At least under containerized env /proc can have files w/o possilibity to
-# modify even as root. And touching /proc is not good idea anyways.
-find / -path /proc -prune -o \
-    -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \
-    -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \
-    -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \
-    -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \
-    -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:restrict
- name: Ensure All World-Writable Directories Are Owned by root User - Define Excluded
+            BP28(R40), CCI-000366, SRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069, RHEL-08-010700, SV-230318r743960_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:restrict
- name: Ensure All World-Writable Directories Are Owned by root User - Define Excluded
     (Non-Local) File Systems and Paths
   ansible.builtin.set_fact:
     excluded_fstypes:
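Review bot: the leading comment in the moved script has a typo, `possilibity`, and since the same block is re-emitted later in the patch the fix belongs in the source template rather than the rendered HTML. On the logic side, the shell script excludes network filesystems by a hard-coded `-not -fstype ...` list and prunes only /proc, while the Ansible variant starts from an `excluded_fstypes` fact; generating both lists from one source would stop them drifting apart. Also, `-uid +0` expresses "owner is not root" less directly than the `! -uid 0` form used by the other rules in this group.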
@@ -73593,6 +73584,15 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:restrict

+# At least under containerized env /proc can have files w/o possilibity to
+# modify even as root. And touching /proc is not good idea anyways.
+find / -path /proc -prune -o \
+    -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \
+    -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \
+    -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \
+    -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \
+    -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
 

Rule   Verify that All World-Writable Directories Have Sticky Bits Set   [ref]

When the so-called 'sticky bit' is set on a directory, @@ -73617,11 +73617,7 @@ system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80783-4

References:  - BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000138-GPOS-00069, RHEL-08-010190, 6.1.2, SV-230243r792857_rule

Remediation Shell script:   (show)

df --local -P | awk '{if (NR!=1) print $6}' \
-| xargs -I '$6' find '$6' -xdev -type d \
-\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
--exec chmod a+t {} +
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded
     (Non-Local) File Systems and Paths
   ansible.builtin.set_fact:
     excluded_fstypes:
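Review bot: the mount-point extraction in `df --local -P | awk '{if (NR!=1) print $6}'` takes only the sixth whitespace-separated field, so a mount point containing a space is truncated and the following `find '$6' -xdev -type d` runs on a non-existent path, with the error hidden by `2>/dev/null`. Printing from `$6` to the end of the line, or taking targets from `findmnt -n -o TARGET`, avoids that; the Ansible variant sidesteps the problem by working from an explicit excluded-filesystem fact.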
@@ -73817,6 +73813,10 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

df --local -P | awk '{if (NR!=1) print $6}' \
+| xargs -I '$6' find '$6' -xdev -type d \
+\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+-exec chmod a+t {} +
 

Rule   Ensure All World-Writable Directories Are Group Owned by a System Account   [ref]

All directories in local partitions which are @@ -73840,13 +73840,7 @@ correlate, and investigate the events relating to an incident or identify those responsible for one.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85871-2

References:  - CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, RHEL-08-030610, SV-230471r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-
-
-
-
-chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /etc/audit/auditd.conf
+            CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, RHEL-08-030610, SV-230471r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /etc/audit/auditd.conf
   stat:
     path: /etc/audit/auditd.conf
   register: file_exists
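Review bot: the shell remediation runs `chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf` unconditionally, while the Ansible snippet first checks the file exists (`- name: Test for existence /etc/audit/auditd.conf` backed by a `stat` task). On a host without auditd the shell path fails with a chmod error instead of the clean "nothing to do" outcome the Ansible path gets; a `[ -f /etc/audit/auditd.conf ] &&` guard would align them. The four empty lines before the chmod look like template whitespace and can be trimmed.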
@@ -73876,6 +73870,12 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+
+
+
+
+chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf
 

Rule   Verify Permissions on /etc/audit/rules.d/*.rules   [ref]

@@ -73887,13 +73887,7 @@ correlate, and investigate the events relating to an incident or identify those responsible for one.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85875-3

References:  - CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, RHEL-08-030610, SV-230471r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

-
-
-
-
-find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /etc/audit/rules.d/ file(s)
+            CCI-000171, AU-12(b), SRG-OS-000063-GPOS-00032, RHEL-08-030610, SV-230471r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /etc/audit/rules.d/ file(s)
   command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type
     f -regex "^.*rules$"
   register: files_found
@@ -73928,6 +73922,12 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure

+
+
+
+
+find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
 

Rule   Ensure All Files Are Owned by a Group   [ref]

If any files are not owned by a group, then the @@ -73980,65 +73980,20 @@ based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().

Severity: 
medium
Identifiers and References

Identifiers:  CCE-81027-5

References:  - BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, RHEL-08-010374, SV-230268r858754_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files
-
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
-
-  matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "fs.protected_hardlinks" matches to preserve user data
-      sed -i "s/^${escaped_entry}$/# &/g" $f
-    done <<< "$matching_list"
-  fi
-done
-
-#
-# Set sysctl config file which to save the desired value
-#
-
-SYSCONFIG_FILE="/etc/sysctl.conf"
-
-
-#
-# Set runtime for fs.protected_hardlinks
-#
-/sbin/sysctl -q -n -w fs.protected_hardlinks="1"
-
-#
-# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1"
-#	else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf
-#
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "${SYSCONFIG_FILE}"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
-else
-    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
-    fi
-    cce="CCE-81027-5"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
-    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, RHEL-08-010374, SV-230268r858754_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,fs.protected_hardlinks%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
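Review bot: the loop `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do` has no nullglob guard, so when one of those directories contains no .conf files the unexpanded pattern is handed to `grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f` and later to `sed -i ... $f`, producing "No such file or directory" errors; `$f` is also unquoted in both calls. A `[ -f "$f" ] || continue` at the top of the loop body and quoting `"$f"` fixes both. Note also that the `-` lines here are not a deletion of the hardlinks remediation: the identical script is re-added later in the patch after the Ansible snippet.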
@@ -74100,42 +74055,18 @@
   - medium_severity
   - reboot_required
   - sysctl_fs_protected_hardlinks
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,fs.protected_hardlinks%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf
-        overwrite: true
-

To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_symlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1

Rationale:

By enabling this kernel parameter, symbolic links are permitted to be followed -only when outside a sticky world-writable directory, or when the UID of the -link and follower match, or when the directory owner matches the symlink's owner. -Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system -accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of -open() or creat().

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81030-9

References:  - BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, RHEL-08-010373, SV-230267r858751_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "fs.protected_symlinks" matches to preserve user data
+      # comment out "fs.protected_hardlinks" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
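Review bot: the `-fs.protected_symlinks` / `+fs.protected_hardlinks` pairs in this hunk are not a rename of anything. Because the publish moved the shell scripts below the Ansible snippets, git has aligned the old symlinks script with the new hardlinks script, and since the two bodies differ only in the sysctl name the result reads like a key change; neither script was modified. For automated publishes like this one, regenerating the diff with `--diff-algorithm=histogram` (or `--patience`) tends to present the move as one removal and one addition, which is far easier to audit than a spurious rename.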
@@ -74149,18 +74080,18 @@
 
 
 #
-# Set runtime for fs.protected_symlinks
+# Set runtime for fs.protected_hardlinks
 #
-/sbin/sysctl -q -n -w fs.protected_symlinks="1"
+/sbin/sysctl -q -n -w fs.protected_hardlinks="1"
 
 #
-# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1"
-#	else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf
+# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1"
+#	else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s = %s" "$stripped_key" "1"
@@ -74168,14 +74099,14 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81030-9"
+    cce="CCE-81027-5"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
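Review bot: the `-    cce="CCE-81030-9"` / `+    cce="CCE-81027-5"` pair looks like a CCE identifier being reassigned, but it is the same diff alignment artefact as the surrounding sysctl name swaps: CCE-81027-5 is the hardlinks rule's identifier and CCE-81030-9 the symlinks rule's, as their Identifiers lines show. It is worth calling out explicitly because the `cce` value is written into /etc/sysctl.conf as a provenance comment (`printf '# Per %s: Set %s in %s\n' "${cce}" ...`), so a genuine mix-up here would mislabel the setting on every remediated host.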
@@ -74183,6 +74114,30 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1

Rationale:

By enabling this kernel parameter, symbolic links are permitted to be followed +only when outside a sticky world-writable directory, or when the UID of the +link and follower match, or when the directory owner matches the symlink's owner. +Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system +accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of +open() or creat().

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81030-9

References:  + BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, RHEL-08-010373, SV-230267r858751_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,fs.protected_symlinks%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
@@ -74244,20 +74199,65 @@
   - medium_severity
   - reboot_required
   - sysctl_fs_protected_symlinks
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,fs.protected_symlinks%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
+
+  matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+      # comment out "fs.protected_symlinks" matches to preserve user data
+      sed -i "s/^${escaped_entry}$/# &/g" $f
+    done <<< "$matching_list"
+  fi
+done
+
+#
+# Set sysctl config file which to save the desired value
+#
+
+SYSCONFIG_FILE="/etc/sysctl.conf"
+
+
+#
+# Set runtime for fs.protected_symlinks
+#
+/sbin/sysctl -q -n -w fs.protected_symlinks="1"
+
+#
+# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1"
+#	else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf
+#
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "${SYSCONFIG_FILE}"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+else
+    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+    fi
+    cce="CCE-81030-9"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Restrict Dynamic Mounting and Unmounting of Filesystems @@ -74294,26 +74294,17 @@ 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, 1.1.9, SV-230502r627750_rule

Remediation script:   (show)


 [customizations.services]
 disabled = ["autofs"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'autofs.service'
-"$SYSTEMCTL_EXEC" disable 'autofs.service'
-"$SYSTEMCTL_EXEC" mask 'autofs.service'
-# Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then
-    "$SYSTEMCTL_EXEC" stop 'autofs.socket'
-    "$SYSTEMCTL_EXEC" mask 'autofs.socket'
-fi
-# The service may not be running because it has been started and failed,
-# so let's reset the state so OVAL checks pass.
-# Service should be 'inactive', not 'failed' after reboot though.
-"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+
Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: autofs.service
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include disable_autofs
 
 class disable_autofs {
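Review bot: the remediation flavours for autofs do not enforce the same end state. The shell script stops, disables and masks `autofs.service` and also masks `autofs.socket` when a unit file exists, while the MachineConfig only sets `enabled: false` for `name: autofs.service`, which leaves the unit startable by hand or through socket activation. Ignition's systemd unit entries also accept `mask: true`; setting that, and adding an entry for autofs.socket, would bring the Kubernetes remediation up to the shell script's level. As elsewhere in this patch, the removed shell block is re-added verbatim in the following hunk.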
@@ -74400,17 +74391,26 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: autofs.service
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" stop 'autofs.service'
+"$SYSTEMCTL_EXEC" disable 'autofs.service'
+"$SYSTEMCTL_EXEC" mask 'autofs.service'
+# Disable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then
+    "$SYSTEMCTL_EXEC" stop 'autofs.socket'
+    "$SYSTEMCTL_EXEC" mask 'autofs.socket'
+fi
+# The service may not be running because it has been started and failed,
+# so let's reset the state so OVAL checks pass.
+# Service should be 'inactive', not 'failed' after reboot though.
+"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable Mounting of cramfs   [ref]

@@ -74430,24 +74430,20 @@ decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the server.

Severity: 
low
Identifiers and References

Identifiers:  CCE-81031-7

References:  - 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, 1.1.1.1, SV-230498r792922_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
-	
-	sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
-	echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then
-	echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, 1.1.1.1, SV-230498r792922_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20cramfs%20/bin/true%0Ablacklist%20cramfs%0A
+        mode: 0644
+        path: /etc/modprobe.d/cramfs.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'cramfs' is disabled
   lineinfile:
     create: true
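Review bot: `mode: 0644` in the MachineConfig added in this hunk relies on the YAML reader treating the leading zero as octal. The Ignition file schema defines `mode` as a decimal integer (0644 is 420), and a YAML 1.2 reader would take `0644` as decimal 644, which is mode 1204 in octal; the YAML 1.1 rules used by the Kubernetes loaders do give 420, so it works in practice, but `mode: 420` is unambiguous and matches the Ignition documentation. The encoded content (`install cramfs /bin/true`, newline, `blacklist cramfs`) matches what the shell remediation writes, so the two remediation paths stay consistent; they need to be kept in lockstep if either one changes.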
@@ -74489,20 +74485,24 @@
   - low_severity
   - medium_disruption
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20cramfs%20/bin/true%0Ablacklist%20cramfs%0A
-        mode: 0644
-        path: /etc/modprobe.d/cramfs.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
+	
+	sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
+	echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then
+	echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable Modprobe Loading of USB Storage Driver   [ref]

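Review bot: the first test in the shell script in this hunk, `if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then`, runs before the file necessarily exists; on a system without /etc/modprobe.d/cramfs.conf grep exits 2 and prints "No such file or directory" to stderr, the `else` branch then creates the file with `>>`, so the result is correct but every first run logs a spurious error that will be mistaken for a failed remediation. Adding `-s` to both grep calls (or testing `[ -f ... ]` first) keeps the output clean, and `-m 1` is redundant next to `-q`, which already stops at the first match. One observation on the content rather than the script: `install cramfs /bin/true` makes `modprobe cramfs` exit 0 without loading anything, so callers cannot tell a suppressed load from a successful one; `/bin/false` would surface the refusal in the exit status, though that change would need the OVAL check and the MachineConfig in the previous hunk updated together.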
To prevent USB storage devices from being used, configure the kernel module loading system @@ -74521,24 +74521,20 @@ insmod program to load the module manually.

Rationale:

USB storage devices such as thumb drives can be used to introduce malicious software.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80835-2

References:  - 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, 3.4.2, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, 1.1.10, SV-230503r809319_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
-	
-	sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
-	echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
-fi
-
-if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then
-	echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, 3.4.2, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, 1.1.10, SV-230503r809319_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A
+        mode: 0644
+        path: /etc/modprobe.d/usb-storage.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'usb-storage' is disabled
   lineinfile:
     create: true
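Review bot: neither remediation in this hunk affects a usb-storage module that is already loaded; the MachineConfig (`source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A`) and the shell script only write /etc/modprobe.d/usb-storage.conf, which is why `Reboot:true` is set. The rule text above already says that `insmod` bypasses an `install` line; it would help operators to also state that a module resident at remediation time stays usable until the next reboot, so a passing remediation run is not read as the driver being unavailable right away. For the record, modprobe treats `-` and `_` in module names interchangeably, so `usb-storage` in these files does match the kernel's `usb_storage`; no change needed there.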
@@ -74584,20 +74580,24 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20usb-storage%20/bin/true%0Ablacklist%20usb-storage%0A
-        mode: 0644
-        path: /etc/modprobe.d/usb-storage.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
+	
+	sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
+	echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then
+	echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Restrict Partition Mount Options   Group contains 23 rules

[ref]   @@ -74614,54 +74614,7 @@ /boot/efi.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86038-7

References:  - CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010572, SV-244530r809336_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then
-
-function perform_remediation {
-    
-        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot/efi")"
-
-    grep "$mount_point_match_regexp" -q /etc/fstab \
-        || { echo "The mount point '/boot/efi' is not even in /etc/fstab, so we can't set up mount options" >&2;
-                echo "Not remediating, because there is no record of /boot/efi in /etc/fstab" >&2; return 1; }
-    
-
-
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot/efi)"
-
-    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
-    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
-        # runtime opts without some automatic kernel/userspace-added defaults
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
-        [ "$previous_mount_opts" ] && previous_mount_opts+=","
-        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
-        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
-        fs_type=""
-        if [  "$fs_type" == "iso9660" ] ; then
-            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
-        fi
-        echo " /boot/efi  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
-    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
-    fi
-
-
-    if mkdir -p "/boot/efi"; then
-        if mountpoint -q "/boot/efi"; then
-            mount -o remount --target "/boot/efi"
-        fi
-    fi
-}
-
-perform_remediation
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint'
+            CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010572, SV-244530r809336_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /boot/efi: Check information associated to mountpoint'
   command: findmnt --fstab '/boot/efi'
   register: device_name
   failed_when: device_name.rc > 1
@@ -74778,30 +74731,20 @@
   - medium_severity
   - mount_option_boot_efi_nosuid
   - no_reboot_needed
-

Rule   - Add nosuid Option to /boot -   [ref]

The nosuid mount option can be used to prevent -execution of setuid programs in /boot. The SUID and SGID permissions -should not be required on the boot partition. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from boot partitions.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81033-3

References:  - BP28(R12), CCI-000366, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010571, SV-230300r743959_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then
 
 function perform_remediation {
     
-        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")"
+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot/efi")"
 
     grep "$mount_point_match_regexp" -q /etc/fstab \
-        || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2;
-                echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
+        || { echo "The mount point '/boot/efi' is not even in /etc/fstab, so we can't set up mount options" >&2;
+                echo "Not remediating, because there is no record of /boot/efi in /etc/fstab" >&2; return 1; }
     
 
 
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)"
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot/efi)"
 
     # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
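Review bot: `mount_point_match_regexp` is computed twice with the same value in this hunk, first as `+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot/efi")"` for the guard and again, with the argument unquoted this time, just before the `if ! grep -q "$mount_point_match_regexp" /etc/fstab; then` test; the second assignment is redundant and can be dropped, and quoting the argument consistently avoids word splitting if a mount point containing spaces is ever templated in. Minor style point on the context line `function perform_remediation {`: the `function` keyword is bash-only, while `perform_remediation() {` is accepted by both bash and POSIX sh.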
@@ -74815,7 +74758,7 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /boot  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo " /boot/efi  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
     elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
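Review bot: the `+        echo " /boot/efi  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab` line in this hunk writes an fstab entry whose device and filesystem-type fields are empty (the line starts with a space and has two spaces before `defaults`). The branch runs only when `/boot/efi` is missing from /etc/fstab, and the guard in the preceding hunk already returns 1 in that case (`Not remediating, because there is no record of /boot/efi in /etc/fstab`), so the code is unreachable today; a malformed fstab line in dead code is still a trap for the next refactor. Either drop the mtab fallback for this rule or fill in the fields the way the /dev/shm variant further down does (`echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0"`).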
@@ -74823,9 +74766,9 @@
     fi
 
 
-    if mkdir -p "/boot"; then
-        if mountpoint -q "/boot"; then
-            mount -o remount --target "/boot"
+    if mkdir -p "/boot/efi"; then
+        if mountpoint -q "/boot/efi"; then
+            mount -o remount --target "/boot/efi"
         fi
     fi
 }
@@ -74835,6 +74778,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nosuid Option to /boot +   [ref]

The nosuid mount option can be used to prevent +execution of setuid programs in /boot. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from boot partitions.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81033-3

References:  + BP28(R12), CCI-000366, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010571, SV-230300r743959_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /boot --mountoptions="nosuid"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /boot: Check information associated to mountpoint'
   command: findmnt --fstab '/boot'
   register: device_name
@@ -74965,8 +74920,53 @@
   - medium_severity
   - mount_option_boot_nosuid
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /boot --mountoptions="nosuid"
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+function perform_remediation {
+    
+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/boot")"
+
+    grep "$mount_point_match_regexp" -q /etc/fstab \
+        || { echo "The mount point '/boot' is not even in /etc/fstab, so we can't set up mount options" >&2;
+                echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
+    
+
+
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /boot)"
+
+    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
+        # runtime opts without some automatic kernel/userspace-added defaults
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+        [ "$previous_mount_opts" ] && previous_mount_opts+=","
+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
+        fs_type=""
+        if [  "$fs_type" == "iso9660" ] ; then
+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
+        fi
+        echo " /boot  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+    fi
+
+
+    if mkdir -p "/boot"; then
+        if mountpoint -q "/boot"; then
+            mount -o remount --target "/boot"
+        fi
+    fi
+}
+
+perform_remediation
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Add nodev Option to /dev/shm   [ref]

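Review bot: in the `elif` branch of the /boot script added in this hunk, `previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')` has no `head -1`, unlike the mtab branch just above it (`grep ... /etc/mtab | head -1 | awk '{print $4}'`); if /etc/fstab carries two active lines for `/boot`, the variable holds two newline-separated values and the following `sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab` becomes a multi-line, invalid sed script. That expression also interpolates the option string into a regex unescaped, so `.` in a value such as `x-systemd.automount` is a metacharacter; it still matches its literal self, but escaping the value (or addressing the line by number from the first grep) would make the edit exact. Adding `head -1` to the fstab branch brings it in line with the mtab branch.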
The nodev mount option can be used to prevent creation of device @@ -74977,7 +74977,137 @@ /dev/shm.

Rationale:

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80837-8

References:  - 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040120, 1.1.8.1, SV-230508r854049_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
+  command: findmnt  '/dev/shm'
+  register: device_name
+  failed_when: device_name.rc > 1
+  changed_when: false
+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-80837-8
+  - DISA-STIG-RHEL-08-040120
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
+  set_fact:
+    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+  with_together:
+  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+  - '{{ device_name.stdout_lines[1].split() | list }}'
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - device_name.stdout is defined and device_name.stdout_lines is defined
+  - (device_name.stdout | length > 0)
+  tags:
+  - CCE-80837-8
+  - DISA-STIG-RHEL-08-040120
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
+  set_fact:
+    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+  with_together:
+  - - target
+    - source
+    - fstype
+    - options
+  - - /dev/shm
+    - tmpfs
+    - tmpfs
+    - defaults
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ("" | length == 0)
+  - (device_name.stdout | length == 0)
+  tags:
+  - CCE-80837-8
+  - DISA-STIG-RHEL-08-040120
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm
+    options'
+  set_fact:
+    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
+      }) }}'
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - mount_info is defined and "nodev" not in mount_info.options
+  tags:
+  - CCE-80837-8
+  - DISA-STIG-RHEL-08-040120
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
+  mount:
+    path: /dev/shm
+    src: '{{ mount_info.source }}'
+    opts: '{{ mount_info.options }}'
+    state: mounted
+    fstype: '{{ mount_info.fstype }}'
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
+    length == 0)
+  tags:
+  - CCE-80837-8
+  - DISA-STIG-RHEL-08-040120
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_dev_shm_nodev
+  - no_reboot_needed
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 function perform_remediation {
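Review bot: the condition `- ("" | length == 0)` in the `If /dev/shm not mounted, craft mount_info manually` task, and again as `or ("" | length == 0)` in the `Ensure /dev/shm is mounted with nodev option` task, is always true; it reads like a template parameter that rendered empty (the neighbouring `(device_name.stdout | length == 0)` test suggests it was meant to compare a device name). The effect is that the mount task runs whether or not `findmnt` found the mount, which is probably the intent for /dev/shm, but that should be expressed with a real condition or the clause removed rather than left as a literal the reader has to evaluate. Separately, the escaping in `mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'` (runs of four and five single quotes) is hard to verify by eye; a double-quoted YAML scalar would make the Jinja expression readable.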
@@ -75018,136 +75148,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
-  command: findmnt  '/dev/shm'
-  register: device_name
-  failed_when: device_name.rc > 1
-  changed_when: false
-  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  tags:
-  - CCE-80837-8
-  - DISA-STIG-RHEL-08-040120
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_dev_shm_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
-  set_fact:
-    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
-  with_together:
-  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
-  - '{{ device_name.stdout_lines[1].split() | list }}'
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - device_name.stdout is defined and device_name.stdout_lines is defined
-  - (device_name.stdout | length > 0)
-  tags:
-  - CCE-80837-8
-  - DISA-STIG-RHEL-08-040120
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_dev_shm_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
-  set_fact:
-    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
-  with_together:
-  - - target
-    - source
-    - fstype
-    - options
-  - - /dev/shm
-    - tmpfs
-    - tmpfs
-    - defaults
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - ("" | length == 0)
-  - (device_name.stdout | length == 0)
-  tags:
-  - CCE-80837-8
-  - DISA-STIG-RHEL-08-040120
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_dev_shm_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm
-    options'
-  set_fact:
-    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
-      }) }}'
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - mount_info is defined and "nodev" not in mount_info.options
-  tags:
-  - CCE-80837-8
-  - DISA-STIG-RHEL-08-040120
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_dev_shm_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
-  mount:
-    path: /dev/shm
-    src: '{{ mount_info.source }}'
-    opts: '{{ mount_info.options }}'
-    state: mounted
-    fstype: '{{ mount_info.fstype }}'
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
-    length == 0)
-  tags:
-  - CCE-80837-8
-  - DISA-STIG-RHEL-08-040120
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_dev_shm_nodev
-  - no_reboot_needed
 

Rule   Add noexec Option to /dev/shm   [ref]

The noexec mount option can be used to prevent binaries @@ -75159,48 +75159,7 @@ /dev/shm.

Rationale:

Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80838-6

References:  - 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040122, 1.1.8.2, SV-230510r854051_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-function perform_remediation {
-    
-
-
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)"
-
-    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
-    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
-        # runtime opts without some automatic kernel/userspace-added defaults
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
-        [ "$previous_mount_opts" ] && previous_mount_opts+=","
-        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
-        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
-        fs_type="tmpfs"
-        if [  "$fs_type" == "iso9660" ] ; then
-            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
-        fi
-        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
-    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
-    fi
-
-
-    if mkdir -p "/dev/shm"; then
-        if mountpoint -q "/dev/shm"; then
-            mount -o remount --target "/dev/shm"
-        fi
-    fi
-}
-
-perform_remediation
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
   command: findmnt  '/dev/shm'
   register: device_name
   failed_when: device_name.rc > 1
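Review bot: the removed script in this hunk hard-codes `fs_type="tmpfs"` and then tests `if [  "$fs_type" == "iso9660" ] ; then`, with the comment admitting the variable exists only to satisfy shellcheck SC2050; the /boot and /boot/efi scripts above do the same with `fs_type=""`. Since the filesystem type is fixed when the script is generated, the generator could emit the `blocksize=` to `block=` rewrite only for iso9660 mounts and leave the comparison out elsewhere, instead of shipping a branch that can never run. Worth noting that this /dev/shm variant, unlike the /boot ones, has no fstab guard, so its mtab branch is live and its `echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab` line writes all six fields; it is the version the other mount-option scripts should be compared against.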
@@ -75331,17 +75290,7 @@
   - medium_severity
   - mount_option_dev_shm_noexec
   - no_reboot_needed
-

Rule   - Add nosuid Option to /dev/shm -   [ref]

The nosuid mount option can be used to prevent execution -of setuid programs in /dev/shm. The SUID and SGID permissions should not -be required in these world-writable directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/dev/shm.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from temporary storage partitions.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80839-4

References:  - 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, 1.1.8.3, SV-230509r854050_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 function perform_remediation {
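Review bot: the `-`/`+` pairs in this hunk are an alignment artifact rather than a content change: the noexec rule's Ansible snippet is now followed by that rule's own Shell script instead of by the next rule header, so the nosuid /dev/shm rule (CCE-80839-4, its rationale and its reference list) shows as removed here and is re-added verbatim further down in the `+ Add nosuid Option to /dev/shm +` block. Nothing in the rule text needs review; what would help future automated publishes is a stable ordering of remediation types in the generator (the old render had Shell before Ansible, the new one has Ansible before Shell), so that a re-render does not produce thousands of moved lines that look like option changes.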
@@ -75354,7 +75303,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -75362,11 +75311,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
     fi
 
 
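Review bot: the presence check in the `elif` branch, `grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"`, matches the token anywhere on the fstab line rather than in the options column, and the following `sed -i` interpolates `${previous_mount_opts}` unescaped into a basic-regex pattern, so the script's correctness depends on the option string containing no regex metacharacters. A tighter presence test works on the fourth field only, e.g. `awk -v re="$mount_point_match_regexp" '$0 ~ re && $4 ~ /(^|,)noexec(,|$)/' /etc/fstab`, and the sed pattern should escape `previous_mount_opts` before use. The `-nosuid`/`+noexec` pairs in this hunk are again the moved-section artifact, not a change of which option the script adds.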
@@ -75382,7 +75331,17 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
+

Rule   + Add nosuid Option to /dev/shm +   [ref]

The nosuid mount option can be used to prevent execution +of setuid programs in /dev/shm. The SUID and SGID permissions should not +be required in these world-writable directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/dev/shm.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from temporary storage partitions.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80839-4

References:  + 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, 1.1.8.3, SV-230509r854050_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
   command: findmnt  '/dev/shm'
   register: device_name
   failed_when: device_name.rc > 1
@@ -75513,54 +75472,38 @@
   - medium_severity
   - mount_option_dev_shm_nosuid
   - no_reboot_needed
-

Rule   - Add noexec Option to /home -   [ref]

The noexec mount option can be used to prevent binaries from being -executed out of /home. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/home.

Rationale:

The /home directory contains data of individual users. Binaries in -this directory should not be considered as trusted and users should not be -able to execute them.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-83328-5

References:  - BP28(R12), CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-010590, SV-230302r627750_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 function perform_remediation {
     
-        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")"
-
-    grep "$mount_point_match_regexp" -q /etc/fstab \
-        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
-                echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
-    
 
 
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)"
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)"
 
     # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
-        fs_type=""
+        fs_type="tmpfs"
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /home  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
+        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
     fi
 
 
-    if mkdir -p "/home"; then
-        if mountpoint -q "/home"; then
-            mount -o remount --target "/home"
+    if mkdir -p "/dev/shm"; then
+        if mountpoint -q "/dev/shm"; then
+            mount -o remount --target "/dev/shm"
         fi
     fi
 }
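Review bot: the removed /home half of this hunk contains an unreachable branch: the guard at the top of `perform_remediation` returns 1 with the "not even in /etc/fstab" message when /home is absent from fstab, yet the `if ! grep -q "$mount_point_match_regexp" /etc/fstab` branch below it would, if it were ever reached, run `echo " /home  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab`, appending an fstab line with empty device and fstype fields. The /dev/shm variant on the `+` side has no such guard because it can legitimately append `tmpfs /dev/shm tmpfs ...`. The template should emit the fallback append only for mount points with a known device and type, and otherwise omit the dead branch together with the `fs_type=""` stub that accompanies it.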
@@ -75570,6 +75513,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add noexec Option to /home +   [ref]

The noexec mount option can be used to prevent binaries from being +executed out of /home. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/home.

Rationale:

The /home directory contains data of individual users. Binaries in +this directory should not be considered as trusted and users should not be +able to execute them.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-83328-5

References:  + BP28(R12), CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-010590, SV-230302r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /home --mountoptions="noexec"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /home: Check information associated to mountpoint'
   command: findmnt --fstab '/home'
   register: device_name
@@ -75675,20 +75630,8 @@
   - medium_severity
   - mount_option_home_noexec
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /home --mountoptions="noexec"
-

Rule   - Add nosuid Option to /home -   [ref]

The nosuid mount option can be used to prevent -execution of setuid programs in /home. The SUID and SGID permissions -should not be required in these user data directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/home.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from user home directory partitions.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81050-7

References:  - BP28(R28), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, 1.1.7.3, SV-230299r627750_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 function perform_remediation {
     
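Review bot: the applicability guards for the two /home rules differ: the noexec /home script on the `+` side is gated only on the container checks `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]`, while the nosuid /home script on the `-` side (re-added later in this patch) additionally requires `findmnt --kernel "/home"` or `findmnt --fstab "/home"` to succeed. Both rules target the same mount point and should declare the same platform; as published, a host without a separate /home gets "Remediation is not applicable, nothing was done" from the nosuid rule but, as the removed copy of the noexec /home script earlier in this patch shows, the in-function "Not remediating, because there is no record of /home in /etc/fstab" message with a non-zero return from the noexec rule, so the same condition is reported two different ways.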
@@ -75706,7 +75649,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -75714,11 +75657,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /home  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo " /home  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
     fi
 
 
@@ -75734,6 +75677,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nosuid Option to /home +   [ref]

The nosuid mount option can be used to prevent +execution of setuid programs in /home. The SUID and SGID permissions +should not be required in these user data directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/home.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from user home directory partitions.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81050-7

References:  + BP28(R28), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, 1.1.7.3, SV-230299r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /home --mountoptions="nosuid"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /home: Check information associated to mountpoint'
   command: findmnt --fstab '/home'
   register: device_name
@@ -75869,8 +75824,53 @@
   - medium_severity
   - mount_option_home_nosuid
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /home --mountoptions="nosuid"
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then
+
+function perform_remediation {
+    
+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")"
+
+    grep "$mount_point_match_regexp" -q /etc/fstab \
+        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
+                echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
+    
+
+
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)"
+
+    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
+        # runtime opts without some automatic kernel/userspace-added defaults
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+        [ "$previous_mount_opts" ] && previous_mount_opts+=","
+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
+        fs_type=""
+        if [  "$fs_type" == "iso9660" ] ; then
+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
+        fi
+        echo " /home  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+    fi
+
+
+    if mkdir -p "/home"; then
+        if mountpoint -q "/home"; then
+            mount -o remount --target "/home"
+        fi
+    fi
+}
+
+perform_remediation
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Add nodev Option to Non-Root Local Partitions   [ref]

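Review bot: the added applicability guard `if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then` does not do what its layout suggests: `&&` and `||` have equal precedence in the shell and associate left to right, so a host whose /etc/fstab lists /home enters the remediation even when a container marker file exists, bypassing the container checks entirely. Group the two findmnt alternatives, e.g. `... && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then`, so the container test always applies. The same expression appears in the removed copy of this script earlier in the patch, so the fix belongs in the platform template rather than in this one instance.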
The nodev mount option prevents files from being interpreted as @@ -75886,7 +75886,35 @@ The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82069-6

References:  - BP28(R12), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010580, SV-230301r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: Ensure non-root local partitions are mounted with nodev option
+  mount:
+    path: '{{ item.mount }}'
+    src: '{{ item.device }}'
+    opts: '{{ item.options }},nodev'
+    state: mounted
+    fstype: '{{ item.fstype }}'
+  when:
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - item.mount is match('/\w')
+  - item.options is not search('nodev')
+  with_items:
+  - '{{ ansible_facts.mounts }}'
+  tags:
+  - CCE-82069-6
+  - DISA-STIG-RHEL-08-010580
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_nodev_nonroot_local_partitions
+  - no_reboot_needed
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 MOUNT_OPTION="nodev"
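Review bot: the added Ansible task `Ensure non-root local partitions are mounted with nodev option` is broader than the rule title: its `when` list only excludes containers, the root filesystem (`item.mount is match('/\w')`) and entries that already carry `nodev`, with no filter on filesystem type or device, so network and pseudo filesystems reported in `ansible_facts.mounts` are remounted as well. Its `opts: '{{ item.options }},nodev'` also copies the kernel-reported runtime options (`rw`, `relatime`, `seclabel` and similar) into /etc/fstab through `state: mounted`, which persists options that were never in the original fstab entry and can diverge from what the Shell remediation for the same rule writes. Suggest a condition such as `item.device is match('/dev/')` and deriving `opts` from the fstab entry rather than from the live mount.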
@@ -75936,34 +75964,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: Ensure non-root local partitions are mounted with nodev option
-  mount:
-    path: '{{ item.mount }}'
-    src: '{{ item.device }}'
-    opts: '{{ item.options }},nodev'
-    state: mounted
-    fstype: '{{ item.fstype }}'
-  when:
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - item.mount is match('/\w')
-  - item.options is not search('nodev')
-  with_items:
-  - '{{ ansible_facts.mounts }}'
-  tags:
-  - CCE-82069-6
-  - DISA-STIG-RHEL-08-010580
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_nodev_nonroot_local_partitions
-  - no_reboot_needed
 

Rule   Add nodev Option to Removable Media Partitions   [ref]

The nodev mount option prevents files from being @@ -75979,26 +75979,7 @@ not advised to set nodev on partitions which contain their root filesystems.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82742-8

References:  - 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010600, 1.1.18, SV-230303r627750_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-var_removable_partition='(N/A)'
-
-
-device_regex="^\s*$var_removable_partition\s\+"
-mount_option="nodev"
-
-if grep -q $device_regex /etc/fstab ; then
-    previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
-    sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
-else
-    echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: XCCDF Value var_removable_partition # promote to variable
   set_fact:
     var_removable_partition: !!str (N/A)
   tags:
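Review bot: the removed removable-media Shell script (and its re-added twin below) is a no-op unless the XCCDF value is tailored: with the default `var_removable_partition='(N/A)'`, `device_regex="^\s*$var_removable_partition\s\+"` becomes `^\s*(N/A)\s\+`, which matches no fstab entry, so the script always ends in the "Not remediating" message. Both grep calls also leave `$device_regex` unquoted, so a tailored device containing whitespace or glob characters is word-split or expanded by the shell before grep sees it; quote it as `grep -q "$device_regex" /etc/fstab`. Finally, `previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')` captures every matching line, so two fstab entries for the same device yield a multi-line value that breaks the `sed -i` pattern built from it; take `head -1` or refuse to proceed when more than one line matches.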
@@ -76026,26 +76007,14 @@
   - medium_severity
   - mount_option_nodev_removable_partitions
   - no_reboot_needed
-

Rule   - Add noexec Option to Removable Media Partitions -   [ref]

The noexec mount option prevents the direct execution of binaries -on the mounted filesystem. Preventing the direct execution of binaries from -removable media (such as a USB key) provides a defense against malicious -software that may be present on such untrusted media. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions.

Rationale:

Allowing users to execute binaries from removable media such as USB keys exposes -the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82746-9

References:  - 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000087, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010610, 1.1.20, SV-230304r627750_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 var_removable_partition='(N/A)'
 
 
 device_regex="^\s*$var_removable_partition\s\+"
-mount_option="noexec"
+mount_option="nodev"
 
 if grep -q $device_regex /etc/fstab ; then
     previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
@@ -76057,7 +76026,19 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: XCCDF Value var_removable_partition # promote to variable
+

Rule   + Add noexec Option to Removable Media Partitions +   [ref]

The noexec mount option prevents the direct execution of binaries +on the mounted filesystem. Preventing the direct execution of binaries from +removable media (such as a USB key) provides a defense against malicious +software that may be present on such untrusted media. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions.

Rationale:

Allowing users to execute binaries from removable media such as USB keys exposes +the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82746-9

References:  + 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000087, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010610, 1.1.20, SV-230304r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: XCCDF Value var_removable_partition # promote to variable
   set_fact:
     var_removable_partition: !!str (N/A)
   tags:
@@ -76085,28 +76066,14 @@
   - medium_severity
   - mount_option_noexec_removable_partitions
   - no_reboot_needed
-

Rule   - Add nosuid Option to Removable Media Partitions -   [ref]

The nosuid mount option prevents set-user-identifier (SUID) -and set-group-identifier (SGID) permissions from taking effect. These permissions -allow users to execute binaries with the same permissions as the owner and group -of the file respectively. Users should not be allowed to introduce SUID and SGID -files into the system via partitions mounted from removeable media. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Allowing -users to introduce SUID or SGID binaries from partitions mounted off of -removable media would allow them to introduce their own highly-privileged programs.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82744-4

References:  - 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010620, 1.1.19, SV-230305r627750_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 var_removable_partition='(N/A)'
 
 
 device_regex="^\s*$var_removable_partition\s\+"
-mount_option="nosuid"
+mount_option="noexec"
 
 if grep -q $device_regex /etc/fstab ; then
     previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
@@ -76118,7 +76085,21 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: XCCDF Value var_removable_partition # promote to variable
+

Rule   + Add nosuid Option to Removable Media Partitions +   [ref]

The nosuid mount option prevents set-user-identifier (SUID) +and set-group-identifier (SGID) permissions from taking effect. These permissions +allow users to execute binaries with the same permissions as the owner and group +of the file respectively. Users should not be allowed to introduce SUID and SGID +files into the system via partitions mounted from removeable media. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Allowing +users to introduce SUID or SGID binaries from partitions mounted off of +removable media would allow them to introduce their own highly-privileged programs.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82744-4

References:  + 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010620, 1.1.19, SV-230305r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: XCCDF Value var_removable_partition # promote to variable
   set_fact:
     var_removable_partition: !!str (N/A)
   tags:
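Review bot: `var_removable_partition: !!str (N/A)` bakes the untailored placeholder into the generated playbook, so unless the tasks that follow (not shown in this hunk) guard on it, the Ansible remediation cannot match any /etc/fstab device and will silently do nothing; it should fail or skip explicitly when the value is still `(N/A)`. Also, "removeable media" in the added rule description should read "removable media".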
@@ -76146,6 +76127,25 @@
   - medium_severity
   - mount_option_nosuid_removable_partitions
   - no_reboot_needed
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_removable_partition='(N/A)'
+
+
+device_regex="^\s*$var_removable_partition\s\+"
+mount_option="nosuid"
+
+if grep -q $device_regex /etc/fstab ; then
+    previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
+    sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
+else
+    echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Add nodev Option to /tmp   [ref]

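Review bot: the added script appends the option unconditionally, `sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab`, with no check that `nosuid` is already present, so each re-run of the remediation grows the options column by another `,nosuid`; gate it the way the /tmp scripts below do (`elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"`). `$previous_opts` is also interpolated into the sed expression unescaped, so a `|` or regex metacharacter in the options field would break the substitution.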
The nodev mount option can be used to prevent device files from @@ -76156,53 +76156,8 @@ /tmp.

Rationale:

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82623-0

References:  - BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, 1.1.2.2, SV-230511r854052_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then
-
-function perform_remediation {
-    
-        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")"
-
-    grep "$mount_point_match_regexp" -q /etc/fstab \
-        || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
-                echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
-    
-
-
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)"
-
-    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
-    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
-        # runtime opts without some automatic kernel/userspace-added defaults
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
-        [ "$previous_mount_opts" ] && previous_mount_opts+=","
-        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
-        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
-        fs_type=""
-        if [  "$fs_type" == "iso9660" ] ; then
-            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
-        fi
-        echo " /tmp  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
-    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
-    fi
-
-
-    if mkdir -p "/tmp"; then
-        if mountpoint -q "/tmp"; then
-            mount -o remount --target "/tmp"
-        fi
-    fi
-}
-
-perform_remediation
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, 1.1.2.2, SV-230511r854052_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /tmp --mountoptions="nodev"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /tmp: Check information associated to mountpoint'
   command: findmnt --fstab '/tmp'
   register: device_name
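Review bot: in the removed /tmp nodev script the fallback `echo " /tmp  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab` writes an fstab line with an empty device column; it is unreachable here because `perform_remediation` has already returned 1 when `/tmp` is absent from /etc/fstab, so it is dead code and should be dropped together with the `fs_type=""` iso9660 branch that can never fire, rather than left to surprise whoever relaxes the earlier check. Separately, the applicability test `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null` groups as `(A && B && C) || D`, so inside a container with /tmp listed in /etc/fstab the script still runs; parenthesize the two `findmnt` alternatives if the container guard is meant to cover both. The same script reappears unchanged as context in the hunks below, so the fix belongs in the generator template, not in this rendering.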
@@ -76337,19 +76292,7 @@
   - medium_severity
   - mount_option_tmp_nodev
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /tmp --mountoptions="nodev"
-

Rule   - Add noexec Option to /tmp -   [ref]

The noexec mount option can be used to prevent binaries -from being executed out of /tmp. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/tmp.

Rationale:

Allowing users to execute binaries from world-writable directories -such as /tmp should never be necessary in normal operation and -can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82139-7

References:  - BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, 1.1.2.3, SV-230513r854054_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then
 
 function perform_remediation {
@@ -76368,7 +76311,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
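Review bot: the `(rw|defaults|seclabel|noexec)` to `(rw|defaults|seclabel|nodev)` substitution here, and the matching `noexec` to `nodev` flips in the next hunk, are not edits to either script: the nodev /tmp shell remediation has been moved below its Anaconda and Ansible snippets (`+part /tmp --mountoptions="nodev"` now appears before the Ansible snippet and `-part /tmp --mountoptions="nodev"` is dropped after it), and the diff aligns the moved nodev script against the noexec script that used to follow it. Reading this as a change to the noexec rule would be wrong. Having the generator emit remediation snippets in a fixed order would avoid this kind of churn on every automated publish and keep the diffs reviewable.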
@@ -76376,11 +76319,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /tmp  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
+        echo " /tmp  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
     fi
 
 
@@ -76396,6 +76339,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add noexec Option to /tmp +   [ref]

The noexec mount option can be used to prevent binaries +from being executed out of /tmp. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/tmp.

Rationale:

Allowing users to execute binaries from world-writable directories +such as /tmp should never be necessary in normal operation and +can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82139-7

References:  + BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, 1.1.2.3, SV-230513r854054_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /tmp --mountoptions="noexec"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /tmp: Check information associated to mountpoint'
   command: findmnt --fstab '/tmp'
   register: device_name
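Review bot: the added noexec /tmp rule text says executing from /tmp "should never be necessary in normal operation", yet the snippet is rightly tagged `Disruption:high`: installers and build tools that unpack and run helpers from /tmp stop working once `noexec` is in effect, and with `Reboot:false` the remount applies immediately. The description should name that trade-off (and the usual workaround of pointing `TMPDIR` at a location that is not mounted noexec for such jobs) so operators do not discover it from a failed install.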
@@ -76531,19 +76486,7 @@
   - medium_severity
   - mount_option_tmp_noexec
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /tmp --mountoptions="noexec"
-

Rule   - Add nosuid Option to /tmp -   [ref]

The nosuid mount option can be used to prevent -execution of setuid programs in /tmp. The SUID and SGID permissions -should not be required in these world-writable directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/tmp.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from temporary storage partitions.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82140-5

References:  - BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, 1.1.2.4, SV-230512r854053_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then
 
 function perform_remediation {
@@ -76562,7 +76505,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -76570,11 +76513,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /tmp  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo " /tmp  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
     fi
 
 
@@ -76590,6 +76533,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nosuid Option to /tmp +   [ref]

The nosuid mount option can be used to prevent +execution of setuid programs in /tmp. The SUID and SGID permissions +should not be required in these world-writable directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/tmp.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from temporary storage partitions.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82140-5

References:  + BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, 1.1.2.4, SV-230512r854053_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /tmp --mountoptions="nosuid"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /tmp: Check information associated to mountpoint'
   command: findmnt --fstab '/tmp'
   register: device_name
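Review bot: the added nosuid /tmp description limits the effect of `nosuid` to the SUID and SGID bits, but the kernel also ignores file capabilities (the `security.capability` xattr) on a nosuid mount, which is worth stating since it closes the same privilege-escalation path. Anyone verifying the result should confirm with `findmnt -no OPTIONS /tmp` after the remount rather than trusting the /etc/fstab edit alone, since the script only remounts when `mountpoint -q "/tmp"` succeeds.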
@@ -76725,40 +76680,26 @@
   - medium_severity
   - mount_option_tmp_nosuid
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /tmp --mountoptions="nosuid"
-

Rule   - Add nodev Option to /var/log/audit -   [ref]

The nodev mount option can be used to prevent device files from -being created in /var/log/audit. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/log/audit.

Rationale:

The only legitimate location for device files is the /dev directory -located on the root partition. The only exception to this is chroot jails.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82080-3

References:  - CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, 1.1.6.3, SV-230517r854058_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then
 
 function perform_remediation {
     
-        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")"
+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")"
 
     grep "$mount_point_match_regexp" -q /etc/fstab \
-        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
-                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
+        || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
+                echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
     
 
 
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)"
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)"
 
     # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -76766,17 +76707,17 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /var/log/audit  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
+        echo " /tmp  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
     fi
 
 
-    if mkdir -p "/var/log/audit"; then
-        if mountpoint -q "/var/log/audit"; then
-            mount -o remount --target "/var/log/audit"
+    if mkdir -p "/tmp"; then
+        if mountpoint -q "/tmp"; then
+            mount -o remount --target "/tmp"
         fi
     fi
 }
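Review bot: the `/var/log/audit` to `/tmp` and `nodev` to `nosuid` replacements through this hunk are the same move artifact as above (the nosuid /tmp shell script now occupies the slot the old /var/log/audit nodev script held); neither script changed. One thing the unchanged tail relies on silently: `mount -o remount --target "/tmp"` applies the new option only because no device is given, which makes mount re-read the options from /etc/fstab, so the remount is effective solely when the preceding `sed -i` succeeded. A comment saying so, or a post-check of `findmnt -no OPTIONS`, would make that dependency explicit.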
@@ -76786,6 +76727,20 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nodev Option to /var/log/audit +   [ref]

The nodev mount option can be used to prevent device files from +being created in /var/log/audit. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log/audit.

Rationale:

The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82080-3

References:  + CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, 1.1.6.3, SV-230517r854058_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log/audit --mountoptions="nodev"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint'
   command: findmnt --fstab '/var/log/audit'
   register: device_name
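Review bot: the added nodev /var/log/audit rule only acts when /var/log/audit is its own mount (the shell script is gated on `findmnt --kernel "/var/log/audit"` / `findmnt --fstab "/var/log/audit"` and otherwise prints "Remediation is not applicable"), and the Anaconda snippet `part /var/log/audit --mountoptions="nodev"` likewise presumes a dedicated partition; the description should state that prerequisite so a reader does not take a skipped remediation for a satisfied control.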
@@ -76924,19 +76879,7 @@
   - medium_severity
   - mount_option_var_log_audit_nodev
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log/audit --mountoptions="nodev"
-

Rule   - Add noexec Option to /var/log/audit -   [ref]

The noexec mount option can be used to prevent binaries -from being executed out of /var/log/audit. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/log/audit.

Rationale:

Allowing users to execute binaries from directories containing audit log files -such as /var/log/audit should never be necessary in normal operation and -can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82975-4

References:  - CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, 1.1.6.2, SV-230519r854060_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then
 
 function perform_remediation {
@@ -76955,7 +76898,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -76963,11 +76906,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /var/log/audit  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
+        echo " /var/log/audit  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
     fi
 
 
@@ -76983,6 +76926,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add noexec Option to /var/log/audit +   [ref]

The noexec mount option can be used to prevent binaries +from being executed out of /var/log/audit. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log/audit.

Rationale:

Allowing users to execute binaries from directories containing audit log files +such as /var/log/audit should never be necessary in normal operation and +can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82975-4

References:  + CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, 1.1.6.2, SV-230519r854060_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log/audit --mountoptions="noexec"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint'
   command: findmnt --fstab '/var/log/audit'
   register: device_name
@@ -77121,20 +77076,7 @@
   - medium_severity
   - mount_option_var_log_audit_noexec
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log/audit --mountoptions="noexec"
-

Rule   - Add nosuid Option to /var/log/audit -   [ref]

The nosuid mount option can be used to prevent -execution of setuid programs in /var/log/audit. The SUID and SGID permissions -should not be required in directories containing audit log files. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/log/audit.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from partitions -designated for audit log files.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82921-8

References:  - CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, 1.1.6.4, SV-230518r854059_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then
 
 function perform_remediation {
@@ -77153,7 +77095,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -77161,11 +77103,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /var/log/audit  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo " /var/log/audit  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
     fi
 
 
@@ -77181,6 +77123,19 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nosuid Option to /var/log/audit +   [ref]

The nosuid mount option can be used to prevent +execution of setuid programs in /var/log/audit. The SUID and SGID permissions +should not be required in directories containing audit log files. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log/audit.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from partitions +designated for audit log files.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82921-8

References:  + CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, 1.1.6.4, SV-230518r854059_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log/audit --mountoptions="nosuid"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint'
   command: findmnt --fstab '/var/log/audit'
   register: device_name
@@ -77319,8 +77274,53 @@
   - medium_severity
   - mount_option_var_log_audit_nosuid
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log/audit --mountoptions="nosuid"
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then
+
+function perform_remediation {
+    
+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")"
+
+    grep "$mount_point_match_regexp" -q /etc/fstab \
+        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
+                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
+    
+
+
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)"
+
+    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
+        # runtime opts without some automatic kernel/userspace-added defaults
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+        [ "$previous_mount_opts" ] && previous_mount_opts+=","
+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
+        fs_type=""
+        if [  "$fs_type" == "iso9660" ] ; then
+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
+        fi
+        echo " /var/log/audit  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+    fi
+
+
+    if mkdir -p "/var/log/audit"; then
+        if mountpoint -q "/var/log/audit"; then
+            mount -o remount --target "/var/log/audit"
+        fi
+    fi
+}
+
+perform_remediation
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
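Review bot: The applicability guard at the top of this script, `if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then`, does not do what its layout suggests: in a shell AND-OR list `&&` and `||` have equal precedence and associate left to right, so it parses as `(not-docker && not-container && kernel-mounted) || in-fstab`, and both container checks are skipped whenever /var/log/audit has an /etc/fstab entry. Group the two halves explicitly, e.g. `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null; }; then`. Minor: `mount_point_match_regexp` is assigned twice with the same value inside `perform_remediation`; the second assignment can be dropped.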

Rule   Add nodev Option to /var/log   [ref]

The nodev mount option can be used to prevent device files from @@ -77333,7 +77333,145 @@ /var/log.

Rationale:

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82077-9

References:  - CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040126, 1.1.5.2, SV-230514r854055_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log --mountoptions="nodev"
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /var/log: Check information associated to mountpoint'
+  command: findmnt --fstab '/var/log'
+  register: device_name
+  failed_when: device_name.rc > 1
+  changed_when: false
+  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+    "container"] and "/var/log" in ansible_mounts | map(attribute="mount") | list
+    )
+  tags:
+  - CCE-82077-9
+  - DISA-STIG-RHEL-08-040126
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_var_log_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /var/log: Create mount_info dictionary variable'
+  set_fact:
+    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+  with_together:
+  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+  - '{{ device_name.stdout_lines[1].split() | list }}'
+  when:
+  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
+  - device_name.stdout is defined and device_name.stdout_lines is defined
+  - (device_name.stdout | length > 0)
+  tags:
+  - CCE-82077-9
+  - DISA-STIG-RHEL-08-040126
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_var_log_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info manually'
+  set_fact:
+    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+  with_together:
+  - - target
+    - source
+    - fstype
+    - options
+  - - /var/log
+    - ''
+    - ''
+    - defaults
+  when:
+  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
+  - ("--fstab" | length == 0)
+  - (device_name.stdout | length == 0)
+  tags:
+  - CCE-82077-9
+  - DISA-STIG-RHEL-08-040126
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_var_log_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /var/log: Make sure nodev option is part of the to /var/log
+    options'
+  set_fact:
+    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
+      }) }}'
+  when:
+  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
+  - mount_info is defined and "nodev" not in mount_info.options
+  tags:
+  - CCE-82077-9
+  - DISA-STIG-RHEL-08-040126
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_var_log_nodev
+  - no_reboot_needed
+
+- name: 'Add nodev Option to /var/log: Ensure /var/log is mounted with nodev option'
+  mount:
+    path: /var/log
+    src: '{{ mount_info.source }}'
+    opts: '{{ mount_info.options }}'
+    state: mounted
+    fstype: '{{ mount_info.fstype }}'
+  when:
+  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
+  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+    | length == 0)
+  tags:
+  - CCE-82077-9
+  - DISA-STIG-RHEL-08-040126
+  - NIST-800-53-AC-6
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-CM-7(a)
+  - NIST-800-53-CM-7(b)
+  - NIST-800-53-MP-7
+  - configure_strategy
+  - high_disruption
+  - low_complexity
+  - medium_severity
+  - mount_option_var_log_nodev
+  - no_reboot_needed
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then
 
 function perform_remediation {
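Review bot: In the task 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info manually', the condition `("--fstab" | length == 0)` compares the length of the literal string "--fstab" (8) with 0, so it is always false and that task can never run; the same literal in the final mount task's `or ("--fstab" | length == 0)` never contributes either. If the intent for this fstab-only variant is that remediation always requires a findmnt hit, the dead task and the trailing `or` clause should be removed rather than left as a template residue that misleads readers. Also worth a comment: `failed_when: device_name.rc > 1` deliberately tolerates findmnt's exit code 1 (target absent), which the later tasks handle through `device_name.stdout | length`.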
@@ -77380,144 +77518,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /var/log: Check information associated to mountpoint'
-  command: findmnt --fstab '/var/log'
-  register: device_name
-  failed_when: device_name.rc > 1
-  changed_when: false
-  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
-    "container"] and "/var/log" in ansible_mounts | map(attribute="mount") | list
-    )
-  tags:
-  - CCE-82077-9
-  - DISA-STIG-RHEL-08-040126
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_var_log_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /var/log: Create mount_info dictionary variable'
-  set_fact:
-    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
-  with_together:
-  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
-  - '{{ device_name.stdout_lines[1].split() | list }}'
-  when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
-  - device_name.stdout is defined and device_name.stdout_lines is defined
-  - (device_name.stdout | length > 0)
-  tags:
-  - CCE-82077-9
-  - DISA-STIG-RHEL-08-040126
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_var_log_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info manually'
-  set_fact:
-    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
-  with_together:
-  - - target
-    - source
-    - fstype
-    - options
-  - - /var/log
-    - ''
-    - ''
-    - defaults
-  when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
-  - ("--fstab" | length == 0)
-  - (device_name.stdout | length == 0)
-  tags:
-  - CCE-82077-9
-  - DISA-STIG-RHEL-08-040126
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_var_log_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /var/log: Make sure nodev option is part of the to /var/log
-    options'
-  set_fact:
-    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
-      }) }}'
-  when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
-  - mount_info is defined and "nodev" not in mount_info.options
-  tags:
-  - CCE-82077-9
-  - DISA-STIG-RHEL-08-040126
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_var_log_nodev
-  - no_reboot_needed
-
-- name: 'Add nodev Option to /var/log: Ensure /var/log is mounted with nodev option'
-  mount:
-    path: /var/log
-    src: '{{ mount_info.source }}'
-    opts: '{{ mount_info.options }}'
-    state: mounted
-    fstype: '{{ mount_info.fstype }}'
-  when:
-  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-    and "/var/log" in ansible_mounts | map(attribute="mount") | list )
-  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
-    | length == 0)
-  tags:
-  - CCE-82077-9
-  - DISA-STIG-RHEL-08-040126
-  - NIST-800-53-AC-6
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - NIST-800-53-CM-7(a)
-  - NIST-800-53-CM-7(b)
-  - NIST-800-53-MP-7
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_var_log_nodev
-  - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log --mountoptions="nodev"
 

Rule   Add noexec Option to /var/log   [ref]

The noexec mount option can be used to prevent binaries @@ -77528,53 +77528,8 @@ such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82008-4

References:  - BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, 1.1.5.3, SV-230516r854057_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then
-
-function perform_remediation {
-    
-        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")"
-
-    grep "$mount_point_match_regexp" -q /etc/fstab \
-        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
-                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
-    
-
-
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)"
-
-    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
-    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
-        # runtime opts without some automatic kernel/userspace-added defaults
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
-        [ "$previous_mount_opts" ] && previous_mount_opts+=","
-        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
-        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
-        fs_type=""
-        if [  "$fs_type" == "iso9660" ] ; then
-            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
-        fi
-        echo " /var/log  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
-    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
-    fi
-
-
-    if mkdir -p "/var/log"; then
-        if mountpoint -q "/var/log"; then
-            mount -o remount --target "/var/log"
-        fi
-    fi
-}
-
-perform_remediation
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, 1.1.5.3, SV-230516r854057_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log --mountoptions="noexec"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /var/log: Check information associated to mountpoint'
   command: findmnt --fstab '/var/log'
   register: device_name
@@ -77712,20 +77667,7 @@
   - medium_severity
   - mount_option_var_log_noexec
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log --mountoptions="noexec"
-

Rule   - Add nosuid Option to /var/log -   [ref]

The nosuid mount option can be used to prevent -execution of setuid programs in /var/log. The SUID and SGID permissions -should not be required in directories containing log files. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/log.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from partitions -designated for log files.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82065-4

References:  - BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, 1.1.5.4, SV-230515r854056_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then
 
 function perform_remediation {
@@ -77744,7 +77686,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -77752,11 +77694,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /var/log  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo " /var/log  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
     fi
 
 
@@ -77772,6 +77714,19 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nosuid Option to /var/log +   [ref]

The nosuid mount option can be used to prevent +execution of setuid programs in /var/log. The SUID and SGID permissions +should not be required in directories containing log files. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from partitions +designated for log files.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82065-4

References:  + BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, 1.1.5.4, SV-230515r854056_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/log --mountoptions="nosuid"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /var/log: Check information associated to mountpoint'
   command: findmnt --fstab '/var/log'
   register: device_name
@@ -77909,38 +77864,26 @@
   - medium_severity
   - mount_option_var_log_nosuid
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/log --mountoptions="nosuid"
-

Rule   - Add nodev Option to /var/tmp -   [ref]

The nodev mount option can be used to prevent device files from -being created in /var/tmp. Legitimate character and block devices -should not exist within temporary directories like /var/tmp. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp.

Rationale:

The only legitimate location for device files is the /dev directory -located on the root partition. The only exception to this is chroot jails.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82068-8

References:  - BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040132, 1.1.4.4, SV-230520r854061_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then
 
 function perform_remediation {
     
-        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")"
+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")"
 
     grep "$mount_point_match_regexp" -q /etc/fstab \
-        || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
-                echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
+        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
+                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
     
 
 
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)"
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)"
 
     # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -77948,17 +77891,17 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /var/tmp  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
+        echo " /var/log  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
     fi
 
 
-    if mkdir -p "/var/tmp"; then
-        if mountpoint -q "/var/tmp"; then
-            mount -o remount --target "/var/tmp"
+    if mkdir -p "/var/log"; then
+        if mountpoint -q "/var/log"; then
+            mount -o remount --target "/var/log"
         fi
     fi
 }
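Review bot: The `if ! grep -q "$mount_point_match_regexp" /etc/fstab; then` branch in `perform_remediation` is unreachable: a few lines earlier the function already does `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }` with the same regexp, so by the time the `if` runs the mount point is known to be in /etc/fstab. That dead branch is also the one that would run `echo " /var/log  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab`, appending an entry whose device column is empty, so it should not survive as a fallback. Either remove the early return and fill the source column from findmnt, or delete the mtab branch so the script only ever takes the `elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"` path. Same applies to the identical /var/log/audit and /var/tmp scripts elsewhere in this patch.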
@@ -77968,6 +77911,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nodev Option to /var/tmp +   [ref]

The nodev mount option can be used to prevent device files from +being created in /var/tmp. Legitimate character and block devices +should not exist within temporary directories like /var/tmp. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/tmp.

Rationale:

The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82068-8

References:  + BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040132, 1.1.4.4, SV-230520r854061_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/tmp --mountoptions="nodev"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint'
   command: findmnt --fstab '/var/tmp'
   register: device_name
@@ -78074,19 +78029,7 @@
   - medium_severity
   - mount_option_var_tmp_nodev
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/tmp --mountoptions="nodev"
-

Rule   - Add noexec Option to /var/tmp -   [ref]

The noexec mount option can be used to prevent binaries -from being executed out of /var/tmp. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp.

Rationale:

Allowing users to execute binaries from world-writable directories -such as /var/tmp should never be necessary in normal operation and -can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82151-2

References:  - BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, 1.1.4.2, SV-230522r854063_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then
 
 function perform_remediation {
@@ -78105,7 +78048,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -78113,11 +78056,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /var/tmp  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
+        echo " /var/tmp  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
     fi
 
 
@@ -78133,6 +78076,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add noexec Option to /var/tmp +   [ref]

The noexec mount option can be used to prevent binaries +from being executed out of /var/tmp. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/tmp.

Rationale:

Allowing users to execute binaries from world-writable directories +such as /var/tmp should never be necessary in normal operation and +can expose the system to potential compromise.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82151-2

References:  + BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, 1.1.4.2, SV-230522r854063_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/tmp --mountoptions="noexec"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint'
   command: findmnt --fstab '/var/tmp'
   register: device_name
@@ -78240,19 +78195,7 @@
   - medium_severity
   - mount_option_var_tmp_noexec
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/tmp --mountoptions="noexec"
-

Rule   - Add nosuid Option to /var/tmp -   [ref]

The nosuid mount option can be used to prevent -execution of setuid programs in /var/tmp. The SUID and SGID permissions -should not be required in these world-writable directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users -should not be able to execute SUID or SGID binaries from temporary storage partitions.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82154-6

References:  - BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, 1.1.4.3, SV-230521r854062_rule

Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then
 
 function perform_remediation {
@@ -78271,7 +78214,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -78279,11 +78222,11 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " /var/tmp  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo " /var/tmp  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
     fi
 
 
@@ -78299,6 +78242,18 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Add nosuid Option to /var/tmp +   [ref]

The nosuid mount option can be used to prevent +execution of setuid programs in /var/tmp. The SUID and SGID permissions +should not be required in these world-writable directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/tmp.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from temporary storage partitions.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82154-6

References:  + BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, 1.1.4.3, SV-230521r854062_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+part /var/tmp --mountoptions="nosuid"
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint'
   command: findmnt --fstab '/var/tmp'
   register: device_name
@@ -78406,8 +78361,53 @@
   - medium_severity
   - mount_option_var_tmp_nosuid
   - no_reboot_needed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

-part /var/tmp --mountoptions="nosuid"
+
Remediation Shell script:   (show)

Reboot:false
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then
+
+function perform_remediation {
+    
+        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")"
+
+    grep "$mount_point_match_regexp" -q /etc/fstab \
+        || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
+                echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
+    
+
+
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)"
+
+    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
+        # runtime opts without some automatic kernel/userspace-added defaults
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+        [ "$previous_mount_opts" ] && previous_mount_opts+=","
+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
+        fs_type=""
+        if [  "$fs_type" == "iso9660" ] ; then
+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
+        fi
+        echo " /var/tmp  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+    fi
+
+
+    if mkdir -p "/var/tmp"; then
+        if mountpoint -q "/var/tmp"; then
+            mount -o remount --target "/var/tmp"
+        fi
+    fi
+}
+
+perform_remediation
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Restrict Programs from Dangerous Execution Patterns   Group contains 4 groups and 18 rules

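Review bot: the applicability test on the `+if (` line combines `&&` and `||` without grouping, and in shell those operators bind with equal precedence left to right, so the expression reads `(not-docker && not-container && findmnt --kernel) || findmnt --fstab`; whenever `/var/tmp` has an `/etc/fstab` entry the container checks are skipped and the script edits fstab inside a container. Group the mount test: `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null; }; then`. Inside `perform_remediation` the first `grep "$mount_point_match_regexp" -q /etc/fstab || { ...; return 1; }` already exits when `/var/tmp` is not in fstab, so the later `if ! grep -q "$mount_point_match_regexp" /etc/fstab` branch that reads options from `/etc/mtab` and appends a new fstab line is unreachable, and with `fs_type=""` the iso9660 `blocksize` rewrite inside it can never run either; either drop that branch together with the duplicate `mount_point_match_regexp` assignment, or drop the early return if appending a new entry is intended.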
[ref]   @@ -78444,21 +78444,7 @@ terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82881-4

References:  - CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010672, SV-230312r833308_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SOCKET_NAME="systemd-coredump.socket"
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-
-if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then
-    "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
-    "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Disable acquiring, saving, and processing core dumps - Collect systemd Socket
+            CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010672, SV-230312r833308_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Disable acquiring, saving, and processing core dumps - Collect systemd Socket
     Units Present in the System
   ansible.builtin.command:
     cmd: systemctl -q list-unit-files --type socket
@@ -78496,6 +78482,20 @@
   - medium_severity
   - no_reboot_needed
   - service_systemd-coredump_disabled
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SOCKET_NAME="systemd-coredump.socket"
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+
+if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then
+    "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
+    "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable core dump backtraces   [ref]

The ProcessSizeMax option in [Coredump] section @@ -78515,27 +78515,20 @@ debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82251-0

References:  - CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, 1.5.2, SV-230315r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if rpm --quiet -q systemd; then
-
-if [ -e "/etc/systemd/coredump.conf" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf"
-else
-    touch "/etc/systemd/coredump.conf"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/systemd/coredump.conf"
-
-cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
-# Insert at the end of the file
-printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf"
-# Clean up after ourselves.
-rm "/etc/systemd/coredump.conf.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, 1.5.2, SV-230315r627750_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
+        mode: 0644
+        path: /etc/systemd/coredump.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
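Review bot: the added MachineConfig writes `/etc/systemd/coredump.conf` with `overwrite: true` from a full embedded copy of the default file (the `data:` source ends in `Storage%3Dnone%0AProcessSizeMax%3D0`, i.e. `Storage=none` and `ProcessSizeMax=0`), so any site-local setting already in that file, such as an `ExternalSizeMax` or `MaxUse` value, is discarded, and the same payload sets both keys regardless of which of the two coredump rules it is attached to; a drop-in under `/etc/systemd/coredump.conf.d/` carrying only `[Coredump]` and `ProcessSizeMax=0` would avoid clobbering the file. In the removed shell script, `cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"` followed by `rm "/etc/systemd/coredump.conf.bak"` right after the append provides no rollback at all; either keep the backup or drop both lines.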
@@ -78593,40 +78586,12 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
-        mode: 0644
-        path: /etc/systemd/coredump.conf
-        overwrite: true
-

Rule   - Disable storing core dump -   [ref]

The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf -can be set to none to disable storing core dumps permanently.

Warning:  - If the /etc/systemd/coredump.conf file -does not already contain the [Coredump] section, -the value will not be configured correctly.
Rationale:

A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data -and is generally useful only for developers or system operators trying to -debug problems. Enabling core dumps on production systems is not recommended, -however there may be overriding operational requirements to enable advanced -debuging. Permitting temporary enablement of core dumps during such situations -should be reviewed through local needs and policy.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82252-8

References:  - CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, 1.5.1, SV-230314r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q systemd; then
 
 if [ -e "/etc/systemd/coredump.conf" ] ; then
     
-    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf"
+    LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf"
 else
     touch "/etc/systemd/coredump.conf"
 fi
@@ -78635,13 +78600,41 @@
 
 cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
 # Insert at the end of the file
-printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"
+printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf"
 # Clean up after ourselves.
 rm "/etc/systemd/coredump.conf.bak"
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disable storing core dump +   [ref]

The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf +can be set to none to disable storing core dumps permanently.

Warning:  + If the /etc/systemd/coredump.conf file +does not already contain the [Coredump] section, +the value will not be configured correctly.
Rationale:

A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data +and is generally useful only for developers or system operators trying to +debug problems. Enabling core dumps on production systems is not recommended, +however there may be overriding operational requirements to enable advanced +debuging. Permitting temporary enablement of core dumps during such situations +should be reviewed through local needs and policy.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82252-8

References:  + CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, 1.5.1, SV-230314r627750_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
+        mode: 0644
+        path: /etc/systemd/coredump.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
@@ -78699,7 +78692,37 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

---
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if rpm --quiet -q systemd; then
+
+if [ -e "/etc/systemd/coredump.conf" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf"
+else
+    touch "/etc/systemd/coredump.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/systemd/coredump.conf"
+
+cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"
+# Clean up after ourselves.
+rm "/etc/systemd/coredump.conf.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Rule   + Disable Core Dumps for All Users +   [ref]

To disable core dumps for all users, add the following line to +/etc/security/limits.conf, or to a file within the +/etc/security/limits.d/ directory: +

*     hard   core    0

Rationale:

A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is generally useful +only for developers trying to debug problems.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-81038-2

References:  + 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, CCI-000366, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, CM-6, SC-7(10), DE.CM-1, PR.DS-4, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010673, 1.6.1, SV-230313r627750_rule

Remediation script:   (show)

---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:
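Review bot: the `else` branch that runs `touch "/etc/systemd/coredump.conf"` creates an empty file, and the later `printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"` then appends the key with no `[Coredump]` section header above it; the rule's own Warning shown above ("If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly") describes exactly the state this branch produces. Write the header when creating the file, e.g. `printf '[Coredump]\n' > "/etc/systemd/coredump.conf"` in place of `touch`, or append `[Coredump]` before the key whenever `grep -q '^\[Coredump\]' "/etc/systemd/coredump.conf"` fails.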
@@ -78709,37 +78732,10 @@
     storage:
       files:
       - contents:
-          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
+          source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
         mode: 0644
-        path: /etc/systemd/coredump.conf
+        path: /etc/security/limits.d/75-disable_users_coredumps.conf
         overwrite: true
-

Rule   - Disable Core Dumps for All Users -   [ref]

To disable core dumps for all users, add the following line to -/etc/security/limits.conf, or to a file within the -/etc/security/limits.d/ directory: -

*     hard   core    0

Rationale:

A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is generally useful -only for developers trying to debug problems.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-81038-2

References:  - 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, CCI-000366, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, CM-6, SC-7(10), DE.CM-1, PR.DS-4, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010673, 1.6.1, SV-230313r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-SECURITY_LIMITS_FILE="/etc/security/limits.conf"
-
-if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then
-        sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE
-else
-        echo "*     hard   core    0" >> $SECURITY_LIMITS_FILE
-fi
-
-if ls /etc/security/limits.d/*.conf > /dev/null; then
-        sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
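Review bot: the `-sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/'` line only rewrites numeric values, while the `grep -qE '^\s*\*\s+hard\s+core'` guard before it also matches `*  hard  core  unlimited`; in that case the grep succeeds, the sed changes nothing, and the limit stays `unlimited` without any message. Match any non-blank value instead, `sed -ri 's/(hard\s+core\s+)\S+/\10/'` (GNU sed reads `\10` as group 1 followed by a literal 0), which also removes the stray extra space the current replacement inserts. Two smaller points: `ls /etc/security/limits.d/*.conf > /dev/null` leaves stderr open, so an empty limits.d prints `ls: cannot access ...` during remediation (add `2>/dev/null`), and because only `\*` domain lines are matched, a more specific entry such as `@wheel hard core unlimited` in either file still takes precedence over the wildcard for those users; the script should at least report such lines.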
@@ -78775,20 +78771,24 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
-        mode: 0644
-        path: /etc/security/limits.d/75-disable_users_coredumps.conf
-        overwrite: true
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q pam; then
+
+SECURITY_LIMITS_FILE="/etc/security/limits.conf"
+
+if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then
+        sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE
+else
+        echo "*     hard   core    0" >> $SECURITY_LIMITS_FILE
+fi
+
+if ls /etc/security/limits.d/*.conf > /dev/null; then
+        sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Enable ExecShield   Group contains 2 rules

[ref]   @@ -78809,68 +78809,21 @@ be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80915-2

References:  - BP28(R23), CCI-002824, CCI-000366, CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, RHEL-08-040283, SV-230547r858826_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files
-
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
-
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.kptr_restrict" matches to preserve user data
-      sed -i "s/^${escaped_entry}$/# &/g" $f
-    done <<< "$matching_list"
-  fi
-done
-
-#
-# Set sysctl config file which to save the desired value
-#
-
-SYSCONFIG_FILE="/etc/sysctl.conf"
-
-sysctl_kernel_kptr_restrict_value='1'
-
-
-#
-# Set runtime for kernel.kptr_restrict
-#
-/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
-
-#
-# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
-#
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
-else
-    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
-    fi
-    cce="CCE-80915-2"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
-    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
+            BP28(R23), CCI-002824, CCI-000366, CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, RHEL-08-040283, SV-230547r858826_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,kernel.kptr_restrict%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf
+        overwrite: true
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
     - /etc/sysctl.d/
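Review bot: the `-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf` loop has no nullglob guard, so when one of those directories holds no `.conf` file (`/usr/local/lib/sysctl.d` is usually empty) `$f` is the literal glob and the unquoted `grep -P ... $f` prints a `No such file or directory` error; add `[ -f "$f" ] || continue` at the top of the loop body and quote `"$f"`. The matched entries are then fed back into `sed -i "s/^${escaped_entry}$/# &/g"` with only `/` escaped, so an entry containing `.`, `[` or `*` is interpreted as a pattern rather than matched literally; escape the remaining sed metacharacters as well. Note too that the loop edits files under `/run/sysctl.d` and `/usr/local/lib/sysctl.d` in place while the value itself is written to `/etc/sysctl.conf`, whereas the added MachineConfig drops `kernel.kptr_restrict=1` into `/etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf`; the two remediations for one rule leave the setting in different files.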
@@ -78942,42 +78895,18 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_kptr_restrict
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.kptr_restrict%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf
-        overwrite: true
-

Rule   - Enable Randomized Layout of Virtual Address Space -   [ref]

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2

Rationale:

Address space layout randomization (ASLR) makes it more difficult for an -attacker to predict the location of attack code they have introduced into a -process's address space during an attempt at exploitation. Additionally, -ASLR makes it more difficult for an attacker to know the location of -existing code in order to re-purpose it using return oriented programming -(ROP) techniques.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80916-0

References:  - BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, 3.3.1, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, RHEL-08-010430, 1.5.3, SV-230280r858767_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.randomize_va_space" matches to preserve user data
+      # comment out "kernel.kptr_restrict" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -78989,35 +78918,37 @@
 
 SYSCONFIG_FILE="/etc/sysctl.conf"
 
+sysctl_kernel_kptr_restrict_value='1'
+
 
 #
-# Set runtime for kernel.randomize_va_space
+# Set runtime for kernel.kptr_restrict
 #
-/sbin/sysctl -q -n -w kernel.randomize_va_space="2"
+/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
 
 #
-# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
-#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
+# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
+#	else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "2"
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80916-0"
+    cce="CCE-80915-2"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
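Review bot: The rewritten comment block in the middle of this hunk (`# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value` and `# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf`) drops the concrete value that the previous wording carried, even though `sysctl_kernel_kptr_restrict_value='1'` is defined a few lines above; interpolating that variable into the generated comment would keep the script self-documenting. The `cce=` change from CCE-80916-0 to CCE-80915-2 also shows that this is the kptr_restrict rule's script moving into the position the randomize_va_space script held in the rendered guide, not an edit to the ASLR remediation.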
@@ -79025,6 +78956,30 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Enable Randomized Layout of Virtual Address Space +   [ref]

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2

Rationale:

Address space layout randomization (ASLR) makes it more difficult for an +attacker to predict the location of attack code they have introduced into a +process's address space during an attempt at exploitation. Additionally, +ASLR makes it more difficult for an attacker to know the location of +existing code in order to re-purpose it using return oriented programming +(ROP) techniques.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80916-0

References:  + BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, 3.3.1, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, RHEL-08-010430, 1.5.3, SV-230280r858767_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,kernel.randomize_va_space%3D2%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
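Review bot: The MachineConfig added here writes `kernel.randomize_va_space=2` (data URL `kernel.randomize_va_space%3D2%0A`, no spaces around `=`), while the rule text above it shows `kernel.randomize_va_space = 2` and the core_pattern MachineConfig later in this diff encodes `%20%3D%20`; sysctl accepts both forms, but the remediations for one rule should agree on a format so a reader comparing the generated file with the documented line is not misled. The copy removed further down is otherwise byte-identical, so this hunk is a reorder of the remediation sections, not a content change.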
@@ -79098,20 +79053,65 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_randomize_va_space
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.randomize_va_space%3D2%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
+
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+      # comment out "kernel.randomize_va_space" matches to preserve user data
+      sed -i "s/^${escaped_entry}$/# &/g" $f
+    done <<< "$matching_list"
+  fi
+done
+
+#
+# Set sysctl config file which to save the desired value
+#
+
+SYSCONFIG_FILE="/etc/sysctl.conf"
+
+
+#
+# Set runtime for kernel.randomize_va_space
+#
+/sbin/sysctl -q -n -w kernel.randomize_va_space="2"
+
+#
+# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
+#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
+#
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "2"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+else
+    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+    fi
+    cce="CCE-80916-0"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems @@ -79158,15 +79158,7 @@ CCE-80944-2

References:  BP28(R8), CCI-001084, CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010421, SV-230277r792884_rule

Remediation script:   (show)

[customizations.kernel]
 append = "page_poison=1"
-
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
-
-grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
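Review bot: The applicability guard in this hunk only tests `rpm --quiet -q grub2-common`, but the command it then runs is `grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv`, and grubby ships in its own package on RHEL 8; if grubby is absent the script fails part-way instead of taking the 'Remediation is not applicable' branch. Adding `rpm --quiet -q grubby` to the condition (or a `command -v grubby` check) keeps the guard consistent with what the script actually needs.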
@@ -79195,6 +79187,14 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
+
+grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable SLUB/SLAB allocator poisoning   [ref]

To enable poisoning of SLUB/SLAB objects, @@ -79213,19 +79213,7 @@ CCE-80945-9

References:  BP28(R8), CCI-001084, CM-6(a), SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068, RHEL-08-010423, SV-230279r792888_rule

Remediation script:   (show)

[customizations.kernel]
 append = "slub_debug=P"
-
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
-
-var_slub_debug_options='P'
-
-
-
-grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:low
Reboot:true
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -79260,29 +79248,37 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   - Disable the uvcvideo module -   [ref]

If the device contains a camera it should be covered or disabled when not in use.

Rationale:

Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. -Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-86960-2

References:  - CCI-000381, CM-7 (a), CM-7 (5) (b), SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155, RHEL-08-040020, SV-230493r809316_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
 
-if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then
-	
-	sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf
-else
-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf
-	echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf
-fi
+var_slub_debug_options='P'
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then
-	echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf
-fi
+
+
+grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disable the uvcvideo module +   [ref]

If the device contains a camera it should be covered or disabled when not in use.

Rationale:

Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. +Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-86960-2

References:  + CCI-000381, CM-7 (a), CM-7 (5) (b), SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155, RHEL-08-040020, SV-230493r809316_rule

Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20uvcvideo%20/bin/true%0Ablacklist%20uvcvideo%0A
+        mode: 0644
+        path: /etc/modprobe.d/uvcvideo.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'uvcvideo' is disabled
   lineinfile:
     create: true
@@ -79320,7 +79316,32 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
---
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then
+	
+	sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf
+else
+	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf
+	echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf
+fi
+
+if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then
+	echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Rule   + Disable storing core dumps +   [ref]

To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:

$ sudo sysctl -w kernel.core_pattern=|/bin/false
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false

Rationale:

A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is generally useful +only for developers trying to debug problems.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82215-5

References:  + CCI-000366, SC-7(10), FMT_SMF_EXT.1, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010671, SV-230311r858769_rule

Remediation script:   (show)

---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:
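Review bot: In the re-added uvcvideo script, the first check `grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf` runs before the file is known to exist, so on a fresh system grep prints a 'No such file or directory' error to stderr before the else branch creates the file; guarding with `[ -f /etc/modprobe.d/uvcvideo.conf ] &&` avoids the noise. The pattern is also unanchored on the right, unlike `"^blacklist uvcvideo$"` a few lines later, so it matches any line starting with `install uvcvideo`; `"^install uvcvideo\\>"` would mirror the word-boundary approach the sysctl scripts in this diff use.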
@@ -79330,76 +79351,10 @@
     storage:
       files:
       - contents:
-          source: data:,install%20uvcvideo%20/bin/true%0Ablacklist%20uvcvideo%0A
+          source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A
         mode: 0644
-        path: /etc/modprobe.d/uvcvideo.conf
+        path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf
         overwrite: true
-

Rule   - Disable storing core dumps -   [ref]

To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:

$ sudo sysctl -w kernel.core_pattern=|/bin/false
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false

Rationale:

A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is generally useful -only for developers trying to debug problems.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82215-5

References:  - CCI-000366, SC-7(10), FMT_SMF_EXT.1, 3.3.1, SRG-OS-000480-GPOS-00227, RHEL-08-010671, SV-230311r858769_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
-
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
-
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.core_pattern" matches to preserve user data
-      sed -i "s/^${escaped_entry}$/# &/g" $f
-    done <<< "$matching_list"
-  fi
-done
-
-#
-# Set sysctl config file which to save the desired value
-#
-
-SYSCONFIG_FILE="/etc/sysctl.conf"
-
-
-#
-# Set runtime for kernel.core_pattern
-#
-/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false"
-
-#
-# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false"
-#	else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf
-#
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "|/bin/false"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "${SYSCONFIG_FILE}"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
-else
-    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
-    fi
-    cce="CCE-82215-5"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
-    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
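Review bot: The rendered runtime command in this hunk, `$ sudo sysctl -w kernel.core_pattern=|/bin/false`, is not quoted, so typed as shown the shell treats `|` as a pipe and runs `sudo sysctl -w kernel.core_pattern=` with its output piped into /bin/false, which does not set the intended value; the shell remediation itself quotes it correctly (`/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false"`), so the description should show the quoted form, e.g. `sudo sysctl -w 'kernel.core_pattern=|/bin/false'`.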
@@ -79461,38 +79416,18 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_core_pattern
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf
-        overwrite: true
-

Rule   - Restrict Access to Kernel Message Buffer -   [ref]

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1

Rationale:

Unprivileged access to the kernel syslog can expose sensitive kernel -address information.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-80913-7

References:  - BP28(R23), 3.1.5, CCI-001090, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, RHEL-08-010375, SV-230269r858756_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.dmesg_restrict" matches to preserve user data
+      # comment out "kernel.core_pattern" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
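Review bot: The loop in this hunk, `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do`, has no nullglob guard, so when one of those directories holds no .conf files the literal pattern is passed as `$f` and `grep -P ... $f | uniq` reports a missing file on stderr; `$f` is also unquoted in both that grep and the later `sed -i "s/^${escaped_entry}$/# &/g" $f` (shellcheck SC2086). A `[ -f "$f" ] || continue` at the top of the loop body plus quoting `"$f"` would make the script quiet and safe against paths containing spaces.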
@@ -79506,33 +79441,33 @@
 
 
 #
-# Set runtime for kernel.dmesg_restrict
+# Set runtime for kernel.core_pattern
 #
-/sbin/sysctl -q -n -w kernel.dmesg_restrict="1"
+/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false"
 
 #
-# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
-#	else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false"
+#	else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
+printf -v formatted_output "%s = %s" "$stripped_key" "|/bin/false"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80913-7"
+    cce="CCE-82215-5"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -79540,6 +79475,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Restrict Access to Kernel Message Buffer +   [ref]

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1

Rationale:

Unprivileged access to the kernel syslog can expose sensitive kernel +address information.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-80913-7

References:  + BP28(R23), 3.1.5, CCI-001090, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, RHEL-08-010375, SV-230269r858756_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,kernel.dmesg_restrict%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
@@ -79604,39 +79559,18 @@
   - medium_disruption
   - reboot_required
   - sysctl_kernel_dmesg_restrict
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.dmesg_restrict%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
-        overwrite: true
-

Rule   - Disable Kernel Image Loading -   [ref]

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.kexec_load_disabled=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1

Rationale:

Disabling kexec_load allows greater control of the kernel memory. -It makes it impossible to load another kernel image after it has been disabled. -

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80952-5

References:  - CCI-001749, CM-6, SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153, RHEL-08-010372, SV-230266r877463_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.kexec_load_disabled" matches to preserve user data
+      # comment out "kernel.dmesg_restrict" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -79650,18 +79584,18 @@
 
 
 #
-# Set runtime for kernel.kexec_load_disabled
+# Set runtime for kernel.dmesg_restrict
 #
-/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1"
+/sbin/sysctl -q -n -w kernel.dmesg_restrict="1"
 
 #
-# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1"
-#	else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf
+# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
+#	else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s = %s" "$stripped_key" "1"
@@ -79669,14 +79603,14 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80952-5"
+    cce="CCE-80913-7"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -79684,6 +79618,27 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disable Kernel Image Loading +   [ref]

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.kexec_load_disabled=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1

Rationale:

Disabling kexec_load allows greater control of the kernel memory. +It makes it impossible to load another kernel image after it has been disabled. +

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80952-5

References:  + CCI-001749, CM-6, SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153, RHEL-08-010372, SV-230266r877463_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,kernel.kexec_load_disabled%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
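Review bot: The rationale in this hunk states that once kexec_load is disabled it is impossible to load another kernel image, which also means the runtime step `sudo sysctl -w kernel.kexec_load_disabled=1` cannot be reverted without a reboot, unlike the other sysctl rules in this diff; the description should say so next to the runtime command so an operator trying the setting first knows that applying it at runtime is itself a one-way change.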
@@ -79742,37 +79697,18 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_kexec_load_disabled
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.kexec_load_disabled%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf
-        overwrite: true
-

Rule   - Disallow kernel profiling by unprivileged users -   [ref]

To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:

$ sudo sysctl -w kernel.perf_event_paranoid=2
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_paranoid = 2

Rationale:

Kernel profiling can reveal sensitive information about kernel behaviour.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-81054-9

References:  - BP28(R23), CCI-001090, AC-6, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, RHEL-08-010376, SV-230270r858758_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.perf_event_paranoid" matches to preserve user data
+      # comment out "kernel.kexec_load_disabled" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
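Review bot: the `-`/`+` pairs in this hunk that turn `kernel.perf_event_paranoid` into `kernel.kexec_load_disabled` (the `# Comment out any occurrences ...` line, the `matching_list=$(grep -P ...)` line and the `# comment out "..." matches to preserve user data` comment) are not a change to either rule's script. The "Remediation Shell script" block has been moved from first to last among each rule's remediations, and the diff tool has aligned the kexec_load_disabled script in its new position with the perf_event_paranoid script in its old one. Regenerate the diff with `git diff --diff-algorithm=histogram` or view it with `--color-moved` to get a readable move instead of a false substitution, and verify the per-rule content against the CCE and value that appear in the next hunk.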
@@ -79786,33 +79722,33 @@
 
 
 #
-# Set runtime for kernel.perf_event_paranoid
+# Set runtime for kernel.kexec_load_disabled
 #
-/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2"
+/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1"
 
 #
-# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2"
-#	else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf
+# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1"
+#	else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_paranoid")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "2"
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_paranoid\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-81054-9"
+    cce="CCE-80952-5"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
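Review bot: the `-cce="CCE-81054-9"` / `+cce="CCE-80952-5"` pair and the `"2"` to `"1"` changes in the `/sbin/sysctl -q -n -w` and `printf -v formatted_output` lines are the same alignment effect as in the previous hunk, not a value change: CCE-80952-5 and the value 1 are exactly what the kexec_load_disabled rule's Identifiers and description lines state, and CCE-81054-9 with the value 2 reappear under the perf_event_paranoid rule that follows. The check worth doing on this publish is that each rule's CCE and target value still match its own header; the lines here show that they do.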
@@ -79820,6 +79756,25 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disallow kernel profiling by unprivileged users +   [ref]

To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:

$ sudo sysctl -w kernel.perf_event_paranoid=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_paranoid = 2

Rationale:

Kernel profiling can reveal sensitive information about kernel behaviour.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-81054-9

References:  + BP28(R23), CCI-001090, AC-6, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, RHEL-08-010376, SV-230270r858758_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,kernel.perf_event_paranoid%3D2%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
@@ -79878,38 +79833,18 @@
   - medium_disruption
   - reboot_required
   - sysctl_kernel_perf_event_paranoid
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.perf_event_paranoid%3D2%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf
-        overwrite: true
-

Rule   - Disable Access to Network bpf() Syscall From Unprivileged Processes -   [ref]

To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1

Rationale:

Loading and accessing the packet filters programs and maps using the bpf() -syscall has the potential of revealing sensitive information about the kernel state.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82974-7

References:  - BP28(R9), CCI-000366, AC-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040281, SV-230545r858822_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data
+      # comment out "kernel.perf_event_paranoid" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -79923,33 +79858,33 @@
 
 
 #
-# Set runtime for kernel.unprivileged_bpf_disabled
+# Set runtime for kernel.perf_event_paranoid
 #
-/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1"
+/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2"
 
 #
-# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1"
-#	else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf
+# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2"
+#	else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_paranoid")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
+printf -v formatted_output "%s = %s" "$stripped_key" "2"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_paranoid\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_paranoid\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-82974-7"
+    cce="CCE-81054-9"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -79957,6 +79892,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disable Access to Network bpf() Syscall From Unprivileged Processes +   [ref]

To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1

Rationale:

Loading and accessing the packet filters programs and maps using the bpf() +syscall has the potential of revealing sensitive information about the kernel state.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82974-7

References:  + BP28(R9), CCI-000366, AC-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040281, SV-230545r858822_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,kernel.unprivileged_bpf_disabled%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
@@ -80019,41 +79974,18 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_unprivileged_bpf_disabled
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.unprivileged_bpf_disabled%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf
-        overwrite: true
-

Rule   - Restrict usage of ptrace to descendant processes -   [ref]

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

$ sudo sysctl -w kernel.yama.ptrace_scope=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1

Rationale:

Unrestricted usage of ptrace allows compromised binaries to run ptrace -on another processes of the user. Like this, the attacker can steal -sensitive information from the target processes (e.g. SSH sessions, web browser, ...) -without any additional assistance from the user (i.e. without resorting to phishing). -

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80953-3

References:  - BP28(R25), CCI-000366, SC-7(10), SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040282, SV-230546r858824_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "kernel.yama.ptrace_scope" matches to preserve user data
+      # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -80067,18 +79999,18 @@
 
 
 #
-# Set runtime for kernel.yama.ptrace_scope
+# Set runtime for kernel.unprivileged_bpf_disabled
 #
-/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1"
+/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1"
 
 #
-# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1"
-#	else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf
+# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1"
+#	else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s = %s" "$stripped_key" "1"
@@ -80086,14 +80018,14 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-80953-3"
+    cce="CCE-82974-7"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -80101,6 +80033,29 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Restrict usage of ptrace to descendant processes +   [ref]

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

$ sudo sysctl -w kernel.yama.ptrace_scope=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1

Rationale:

Unrestricted usage of ptrace allows compromised binaries to run ptrace +on another processes of the user. Like this, the attacker can steal +sensitive information from the target processes (e.g. SSH sessions, web browser, ...) +without any additional assistance from the user (i.e. without resorting to phishing). +

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80953-3

References:  + BP28(R25), CCI-000366, SC-7(10), SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040282, SV-230546r858824_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,kernel.yama.ptrace_scope%3D1%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
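Review bot: the rationale text in this hunk reads "run ptrace on another processes of the user. Like this, the attacker can steal sensitive information"; suggest "run ptrace on other processes of the same user, allowing an attacker to read sensitive information from those processes (e.g. SSH sessions, web browsers) without any further action by the user" so that the published guide reads cleanly. The technical content (scope value 1 restricts ptrace to descendant processes) is stated correctly and needs no change.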
@@ -80159,39 +80114,18 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_yama_ptrace_scope
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.yama.ptrace_scope%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf
-        overwrite: true
-

Rule   - Harden the operation of the BPF just-in-time compiler -   [ref]

To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:

$ sudo sysctl -w net.core.bpf_jit_harden=2
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2

Rationale:

When hardened, the extended Berkeley Packet Filter just-in-time compiler -will randomize any kernel addresses in the BPF programs and maps, -and will not expose the JIT addresses in /proc/kallsyms.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82934-1

References:  - BP28(R12), CCI-000366, CM-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040286, SV-244554r858832_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "net.core.bpf_jit_harden" matches to preserve user data
+      # comment out "kernel.yama.ptrace_scope" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -80205,33 +80139,33 @@
 
 
 #
-# Set runtime for net.core.bpf_jit_harden
+# Set runtime for kernel.yama.ptrace_scope
 #
-/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2"
+/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1"
 
 #
-# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2"
-#	else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf
+# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1"
+#	else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "2"
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-82934-1"
+    cce="CCE-80953-3"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -80239,6 +80173,27 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Harden the operation of the BPF just-in-time compiler +   [ref]

To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:

$ sudo sysctl -w net.core.bpf_jit_harden=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2

Rationale:

When hardened, the extended Berkeley Packet Filter just-in-time compiler +will randomize any kernel addresses in the BPF programs and maps, +and will not expose the JIT addresses in /proc/kallsyms.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82934-1

References:  + BP28(R12), CCI-000366, CM-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040286, SV-244554r858832_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,net.core.bpf_jit_harden%3D2%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
@@ -80300,51 +80255,18 @@
   - medium_severity
   - reboot_required
   - sysctl_net_core_bpf_jit_harden
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.core.bpf_jit_harden%3D2%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf
-        overwrite: true
-

Rule   - Disable the use of user namespaces -   [ref]

To set the runtime status of the user.max_user_namespaces kernel parameter, -run the following command: -

$ sudo sysctl -w user.max_user_namespaces=0
- -To make sure that the setting is persistent, -add the following line to a file in the directory /etc/sysctl.d: -
user.max_user_namespaces = 0
-When containers are deployed on the machine, the value should be set -to large non-zero value.

Warning:  - This configuration baseline was created to deploy the base operating system for general purpose -workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, -it is expected that user.max_user_namespaces will be enabled.
Rationale:

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. -These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. -They increase the risk to the platform by providing additional attack vectors. -User namespaces are used primarily for Linux containers. The value 0 -disallows the use of user namespaces.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82211-4

References:  - CCI-000366, SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040284, SV-230548r858828_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files
+# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files
 
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 
-  matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
-      # comment out "user.max_user_namespaces" matches to preserve user data
+      # comment out "net.core.bpf_jit_harden" matches to preserve user data
       sed -i "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
@@ -80358,33 +80280,33 @@
 
 
 #
-# Set runtime for user.max_user_namespaces
+# Set runtime for net.core.bpf_jit_harden
 #
-/sbin/sysctl -q -n -w user.max_user_namespaces="0"
+/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2"
 
 #
-# If user.max_user_namespaces present in /etc/sysctl.conf, change value to "0"
-#	else, add "user.max_user_namespaces = 0" to /etc/sysctl.conf
+# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2"
+#	else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf
 #
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^user.max_user_namespaces")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "0"
+printf -v formatted_output "%s = %s" "$stripped_key" "2"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^user.max_user_namespaces\\>" "${SYSCONFIG_FILE}"; then
+if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "${SYSCONFIG_FILE}"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^user.max_user_namespaces\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+    LC_ALL=C sed -i --follow-symlinks "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
     if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
     fi
-    cce="CCE-82211-4"
+    cce="CCE-82934-1"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
     printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
@@ -80392,6 +80314,39 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disable the use of user namespaces +   [ref]

To set the runtime status of the user.max_user_namespaces kernel parameter, +run the following command: +

$ sudo sysctl -w user.max_user_namespaces=0
+ +To make sure that the setting is persistent, +add the following line to a file in the directory /etc/sysctl.d: +
user.max_user_namespaces = 0
+When containers are deployed on the machine, the value should be set +to large non-zero value.

Warning:  + This configuration baseline was created to deploy the base operating system for general purpose +workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, +it is expected that user.max_user_namespaces will be enabled.
Rationale:

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. +These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. +They increase the risk to the platform by providing additional attack vectors. +User namespaces are used primarily for Linux containers. The value 0 +disallows the use of user namespaces.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82211-4

References:  + CCI-000366, SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040284, SV-230548r858828_rule

Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,user.max_user_namespaces%20%3D%200%0A
+        mode: 0644
+        path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf
+        overwrite: true
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: List /etc/sysctl.d/*.conf files
   find:
     paths:
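Review bot: offering an OpenShift `MachineConfig` that writes `user.max_user_namespaces = 0` contradicts the rule's own Warning in this hunk, which says that on a host configured to run Linux containers `user.max_user_namespaces` is expected to be enabled; an OpenShift node is such a host, so this remediation type should be dropped for this rule or the warning repeated next to it. Two smaller points: the data URL here is `user.max_user_namespaces%20%3D%200%0A` (spaces around `=`) while the other rules use the form without spaces, e.g. `net.core.bpf_jit_harden%3D2%0A`; both are valid sysctl syntax, but the generator should emit one form. And "the value should be set to large non-zero value" needs "a large non-zero value".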
@@ -80453,20 +80408,65 @@
   - medium_severity
   - reboot_required
   - sysctl_user_max_user_namespaces
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,user.max_user_namespaces%20%3D%200%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf
-        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
+
+  matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+      # comment out "user.max_user_namespaces" matches to preserve user data
+      sed -i "s/^${escaped_entry}$/# &/g" $f
+    done <<< "$matching_list"
+  fi
+done
+
+#
+# Set sysctl config file which to save the desired value
+#
+
+SYSCONFIG_FILE="/etc/sysctl.conf"
+
+
+#
+# Set runtime for user.max_user_namespaces
+#
+/sbin/sysctl -q -n -w user.max_user_namespaces="0"
+
+#
+# If user.max_user_namespaces present in /etc/sysctl.conf, change value to "0"
+#	else, add "user.max_user_namespaces = 0" to /etc/sysctl.conf
+#
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^user.max_user_namespaces")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "0"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^user.max_user_namespaces\\>" "${SYSCONFIG_FILE}"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^user.max_user_namespaces\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+else
+    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+    fi
+    cce="CCE-82211-4"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   SELinux   Group contains 4 rules
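Review bot: the `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf` loop in the added Shell remediation has no guard for an unmatched glob, so on a host where one of those directories holds no `.conf` file `grep -P '...' $f` and the later `sed -i ... $f` run against the literal pattern string and print 'No such file or directory' on stderr; adding `[ -f "$f" ] || continue` as the first statement of the loop body and quoting `"$f"` in both calls fixes this. Also worth flagging for operators: the `/.dockerenv` / `/run/.containerenv` test only establishes that the script is not itself running inside a container, whereas `user.max_user_namespaces = 0` disables unprivileged user namespaces on the host, which rootless container tooling depends on; the remediation text carries no note about that, so a sentence next to `Disruption:medium` telling operators to check for rootless workloads before applying it would help.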

[ref]   @@ -80509,20 +80509,12 @@ to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82976-2

References:  - CCI-001084, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010171, SV-230241r627750_rule

Remediation script:   (show)


+            CCI-001084, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010171, SV-230241r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=policycoreutils
+
Remediation script:   (show)


 [[packages]]
 name = "policycoreutils"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "policycoreutils" ; then
-    yum install -y "policycoreutils"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_policycoreutils
 
 class install_policycoreutils {
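Review bot: the removed block from `-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` to `-fi` is re-added byte for byte as `+` lines in the following hunk (`@@ -80544,8 +80536,16 @@`), and the `-package --add=policycoreutils` line likewise reappears above the blueprint snippet, so this hunk only reorders the rule's remediation sections (Anaconda first, Shell last) and changes whitespace in the References line; no remediation content changes. The same pattern repeats for every rule in this patch, so the patch description should state that it is a reordering of remediation sections, which lets a reviewer skip comparing each removed script with its re-added copy.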
@@ -80544,8 +80536,16 @@
   - low_severity
   - no_reboot_needed
   - package_policycoreutils_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=policycoreutils
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "policycoreutils" ; then
+    yum install -y "policycoreutils"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure SELinux Policy   [ref]

The SELinux targeted policy is appropriate for @@ -80565,31 +80565,7 @@ is completed, the system should be reconfigured to targeted.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80868-3

References:  - BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, 1.2.6, SRG-OS-000445-GPOS-00199, SRG-APP-000233-CTR-000585, RHEL-08-010450, 1.6.1.3, SV-230282r854035_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-var_selinux_policy_name='targeted'
-
-
-if [ -e "/etc/selinux/config" ] ; then
-    
-    LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config"
-else
-    touch "/etc/selinux/config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/selinux/config"
-
-cp "/etc/selinux/config" "/etc/selinux/config.bak"
-# Insert at the end of the file
-printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config"
-# Clean up after ourselves.
-rm "/etc/selinux/config.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value var_selinux_policy_name # promote to variable
+            BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, 1.2.6, SRG-OS-000445-GPOS-00199, SRG-APP-000233-CTR-000585, RHEL-08-010450, 1.6.1.3, SV-230282r854035_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value var_selinux_policy_name # promote to variable
   set_fact:
     var_selinux_policy_name: !!str targeted
   tags:
@@ -80640,25 +80616,15 @@
   - reboot_required
   - restrict_strategy
   - selinux_policytype
-

Rule   - Ensure SELinux State is Enforcing -   [ref]

The SELinux state should be set to enforcing at -system boot time. In the file /etc/selinux/config, add or correct the -following line to configure the system to boot into enforcing mode: -

SELINUX=enforcing

Rationale:

Setting the SELinux state to enforcing ensures SELinux is able to confine -potentially compromised processes to the security policy, which is designed to -prevent them from causing damage to the system or further elevating their -privileges.

Severity: 
high
Identifiers and References

Identifiers:  - CCE-80869-1

References:  - BP28(R4), BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-001084, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, RHEL-08-010170, 1.6.1.5, SV-230240r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-var_selinux_state='enforcing'
+var_selinux_policy_name='targeted'
 
 
 if [ -e "/etc/selinux/config" ] ; then
     
-    LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
+    LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config"
 else
     touch "/etc/selinux/config"
 fi
@@ -80667,17 +80633,24 @@
 
 cp "/etc/selinux/config" "/etc/selinux/config.bak"
 # Insert at the end of the file
-printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config"
+printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config"
 # Clean up after ourselves.
 rm "/etc/selinux/config.bak"
 
-fixfiles onboot
-fixfiles -f relabel
-
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_selinux_state # promote to variable
+

Rule   + Ensure SELinux State is Enforcing +   [ref]

The SELinux state should be set to enforcing at +system boot time. In the file /etc/selinux/config, add or correct the +following line to configure the system to boot into enforcing mode: +

SELINUX=enforcing

Rationale:

Setting the SELinux state to enforcing ensures SELinux is able to confine +potentially compromised processes to the security policy, which is designed to +prevent them from causing damage to the system or further elevating their +privileges.

Severity: 
high
Identifiers and References

Identifiers:  + CCE-80869-1

References:  + BP28(R4), BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-001084, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, RHEL-08-010170, 1.6.1.5, SV-230240r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_selinux_state # promote to variable
   set_fact:
     var_selinux_state: !!str enforcing
   tags:
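Review bot: the paired lines `-var_selinux_state='enforcing'` / `+var_selinux_policy_name='targeted'`, `-LC_ALL=C sed -i "/^SELINUX=/Id"` / `+LC_ALL=C sed -i "/^SELINUXTYPE=/Id"` and `-printf '%s\n' "SELINUX=$var_selinux_state"` / `+printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name"` in this and the preceding hunk are the diff aligning the old location of the Enforcing-state script with the new location of the Policy-type script, not an edit to either remediation; the Enforcing script, `fixfiles` calls included, is re-added unchanged in the next hunk (`@@ -80727,6 +80700,33 @@`). Read in isolation this hunk looks as though the SELinux enforcing remediation had been changed to set `SELINUXTYPE`, which is exactly the kind of apparent regression a security reviewer would stop on, so the patch description should name the reorder explicitly.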
@@ -80727,6 +80700,33 @@
   - no_reboot_needed
   - restrict_strategy
   - selinux_state
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_selinux_state='enforcing'
+
+
+if [ -e "/etc/selinux/config" ] ; then
+    
+    LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
+else
+    touch "/etc/selinux/config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/selinux/config"
+
+cp "/etc/selinux/config" "/etc/selinux/config.bak"
+# Insert at the end of the file
+printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config"
+# Clean up after ourselves.
+rm "/etc/selinux/config.bak"
+
+fixfiles onboot
+fixfiles -f relabel
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Map System Users To The Appropriate SELinux Role   [ref]
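Review bot: the Enforcing-state script added here runs `fixfiles onboot` and then `fixfiles -f relabel`, so the filesystem is relabeled synchronously during remediation and again at the next boot; with `Reboot:true` already declared, consider keeping only `fixfiles onboot` or documenting why both are needed, since `fixfiles -f relabel` also clears `/tmp` without prompting, which the `Disruption:low` label does not convey. Also, `cp "/etc/selinux/config" "/etc/selinux/config.bak"` is immediately undone by `rm "/etc/selinux/config.bak"` with nothing reading the backup in between (the relocated SELINUXTYPE script in the previous hunks has the same pair), so either keep the backup for rollback or drop both lines.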

Configure the operating system to prevent non-privileged users from executing @@ -80782,18 +80782,8 @@ vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80948-3

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove abrt
-#	   from the system, and may remove any packages
-#	   that depend on abrt. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "abrt" ; then
-
-    yum remove -y "abrt"
-
-fi
+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=abrt
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt
 
 class remove_abrt {
@@ -80814,8 +80804,18 @@
   - medium_severity
   - no_reboot_needed
   - package_abrt_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=abrt
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove abrt
+#	   from the system, and may remove any packages
+#	   that depend on abrt. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "abrt" ; then
+
+    yum remove -y "abrt"
+
+fi
 

Rule   Disable KDump Kernel Crash Analyzer (kdump)   [ref]
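Review bot: the `yum remove -y "abrt"` in the re-added Shell remediation removes dependent packages without listing them, and the CAUTION comment above it is the only safeguard; a non-interactive pre-check such as `rpm -q --whatrequires abrt`, run and logged before the removal, would make the warning actionable rather than advisory. The same comment applies to the `vsftpd` and `krb5-server` removal scripts later in this patch, which use the identical template.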

The kdump service provides a kernel crash dump analyzer. It uses the kexec @@ -80829,30 +80829,26 @@ on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80878-2

References:  - 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000366, CCI-001665, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, FMT_SMF_EXT.1.1, SRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227, RHEL-08-010670, SV-230310r627750_rule

Remediation Anaconda snippet:   (show)


+kdump --disable
+
Remediation script:   (show)


 [customizations.services]
 disabled = ["kdump"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop 'kdump.service'
-"$SYSTEMCTL_EXEC" disable 'kdump.service'
-"$SYSTEMCTL_EXEC" mask 'kdump.service'
-# Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" -q list-unit-files kdump.socket; then
-    "$SYSTEMCTL_EXEC" stop 'kdump.socket'
-    "$SYSTEMCTL_EXEC" mask 'kdump.socket'
-fi
-# The service may not be running because it has been started and failed,
-# so let's reset the state so OVAL checks pass.
-# Service should be 'inactive', not 'failed' after reboot though.
-"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' || true
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include disable_kdump
+
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: kdump.service
+        enabled: false
+        mask: true
+      - name: kdump.socket
+        enabled: false
+        mask: true
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include disable_kdump
 
 class disable_kdump {
   service {'kdump':
@@ -80860,7 +80856,7 @@
     ensure => 'stopped',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Block Disable service kdump
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Block Disable service kdump
   block:
 
   - name: Disable service kdump
@@ -80932,22 +80928,26 @@
   - medium_severity
   - no_reboot_needed
   - service_kdump_disabled
-
Remediation Anaconda snippet:   (show)


-kdump --disable
-
Remediation script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: kdump.service
-        enabled: false
-        mask: true
-      - name: kdump.socket
-        enabled: false
-        mask: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" stop 'kdump.service'
+"$SYSTEMCTL_EXEC" disable 'kdump.service'
+"$SYSTEMCTL_EXEC" mask 'kdump.service'
+# Disable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" -q list-unit-files kdump.socket; then
+    "$SYSTEMCTL_EXEC" stop 'kdump.socket'
+    "$SYSTEMCTL_EXEC" mask 'kdump.socket'
+fi
+# The service may not be running because it has been started and failed,
+# so let's reset the state so OVAL checks pass.
+# Service should be 'inactive', not 'failed' after reboot though.
+"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' || true
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Application Whitelisting Daemon   Group contains 3 rules

[ref]   @@ -80961,20 +80961,12 @@ $ sudo yum install fapolicyd

Rationale:

fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82191-8

References:  - CCI-001764, CCI-001774, CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, RHEL-08-040135, SV-230523r854064_rule

Remediation script:   (show)


+            CCI-001764, CCI-001774, CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, RHEL-08-040135, SV-230523r854064_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=fapolicyd
+
Remediation script:   (show)


 [[packages]]
 name = "fapolicyd"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "fapolicyd" ; then
-    yum install -y "fapolicyd"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_fapolicyd
 
 class install_fapolicyd {
@@ -80998,8 +80990,16 @@
   - medium_severity
   - no_reboot_needed
   - package_fapolicyd_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=fapolicyd
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "fapolicyd" ; then
+    yum install -y "fapolicyd"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable the File Access Policy Service   [ref]

Remediation script:   (show)


 [customizations.services]
 enabled = ["fapolicyd"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service'
-"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
-"$SYSTEMCTL_EXEC" enable 'fapolicyd.service'
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_fapolicyd
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_fapolicyd
 
 class enable_fapolicyd {
   service {'fapolicyd':
@@ -81030,7 +81019,7 @@
     ensure => 'running',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service fapolicyd
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service fapolicyd
   block:
 
   - name: Gather the package facts
@@ -81057,6 +81046,17 @@
   - medium_severity
   - no_reboot_needed
   - service_fapolicyd_enabled
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service'
+"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
+"$SYSTEMCTL_EXEC" enable 'fapolicyd.service'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.   [ref]

The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running.

Rationale:

Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. @@ -81066,38 +81066,7 @@ Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86478-5

References:  - CCI-001764, CM-7 (2), CM-7 (5) (b), CM-6 b, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232, RHEL-08-040137, SV-244546r858730_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF
-# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
-deny perm=any all : all
-EOF
-
-chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules
-chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules
-
-if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf"
-else
-    touch "/etc/fapolicyd/fapolicyd.conf"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/fapolicyd/fapolicyd.conf"
-
-cp "/etc/fapolicyd/fapolicyd.conf" "/etc/fapolicyd/fapolicyd.conf.bak"
-# Insert at the end of the file
-printf '%s\n' "permissive = 0" >> "/etc/fapolicyd/fapolicyd.conf"
-# Clean up after ourselves.
-rm "/etc/fapolicyd/fapolicyd.conf.bak"
-
-systemctl restart fapolicyd
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy
+            CCI-001764, CM-7 (2), CM-7 (5) (b), CM-6 b, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232, RHEL-08-040137, SV-244546r858730_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy
     to Allow the Execution of Authorized Software Programs. - Ensure a Final Rule
     Denying Everything
   ansible.builtin.copy:
@@ -81167,6 +81136,37 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF
+# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+deny perm=any all : all
+EOF
+
+chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules
+chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules
+
+if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf"
+else
+    touch "/etc/fapolicyd/fapolicyd.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/fapolicyd/fapolicyd.conf"
+
+cp "/etc/fapolicyd/fapolicyd.conf" "/etc/fapolicyd/fapolicyd.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "permissive = 0" >> "/etc/fapolicyd/fapolicyd.conf"
+# Clean up after ourselves.
+rm "/etc/fapolicyd/fapolicyd.conf.bak"
+
+systemctl restart fapolicyd
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   FTP Server   Group contains 1 group and 1 rule
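Review bot: the re-added Shell remediation writes `deny perm=any all : all` to `99-deny-everything.rules`, forces `permissive = 0` and immediately runs `systemctl restart fapolicyd`, with no check that the rest of `/etc/fapolicyd/rules.d/` still parses and allows the executables the host needs; given the rule's own warning that improper configuration may render the system non-functional, a validation step before the restart (for example `fapolicyd-cli --check-config`, present in recent fapolicyd releases; verify it on the target release) and a note telling operators to test on a non-production host first would be prudent. Minor: `systemctl restart fapolicyd` bypasses the `SYSTEMCTL_EXEC` convention the other service remediations in this patch use, and the `cp ... fapolicyd.conf.bak` / `rm ... fapolicyd.conf.bak` pair again creates a backup that nothing reads.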

[ref]   @@ -81188,18 +81188,8 @@   [ref]

The vsftpd package can be removed with the following command:

 $ sudo yum erase vsftpd

Rationale:

Removing the vsftpd package decreases the risk of its accidental activation.

Severity: 
high
Identifiers and References

Identifiers:  CCE-82414-4

References:  - 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000197, CCI-000366, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii), PR.IP-1, PR.PT-3, SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040360, 2.2.8, SV-230558r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove vsftpd
-#	   from the system, and may remove any packages
-#	   that depend on vsftpd. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "vsftpd" ; then
-
-    yum remove -y "vsftpd"
-
-fi
+            11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000197, CCI-000366, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii), PR.IP-1, PR.PT-3, SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040360, 2.2.8, SV-230558r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=vsftpd
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_vsftpd
 
 class remove_vsftpd {
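Review bot: the vsftpd removal script moved by this hunk has no container guard: it runs `rpm -q --quiet "vsftpd"` and `yum remove -y "vsftpd"` unconditionally, whereas the krb5-server and sendmail removal scripts in this same patch wrap the identical logic in `if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then ... else >&2 echo 'Remediation is not applicable, nothing was done'; fi`. The reorder itself is content-neutral (the block re-added in the next hunk is identical to the one removed here), but because this guide is generated, the missing guard should be fixed in the rule's remediation source rather than in the rendered HTML.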
@@ -81227,8 +81217,18 @@
   - low_disruption
   - no_reboot_needed
   - package_vsftpd_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=vsftpd
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove vsftpd
+#	   from the system, and may remove any packages
+#	   that depend on vsftpd. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "vsftpd" ; then
+
+    yum remove -y "vsftpd"
+
+fi
 
Group   Kerberos   Group contains 2 rules

[ref]   @@ -81250,24 +81250,8 @@ surface of the system. While this software is clearly essential on an KDC server, it is not necessary on typical desktop or workstation systems.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85887-8

References:  - CCI-000803, IA-7, IA-7.1, SRG-OS-000120-GPOS-00061, RHEL-08-010163, SV-237640r646890_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# CAUTION: This remediation script will remove krb5-server
-#	   from the system, and may remove any packages
-#	   that depend on krb5-server. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "krb5-server" ; then
-
-    yum remove -y "krb5-server"
-
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            CCI-000803, IA-7, IA-7.1, SRG-OS-000120-GPOS-00061, RHEL-08-010163, SV-237640r646890_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=krb5-server
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_krb5-server
 
 class remove_krb5-server {
@@ -81291,8 +81275,24 @@
   - medium_severity
   - no_reboot_needed
   - package_krb5-server_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=krb5-server
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# CAUTION: This remediation script will remove krb5-server
+#	   from the system, and may remove any packages
+#	   that depend on krb5-server. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "krb5-server" ; then
+
+    yum remove -y "krb5-server"
+
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable Kerberos by removing host keytab   [ref]

Kerberos is not an approved key distribution method for @@ -81300,15 +81300,7 @@ remove the Kerberos keytab files, especially /etc/krb5.keytab.

Rationale:

The key derivation function (KDF) in Kerberos is not FIPS compatible.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82175-1

References:  - CCI-000803, 0418, 1055, 1402, FTP_ITC_EXT.1, SRG-OS-000120-GPOS-00061, RHEL-08-010161, SV-230238r646862_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-rm -f /etc/*.keytab
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Find keytab files
+            CCI-000803, 0418, 1055, 1402, FTP_ITC_EXT.1, SRG-OS-000120-GPOS-00061, RHEL-08-010161, SV-230238r646862_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Find keytab files
   find:
     paths: /etc/
     patterns: '*.keytab'
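Review bot: the shell remediation removed in this hunk uses `rm -f /etc/*.keytab`, which deletes every keytab directly under /etc, not only the /etc/krb5.keytab that the rule description names; the Ansible snippet (`find:` with `paths: /etc/` and `patterns: '*.keytab'`) has the same scope, so the two remediations agree, but operators should expect any other service keytab kept in /etc to be removed as well and should back those up first. This shell block also carries none of the Complexity/Disruption/Reboot/Strategy lines that precede the Ansible snippet, so the rendered metadata is inconsistent between the two remediations of the same rule.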
@@ -81339,6 +81331,14 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+rm -f /etc/*.keytab
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Mail Server Software   Group contains 4 groups and 5 rules

[ref]   @@ -81380,32 +81380,7 @@ Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-89063-2

References:  - CCI-000139, AU-5(a), AU-5.1(ii), SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if [ -e "/etc/aliases" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases"
-else
-    touch "/etc/aliases"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/aliases"
-
-cp "/etc/aliases" "/etc/aliases.bak"
-# Insert at the end of the file
-printf '%s\n' "postmaster: root" >> "/etc/aliases"
-# Clean up after ourselves.
-rm "/etc/aliases.bak"
-
-if [ -f /usr/bin/newaliases ]; then
-    newaliases
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Configure System to Forward All Mail From Postmaster to The Root Account
+            CCI-000139, AU-5(a), AU-5.1(ii), SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Configure System to Forward All Mail From Postmaster to The Root Account
   block:
 
   - name: Check for duplicate values
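Review bot: the `cp "/etc/aliases" "/etc/aliases.bak"` and `rm "/etc/aliases.bak"` pair in this script leaves no backup behind: the copy is taken after `sed -i "/^\s*postmaster\s*:\s*/Id"` has already rewritten the file and is deleted immediately after the `printf '%s\n' "postmaster: root" >> "/etc/aliases"` append, so it protects nothing. Either take the copy before the sed deletion and keep it, or drop both lines. Note also that the `I` (case-insensitive) flag on the sed address is a GNU sed extension; that is fine for RHEL 8 but worth stating since the snippet is rendered as a generic shell remediation. Running `newaliases` only when /usr/bin/newaliases exists is the right guard, since the MTA may not be installed when this rule is applied.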
@@ -81480,6 +81455,31 @@
   - medium_severity
   - no_reboot_needed
   - postfix_client_configure_mail_alias_postmaster
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/aliases" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases"
+else
+    touch "/etc/aliases"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/aliases"
+
+cp "/etc/aliases" "/etc/aliases.bak"
+# Insert at the end of the file
+printf '%s\n' "postmaster: root" >> "/etc/aliases"
+# Clean up after ourselves.
+rm "/etc/aliases.bak"
+
+if [ -f /usr/bin/newaliases ]; then
+    newaliases
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Configure Operating System to Protect Mail Server   Group contains 2 groups and 1 rule

[ref]   @@ -81506,19 +81506,7 @@ host as a mail relay for the purpose of sending spam or other unauthorized activity.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84054-6

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-040290, SV-230550r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then
-
-if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
-	echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
-else
-	sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-040290, SV-230550r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
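Review bot: the `echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf` append has no trailing-newline guard, unlike the postmaster-alias script earlier in this patch (`sed -i -e '$a\' "/etc/aliases"`), so on a main.cf whose last line lacks a newline the parameter would be glued onto that line instead of forming its own parameter line; add the same `$a\` fix before appending. The `sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g"` branch also overwrites any existing value unconditionally, so a site that already had a stricter restriction list loses it; acceptable for a baseline, but the rule description should say so.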
@@ -81571,6 +81559,18 @@
   - no_reboot_needed
   - postfix_prevent_unrestricted_relay
   - restrict_strategy
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then
+
+if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
+	echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
+else
+	sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   The mailx Package Is Installed   [ref]

A mail server is required for sending emails. @@ -81579,20 +81579,12 @@ $ sudo yum install mailx

Rationale:

Emails can be used to notify designated personnel about important system events such as failures or warnings.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-87036-0

References:  - CCI-001744, CM-3(5), SRG-OS-000363-GPOS-00150, RHEL-08-010358, SV-256974r902755_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=mailx
+
Remediation script:   (show)


 [[packages]]
 name = "mailx"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "mailx" ; then
-    yum install -y "mailx"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_mailx
 
 class install_mailx {
@@ -81615,8 +81607,16 @@
   - medium_severity
   - no_reboot_needed
   - package_mailx_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=mailx
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "mailx" ; then
+    yum install -y "mailx"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   The Postfix package is installed   [ref]

A mail server is required for sending emails. @@ -81625,20 +81625,12 @@ $ sudo yum install postfix

Rationale:

Emails can be used to notify designated personnel about important system events such as failures or warnings.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85983-5

References:  - SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=postfix
+
Remediation script:   (show)


 [[packages]]
 name = "postfix"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "postfix" ; then
-    yum install -y "postfix"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_postfix
 
 class install_postfix {
@@ -81660,8 +81652,16 @@
   - medium_severity
   - no_reboot_needed
   - package_postfix_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=postfix
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "postfix" ; then
+    yum install -y "postfix"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Uninstall Sendmail Package   [ref]

Sendmail is not the default mail transfer agent and is @@ -81672,24 +81672,8 @@ its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-81039-0

References:  - BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, RHEL-08-040002, SV-230489r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# CAUTION: This remediation script will remove sendmail
-#	   from the system, and may remove any packages
-#	   that depend on sendmail. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "sendmail" ; then
-
-    yum remove -y "sendmail"
-
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, RHEL-08-040002, SV-230489r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=sendmail
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_sendmail
 
 class remove_sendmail {
@@ -81714,8 +81698,24 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=sendmail
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# CAUTION: This remediation script will remove sendmail
+#	   from the system, and may remove any packages
+#	   that depend on sendmail. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "sendmail" ; then
+
+    yum remove -y "sendmail"
+
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   NFS and RPC   Group contains 2 groups and 3 rules

[ref]   @@ -81747,40 +81747,7 @@ any NFS mounts.

Rationale:

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84052-0

References:  - 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-6(a), MP-2, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010640, SV-230307r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-vfstype_points=()
-readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}')
-
-for vfstype_point in "${vfstype_points[@]}"
-do
-    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})"
-
-    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
-    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
-        # runtime opts without some automatic kernel/userspace-added defaults
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
-        [ "$previous_mount_opts" ] && previous_mount_opts+=","
-        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
-        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
-        fs_type="nfs4"
-        if [  "$fs_type" == "iso9660" ] ; then
-            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
-        fi
-        echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
-    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
-        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
-    fi
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Get nfs and nfs4 mount points, that don't have nodev
+            11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-6(a), MP-2, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010640, SV-230307r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Get nfs and nfs4 mount points, that don't have nodev
   command: findmnt --fstab --types nfs,nfs4 -O nonodev -n -P
   register: points_register
   check_mode: false
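Review bot: the `if ! grep -q "$mount_point_match_regexp" /etc/fstab` branch of this script is unreachable: `vfstype_points` is populated from /etc/fstab itself (`readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}')`), so every mount point it iterates over is by construction already in fstab and only the `elif ! grep ... | grep -q "nodev"` branch can run. The /etc/mtab lookup, the hard-coded `fs_type="nfs4"` and the iso9660 `blocksize` rewrite are therefore dead code in this rendering. None of this is introduced by the reorder, but it belongs in the upstream remediation template that the nodev, noexec and nosuid rules share in this patch, where the dead branch could be dropped or the mount-point list sourced from findmnt as the Ansible snippet does (`findmnt --fstab --types nfs,nfs4 -O nonodev -n -P`).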
@@ -81821,15 +81788,7 @@
   - medium_severity
   - mount_option_nodev_remote_filesystems
   - no_reboot_needed
-

Rule   - Mount Remote Filesystems with noexec -   [ref]

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts.

Rationale:

The noexec mount option causes the system not to execute binary files. This option must be used -for mounting any file system not containing approved binary files as they may be incompatible. Executing -files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized -administrative access.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-84050-4

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(8), AC-6(10), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010630, SV-230306r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 vfstype_points=()
@@ -81843,7 +81802,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
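Review bot: the four `noexec` to `nodev` substitutions spread over this hunk and the next (the `sed -E "s/(rw|defaults|seclabel|...)"` filter, the `echo ... >> /etc/fstab` line, the `grep -q` check and the `sed -i ... \1,...` edit) are not a change to the noexec remediation: after the reorder this script position belongs to the nodev rule, whose heading now sits above it, and the noexec rule's own copy reappears further down with `noexec` intact. It is still worth confirming that all four occurrences changed together, because a single leftover `noexec` in the fstab-edit line would make the nodev rule append the wrong option; the same one-position shift repeats for the nosuid rule later in this patch.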
@@ -81851,18 +81810,26 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
+        echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
     fi
 done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Get nfs and nfs4 mount points, that don't have noexec
+

Rule   + Mount Remote Filesystems with noexec +   [ref]

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts.

Rationale:

The noexec mount option causes the system not to execute binary files. This option must be used +for mounting any file system not containing approved binary files as they may be incompatible. Executing +files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized +administrative access.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-84050-4

References:  + 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(8), AC-6(10), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010630, SV-230306r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Get nfs and nfs4 mount points, that don't have noexec
   command: findmnt --fstab --types nfs,nfs4 -O nonoexec -n -P
   register: points_register
   check_mode: false
@@ -81907,13 +81874,7 @@
   - medium_severity
   - mount_option_noexec_remote_filesystems
   - no_reboot_needed
-

Rule   - Mount Remote Filesystems with nosuid -   [ref]

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts.

Rationale:

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables -should be installed to their default location on the local filesystem.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-84053-8

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(1), CM6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010650, SV-230308r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 vfstype_points=()
@@ -81927,7 +81888,7 @@
     if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
         # runtime opts without some automatic kernel/userspace-added defaults
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
-                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
         [ "$previous_mount_opts" ] && previous_mount_opts+=","
         # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
         # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
@@ -81935,18 +81896,24 @@
         if [  "$fs_type" == "iso9660" ] ; then
             previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
         fi
-        echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+        echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
     # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
-    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
         previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
-        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
     fi
 done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Get nfs and nfs4 mount points, that don't have nosuid
+

Rule   + Mount Remote Filesystems with nosuid +   [ref]

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts.

Rationale:

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables +should be installed to their default location on the local filesystem.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-84053-8

References:  + 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(1), CM6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010650, SV-230308r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Get nfs and nfs4 mount points, that don't have nosuid
   command: findmnt --fstab --types nfs,nfs4 -O nonosuid -n -P
   register: points_register
   check_mode: false
@@ -81989,6 +81956,39 @@
   - medium_severity
   - mount_option_nosuid_remote_filesystems
   - no_reboot_needed
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+vfstype_points=()
+readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}')
+
+for vfstype_point in "${vfstype_points[@]}"
+do
+    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})"
+
+    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
+        # runtime opts without some automatic kernel/userspace-added defaults
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
+                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+        [ "$previous_mount_opts" ] && previous_mount_opts+=","
+        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
+        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
+        fs_type="nfs4"
+        if [  "$fs_type" == "iso9660" ] ; then
+            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
+        fi
+        echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then
+        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+    fi
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Network Time Protocol   Group contains 4 rules

[ref]   @@ -82058,34 +82058,30 @@ Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82988-7

References:  - CCI-000381, AU-8(1), AU-12(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030741, SV-230485r928590_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^port")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "0"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^port\\>" "/etc/chrony.conf"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^port\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf"
-else
-    if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf"
-    fi
-    cce="CCE-82988-7"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf"
-    printf '%s\n' "$formatted_output" >> "/etc/chrony.conf"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+            CCI-000381, AU-8(1), AU-12(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030741, SV-230485r928590_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.conf
+      - contents:
+          source: data:,
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.d/.mco-keep
+      - contents:
+          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.d/ntp-server.conf
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable chrony daemon from acting as server
   block:
 
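Review bot: the MachineConfig block added in this hunk ships unexpanded template markup and so cannot be applied as published: the `source: data:,{{ ... }}` wrapper around /etc/chrony.conf is not a valid data: URL for Ignition, and the /etc/chrony.d/ntp-server.conf payload is a percent-encoded Go template (`%7B%7B.var_multiple_time_servers%7D%7D`, `%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7D`, with a "mutilines" typo in its comment) that still references `var_multiple_time_servers` and `var_time_service_set_maxpoll` by name. Either render those variables at build time or leave the `machineconfiguration.openshift.io/v1` remediation out of the RHEL 8 guide, where a MachineConfig is not an applicable remediation type in the first place.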
@@ -82126,43 +82122,12 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.conf
-      - contents:
-          source: data:,
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/.mco-keep
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/ntp-server.conf
-

Rule   - Disable network management of chrony daemon -   [ref]

The cmdport option in /etc/chrony.conf can be set to -0 to stop chrony daemon from listening on the UDP port 323 -for management connections made by chronyc.

Rationale:

Minimizing the exposure of the server functionality of the chrony -daemon diminishes the attack surface.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-82840-0

References:  - CCI-000381, CM-7(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030742, SV-230486r928593_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport")
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^port")
 
 # shellcheck disable=SC2059
 printf -v formatted_output "%s %s" "$stripped_key" "0"
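Review bot: the `-cmdport`/`+port` substitutions in this hunk and the `-CCE-82840-0`/`+CCE-82988-7` change in the next one are not edits to either script; git is aligning the unchanged "port 0" Shell block, which this publish moves from before the Ansible snippet to after it, against the "cmdport 0" block that previously occupied those lines, so a reader of the diff sees a remediation apparently switching its target directive and its CCE. If the publisher has to reorder remediation types, regenerate the diff with `git diff --diff-algorithm=patience` (or keep the remediation order stable between publishes) so that block moves show up as whole-block deletions and insertions that can actually be reviewed.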
@@ -82170,14 +82135,14 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^cmdport\\>" "/etc/chrony.conf"; then
+if LC_ALL=C grep -q -m 1 -i -e "^port\\>" "/etc/chrony.conf"; then
     escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^cmdport\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf"
+    LC_ALL=C sed -i --follow-symlinks "s/^port\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf"
 else
     if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then
         LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf"
     fi
-    cce="CCE-82840-0"
+    cce="CCE-82988-7"
     printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf"
     printf '%s\n' "$formatted_output" >> "/etc/chrony.conf"
 fi
@@ -82185,6 +82150,37 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
+

Rule   + Disable network management of chrony daemon +   [ref]

The cmdport option in /etc/chrony.conf can be set to +0 to stop chrony daemon from listening on the UDP port 323 +for management connections made by chronyc.

Rationale:

Minimizing the exposure of the server functionality of the chrony +daemon diminishes the attack surface.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-82840-0

References:  + CCI-000381, CM-7(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030742, SV-230486r928593_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.conf
+      - contents:
+          source: data:,
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.d/.mco-keep
+      - contents:
+          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.d/ntp-server.conf
 
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable network management of chrony daemon
   block:
 
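Review bot: the Shell remediation whose head appears in this hunk only rewrites `cmdport` in /etc/chrony.conf, while the MachineConfig variant directly below installs a chrony.conf that starts with `include /etc/chrony.d/*.conf`; a drop-in file in that directory is parsed after the main file and can set `cmdport` back to a non-zero value, so the check, and ideally the fix, should also cover /etc/chrony.d/*.conf. The rule description would also benefit from one sentence saying that `cmdport 0` only closes UDP port 323 and that `chronyc` keeps working locally over chronyd's Unix domain socket, which answers the obvious operator question about whether local monitoring breaks.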
@@ -82224,7 +82220,50 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^cmdport")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "0"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^cmdport\\>" "/etc/chrony.conf"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^cmdport\\>.*/$escaped_formatted_output/gi" "/etc/chrony.conf"
+else
+    if [[ -s "/etc/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony.conf" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony.conf"
+    fi
+    cce="CCE-82840-0"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/chrony.conf" >> "/etc/chrony.conf"
+    printf '%s\n' "$formatted_output" >> "/etc/chrony.conf"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Rule   + Configure Time Service Maxpoll Interval +   [ref]

The maxpoll should be configured to +16 in /etc/ntp.conf or +/etc/chrony.conf to continuously poll time servers. To configure +maxpoll in /etc/ntp.conf or /etc/chrony.conf +add the following after each `server`, `pool` or `peer` entry: +

maxpoll 16
+to
server
directives. If using chrony any
pool
directives +should be configured too. +If no server or pool directives are configured, the rule evaluates +to pass.

Rationale:

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. +Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. +Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-84059-5

References:  + 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001891, CCI-002046, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), AU-12(1), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, RHEL-08-030740, SV-230484r877038_rule

Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:
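Review bot: the maxpoll rule description added in this hunk is internally inconsistent and misstates what the setting does: it first says to add `maxpoll 16` "after each `server`, `pool` or `peer` entry", then restarts with "to server directives. If using chrony any pool directives should be configured too", and it claims the value makes the system "continuously poll time servers". `maxpoll 16` is an upper bound on the polling interval (2^16 seconds, roughly 18 hours), which keeps synchronisation well under the daily check the referenced CCI-001891 asks for; it does not make polling continuous. Suggested wording: "Add `maxpoll 16` to every server, pool and peer directive in /etc/chrony.conf (or /etc/ntp.conf where ntpd is used) so the polling interval never exceeds 2^16 seconds. If no such directives exist the rule passes." It is also worth noting that RHEL 8 does not ship the ntp package, so the /etc/ntp.conf path only matters where ntp was installed from elsewhere.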
@@ -82248,60 +82287,7 @@
         mode: 420
         overwrite: true
         path: /etc/chrony.d/ntp-server.conf
-

Rule   - Configure Time Service Maxpoll Interval -   [ref]

The maxpoll should be configured to -16 in /etc/ntp.conf or -/etc/chrony.conf to continuously poll time servers. To configure -maxpoll in /etc/ntp.conf or /etc/chrony.conf -add the following after each `server`, `pool` or `peer` entry: -

maxpoll 16
-to
server
directives. If using chrony any
pool
directives -should be configured too. -If no server or pool directives are configured, the rule evaluates -to pass.

Rationale:

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. -Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. -Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-84059-5

References:  - 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001891, CCI-002046, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), AU-12(1), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, RHEL-08-030740, SV-230484r877038_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then
-
-var_time_service_set_maxpoll='16'
-
-
-
-
-pof="/usr/sbin/pidof"
-
-
-CONFIG_FILES="/etc/ntp.conf"
-$pof ntpd || {
-    CHRONY_NAME=/etc/chrony.conf
-    CHRONY_PATH=${CHRONY_NAME%%.*}
-    CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf')
-}
-
-# get list of ntp files
-
-for config_file in $CONFIG_FILES; do
-    # Set maxpoll values to var_time_service_set_maxpoll
-    sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
-done
-
-
-
-
-for config_file in $CONFIG_FILES; do
-    # Add maxpoll to server, pool or peer entries without maxpoll
-    grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do
-        sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
-    done
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
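Review bot: the `$pof ntpd || { ... }` selector in the Shell block removed here (it is re-added unchanged further down) picks the configuration set by whether an ntpd process happens to be running at remediation time, not by which package is installed: on a host with ntp installed but stopped, /etc/ntp.conf is left untouched, every /etc/chrony*.conf file is edited instead, and the script still exits successfully. Since the guard on the first line already tests `rpm --quiet -q chrony || rpm --quiet -q ntp`, use the same package test to choose between the two config sets, or edit both when both packages are present.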
@@ -82493,30 +82479,44 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.conf
-      - contents:
-          source: data:,
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/.mco-keep
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/ntp-server.conf
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then
+
+var_time_service_set_maxpoll='16'
+
+
+
+
+pof="/usr/sbin/pidof"
+
+
+CONFIG_FILES="/etc/ntp.conf"
+$pof ntpd || {
+    CHRONY_NAME=/etc/chrony.conf
+    CHRONY_PATH=${CHRONY_NAME%%.*}
+    CONFIG_FILES=$(find ${CHRONY_PATH}.* -type f -name '*.conf')
+}
+
+# get list of ntp files
+
+for config_file in $CONFIG_FILES; do
+    # Set maxpoll values to var_time_service_set_maxpoll
+    sed -i "s/^\(\(server\|pool\|peer\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
+done
+
+
+
+
+for config_file in $CONFIG_FILES; do
+    # Add maxpoll to server, pool or peer entries without maxpoll
+    grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do
+        sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
+    done
+done
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure Chrony is only configured with the server directive   [ref]

Check that Chrony only has time sources configured with the server directive.

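Review bot: in the second loop of the Shell script added in this hunk, `sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"` uses the raw config line as both a BRE pattern and, through `&`, the replacement, so any `/`, `&`, `.` or `*` in a server line changes the meaning of the command (a `/` terminates the pattern, a `&` in the line is re-expanded), and a trailing comment that mentions "maxpoll" makes `grep -v maxpoll` skip the line entirely. A single pass that never interpolates the line is simpler and safe:
`sed -i "/^\(server\|pool\|peer\)[[:space:]]/{/[[:space:]]maxpoll[[:space:]]/!s/\$/ maxpoll $var_time_service_set_maxpoll/}" "$config_file"`
and it also removes the `grep | while read` loop that edits a file while reading from it. A smaller point on the first loop: its replacement `\1 $var_time_service_set_maxpoll \3` leaves a trailing space whenever `maxpoll N` was the last option on the line, because `\3` is then empty.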
Warning:  @@ -82557,18 +82557,8 @@ network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Severity: 
high
Identifiers and References

Identifiers:  CCE-82184-3

References:  - BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4, SRG-OS-000095-GPOS-00049, RHEL-08-040010, SV-230492r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove rsh-server
-#	   from the system, and may remove any packages
-#	   that depend on rsh-server. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "rsh-server" ; then
-
-    yum remove -y "rsh-server"
-
-fi
+            BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4, SRG-OS-000095-GPOS-00049, RHEL-08-040010, SV-230492r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=rsh-server
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_rsh-server
 
 class remove_rsh-server {
@@ -82594,8 +82584,18 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=rsh-server
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove rsh-server
+#	   from the system, and may remove any packages
+#	   that depend on rsh-server. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "rsh-server" ; then
+
+    yum remove -y "rsh-server"
+
+fi
 

Rule   Remove Host-Based Authentication Files   [ref]

The shosts.equiv file lists remote hosts and users that are trusted by the local @@ -82605,16 +82605,7 @@ as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Severity: 
high
Identifiers and References

Identifiers:  CCE-84055-3

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010460, SV-230283r627750_rule

Remediation Shell script:   (show)


-# Identify local mounts
-MOUNT_LIST=$(df --local | awk '{ print $6 }')
-
-# Find file on each listed mount point
-for cur_mount in ${MOUNT_LIST}
-do
-	find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \;
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Remove Host-Based Authentication Files - Define Excluded (Non-Local) File
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010460, SV-230283r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Remove Host-Based Authentication Files - Define Excluded (Non-Local) File
     Systems and Paths
   ansible.builtin.set_fact:
     excluded_fstypes:
@@ -82782,6 +82773,15 @@
   - no_host_based_files
   - no_reboot_needed
   - restrict_strategy
+
Remediation Shell script:   (show)


+# Identify local mounts
+MOUNT_LIST=$(df --local | awk '{ print $6 }')
+
+# Find file on each listed mount point
+for cur_mount in ${MOUNT_LIST}
+do
+	find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \;
+done
 

Rule   Remove User Host-Based Authentication Files   [ref]

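Review bot: `MOUNT_LIST=$(df --local | awk '{ print $6 }')` in the script added here also captures the word `Mounted` from df's header line, so every run executes `find Mounted -xdev ...` once and prints a "No such file or directory" error, and mount points containing spaces are split into several bogus paths. `df --local --output=target | tail -n +2` yields only the mount targets (quote `"$cur_mount"` in the loop as well), and `-delete` can replace `-exec rm -f {} \;`. Because `--local` plus `-xdev` deliberately skips network filesystems, the rule description should state that shosts.equiv files on NFS or CIFS mounts are left in place; the Ansible variant says so through its `excluded_fstypes` list, the Shell variant does not.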
The ~/.shosts (in each user's home directory) files @@ -82794,16 +82794,7 @@ require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Severity: 
high
Identifiers and References

Identifiers:  CCE-84056-1

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010470, SV-230284r627750_rule

Remediation Shell script:   (show)


-# Identify local mounts
-MOUNT_LIST=$(df --local | awk '{ print $6 }')
-
-# Find file on each listed mount point
-for cur_mount in ${MOUNT_LIST}
-do
-	find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \;
-done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Remove User Host-Based Authentication Files - Define Excluded (Non-Local)
+            CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010470, SV-230284r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Remove User Host-Based Authentication Files - Define Excluded (Non-Local)
     File Systems and Paths
   ansible.builtin.set_fact:
     excluded_fstypes:
@@ -82971,6 +82962,15 @@
   - no_reboot_needed
   - no_user_host_based_files
   - restrict_strategy
+
Remediation Shell script:   (show)


+# Identify local mounts
+MOUNT_LIST=$(df --local | awk '{ print $6 }')
+
+# Find file on each listed mount point
+for cur_mount in ${MOUNT_LIST}
+do
+	find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \;
+done
 
Group   Telnet   Group contains 1 rule

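Review bot: the `.shosts` sweep added in this hunk inherits the `df --local` header problem of the shosts.equiv script above and, more importantly for this rule, it never visits home directories on network filesystems (`df --local` drops them and `-xdev` keeps find off them), which on a site with shared homes is exactly where per-user `~/.shosts` files would sit; the Ansible variant makes the same exclusion explicit via `excluded_fstypes`. Either say in the rule description that only local filesystems are cleaned, or drive the find from the home directories listed in /etc/passwd so the check matches the rule's own wording of "in each user's home directory".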
[ref]   @@ -82995,18 +82995,8 @@ Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.

Severity: 
high
Identifiers and References

Identifiers:  CCE-82182-7

References:  - BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, 2.2.4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, 2.2.16, SV-230487r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove telnet-server
-#	   from the system, and may remove any packages
-#	   that depend on telnet-server. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "telnet-server" ; then
-
-    yum remove -y "telnet-server"
-
-fi
+            BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, 2.2.4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, 2.2.16, SV-230487r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=telnet-server
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_telnet-server
 
 class remove_telnet-server {
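Review bot: this hunk and the one that follows only move the Shell remediation for `package_telnet-server_removed` from before the Anaconda snippet to after the Puppet snippet, and the References list is deleted and re-added unchanged; no remediation content differs. Because the page is produced by an automated publish, the generator should emit the remediation snippets of every rule in one fixed order so that regenerated guides diff cleanly and a real script change is not buried among tens of thousands of moved lines.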
@@ -83032,8 +83022,18 @@
   - low_disruption
   - no_reboot_needed
   - package_telnet-server_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=telnet-server
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove telnet-server
+#	   from the system, and may remove any packages
+#	   that depend on telnet-server. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "telnet-server" ; then
+
+    yum remove -y "telnet-server"
+
+fi
 
Group   TFTP Server   Group contains 2 rules

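Review bot: the caution comment in the moved script warns only that packages depending on telnet-server may be removed, but `yum remove -y "telnet-server"` on RHEL 8 runs dnf, whose default `clean_requirements_on_remove=True` also removes packages that were installed as dependencies of telnet-server and are no longer needed by anything else. Either extend the comment to say so or use `yum remove -y --noautoremove "telnet-server"` so that only the named package and its reverse dependencies go; the same applies to the tftp-server script further down.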
[ref]   @@ -83053,18 +83053,8 @@ Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.

Severity: 
high
Identifiers and References

Identifiers:  CCE-82436-7

References:  - BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, 2.2.9, SV-230533r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-# CAUTION: This remediation script will remove tftp-server
-#	   from the system, and may remove any packages
-#	   that depend on tftp-server. Execute this
-#	   remediation AFTER testing on a non-production
-#	   system!
-
-if rpm -q --quiet "tftp-server" ; then
-
-    yum remove -y "tftp-server"
-
-fi
+            BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.2.4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, 2.2.9, SV-230533r627750_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+package --remove=tftp-server
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_tftp-server
 
 class remove_tftp-server {
@@ -83089,8 +83079,18 @@
   - low_disruption
   - no_reboot_needed
   - package_tftp-server_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

-package --remove=tftp-server
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+# CAUTION: This remediation script will remove tftp-server
+#	   from the system, and may remove any packages
+#	   that depend on tftp-server. Execute this
+#	   remediation AFTER testing on a non-production
+#	   system!
+
+if rpm -q --quiet "tftp-server" ; then
+
+    yum remove -y "tftp-server"
+
+fi
 

Rule   Ensure tftp Daemon Uses Secure Mode   [ref]

If running the Trivial File Transfer Protocol (TFTP) service is necessary, @@ -83101,22 +83101,7 @@ given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82434-2

References:  - 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(b), AC-6, CM-7(a), PR.AC-3, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040350, SV-230557r627750_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if rpm --quiet -q tftp-server; then
-
-var_tftpd_secure_directory='/var/lib/tftpboot'
-
-
-if grep -q 'server_args' /etc/xinetd.d/tftp; then
-    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp
-else
-    echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -83201,6 +83186,21 @@
   - medium_severity
   - no_reboot_needed
   - tftpd_uses_secure_mode
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q tftp-server; then
+
+var_tftpd_secure_directory='/var/lib/tftpboot'
+
+
+if grep -q 'server_args' /etc/xinetd.d/tftp; then
+    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp
+else
+    echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Hardware RNG Entropy Gatherer Daemon   Group contains 1 rule

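Review bot: the `sed -E` expression in the moved `tftpd_uses_secure_mode` script relies on `.*?` being a lazy match, but POSIX ERE as used by `sed -E` has no lazy quantifier, so group 1 greedily swallows the whole existing `server_args` value including any current `-s <dir>`, group 2 never matches, and the command appends another `-s /var/lib/tftpboot` instead of replacing the old one; every re-run appends one more, so the remediation is not idempotent. Strip existing `-s` tokens on the `server_args` line first and then append, e.g. `sed -i -E '/^[[:blank:]]*server_args[[:blank:]]*=/ { s/[[:blank:]]+-s[[:blank:]]+[[:graph:]]+//g; s/$/ -s \/var\/lib\/tftpboot/ }' /etc/xinetd.d/tftp`, and guard the `echo ... >> /etc/xinetd.d/tftp` branch with a check that `/etc/xinetd.d` exists and is actually what launches in.tftpd on this host.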
[ref]   @@ -83218,18 +83218,7 @@ CCI-000366, FCS_RBG_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010471, SV-230285r928587_rule

Remediation script:   (show)


 [customizations.services]
 enabled = ["rngd"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'rngd.service'
-"$SYSTEMCTL_EXEC" start 'rngd.service'
-"$SYSTEMCTL_EXEC" enable 'rngd.service'
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_rngd
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_rngd
 
 class enable_rngd {
   service {'rngd':
@@ -83237,7 +83226,7 @@
     ensure => 'running',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service rngd
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service rngd
   block:
 
   - name: Gather the package facts
@@ -83265,6 +83254,17 @@
   - low_severity
   - no_reboot_needed
   - service_rngd_enabled
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'rngd.service'
+"$SYSTEMCTL_EXEC" start 'rngd.service'
+"$SYSTEMCTL_EXEC" enable 'rngd.service'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   SSH Server   Group contains 2 groups and 21 rules

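Review bot: the platform guard in the moved rngd script, `printf "%s\n%s" "$real" "$expected" | sort -VC` with `expected="8.3"`, succeeds only when VERSION_ID sorts at or before 8.3, so on every later RHEL 8 minor release the script writes `Remediation is not applicable, nothing was done` to stderr and exits 0 without touching rngd.service, while the image-builder blueprint for the same rule (`enabled = ["rngd"]`) carries no such condition. State the 8.3-or-lower applicability in the rule text so the two remediations are understood to differ, and consider a distinct non-zero exit status in the `else` branch so automation that runs these scripts can tell a no-op from a successful change.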
[ref]   @@ -83319,32 +83319,7 @@ a keep alive message.

Rationale:

This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80907-9

References:  - BP28(R32), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, RHEL-08-010200, 5.2.20, SV-230244r917867_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-var_sshd_set_keepalive='1'
-
-
-if [ -e "/etc/ssh/sshd_config" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
-else
-    touch "/etc/ssh/sshd_config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert at the beginning of the file
-printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config"
-cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_sshd_set_keepalive # promote to variable
+            BP28(R32), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, RHEL-08-010200, 5.2.20, SV-230244r917867_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_sshd_set_keepalive # promote to variable
   set_fact:
     var_sshd_set_keepalive: !!str 1
   tags:
@@ -83399,6 +83374,31 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_set_keepalive
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_sshd_set_keepalive='1'
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
+else
+    touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Set SSH Client Alive Interval   [ref]

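Review bot: the moved `sshd_set_keepalive` script truncates /etc/ssh/sshd_config to the single `ClientAliveCountMax` line with `printf ... > "/etc/ssh/sshd_config"` and then appends the `.bak` copy, so for the duration of the `cat` the live config holds one directive and, should the `cat` fail, the backup is the only full copy yet is still deleted by the unconditional `rm`; the script also never validates the result and never reloads sshd, so `Reboot:false` holds only in that the running daemon keeps its old value until restarted. Assemble the new file in a temporary path, check it with `/usr/sbin/sshd -t -f "$tmp"`, install it in one step with `cat "$tmp" > /etc/ssh/sshd_config` (which keeps the existing inode, mode and SELinux label), and finish with `systemctl reload sshd` or say in the rule that a restart is required. The ClientAliveInterval, PermitEmptyPasswords, GSSAPIAuthentication and KerberosAuthentication scripts below use the same pattern and need the same fix.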
SSH allows administrators to set a network responsiveness timeout interval. @@ -83421,32 +83421,7 @@ opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80906-1

References:  - BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, RHEL-08-010201, 5.2.20, SV-244525r917886_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.5"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then
-
-sshd_idle_timeout_value='600'
-
-
-if [ -e "/etc/ssh/sshd_config" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config"
-else
-    touch "/etc/ssh/sshd_config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert at the beginning of the file
-printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config"
-cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value sshd_idle_timeout_value # promote to variable
   set_fact:
     sshd_idle_timeout_value: !!str 600
   tags:
@@ -83506,31 +83481,15 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_set_idle_timeout
-

Rule   - Disable SSH Access via Empty Passwords -   [ref]

Disallow SSH login with empty passwords. -The default SSH configuration disables logins with empty passwords. The appropriate -configuration is used if no value is set for PermitEmptyPasswords. -
-To explicitly disallow SSH login from accounts with empty passwords, -add or correct the following line in - +

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.5"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then
 
-/etc/ssh/sshd_config:
+sshd_idle_timeout_value='600'
 
-
-
PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration -should prevent users from being able to assign themselves empty passwords.

Rationale:

Configuring this setting for the SSH daemon provides additional assurance -that remote login via SSH will require a password, even in the event of -misconfiguration elsewhere.

Severity: 
high
Identifiers and References

Identifiers:  - CCE-80896-4

References:  - NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.4, 2.2.6, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, RHEL-08-020330, 5.2.9, SV-230380r858715_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
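Review bot: the ClientAliveInterval script added in this hunk is gated to VERSION_ID at or before 8.5 (`expected="8.5"` checked with `sort -VC` on real-then-expected), whereas the ClientAliveCountMax script for the preceding rule has no version gate. On RHEL 8.6 and later this remediation is therefore a no-op and only `ClientAliveCountMax 1` is written; with ClientAliveInterval left at sshd's default of 0 no client-alive probes are sent, the count limit never triggers, and the idle-session termination the rule describes is not enforced. If a separate rule covers 8.6 and later, cross-reference it in this rule's text; otherwise drop the 8.5 upper bound so both directives are set together.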
@@ -83539,7 +83498,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config"
+printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -83547,7 +83506,26 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable SSH Access via Empty Passwords
+

Rule   + Disable SSH Access via Empty Passwords +   [ref]

Disallow SSH login with empty passwords. +The default SSH configuration disables logins with empty passwords. The appropriate +configuration is used if no value is set for PermitEmptyPasswords. +
+To explicitly disallow SSH login from accounts with empty passwords, +add or correct the following line in + + +/etc/ssh/sshd_config: + +
+

PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords.

Rationale:

Configuring this setting for the SSH daemon provides additional assurance +that remote login via SSH will require a password, even in the event of +misconfiguration elsewhere.

Severity: 
high
Identifiers and References

Identifiers:  + CCE-80896-4

References:  + NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.4, 2.2.6, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, RHEL-08-020330, 5.2.9, SV-230380r858715_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable SSH Access via Empty Passwords
   block:
 
   - name: Check for duplicate values
@@ -83596,29 +83574,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_disable_empty_passwords
-

Rule   - Disable GSSAPI Authentication -   [ref]

Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like GSSAPI. -
-The default SSH configuration disallows authentications based on GSSAPI. The appropriate -configuration is used if no value is set for GSSAPIAuthentication. -
-To explicitly disable GSSAPI authentication, add or correct the following line in - - -/etc/ssh/sshd_config: - -

GSSAPIAuthentication no

Rationale:

GSSAPI authentication is used to provide additional authentication mechanisms to -applications. Allowing GSSAPI authentication through SSH exposes the system's -GSSAPI to remote hosts, increasing the attack surface of the system.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80897-2

References:  - 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010522, SV-244528r858709_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -83627,7 +83588,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config"
+printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -83635,7 +83596,24 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable GSSAPI Authentication
+

Rule   + Disable GSSAPI Authentication +   [ref]

Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like GSSAPI. +
+The default SSH configuration disallows authentications based on GSSAPI. The appropriate +configuration is used if no value is set for GSSAPIAuthentication. +
+To explicitly disable GSSAPI authentication, add or correct the following line in + + +/etc/ssh/sshd_config: + +

GSSAPIAuthentication no

Rationale:

GSSAPI authentication is used to provide additional authentication mechanisms to +applications. Allowing GSSAPI authentication through SSH exposes the system's +GSSAPI to remote hosts, increasing the attack surface of the system.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80897-2

References:  + 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010522, SV-244528r858709_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable GSSAPI Authentication
   block:
 
   - name: Check for duplicate values
@@ -83680,30 +83658,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_disable_gssapi_auth
-

Rule   - Disable Kerberos Authentication -   [ref]

Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like Kerberos. -
-The default SSH configuration disallows authentication validation through Kerberos. -The appropriate configuration is used if no value is set for KerberosAuthentication. -
-To explicitly disable Kerberos authentication, add or correct the following line in - - -/etc/ssh/sshd_config: - -

KerberosAuthentication no

Rationale:

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos -is enabled through SSH, the SSH daemon provides a means of access to the -system's Kerberos implementation. -Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80898-0

References:  - 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010521, SV-230291r858707_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -83712,7 +83672,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config"
+printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -83720,7 +83680,25 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable Kerberos Authentication
+

Rule   + Disable Kerberos Authentication +   [ref]

Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like Kerberos. +
+The default SSH configuration disallows authentication validation through Kerberos. +The appropriate configuration is used if no value is set for KerberosAuthentication. +
+To explicitly disable Kerberos authentication, add or correct the following line in + + +/etc/ssh/sshd_config: + +

KerberosAuthentication no

Rationale:

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos +is enabled through SSH, the SSH daemon provides a means of access to the +system's Kerberos implementation. +Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80898-0

References:  + 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, RHEL-08-010521, SV-230291r858707_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable Kerberos Authentication
   block:
 
   - name: Check for duplicate values
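Review bot: in the inserted rule text, the rationale's closing clause ("remote logon via SSH will not use unused methods of authentication") is circular; "unneeded methods of authentication" states the intent. Also, in the `+` References line `CCI-000366` is listed after `CCI-001814`, out of the numeric order the other CCI entries follow.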
@@ -83765,29 +83743,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_disable_kerb_auth
-

Rule   - Disable SSH Root Login -   [ref]

The root user should never be allowed to login to a -system directly over a network. -To disable root login via SSH, add or correct the following line in - - -/etc/ssh/sshd_config: - -

PermitRootLogin no

Warning:  - This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. -RHV hosts require root access to be managed by RHV Manager.
Rationale:

Even though the communications channel may be encrypted, an additional layer of -security is gained by extending the policy of not logging directly on as root. -In addition, logging in with a user-specific account provides individual -accountability of actions performed on the system and also helps to minimize -direct attack attempts on root's password.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80901-2

References:  - BP28(R19), NT007(R21), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.4, 2.2.6, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500, RHEL-08-010550, 5.2.7, SV-230296r858711_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
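Review bot: the `sed -i "/^\s*PermitRootLogin\s\+/Id"` line (and its `+` replacement) deletes every line that starts with the directive, including any inside a `Match` block, before one global directive is inserted at the top of the file; for `PermitRootLogin` that silently discards per-host or per-address exceptions an administrator placed in a `Match` section. Either document that the remediation flattens Match-scoped settings, or limit the delete to the lines before the first `Match` keyword.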
@@ -83796,7 +83757,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config"
+printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -83804,7 +83765,24 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable SSH Root Login
+

Rule   + Disable SSH Root Login +   [ref]

The root user should never be allowed to login to a +system directly over a network. +To disable root login via SSH, add or correct the following line in + + +/etc/ssh/sshd_config: + +

PermitRootLogin no

Warning:  + This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. +RHV hosts require root access to be managed by RHV Manager.
Rationale:

Even though the communications channel may be encrypted, an additional layer of +security is gained by extending the policy of not logging directly on as root. +In addition, logging in with a user-specific account provides individual +accountability of actions performed on the system and also helps to minimize +direct attack attempts on root's password.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80901-2

References:  + BP28(R19), NT007(R21), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, Req-2.2.4, 2.2.6, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500, RHEL-08-010550, 5.2.7, SV-230296r858711_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable SSH Root Login
   block:
 
   - name: Check for duplicate values
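Review bot: the inserted Warning for Disable SSH Root Login is a comma splice: "This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable." Suggest "...Hosts and Managers; it will report not applicable. RHV hosts require root access to be managed by RHV Manager."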
@@ -83856,26 +83834,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_disable_root_login
-

Rule   - Disable SSH Support for User Known Hosts -   [ref]

SSH can allow system users to connect to systems if a cache of the remote -systems public keys is available. This should be disabled. -

-To ensure this behavior is disabled, add or correct the following line in - - -/etc/ssh/sshd_config: - -

IgnoreUserKnownHosts yes

Rationale:

Configuring this setting for the SSH daemon provides additional -assurance that remote login via SSH will require a password, even -in the event of misconfiguration elsewhere.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80902-0

References:  - 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00227, RHEL-08-010520, SV-230290r858705_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -83884,7 +83848,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config"
+printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -83892,7 +83856,21 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable SSH Support for User Known Hosts
+

Rule   + Disable SSH Support for User Known Hosts +   [ref]

SSH can allow system users to connect to systems if a cache of the remote +systems public keys is available. This should be disabled. +

+To ensure this behavior is disabled, add or correct the following line in + + +/etc/ssh/sshd_config: + +

IgnoreUserKnownHosts yes

Rationale:

Configuring this setting for the SSH daemon provides additional +assurance that remote login via SSH will require a password, even +in the event of misconfiguration elsewhere.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80902-0

References:  + 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00227, RHEL-08-010520, SV-230290r858705_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable SSH Support for User Known Hosts
   block:
 
   - name: Check for duplicate values
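Review bot: the inserted rationale for Disable SSH Support for User Known Hosts says the setting gives assurance that "remote login via SSH will require a password", but the description directly above says the rule stops logins that rely on "a cache of the remote systems public keys"; the two do not match, and the setting does not change whether a password is required for key-based user logins. Suggest rewording the rationale to say the daemon will not trust a user's known_hosts cache when deciding whether to accept a host-based login, and fix the missing apostrophe ("remote systems' public keys").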
@@ -83937,6 +83915,28 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_disable_user_known_hosts
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
+else
+    touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Disable X11 Forwarding   [ref]

The X11Forwarding parameter provides the ability to tunnel X11 traffic @@ -83958,29 +83958,7 @@ other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83360-8

References:  - CCI-000366, CM-6(b), 2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-040340, 5.2.12, SV-230555r858721_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if [ -e "/etc/ssh/sshd_config" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
-else
-    touch "/etc/ssh/sshd_config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert at the beginning of the file
-printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config"
-cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable X11 Forwarding
+            CCI-000366, CM-6(b), 2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-040340, 5.2.12, SV-230555r858721_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable X11 Forwarding
   block:
 
   - name: Check for duplicate values
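Review bot: the `+` References line in this hunk carries a run of leading spaces ("+            CCI-000366, CM-6(b), 2.2.6, ...") while every other References line in the diff starts at column one; the generator should emit it without the indentation. The `-` block removing the X11Forwarding shell script is the same section move seen for the other rules, so please also check that the X11Forwarding script reappears after its Ansible snippet in the generated HTML.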
@@ -84022,27 +84000,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_disable_x11_forwarding
-

Rule   - Do Not Allow SSH Environment Options -   [ref]

Ensure that users are not able to override environment variables of the SSH daemon. -
-The default SSH configuration disables environment processing. The appropriate -configuration is used if no value is set for PermitUserEnvironment. -
-To explicitly disable Environment options, add or correct the following - - -/etc/ssh/sshd_config: - -

PermitUserEnvironment no

Rationale:

SSH environment options potentially allow users to bypass -access restriction in some configurations.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80903-8

References:  - 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00229, RHEL-08-010830, 5.2.10, SV-230330r877377_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -84051,7 +84014,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config"
+printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -84059,7 +84022,22 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Do Not Allow SSH Environment Options
+

Rule   + Do Not Allow SSH Environment Options +   [ref]

Ensure that users are not able to override environment variables of the SSH daemon. +
+The default SSH configuration disables environment processing. The appropriate +configuration is used if no value is set for PermitUserEnvironment. +
+To explicitly disable Environment options, add or correct the following + + +/etc/ssh/sshd_config: + +

PermitUserEnvironment no

Rationale:

SSH environment options potentially allow users to bypass +access restriction in some configurations.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80903-8

References:  + 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00229, RHEL-08-010830, 5.2.10, SV-230330r877377_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Do Not Allow SSH Environment Options
   block:
 
   - name: Check for duplicate values
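Review bot: the inserted description for Do Not Allow SSH Environment Options reads "add or correct the following /etc/ssh/sshd_config:", dropping the "line in" that the other rules use ("add or correct the following line in /etc/ssh/sshd_config:"); suggest aligning the wording. "Environment options" is also capitalised mid-sentence; "environment options" or the directive name `PermitUserEnvironment` would be clearer.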
@@ -84107,29 +84085,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_do_not_permit_user_env
-

Rule   - Enable Use of Strict Mode Checking -   [ref]

SSHs StrictModes option checks file and ownership permissions in -the user's home directory .ssh folder before accepting login. If world- -writable permissions are found, logon is rejected. -
-The default SSH configuration has StrictModes enabled. The appropriate -configuration is used if no value is set for StrictModes. -
-To explicitly enable StrictModes in SSH, add or correct the following line in - - -/etc/ssh/sshd_config: - -

StrictModes yes

Rationale:

If other users have access to modify user-specific SSH configuration files, they -may be able to log into the system as another user.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80904-6

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010500, SV-230288r858701_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -84138,7 +84099,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config"
+printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -84146,7 +84107,24 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Enable Use of Strict Mode Checking
+

Rule   + Enable Use of Strict Mode Checking +   [ref]

SSHs StrictModes option checks file and ownership permissions in +the user's home directory .ssh folder before accepting login. If world- +writable permissions are found, logon is rejected. +
+The default SSH configuration has StrictModes enabled. The appropriate +configuration is used if no value is set for StrictModes. +
+To explicitly enable StrictModes in SSH, add or correct the following line in + + +/etc/ssh/sshd_config: + +

StrictModes yes

Rationale:

If other users have access to modify user-specific SSH configuration files, they +may be able to log into the system as another user.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80904-6

References:  + 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010500, SV-230288r858701_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Enable Use of Strict Mode Checking
   block:
 
   - name: Check for duplicate values
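Review bot: the inserted Strict Mode text carries two typos over from the `-` side: "SSHs StrictModes option" needs the apostrophe ("SSH's"), and "If world- writable permissions" has a stray hyphen-space from a line wrap ("world-writable"). "checks file and ownership permissions" would also read better as "checks file permissions and ownership".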
@@ -84190,27 +84168,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_enable_strictmodes
-

Rule   - Enable SSH Warning Banner -   [ref]

To enable the warning banner and ensure it is consistent -across the system, add or correct the following line in - - -/etc/ssh/sshd_config: - -

Banner /etc/issue
-Another section contains information on how to create an -appropriate system-wide warning banner.

Rationale:

The warning message reinforces policy awareness during the logon process and -facilitates possible legal action against attackers. Alternatively, systems -whose ownership should not be obvious should ensure usage of a banner that does -not provide easy attribution.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-80905-3

References:  - 1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, Req-2.2.4, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010040, SV-230225r858694_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -84219,7 +84182,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config"
+printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -84227,7 +84190,22 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Enable SSH Warning Banner
+

Rule   + Enable SSH Warning Banner +   [ref]

To enable the warning banner and ensure it is consistent +across the system, add or correct the following line in + + +/etc/ssh/sshd_config: + +

Banner /etc/issue
+Another section contains information on how to create an +appropriate system-wide warning banner.

Rationale:

The warning message reinforces policy awareness during the logon process and +facilitates possible legal action against attackers. Alternatively, systems +whose ownership should not be obvious should ensure usage of a banner that does +not provide easy attribution.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-80905-3

References:  + 1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, Req-2.2.4, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010040, SV-230225r858694_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Enable SSH Warning Banner
   block:
 
   - name: Check for duplicate values
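Review bot: the inserted note under `Banner /etc/issue` ("Another section contains information on how to create an appropriate system-wide warning banner.") points nowhere; since the guide uses "[ref]" links for rules, naming or linking the rule that configures /etc/issue would let readers follow it.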
@@ -84274,27 +84252,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_enable_warning_banner
-

Rule   - Enable SSH Print Last Log -   [ref]

Ensure that SSH will display the date and time of the last successful account logon. -
-The default SSH configuration enables print of the date and time of the last login. -The appropriate configuration is used if no value is set for PrintLastLog. -
-To explicitly enable LastLog in SSH, add or correct the following line in - - -/etc/ssh/sshd_config: - -

PrintLastLog yes

Rationale:

Providing users feedback on when account accesses last occurred facilitates user -recognition and reporting of unauthorized account use.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82281-7

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000052, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, SRG-OS-000480-GPOS-00227, RHEL-08-020350, SV-230382r858717_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -84303,7 +84266,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config"
+printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -84311,7 +84274,22 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Enable SSH Print Last Log
+

Rule   + Enable SSH Print Last Log +   [ref]

Ensure that SSH will display the date and time of the last successful account logon. +
+The default SSH configuration enables print of the date and time of the last login. +The appropriate configuration is used if no value is set for PrintLastLog. +
+To explicitly enable LastLog in SSH, add or correct the following line in + + +/etc/ssh/sshd_config: + +

PrintLastLog yes

Rationale:

Providing users feedback on when account accesses last occurred facilitates user +recognition and reporting of unauthorized account use.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82281-7

References:  + 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000052, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, SRG-OS-000480-GPOS-00227, RHEL-08-020350, SV-230382r858717_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Enable SSH Print Last Log
   block:
 
   - name: Check for duplicate values
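Review bot: in the inserted Print Last Log description, "enables print of the date and time of the last login" should be "enables printing of the date and time of the last login", and "To explicitly enable LastLog in SSH" is better stated with the directive name: "To explicitly enable PrintLastLog in SSH".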
@@ -84353,33 +84331,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_print_last_log
-

Rule   - Force frequent session key renegotiation -   [ref]

The RekeyLimit parameter specifies how often -the session key of the is renegotiated, both in terms of -amount of data that may be transmitted and the time -elapsed.
-To decrease the default limits, add or correct the following line in - - -/etc/ssh/sshd_config: - -

RekeyLimit 1G 1h

Rationale:

By decreasing the limit based on the amount of data and enabling -time-based limit, effects of potential attacks against -encryption keys are limited.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82177-7

References:  - CCI-000068, FCS_SSH_EXT.1.8, SRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014, RHEL-08-040161, SV-230527r877398_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-var_rekey_limit_size='1G'
-var_rekey_limit_time='1h'
-
-
-
-
 if [ -e "/etc/ssh/sshd_config" ] ; then
     
-    LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
+    LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
 else
     touch "/etc/ssh/sshd_config"
 fi
@@ -84388,7 +84345,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config"
+printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
@@ -84396,7 +84353,22 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: XCCDF Value var_rekey_limit_size # promote to variable
+

Rule   + Force frequent session key renegotiation +   [ref]

The RekeyLimit parameter specifies how often +the session key of the is renegotiated, both in terms of +amount of data that may be transmitted and the time +elapsed.
+To decrease the default limits, add or correct the following line in + + +/etc/ssh/sshd_config: + +

RekeyLimit 1G 1h

Rationale:

By decreasing the limit based on the amount of data and enabling +time-based limit, effects of potential attacks against +encryption keys are limited.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82177-7

References:  + CCI-000068, FCS_SSH_EXT.1.8, SRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014, RHEL-08-040161, SV-230527r877398_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: XCCDF Value var_rekey_limit_size # promote to variable
   set_fact:
     var_rekey_limit_size: !!str 1G
   tags:
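Review bot: the rule description in this hunk, "how often the session key of the is renegotiated", is missing its noun after "of the", and "enabling time-based limit" in the rationale lacks an article; both defects appear identically in the removed and the added copy, so they come from the upstream rule text for sshd_rekey_limit and should be fixed at the source rather than in the rendered guide.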
@@ -84447,6 +84419,34 @@
   - medium_severity
   - no_reboot_needed
   - sshd_rekey_limit
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_rekey_limit_size='1G'
+var_rekey_limit_time='1h'
+
+
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
+else
+    touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Use Only FIPS 140-2 Validated Key Exchange Algorithms   [ref]

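Review bot: `# Insert at the beginning of the file` above `printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config"` should say why the directive is prepended rather than appended: sshd uses the first value it finds for a keyword, so deleting existing `RekeyLimit` lines and then prepending is what guarantees the new value wins over anything later in the file. Without that sentence the delete-then-prepend pattern reads as an arbitrary choice, and it is repeated in every sshd_config remediation in this file.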
Limit the key exchange algorithms to those which are FIPS-approved. @@ -84489,37 +84489,7 @@ entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82462-3

References:  - CCI-000366, FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00232, SRG-OS-000480-GPOS-00227, RHEL-08-010292, SV-230253r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if [ -e "/etc/sysconfig/sshd" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd"
-else
-    touch "/etc/sysconfig/sshd"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/sysconfig/sshd"
-
-cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak"
-# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'.
-line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at
-    # the end of the file.
-    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
-else
-    head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd"
-    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
-    tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd"
-fi
-# Clean up after ourselves.
-rm "/etc/sysconfig/sshd.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in
+            CCI-000366, FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00232, SRG-OS-000480-GPOS-00227, RHEL-08-010292, SV-230253r627750_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in
     '/etc/sysconfig/sshd'
   block:
 
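Review bot: "entropy elliminates the possibility" in the rationale context at the top of this hunk is a typo for "eliminates"; it belongs to the upstream text of the sshd_use_strong_rng rule (CCE-82462-3), so fix it there. The `-References: - CCI-000366, ...` / `+            CCI-000366, ...` pair in the same hunk differs only in leading whitespace, another indication that the renderer's output is not stable between runs.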
@@ -84560,6 +84530,36 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_use_strong_rng
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/sysconfig/sshd" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd"
+else
+    touch "/etc/sysconfig/sshd"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/sysconfig/sshd"
+
+cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak"
+# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'.
+line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+    # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at
+    # the end of the file.
+    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
+else
+    head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd"
+    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
+    tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd"
+fi
+# Clean up after ourselves.
+rm "/etc/sysconfig/sshd.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Prevent remote hosts from connecting to the proxy display   [ref]

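Review bot: `line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')"` yields several newline-separated numbers when more than one commented `SSH_USE_STRONG_RNG` line exists (for example after an earlier hand edit), and `head -n "$(( line_number - 1 ))"` then aborts with a bash arithmetic error, leaving `/etc/sysconfig/sshd` without the setting while the `.bak` copy is left behind. Use `grep -n -m1` or pipe through `head -n1` so that only the first match is used.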
The SSH daemon should prevent remote hosts from connecting to the proxy @@ -84581,29 +84581,7 @@ environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84058-7

References:  - CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040341, SV-230556r858723_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if [ -e "/etc/ssh/sshd_config" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config"
-else
-    touch "/etc/ssh/sshd_config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert at the beginning of the file
-printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config"
-cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Prevent remote hosts from connecting to the proxy display
+            CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040341, SV-230556r858723_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Prevent remote hosts from connecting to the proxy display
   block:
 
   - name: Check for duplicate values
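Review bot: the removed shell remediation rewrites `/etc/ssh/sshd_config` on every run (delete all `X11UseLocalhost` lines, `printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config"`, then `cat` the `.bak` copy back), even when the file already carries the compliant value or no setting at all, in which case sshd already defaults to `yes`. A grep for an existing compliant line before the rewrite would avoid touching the file needlessly and would also avoid the moment in which `sshd_config` consists of only the single prepended line.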
@@ -84644,6 +84622,28 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_x11_use_localhost
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config"
+else
+    touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Install the OpenSSH Server Package   [ref]

The openssh-server package should be installed. @@ -84653,20 +84653,12 @@ integrity may be compromised because unprotected communications can be intercepted and either read or altered.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83303-8

References:  - 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, RHEL-08-040159, SV-244549r916422_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=openssh-server
+
Remediation script:   (show)


 [[packages]]
 name = "openssh-server"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "openssh-server" ; then
-    yum install -y "openssh-server"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_openssh-server
 
 class install_openssh-server {
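Review bot: the heading `Remediation script:   (show)` above the `[[packages]]` / `name = "openssh-server"` block (and above `[customizations.services]` / `enabled = ["sshd"]` under "Enable the OpenSSH Service" further down) carries no remediation type, unlike the neighbouring "Anaconda snippet", "Puppet snippet" and "Ansible snippet" headings. The content is an Image Builder blueprint fragment in TOML, so the renderer's label for blueprint remediations is missing and should be restored so readers know where that fragment belongs.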
@@ -84689,8 +84681,16 @@
   - medium_severity
   - no_reboot_needed
   - package_openssh-server_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=openssh-server
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "openssh-server" ; then
+    yum install -y "openssh-server"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable the OpenSSH Service   [ref]

Remediation script:   (show)


 [customizations.services]
 enabled = ["sshd"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'sshd.service'
-"$SYSTEMCTL_EXEC" start 'sshd.service'
-"$SYSTEMCTL_EXEC" enable 'sshd.service'
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_sshd
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_sshd
 
 class enable_sshd {
   service {'sshd':
@@ -84728,7 +84717,7 @@
     ensure => 'running',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service sshd
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Enable service sshd
   block:
 
   - name: Gather the package facts
@@ -84762,6 +84751,17 @@
   - medium_severity
   - no_reboot_needed
   - service_sshd_enabled
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'sshd.service'
+"$SYSTEMCTL_EXEC" start 'sshd.service'
+"$SYSTEMCTL_EXEC" enable 'sshd.service'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Verify Permissions on SSH Server Private *_key Key Files   [ref]

SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. @@ -84769,26 +84769,7 @@ If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter.

Rationale:

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82424-3

References:  - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-010490, 5.2.2, SV-230287r880714_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-for keyfile in /etc/ssh/*_key; do
-    test -f "$keyfile" || continue
-    if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then
-    
-	chmod u-xs,g-xwrs,o-xwrt "$keyfile"
-    
-    elif test root:ssh_keys = "$(stat -c "%U:%G" "$keyfile")"; then
-	chmod u-xs,g-xws,o-xwrt "$keyfile"
-    else
-        echo "Key-like file '$keyfile' is owned by an unexpected user:group combination"
-    fi
-done
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Remediation Puppet snippet:   (show)

include ssh_private_key_perms
 
 class ssh_private_key_perms {
   exec { 'sshd_priv_key':
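Review bot: the rule description "If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter" is missing the word that makes the clause parse (owned by root but with group `ssh_keys`), and it never states the 0600-or-stricter requirement that the `root:root` branch of the script (`chmod u-xs,g-xwrs,o-xwrt`) enforces. Both cases should be spelled out in the description, since the Ansible `find ... -perm /u+xs,g+xwrs,o+xwrt` check mirrors exactly that split.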
@@ -84796,7 +84777,7 @@
     path    => '/bin:/usr/bin'
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find root:root-owned keys
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find root:root-owned keys
   ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$"
     -type f -group root -perm /u+xs,g+xwrs,o+xwrt
   register: root_owned_keys
@@ -84895,20 +84876,31 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   - Verify Permissions on SSH Server Public *.pub Key Files -   [ref]

To properly set the permissions of /etc/ssh/*.pub, run the command:

$ sudo chmod 0644 /etc/ssh/*.pub

Rationale:

If a public host key file is modified by an unauthorized user, the SSH service -may be compromised.

Severity: 
medium
Identifiers and References

Identifiers:  - CCE-82428-4

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-010480, 5.2.3, SV-230286r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt  -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
+for keyfile in /etc/ssh/*_key; do
+    test -f "$keyfile" || continue
+    if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then
+    
+	chmod u-xs,g-xwrs,o-xwrt "$keyfile"
+    
+    elif test root:ssh_keys = "$(stat -c "%U:%G" "$keyfile")"; then
+	chmod u-xs,g-xws,o-xwrt "$keyfile"
+    else
+        echo "Key-like file '$keyfile' is owned by an unexpected user:group combination"
+    fi
+done
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Puppet snippet:   (show)

include ssh_public_key_perms
+

Rule   + Verify Permissions on SSH Server Public *.pub Key Files +   [ref]

To properly set the permissions of /etc/ssh/*.pub, run the command:

$ sudo chmod 0644 /etc/ssh/*.pub

Rationale:

If a public host key file is modified by an unauthorized user, the SSH service +may be compromised.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-82428-4

References:  + 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00227, RHEL-08-010480, 5.2.3, SV-230286r627750_rule

Remediation Puppet snippet:   (show)

include ssh_public_key_perms
 
 class ssh_public_key_perms {
   exec { 'sshd_pub_key':
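Review bot: in the re-added `for keyfile in /etc/ssh/*_key` loop, the `else` branch for a key with an unexpected `user:group` only `echo`s a message to stdout and the loop continues, so the remediation finishes with exit status 0 and is reported as applied while the key keeps whatever mode it had. Given that the rationale is host impersonation through an exposed key, that branch should write to stderr (`>&2`, as the not-applicable path does) and leave a non-zero status, or simply apply the strict `chmod u-xs,g-xwrs,o-xwrt` regardless of group.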
@@ -84916,7 +84908,7 @@
     path    => '/bin:/usr/bin'
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /etc/ssh/ file(s)
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Find /etc/ssh/ file(s)
   command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt  -type f -regex "^.*\.pub$"
   register: files_found
   changed_when: false
@@ -84964,6 +84956,14 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt  -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   System Security Services Daemon   Group contains 5 rules

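Review bot: the description `$ sudo chmod 0644 /etc/ssh/*.pub` promises an exact mode, but the added shell remediation (`find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;`) and the Ansible `find` with the same `-perm` test only strip write, execute, setuid, setgid and sticky bits; a stricter mode such as 0600 is left alone and a missing read bit is never added. Either the description should say "0644 or stricter", matching what the remediation actually produces, or the remediation should set 0644 explicitly.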
[ref]   @@ -84982,52 +84982,7 @@ multifactor solutions are checked via Online Certificate Status Protocol (OCSP).

Rationale:

Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86120-3

References:  - CCI-001948, CCI-001954, IA-2(11), SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162, RHEL-08-010400, SV-230274r858741_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if rpm --quiet -q sssd-common; then
-
-var_sssd_certificate_verification_digest_function='sha1'
-
-
-# sssd configuration files must be created with 600 permissions if they don't exist
-# otherwise the sssd module fails to start
-OLD_UMASK=$(umask)
-umask u=rw,go=
-
-MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
-
-found=false
-
-# set value in all files if they contain section or key
-for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
-    if [ ! -e "$f" ]; then
-        continue
-    fi
-
-    # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
-            sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
-            found=true
-
-    # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
-            sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f"
-            found=true
-    fi
-done
-
-# if section not in any file, append section with key = value to FIRST file in files parameter
-if ! $found ; then
-    file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
-    mkdir -p "$(dirname "$file")"
-    echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file"
-fi
-
-umask $OLD_UMASK
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+            CCI-001948, CCI-001954, IA-2(11), SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162, RHEL-08-010400, SV-230274r858741_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
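Review bot: the rationale "Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system" restates the requirement instead of justifying it; it should say what the check buys, namely that a revoked smart-card certificate is refused at login instead of being accepted until it expires. The hard-coded default `var_sssd_certificate_verification_digest_function='sha1'` also deserves a sentence in the description: the value is an XCCDF variable, and readers will reasonably ask why a SHA-1 digest is the default and that a stronger one can be selected.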
@@ -85103,6 +85058,51 @@
   - medium_severity
   - no_reboot_needed
   - sssd_certificate_verification
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if rpm --quiet -q sssd-common; then
+
+var_sssd_certificate_verification_digest_function='sha1'
+
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
+
+MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+
+found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
+    if [ ! -e "$f" ]; then
+        continue
+    fi
+
+    # find key in section and change value
+    if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then
+            sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
+            found=true
+
+    # find section and add key = value to it
+    elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then
+            sed -i "/[[:space:]]*\[sssd\]/a certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" "$f"
+            found=true
+    fi
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+    file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
+    mkdir -p "$(dirname "$file")"
+    echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> "$file"
+fi
+
+umask $OLD_UMASK
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable Certmap in SSSD   [ref]

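Review bot: the added script confirms with `grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification"` that the key is present under `[sssd]`, but the subsequent `sed -i "s/certificate_verification[^(\n)]*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/"` is not restricted to that section or to uncommented lines: it rewrites every line of the file that contains `certificate_verification`, including a `# certificate_verification` comment or the same key under another section. Restrict the substitution to the section (e.g. a `/^\[sssd\]/,/^\[/` range address) and anchor it at line start with optional whitespace; the `pam_cert_auth` and `offline_credentials_expiration` scripts below share the same template and the same gap.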
SSSD should be configured to verify the certificate of the user or group. To set this up @@ -85146,89 +85146,7 @@ as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80909-5

References:  - CCI-001954, CCI-000765, CCI-000766, CCI-000767, CCI-000768, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, Req-8.3, 8.4, SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, RHEL-08-020250, SV-230372r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# sssd configuration files must be created with 600 permissions if they don't exist
-# otherwise the sssd module fails to start
-OLD_UMASK=$(umask)
-umask u=rw,go=
-
-found=false
-
-# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
-    if [ ! -e "$f" ]; then
-        continue
-    fi
-
-    # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
-            sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth = True/" "$f"
-            found=true
-
-    # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
-            sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth = True" "$f"
-            found=true
-    fi
-done
-
-# if section not in any file, append section with key = value to FIRST file in files parameter
-if ! $found ; then
-    file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
-    mkdir -p "$(dirname "$file")"
-    echo -e "[pam]\npam_cert_auth = True" >> "$file"
-fi
-
-umask $OLD_UMASK
-
-
-if [ -f /usr/bin/authselect ]; then
-    if ! authselect check; then
-    echo "
-    authselect integrity check failed. Remediation aborted!
-    This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-    It is not recommended to manually edit the PAM files when authselect tool is available.
-    In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
-    exit 1
-    fi
-    authselect enable-feature with-smartcard
-
-    authselect apply-changes -b
-else
-    if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then
-        # Line matching group + control + module was not found. Check group + module.
-        if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then
-            # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth"
-        else
-            echo 'auth    '"sufficient"'    pam_sss.so' >> "/etc/pam.d/smartcard-auth"
-        fi
-    fi
-    # Check the option
-    if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then
-        sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth"
-    fi
-    if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then
-        # Line matching group + control + module was not found. Check group + module.
-        if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
-            # The control is updated only if one single line matches.
-            sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth"
-        else
-            echo 'auth    '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'    pam_sss.so' >> "/etc/pam.d/system-auth"
-        fi
-    fi
-    # Check the option
-    if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then
-        sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth"
-    fi
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
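Review bot: in the non-authselect branch, `if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]` treats "two or more `pam_sss.so` auth lines" the same as "none": the `else` branch appends a fresh `auth    sufficient    pam_sss.so` at the end of the file, after whatever currently closes the auth stack, where its effect depends entirely on the controls before it, while the existing lines keep their old control. The `system-auth` block with the `[success=done authinfo_unavail=ignore ignore=ignore default=die]` control behaves the same way. For the multi-line case the script should print a warning to stderr and exit non-zero, as the `authselect check` failure path already does, instead of silently appending.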
@@ -85580,6 +85498,88 @@
   - medium_severity
   - no_reboot_needed
   - sssd_enable_smartcards
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
+
+found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "/etc/sssd/sssd.conf"); do
+    if [ ! -e "$f" ]; then
+        continue
+    fi
+
+    # find key in section and change value
+    if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*pam_cert_auth" "$f"; then
+            sed -i "s/pam_cert_auth[^(\n)]*/pam_cert_auth = True/" "$f"
+            found=true
+
+    # find section and add key = value to it
+    elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
+            sed -i "/[[:space:]]*\[pam\]/a pam_cert_auth = True" "$f"
+            found=true
+    fi
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+    file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+    mkdir -p "$(dirname "$file")"
+    echo -e "[pam]\npam_cert_auth = True" >> "$file"
+fi
+
+umask $OLD_UMASK
+
+
+if [ -f /usr/bin/authselect ]; then
+    if ! authselect check; then
+    echo "
+    authselect integrity check failed. Remediation aborted!
+    This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+    It is not recommended to manually edit the PAM files when authselect tool is available.
+    In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+    exit 1
+    fi
+    authselect enable-feature with-smartcard
+
+    authselect apply-changes -b
+else
+    if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*' "/etc/pam.d/smartcard-auth"; then
+        # Line matching group + control + module was not found. Check group + module.
+        if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/smartcard-auth")" -eq 1 ]; then
+            # The control is updated only if one single line matches.
+            sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"sufficient"' \2/' "/etc/pam.d/smartcard-auth"
+        else
+            echo 'auth    '"sufficient"'    pam_sss.so' >> "/etc/pam.d/smartcard-auth"
+        fi
+    fi
+    # Check the option
+    if ! grep -qP '^\s*auth\s+'"sufficient"'\s+pam_sss.so\s*.*\sallow_missing_name\b' "/etc/pam.d/smartcard-auth"; then
+        sed -i -E --follow-symlinks '/\s*auth\s+'"sufficient"'\s+pam_sss.so.*/ s/$/ allow_missing_name/' "/etc/pam.d/smartcard-auth"
+    fi
+    if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*' "/etc/pam.d/system-auth"; then
+        # Line matching group + control + module was not found. Check group + module.
+        if [ "$(grep -cP '^\s*auth\s+.*\s+pam_sss.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
+            # The control is updated only if one single line matches.
+            sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_sss.so.*)/\1'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"' \2/' "/etc/pam.d/system-auth"
+        else
+            echo 'auth    '"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'    pam_sss.so' >> "/etc/pam.d/system-auth"
+        fi
+    fi
+    # Check the option
+    if ! grep -qP '^\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so\s*.*\stry_cert_auth\b' "/etc/pam.d/system-auth"; then
+        sed -i -E --follow-symlinks '/\s*auth\s+'"\[success=done authinfo_unavail=ignore ignore=ignore default=die\]"'\s+pam_sss.so.*/ s/$/ try_cert_auth/' "/etc/pam.d/system-auth"
+    fi
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   SSSD Has a Correct Trust Anchor   [ref]

SSSD must have acceptable trust anchor present.
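Review bot: the two `sed` commands that append an option (the one after `# Check the option` that adds `allow_missing_name` for smartcard-auth, and the matching `try_cert_auth` one for system-auth) use the address `/\s*auth\s+sufficient\s+pam_sss.so.*/` with no `^` anchor, while the `grep -qP` check immediately before each of them is anchored with `^\s*`. A commented-out `#auth sufficient pam_sss.so` line therefore also matches and gets the option appended. Anchor the address the same way as the check, e.g. `sed -i -E --follow-symlinks '/^\s*auth\s+sufficient\s+pam_sss.so.*/ s/$/ allow_missing_name/'`. Separately, the fallback `echo 'auth    sufficient    pam_sss.so' >> "/etc/pam.d/smartcard-auth"` appends the module after every existing entry, so it is evaluated last among the auth lines; if the stack already ends with a terminal entry such as `auth required pam_deny.so`, the appended line is never reached, and the insert should be placed before that entry instead. The same applies to the `[success=done authinfo_unavail=ignore ignore=ignore default=die]` line appended to system-auth.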

Warning:  @@ -85620,47 +85620,7 @@

Rationale:

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82460-7

References:  - 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-002007, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166, RHEL-08-020290, SV-230376r854036_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# sssd configuration files must be created with 600 permissions if they don't exist
-# otherwise the sssd module fails to start
-OLD_UMASK=$(umask)
-umask u=rw,go=
-
-found=false
-
-# set value in all files if they contain section or key
-for f in $(echo -n "/etc/sssd/sssd.conf"); do
-    if [ ! -e "$f" ]; then
-        continue
-    fi
-
-    # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
-            sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration = 1/" "$f"
-            found=true
-
-    # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
-            sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration = 1" "$f"
-            found=true
-    fi
-done
-
-# if section not in any file, append section with key = value to FIRST file in files parameter
-if ! $found ; then
-    file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
-    mkdir -p "$(dirname "$file")"
-    echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file"
-fi
-
-umask $OLD_UMASK
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -85750,6 +85710,46 @@
   - medium_severity
   - no_reboot_needed
   - sssd_offline_cred_expiration
+
Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# sssd configuration files must be created with 600 permissions if they don't exist
+# otherwise the sssd module fails to start
+OLD_UMASK=$(umask)
+umask u=rw,go=
+
+found=false
+
+# set value in all files if they contain section or key
+for f in $(echo -n "/etc/sssd/sssd.conf"); do
+    if [ ! -e "$f" ]; then
+        continue
+    fi
+
+    # find key in section and change value
+    if grep -qzosP "[[:space:]]*\[pam\]([^\n\[]*\n+)+?[[:space:]]*offline_credentials_expiration" "$f"; then
+            sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration = 1/" "$f"
+            found=true
+
+    # find section and add key = value to it
+    elif grep -qs "[[:space:]]*\[pam\]" "$f"; then
+            sed -i "/[[:space:]]*\[pam\]/a offline_credentials_expiration = 1" "$f"
+            found=true
+    fi
+done
+
+# if section not in any file, append section with key = value to FIRST file in files parameter
+if ! $found ; then
+    file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
+    mkdir -p "$(dirname "$file")"
+    echo -e "[pam]\noffline_credentials_expiration = 1" >> "$file"
+fi
+
+umask $OLD_UMASK
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   USBGuard daemon   Group contains 4 rules
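Review bot: the in-place edit `sed -i "s/offline_credentials_expiration[^(\n)]*/offline_credentials_expiration = 1/" "$f"` is not restricted to the `[pam]` section that the preceding `grep -qzosP` located, so it rewrites every line in `/etc/sssd/sssd.conf` that contains the key, including one under a different section or a commented-out one. Limit the substitution to the section range and match the whole value, e.g. `sed -i '/^\s*\[pam\]/,/^\s*\[/ s/^\s*offline_credentials_expiration\s*=.*/offline_credentials_expiration = 1/' "$f"`. The `elif` branch has the same scoping gap: `/[[:space:]]*\[pam\]/a ...` appends after any line containing `[pam]`, comments included. This block is identical to the one removed by the previous hunk, so the reordering itself changes no behaviour.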

[ref]   @@ -85762,28 +85762,29 @@ against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82959-8

References:  - CCI-001958, 1418, CM-8(3), IA-3, SRG-OS-000378-GPOS-00163, RHEL-08-040139, SV-244547r854076_rule

Remediation script:   (show)


+            CCI-001958, 1418, CM-8(3), IA-3, SRG-OS-000378-GPOS-00163, RHEL-08-040139, SV-244547r854076_rule

Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+package --add=usbguard
+
Remediation script:   (show)


 [[packages]]
 name = "usbguard"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
-
-if ! rpm -q --quiet "usbguard" ; then
-    yum install -y "usbguard"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_usbguard
+
Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+  extensions:
+    - usbguard
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_usbguard
 
 class install_usbguard {
   package { 'usbguard':
     ensure => 'installed',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure usbguard is installed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure usbguard is installed
   package:
     name: usbguard
     state: present
@@ -85800,17 +85801,16 @@
   - medium_severity
   - no_reboot_needed
   - package_usbguard_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

-package --add=usbguard
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  extensions:
-    - usbguard
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
+
+if ! rpm -q --quiet "usbguard" ; then
+    yum install -y "usbguard"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Enable the USBGuard Service   [ref]

The USBGuard service should be enabled. @@ -85822,17 +85822,20 @@ CCI-000416, CCI-001958, 1418, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040141, SV-244548r854077_rule

Remediation script:   (show)


 [customizations.services]
 enabled = ["usbguard"]
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'usbguard.service'
-"$SYSTEMCTL_EXEC" start 'usbguard.service'
-"$SYSTEMCTL_EXEC" enable 'usbguard.service'
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+
Remediation script:   (show)

---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  annotations:
+    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: usbguard.service
+        enabled: true
 
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include enable_usbguard
 
 class enable_usbguard {
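Review bot: both remediations in this hunk start the daemon without checking that a policy is in place: the shell sequence runs `unmask`, `start`, `enable` on `usbguard.service` unconditionally, and the MachineConfig sets `usbguard.service` to `enabled: true` with a `complianceascode.io/depends-on` annotation that names only `xccdf_org.ssgproject.content_rule_package_usbguard_installed`. The Generate USBGuard Policy rule later in this diff states that USBGuard with no policy blocks every USB device, so applying this rule before that one can lock out a console keyboard. Declare a dependency on the policy rule as well, and in the shell remediation run the policy-generation step before `start`.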
@@ -85869,29 +85872,44 @@
   - medium_severity
   - no_reboot_needed
   - service_usbguard_enabled
-
Remediation script:   (show)

---
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'usbguard.service'
+"$SYSTEMCTL_EXEC" start 'usbguard.service'
+"$SYSTEMCTL_EXEC" enable 'usbguard.service'
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+

Rule   + Log USBGuard daemon audit events using Linux Audit +   [ref]

To configure USBGuard daemon to log via Linux Audit +(as opposed directly to a file), +AuditBackend option in /etc/usbguard/usbguard-daemon.conf +needs to be set to LinuxAudit.

Rationale:

Using the Linux Audit logging allows for centralized trace +of events.

Severity: 
low
Identifiers and References

Identifiers:  + CCE-82168-6

References:  + CCI-000169, CCI-000172, AU-2, CM-8(3), IA-3, FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215, SRG-APP-000141-CTR-000315, RHEL-08-030603, SV-230470r744006_rule

Remediation script:   (show)

---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 metadata:
   annotations:
     complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
+    complianceascode.io/ocp-version: '>=4.7.0'
 spec:
   config:
     ignition:
       version: 3.1.0
-    systemd:
-      units:
-      - name: usbguard.service
-        enabled: true
-

Rule   - Log USBGuard daemon audit events using Linux Audit -   [ref]

To configure USBGuard daemon to log via Linux Audit -(as opposed directly to a file), -AuditBackend option in /etc/usbguard/usbguard-daemon.conf -needs to be set to LinuxAudit.

Rationale:

Using the Linux Audit logging allows for centralized trace -of events.

Severity: 
low
Identifiers and References

Identifiers:  - CCE-82168-6

References:  - CCI-000169, CCI-000172, AU-2, CM-8(3), IA-3, FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215, SRG-APP-000141-CTR-000315, RHEL-08-030603, SV-230470r744006_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+    storage:
+      files:
+      - contents:
+          source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3Dblock%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20
%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20stat
e%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20manager%20backend%0A%23%0A%23%20Which%20device%20manager%20backend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20u
mockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20interpreted%20by%20the%20daemon%0A%23%20as%20access%20control%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20an
d%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%0A%23%0A%23%20Hides%20personally%20identifiable%20information%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }}
+        mode: 0600
+        path: /etc/usbguard/usbguard-daemon.conf
+        overwrite: true
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ) && { rpm --quiet -q usbguard; }; then
 
 if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then
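Review bot: the MachineConfig remediation for the Linux Audit logging rule replaces the whole of `/etc/usbguard/usbguard-daemon.conf` (`overwrite: true`, `mode: 0600`) with a canned file, whereas the shell remediation for the same rule (from `if [ -e "/etc/usbguard/usbguard-daemon.conf" ]` onward) only edits the existing file. The embedded content fixes every other setting too, among them `IPCAllowedUsers=root`, `IPCAllowedGroups=wheel`, `ImplicitPolicyTarget=block`, `RuleFolder=/etc/usbguard/rules.d/` and `RestoreControllerDeviceState=false`, so any site-specific IPC access control or rule-folder choice on the node is silently discarded, and the two remediations are not equivalent. Either state that side effect in the rule description or narrow the OCP remediation to the `AuditBackend` setting. Also, the `source:` value reads `data:,{{ … }}` with the percent-encoded body inside the braces; if those braces are not consumed by a templating step before the object is applied, the `data:` URL is invalid.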
@@ -85912,24 +85930,6 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation script:   (show)

---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  annotations:
-    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
-    complianceascode.io/ocp-version: '>=4.7.0'
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3Dblock%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20
%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20stat
e%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20manager%20backend%0A%23%0A%23%20Which%20device%20manager%20backend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20u
mockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20interpreted%20by%20the%20daemon%0A%23%20as%20access%20control%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20an
d%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%0A%23%0A%23%20Hides%20personally%20identifiable%20information%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }}
-        mode: 0600
-        path: /etc/usbguard/usbguard-daemon.conf
-        overwrite: true
 

Rule   Generate USBGuard Policy   [ref]

By default USBGuard when enabled prevents access to all USB devices and this lead @@ -85938,36 +85938,7 @@ devices.

Rationale:

The usbguard must be configured to allow connected USB devices to work properly, avoiding the system to become inaccessible.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83774-0

References:  - CCI-000416, CCI-001958, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040140, SV-230524r854065_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
-
-if rpm --quiet -q usbguard
-then
-    USBGUARD_CONF=/etc/usbguard/rules.conf
-    if [ ! -f "$USBGUARD_CONF" ] || [ ! -s "$USBGUARD_CONF" ]; then
-        usbguard generate-policy > $USBGUARD_CONF
-        if [ ! -s "$USBGUARD_CONF" ]; then
-            # make sure OVAL check doesn't fail on systems where
-            # generate-policy doesn't find any USB devices (for
-            # example a system might not have a USB bus)
-            echo "# No USB devices found" > $USBGUARD_CONF
-        fi
-        # make sure it has correct permissions
-        chmod 600 $USBGUARD_CONF
-
-        SYSTEMCTL_EXEC='/usr/bin/systemctl'
-        "$SYSTEMCTL_EXEC" unmask 'usbguard.service'
-        "$SYSTEMCTL_EXEC" restart 'usbguard.service'
-        "$SYSTEMCTL_EXEC" enable 'usbguard.service'
-    fi
-else
-    echo "USBGuard is not installed. No remediation was applied!"
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
+            CCI-000416, CCI-001958, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040140, SV-230524r854065_rule

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
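Review bot: this hunk at -85938 is a pure move rather than a content change: the deleted shell remediation (from `# Remediation is applicable only in certain platforms` through `>&2 echo 'Remediation is not applicable, nothing was done'`) is re-added verbatim in the next hunk at +86005, so the only visible effect is that the Ansible snippet now renders before the shell script. The same swap recurs for both X Window rules further down, which indicates the generator's remediation ordering is unstable between builds and every automated publish produces a large no-op diff; sorting remediation snippets by type in the generator would keep these diffs limited to real changes.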
@@ -86034,6 +86005,35 @@
   - medium_severity
   - no_reboot_needed
   - usbguard_generate_policy
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
+
+if rpm --quiet -q usbguard
+then
+    USBGUARD_CONF=/etc/usbguard/rules.conf
+    if [ ! -f "$USBGUARD_CONF" ] || [ ! -s "$USBGUARD_CONF" ]; then
+        usbguard generate-policy > $USBGUARD_CONF
+        if [ ! -s "$USBGUARD_CONF" ]; then
+            # make sure OVAL check doesn't fail on systems where
+            # generate-policy doesn't find any USB devices (for
+            # example a system might not have a USB bus)
+            echo "# No USB devices found" > $USBGUARD_CONF
+        fi
+        # make sure it has correct permissions
+        chmod 600 $USBGUARD_CONF
+
+        SYSTEMCTL_EXEC='/usr/bin/systemctl'
+        "$SYSTEMCTL_EXEC" unmask 'usbguard.service'
+        "$SYSTEMCTL_EXEC" restart 'usbguard.service'
+        "$SYSTEMCTL_EXEC" enable 'usbguard.service'
+    fi
+else
+    echo "USBGuard is not installed. No remediation was applied!"
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   X Window System   Group contains 1 group and 2 rules
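Review bot: in the hunk at +86005, `usbguard generate-policy > $USBGUARD_CONF` ignores the command's exit status, so a failing generate-policy is indistinguishable from a host with no USB devices: the following `[ ! -s "$USBGUARD_CONF" ]` writes `# No USB devices found` and the service is unmasked, restarted and enabled with an empty ruleset. Test the command directly (`if ! usbguard generate-policy > "$USBGUARD_CONF"; then`) and quote `$USBGUARD_CONF` on the redirect and in `chmod 600 $USBGUARD_CONF`, as the `-f`/`-s` tests already do. Note also that the generated policy allow-lists every device attached at remediation time, so the resulting rules.conf should be reviewed before it is accepted as the baseline.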

[ref]   @@ -86069,7 +86069,27 @@ X11 graphic libraries are dependency of OpenStack Cinderlib storage provider.

Rationale:

Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83411-9

References:  - CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040320, SV-230553r809324_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict

+            CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040320, SV-230553r809324_rule

Remediation Anaconda snippet:   (show)


+package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Ensure xorg packages are removed
+  package:
+    name:
+    - xorg-x11-server-Xorg
+    - xorg-x11-server-common
+    - xorg-x11-server-utils
+    - xorg-x11-server-Xwayland
+    state: absent
+  tags:
+  - CCE-83411-9
+  - DISA-STIG-RHEL-08-040320
+  - NIST-800-53-CM-6(b)
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+  - xwindows_remove_packages
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict

 
 # remove packages
 if rpm -q --quiet "xorg-x11-server-Xorg" ; then
@@ -86093,26 +86113,6 @@
     yum remove -y "xorg-x11-server-Xwayland"
 
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Ensure xorg packages are removed
-  package:
-    name:
-    - xorg-x11-server-Xorg
-    - xorg-x11-server-common
-    - xorg-x11-server-utils
-    - xorg-x11-server-Xwayland
-    state: absent
-  tags:
-  - CCE-83411-9
-  - DISA-STIG-RHEL-08-040320
-  - NIST-800-53-CM-6(b)
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
-  - xwindows_remove_packages
-
Remediation Anaconda snippet:   (show)


-package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland
 

Rule   Disable X Windows Startup By Setting Default Target   [ref]

Systems that do not require a graphical user interface should only boot by @@ -86127,15 +86127,7 @@ long history of security vulnerabilities and should not be used unless approved and documented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83380-6

References:  - 12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040321, 2.2.2, SV-251718r809378_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-systemctl set-default multi-user.target
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
Remediation Ansible snippet:   (show)

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: Switch to multi-user runlevel
   file:
     src: /usr/lib/systemd/system/multi-user.target
     dest: /etc/systemd/system/default.target
@@ -86154,6 +86146,14 @@
   - reboot_required
   - restrict_strategy
   - xwindows_runlevel_target
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+systemctl set-default multi-user.target
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their diff --git a/table-rhel8-srgmap-flat.html b/table-rhel8-srgmap-flat.html index 81bc952..7b63133 100644 --- a/table-rhel8-srgmap-flat.html +++ b/table-rhel8-srgmap-flat.html @@ -148,7 +148,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account creations. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. @@ -159,21 +159,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account creation. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account creation. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -181,14 +181,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -201,39 +201,47 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account creations. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account creation. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep -E '(/etc/passwd)' --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account creation. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -246,7 +254,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account creations. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. @@ -257,21 +265,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account creation. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account creation. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -279,14 +287,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -299,7 +307,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account creations. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. @@ -310,21 +318,23 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account creation. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/gshadow)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to automatically audit account creation. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -332,14 +342,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -405,49 +415,39 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account creations. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system automatically audits account creation. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: --w /etc/gshadow -p wa -k identity +$ sudo auditctl -l | grep/etc/sudoers.d -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account creation. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
medium @@ -510,31 +510,77 @@ TBD - Assigned by DISA after STIG release The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - CCE-86248-2: An SELinux Context must be configured for the pam_faillock.so records directory + CCE-86067-6: Lock Accounts Must Persist By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - The dir configuration option in PAM pam_faillock.so module defines where the lockout -records is stored. The configured directory must have the correct SELinux context. + This rule ensures that the system lock out accounts using pam_faillock.so persist +after system reboot. From "pam_faillock" man pages: +
Note that the default directory that "pam_faillock" uses is usually cleared on system
+boot so the access will be reenabled after system reboot. If that is undesirable, a different
+tally directory must be set with the "dir" option.
+ +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + +The chosen profile expects the directory to be . Applicable - Configurable Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. - If the system does not have SELinux enabled and enforcing a targeted policy, or if the -pam_faillock.so module is not configured for use, this requirement is not applicable. + To ensure the tally directory is configured correctly, run the following command: +
$ sudo grep 'dir =' /etc/security/faillock.conf
+The output should show that dir is set to something other than "/var/run/faillock" Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? + Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. + This rule ensures that the system lock out accounts using pam_faillock.so persist +after system reboot. From "pam_faillock" man pages: +
Note that the default directory that "pam_faillock" uses is usually cleared on system
+boot so the access will be reenabled after system reboot. If that is undesirable, a different
+tally directory must be set with the "dir" option.
-Verify the location of the non-default tally directory for the pam_faillock.so module with -the following command: +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. -$ sudo grep -w dir /etc/security/faillock.conf +The chosen profile expects the directory to be . + medium + + + + -dir = /var/log/faillock + + CCI-000044 + SRG-OS-000021-GPOS-00005 + TBD - Assigned by DISA after STIG release + The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. -Check the security context type of the non-default tally directory with the following command: + CCE-87096-4: Do Not Show System Messages When Unsuccessful Logon Attempts Occur -$ sudo ls -Zd /var/log/faillock + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + This rule ensures the system prevents informative messages from being presented to the user +pertaining to logon information after a number of incorrect login attempts using +pam_faillock.so. -unconfined_u:object_r:faillog_t:s0 /var/log/faillock Is it the case that the security context type of the non-default tally directory is not "faillog_t"? +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. 
+ Applicable - Configurable + Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. + To ensure that the system prevents messages from being shown when three unsuccessful logon +attempts occur, run the following command: +
$ grep silent /etc/security/faillock.conf
+The output should show silent. Is it the case that the system shows messages when three unsuccessful logon attempts occur? Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - The dir configuration option in PAM pam_faillock.so module defines where the lockout -records is stored. The configured directory must have the correct SELinux context. + This rule ensures the system prevents informative messages from being presented to the user +pertaining to logon information after a number of incorrect login attempts using +pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. medium 
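Review bot: in the hunk at -510, the Lock Accounts Must Persist row renders an unresolved value: `The chosen profile expects the directory to be .` appears twice with nothing after `be`, so the assessor is only told that `dir` must differ from `/var/run/faillock` without the expected path. The generator should substitute the profile's tally-directory value or omit the sentence. Separately, `$ sudo grep 'dir =' /etc/security/faillock.conf` also matches a commented-out `# dir = ...` line, which the question itself counts as a finding, and misses `dir=/path` written without spaces; `grep -E '^\s*dir\s*='` would only report active settings (the same applies to `$ grep silent /etc/security/faillock.conf` in the following row).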
@@ -585,19 +631,47 @@ TBD - Assigned by DISA after STIG release The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - CCE-86099-9: Account Lockouts Must Be Logged + CCE-80667-9: Lock Accounts After Failed Password Attempts By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - PAM faillock locks an account due to excessive password failures, this event must be logged. + This rule configures the system to lock out accounts after a number of incorrect login attempts +using pam_faillock.so. +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +deny = <count> +Where count should be less than or equal to + and greater than 0. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. Applicable - Configurable Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. - Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: + Verify Red Hat Enterprise Linux 8 is configured to lock an account after +unsuccessful logon attempts with the command: -$ sudo grep audit /etc/security/faillock.conf -audit Is it the case that the "audit" option is not set, is missing or commented out? +
$ grep 'deny =' /etc/security/faillock.conf
+deny = . Is it the case that the "deny" option is not set to "" +or less (but not "0"), is missing or commented out? Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - PAM faillock locks an account due to excessive password failures, this event must be logged. + This rule configures the system to lock out accounts after a number of incorrect login attempts +using pam_faillock.so. +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +deny = <count> +Where count should be less than or equal to + and greater than 0. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. medium 
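Review bot: in the hunk at -585 the Lock Accounts After Failed Password Attempts row has the same kind of unresolved substitution: `deny = .`, `not set to "" or less (but not "0")` and `less than or equal to` followed by a blank value leave the permitted count empty, even though the SRG text in the same row fixes it at three consecutive attempts; substitute the profile's deny value so the check and fix text state a number. `$ grep 'deny =' /etc/security/faillock.conf` would also match a commented-out `# deny = ...` line and miss `deny=3`; anchor the pattern with `^\s*deny\s*=`.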
@@ -662,6 +736,33 @@ + + CCI-000044 + SRG-OS-000021-GPOS-00005 + TBD - Assigned by DISA after STIG release + The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. + + CCE-86916-4: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. + + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth. + Applicable - Configurable + Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. + Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: + +$ sudo grep pam_faillock.so /etc/pam.d/system-auth + +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.so Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so? + Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. + The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth. + medium + + + + + CCI-000044 SRG-OS-000021-GPOS-00005 
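Review bot: the check added in this hunk for CCE-86916-4 asks whether the `preauth` line is "listed before pam_unix.so", but the command it gives, `grep pam_faillock.so /etc/pam.d/system-auth`, cannot show that ordering because it filters pam_unix.so out of the output. Either drop the ordering clause from the question or have the command print both modules with line numbers, for example `grep -nE 'pam_(faillock|unix)\.so' /etc/pam.d/system-auth`, so the assessor can see that the `preauth` entry precedes `pam_unix.so` in the `auth` stack. The earlier hunk already warns that these files should be managed with authselect or authconfig; it would be worth repeating that caveat in this rule's text, since a hand-edited `/etc/pam.d/system-auth` is overwritten the next time the authselect profile is applied.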
@@ -713,77 +814,21 @@ TBD - Assigned by DISA after STIG release The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - CCE-87096-4: Do Not Show System Messages When Unsuccessful Logon Attempts Occur + CCE-86931-3: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - This rule ensures the system prevents informative messages from being presented to the user -pertaining to logon information after a number of incorrect login attempts using -pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. + The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth. Applicable - Configurable Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. - To ensure that the system prevents messages from being shown when three unsuccessful logon -attempts occur, run the following command: -
$ grep silent /etc/security/faillock.conf
-The output should show silent. Is it the case that the system shows messages when three unsuccessful logon attempts occur? - Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - This rule ensures the system prevents informative messages from being presented to the user -pertaining to logon information after a number of incorrect login attempts using -pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - medium - - - - - - - CCI-000044 - SRG-OS-000021-GPOS-00005 - TBD - Assigned by DISA after STIG release - The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - - CCE-86067-6: Lock Accounts Must Persist - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - This rule ensures that the system lock out accounts using pam_faillock.so persist -after system reboot. From "pam_faillock" man pages: -
Note that the default directory that "pam_faillock" uses is usually cleared on system
-boot so the access will be reenabled after system reboot. If that is undesirable, a different
-tally directory must be set with the "dir" option.
+ Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. +$ sudo grep pam_faillock.so /etc/pam.d/password-auth -The chosen profile expects the directory to be . - Applicable - Configurable - Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. - To ensure the tally directory is configured correctly, run the following command: -
$ sudo grep 'dir =' /etc/security/faillock.conf
-The output should show that dir is set to something other than "/var/run/faillock" Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? +auth required pam_faillock.so preauth +auth required pam_faillock.so authfail +account required pam_faillock.so Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so? Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - This rule ensures that the system lock out accounts using pam_faillock.so persist -after system reboot. From "pam_faillock" man pages: -
Note that the default directory that "pam_faillock" uses is usually cleared on system
-boot so the access will be reenabled after system reboot. If that is undesirable, a different
-tally directory must be set with the "dir" option.
- -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - -The chosen profile expects the directory to be . + The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth. medium 
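Review bot: this hunk deletes two complete rules, CCE-87096-4 (silent) and CCE-86067-6 (tally directory persistence), and adds only CCE-86931-3 in their place; none of the other visible hunks re-add the two removed rules, so please confirm they are relocated elsewhere in the file and not dropped from the SRG mapping, given that the surrounding hunks are otherwise pure reorderings. Two smaller points in the removed text worth carrying into wherever the rules land: `The chosen profile expects the directory to be .` has the same empty-substitution problem as the `deny` rule, and the check `grep silent /etc/security/faillock.conf` would also match a commented `# silent` line, so it cannot on its own answer the question "does the system show messages".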
@@ -796,47 +841,19 @@ TBD - Assigned by DISA after STIG release The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - CCE-80667-9: Lock Accounts After Failed Password Attempts + CCE-86099-9: Account Lockouts Must Be Logged By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - This rule configures the system to lock out accounts after a number of incorrect login attempts -using pam_faillock.so. -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. - -Ensure that the file /etc/security/faillock.conf contains the following entry: -deny = <count> -Where count should be less than or equal to - and greater than 0. - - -In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. + PAM faillock locks an account due to excessive password failures, this event must be logged. Applicable - Configurable Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 is configured to lock an account after -unsuccessful logon attempts with the command: + Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: +$ sudo grep audit /etc/security/faillock.conf -
$ grep 'deny =' /etc/security/faillock.conf
-deny = . Is it the case that the "deny" option is not set to "" -or less (but not "0"), is missing or commented out? +audit Is it the case that the "audit" option is not set, is missing or commented out? Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - This rule configures the system to lock out accounts after a number of incorrect login attempts -using pam_faillock.so. -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. - -Ensure that the file /etc/security/faillock.conf contains the following entry: -deny = <count> -Where count should be less than or equal to - and greater than 0. - - -In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. + PAM faillock locks an account due to excessive password failures, this event must be logged. medium 
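Review bot: the CCE-86099-9 check added in this hunk, `grep audit /etc/security/faillock.conf`, does not distinguish an active `audit` line from a commented-out `# audit` line or from any other line containing the substring "audit", yet the question asks whether the option "is missing or commented out". Use an anchored match, for example `grep -E '^\s*audit\b' /etc/security/faillock.conf`, so that a commented default does not produce a false pass. The description line "PAM faillock locks an account due to excessive password failures, this event must be logged." is a comma splice; "When PAM faillock locks an account ..., the event must be logged" reads better.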
@@ -849,48 +866,31 @@ TBD - Assigned by DISA after STIG release The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - CCE-86916-4: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. + CCE-86248-2: An SELinux Context must be configured for the pam_faillock.so records directory By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth. + The dir configuration option in PAM pam_faillock.so module defines where the lockout +records is stored. The configured directory must have the correct SELinux context. Applicable - Configurable Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. - Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: - -$ sudo grep pam_faillock.so /etc/pam.d/system-auth + If the system does not have SELinux enabled and enforcing a targeted policy, or if the +pam_faillock.so module is not configured for use, this requirement is not applicable. -auth required pam_faillock.so preauth -auth required pam_faillock.so authfail -account required pam_faillock.so Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so? - Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth. 
- medium - - - - +Verify the location of the non-default tally directory for the pam_faillock.so module with +the following command: - - CCI-000044 - SRG-OS-000021-GPOS-00005 - TBD - Assigned by DISA after STIG release - The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. +$ sudo grep -w dir /etc/security/faillock.conf - CCE-86931-3: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. +dir = /var/log/faillock - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. - The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth. - Applicable - Configurable - Verify that the operating system enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If it does not, this is a finding. - Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: +Check the security context type of the non-default tally directory with the following command: -$ sudo grep pam_faillock.so /etc/pam.d/password-auth +$ sudo ls -Zd /var/log/faillock -auth required pam_faillock.so preauth -auth required pam_faillock.so authfail -account required pam_faillock.so Is it the case that the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so? +unconfined_u:object_r:faillog_t:s0 /var/log/faillock Is it the case that the security context type of the non-default tally directory is not "faillog_t"? Configure the operating system to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. - The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth. 
+ The dir configuration option in PAM pam_faillock.so module defines where the lockout +records is stored. The configured directory must have the correct SELinux context. medium @@ -1482,45 +1482,6 @@ - - CCI-000056 - SRG-OS-000028-GPOS-00009 - TBD - Assigned by DISA after STIG release - The operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures. - - CCE-80644-8: Install the tmux Package - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -Regardless of where the session lock is determined and implemented, once invoked, the session lock shall remain in place until the user re-authenticates. No other activity aside from re-authentication shall unlock the system. - To enable console screen locking, install the tmux package. -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. -The session lock is implemented at the point where session activity can be determined. -Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -Instruct users to begin new terminal sessions with the following command: -
$ tmux
-The console can now be locked with the following key combination: -
ctrl+b :lock-session
- Applicable - Configurable - Verify the operating system retains a user's session lock until that user reestablishes access using established identification and authentication procedures. If it does not, this is a finding. - Run the following command to determine if the tmux package is installed:
$ rpm -q tmux
Is it the case that the package is not installed? - Configure the operating system to retain a user's session lock until that user reestablishes access using established identification and authentication procedures. - To enable console screen locking, install the tmux package. -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. -The session lock is implemented at the point where session activity can be determined. -Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -Instruct users to begin new terminal sessions with the following command: -
$ tmux
-The console can now be locked with the following key combination: -
ctrl+b :lock-session
- medium - - - - - CCI-000056 SRG-OS-000028-GPOS-00009 @@ -1572,6 +1533,60 @@ + + CCI-000056 + SRG-OS-000028-GPOS-00009 + TBD - Assigned by DISA after STIG release + The operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures. + + CCE-83910-0: Enable the GNOME3 Screen Locking On Smartcard Removal + + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. + +Regardless of where the session lock is determined and implemented, once invoked, the session lock shall remain in place until the user re-authenticates. No other activity aside from re-authentication shall unlock the system. + In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to 'lock-screen'. +

+To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/settings-daemon/peripherals/smartcard]
+removal-action='lock-screen'
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
+After the settings have been set, run dconf update. + Applicable - Configurable + Verify the operating system retains a user's session lock until that user reestablishes access using established identification and authentication procedures. If it does not, this is a finding. + To ensure screen locking on smartcard removal is enabled, run the following command: +
$ grep removal-action /etc/dconf/db/local.d/*
+The output should be 'lock-screen'. +To ensure that users cannot disable screen locking on smartcard removal, run the following: +
$ grep removal-action /etc/dconf/db/local.d/locks/*
+If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action Is it the case that removal-action has not been configured? + Configure the operating system to retain a user's session lock until that user reestablishes access using established identification and authentication procedures. + In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to 'lock-screen'. +

+To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/settings-daemon/peripherals/smartcard]
+removal-action='lock-screen'
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
+After the settings have been set, run dconf update. + medium + + + + + CCI-000056 SRG-OS-000028-GPOS-00009 @@ -1631,48 +1646,33 @@ TBD - Assigned by DISA after STIG release The operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures. - CCE-83910-0: Enable the GNOME3 Screen Locking On Smartcard Removal + CCE-80644-8: Install the tmux Package A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock shall remain in place until the user re-authenticates. No other activity aside from re-authentication shall unlock the system. - In the default graphical environment, screen locking on smartcard removal -can be enabled by setting removal-action -to 'lock-screen'. -

-To enable, add or edit removal-action to -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/settings-daemon/peripherals/smartcard]
-removal-action='lock-screen'
-Once the setting has been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
-After the settings have been set, run dconf update. + To enable console screen locking, install the tmux package. +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +The session lock is implemented at the point where session activity can be determined. +Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. +Instruct users to begin new terminal sessions with the following command: +
$ tmux
+The console can now be locked with the following key combination: +
ctrl+b :lock-session
Applicable - Configurable Verify the operating system retains a user's session lock until that user reestablishes access using established identification and authentication procedures. If it does not, this is a finding. - To ensure screen locking on smartcard removal is enabled, run the following command: -
$ grep removal-action /etc/dconf/db/local.d/*
-The output should be 'lock-screen'. -To ensure that users cannot disable screen locking on smartcard removal, run the following: -
$ grep removal-action /etc/dconf/db/local.d/locks/*
-If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action Is it the case that removal-action has not been configured? + Run the following command to determine if the tmux package is installed:
$ rpm -q tmux
Is it the case that the package is not installed? Configure the operating system to retain a user's session lock until that user reestablishes access using established identification and authentication procedures. - In the default graphical environment, screen locking on smartcard removal -can be enabled by setting removal-action -to 'lock-screen'. -

-To enable, add or edit removal-action to -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/settings-daemon/peripherals/smartcard]
-removal-action='lock-screen'
-Once the setting has been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
-After the settings have been set, run dconf update. + To enable console screen locking, install the tmux package. +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +The session lock is implemented at the point where session activity can be determined. +Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. +Instruct users to begin new terminal sessions with the following command: +
$ tmux
+The console can now be locked with the following key combination: +
ctrl+b :lock-session
medium @@ -1685,38 +1685,40 @@ TBD - Assigned by DISA after STIG release The operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures. - CCE-86135-1: Configure the tmux lock session key binding + CCE-80940-0: Configure the tmux Lock Command A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock shall remain in place until the user re-authenticates. No other activity aside from re-authentication shall unlock the system. - To set a key binding for the screen locking in tmux terminal multiplexer, -the session-lock command must be bound to a key. + To enable console screen locking in tmux terminal multiplexer, +the vlock command must be configured to be used as a locking +mechanism. Add the following line to /etc/tmux.conf: -
bind X lock-session
. +
set -g lock-command vlock
. The console can now be locked with the following key combination: -
Ctrl+b Shift+x
+
ctrl+b :lock-session
Applicable - Configurable Verify the operating system retains a user's session lock until that user reestablishes access using established identification and authentication procedures. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: -
$ grep "lock-session" /etc/tmux.conf
+
$ grep lock-command /etc/tmux.conf
-
bind X lock-session
+
set -g lock-command vlock
Then, verify that the /etc/tmux.conf file can be read by other users than root: -
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-session" is not bound to a specific key? +
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-command" is not set in the global settings to call "vlock"? Configure the operating system to retain a user's session lock until that user reestablishes access using established identification and authentication procedures. - To set a key binding for the screen locking in tmux terminal multiplexer, -the session-lock command must be bound to a key. + To enable console screen locking in tmux terminal multiplexer, +the vlock command must be configured to be used as a locking +mechanism. Add the following line to /etc/tmux.conf: -
bind X lock-session
. +
set -g lock-command vlock
. The console can now be locked with the following key combination: -
Ctrl+b Shift+x
- low +
ctrl+b :lock-session
+ medium @@ -1797,40 +1799,38 @@ TBD - Assigned by DISA after STIG release The operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures. - CCE-80940-0: Configure the tmux Lock Command + CCE-86135-1: Configure the tmux lock session key binding A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock shall remain in place until the user re-authenticates. No other activity aside from re-authentication shall unlock the system. - To enable console screen locking in tmux terminal multiplexer, -the vlock command must be configured to be used as a locking -mechanism. + To set a key binding for the screen locking in tmux terminal multiplexer, +the session-lock command must be bound to a key. Add the following line to /etc/tmux.conf: -
set -g lock-command vlock
. +
bind X lock-session
. The console can now be locked with the following key combination: -
ctrl+b :lock-session
+
Ctrl+b Shift+x
Applicable - Configurable Verify the operating system retains a user's session lock until that user reestablishes access using established identification and authentication procedures. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: -
$ grep lock-command /etc/tmux.conf
+
$ grep "lock-session" /etc/tmux.conf
-
set -g lock-command vlock
+
bind X lock-session
Then, verify that the /etc/tmux.conf file can be read by other users than root: -
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-command" is not set in the global settings to call "vlock"? +
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-session" is not bound to a specific key? Configure the operating system to retain a user's session lock until that user reestablishes access using established identification and authentication procedures. - To enable console screen locking in tmux terminal multiplexer, -the vlock command must be configured to be used as a locking -mechanism. + To set a key binding for the screen locking in tmux terminal multiplexer, +the session-lock command must be bound to a key. Add the following line to /etc/tmux.conf: -
set -g lock-command vlock
. +
bind X lock-session
. The console can now be locked with the following key combination: -
ctrl+b :lock-session
- medium +
Ctrl+b Shift+x
+ low @@ -1883,33 +1883,31 @@ TBD - Assigned by DISA after STIG release The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types. - CCE-82199-1: Configure tmux to lock session after inactivity + CCE-80776-8: Set GNOME3 Screensaver Lock Delay After Activation Period A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. - To enable console screen locking in tmux terminal multiplexer -after a period of inactivity, -the lock-after-time option has to be set to a value greater than 0 and less than -or equal to 900 in /etc/tmux.conf. + To activate the locking delay of the screensaver in the GNOME3 desktop when +the screensaver is activated, add or set lock-delay to uint32 in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/desktop/screensaver]
+lock-delay=uint32 
+
+After the settings have been set, run dconf update. Applicable - Configurable Verify the operating system initiates a session lock after a 15-minute period of inactivity for all connection types. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. - -Check the value of the system inactivity timeout with the following command: - -
$ grep -i lock-after-time /etc/tmux.conf
- -
set -g lock-after-time 900
- -Then, verify that the /etc/tmux.conf file can be read by other users than root: - -
$ sudo ls -al /etc/tmux.conf
Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? + To check that the screen locks immediately when activated, run the following command: +
$ gsettings get org.gnome.desktop.screensaver lock-delay
+If properly configured, the output should be 'uint32 '. Is it the case that the screensaver lock delay is missing, or is set to a value greater than ? Configure the operating system to initiate a session lock after a 15-minute period of inactivity for all connection types. - To enable console screen locking in tmux terminal multiplexer -after a period of inactivity, -the lock-after-time option has to be set to a value greater than 0 and less than -or equal to 900 in /etc/tmux.conf. + To activate the locking delay of the screensaver in the GNOME3 desktop when +the screensaver is activated, add or set lock-delay to uint32 in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/desktop/screensaver]
+lock-delay=uint32 
+
+After the settings have been set, run dconf update. medium @@ -1922,67 +1920,33 @@ TBD - Assigned by DISA after STIG release The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types. - CCE-80781-8: Ensure Users Cannot Change GNOME3 Session Idle Settings + CCE-82199-1: Configure tmux to lock session after inactivity A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. - If not already configured, ensure that users cannot change GNOME3 session idle settings -by adding /org/gnome/desktop/session/idle-delay -to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/session/idle-delay
-After the settings have been set, run dconf update. + To enable console screen locking in tmux terminal multiplexer +after a period of inactivity, +the lock-after-time option has to be set to a value greater than 0 and less than +or equal to 900 in /etc/tmux.conf. Applicable - Configurable Verify the operating system initiates a session lock after a 15-minute period of inactivity for all connection types. If it does not, this is a finding. - To ensure that users cannot change session idle and lock settings, run the following: -
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
-If properly configured, the output should return: -/org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not locked? - Configure the operating system to initiate a session lock after a 15-minute period of inactivity for all connection types. - If not already configured, ensure that users cannot change GNOME3 session idle settings -by adding /org/gnome/desktop/session/idle-delay -to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/session/idle-delay
-After the settings have been set, run dconf update. - medium - - - - + Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. - - CCI-000057 - SRG-OS-000029-GPOS-00010 - TBD - Assigned by DISA after STIG release - The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types. +Check the value of the system inactivity timeout with the following command: - CCE-80776-8: Set GNOME3 Screensaver Lock Delay After Activation Period +
$ grep -i lock-after-time /etc/tmux.conf
- A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. +
set -g lock-after-time 900
-The session lock is implemented at the point where session activity can be determined and/or controlled. - To activate the locking delay of the screensaver in the GNOME3 desktop when -the screensaver is activated, add or set lock-delay to uint32 in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/desktop/screensaver]
-lock-delay=uint32 
-
-After the settings have been set, run dconf update. - Applicable - Configurable - Verify the operating system initiates a session lock after a 15-minute period of inactivity for all connection types. If it does not, this is a finding. - To check that the screen locks immediately when activated, run the following command: -
$ gsettings get org.gnome.desktop.screensaver lock-delay
-If properly configured, the output should be 'uint32 '. Is it the case that the screensaver lock delay is missing, or is set to a value greater than ? +Then, verify that the /etc/tmux.conf file can be read by other users than root: + +
$ sudo ls -al /etc/tmux.conf
Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? Configure the operating system to initiate a session lock after a 15-minute period of inactivity for all connection types. - To activate the locking delay of the screensaver in the GNOME3 desktop when -the screensaver is activated, add or set lock-delay to uint32 in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/desktop/screensaver]
-lock-delay=uint32 
-
-After the settings have been set, run dconf update. + To enable console screen locking in tmux terminal multiplexer +after a period of inactivity, +the lock-after-time option has to be set to a value greater than 0 and less than +or equal to 900 in /etc/tmux.conf. medium 
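Review bot: In the hunk ending here (@@ -1922,67 +1920,33 @@), the CCE-82199-1 tmux lock-after-time rule and the CCE-80781-8 GNOME idle-delay lock rule only exchange positions under the same SRG-OS-000029-GPOS-00010 group; every removed line reappears unchanged as an added line, exactly as in the preceding hunk where CCE-80776-8 and CCE-82199-1 swap the same way. An automated publish that reorders sibling rule entries hides any real content change behind thousands of moved lines, so the generator should emit the rules under each SRG group in a stable order (for example sorted by CCE id) before the datastream is committed. While here, the moved check text says "verify that the /etc/tmux.conf file can be read by other users than root" and shows `$ sudo ls -al /etc/tmux.conf`, but never states which mode the reviewer should expect; add the expected permissions so that step can actually be marked pass or fail.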
@@ -2031,48 +1995,47 @@ - - - - - - CCI-000058 - SRG-OS-000030-GPOS-00011 + CCI-000057 + SRG-OS-000029-GPOS-00010 TBD - Assigned by DISA after STIG release - The operating system must provide the capability for users to directly initiate a session lock for all connection types. + The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types. - CCE-80644-8: Install the tmux Package + CCE-80781-8: Ensure Users Cannot Change GNOME3 Session Idle Settings - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. - To enable console screen locking, install the tmux package. -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. -The session lock is implemented at the point where session activity can be determined. 
-Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -Instruct users to begin new terminal sessions with the following command: -
$ tmux
-The console can now be locked with the following key combination: -
ctrl+b :lock-session
+The session lock is implemented at the point where session activity can be determined and/or controlled. + If not already configured, ensure that users cannot change GNOME3 session idle settings +by adding /org/gnome/desktop/session/idle-delay +to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/desktop/session/idle-delay
+After the settings have been set, run dconf update. Applicable - Configurable - Verify the operating system provides the capability for users to directly initiate a session lock for all connection types. If it does not, this is a finding. - Run the following command to determine if the tmux package is installed:
$ rpm -q tmux
Is it the case that the package is not installed? - Configure the operating system to provide the capability for users to directly initiate a session lock for all connection types. - To enable console screen locking, install the tmux package. -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. -The session lock is implemented at the point where session activity can be determined. -Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -Instruct users to begin new terminal sessions with the following command: -
$ tmux
-The console can now be locked with the following key combination: -
ctrl+b :lock-session
+ Verify the operating system initiates a session lock after a 15-minute period of inactivity for all connection types. If it does not, this is a finding. + To ensure that users cannot change session idle and lock settings, run the following: +
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
+If properly configured, the output should return: +/org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not locked? + Configure the operating system to initiate a session lock after a 15-minute period of inactivity for all connection types. + If not already configured, ensure that users cannot change GNOME3 session idle settings +by adding /org/gnome/desktop/session/idle-delay +to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/desktop/session/idle-delay
+After the settings have been set, run dconf update. medium + + + + + CCI-000058 SRG-OS-000030-GPOS-00011 @@ -2122,6 +2085,58 @@ + + CCI-000058 + SRG-OS-000030-GPOS-00011 + TBD - Assigned by DISA after STIG release + The operating system must provide the capability for users to directly initiate a session lock for all connection types. + + CCE-83910-0: Enable the GNOME3 Screen Locking On Smartcard Removal + + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. + In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to 'lock-screen'. +

+To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/settings-daemon/peripherals/smartcard]
+removal-action='lock-screen'
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
+After the settings have been set, run dconf update. + Applicable - Configurable + Verify the operating system provides the capability for users to directly initiate a session lock for all connection types. If it does not, this is a finding. + To ensure screen locking on smartcard removal is enabled, run the following command: +
$ grep removal-action /etc/dconf/db/local.d/*
+The output should be 'lock-screen'. +To ensure that users cannot disable screen locking on smartcard removal, run the following: +
$ grep removal-action /etc/dconf/db/local.d/locks/*
+If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action Is it the case that removal-action has not been configured? + Configure the operating system to provide the capability for users to directly initiate a session lock for all connection types. + In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to 'lock-screen'. +

+To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/settings-daemon/peripherals/smartcard]
+removal-action='lock-screen'
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
+After the settings have been set, run dconf update. + medium + + + + + CCI-000058 SRG-OS-000030-GPOS-00011 @@ -2179,46 +2194,31 @@ TBD - Assigned by DISA after STIG release The operating system must provide the capability for users to directly initiate a session lock for all connection types. - CCE-83910-0: Enable the GNOME3 Screen Locking On Smartcard Removal + CCE-80644-8: Install the tmux Package A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. - In the default graphical environment, screen locking on smartcard removal -can be enabled by setting removal-action -to 'lock-screen'. -

-To enable, add or edit removal-action to -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/settings-daemon/peripherals/smartcard]
-removal-action='lock-screen'
-Once the setting has been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
-After the settings have been set, run dconf update. + To enable console screen locking, install the tmux package. +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +The session lock is implemented at the point where session activity can be determined. +Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. +Instruct users to begin new terminal sessions with the following command: +
$ tmux
+The console can now be locked with the following key combination: +
ctrl+b :lock-session
Applicable - Configurable Verify the operating system provides the capability for users to directly initiate a session lock for all connection types. If it does not, this is a finding. - To ensure screen locking on smartcard removal is enabled, run the following command: -
$ grep removal-action /etc/dconf/db/local.d/*
-The output should be 'lock-screen'. -To ensure that users cannot disable screen locking on smartcard removal, run the following: -
$ grep removal-action /etc/dconf/db/local.d/locks/*
-If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action Is it the case that removal-action has not been configured? + Run the following command to determine if the tmux package is installed:
$ rpm -q tmux
Is it the case that the package is not installed? Configure the operating system to provide the capability for users to directly initiate a session lock for all connection types. - In the default graphical environment, screen locking on smartcard removal -can be enabled by setting removal-action -to 'lock-screen'. -

-To enable, add or edit removal-action to -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/settings-daemon/peripherals/smartcard]
-removal-action='lock-screen'
-Once the setting has been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
-After the settings have been set, run dconf update. + To enable console screen locking, install the tmux package. +A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +The session lock is implemented at the point where session activity can be determined. +Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. +Instruct users to begin new terminal sessions with the following command: +
$ tmux
+The console can now be locked with the following key combination: +
ctrl+b :lock-session
medium @@ -2231,36 +2231,38 @@ TBD - Assigned by DISA after STIG release The operating system must provide the capability for users to directly initiate a session lock for all connection types. - CCE-86135-1: Configure the tmux lock session key binding + CCE-80940-0: Configure the tmux Lock Command A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. - To set a key binding for the screen locking in tmux terminal multiplexer, -the session-lock command must be bound to a key. + To enable console screen locking in tmux terminal multiplexer, +the vlock command must be configured to be used as a locking +mechanism. Add the following line to /etc/tmux.conf: -
bind X lock-session
. +
set -g lock-command vlock
. The console can now be locked with the following key combination: -
Ctrl+b Shift+x
+
ctrl+b :lock-session
Applicable - Configurable Verify the operating system provides the capability for users to directly initiate a session lock for all connection types. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: -
$ grep "lock-session" /etc/tmux.conf
+
$ grep lock-command /etc/tmux.conf
-
bind X lock-session
+
set -g lock-command vlock
Then, verify that the /etc/tmux.conf file can be read by other users than root: -
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-session" is not bound to a specific key? +
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-command" is not set in the global settings to call "vlock"? Configure the operating system to provide the capability for users to directly initiate a session lock for all connection types. - To set a key binding for the screen locking in tmux terminal multiplexer, -the session-lock command must be bound to a key. + To enable console screen locking in tmux terminal multiplexer, +the vlock command must be configured to be used as a locking +mechanism. Add the following line to /etc/tmux.conf: -
bind X lock-session
. +
set -g lock-command vlock
. The console can now be locked with the following key combination: -
Ctrl+b Shift+x
- low +
ctrl+b :lock-session
+ medium @@ -2337,38 +2339,36 @@ TBD - Assigned by DISA after STIG release The operating system must provide the capability for users to directly initiate a session lock for all connection types. - CCE-80940-0: Configure the tmux Lock Command + CCE-86135-1: Configure the tmux lock session key binding A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. - To enable console screen locking in tmux terminal multiplexer, -the vlock command must be configured to be used as a locking -mechanism. + To set a key binding for the screen locking in tmux terminal multiplexer, +the session-lock command must be bound to a key. Add the following line to /etc/tmux.conf: -
set -g lock-command vlock
. +
bind X lock-session
. The console can now be locked with the following key combination: -
ctrl+b :lock-session
+
Ctrl+b Shift+x
Applicable - Configurable Verify the operating system provides the capability for users to directly initiate a session lock for all connection types. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command: + Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock trhough key bindings with the following commands: -
$ grep lock-command /etc/tmux.conf
+
$ grep "lock-session" /etc/tmux.conf
-
set -g lock-command vlock
+
bind X lock-session
Then, verify that the /etc/tmux.conf file can be read by other users than root: -
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-command" is not set in the global settings to call "vlock"? +
$ sudo ls -al /etc/tmux.conf
Is it the case that the "lock-session" is not bound to a specific key? Configure the operating system to provide the capability for users to directly initiate a session lock for all connection types. - To enable console screen locking in tmux terminal multiplexer, -the vlock command must be configured to be used as a locking -mechanism. + To set a key binding for the screen locking in tmux terminal multiplexer, +the session-lock command must be bound to a key. Add the following line to /etc/tmux.conf: -
set -g lock-command vlock
. +
bind X lock-session
. The console can now be locked with the following key combination: -
ctrl+b :lock-session
- medium +
Ctrl+b Shift+x
+ low @@ -2379,44 +2379,6 @@ - - CCI-000060 - SRG-OS-000031-GPOS-00012 - TBD - Assigned by DISA after STIG release - The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. - - CCE-80780-0: Ensure Users Cannot Change GNOME3 Screensaver Settings - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. - -Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. - If not already configured, ensure that users cannot change GNOME3 screensaver lock settings -by adding /org/gnome/desktop/screensaver/lock-delay -to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/screensaver/lock-delay
-After the settings have been set, run dconf update. - Applicable - Configurable - Verify the operating system conceals, via the session lock, information previously visible on the display with a publicly viewable image. If it does not, this is a finding. - To ensure that users cannot change session idle and lock settings, run the following: -
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
-If properly configured, the output should return: -/org/gnome/desktop/screensaver/lock-delay Is it the case that GNOME3 session settings are not locked or configured properly? - Configure the operating system to conceal, via the session lock, information previously visible on the display with a publicly viewable image. - If not already configured, ensure that users cannot change GNOME3 screensaver lock settings -by adding /org/gnome/desktop/screensaver/lock-delay -to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/screensaver/lock-delay
-After the settings have been set, run dconf update. - medium - - - - - CCI-000060 SRG-OS-000031-GPOS-00012 @@ -2474,72 +2436,31 @@ TBD - Assigned by DISA after STIG release The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. - CCE-82199-1: Configure tmux to lock session after inactivity - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. - -Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. - To enable console screen locking in tmux terminal multiplexer -after a period of inactivity, -the lock-after-time option has to be set to a value greater than 0 and less than -or equal to 900 in /etc/tmux.conf. - Applicable - Configurable - Verify the operating system conceals, via the session lock, information previously visible on the display with a publicly viewable image. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. - -Check the value of the system inactivity timeout with the following command: - -
$ grep -i lock-after-time /etc/tmux.conf
- -
set -g lock-after-time 900
- -Then, verify that the /etc/tmux.conf file can be read by other users than root: - -
$ sudo ls -al /etc/tmux.conf
Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? - Configure the operating system to conceal, via the session lock, information previously visible on the display with a publicly viewable image. - To enable console screen locking in tmux terminal multiplexer -after a period of inactivity, -the lock-after-time option has to be set to a value greater than 0 and less than -or equal to 900 in /etc/tmux.conf. - medium - - - - - - - CCI-000060 - SRG-OS-000031-GPOS-00012 - TBD - Assigned by DISA after STIG release - The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. - - CCE-80781-8: Ensure Users Cannot Change GNOME3 Session Idle Settings + CCE-80780-0: Ensure Users Cannot Change GNOME3 Screensaver Settings A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. 
- If not already configured, ensure that users cannot change GNOME3 session idle settings -by adding /org/gnome/desktop/session/idle-delay + If not already configured, ensure that users cannot change GNOME3 screensaver lock settings +by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: -
/org/gnome/desktop/session/idle-delay
+
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update. Applicable - Configurable Verify the operating system conceals, via the session lock, information previously visible on the display with a publicly viewable image. If it does not, this is a finding. To ensure that users cannot change session idle and lock settings, run the following: -
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
+
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return: -/org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not locked? +/org/gnome/desktop/screensaver/lock-delay Is it the case that GNOME3 session settings are not locked or configured properly? Configure the operating system to conceal, via the session lock, information previously visible on the display with a publicly viewable image. - If not already configured, ensure that users cannot change GNOME3 session idle settings -by adding /org/gnome/desktop/session/idle-delay + If not already configured, ensure that users cannot change GNOME3 screensaver lock settings +by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: -
/org/gnome/desktop/session/idle-delay
+
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update. medium @@ -2586,6 +2507,47 @@ + + CCI-000060 + SRG-OS-000031-GPOS-00012 + TBD - Assigned by DISA after STIG release + The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. + + CCE-82199-1: Configure tmux to lock session after inactivity + + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. + +Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. + To enable console screen locking in tmux terminal multiplexer +after a period of inactivity, +the lock-after-time option has to be set to a value greater than 0 and less than +or equal to 900 in /etc/tmux.conf. + Applicable - Configurable + Verify the operating system conceals, via the session lock, information previously visible on the display with a publicly viewable image. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity. + +Check the value of the system inactivity timeout with the following command: + +
$ grep -i lock-after-time /etc/tmux.conf
+ +
set -g lock-after-time 900
+ +Then, verify that the /etc/tmux.conf file can be read by other users than root: + +
$ sudo ls -al /etc/tmux.conf
Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity? + Configure the operating system to conceal, via the session lock, information previously visible on the display with a publicly viewable image. + To enable console screen locking in tmux terminal multiplexer +after a period of inactivity, +the lock-after-time option has to be set to a value greater than 0 and less than +or equal to 900 in /etc/tmux.conf. + medium + + + + + CCI-000060 SRG-OS-000031-GPOS-00012 @@ -2630,6 +2592,44 @@ + + CCI-000060 + SRG-OS-000031-GPOS-00012 + TBD - Assigned by DISA after STIG release + The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. + + CCE-80781-8: Ensure Users Cannot Change GNOME3 Session Idle Settings + + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. + +Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. + If not already configured, ensure that users cannot change GNOME3 session idle settings +by adding /org/gnome/desktop/session/idle-delay +to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/desktop/session/idle-delay
+After the settings have been set, run dconf update. + Applicable - Configurable + Verify the operating system conceals, via the session lock, information previously visible on the display with a publicly viewable image. If it does not, this is a finding. + To ensure that users cannot change session idle and lock settings, run the following: +
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
+If properly configured, the output should return: +/org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not locked? + Configure the operating system to conceal, via the session lock, information previously visible on the display with a publicly viewable image. + If not already configured, ensure that users cannot change GNOME3 session idle settings +by adding /org/gnome/desktop/session/idle-delay +to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +
/org/gnome/desktop/session/idle-delay
+After the settings have been set, run dconf update. + medium + + + + + @@ -2685,48 +2685,6 @@ - - CCI-000068 - SRG-OS-000033-GPOS-00014 - TBD - Assigned by DISA after STIG release - The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions. - - CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config - - Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. - -Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. - -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
- Applicable - Configurable - Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. If it does not, this is a finding. - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
-and verify that the line matches: -
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? - Configure the operating system to implement DoD-approved encryption to protect the confidentiality of remote access sessions. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. - -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
- high - - - - - CCI-000068 SRG-OS-000033-GPOS-00014 
@@ -2776,6 +2734,63 @@ + + CCI-000068 + SRG-OS-000033-GPOS-00014 + TBD - Assigned by DISA after STIG release + The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions. + + CCE-80937-6: Configure Libreswan to use System Crypto Policy + + Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +Libreswan is supported by system crypto policy, but the Libreswan configuration may be +set up to ignore it. + +To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf +includes the appropriate configuration file. +In /etc/ipsec.conf, make sure that the following line +is not commented out or superseded by later includes: +include /etc/crypto-policies/back-ends/libreswan.config + Applicable - Configurable + Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. If it does not, this is a finding. + Verify that the IPSec service uses the system crypto policy. + +If the ipsec service is not installed is not applicable. 
+ +Check to see if the "IPsec" service is active with the following command: + +$ systemctl status ipsec + +ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec +Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) +Active: inactive (dead) + +If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: + +$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf + +/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain include /etc/crypto-policies/back-ends/libreswan.config? + Configure the operating system to implement DoD-approved encryption to protect the confidentiality of remote access sessions. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +Libreswan is supported by system crypto policy, but the Libreswan configuration may be +set up to ignore it. + +To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf +includes the appropriate configuration file. +In /etc/ipsec.conf, make sure that the following line +is not commented out or superseded by later includes: +include /etc/crypto-policies/back-ends/libreswan.config + high + + + + + CCI-000068 SRG-OS-000033-GPOS-00014 @@ -2824,7 +2839,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions. - CCE-80937-6: Configure Libreswan to use System Crypto Policy + CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. 
@@ -2832,43 +2847,28 @@ Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -Libreswan is supported by system crypto policy, but the Libreswan configuration may be -set up to ignore it. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. -To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf -includes the appropriate configuration file. -In /etc/ipsec.conf, make sure that the following line -is not commented out or superseded by later includes: -include /etc/crypto-policies/back-ends/libreswan.config +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
Applicable - Configurable Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. If it does not, this is a finding. - Verify that the IPSec service uses the system crypto policy. - -If the ipsec service is not installed is not applicable. - -Check to see if the "IPsec" service is active with the following command: - -$ systemctl status ipsec - -ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec -Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) -Active: inactive (dead) - -If the "IPsec" service is active, check to see if it is using the system crypto policy with the following command: - -$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf - -/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config Is it the case that the "IPsec" service is active and the ipsec configuration file does not contain does not contain include /etc/crypto-policies/back-ends/libreswan.config? + To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
+and verify that the line matches: +
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? Configure the operating system to implement DoD-approved encryption to protect the confidentiality of remote access sessions. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -Libreswan is supported by system crypto policy, but the Libreswan configuration may be -set up to ignore it. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. -To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf -includes the appropriate configuration file. -In /etc/ipsec.conf, make sure that the following line -is not commented out or superseded by later includes: -include /etc/crypto-policies/back-ends/libreswan.config +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
high @@ -2886,41 +2886,49 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -2933,41 +2941,72 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. -$ sudo auditctl -l | grep postdrop +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. 
If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -2980,41 +3019,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + CCE-80698-4: Record Any Attempts to Run chcon Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: -$ sudo auditctl -l | grep userhelper +$ sudo auditctl -l | grep chcon --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -3027,7 +3066,59 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ low + + + + + + + CCI-000130 + SRG-OS-000037-GPOS-00015 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish what type of events occurred. + + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -3040,17 +3131,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. @@ -3060,12 +3151,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -3078,7 +3169,101 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + +$ sudo auditctl -l | grep postdrop + +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000130 + SRG-OS-000037-GPOS-00015 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish what type of events occurred. + + CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + +$ sudo auditctl -l | grep gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000130 + SRG-OS-000037-GPOS-00015 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish what type of events occurred. + + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -3092,27 +3277,27 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. @@ -3123,22 +3308,22 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -3151,57 +3336,45 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+delete_module system call, run the following command: +
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -3214,78 +3387,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r openat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep openat /etc/audit/audit.rules + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: -The output should be the following: +$ sudo auditctl -l | grep passwd --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -3298,7 +3434,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -3310,66 +3446,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r truncate /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep truncate /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. 
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -3382,45 +3518,45 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+ To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -$ sudo auditctl -l | grep /var/log/lastlog +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
--w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+ +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -3433,41 +3569,45 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab + CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: - -$ sudo auditctl -l | grep crontab - --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +mount system call, run the following command: +
$ sudo grep "mount" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
medium @@ -3480,41 +3620,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount + CCE-85944-7: Record Any Attempts to Run ssh-agent Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: -$ sudo auditctl -l | grep mount +$ sudo auditctl -l | grep ssh-agent --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
medium @@ -3527,41 +3667,78 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-89446-9: Record Any Attempts to Run chacl + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. -$ sudo auditctl -l | grep chacl +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r ftruncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep ftruncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. 
If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -3574,49 +3751,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep sudo --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -3629,7 +3798,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -3641,29 +3810,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: -$ sudo auditctl -l | grep ssh-keysign +$ sudo auditctl -l | grep kmod --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -3676,41 +3845,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80700-8: Record Any Attempts to Run semanage Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep semanage --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -3723,67 +3892,45 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
+unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -3796,7 +3943,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd + CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -3808,29 +3955,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep chage --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -3843,45 +3990,19 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) + CCE-81043-2: Ensure the audit Subsystem is Installed Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ The audit package should be installed. Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -mount system call, run the following command: -
$ sudo grep "mount" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ The audit package should be installed. medium @@ -3894,41 +4015,49 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep unix_chkpwd +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -3941,7 +4070,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -3954,17 +4083,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. @@ -3974,12 +4103,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -3992,45 +4121,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module + CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -
$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +$ sudo auditctl -l | grep userhelper -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -4043,49 +4168,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: + +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -4098,92 +4215,49 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-82280-9: Record Any Attempts to Run setfiles - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep -E '(/etc/passwd)' --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -4196,7 +4270,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -4204,41 +4278,47 @@ Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -4251,45 +4331,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + CCE-89446-9: Record Any Attempts to Run chacl Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + +$ sudo auditctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -4302,49 +4378,72 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r creat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -4404,110 +4503,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- low - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -4519,124 +4515,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep unix_chkpwd --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-80872-5: Enable auditd Service - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
- Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - - -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -4649,7 +4550,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -4662,21 +4563,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -4684,14 +4585,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -4759,102 +4660,51 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80698-4: Record Any Attempts to Run chcon + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: - -$ sudo auditctl -l | grep chcon - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+$ sudo auditctl -l | grep -E '(/etc/gshadow)' -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+-w /etc/gshadow -p wa -k identity -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -4867,41 +4717,49 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep chage +$ sudo auditctl -l | grep -E '(/etc/shadow)' --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -4914,7 +4772,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-88437-9: Record Any Attempts to Run setfacl + CCE-80701-6: Record Any Attempts to Run setsebool Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -4922,33 +4780,33 @@ Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: -$ sudo auditctl -l | grep setfacl +$ sudo auditctl -l | grep setsebool --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -5008,41 +4866,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80700-8: Record Any Attempts to Run semanage + CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: -$ sudo auditctl -l | grep semanage +$ sudo auditctl -l | grep postqueue --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -5055,57 +4913,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: + +$ sudo auditctl -l | grep mount + +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
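Review bot: in the added mount entry the fix and the check disagree on the audit key, so a host remediated exactly as written does not match the check's expected output. The fix text installs `-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`, while the check's expected line ends in `-k privileged-mount`. Pick one key and use it in both places, or say in the check that only the path, perm and auid filters are significant. Separately, `sudo auditctl -l | grep mount` also matches rules for umount and for the mount syscall family; grepping for `path=/usr/bin/mount ` (with the trailing space) would make the check specific to this rule.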
medium @@ -5118,7 +4960,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5130,29 +4972,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -$ sudo auditctl -l | grep gpasswd +$ sudo auditctl -l | grep crontab --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
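Review bot: same key mismatch as the mount entry above, in the crontab entry: the fix writes `-F key=privileged` and the check expects `-k privileged-crontab`. The preceding one-line hunk (`@@ -5118,7 +4960,7 @@`) only swaps the CCE title from gpasswd to crontab and needs no change, but the key should be reconciled here before the two texts are shipped as a pair.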
medium @@ -5165,74 +5007,45 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: - -$ sudo auditctl -l | grep -E '(/etc/shadow)' - --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
- medium - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-81043-2: Ensure the audit Subsystem is Installed - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - The audit package should be installed. - Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - The audit package should be installed. +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
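Review bot: the added unlinkat fix text tells the operator to set ARCH "to either b32 or b64 as appropriate for your system", which on a 64-bit host yields only the b64 rule, whereas the setxattr and fsetxattr entries in this same patch say "If the system is 64 bit then also add" the b64 line alongside the b32 one. A 64-bit kernel still runs 32-bit binaries, whose unlinkat calls the b64 rule will not see; the text should call for both lines. Two smaller points: the check `$ sudo grep "unlinkat" /etc/audit/audit.*` only reads /etc/audit/audit.rules, not /etc/audit/rules.d/*.rules, and it also matches a commented-out rule, so `auditctl -l | grep unlinkat` (the form used by the privileged-command entries) would verify the loaded state more reliably; and the `-` side of this hunk drops the whole CCE-81043-2 "Ensure the audit Subsystem is Installed" entry with no `+` counterpart, so please confirm it is re-emitted elsewhere in the datastream rather than lost in the reorder.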
medium @@ -5245,72 +5058,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r creat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep creat /etc/audit/audit.rules + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: -The output should be the following: +$ sudo auditctl -l | grep/etc/sudoers.d --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-w /etc/sudoers.d/ -p wa -k actions
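Review bot: the added check command for /etc/sudoers.d/ is missing the space between `grep` and its pattern: `$ sudo auditctl -l | grep/etc/sudoers.d` as written asks the shell for a command named `grep/etc/sudoers.d` and fails. It should read `$ sudo auditctl -l | grep /etc/sudoers.d`. The check's expected line `-w /etc/sudoers.d/ -p wa -k identity` also uses a different key from the fix's `-w /etc/sudoers.d/ -p wa -k actions`, and its lead sentence ("account creations, modifications, disabling, and termination events") is copied from the identity-file checks; the fix text correctly describes this watch as collecting administrator actions, and the check should say the same.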
medium @@ -5323,7 +5105,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5335,29 +5117,33 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -$ sudo auditctl -l | grep newgrp +$ sudo auditctl -l | grep pam_timestamp_check --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
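Review bot: the added pam_timestamp_check rule is broken across two lines inside the pre block, `-a always,exit -F path=/usr/sbin/pam_timestamp_check` followed by `-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`. augenrules and auditctl read one rule per line, so an operator who pastes this verbatim gets a first rule without the perm and key filters and a second line that starts with `-F` and is not a rule on its own. Join it into one line, as the check's expected output already shows it. The key mismatch (`privileged` in the fix, `privileged-pam_timestamp_check` in the check) is the same issue noted on the mount entry.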
medium @@ -5370,51 +5156,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-82280-9: Record Any Attempts to Run setfiles Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: --w /etc/gshadow -p wa -k identity +$ sudo auditctl -l | grep setfiles -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
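Review bot: the setfiles check expects a key that belongs to a different rule. The fix installs `-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`, but the check's expected line ends in `-k privileged-unix-update`, which looks like a copy-paste from the unix_update entry. Use `privileged` (or `privileged-setfiles`) in both. Minor: the fix text says "add the following lines" before a single line.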
medium @@ -5427,7 +5203,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5439,20 +5215,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lchown system call, run the following command: -
$ sudo grep "lchown" /etc/audit/audit.*
+fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
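Review bot: the fsetxattr check does not verify the new `auid=0` lines this hunk adds. `$ sudo grep "fsetxattr" /etc/audit/audit.*` succeeds as soon as any line mentions fsetxattr, so a host that has only `-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod` passes even though that filter excludes root (auid 0), which is exactly why `-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod` was added. The check should require both rules (for example grep for `auid=0` and `auid>=1000` separately) and should look at loaded rules or at /etc/audit/rules.d/*.rules as well, since the glob only covers /etc/audit/audit.rules and matches commented-out lines. Also, "If the system is 64 bit then also add the following line" now introduces two lines.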
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. @@ -5461,62 +5241,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000130 - SRG-OS-000037-GPOS-00015 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish what type of events occurred. - - CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod - - Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. - -Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - -Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: - -$ sudo auditctl -l | grep kmod - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -5529,7 +5266,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5537,41 +5274,41 @@ Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
+lchown system call, run the following command: +
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -5584,72 +5321,45 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: -The output should be the following: +$ sudo auditctl -l | grep /var/log/lastlog --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. 
If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
medium @@ -5662,79 +5372,47 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r ftruncate /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep ftruncate /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- medium + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ low @@ -5746,7 +5424,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5758,66 +5436,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r open /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -5830,7 +5508,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -5842,24 +5520,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. @@ -5868,19 +5546,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -5893,41 +5571,57 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-85944-7: Record Any Attempts to Run ssh-agent + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: - -$ sudo auditctl -l | grep ssh-agent - --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
medium @@ -5940,65 +5634,41 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers -p wa -k actions
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: + +$ sudo auditctl -l | grep /etc/sudoers + +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers -p wa -k actions
medium @@ -6011,7 +5681,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -6023,29 +5693,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: -$ sudo auditctl -l | grep postqueue +$ sudo auditctl -l | grep ssh-keysign --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -6058,47 +5728,50 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
- low + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium @@ -6110,41 +5783,107 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+ medium + + + + -$ sudo auditctl -l | grep sudo + + CCI-000130 + SRG-OS-000037-GPOS-00015 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish what type of events occurred. --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? + CCE-80872-5: Enable auditd Service + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + + +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
medium @@ -6208,45 +5947,125 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r truncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium + + + + -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. + + CCI-000130 + SRG-OS-000037-GPOS-00015 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish what type of events occurred. -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + +$ sudo auditctl -l | grep usermod + +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -6259,7 +6078,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80701-6: Record Any Attempts to Run setsebool + CCE-88437-9: Record Any Attempts to Run setfacl Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -6267,33 +6086,33 @@ Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: -$ sudo auditctl -l | grep setsebool +$ sudo auditctl -l | grep setfacl --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -6306,41 +6125,49 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -6353,7 +6180,7 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount + CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. @@ -6365,29 +6192,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: -$ sudo auditctl -l | grep umount +$ sudo auditctl -l | grep newgrp --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to produce audit records containing information to establish what type of events occurred. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -6400,96 +6227,229 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: - -$ sudo auditctl -l | grep pam_timestamp_check - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to produce audit records containing information to establish what type of events occurred. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
medium - - - - - - CCI-000131 - SRG-OS-000038-GPOS-00016 + CCI-000130 + SRG-OS-000037-GPOS-00015 TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish when (date and time) the events occurred. + The operating system must produce audit records containing information to establish what type of events occurred. - CCE-80872-5: Enable auditd Service + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat - Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. -In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable - Verify the operating system produces audit records containing information to establish when (date and time) the events occurred. If it does not, this is a finding. - + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ medium + + + + -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. + + CCI-000130 + SRG-OS-000037-GPOS-00015 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish what type of events occurred. -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + +$ sudo auditctl -l | grep umount + +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000130 + SRG-OS-000037-GPOS-00015 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish what type of events occurred. + + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + + Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + +Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to produce audit records containing information to establish what type of events occurred. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium + + + + + CCI-000131 SRG-OS-000038-GPOS-00016 @@ -6515,24 +6475,19 @@ - - - - - - CCI-000132 - SRG-OS-000039-GPOS-00017 + CCI-000131 + SRG-OS-000038-GPOS-00016 TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish where the events occurred. + The operating system must produce audit records containing information to establish when (date and time) the events occurred. CCE-80872-5: Enable auditd Service - Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. + Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. -In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components, modules, device identifiers, node names, file names, and functionality. +In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). -Associating information about where the event occurred within the operating system provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. +Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -6540,14 +6495,14 @@ The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Applicable - Configurable - Verify the operating system produces audit records containing information to establish where the events occurred. If it does not, this is a finding. + Verify the operating system produces audit records containing information to establish when (date and time) the events occurred. If it does not, this is a finding. Run the following command to determine the current status of the auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to produce audit records containing information to establish where the events occurred. + Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -6560,6 +6515,11 @@ + + + + + CCI-000132 SRG-OS-000039-GPOS-00017 
@@ -6620,24 +6580,19 @@ - - - - - - CCI-000133 - SRG-OS-000040-GPOS-00018 + CCI-000132 + SRG-OS-000039-GPOS-00017 TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish the source of the events. + The operating system must produce audit records containing information to establish where the events occurred. CCE-80872-5: Enable auditd Service - Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. + Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. -In addition to logging where events occur within the operating system, the operating system must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services. +In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components, modules, device identifiers, node names, file names, and functionality. -In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. +Associating information about where the event occurred within the operating system provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -6645,14 +6600,14 @@ The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Applicable - Configurable - Verify the operating system produces audit records containing information to establish the source of the events. If it does not, this is a finding. + Verify the operating system produces audit records containing information to establish where the events occurred. If it does not, this is a finding. Run the following command to determine the current status of the auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to produce audit records containing information to establish the source of the events. + Configure the operating system to produce audit records containing information to establish where the events occurred. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -6665,6 +6620,11 @@ + + + + + CCI-000133 SRG-OS-000040-GPOS-00018 
@@ -6690,22 +6650,19 @@ - - - - - - CCI-000134 - SRG-OS-000041-GPOS-00019 + CCI-000133 + SRG-OS-000040-GPOS-00018 TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish the outcome of the events. + The operating system must produce audit records containing information to establish the source of the events. CCE-80872-5: Enable auditd Service - Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system. + Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. -Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. +In addition to logging where events occur within the operating system, the operating system must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services. + +In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -6713,14 +6670,14 @@ The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Applicable - Configurable - Verify the operating system produces audit records containing information to establish the outcome of the events. If it does not, this is a finding. + Verify the operating system produces audit records containing information to establish the source of the events. If it does not, this is a finding. Run the following command to determine the current status of the auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to produce audit records containing information to establish the outcome of the events. + Configure the operating system to produce audit records containing information to establish the source of the events. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -6733,6 +6690,11 @@ + + + + + CCI-000134 SRG-OS-000041-GPOS-00019 @@ -6756,6 +6718,44 @@ + + CCI-000134 + SRG-OS-000041-GPOS-00019 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish the outcome of the events. + + CCE-80872-5: Enable auditd Service + + Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system. + +Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
+ Applicable - Configurable + Verify the operating system produces audit records containing information to establish the outcome of the events. If it does not, this is a finding. + + +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? + Configure the operating system to produce audit records containing information to establish the outcome of the events. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
+ medium + + + + + @@ -6767,39 +6767,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -6812,39 +6820,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. -$ sudo auditctl -l | grep postdrop +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. 
If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -6857,39 +6896,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + CCE-80698-4: Record Any Attempts to Run chcon Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: -$ sudo auditctl -l | grep userhelper +$ sudo auditctl -l | grep chcon --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -6902,7 +6941,57 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ low + + + + + + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. + + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -6913,17 +7002,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. @@ -6933,12 +7022,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -6951,65 +7040,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + +$ sudo auditctl -l | grep postdrop + +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -7022,55 +7085,110 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + +$ sudo auditctl -l | grep gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. + + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -7083,76 +7201,88 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +
$ sudo grep "delete_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-$ sudo grep -r openat /etc/audit/rules.d -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. -$ sudo grep openat /etc/audit/audit.rules +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + medium + + + + -The output should be the following: + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+$ sudo auditctl -l | grep passwd + +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -7165,7 +7295,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -7175,66 +7305,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r truncate /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep truncate /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -7247,88 +7377,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: - -$ sudo auditctl -l | grep /var/log/lastlog - --w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- medium - - - - + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -$ sudo auditctl -l | grep crontab +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -7341,39 +7426,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount + CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: - -$ sudo auditctl -l | grep mount - --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +mount system call, run the following command: +
$ sudo grep "mount" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
medium @@ -7386,39 +7475,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-89446-9: Record Any Attempts to Run chacl + CCE-85944-7: Record Any Attempts to Run ssh-agent Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: -$ sudo auditctl -l | grep chacl +$ sudo auditctl -l | grep ssh-agent --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
medium @@ -7431,47 +7520,76 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. -$ sudo auditctl -l | grep -E '(/etc/group)' +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r ftruncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep ftruncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -7484,7 +7602,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -7494,29 +7612,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: -$ sudo auditctl -l | grep ssh-keysign +$ sudo auditctl -l | grep sudo --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -7529,39 +7647,84 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: + +$ sudo auditctl -l | grep kmod + +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. + + CCE-80700-8: Record Any Attempts to Run semanage + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep semanage --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -7574,65 +7737,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
+unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -7645,7 +7786,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd + CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -7655,29 +7796,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep chage --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
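Review bot: the key in the remediation text and the key in the check do not agree: the rule added is `-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`, while the expected `auditctl -l` output shows `-k privileged-chage`. The check greps only for "chage", so it passes either way; this is a documentation inconsistency rather than a false finding, but a reader applying the fix verbatim sees output that differs from what the check tells them to expect. Pick one key and use it in both places. The same mismatch was present in the passwd text being removed, so it is inherited, not introduced here.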
medium @@ -7690,43 +7831,96 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' + +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+ medium + + + + + + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. + + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. To determine if the system is configured to audit calls to the -mount system call, run the following command: -
$ sudo grep "mount" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
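Review bot: two inconsistencies in this hunk. First, the /etc/security/opasswd watch is written as `-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification` in the remediation text, but the check expects `-w /etc/security/opasswd -p wa -k identity`; the check matches on path via `grep -E '(/etc/security/opasswd)'` so it still passes, but the two keys should be the same. Second, the rmdir check `sudo grep "rmdir" /etc/audit/audit.*` inspects files on disk rather than the loaded ruleset, unlike the `auditctl -l` checks used for the path-based rules in this file; it also returns a line for a commented-out rule and does not confirm that both the b32 and b64 variants are present on a 64-bit system. `auditctl -l | grep rmdir` would be consistent with the other checks. Finally, both a file watch on opasswd and an rmdir syscall rule are filed here under the requirement for full-text recording of privileged commands; neither records command text, so the SRG mapping for these two rules deserves a second look.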
medium @@ -7739,7 +7933,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -7749,29 +7943,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: -$ sudo auditctl -l | grep unix_chkpwd +$ sudo auditctl -l | grep userhelper --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
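Review bot: the path in the remediation text and the path in the expected check output disagree: the rules added use `-F path=/usr/sbin/userhelper`, while the check shows `-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper`. The check greps only for "userhelper", so it passes with either path, but the example output should use the same path as the fix it verifies; the unix_chkpwd text being removed had the same /usr/sbin versus /usr/bin discrepancy. The key also differs (`privileged` in the fix, `privileged-userhelper` in the check), as in the chage hunk above.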
medium @@ -7784,43 +7978,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: + +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
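Review bot: same key mismatch as the chage and userhelper hunks: the remediation adds `-F key=privileged` while the check expects `-k privileged-chsh`. Worth fixing in the generator once rather than per rule, since every privileged-command entry in this file carries it. The switch from `grep "rename" /etc/audit/audit.*` in the removed text to `auditctl -l | grep chsh` here is the right direction, because it verifies the rules actually loaded rather than what is on disk.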
medium @@ -7833,43 +8023,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -
$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +$ sudo auditctl -l | grep -E '(/etc/passwd)' -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
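Review bot: the /etc/passwd watch has the same key inconsistency as the opasswd hunk: the fix text adds `-w /etc/passwd -p wa -k audit_rules_usergroup_modification`, the check expects `-w /etc/passwd -p wa -k identity`. The check still passes because `grep -E '(/etc/passwd)'` matches on path, but that pattern is also loose enough to match any other watch whose path merely contains /etc/passwd, so a stricter pattern such as `grep -E '^-w /etc/passwd '` would make the check say what it means. The blank added lines surrounding each rule line are empty preformatted blocks in the rendered HTML and add nothing; they could be dropped from the template.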
medium @@ -7882,47 +8076,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
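Review bot: the check `sudo grep "fchown" /etc/audit/audit.*` also matches a rule that only lists `fchownat`, so a system that audits fchownat but not fchown passes this check. `grep -w "fchown"` avoids that, since the comma in a combined `-S chown,fchown,lchown` list is a word boundary, and `auditctl -l` would be preferable to grepping the files on disk for the same reason given on the rmdir hunk. The added blank lines between the four rule lines are rendering noise and could go.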
medium @@ -7935,88 +8135,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-89446-9: Record Any Attempts to Run chacl Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-82280-9: Record Any Attempts to Run setfiles - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep chacl --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd +of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
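Review bot: the check expects `-k perm_mod` but the remediation adds `-F key=privileged`; the `auditctl -l | grep chacl` check passes either way, but the two should agree, and `perm_mod` is the key this file uses for DAC syscall rules, not for command execution, so `privileged` looks like the intended one. This hunk also drops the unlinkat and setfiles entries from this requirement and adds chacl in their place; if that is only a reordering of the generated table they will reappear elsewhere in the file, but if unlinkat and setfiles are no longer listed under SRG-OS-000042 anywhere, that is a coverage regression worth confirming before publishing.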
medium @@ -8029,149 +8180,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd +$ sudo grep -r creat /etc/audit/rules.d - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: +$ sudo grep creat /etc/audit/audit.rules -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +The output should be the following: --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -8229,106 +8301,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- low - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -8338,82 +8311,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep unix_chkpwd --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -8426,7 +8346,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -8437,21 +8357,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -8459,14 +8379,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -8532,39 +8452,49 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80698-4: Record Any Attempts to Run chcon + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -$ sudo auditctl -l | grep chcon +$ sudo auditctl -l | grep -E '(/etc/gshadow)' --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -8577,98 +8507,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: - -$ sudo auditctl -l | grep chage +$ sudo auditctl -l | grep -E '(/etc/shadow)' --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -8681,39 +8560,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-88437-9: Record Any Attempts to Run setfacl + CCE-80701-6: Record Any Attempts to Run setsebool Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: -$ sudo auditctl -l | grep setfacl +$ sudo auditctl -l | grep setsebool --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -8771,39 +8650,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80700-8: Record Any Attempts to Run semanage + CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: -$ sudo auditctl -l | grep semanage +$ sudo auditctl -l | grep postqueue --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -8816,55 +8695,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: + +$ sudo auditctl -l | grep mount + +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -8877,7 +8740,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -8887,29 +8750,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -$ sudo auditctl -l | grep gpasswd +$ sudo auditctl -l | grep crontab --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -8922,47 +8785,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: - -$ sudo auditctl -l | grep -E '(/etc/shadow)' - --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -8975,70 +8834,66 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +$ sudo auditctl -l | grep/etc/sudoers.d -$ sudo grep -r creat /etc/audit/rules.d +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
+ medium + + + + -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. -$ sudo grep creat /etc/audit/audit.rules + CCE-89903-9: Ensure All Accounts on the System Have Unique User IDs -The output should be the following: + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + Change user IDs (UIDs), or delete accounts, so each has a unique name. + Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 contains no duplicate User IDs (UIDs) for interactive users. + +Check that the operating system contains no duplicate UIDs for interactive users with the following command: + +
$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
Is it the case that output is produced and the accounts listed are interactive user accounts? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Change user IDs (UIDs), or delete accounts, so each has a unique name. medium @@ -9051,7 +8906,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -9061,29 +8916,33 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -$ sudo auditctl -l | grep newgrp +$ sudo auditctl -l | grep pam_timestamp_check --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -9096,49 +8955,100 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-82280-9: Record Any Attempts to Run setfiles Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: --w /etc/gshadow -p wa -k identity +$ sudo auditctl -l | grep setfiles -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. + + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -9204,168 +9114,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: - -$ sudo auditctl -l | grep kmod - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000135 - SRG-OS-000042-GPOS-00020 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records containing the full-text recording of privileged commands. - - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: -The output should be the following: +$ sudo auditctl -l | grep /var/log/lastlog --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. 
If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
medium @@ -9378,77 +9163,45 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r ftruncate /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep ftruncate /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- medium + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ low @@ -9460,7 +9213,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -9470,66 +9223,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r open /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -9542,7 +9295,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -9552,24 +9305,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. @@ -9578,19 +9331,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
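Review bot: the lsetxattr check in hunk @@ -9552,24 +9305,24 @@ ("sudo grep "lsetxattr" /etc/audit/audit.*") reads only the merged /etc/audit/audit.rules, but the fix text for the default augenrules setup tells the admin to put the rules in a .rules file under /etc/audit/rules.d, which augenrules merges into audit.rules only when the rules are next loaded; until then the check reports a finding on a correctly remediated system. The openat check earlier in this patch already handles this with two commands ("grep -r" in /etc/audit/rules.d for augenrules, "grep" in /etc/audit/audit.rules for auditctl); use the same pair here, or check the loaded rules with "auditctl -l | grep lsetxattr". Minor wording in the same hunk: "add the following line" introduces two rules per architecture (the auid>=1000 rule and the auid=0 rule), so "lines" is the accurate word.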
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -9603,39 +9356,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-85944-7: Record Any Attempts to Run ssh-agent + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: - -$ sudo auditctl -l | grep ssh-agent - --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
medium @@ -9648,63 +9417,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect file permission -changes for all users and root. -
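Review bot: the setxattr check in hunk @@ -9603,39 +9356,55 @@ ("sudo grep "setxattr" /etc/audit/audit.*") is a substring match, so a rules file that contains only the fsetxattr or lsetxattr rules from the neighbouring hunks also returns a line, and a system that never audits setxattr itself passes the check. Use a whole-word match, for example "sudo grep -w setxattr /etc/audit/audit.*", which still matches setxattr inside a comma-separated -S list but does not match fsetxattr or lsetxattr.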

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: + +$ sudo auditctl -l | grep /etc/sudoers + +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers -p wa -k actions
medium @@ -9717,7 +9462,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -9727,29 +9472,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
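Review bot: in the /etc/sudoers hunk (@@ -9648,63 +9417,39 @@) the check and the fix disagree on the key: the fix text says to add "-w /etc/sudoers -p wa -k actions", but the check's expected output is "-w /etc/sudoers -p wa -k identity", and the check sentence ("audit records for all account creations, modifications, disabling, and termination events") is the identity-file wording rather than the administrator-actions wording used by the rule title and the fix. The grep on /etc/sudoers passes with either key, so the check does not fail, but an assessor comparing output against the expected line will see a mismatch. Change the expected line to "-k actions" and reword the check sentence to match the fix, for example "generates audit records for modifications to "/etc/sudoers"".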
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: -$ sudo auditctl -l | grep postqueue +$ sudo auditctl -l | grep ssh-keysign --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -9762,45 +9507,48 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
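Review bot: the ssh-keysign hunk (@@ -9727,29 +9472,29 @@) has the fix installing the rule with "-F key=privileged" while the check's expected "auditctl -l" line ends in "-k privileged-ssh-keysign"; "grep ssh-keysign" passes with either key, but the expected output should be the rule the fix actually produces. Pick one key for both. Since "auditctl -l" shows loaded rules only, the check text should also say that the rules must be reloaded (for example with "augenrules --load") after editing the rules file before the command will return a line.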
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? - Configure the operating system to generate audit records containing the full-text recording of privileged commands. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
- low + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium @@ -9812,39 +9560,65 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
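Review bot: the fchmodat rules added in hunk @@ -9762,45 +9507,48 @@ filter on "-F auid>=1000 -F auid!=unset" only, yet the description promises to collect permission changes "for all users and root"; a session whose login UID is 0 (root logged in directly rather than through sudo) is not matched by that filter. The xattr hunks in this same patch pair each rule with a second "-F auid=0 -F key=perm_mod" line for exactly that case, and this hunk has no such line. Either add the matching auid=0 rules for b32 and b64, or drop "and root" from the description so the text does not claim more than the rule audits.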
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: - -$ sudo auditctl -l | grep sudo - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
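Review bot: the check added for the fremovexattr entry ("$ sudo grep "fremovexattr" /etc/audit/audit.*") reads only /etc/audit/audit.*, while the fix text in the same hunk tells the administrator to put the rules in a .rules file under /etc/audit/rules.d when augenrules is used (the default); rules kept there are only visible to this grep after augenrules has regenerated audit.rules. The grep also passes on any line containing the string, including a commented-out one, and never confirms the four variants the fix requires (auid>=1000 with auid!=unset and auid=0, for both arch=b32 and arch=b64). Suggest searching both /etc/audit/rules.d and /etc/audit/audit.rules, as the truncate entry in this patch does with "grep -r truncate /etc/audit/rules.d", and listing the expected lines. Separately, the retained SRG text ("full-text recording of privileged commands") and the retained fixtext lead-in describe privileged command execution, whereas this rule records file permission changes; worth confirming that CCI-000135 / SRG-OS-000042-GPOS-00020 is the intended mapping for a DAC-modification rule.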
medium @@ -9906,43 +9680,121 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r truncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium + + + + -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. + + CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + +$ sudo auditctl -l | grep usermod + +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
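Review bot: the usermod entry's check and fix disagree on both the watched path and the key. The fix lines add "-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged", but the check's expected output is "-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod". A system remediated exactly as the fixtext instructs would therefore show a rule whose path and key both differ from what the assessor is told to expect; align the check with the fix (path /usr/sbin/usermod and one key name used in both). In the truncate entry of this hunk the check says "The output should be the following" and lists "-k access" lines, while the fix writes "-F key=access"; because that check greps the rule files rather than auditctl -l, the literal text will differ even when the rule is correct, so either accept both spellings or make them identical. Minor: "program to to read audit rules" in the truncate check has a doubled "to".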
medium @@ -9955,39 +9807,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80701-6: Record Any Attempts to Run setsebool + CCE-88437-9: Record Any Attempts to Run setfacl Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: -$ sudo auditctl -l | grep setsebool +$ sudo auditctl -l | grep setfacl --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
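Review bot: the setfacl check expects a key that the fix never sets. The fix lines add "-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged", but the check's expected output is "-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod". An assessor comparing "auditctl -l | grep setfacl" against the expected line will see key=privileged where perm_mod is expected and may record a finding on a correctly remediated host. Pick one key (perm_mod matches the DAC-modification rules elsewhere in this file, privileged matches the other path-based rules) and use it in both the check and the fix.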
medium @@ -10000,39 +9852,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
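Review bot: the new chmod check, "$ sudo grep "chmod" /etc/audit/audit.*", matches the bare substring "chmod", so an audit.rules that carries only fchmod or fchmodat rules (this same file adds a "-S fchmod" rule further down) satisfies the check with no "-S chmod" rule present, and a commented-out line satisfies it too. Match the whole syscall token (the "-S chmod" argument followed by a space or end of line) and, as with the other syscall checks in this patch, search /etc/audit/rules.d as well as /etc/audit/audit.*, since the fix text sends augenrules users to rules.d.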
medium @@ -10045,7 +9905,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount + CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -10055,29 +9915,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: -$ sudo auditctl -l | grep umount +$ sudo auditctl -l | grep newgrp --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
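Review bot: key mismatch between the newgrp fix and check. The fix lines add the rule with "-F key=privileged", while the check's expected output ends in "-k privileged-newgrp". Remediating as instructed yields a rule whose key does not match the expected line, so an assessor following the check literally would raise a finding on a compliant host. Use the same key name in both, as the setsebool entry this replaces did (privileged in both fix and check).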
medium @@ -10090,21 +9950,112 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-89903-9: Ensure All Accounts on the System Have Unique User IDs + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - Change user IDs (UIDs), or delete accounts, so each has a unique name. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 contains no duplicate User IDs (UIDs) for interactive users. + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ medium + + + + -Check that the operating system contains no duplicate UIDs for interactive users with the following command: + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. -
$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
Is it the case that output is produced and the accounts listed are interactive user accounts? + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records containing the full-text recording of privileged commands. - Change user IDs (UIDs), or delete accounts, so each has a unique name. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
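Review bot: the renameat entry gives a single line with "-F arch=ARCH" and says to set ARCH "to either b32 or b64 as appropriate for your system", but on a 64-bit system a 32-bit renameat call goes through the b32 ABI and would not be recorded by a b64-only rule. The removexattr entry in this same hunk handles this correctly by giving the b32 line and then, "If the system is 64 bit", the b64 line; suggest the same explicit pair for renameat. Also, the removexattr check "$ sudo grep "removexattr" /etc/audit/audit.*" matches the fremovexattr rule text as a substring, so it passes when only the fremovexattr rules from this patch are present; match the "-S removexattr" token rather than the bare substring, and search /etc/audit/rules.d too, since the fix text places the rules there for augenrules users.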
medium @@ -10117,7 +10068,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records containing the full-text recording of privileged commands. - CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check + CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. @@ -10127,33 +10078,82 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: -$ sudo auditctl -l | grep pam_timestamp_check +$ sudo auditctl -l | grep umount --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records containing the full-text recording of privileged commands. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000135 + SRG-OS-000042-GPOS-00020 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records containing the full-text recording of privileged commands. + + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records containing the full-text recording of privileged commands. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records containing the full-text recording of privileged commands. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -10165,6 +10165,29 @@ + + CCI-000135 + SRG-OS-000042-GPOS-00021 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing the individual identities of group account users. + + CCE-81043-2: Ensure the audit Subsystem is Installed + + Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. + +At a minimum, the organization must audit the individual identities of group users. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the actual account involved in the activity. + The audit package should be installed. + Applicable - Configurable + Verify the operating system produces audit records containing the individual identities of group account users. If it does not, this is a finding. + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + Configure the operating system to produce audit records containing the individual identities of group account users. + The audit package should be installed. + medium + + + + + CCI-000135 SRG-OS-000042-GPOS-00021 @@ -10203,29 +10226,6 @@ - - CCI-000135 - SRG-OS-000042-GPOS-00021 - TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing the individual identities of group account users. - - CCE-81043-2: Ensure the audit Subsystem is Installed - - Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - -At a minimum, the organization must audit the individual identities of group users. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the actual account involved in the activity. - The audit package should be installed. - Applicable - Configurable - Verify the operating system produces audit records containing the individual identities of group account users. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to produce audit records containing the individual identities of group account users. - The audit package should be installed. - medium - - - - - @@ -10274,31 +10274,25 @@ TBD - Assigned by DISA after STIG release The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. - CCE-80678-6: Configure auditd mail_acct Action on Low Disk Space + CCE-85983-5: The Postfix package is installed It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - The auditd service can be configured to send email to -a designated account in certain situations. Add or correct the following line -in /etc/audit/auditd.conf to ensure that administrators are notified -via email for those situations: -
action_mail_acct = 
+ A mail server is required for sending emails. +The postfix package can be installed with the following command: +
+$ sudo yum install postfix
Applicable - Configurable Verify the operating system alerts the ISSO and SA (at a minimum) in the event of an audit processing failure. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: - -
$ sudo grep action_mail_acct /etc/audit/auditd.conf
-
-action_mail_acct = 
Is it the case that the value of the "action_mail_acct" keyword is not set to "" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure? + Run the following command to determine if the postfix package is installed:
$ rpm -q postfix
Is it the case that the package is not installed? Configure the operating system to alert the ISSO and SA (at a minimum) in the event of an audit processing failure. - The auditd service can be configured to send email to -a designated account in certain situations. Add or correct the following line -in /etc/audit/auditd.conf to ensure that administrators are notified -via email for those situations: -
action_mail_acct = 
+ A mail server is required for sending emails. +The postfix package can be installed with the following command: +
+$ sudo yum install postfix
medium @@ -10311,25 +10305,31 @@ TBD - Assigned by DISA after STIG release The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. - CCE-85983-5: The Postfix package is installed + CCE-80678-6: Configure auditd mail_acct Action on Low Disk Space It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. - A mail server is required for sending emails. -The postfix package can be installed with the following command: -
-$ sudo yum install postfix
+ The auditd service can be configured to send email to +a designated account in certain situations. Add or correct the following line +in /etc/audit/auditd.conf to ensure that administrators are notified +via email for those situations: +
action_mail_acct = 
Applicable - Configurable Verify the operating system alerts the ISSO and SA (at a minimum) in the event of an audit processing failure. If it does not, this is a finding. - Run the following command to determine if the postfix package is installed:
$ rpm -q postfix
Is it the case that the package is not installed? + Verify that Red Hat Enterprise Linux 8 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: + +
$ sudo grep action_mail_acct /etc/audit/auditd.conf
+
+action_mail_acct = 
Is it the case that the value of the "action_mail_acct" keyword is not set to "" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure? Configure the operating system to alert the ISSO and SA (at a minimum) in the event of an audit processing failure. - A mail server is required for sending emails. -The postfix package can be installed with the following command: -
-$ sudo yum install postfix
+ The auditd service can be configured to send email to +a designated account in certain situations. Add or correct the following line +in /etc/audit/auditd.conf to ensure that administrators are notified +via email for those situations: +
action_mail_acct = 
medium @@ -10487,6 +10487,31 @@ + + CCI-000154 + SRG-OS-000051-GPOS-00024 + TBD - Assigned by DISA after STIG release + The operating system must provide the capability to centrally review and analyze audit records from multiple components within the system. + + CCE-81043-2: Ensure the audit Subsystem is Installed + + Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the operating system does not provide the ability to centrally review the operating system logs, forensic analysis is negatively impacted. + +Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. + +To support the centralized capability, the operating system must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. + The audit package should be installed. + Applicable - Configurable + Verify the operating system provides the capability to centrally review and analyze audit records from multiple components within the system. If it does not, this is a finding. + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + Configure the operating system to provide the capability to centrally review and analyze audit records from multiple components within the system. + The audit package should be installed. + medium + + + + + CCI-000154 SRG-OS-000051-GPOS-00024 
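Review bot: the CCE-81043-2 block added under SRG-OS-000051-GPOS-00024 at +10487 is textually identical to the block removed at -10527 in the next hunk, so this is a pure reorder with no content change, which means the rule entries under each SRG are being emitted in a nondeterministic order. A no-op republish that shifts thousands of lines buries any genuine rule or mapping change made in the same commit; sort the entries under each SRG by CCE identifier (or another stable key) before writing the datastream, or skip the publish commit when the canonicalized content is unchanged.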
@@ -10527,24 +10552,29 @@ + + + + + - CCI-000154 - SRG-OS-000051-GPOS-00024 + CCI-000158 + SRG-OS-000054-GPOS-00025 TBD - Assigned by DISA after STIG release - The operating system must provide the capability to centrally review and analyze audit records from multiple components within the system. + The operating system must provide the capability to filter audit records for events of interest based upon all audit fields within audit records. CCE-81043-2: Ensure the audit Subsystem is Installed - Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the operating system does not provide the ability to centrally review the operating system logs, forensic analysis is negatively impacted. + The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. -Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. +Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. 
-To support the centralized capability, the operating system must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. +This requires operating systems to provide the capability to customize audit record reports based on all available criteria. The audit package should be installed. Applicable - Configurable - Verify the operating system provides the capability to centrally review and analyze audit records from multiple components within the system. If it does not, this is a finding. + Verify the operating system provides the capability to filter audit records for events of interest based upon all audit fields within audit records. If it does not, this is a finding. Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to provide the capability to centrally review and analyze audit records from multiple components within the system. + Configure the operating system to provide the capability to filter audit records for events of interest based upon all audit fields within audit records. The audit package should be installed. medium @@ -10552,11 +10582,6 @@ - - - - - CCI-000158 SRG-OS-000054-GPOS-00025 
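Review bot: the line-by-line pairing in this hunk (`- CCI-000154` / `+ CCI-000158`, `- SRG-OS-000051-GPOS-00024` / `+ SRG-OS-000054-GPOS-00025`) reads as if the CCE-81043-2 entry were remapped from one SRG to another, when in fact two separate entries for the same CCE swapped positions and neither changed. This is a reviewability problem rather than a correctness one: the retained `$ rpm -q audit` check text is unchanged, but a reader auditing the SRG map cannot confirm that without reassembling both blocks from the surrounding hunks. Stabilizing the emit order is the real fix; failing that, generating the publish diff with `git diff --diff-algorithm=histogram` would at least keep whole blocks together instead of interleaving unrelated entries.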
@@ -10597,31 +10622,6 @@ - - CCI-000158 - SRG-OS-000054-GPOS-00025 - TBD - Assigned by DISA after STIG release - The operating system must provide the capability to filter audit records for events of interest based upon all audit fields within audit records. - - CCE-81043-2: Ensure the audit Subsystem is Installed - - The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. - -Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. - -This requires operating systems to provide the capability to customize audit record reports based on all available criteria. - The audit package should be installed. - Applicable - Configurable - Verify the operating system provides the capability to filter audit records for events of interest based upon all audit fields within audit records. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to provide the capability to filter audit records for events of interest based upon all audit fields within audit records. - The audit package should be installed. - medium - - - - - @@ -10657,50 +10657,86 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized read access. - CCE-84048-8: System Audit Logs Must Have Mode 0750 or Less Permissive + CCE-80708-1: Make the auditd Configuration Immutable Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. - -Verify the audit log directories have a mode of "0700" or less permissive by first determining -where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
-log_file = /var/log/audit/audit.log
-Configure the audit log directory to be protected from unauthorized read access by setting the -correct permissive mode with the following command: -
$ sudo chmod 0700 audit_log_directory
-By default, audit_log_directory is "/var/log/audit". + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make the auditd configuration +immutable: +
-e 2
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make the auditd configuration +immutable: +
-e 2
+With this setting, a reboot will be required to change any audit rules. Applicable - Configurable Verify the operating system protects audit information from unauthorized read access. If it does not, this is a finding. - Verify the audit log directories have a correct mode or less permissive mode. + Verify the audit system prevents unauthorized changes with the following command: +
+$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
+-e 2
+
Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? + Configure the operating system to protect audit information from unauthorized read access. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make the auditd configuration +immutable: +
-e 2
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make the auditd configuration +immutable: +
-e 2
+With this setting, a reboot will be required to change any audit rules. + medium + + + + -Find the location of the audit logs: + + CCI-000162 + SRG-OS-000057-GPOS-00027 + TBD - Assigned by DISA after STIG release + The operating system must protect audit information from unauthorized read access. -$ sudo grep "^log_file" /etc/audit/auditd.conf + CCE-88226-6: System Audit Directories Must Be Owned By Root + Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. + All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. -Run the following command to check the mode of the system audit logs: +To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
+ Applicable - Configurable + Verify the operating system protects audit information from unauthorized read access. If it does not, this is a finding. + Determine where the audit logs are stored with the following command: -$ sudo stat -c "%a %n" [audit_log_directory] +$ sudo grep -iw log_file /etc/audit/auditd.conf -Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". +log_file = /var/log/audit/audit.log +Determine the owner of the audit log directory by using the output of the above command +(default: "/var/log/audit/"). Run the following command with the correct audit log directory +path: -The correct permissions are 0700 Is it the case that audit logs have a more permissive mode? +$ sudo ls -ld /var/log/audit + +drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + +The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? Configure the operating system to protect audit information from unauthorized read access. - -Verify the audit log directories have a mode of "0700" or less permissive by first determining -where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
+    All audit directories must be owned by root user. By default, the path for audit log is 
/var/log/audit/
. -log_file = /var/log/audit/audit.log
-Configure the audit log directory to be protected from unauthorized read access by setting the -correct permissive mode with the following command: -
$ sudo chmod 0700 audit_log_directory
-By default, audit_log_directory is "/var/log/audit". +To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
medium @@ -10766,45 +10802,6 @@ - - CCI-000162 - SRG-OS-000057-GPOS-00027 - TBD - Assigned by DISA after STIG release - The operating system must protect audit information from unauthorized read access. - - CCE-88228-2: System Audit Logs Must Be Owned By Root - - Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
- Applicable - Configurable - Verify the operating system protects audit information from unauthorized read access. If it does not, this is a finding. - Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file = /var/log/audit/audit.log
-Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: -
$ sudo stat -c "%n %U" /var/log/audit/audit.log
-Audit logs must be owned by user root. -If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? - Configure the operating system to protect audit information from unauthorized read access. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
- medium - - - - - CCI-000162 SRG-OS-000057-GPOS-00027 @@ -10873,43 +10870,39 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized read access. - CCE-80708-1: Make the auditd Configuration Immutable + CCE-88225-8: System Audit Directories Must Be Group Owned By Root Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make the auditd configuration -immutable: -
-e 2
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make the auditd configuration -immutable: -
-e 2
-With this setting, a reboot will be required to change any audit rules. + All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. + +To properly set the group owner of /var/log/audit, run the command: +
$ sudo chgrp root /var/log/audit
+ +If log_group in /etc/audit/auditd.conf is set to a group other than the root +group account, change the group ownership of the audit directories to this specific group. Applicable - Configurable Verify the operating system protects audit information from unauthorized read access. If it does not, this is a finding. - Verify the audit system prevents unauthorized changes with the following command: -
-$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
--e 2
-
Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? + +Determine the audit log group by running the following command: + +$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf + +Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. +Run the following command: + +$ sudo find /var/log/audit -type d -printf "%p %g\n" + +All listed directories must be owned by the log_group or by root if the log_group is not specified. Is it the case that there is a directory owned by different group? Configure the operating system to protect audit information from unauthorized read access. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make the auditd configuration -immutable: -
-e 2
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make the auditd configuration -immutable: -
-e 2
-With this setting, a reboot will be required to change any audit rules. + All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. + +To properly set the group owner of /var/log/audit, run the command: +
$ sudo chgrp root /var/log/audit
+ +If log_group in /etc/audit/auditd.conf is set to a group other than the root +group account, change the group ownership of the audit directories to this specific group. medium @@ -10922,36 +10915,50 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized read access. - CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive + CCE-84048-8: System Audit Logs Must Have Mode 0750 or Less Permissive Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. -Determine where the audit logs are stored with the following command: +Verify the audit log directories have a mode of "0700" or less permissive by first determining +where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
 log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". +Configure the audit log directory to be protected from unauthorized read access by setting the +correct permissive mode with the following command: +
$ sudo chmod 0700 audit_log_directory
+By default, audit_log_directory is "/var/log/audit". Applicable - Configurable Verify the operating system protects audit information from unauthorized read access. If it does not, this is a finding. - Run the following command to check the mode of the system audit logs: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file=/var/log/audit/audit.log
-
$ sudo stat -c "%n %a" /var/log/audit/*
-
$ sudo ls -l /var/log/audit
-Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? + Verify the audit log directories have a correct mode or less permissive mode. + +Find the location of the audit logs: + +$ sudo grep "^log_file" /etc/audit/auditd.conf + + + +Run the following command to check the mode of the system audit logs: + +$ sudo stat -c "%a %n" [audit_log_directory] + +Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". + + +The correct permissions are 0700 Is it the case that audit logs have a more permissive mode? Configure the operating system to protect audit information from unauthorized read access. -Determine where the audit logs are stored with the following command: +Verify the audit log directories have a mode of "0700" or less permissive by first determining +where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
 log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". +Configure the audit log directory to be protected from unauthorized read access by setting the +correct permissive mode with the following command: +
$ sudo chmod 0700 audit_log_directory
+By default, audit_log_directory is "/var/log/audit". medium @@ -10964,39 +10971,33 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized read access. - CCE-88225-8: System Audit Directories Must Be Group Owned By Root + CCE-88228-2: System Audit Logs Must Be Owned By Root Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. - All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the group owner of /var/log/audit, run the command: -
$ sudo chgrp root /var/log/audit
+ All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. -If log_group in /etc/audit/auditd.conf is set to a group other than the root -group account, change the group ownership of the audit directories to this specific group. +To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
Applicable - Configurable Verify the operating system protects audit information from unauthorized read access. If it does not, this is a finding. - -Determine the audit log group by running the following command: - -$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf - -Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. -Run the following command: - -$ sudo find /var/log/audit -type d -printf "%p %g\n" - -All listed directories must be owned by the log_group or by root if the log_group is not specified. Is it the case that there is a directory owned by different group? + Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file = /var/log/audit/audit.log
+Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: +
$ sudo stat -c "%n %U" /var/log/audit/audit.log
+Audit logs must be owned by user root. +If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? Configure the operating system to protect audit information from unauthorized read access. - All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the group owner of /var/log/audit, run the command: -
$ sudo chgrp root /var/log/audit
+ All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. -If log_group in /etc/audit/auditd.conf is set to a group other than the root -group account, change the group ownership of the audit directories to this specific group. +To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
medium @@ -11009,37 +11010,36 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized read access. - CCE-88226-6: System Audit Directories Must Be Owned By Root + CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
+ +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". Applicable - Configurable Verify the operating system protects audit information from unauthorized read access. If it does not, this is a finding. - Determine where the audit logs are stored with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf - -log_file = /var/log/audit/audit.log - -Determine the owner of the audit log directory by using the output of the above command -(default: "/var/log/audit/"). Run the following command with the correct audit log directory -path: - -$ sudo ls -ld /var/log/audit - -drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit - -The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? + Run the following command to check the mode of the system audit logs: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file=/var/log/audit/audit.log
+
$ sudo stat -c "%n %a" /var/log/audit/*
+
$ sudo ls -l /var/log/audit
+Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? Configure the operating system to protect audit information from unauthorized read access. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
+ +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". medium @@ -11057,52 +11057,90 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized modification. - CCE-84048-8: System Audit Logs Must Have Mode 0750 or Less Permissive + CCE-80708-1: Make the auditd Configuration Immutable If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - -Verify the audit log directories have a mode of "0700" or less permissive by first determining -where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
-log_file = /var/log/audit/audit.log
-Configure the audit log directory to be protected from unauthorized read access by setting the -correct permissive mode with the following command: -
$ sudo chmod 0700 audit_log_directory
-By default, audit_log_directory is "/var/log/audit". + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make the auditd configuration +immutable: +
-e 2
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make the auditd configuration +immutable: +
-e 2
+With this setting, a reboot will be required to change any audit rules. Applicable - Configurable Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. - Verify the audit log directories have a correct mode or less permissive mode. + Verify the audit system prevents unauthorized changes with the following command: +
+$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
+-e 2
+
Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? + Configure the operating system to protect audit information from unauthorized modification. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make the auditd configuration +immutable: +
-e 2
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make the auditd configuration +immutable: +
-e 2
+With this setting, a reboot will be required to change any audit rules. + medium + + + + -Find the location of the audit logs: + + CCI-000163 + SRG-OS-000058-GPOS-00028 + TBD - Assigned by DISA after STIG release + The operating system must protect audit information from unauthorized modification. -$ sudo grep "^log_file" /etc/audit/auditd.conf + CCE-88226-6: System Audit Directories Must Be Owned By Root + If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. +To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. -Run the following command to check the mode of the system audit logs: +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. + All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. -$ sudo stat -c "%a %n" [audit_log_directory] +To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
+ Applicable - Configurable + Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. + Determine where the audit logs are stored with the following command: -Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". +$ sudo grep -iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log -The correct permissions are 0700 Is it the case that audit logs have a more permissive mode? +Determine the owner of the audit log directory by using the output of the above command +(default: "/var/log/audit/"). Run the following command with the correct audit log directory +path: + +$ sudo ls -ld /var/log/audit + +drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + +The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? Configure the operating system to protect audit information from unauthorized modification. - -Verify the audit log directories have a mode of "0700" or less permissive by first determining -where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
+    All audit directories must be owned by root user. By default, the path for audit log is 
/var/log/audit/
. -log_file = /var/log/audit/audit.log
-Configure the audit log directory to be protected from unauthorized read access by setting the -correct permissive mode with the following command: -
$ sudo chmod 0700 audit_log_directory
-By default, audit_log_directory is "/var/log/audit". +To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
medium @@ -11170,47 +11208,6 @@ - - CCI-000163 - SRG-OS-000058-GPOS-00028 - TBD - Assigned by DISA after STIG release - The operating system must protect audit information from unauthorized modification. - - CCE-88228-2: System Audit Logs Must Be Owned By Root - - If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. - -To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
- Applicable - Configurable - Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. - Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file = /var/log/audit/audit.log
-Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: -
$ sudo stat -c "%n %U" /var/log/audit/audit.log
-Audit logs must be owned by user root. -If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? - Configure the operating system to protect audit information from unauthorized modification. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
- medium - - - - - CCI-000163 SRG-OS-000058-GPOS-00028 @@ -11275,101 +11272,6 @@ - - CCI-000163 - SRG-OS-000058-GPOS-00028 - TBD - Assigned by DISA after STIG release - The operating system must protect audit information from unauthorized modification. - - CCE-80708-1: Make the auditd Configuration Immutable - - If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. - -To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make the auditd configuration -immutable: -
-e 2
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make the auditd configuration -immutable: -
-e 2
-With this setting, a reboot will be required to change any audit rules. - Applicable - Configurable - Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. - Verify the audit system prevents unauthorized changes with the following command: -
-$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
--e 2
-
Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? - Configure the operating system to protect audit information from unauthorized modification. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make the auditd configuration -immutable: -
-e 2
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make the auditd configuration -immutable: -
-e 2
-With this setting, a reboot will be required to change any audit rules. - medium - - - - - - - CCI-000163 - SRG-OS-000058-GPOS-00028 - TBD - Assigned by DISA after STIG release - The operating system must protect audit information from unauthorized modification. - - CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive - - If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. - -To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - -Determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". - Applicable - Configurable - Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. - Run the following command to check the mode of the system audit logs: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file=/var/log/audit/audit.log
-
$ sudo stat -c "%n %a" /var/log/audit/*
-
$ sudo ls -l /var/log/audit
-Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? - Configure the operating system to protect audit information from unauthorized modification. - -Determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". - medium - - - - - CCI-000163 SRG-OS-000058-GPOS-00028 @@ -11423,61 +11325,11 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized modification. - CCE-88226-6: System Audit Directories Must Be Owned By Root - - If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. - -To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. - -Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
- Applicable - Configurable - Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. - Determine where the audit logs are stored with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf - -log_file = /var/log/audit/audit.log - -Determine the owner of the audit log directory by using the output of the above command -(default: "/var/log/audit/"). Run the following command with the correct audit log directory -path: - -$ sudo ls -ld /var/log/audit - -drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit - -The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? - Configure the operating system to protect audit information from unauthorized modification. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
- medium - - - - - - - - - - - - CCI-000164 - SRG-OS-000059-GPOS-00029 - TBD - Assigned by DISA after STIG release - The operating system must protect audit information from unauthorized deletion. - CCE-84048-8: System Audit Logs Must Have Mode 0750 or Less Permissive If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. -To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. +To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. @@ -11491,7 +11343,7 @@
$ sudo chmod 0700 audit_log_directory
By default, audit_log_directory is "/var/log/audit". Applicable - Configurable - Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. + Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. Verify the audit log directories have a correct mode or less permissive mode. Find the location of the audit logs: @@ -11508,7 +11360,7 @@ The correct permissions are 0700 Is it the case that audit logs have a more permissive mode? - Configure the operating system to protect audit information from unauthorized deletion. + Configure the operating system to protect audit information from unauthorized modification. Verify the audit log directories have a mode of "0700" or less permissive by first determining where the audit logs are stored with the following command: 
@@ -11526,60 +11378,140 @@ - CCI-000164 - SRG-OS-000059-GPOS-00029 + CCI-000163 + SRG-OS-000058-GPOS-00028 TBD - Assigned by DISA after STIG release - The operating system must protect audit information from unauthorized deletion. + The operating system must protect audit information from unauthorized modification. - CCE-90783-2: Configure immutable Audit login UIDs + CCE-88228-2: System Audit Logs Must Be Owned By Root If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. -To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. +To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - Configure kernel to prevent modification of login UIDs once they are set. -Changing login UIDs while this configuration is enforced requires special capabilities which -are not available to unprivileged users. -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make login UIDs -immutable: -
--loginuid-immutable
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make login UIDs -immutable: -
--loginuid-immutable
+ All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. + +To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
Applicable - Configurable - Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. - To determine if the system is configured to make login UIDs immutable, run -one of the following commands. -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), run the following: -
sudo grep immutable /etc/audit/rules.d/*.rules
+ Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. + Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file = /var/log/audit/audit.log
+Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: +
$ sudo stat -c "%n %U" /var/log/audit/audit.log
+Audit logs must be owned by user root. +If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? + Configure the operating system to protect audit information from unauthorized modification. + All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. + +To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
+ medium + + + + + + + CCI-000163 + SRG-OS-000058-GPOS-00028 + TBD - Assigned by DISA after STIG release + The operating system must protect audit information from unauthorized modification. + + CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive + + If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. + +To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. + +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". + Applicable - Configurable + Verify the operating system protects audit information from unauthorized modification. If it does not, this is a finding. + Run the following command to check the mode of the system audit logs: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file=/var/log/audit/audit.log
+
$ sudo stat -c "%n %a" /var/log/audit/*
+
$ sudo ls -l /var/log/audit
+Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? + Configure the operating system to protect audit information from unauthorized modification. + +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". + medium + + + + + + + + + + + + CCI-000164 + SRG-OS-000059-GPOS-00029 + TBD - Assigned by DISA after STIG release + The operating system must protect audit information from unauthorized deletion. + + CCE-80708-1: Make the auditd Configuration Immutable + + If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. + +To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make the auditd configuration +immutable: +
-e 2
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, run the following command: -
sudo grep immutable /etc/audit/audit.rules
-The following line should be returned: -
--loginuid-immutable
Is it the case that the system is not configured to make login UIDs immutable? +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make the auditd configuration +immutable: +
-e 2
+With this setting, a reboot will be required to change any audit rules. + Applicable - Configurable + Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. + Verify the audit system prevents unauthorized changes with the following command: +
+$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
+-e 2
+
Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? Configure the operating system to protect audit information from unauthorized deletion. - Configure kernel to prevent modification of login UIDs once they are set. -Changing login UIDs while this configuration is enforced requires special capabilities which -are not available to unprivileged users. -If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make login UIDs +directory /etc/audit/rules.d in order to make the auditd configuration immutable: -
--loginuid-immutable
+
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make login UIDs +/etc/audit/audit.rules file in order to make the auditd configuration immutable: -
--loginuid-immutable
+
-e 2
+With this setting, a reboot will be required to change any audit rules. medium @@ -11592,35 +11524,100 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized deletion. - CCE-88228-2: System Audit Logs Must Be Owned By Root + CCE-88226-6: System Audit Directories Must Be Owned By Root If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. + All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
+To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
Applicable - Configurable Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. - Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file = /var/log/audit/audit.log
-Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: -
$ sudo stat -c "%n %U" /var/log/audit/audit.log
-Audit logs must be owned by user root. -If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? + Determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf + +log_file = /var/log/audit/audit.log + +Determine the owner of the audit log directory by using the output of the above command +(default: "/var/log/audit/"). Run the following command with the correct audit log directory +path: + +$ sudo ls -ld /var/log/audit + +drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + +The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? Configure the operating system to protect audit information from unauthorized deletion. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. + All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
+To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
+ medium + + + + + + + CCI-000164 + SRG-OS-000059-GPOS-00029 + TBD - Assigned by DISA after STIG release + The operating system must protect audit information from unauthorized deletion. + + CCE-90783-2: Configure immutable Audit login UIDs + + If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. + +To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. + +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. + Configure kernel to prevent modification of login UIDs once they are set. +Changing login UIDs while this configuration is enforced requires special capabilities which +are not available to unprivileged users. +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make login UIDs +immutable: +
--loginuid-immutable
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make login UIDs +immutable: +
--loginuid-immutable
+ Applicable - Configurable + Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. + To determine if the system is configured to make login UIDs immutable, run +one of the following commands. +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), run the following: +
sudo grep immutable /etc/audit/rules.d/*.rules
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, run the following command: +
sudo grep immutable /etc/audit/audit.rules
+The following line should be returned: +
--loginuid-immutable
Is it the case that the system is not configured to make login UIDs immutable? + Configure the operating system to protect audit information from unauthorized deletion. + Configure kernel to prevent modification of login UIDs once they are set. +Changing login UIDs while this configuration is enforced requires special capabilities which +are not available to unprivileged users. +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make login UIDs +immutable: +
--loginuid-immutable
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make login UIDs +immutable: +
--loginuid-immutable
medium @@ -11697,45 +11694,41 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized deletion. - CCE-80708-1: Make the auditd Configuration Immutable + CCE-88225-8: System Audit Directories Must Be Group Owned By Root If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make the auditd configuration -immutable: -
-e 2
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make the auditd configuration -immutable: -
-e 2
-With this setting, a reboot will be required to change any audit rules. + All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. + +To properly set the group owner of /var/log/audit, run the command: +
$ sudo chgrp root /var/log/audit
+ +If log_group in /etc/audit/auditd.conf is set to a group other than the root +group account, change the group ownership of the audit directories to this specific group. Applicable - Configurable Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. - Verify the audit system prevents unauthorized changes with the following command: -
-$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
--e 2
-
Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? + +Determine the audit log group by running the following command: + +$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf + +Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. +Run the following command: + +$ sudo find /var/log/audit -type d -printf "%p %g\n" + +All listed directories must be owned by the log_group or by root if the log_group is not specified. Is it the case that there is a directory owned by different group? Configure the operating system to protect audit information from unauthorized deletion. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make the auditd configuration -immutable: -
-e 2
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make the auditd configuration -immutable: -
-e 2
-With this setting, a reboot will be required to change any audit rules. + All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. + +To properly set the group owner of /var/log/audit, run the command: +
$ sudo chgrp root /var/log/audit
+ +If log_group in /etc/audit/auditd.conf is set to a group other than the root +group account, change the group ownership of the audit directories to this specific group. medium @@ -11748,7 +11741,7 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized deletion. - CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive + CCE-84048-8: System Audit Logs Must Have Mode 0750 or Less Permissive If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. @@ -11756,30 +11749,44 @@ Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. -Determine where the audit logs are stored with the following command: +Verify the audit log directories have a mode of "0700" or less permissive by first determining +where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
 log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". +Configure the audit log directory to be protected from unauthorized read access by setting the +correct permissive mode with the following command: +
$ sudo chmod 0700 audit_log_directory
+By default, audit_log_directory is "/var/log/audit". Applicable - Configurable Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. - Run the following command to check the mode of the system audit logs: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file=/var/log/audit/audit.log
-
$ sudo stat -c "%n %a" /var/log/audit/*
-
$ sudo ls -l /var/log/audit
-Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? + Verify the audit log directories have a correct mode or less permissive mode. + +Find the location of the audit logs: + +$ sudo grep "^log_file" /etc/audit/auditd.conf + + + +Run the following command to check the mode of the system audit logs: + +$ sudo stat -c "%a %n" [audit_log_directory] + +Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". + + +The correct permissions are 0700 Is it the case that audit logs have a more permissive mode? Configure the operating system to protect audit information from unauthorized deletion. -Determine where the audit logs are stored with the following command: +Verify the audit log directories have a mode of "0700" or less permissive by first determining +where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
 log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". +Configure the audit log directory to be protected from unauthorized read access by setting the +correct permissive mode with the following command: +
$ sudo chmod 0700 audit_log_directory
+By default, audit_log_directory is "/var/log/audit". medium @@ -11792,41 +11799,35 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized deletion. - CCE-88225-8: System Audit Directories Must Be Group Owned By Root + CCE-88228-2: System Audit Logs Must Be Owned By Root If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the group owner of /var/log/audit, run the command: -
$ sudo chgrp root /var/log/audit
+ All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. -If log_group in /etc/audit/auditd.conf is set to a group other than the root -group account, change the group ownership of the audit directories to this specific group. +To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
Applicable - Configurable Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. - -Determine the audit log group by running the following command: - -$ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf - -Then, check that all directories within the /var/log/audit directory are owned by the group specified as log_group or by root if the log_group is not specified. -Run the following command: - -$ sudo find /var/log/audit -type d -printf "%p %g\n" - -All listed directories must be owned by the log_group or by root if the log_group is not specified. Is it the case that there is a directory owned by different group? + Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file = /var/log/audit/audit.log
+Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: +
$ sudo stat -c "%n %U" /var/log/audit/audit.log
+Audit logs must be owned by user root. +If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? Configure the operating system to protect audit information from unauthorized deletion. - All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the group owner of /var/log/audit, run the command: -
$ sudo chgrp root /var/log/audit
+ All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. -If log_group in /etc/audit/auditd.conf is set to a group other than the root -group account, change the group ownership of the audit directories to this specific group. +To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
medium @@ -11839,39 +11840,38 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit information from unauthorized deletion. - CCE-88226-6: System Audit Directories Must Be Owned By Root + CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
+ +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". Applicable - Configurable Verify the operating system protects audit information from unauthorized deletion. If it does not, this is a finding. - Determine where the audit logs are stored with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf - -log_file = /var/log/audit/audit.log - -Determine the owner of the audit log directory by using the output of the above command -(default: "/var/log/audit/"). Run the following command with the correct audit log directory -path: - -$ sudo ls -ld /var/log/audit - -drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit - -The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? + Run the following command to check the mode of the system audit logs: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file=/var/log/audit/audit.log
+
$ sudo stat -c "%n %a" /var/log/audit/*
+
$ sudo ls -l /var/log/audit
+Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? Configure the operating system to protect audit information from unauthorized deletion. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
+ +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". medium @@ -11889,7 +11889,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -11906,16 +11906,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -11930,11 +11934,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -11946,16 +11950,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -11968,7 +11976,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -11985,16 +11993,26 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. 
@@ -12009,32 +12027,53 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. -$ sudo auditctl -l | grep postdrop +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. +$ sudo grep -r open_by_handle_at /etc/audit/rules.d -DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is 
commented out? + Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. + +DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -12047,7 +12086,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + CCE-80698-4: Record Any Attempts to Run chcon Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12064,16 +12103,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12088,11 +12127,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: -$ sudo auditctl -l | grep userhelper +$ sudo auditctl -l | grep chcon --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -12104,16 +12143,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium 
@@ -12126,7 +12165,91 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + +The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. + +DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. 
+To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ Applicable - Configurable + Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. + +DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + +If it does not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? + Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. + +DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; + +3) All account creations, modifications, disabling, and terminations; and + +4) All kernel module load, unload, and restart actions. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ low + + + + + + + CCI-000169 + SRG-OS-000062-GPOS-00031 + TBD - Assigned by DISA after STIG release + The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. + + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12149,12 +12272,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12170,8 +12293,8 @@ If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12191,12 +12314,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -12209,7 +12332,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12226,29 +12349,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12263,11 +12373,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + +$ sudo auditctl -l | grep postdrop + +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -12279,29 +12389,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -12314,7 +12411,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-82233-8: Include Local Events in Audit Logs Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12331,24 +12428,9 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting. Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12363,11 +12445,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + To verify that Audit Daemon is configured to include local events, run the +following command: +
$ sudo grep local_events /etc/audit/auditd.conf
+The output should return the following: +
local_events = yes
Is it the case that local_events isn't set to yes? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -12379,24 +12461,9 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting. medium @@ -12409,7 +12476,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12426,29 +12493,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12463,22 +12517,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r openat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep openat /etc/audit/audit.rules + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: -The output should be the following: +$ sudo auditctl -l | grep gpasswd --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 
@@ -12490,29 +12533,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -12525,7 +12555,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12542,29 +12572,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12579,22 +12609,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r truncate /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep truncate /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -12606,29 +12625,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -12641,7 +12660,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12658,37 +12677,37 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- Applicable - Configurable - Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + Applicable - Configurable + Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. + +DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: + +1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); + +2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. 
- Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: - -$ sudo auditctl -l | grep /var/log/lastlog - --w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +
$ sudo grep "delete_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -12700,18 +12719,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -12724,7 +12743,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab + CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12746,11 +12765,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12765,11 +12784,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: -$ sudo auditctl -l | grep crontab +$ sudo auditctl -l | grep passwd --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -12786,11 +12805,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -12803,7 +12822,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12820,16 +12839,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12844,11 +12876,22 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. -$ sudo auditctl -l | grep mount +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r open /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 
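Review bot: in the hunk at @@ -12844,11 +12876,22 @@ the check commands `grep -r open /etc/audit/rules.d` and `grep open /etc/audit/audit.rules` match every rule containing the substring `open`, including the `openat` rules this same profile ships (the openat check removed at @@ -12463 quotes them), so the output will not be "the following" four lines as the text claims. Use a whole-word match such as `grep -rw open /etc/audit/rules.d` (or read `auditctl -l` as the privileged-command checks do) and say the four lines may appear in any order. The added line also repeats "to to read".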
@@ -12860,16 +12903,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -12882,7 +12938,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-89446-9: Record Any Attempts to Run chacl + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12899,16 +12955,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -12923,11 +12981,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: - -$ sudo auditctl -l | grep chacl - --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -12939,16 +12997,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
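Review bot: the hunk at @@ -12525,7 +12555,7 @@ (and the matching title hunks at @@ -12641, @@ -12724, @@ -12803, @@ -12882, @@ -12961 and @@ -13048) replaces one CCE with another while the SRG boilerplate around it is unchanged, and the rule text removed in one place shows up as an addition in another (for example the privileged-command wording removed for mount at @@ -12820 is the same wording added for gpasswd at @@ -12490); this is row-order churn between automated builds, not a content change. Sorting the SRG map rows by rule or CCE id in the generator would stop each publish from rewriting the whole file and would leave real changes visible in review.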
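Review bot: in the hunk at @@ -12579,22 +12609,11 @@ the lremovexattr check `grep "lremovexattr" /etc/audit/audit.*` only inspects /etc/audit/audit.rules, while the fix text for the default augenrules case puts the rule under /etc/audit/rules.d; a correctly placed rule that has not yet been merged by `augenrules --load` therefore fails the check, and the question "Is it the case that no line is returned?" accepts a commented-out line, unlike the other checks in this patch which ask whether the line is commented out. Check the loaded rules (`auditctl -l | grep lremovexattr`) or grep both locations and exclude `^#` lines. The paired fix text at @@ -12542 says "add the following line" but lists two lines per arch (`auid>=1000` and `auid=0`); make that "lines".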
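Review bot: in the hunk at @@ -12658,37 +12677,37 @@ the delete_module fix text leaves a literal `ARCH` placeholder in the rule (`-a always,exit -F arch=ARCH -S delete_module ...`), and the check `grep "delete_module" /etc/audit/audit.*` would accept a rule copied verbatim with `arch=ARCH`, which auditctl rejects at load time; render the b32 and b64 lines explicitly, as the lremovexattr hunk in this same patch does, instead of describing the substitution in prose. The added prose also needs articles: "use the following line" and "Where to add the line depends on how the auditd daemon is configured".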
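Review bot: in the hunk at @@ -12765,11 +12784,11 @@ the passwd check `auditctl -l | grep passwd` returns a line for any rule whose text contains "passwd" (a `-w /etc/passwd` watch or a rule on chpasswd or unix_chkpwd would do), so it can pass with no rule on /usr/bin/passwd at all; grep for the path, `auditctl -l | grep '/usr/bin/passwd'`. The quoted expected key `privileged-passwd` also differs from the `privileged` key the fix text at @@ -12746 sets.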
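Review bot: in the hunk at @@ -12899,16 +12955,18 @@ the init_module rule covers `-S init_module` only; current module loaders also load modules through `finit_module` (load from an open file descriptor), so unless another rule in this profile audits `finit_module` the SRG item "4) All kernel module load ... actions" is only partly met by this mapping, which is worth confirming before publishing. The same `ARCH` placeholder and `grep "init_module" /etc/audit/audit.*` remarks as for the delete_module hunk apply here.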
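Review bot: in the hunk at @@ -13006,11 +13064,11 @@ the check `grep "mount" /etc/audit/audit.*` cannot tell the syscall rule this item needs (`-S mount ... -F key=export`) from the privileged-command rule `-F path=/usr/bin/mount` that this same profile carries (see the text removed at @@ -12820) or from a `umount2` rule, so the check passes when only the path rule is present; grep for `-S mount` or for the `export` key instead. The paired fix text at @@ -12978 says to set `ARCH` to "either b32 or b64 as appropriate for your system", but on a 64-bit system a 32-bit binary can still issue the syscall and both arch lines are needed, as the delete_module and init_module fix texts in this patch state.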
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -12961,7 +13021,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -12978,20 +13038,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13006,11 +13064,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/group)' - --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +mount system call, run the following command: +
$ sudo grep "mount" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13022,20 +13080,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
medium @@ -13048,7 +13104,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + CCE-85944-7: Record Any Attempts to Run ssh-agent Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13065,16 +13121,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13089,11 +13145,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: -$ sudo auditctl -l | grep ssh-keysign +$ sudo auditctl -l | grep ssh-agent --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13105,16 +13161,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
medium @@ -13127,7 +13183,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13144,16 +13200,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13168,11 +13237,22 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. -$ sudo auditctl -l | grep/etc/sudoers.d +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r ftruncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep ftruncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 
@@ -13184,16 +13264,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -13206,7 +13299,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13223,29 +13316,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13260,11 +13340,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: + +$ sudo auditctl -l | grep sudo + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13276,29 +13356,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -13311,7 +13378,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd + CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13333,11 +13400,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13352,11 +13419,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep kmod --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13373,11 +13440,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -13390,7 +13457,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) + CCE-80700-8: Record Any Attempts to Run semanage Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13407,18 +13474,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13433,11 +13498,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -mount system call, run the following command: -
$ sudo grep "mount" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: + +$ sudo auditctl -l | grep semanage + +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13449,18 +13514,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -13473,7 +13536,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13490,16 +13553,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13514,11 +13579,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: - -$ sudo auditctl -l | grep unix_chkpwd - --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13530,16 +13595,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -13552,7 +13619,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13569,18 +13636,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13595,11 +13660,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: + +$ sudo auditctl -l | grep chage + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13611,18 +13676,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -13635,7 +13698,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module + CCE-81043-2: Ensure the audit Subsystem is Installed Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13652,18 +13715,7 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + The audit package should be installed. Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13678,11 +13730,7 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -
$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13694,18 +13742,7 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + The audit package should be installed. medium @@ -13718,7 +13755,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13735,20 +13772,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13763,11 +13800,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' + +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13779,20 +13816,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -13805,7 +13842,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13828,12 +13865,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13849,8 +13886,8 @@ If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13870,12 +13907,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -13888,7 +13925,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-82280-9: Record Any Attempts to Run setfiles + CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13905,16 +13942,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -13929,11 +13966,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep userhelper --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -13945,16 +13982,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -13967,7 +14004,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -13984,20 +14021,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14012,11 +14045,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: + +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14028,20 +14061,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -14054,7 +14083,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14071,18 +14100,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14097,11 +14128,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/passwd)' + +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14113,18 +14144,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -14137,7 +14170,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14154,20 +14187,23 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14182,11 +14218,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' - --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14198,20 +14234,23 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -14224,7 +14263,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-89480-8: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update + CCE-89446-9: Record Any Attempts to Run chacl Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14241,16 +14280,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14265,11 +14304,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: -$ sudo auditctl -l | grep unix_update +$ sudo auditctl -l | grep chacl --a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14281,16 +14320,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -14303,7 +14342,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14320,16 +14359,27 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- Applicable - Configurable + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14343,18 +14393,22 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r creat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 
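Review bot: the check text added in @@ -14343,18 +14393,22 @@ has a doubled word ("program to to read audit rules") and presents the two b64 lines as required output unconditionally, while the matching fix in @@ -14320,16 +14359,27 @@ adds them only "If the system is 64 bit"; qualify the expected output the same way or state that the b64 lines are absent on 32-bit hosts. As written, `grep -r creat /etc/audit/rules.d` also returns commented-out rules, so the finding condition "the line is commented out" cannot be decided from its output; anchoring the pattern to an uncommented rule, for example `grep -rE '^[^#]*-S creat' /etc/audit/rules.d`, makes the command match the condition it is meant to test. Minor: the expected lines end in `-k access` while the fix writes `-F key=access`; auditctl accepts both, but the file will contain whichever form the fix wrote, so the two texts should agree.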
@@ -14366,16 +14420,27 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- low + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium @@ -14387,7 +14452,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir + CCE-89480-8: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14404,18 +14469,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14430,11 +14493,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: + +$ sudo auditctl -l | grep unix_update + +-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14446,18 +14509,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -14470,7 +14531,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14492,11 +14553,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14511,11 +14572,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep unix_chkpwd --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14532,11 +14593,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -14549,7 +14610,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14566,20 +14627,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14594,11 +14655,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/group)' + +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14610,20 +14671,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -14636,7 +14697,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80872-5: Enable auditd Service + CCE-80690-1: Record Events that Modify the System's Discretionary Access Controls - fchownat Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14653,12 +14714,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14673,12 +14742,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - - -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? + To determine if the system is configured to audit calls to the +fchownat system call, run the following command: +
$ sudo grep "fchownat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14690,12 +14758,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -14708,7 +14784,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-82233-8: Include Local Events in Audit Logs + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14725,9 +14801,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To configure Audit daemon to include local events in Audit logs, set -local_events to yes in /etc/audit/auditd.conf. -This is the default setting. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14742,11 +14829,13 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To verify that Audit Daemon is configured to include local events, run the -following command: -
$ sudo grep local_events /etc/audit/auditd.conf
-The output should return the following: -
local_events = yes
Is it the case that local_events isn't set to yes? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/gshadow)' + +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14758,9 +14847,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To configure Audit daemon to include local events in Audit logs, set -local_events to yes in /etc/audit/auditd.conf. -This is the default setting. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -14773,7 +14873,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14796,14 +14896,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14818,11 +14918,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/shadow)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14840,14 +14940,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -14860,7 +14960,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80690-1: Record Events that Modify the System's Discretionary Access Controls - fchownat + CCE-80701-6: Record Any Attempts to Run setsebool Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14877,20 +14977,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14905,11 +15001,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchownat system call, run the following command: -
$ sudo grep "fchownat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + +$ sudo auditctl -l | grep setsebool + +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -14921,20 +15017,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -14947,7 +15039,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80698-4: Record Any Attempts to Run chcon + CCE-80736-2: Ensure auditd Collects Information on the Use of Privileged Commands - su Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14964,16 +15056,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -14988,11 +15080,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: -$ sudo auditctl -l | grep chcon +$ sudo auditctl -l | grep su --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15004,16 +15096,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -15026,7 +15118,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown + CCE-82168-6: Log USBGuard daemon audit events using Linux Audit Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15043,23 +15135,10 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ To configure USBGuard daemon to log via Linux Audit +(as opposed directly to a file), +AuditBackend option in /etc/usbguard/usbguard-daemon.conf +needs to be set to LinuxAudit. Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15074,11 +15153,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + To verify that Linux Audit logging is enabled for the USBGuard daemon, +run the following command: +
$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
+The output should be +
AuditBackend=LinuxAudit
Is it the case that AuditBackend is not set to LinuxAudit? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15090,24 +15169,11 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium + To configure USBGuard daemon to log via Linux Audit +(as opposed directly to a file), +AuditBackend option in /etc/usbguard/usbguard-daemon.conf +needs to be set to LinuxAudit. + low @@ -15119,7 +15185,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage + CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15141,11 +15207,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15160,11 +15226,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: -$ sudo auditctl -l | grep chage +$ sudo auditctl -l | grep postqueue --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15181,11 +15247,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -15198,7 +15264,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-88437-9: Record Any Attempts to Run setfacl + CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15215,18 +15281,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15239,11 +15305,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: -$ sudo auditctl -l | grep setfacl +$ sudo auditctl -l | grep mount --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15255,16 +15321,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -15277,7 +15343,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80736-2: Ensure auditd Collects Information on the Use of Privileged Commands - su + CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15299,11 +15365,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15318,11 +15384,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -$ sudo auditctl -l | grep su +$ sudo auditctl -l | grep crontab --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15339,11 +15405,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -15356,7 +15422,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80700-8: Record Any Attempts to Run semanage + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15373,16 +15439,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15397,11 +15465,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: - -$ sudo auditctl -l | grep semanage - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15413,16 +15481,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -15435,7 +15505,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15452,24 +15522,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15484,11 +15546,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + +$ sudo auditctl -l | grep/etc/sudoers.d + +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15500,24 +15562,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers.d/ -p wa -k actions
medium @@ -15530,7 +15584,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15552,11 +15606,13 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15571,11 +15627,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -$ sudo auditctl -l | grep gpasswd +$ sudo auditctl -l | grep pam_timestamp_check --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15592,11 +15648,13 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -15609,7 +15667,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-82280-9: Record Any Attempts to Run setfiles Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15626,20 +15684,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15654,11 +15708,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: -$ sudo auditctl -l | grep -E '(/etc/shadow)' +$ sudo auditctl -l | grep setfiles --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15670,20 +15724,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -15696,7 +15746,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-81043-2: Ensure the audit Subsystem is Installed + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15713,7 +15763,24 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - The audit package should be installed. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15728,7 +15795,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15740,7 +15811,24 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - The audit package should be installed. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -15753,7 +15841,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15770,26 +15858,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15804,22 +15886,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r creat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep creat /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +lchown system call, run the following command: +
$ sudo grep "lchown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15831,26 +15902,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -15863,7 +15928,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15880,16 +15945,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
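Review bot: the fixtext hunk ending here replaces the creat EACCES/EPERM rules with the lchown rules wholesale, and the CCE line that follows (`- CCE-80729-7: ... newgrp` / `+ CCE-80719-8: ... lastlog`) shows the same pattern, so what this publish records is a re-assignment of which rule sits under each repeated STIG requirement rather than an edit to any rule text. Have the publisher emit the rule-to-requirement mappings in a deterministic order (sorted by CCE, for example) so that an automated publish only shows real content changes and a reviewer can tell whether the lchown text itself changed. The lchown rules themselves are consistent between the augenrules and auditctl variants.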
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15904,11 +15971,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: -$ sudo auditctl -l | grep newgrp +$ sudo auditctl -l | grep /var/log/lastlog --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -15920,16 +15987,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
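Review bot: typo in the auditctl paragraph of the lastlog remediation: `+/etc/audit/audit.rules file in order to watch for unattempted manual` should read "attempted manual edits", as the augenrules paragraph just above it does. Both paragraphs also say `add the following lines` before a single `-w /var/log/lastlog -p wa -k logins` rule, so "line" is correct. In the check hunk that follows, the wording "generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog"" is carried over from the identity-file checks (compare the removed /etc/gshadow check further down); /var/log/lastlog stores logon records, so the check should state that it verifies writes and attribute changes to that file are audited under the `logins` key it expects.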
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
medium @@ -15942,7 +16011,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -15959,20 +16028,15 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -
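Review bot: the fixtext hunk repeats the typo from the description: `+/etc/audit/audit.rules file in order to watch for unattempted manual` should be "attempted manual". The same paragraph appears in both the description and the fixtext, so correct it once at the source the publisher renders from rather than in the generated datastream.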

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+ To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -15987,13 +16051,18 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' - --w /etc/gshadow -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16005,21 +16074,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -
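Review bot: the two branches of the GRUB check in this hunk describe the same state: `+If this option is set to true, then check that a line is output by the following command:` (GRUB_CMDLINE_LINUX_DEFAULT) and `+If the recovery is disabled, check the line with` (GRUB_CMDLINE_LINUX), yet GRUB_DISABLE_RECOVERY=true is precisely what disables recovery. The second branch should read "If the recovery is enabled" (GRUB_DISABLE_RECOVERY not set to true), because recovery entries are built from GRUB_CMDLINE_LINUX only and never receive GRUB_CMDLINE_LINUX_DEFAULT. Two smaller points in the same hunk: the pattern `'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*'` also matches a GRUB_CMDLINE_LINUX_DEFAULT line, so it cannot distinguish the two variables (anchor it as `GRUB_CMDLINE_LINUX=`), and the sentence beginning `.Moreover, command line parameters` has a stray leading period that belongs at the end of the preceding line.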

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
- medium + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ low @@ -16031,7 +16095,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16048,20 +16112,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16076,11 +16149,22 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -lchown system call, run the following command: -
$ sudo grep "lchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r openat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep openat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 
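Review bot: the expected output in the openat check does not match what the remediation hunk above writes: the check greps the rule files directly (`$ sudo grep -r openat /etc/audit/rules.d` and `$ sudo grep openat /etc/audit/audit.rules`) and expects lines ending in `-k access`, while the remediation lines use `-F key=access`. auditctl accepts both spellings, but a literal comparison against the file contents fails on a system remediated exactly as instructed; either list both forms as acceptable or have the check read the loaded rules with `auditctl -l`, which prints keys in the `-k` form (as the other checks in this diff do). Also `to use the "augenrules" program to to read audit rules` doubles "to".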
@@ -16092,20 +16176,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -16118,7 +16211,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16135,16 +16228,24 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16159,11 +16260,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: - -$ sudo auditctl -l | grep kmod - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +
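Review bot: the lsetxattr remediation says `add the following line` but each block now carries two rules per architecture, the `-F auid>=1000 -F auid!=unset` rule plus a separate `-F auid=0 -F key=perm_mod` rule; say "lines", and add a sentence explaining that the `auid=0` rule is what captures calls made by root itself, since the chown and lchown rules earlier in this diff carry no equivalent and a reader will otherwise take it for a duplicate.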
$ sudo grep "lsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16175,16 +16276,24 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
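Review bot: `$ sudo grep "lsetxattr" /etc/audit/audit.*` also matches commented-out rules, and the question `Is it the case that no line is returned?` does not exclude them, unlike the other checks in this diff that ask whether "the line is commented out". Use a pattern that ignores comments, for example `grep -E '^[^#]*lsetxattr' /etc/audit/audit.*`, or check the loaded rules with `auditctl -l | grep lsetxattr`.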
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -16197,7 +16306,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16215,19 +16324,23 @@ 4) All kernel module load, unload, and restart actions. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16243,8 +16356,8 @@ If it does not, this is a finding. To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
+setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16259,19 +16372,23 @@ 4) All kernel module load, unload, and restart actions. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
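Review bot: `$ sudo grep "setxattr" /etc/audit/audit.*` also matches the lsetxattr rules that the preceding hunk adds (and any fsetxattr rule), so this check passes when only those are present and the setxattr rule itself is missing. Match the syscall as a whole word, e.g. `grep -w setxattr /etc/audit/audit.*`, which still matches a comma-separated `-S` list, and exclude commented-out lines as noted for the lsetxattr check.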
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
medium @@ -16284,7 +16401,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-82168-6: Log USBGuard daemon audit events using Linux Audit + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16301,10 +16418,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To configure USBGuard daemon to log via Linux Audit -(as opposed directly to a file), -AuditBackend option in /etc/usbguard/usbguard-daemon.conf -needs to be set to LinuxAudit. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16319,11 +16442,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To verify that Linux Audit logging is enabled for the USBGuard daemon, -run the following command: -
$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
-The output should be -
AuditBackend=LinuxAudit
Is it the case that AuditBackend is not set to LinuxAudit? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: + +$ sudo auditctl -l | grep /etc/sudoers + +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16335,11 +16458,17 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To configure USBGuard daemon to log via Linux Audit -(as opposed directly to a file), -AuditBackend option in /etc/usbguard/usbguard-daemon.conf -needs to be set to LinuxAudit. - low + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
+ medium @@ -16351,7 +16480,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16368,26 +16497,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. 
@@ -16402,22 +16521,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: -The output should be the following: +$ sudo auditctl -l | grep ssh-keysign --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 
@@ -16429,26 +16537,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -16461,7 +16559,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16478,29 +16576,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16515,22 +16604,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r ftruncate /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep ftruncate /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16542,29 +16620,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -16577,7 +16646,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16594,29 +16663,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16631,22 +16700,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16658,29 +16716,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
medium @@ -16693,7 +16751,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80872-5: Enable auditd Service Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16710,24 +16768,12 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+ The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16742,11 +16788,12 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + + +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16758,24 +16805,12 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+ The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
medium @@ -16788,7 +16823,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-85944-7: Record Any Attempts to Run ssh-agent + CCE-80712-3: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16805,16 +16840,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: + +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16829,11 +16866,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: - -$ sudo auditctl -l | grep ssh-agent - --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +finit_module system call, run the following command: +
$ sudo grep "finit_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16845,16 +16882,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: + +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
medium @@ -16867,7 +16906,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16884,28 +16923,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -16920,11 +16960,22 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r truncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -16936,28 +16987,29 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -16970,7 +17022,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -16992,11 +17044,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17011,11 +17063,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: -$ sudo auditctl -l | grep postqueue +$ sudo auditctl -l | grep usermod --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -17032,11 +17084,11 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -17049,7 +17101,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-88437-9: Record Any Attempts to Run setfacl Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17066,15 +17118,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ At a minimum, the audit system should collect any execution attempt +of the setfacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17089,18 +17142,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + +$ sudo auditctl -l | grep setfacl + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -17112,16 +17158,17 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
- low + At a minimum, the audit system should collect any execution attempt +of the setfacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium @@ -17133,7 +17180,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17150,16 +17197,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17174,11 +17225,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: - -$ sudo auditctl -l | grep sudo - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -17190,16 +17241,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -17212,7 +17267,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80712-3: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17229,18 +17284,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
- If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: - -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17255,11 +17308,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -finit_module system call, run the following command: -
$ sudo grep "finit_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + +$ sudo auditctl -l | grep newgrp + +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -17271,18 +17324,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
- If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: - -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -17295,7 +17346,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17312,18 +17363,28 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17339,8 +17400,8 @@ If it does not, this is a finding. To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
+removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17354,18 +17415,28 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
medium @@ -17378,7 +17449,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80701-6: Record Any Attempts to Run setsebool + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17395,16 +17466,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17419,11 +17492,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: - -$ sudo auditctl -l | grep setsebool - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -17435,16 +17508,18 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -17457,7 +17532,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers + CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17474,16 +17549,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17498,11 +17573,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: -$ sudo auditctl -l | grep /etc/sudoers +$ sudo auditctl -l | grep umount --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -17514,16 +17589,16 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -17536,7 +17611,7 @@ TBD - Assigned by DISA after STIG release The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17553,97 +17628,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. - -DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - -If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: - -$ sudo auditctl -l | grep umount - --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. 
- -DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000169 - SRG-OS-000062-GPOS-00031 - TBD - Assigned by DISA after STIG release - The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. - - CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check - - Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - -The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. - -DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: - -1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); - -2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; - -3) All account creations, modifications, disabling, and terminations; and - -4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. 
If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system provides audit record generation capability for DoD-defined auditable events for all operating system components. @@ -17658,11 +17656,11 @@ 4) All kernel module load, unload, and restart actions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: - -$ sudo auditctl -l | grep pam_timestamp_check - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to provide audit record generation capability for DoD-defined auditable events for all operating system components. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: @@ -17674,18 +17672,20 @@ 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -17766,65 +17766,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -17837,55 +17819,141 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium + + + + + + + CCI-000172 + SRG-OS-000064-GPOS-00033 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. + + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -17898,7 +17966,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17908,66 +17976,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r openat /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep openat /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -17980,7 +18048,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -17990,66 +18058,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r truncate /etc/audit/rules.d +$ sudo grep -r ftruncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep truncate /etc/audit/audit.rules +$ sudo grep ftruncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -18062,65 +18130,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -18133,100 +18189,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - - CCI-000172 - SRG-OS-000064-GPOS-00033 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod +$ sudo grep -r creat /etc/audit/rules.d - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -18278,59 +18304,6 @@ - - CCI-000172 - SRG-OS-000064-GPOS-00033 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - CCI-000172 SRG-OS-000064-GPOS-00033 @@ -18390,7 +18363,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -18400,23 +18373,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
+fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. @@ -18425,18 +18399,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -18449,7 +18424,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -18459,24 +18434,20 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
+lchown system call, run the following command: +
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. @@ -18485,19 +18456,15 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -18510,7 +18477,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -18520,60 +18487,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r creat /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep creat /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -18586,7 +18559,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -18596,20 +18569,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lchown system call, run the following command: -
$ sudo grep "lchown" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. @@ -18618,15 +18595,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -18639,7 +18620,68 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ medium + + + + + + + CCI-000172 + SRG-OS-000064-GPOS-00033 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. + + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -18649,20 +18691,20 @@ use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
+fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. @@ -18671,15 +18713,15 @@ use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -18692,70 +18734,65 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
medium @@ -18768,7 +18805,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -18778,66 +18815,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r ftruncate /etc/audit/rules.d +$ sudo grep -r truncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep ftruncate /etc/audit/audit.rules +$ sudo grep truncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -18850,137 +18887,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- medium - - - - - - - CCI-000172 - SRG-OS-000064-GPOS-00033 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. - - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -19056,6 +19003,59 @@ + + CCI-000172 + SRG-OS-000064-GPOS-00033 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. + + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium + + + + + 
@@ -19209,31 +19209,33 @@ TBD - Assigned by DISA after STIG release The operating system must enforce password complexity by requiring that at least one upper-case character be used. - CCE-80665-3: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + CCE-80664-6: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - The pam_pwquality module's ucredit= parameter controls requirements for -usage of uppercase letters in a password. When set to a negative number, any password will be required to -contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each uppercase character. Modify the ucredit setting in -/etc/security/pwquality.conf to require the use of an uppercase character in passwords. + To configure the number of retry prompts that are permitted per-session: + +Edit the /etc/security/pwquality.conf to include + +retry=, or a lower value if site +policy is more restrictive. The DoD requirement is a maximum of 3 prompts +per session. Applicable - Configurable Verify the operating system enforces password complexity by requiring that at least one upper-case character be used. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. 
- -Check the value for "ucredit" with the following command: + Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . -$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf -ucredit = -1 Is it the case that the value of "ucredit" is a positive number or is commented out? +Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: +
$ grep retry /etc/security/pwquality.conf
Is it the case that the value of "retry" is set to "0" or greater than "", or is missing? Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used. - The pam_pwquality module's ucredit= parameter controls requirements for -usage of uppercase letters in a password. When set to a negative number, any password will be required to -contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each uppercase character. Modify the ucredit setting in -/etc/security/pwquality.conf to require the use of an uppercase character in passwords. + To configure the number of retry prompts that are permitted per-session: + +Edit the /etc/security/pwquality.conf to include + +retry=, or a lower value if site +policy is more restrictive. The DoD requirement is a maximum of 3 prompts +per session. medium 
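Review bot: The retry check in this hunk greps only /etc/security/pwquality.conf, whereas the ucredit check it replaces also covers /etc/security/pwquality.conf.d/*.conf; a retry value set in a drop-in file is therefore missed, so the command should list both paths like the other pwquality checks do. The rendered text also shows `retry=` with no value and 'greater than ""', so the variable placeholder is not being substituted in this output and the reader cannot tell what limit is required. Finally, the rule is filed under the requirement "requiring that at least one upper-case character be used", which its check and fix do not address; if this is a deliberate SRG mapping it should be stated, otherwise it belongs under the retry requirement.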
@@ -19278,33 +19280,31 @@ TBD - Assigned by DISA after STIG release The operating system must enforce password complexity by requiring that at least one upper-case character be used. - CCE-80664-6: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + CCE-80665-3: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - To configure the number of retry prompts that are permitted per-session: - -Edit the /etc/security/pwquality.conf to include - -retry=, or a lower value if site -policy is more restrictive. The DoD requirement is a maximum of 3 prompts -per session. + The pam_pwquality module's ucredit= parameter controls requirements for +usage of uppercase letters in a password. When set to a negative number, any password will be required to +contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each uppercase character. Modify the ucredit setting in +/etc/security/pwquality.conf to require the use of an uppercase character in passwords. Applicable - Configurable Verify the operating system enforces password complexity by requiring that at least one upper-case character be used. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . - + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. 
-Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: -
$ grep retry /etc/security/pwquality.conf
Is it the case that the value of "retry" is set to "0" or greater than "", or is missing? - Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used. - To configure the number of retry prompts that are permitted per-session: +Check the value for "ucredit" with the following command: -Edit the /etc/security/pwquality.conf to include +$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf -retry=, or a lower value if site -policy is more restrictive. The DoD requirement is a maximum of 3 prompts -per session. +ucredit = -1 Is it the case that the value of "ucredit" is a positive number or is commented out? + Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used. + The pam_pwquality module's ucredit= parameter controls requirements for +usage of uppercase letters in a password. When set to a negative number, any password will be required to +contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each uppercase character. Modify the ucredit setting in +/etc/security/pwquality.conf to require the use of an uppercase character in passwords. medium 
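Review bot: The check text re-added in this hunk, "Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character.", is a sentence fragment; it should end "at least one upper-case character be used", matching the requirement statement two lines above it. The expected output line `ucredit = -1` is also shown without the filename prefix that grep prints when given more than one file, so it will not match what the command actually prints; the lcredit hunk that follows already shows the prefixed form.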
@@ -19322,31 +19322,31 @@ TBD - Assigned by DISA after STIG release The operating system must enforce password complexity by requiring that at least one lower-case character be used. - CCE-80665-3: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + CCE-80655-4: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - The pam_pwquality module's ucredit= parameter controls requirements for -usage of uppercase letters in a password. When set to a negative number, any password will be required to -contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each uppercase character. Modify the ucredit setting in -/etc/security/pwquality.conf to require the use of an uppercase character in passwords. + The pam_pwquality module's lcredit parameter controls requirements for +usage of lowercase letters in a password. When set to a negative number, any password will be required to +contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each lowercase character. Modify the lcredit setting in +/etc/security/pwquality.conf to require the use of a lowercase character in passwords. Applicable - Configurable Verify the operating system enforces password complexity by requiring that at least one lower-case character be used. If it does not, this is a finding. 
- Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one lower-case character. -Check the value for "ucredit" with the following command: +Check the value for "lcredit" with the following command: -$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf +
$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
 
-ucredit = -1 Is it the case that the value of "ucredit" is a positive number or is commented out?
+/etc/security/pwquality.conf:lcredit = -1
Is it the case that the value of "lcredit" is a positive number or is commented out? Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used. - The pam_pwquality module's ucredit= parameter controls requirements for -usage of uppercase letters in a password. When set to a negative number, any password will be required to -contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each uppercase character. Modify the ucredit setting in -/etc/security/pwquality.conf to require the use of an uppercase character in passwords. + The pam_pwquality module's lcredit parameter controls requirements for +usage of lowercase letters in a password. When set to a negative number, any password will be required to +contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each lowercase character. Modify the lcredit setting in +/etc/security/pwquality.conf to require the use of a lowercase character in passwords. medium 
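Review bot: The pass/fail question in this hunk, 'Is it the case that the value of "lcredit" is a positive number or is commented out?', leaves two non-compliant states uncaught: `lcredit = 0` disables the requirement yet is neither positive nor commented out, and a file with no lcredit line at all is also not a "commented out" value. Suggest "is zero or a positive number, is missing, or is commented out". The same wording is used for ucredit in the neighbouring hunks and should be fixed there as well.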
@@ -19391,31 +19391,31 @@ TBD - Assigned by DISA after STIG release The operating system must enforce password complexity by requiring that at least one lower-case character be used. - CCE-80655-4: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters + CCE-80665-3: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - The pam_pwquality module's lcredit parameter controls requirements for -usage of lowercase letters in a password. When set to a negative number, any password will be required to -contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each lowercase character. Modify the lcredit setting in -/etc/security/pwquality.conf to require the use of a lowercase character in passwords. + The pam_pwquality module's ucredit= parameter controls requirements for +usage of uppercase letters in a password. When set to a negative number, any password will be required to +contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each uppercase character. Modify the ucredit setting in +/etc/security/pwquality.conf to require the use of an uppercase character in passwords. Applicable - Configurable Verify the operating system enforces password complexity by requiring that at least one lower-case character be used. If it does not, this is a finding. 
- Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one lower-case character. + Verify that Red Hat Enterprise Linux 8 enforces password complexity by requiring that at least one upper-case character. -Check the value for "lcredit" with the following command: +Check the value for "ucredit" with the following command: -
$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+$ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
 
-/etc/security/pwquality.conf:lcredit = -1
Is it the case that the value of "lcredit" is a positive number or is commented out? +ucredit = -1 Is it the case that the value of "ucredit" is a positive number or is commented out? Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used. - The pam_pwquality module's lcredit parameter controls requirements for -usage of lowercase letters in a password. When set to a negative number, any password will be required to -contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional -length credit for each lowercase character. Modify the lcredit setting in -/etc/security/pwquality.conf to require the use of a lowercase character in passwords. + The pam_pwquality module's ucredit= parameter controls requirements for +usage of uppercase letters in a password. When set to a negative number, any password will be required to +contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each uppercase character. Modify the ucredit setting in +/etc/security/pwquality.conf to require the use of an uppercase character in passwords. medium 
@@ -19475,31 +19475,53 @@ TBD - Assigned by DISA after STIG release The operating system must require the change of at least 50% of the total number of characters when passwords are changed. - CCE-82066-2: Set Password Maximum Consecutive Repeating Characters + CCE-82046-4: Ensure PAM Enforces Password Requirements - Minimum Different Categories If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters. - The pam_pwquality module's maxrepeat parameter controls requirements for -consecutive repeating characters. When set to a positive number, it will reject passwords -which contain more than that number of consecutive characters. Modify the maxrepeat setting -in /etc/security/pwquality.conf to equal to prevent a -run of ( + 1) or more identical characters. + The pam_pwquality module's minclass parameter controls +requirements for usage of different character classes, or types, of character +that must exist in a password before it is considered valid. For example, +setting this value to three (3) requires that any password must have characters +from at least three different categories in order to be approved. The default +value is zero (0), meaning there are no required classes. There are four +categories available: +
+* Upper-case characters
+* Lower-case characters
+* Digits
+* Special characters (for example, punctuation)
+
+Modify the minclass setting in /etc/security/pwquality.conf entry +to require +differing categories of characters when changing passwords. Applicable - Configurable Verify the operating system requires the change of at least eight of the total number of characters when passwords are changed. If it does not, this is a finding. - Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: -
$ grep maxrepeat /etc/security/pwquality.conf
+
$ grep minclass /etc/security/pwquality.conf
 
-maxrepeat = 
Is it the case that the value of "maxrepeat" is set to more than "" or is commented out? +minclass =
Is it the case that the value of "minclass" is set to less than "" or is commented out? Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed. - The pam_pwquality module's maxrepeat parameter controls requirements for -consecutive repeating characters. When set to a positive number, it will reject passwords -which contain more than that number of consecutive characters. Modify the maxrepeat setting -in /etc/security/pwquality.conf to equal to prevent a -run of ( + 1) or more identical characters. + The pam_pwquality module's minclass parameter controls +requirements for usage of different character classes, or types, of character +that must exist in a password before it is considered valid. For example, +setting this value to three (3) requires that any password must have characters +from at least three different categories in order to be approved. The default +value is zero (0), meaning there are no required classes. There are four +categories available: +
+* Upper-case characters
+* Lower-case characters
+* Digits
+* Special characters (for example, punctuation)
+
+Modify the minclass setting in /etc/security/pwquality.conf entry +to require +differing categories of characters when changing passwords. medium 
@@ -19551,31 +19573,31 @@ TBD - Assigned by DISA after STIG release The operating system must require the change of at least 50% of the total number of characters when passwords are changed. - CCE-81034-1: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class + CCE-82066-2: Set Password Maximum Consecutive Repeating Characters If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters. - The pam_pwquality module's maxclassrepeat parameter controls requirements for -consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords -which contain more than that number of consecutive characters from the same character class. Modify the -maxclassrepeat setting in /etc/security/pwquality.conf to equal -to prevent a run of ( + 1) or more identical characters. + The pam_pwquality module's maxrepeat parameter controls requirements for +consecutive repeating characters. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters. Modify the maxrepeat setting +in /etc/security/pwquality.conf to equal to prevent a +run of ( + 1) or more identical characters. 
Applicable - Configurable Verify the operating system requires the change of at least eight of the total number of characters when passwords are changed. If it does not, this is a finding. - Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: -
$ grep maxclassrepeat /etc/security/pwquality.conf
+
$ grep maxrepeat /etc/security/pwquality.conf
 
-maxclassrepeat = 
Is it the case that the value of "maxclassrepeat" is set to "0", more than "" or is commented out? +maxrepeat =
Is it the case that the value of "maxrepeat" is set to more than "" or is commented out? Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed. - The pam_pwquality module's maxclassrepeat parameter controls requirements for -consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords -which contain more than that number of consecutive characters from the same character class. Modify the -maxclassrepeat setting in /etc/security/pwquality.conf to equal -to prevent a run of ( + 1) or more identical characters. + The pam_pwquality module's maxrepeat parameter controls requirements for +consecutive repeating characters. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters. Modify the maxrepeat setting +in /etc/security/pwquality.conf to equal to prevent a +run of ( + 1) or more identical characters. medium 
@@ -19588,53 +19610,31 @@ TBD - Assigned by DISA after STIG release The operating system must require the change of at least 50% of the total number of characters when passwords are changed. - CCE-82046-4: Ensure PAM Enforces Password Requirements - Minimum Different Categories + CCE-81034-1: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters. - The pam_pwquality module's minclass parameter controls -requirements for usage of different character classes, or types, of character -that must exist in a password before it is considered valid. For example, -setting this value to three (3) requires that any password must have characters -from at least three different categories in order to be approved. The default -value is zero (0), meaning there are no required classes. There are four -categories available: -
-* Upper-case characters
-* Lower-case characters
-* Digits
-* Special characters (for example, punctuation)
-
-Modify the minclass setting in /etc/security/pwquality.conf entry -to require -differing categories of characters when changing passwords. + The pam_pwquality module's maxclassrepeat parameter controls requirements for +consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters from the same character class. Modify the +maxclassrepeat setting in /etc/security/pwquality.conf to equal +to prevent a run of ( + 1) or more identical characters. Applicable - Configurable Verify the operating system requires the change of at least eight of the total number of characters when passwords are changed. If it does not, this is a finding. - Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: + Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: -
$ grep minclass /etc/security/pwquality.conf
+
$ grep maxclassrepeat /etc/security/pwquality.conf
 
-minclass = 
Is it the case that the value of "minclass" is set to less than "" or is commented out? +maxclassrepeat =
Is it the case that the value of "maxclassrepeat" is set to "0", more than "" or is commented out? Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed. - The pam_pwquality module's minclass parameter controls -requirements for usage of different character classes, or types, of character -that must exist in a password before it is considered valid. For example, -setting this value to three (3) requires that any password must have characters -from at least three different categories in order to be approved. The default -value is zero (0), meaning there are no required classes. There are four -categories available: -
-* Upper-case characters
-* Lower-case characters
-* Digits
-* Special characters (for example, punctuation)
-
-Modify the minclass setting in /etc/security/pwquality.conf entry -to require -differing categories of characters when changing passwords. + The pam_pwquality module's maxclassrepeat parameter controls requirements for +consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters from the same character class. Modify the +maxclassrepeat setting in /etc/security/pwquality.conf to equal +to prevent a run of ( + 1) or more identical characters. medium @@ -19652,47 +19652,29 @@ TBD - Assigned by DISA after STIG release The operating system must store only encrypted representations of passwords. - CCE-80893-1: Set PAM''s Password Hashing Algorithm + CCE-89707-4: Set Password Hashing Rounds in /etc/login.defs Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - The PAM system service can be configured to only store encrypted -representations of passwords. In "/etc/pam.d/system-auth", the -password section of the file controls which PAM modules execute -during a password change. Set the pam_unix.so module in the -password section to include the argument sha512, as shown -below: -
- -
password    sufficient    pam_unix.so sha512 other arguments...
- -
-This will help ensure when local users change their passwords, hashes for -the new passwords will be generated using the SHA-512 algorithm. This is -the default. + In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and +SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. +For example: +
SHA_CRYPT_MIN_ROUNDS 5000
+SHA_CRYPT_MAX_ROUNDS 5000
+Notice that if neither are set, they already have the default value of 5000. +If either is set, they must have the minimum value of 5000. Applicable - Configurable Verify the operating system stores only encrypted representations of passwords. If it does not, this is a finding. - Inspect the password section of /etc/pam.d/system-auth -and ensure that the pam_unix.so module is configured to use the argument -sha512: - -
$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth
-
-password sufficient pam_unix.so sha512
Is it the case that "sha512" is missing, or is commented out? + Inspect /etc/login.defs and ensure that if eihter +SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS +are set, they must have the minimum value of 5000. Is it the case that it does not? Configure the operating system to store only encrypted representations of passwords. - The PAM system service can be configured to only store encrypted -representations of passwords. In "/etc/pam.d/system-auth", the -password section of the file controls which PAM modules execute -during a password change. Set the pam_unix.so module in the -password section to include the argument sha512, as shown -below: -
- -
password    sufficient    pam_unix.so sha512 other arguments...
- -
-This will help ensure when local users change their passwords, hashes for -the new passwords will be generated using the SHA-512 algorithm. This is -the default. + In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and +SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. +For example: +
SHA_CRYPT_MIN_ROUNDS 5000
+SHA_CRYPT_MAX_ROUNDS 5000
+Notice that if neither are set, they already have the default value of 5000. +If either is set, they must have the minimum value of 5000. medium @@ -19737,55 +19719,20 @@ TBD - Assigned by DISA after STIG release The operating system must store only encrypted representations of passwords. - CCE-89707-4: Set Password Hashing Rounds in /etc/login.defs + CCE-83484-6: Verify All Account Password Hashes are Shadowed with SHA512 Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and -SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. -For example: -
SHA_CRYPT_MIN_ROUNDS 5000
-SHA_CRYPT_MAX_ROUNDS 5000
-Notice that if neither are set, they already have the default value of 5000. -If either is set, they must have the minimum value of 5000. - Applicable - Configurable - Verify the operating system stores only encrypted representations of passwords. If it does not, this is a finding. - Inspect /etc/login.defs and ensure that if eihter -SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS -are set, they must have the minimum value of 5000. Is it the case that it does not? - Configure the operating system to store only encrypted representations of passwords. - In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and -SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. -For example: -
SHA_CRYPT_MIN_ROUNDS 5000
-SHA_CRYPT_MAX_ROUNDS 5000
-Notice that if neither are set, they already have the default value of 5000. -If either is set, they must have the minimum value of 5000. - medium - - - - - - - CCI-000196 - SRG-OS-000073-GPOS-00041 - TBD - Assigned by DISA after STIG release - The operating system must store only encrypted representations of passwords. - - CCE-83484-6: Verify All Account Password Hashes are Shadowed with SHA512 - - Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. - Verify the operating system requires the shadow password suite -configuration be set to encrypt interactive user passwords using a strong -cryptographic hash. -Check that the interactive user account passwords are using a strong -password hash with the following command: -
$ sudo cut -d: -f2 /etc/shadow
-$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
-Password hashes ! or * indicate inactive accounts not -available for logon and are not evaluated. -If any interactive user password hash does not begin with $6, -this is a finding. + Verify the operating system requires the shadow password suite +configuration be set to encrypt interactive user passwords using a strong +cryptographic hash. +Check that the interactive user account passwords are using a strong +password hash with the following command: +
$ sudo cut -d: -f2 /etc/shadow
+$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
+Password hashes ! or * indicate inactive accounts not +available for logon and are not evaluated. +If any interactive user password hash does not begin with $6, +this is a finding. Applicable - Configurable Verify the operating system stores only encrypted representations of passwords. If it does not, this is a finding. Verify that the interactive user account passwords are using a strong @@ -19865,6 +19812,59 @@ + + CCI-000196 + SRG-OS-000073-GPOS-00041 + TBD - Assigned by DISA after STIG release + The operating system must store only encrypted representations of passwords. + + CCE-80893-1: Set PAM''s Password Hashing Algorithm + + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. + The PAM system service can be configured to only store encrypted +representations of passwords. In "/etc/pam.d/system-auth", the +password section of the file controls which PAM modules execute +during a password change. Set the pam_unix.so module in the +password section to include the argument sha512, as shown +below: +
+ +
password    sufficient    pam_unix.so sha512 other arguments...
+ +
+This will help ensure when local users change their passwords, hashes for +the new passwords will be generated using the SHA-512 algorithm. This is +the default. + Applicable - Configurable + Verify the operating system stores only encrypted representations of passwords. If it does not, this is a finding. + Inspect the password section of /etc/pam.d/system-auth +and ensure that the pam_unix.so module is configured to use the argument +sha512: + +
$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth
+
+password sufficient pam_unix.so sha512
Is it the case that "sha512" is missing, or is commented out? + Configure the operating system to store only encrypted representations of passwords. + The PAM system service can be configured to only store encrypted +representations of passwords. In "/etc/pam.d/system-auth", the +password section of the file controls which PAM modules execute +during a password change. Set the pam_unix.so module in the +password section to include the argument sha512, as shown +below: +
+ +
password    sufficient    pam_unix.so sha512 other arguments...
+ +
+This will help ensure when local users change their passwords, hashes for +the new passwords will be generated using the SHA-512 algorithm. This is +the default. + medium + + + + + @@ -20289,6 +20289,66 @@ + + CCI-000213 + SRG-OS-000080-GPOS-00048 + TBD - Assigned by DISA after STIG release + The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + + CCE-83561-1: Set the Boot Loader Admin Username to a Non-Default Value + + To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings. +

+To maximize the protection, select a password-protected superuser account with unique name, and modify the +/etc/grub.d/01_users configuration file to reflect the account name change. +

+Do not to use common administrator account names like root, +admin, or administrator for the grub2 superuser account. +

+Change the superuser to a different username (The default is 'root'). +
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
+

+Once the superuser account has been added, +update the +grub.cfg file by running: +
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
+ Applicable - Configurable + Verify the operating system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. If it does not, this is a finding. + To verify the boot loader superuser account has been set, run the following +command: +
sudo grep -A1 "superusers" /boot/grub2/grub.cfg
+The output should show the following: +
set superusers="superusers-account"
+export superusers
+where superusers-account is the actual account name different from common names like root, +admin, or administrator and different from any other existing user name. Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name? + Configure the operating system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings. +

+To maximize the protection, select a password-protected superuser account with unique name, and modify the +/etc/grub.d/01_users configuration file to reflect the account name change. +

+Do not to use common administrator account names like root, +admin, or administrator for the grub2 superuser account. +

+Change the superuser to a different username (The default is 'root'). +
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
+

+Once the superuser account has been added, +update the +grub.cfg file by running: +
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
+ high + + + + + CCI-000213 SRG-OS-000080-GPOS-00048 @@ -20344,42 +20404,48 @@ TBD - Assigned by DISA after STIG release The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - CCE-80829-5: Set the UEFI Boot Loader Password + CCE-82186-8: Require Authentication for Emergency Systemd Target To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. - The grub2 boot loader should have a superuser account and password -protection enabled to protect boot-time settings. + Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence.

-Since plaintext passwords are a security risk, generate a hash for the password -by running the following command: - -
# grub2-setpassword
- -When prompted, enter the password that was selected. -

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. Applicable - Configurable Verify the operating system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. If it does not, this is a finding. - To verify the boot loader superuser password has been set, run the following command: -$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg -The output should be similar to: -
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
-2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
-916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
-0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
Is it the case that no password is set? - Configure the operating system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - The grub2 boot loader should have a superuser account and password -protection enabled to protect boot-time settings. -

-Since plaintext passwords are a security risk, generate a hash for the password -by running the following command: + To check if authentication is required for emergency mode, run the following command: +
$ grep sulogin /usr/lib/systemd/system/emergency.service
+The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. +
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
-
# grub2-setpassword
+Then, check if the emergency target requires the emergency service: +Run the following command: +
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
+The output should be the following: +
Requires=emergency.service
-When prompted, enter the password that was selected. -

- high +Then, check if there is no custom emergency target configured in systemd configuration. +Run the following command: +
$ sudo grep -r emergency.target /etc/systemd/system/
+The output should be empty. + +Then, check if there is no custom emergency service configured in systemd configuration. +Run the following command: +
$ sudo grep -r emergency.service /etc/systemd/system/
+The output should be empty. Is it the case that the output is different? + Configure the operating system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + medium @@ -20391,55 +20457,32 @@ TBD - Assigned by DISA after STIG release The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - CCE-83561-1: Set the Boot Loader Admin Username to a Non-Default Value + CCE-80855-0: Require Authentication for Single User Mode To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. - The grub2 boot loader should have a superuser account and password -protection enabled to protect boot-time settings. -

-To maximize the protection, select a password-protected superuser account with unique name, and modify the -/etc/grub.d/01_users configuration file to reflect the account name change. -

-Do not to use common administrator account names like root, -admin, or administrator for the grub2 superuser account. -

-Change the superuser to a different username (The default is 'root'). -
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
+ Single-user mode is intended as a system recovery +method, providing a single user root access to the system by +providing a boot option at startup.

-Once the superuser account has been added, -update the -grub.cfg file by running: -
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
+By default, single-user mode is protected by requiring a password and is set +in /usr/lib/systemd/system/rescue.service. Applicable - Configurable Verify the operating system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. If it does not, this is a finding. - To verify the boot loader superuser account has been set, run the following -command: -
sudo grep -A1 "superusers" /boot/grub2/grub.cfg
-The output should show the following: -
set superusers="superusers-account"
-export superusers
-where superusers-account is the actual account name different from common names like root, -admin, or administrator and different from any other existing user name. Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name? + To check if authentication is required for single-user mode, run the following command: +
$ grep sulogin /usr/lib/systemd/system/rescue.service
+The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. +
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
Is it the case that the output is different? Configure the operating system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - The grub2 boot loader should have a superuser account and password -protection enabled to protect boot-time settings. -

-To maximize the protection, select a password-protected superuser account with unique name, and modify the -/etc/grub.d/01_users configuration file to reflect the account name change. -

-Do not to use common administrator account names like root, -admin, or administrator for the grub2 superuser account. -

-Change the superuser to a different username (The default is 'root'). -
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
+ Single-user mode is intended as a system recovery +method, providing a single user root access to the system by +providing a boot option at startup.

-Once the superuser account has been added, -update the -grub.cfg file by running: -
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
- high +By default, single-user mode is protected by requiring a password and is set +in /usr/lib/systemd/system/rescue.service. + medium @@ -20511,85 +20554,42 @@ TBD - Assigned by DISA after STIG release The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - CCE-80855-0: Require Authentication for Single User Mode + CCE-80829-5: Set the UEFI Boot Loader Password To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. - Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. - Applicable - Configurable - Verify the operating system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. If it does not, this is a finding. - To check if authentication is required for single-user mode, run the following command: -
$ grep sulogin /usr/lib/systemd/system/rescue.service
-The output should be similar to the following, and the line must begin with -ExecStart and /usr/lib/systemd/systemd-sulogin-shell. -
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
Is it the case that the output is different? - Configure the operating system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings.

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. - medium - - - - - - - CCI-000213 - SRG-OS-000080-GPOS-00048 - TBD - Assigned by DISA after STIG release - The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - - CCE-82186-8: Require Authentication for Emergency Systemd Target +Since plaintext passwords are a security risk, generate a hash for the password +by running the following command: - To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +
# grub2-setpassword
-Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. - Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +When prompted, enter the password that was selected. +

Applicable - Configurable Verify the operating system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. If it does not, this is a finding. - To check if authentication is required for emergency mode, run the following command: -
$ grep sulogin /usr/lib/systemd/system/emergency.service
-The output should be similar to the following, and the line must begin with -ExecStart and /usr/lib/systemd/systemd-sulogin-shell. -
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
- -Then, check if the emergency target requires the emergency service: -Run the following command: -
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
-The output should be the following: -
Requires=emergency.service
- -Then, check if there is no custom emergency target configured in systemd configuration. -Run the following command: -
$ sudo grep -r emergency.target /etc/systemd/system/
-The output should be empty. - -Then, check if there is no custom emergency service configured in systemd configuration. -Run the following command: -
$ sudo grep -r emergency.service /etc/systemd/system/
-The output should be empty. Is it the case that the output is different? + To verify the boot loader superuser password has been set, run the following command: +$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg +The output should be similar to: +
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
+916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
+0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
Is it the case that no password is set? Configure the operating system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings.

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. - medium +Since plaintext passwords are a security risk, generate a hash for the password +by running the following command: + +
# grub2-setpassword
+ +When prompted, enter the password that was selected. +

+ high @@ -20606,25 +20606,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82926-7: Uninstall abrt-addon-kerneloops Package + CCE-82943-2: Uninstall gssproxy Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The abrt-addon-kerneloops package can be removed with the following command: + The gssproxy package can be removed with the following command:
-$ sudo yum erase abrt-addon-kerneloops
+$ sudo yum erase gssproxy Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the abrt-addon-kerneloops package is installed: -
$ rpm -q abrt-addon-kerneloops
Is it the case that the package is installed? + Run the following command to determine if the gssproxy package is installed: +
$ rpm -q gssproxy
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The abrt-addon-kerneloops package can be removed with the following command: + The gssproxy package can be removed with the following command:
-$ sudo yum erase abrt-addon-kerneloops
- low +$ sudo yum erase gssproxy + medium @@ -20636,55 +20636,47 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-81031-7: Disable Mounting of cramfs + CCE-82297-3: Disable TIPC Support It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - -To configure the system to prevent the cramfs -kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf: -
install cramfs /bin/true
- -To configure the system to prevent the cramfs from being used, -add the following line to file /etc/modprobe.d/cramfs.conf: -
blacklist cramfs
+ The Transparent Inter-Process Communication (TIPC) protocol +is designed to provide communications between nodes in a +cluster. -This effectively prevents usage of this uncommon filesystem. +To configure the system to prevent the tipc +kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf: +
install tipc /bin/true
-The cramfs filesystem type is a compressed read-only -Linux filesystem embedded in small footprint systems. A -cramfs image can be used without having to first -decompress the image. +To configure the system to prevent the tipc from being used, +add the following line to file /etc/modprobe.d/tipc.conf: +
blacklist tipc
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. -If the system is configured to prevent the loading of the cramfs kernel module, +If the system is configured to prevent the loading of the tipc kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? +
$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? Configure the operating system to disable non-essential capabilities. - -To configure the system to prevent the cramfs -kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf: -
install cramfs /bin/true
- -To configure the system to prevent the cramfs from being used, -add the following line to file /etc/modprobe.d/cramfs.conf: -
blacklist cramfs
+ The Transparent Inter-Process Communication (TIPC) protocol +is designed to provide communications between nodes in a +cluster. -This effectively prevents usage of this uncommon filesystem. +To configure the system to prevent the tipc +kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf: +
install tipc /bin/true
-The cramfs filesystem type is a compressed read-only -Linux filesystem embedded in small footprint systems. A -cramfs image can be used without having to first -decompress the image. +To configure the system to prevent the tipc from being used, +add the following line to file /etc/modprobe.d/tipc.conf: +
blacklist tipc
low @@ -20697,77 +20689,28 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82907-7: Uninstall abrt-cli Package + CCE-81039-0: Uninstall Sendmail Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The abrt-cli package can be removed with the following command: + Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command:
-$ sudo yum erase abrt-cli
+$ sudo yum erase sendmail Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the abrt-cli package is installed: -
$ rpm -q abrt-cli
Is it the case that the package is installed? + Run the following command to determine if the sendmail package is installed: +
$ rpm -q sendmail
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The abrt-cli package can be removed with the following command: + Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command:
-$ sudo yum erase abrt-cli
- low - - - - - - - CCI-000381 - SRG-OS-000095-GPOS-00049 - TBD - Assigned by DISA after STIG release - The operating system must be configured to disable non-essential capabilities. - - CCE-82028-2: Disable ATM Support - - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). - -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The Asynchronous Transfer Mode (ATM) is a protocol operating on -network, data link, and physical layers, based on virtual circuits -and virtual paths. - -To configure the system to prevent the atm -kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: -
install atm /bin/true
- -To configure the system to prevent the atm from being used, -add the following line to file /etc/modprobe.d/atm.conf: -
blacklist atm
- Applicable - Configurable - Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - -If the system is configured to prevent the loading of the atm kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? - Configure the operating system to disable non-essential capabilities. - The Asynchronous Transfer Mode (ATM) is a protocol operating on -network, data link, and physical layers, based on virtual circuits -and virtual paths. - -To configure the system to prevent the atm -kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: -
install atm /bin/true
- -To configure the system to prevent the atm from being used, -add the following line to file /etc/modprobe.d/atm.conf: -
blacklist atm
+$ sudo yum erase sendmail medium @@ -20780,46 +20723,24 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82194-2: Enable Kernel Page-Table Isolation (KPTI) + CCE-86084-1: Uninstall python3-abrt-addon Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - To enable Kernel page-table isolation, -add the argument pti=on to the default -GRUB 2 command line for the Linux operating system. -To ensure that pti=on is added as a kernel command line -argument to newly installed kernels, add pti=on to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... pti=on ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
+ The python3-abrt-addon package can be removed with the following command: +
+$ sudo yum erase python3-abrt-addon
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes pti=on, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'pti=on'
-The command should not return any output. Is it the case that Kernel page-table isolation is not enabled? + Run the following command to determine if the python3-abrt-addon package is installed: +
$ rpm -q python3-abrt-addon
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - To enable Kernel page-table isolation, -add the argument pti=on to the default -GRUB 2 command line for the Linux operating system. -To ensure that pti=on is added as a kernel command line -argument to newly installed kernels, add pti=on to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... pti=on ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
+ The python3-abrt-addon package can be removed with the following command: +
+$ sudo yum erase python3-abrt-addon
low @@ -20832,25 +20753,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-86084-1: Uninstall python3-abrt-addon Package + CCE-82904-4: Uninstall tuned Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The python3-abrt-addon package can be removed with the following command: + The tuned package can be removed with the following command:
-$ sudo yum erase python3-abrt-addon
+$ sudo yum erase tuned Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the python3-abrt-addon package is installed: -
$ rpm -q python3-abrt-addon
Is it the case that the package is installed? + Run the following command to determine if the tuned package is installed: +
$ rpm -q tuned
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The python3-abrt-addon package can be removed with the following command: + The tuned package can be removed with the following command:
-$ sudo yum erase python3-abrt-addon
- low +$ sudo yum erase tuned + medium @@ -20862,45 +20783,55 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82005-0: Disable IEEE 1394 (FireWire) Support + CCE-81031-7: Disable Mounting of cramfs It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The IEEE 1394 (FireWire) is a serial bus standard for -high-speed real-time communication. + +To configure the system to prevent the cramfs +kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf: +
install cramfs /bin/true
-To configure the system to prevent the firewire-core -kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf: -
install firewire-core /bin/true
+To configure the system to prevent the cramfs from being used, +add the following line to file /etc/modprobe.d/cramfs.conf: +
blacklist cramfs
-To configure the system to prevent the firewire-core from being used, -add the following line to file /etc/modprobe.d/firewire-core.conf: -
blacklist firewire-core
+This effectively prevents usage of this uncommon filesystem. + +The cramfs filesystem type is a compressed read-only +Linux filesystem embedded in small footprint systems. A +cramfs image can be used without having to first +decompress the image. Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. -If the system is configured to prevent the loading of the firewire-core kernel module, +If the system is configured to prevent the loading of the cramfs kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? +
$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? Configure the operating system to disable non-essential capabilities. - The IEEE 1394 (FireWire) is a serial bus standard for -high-speed real-time communication. + +To configure the system to prevent the cramfs +kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf: +
install cramfs /bin/true
-To configure the system to prevent the firewire-core -kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf: -
install firewire-core /bin/true
+To configure the system to prevent the cramfs from being used, +add the following line to file /etc/modprobe.d/cramfs.conf: +
blacklist cramfs
-To configure the system to prevent the firewire-core from being used, -add the following line to file /etc/modprobe.d/firewire-core.conf: -
blacklist firewire-core
+This effectively prevents usage of this uncommon filesystem. + +The cramfs filesystem type is a compressed read-only +Linux filesystem embedded in small footprint systems. A +cramfs image can be used without having to first +decompress the image. low @@ -20913,24 +20844,24 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82919-2: Uninstall abrt-addon-ccpp Package + CCE-89201-8: Uninstall libreport-plugin-logger Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The abrt-addon-ccpp package can be removed with the following command: + The libreport-plugin-logger package can be removed with the following command:
-$ sudo yum erase abrt-addon-ccpp
+$ sudo yum erase libreport-plugin-logger Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the abrt-addon-ccpp package is installed: -
$ rpm -q abrt-addon-ccpp
Is it the case that the package is installed? + Run the following command to determine if the libreport-plugin-logger package is installed: +
$ rpm -q libreport-plugin-logger
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The abrt-addon-ccpp package can be removed with the following command: + The libreport-plugin-logger package can be removed with the following command:
-$ sudo yum erase abrt-addon-ccpp
+$ sudo yum erase libreport-plugin-logger low @@ -20943,28 +20874,34 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-81039-0: Uninstall Sendmail Package + CCE-80948-3: Uninstall Automatic Bug Reporting Tool (abrt) It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: + The Automatic Bug Reporting Tool (abrt) collects +and reports crash data when an application crash is detected. Using a variety +of plugins, abrt can email crash reports to system administrators, log crash +reports to files, or forward crash reports to a centralized issue tracking +system such as RHTSupport. +The abrt package can be removed with the following command:
-$ sudo yum erase sendmail
+$ sudo yum erase abrt Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the sendmail package is installed: -
$ rpm -q sendmail
Is it the case that the package is installed? + Run the following command to determine if the abrt package is installed: +
$ rpm -q abrt
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: + The Automatic Bug Reporting Tool (abrt) collects +and reports crash data when an application crash is detected. Using a variety +of plugins, abrt can email crash reports to system administrators, log crash +reports to files, or forward crash reports to a centralized issue tracking +system such as RHTSupport. +The abrt package can be removed with the following command:
-$ sudo yum erase sendmail
+$ sudo yum erase abrt medium @@ -20977,48 +20914,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82297-3: Disable TIPC Support + CCE-82946-5: Uninstall iprutils Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The Transparent Inter-Process Communication (TIPC) protocol -is designed to provide communications between nodes in a -cluster. - -To configure the system to prevent the tipc -kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf: -
install tipc /bin/true
- -To configure the system to prevent the tipc from being used, -add the following line to file /etc/modprobe.d/tipc.conf: -
blacklist tipc
+ The iprutils package can be removed with the following command: +
+$ sudo yum erase iprutils
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - -If the system is configured to prevent the loading of the tipc kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? + Run the following command to determine if the iprutils package is installed: +
$ rpm -q iprutils
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The Transparent Inter-Process Communication (TIPC) protocol -is designed to provide communications between nodes in a -cluster. - -To configure the system to prevent the tipc -kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf: -
install tipc /bin/true
- -To configure the system to prevent the tipc from being used, -add the following line to file /etc/modprobe.d/tipc.conf: -
blacklist tipc
- low + The iprutils package can be removed with the following command: +
+$ sudo yum erase iprutils
+ medium @@ -21030,21 +20944,36 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82414-4: Uninstall vsftpd Package + CCE-86960-2: Disable the uvcvideo module It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
+ If the device contains a camera it should be covered or disabled when not in use. Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the vsftpd package is installed: -
$ rpm -q vsftpd
Is it the case that the package is installed? + If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. + +This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. + +This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. + +For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. + +For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. + +If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: + +Verify the operating system disables the ability to load the uvcvideo kernel module. + +$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" + +install uvcvideo /bin/true Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? Configure the operating system to disable non-essential capabilities. - The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
- high + If the device contains a camera it should be covered or disabled when not in use. + medium @@ -21056,25 +20985,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82184-3: Uninstall rsh-server Package + CCE-82910-1: Uninstall abrt-plugin-sosreport Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The rsh-server package can be removed with the following command: + The abrt-plugin-sosreport package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase abrt-plugin-sosreport Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the rsh-server package is installed: -
$ rpm -q rsh-server
Is it the case that the package is installed? + Run the following command to determine if the abrt-plugin-sosreport package is installed: +
$ rpm -q abrt-plugin-sosreport
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The rsh-server package can be removed with the following command: + The abrt-plugin-sosreport package can be removed with the following command:
-$ sudo yum erase rsh-server
- high +$ sudo yum erase abrt-plugin-sosreport + low @@ -21086,25 +21015,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82904-4: Uninstall tuned Package + CCE-82988-7: Disable chrony daemon from acting as server It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The tuned package can be removed with the following command: -
-$ sudo yum erase tuned
+ The port option in /etc/chrony.conf can be set to +0 to make chrony daemon to never open any listening port +for server operation and to operate strictly in a client-only mode. Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the tuned package is installed: -
$ rpm -q tuned
Is it the case that the package is installed? + Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command: +
$ grep -w port /etc/chrony.conf
+
port 0
Is it the case that the "port" option is not set to "0", is commented out, or is missing? Configure the operating system to disable non-essential capabilities. - The tuned package can be removed with the following command: -
-$ sudo yum erase tuned
- medium + The port option in /etc/chrony.conf can be set to +0 to make chrony daemon to never open any listening port +for server operation and to operate strictly in a client-only mode. + low @@ -21169,36 +21099,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-80948-3: Uninstall Automatic Bug Reporting Tool (abrt) + CCE-82907-7: Uninstall abrt-cli Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The Automatic Bug Reporting Tool (abrt) collects -and reports crash data when an application crash is detected. Using a variety -of plugins, abrt can email crash reports to system administrators, log crash -reports to files, or forward crash reports to a centralized issue tracking -system such as RHTSupport. -The abrt package can be removed with the following command: + The abrt-cli package can be removed with the following command:
-$ sudo yum erase abrt
+$ sudo yum erase abrt-cli Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the abrt package is installed: -
$ rpm -q abrt
Is it the case that the package is installed? + Run the following command to determine if the abrt-cli package is installed: +
$ rpm -q abrt-cli
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The Automatic Bug Reporting Tool (abrt) collects -and reports crash data when an application crash is detected. Using a variety -of plugins, abrt can email crash reports to system administrators, log crash -reports to files, or forward crash reports to a centralized issue tracking -system such as RHTSupport. -The abrt package can be removed with the following command: + The abrt-cli package can be removed with the following command:
-$ sudo yum erase abrt
- medium - +$ sudo yum erase abrt-cli + low + @@ -21209,24 +21129,79 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82910-1: Uninstall abrt-plugin-sosreport Package + CCE-80834-5: Disable SCTP Support It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The abrt-plugin-sosreport package can be removed with the following command: + The Stream Control Transmission Protocol (SCTP) is a +transport layer protocol, designed to support the idea of +message-oriented communication, with several streams of messages +within one connection. + +To configure the system to prevent the sctp +kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: +
install sctp /bin/true
+ +To configure the system to prevent the sctp from being used, +add the following line to file /etc/modprobe.d/sctp.conf: +
blacklist sctp
+ Applicable - Configurable + Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. + +If the system is configured to prevent the loading of the sctp kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + +These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? + Configure the operating system to disable non-essential capabilities. + The Stream Control Transmission Protocol (SCTP) is a +transport layer protocol, designed to support the idea of +message-oriented communication, with several streams of messages +within one connection. + +To configure the system to prevent the sctp +kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: +
install sctp /bin/true
+ +To configure the system to prevent the sctp from being used, +add the following line to file /etc/modprobe.d/sctp.conf: +
blacklist sctp
+ medium + + + + + + + CCI-000381 + SRG-OS-000095-GPOS-00049 + TBD - Assigned by DISA after STIG release + The operating system must be configured to disable non-essential capabilities. + + CCE-88955-0: Uninstall libreport-plugin-rhtsupport Package + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + The libreport-plugin-rhtsupport package can be removed with the following command:
-$ sudo yum erase abrt-plugin-sosreport
+$ sudo yum erase libreport-plugin-rhtsupport Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the abrt-plugin-sosreport package is installed: -
$ rpm -q abrt-plugin-sosreport
Is it the case that the package is installed? + Run the following command to determine if the libreport-plugin-rhtsupport package is installed: +
$ rpm -q libreport-plugin-rhtsupport
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The abrt-plugin-sosreport package can be removed with the following command: + The libreport-plugin-rhtsupport package can be removed with the following command:
-$ sudo yum erase abrt-plugin-sosreport
+$ sudo yum erase libreport-plugin-rhtsupport low @@ -21239,25 +21214,54 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82840-0: Disable network management of chrony daemon + CCE-82926-7: Uninstall abrt-addon-kerneloops Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The cmdport option in /etc/chrony.conf can be set to -0 to stop chrony daemon from listening on the UDP port 323 -for management connections made by chronyc. + The abrt-addon-kerneloops package can be removed with the following command: +
+$ sudo yum erase abrt-addon-kerneloops
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 disables network management of the chrony daemon with the following command: -
$ grep -w cmdport /etc/chrony.conf
-
cmdport 0
Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing? + Run the following command to determine if the abrt-addon-kerneloops package is installed: +
$ rpm -q abrt-addon-kerneloops
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The cmdport option in /etc/chrony.conf can be set to -0 to stop chrony daemon from listening on the UDP port 323 -for management connections made by chronyc. + The abrt-addon-kerneloops package can be removed with the following command: +
+$ sudo yum erase abrt-addon-kerneloops
+ low + + + + + + + CCI-000381 + SRG-OS-000095-GPOS-00049 + TBD - Assigned by DISA after STIG release + The operating system must be configured to disable non-essential capabilities. + + CCE-82919-2: Uninstall abrt-addon-ccpp Package + + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + The abrt-addon-ccpp package can be removed with the following command: +
+$ sudo yum erase abrt-addon-ccpp
+ Applicable - Configurable + Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. + Run the following command to determine if the abrt-addon-ccpp package is installed: +
$ rpm -q abrt-addon-ccpp
Is it the case that the package is installed? + Configure the operating system to disable non-essential capabilities. + The abrt-addon-ccpp package can be removed with the following command: +
+$ sudo yum erase abrt-addon-ccpp
low @@ -21300,25 +21304,47 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82946-5: Uninstall iprutils Package + CCE-82194-2: Enable Kernel Page-Table Isolation (KPTI) It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The iprutils package can be removed with the following command: -
-$ sudo yum erase iprutils
+ To enable Kernel page-table isolation, +add the argument pti=on to the default +GRUB 2 command line for the Linux operating system. +To ensure that pti=on is added as a kernel command line +argument to newly installed kernels, add pti=on to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... pti=on ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the iprutils package is installed: -
$ rpm -q iprutils
Is it the case that the package is installed? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes pti=on, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*pti=on.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'pti=on'
+The command should not return any output. Is it the case that Kernel page-table isolation is not enabled? Configure the operating system to disable non-essential capabilities. - The iprutils package can be removed with the following command: -
-$ sudo yum erase iprutils
- medium + To enable Kernel page-table isolation, +add the argument pti=on to the default +GRUB 2 command line for the Linux operating system. +To ensure that pti=on is added as a kernel command line +argument to newly installed kernels, add pti=on to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... pti=on ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
+ low @@ -21330,24 +21356,35 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82943-2: Uninstall gssproxy Package + CCE-80832-9: Disable Bluetooth Kernel Module It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The gssproxy package can be removed with the following command: -
-$ sudo yum erase gssproxy
+ The kernel's module loading system can be configured to prevent +loading of the Bluetooth module. Add the following to +the appropriate /etc/modprobe.d configuration file +to prevent the loading of the Bluetooth module: +
install bluetooth /bin/true
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the gssproxy package is installed: -
$ rpm -q gssproxy
Is it the case that the package is installed? + +If the system is configured to prevent the loading of the bluetooth kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + +These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +
$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? Configure the operating system to disable non-essential capabilities. - The gssproxy package can be removed with the following command: -
-$ sudo yum erase gssproxy
+ The kernel's module loading system can be configured to prevent +loading of the Bluetooth module. Add the following to +the appropriate /etc/modprobe.d configuration file +to prevent the loading of the Bluetooth module: +
install bluetooth /bin/true
medium @@ -21360,25 +21397,21 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-89201-8: Uninstall libreport-plugin-logger Package + CCE-82414-4: Uninstall vsftpd Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The libreport-plugin-logger package can be removed with the following command: -
-$ sudo yum erase libreport-plugin-logger
+ The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the libreport-plugin-logger package is installed: -
$ rpm -q libreport-plugin-logger
Is it the case that the package is installed? + Run the following command to determine if the vsftpd package is installed: +
$ rpm -q vsftpd
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The libreport-plugin-logger package can be removed with the following command: -
-$ sudo yum erase libreport-plugin-logger
- low + The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
+ high @@ -21390,25 +21423,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-82931-7: Uninstall krb5-workstation Package + CCE-82184-3: Uninstall rsh-server Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The krb5-workstation package can be removed with the following command: + The rsh-server package can be removed with the following command:
-$ sudo yum erase krb5-workstation
+$ sudo yum erase rsh-server Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the krb5-workstation package is installed: -
$ rpm -q krb5-workstation
Is it the case that the package is installed? + Run the following command to determine if the rsh-server package is installed: +
$ rpm -q rsh-server
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The krb5-workstation package can be removed with the following command: + The rsh-server package can be removed with the following command:
-$ sudo yum erase krb5-workstation
- medium +$ sudo yum erase rsh-server + high @@ -21420,25 +21453,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-88955-0: Uninstall libreport-plugin-rhtsupport Package + CCE-82931-7: Uninstall krb5-workstation Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The libreport-plugin-rhtsupport package can be removed with the following command: + The krb5-workstation package can be removed with the following command:
-$ sudo yum erase libreport-plugin-rhtsupport
+$ sudo yum erase krb5-workstation Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - Run the following command to determine if the libreport-plugin-rhtsupport package is installed: -
$ rpm -q libreport-plugin-rhtsupport
Is it the case that the package is installed? + Run the following command to determine if the krb5-workstation package is installed: +
$ rpm -q krb5-workstation
Is it the case that the package is installed? Configure the operating system to disable non-essential capabilities. - The libreport-plugin-rhtsupport package can be removed with the following command: + The krb5-workstation package can be removed with the following command:
-$ sudo yum erase libreport-plugin-rhtsupport
- low +$ sudo yum erase krb5-workstation + medium @@ -21450,49 +21483,47 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-80834-5: Disable SCTP Support + CCE-82028-2: Disable ATM Support It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The Stream Control Transmission Protocol (SCTP) is a -transport layer protocol, designed to support the idea of -message-oriented communication, with several streams of messages -within one connection. + The Asynchronous Transfer Mode (ATM) is a protocol operating on +network, data link, and physical layers, based on virtual circuits +and virtual paths. -To configure the system to prevent the sctp -kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: -
install sctp /bin/true
+To configure the system to prevent the atm +kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: +
install atm /bin/true
-To configure the system to prevent the sctp from being used, -add the following line to file /etc/modprobe.d/sctp.conf: -
blacklist sctp
+To configure the system to prevent the atm from being used, +add the following line to file /etc/modprobe.d/atm.conf: +
blacklist atm
Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. -If the system is configured to prevent the loading of the sctp kernel module, +If the system is configured to prevent the loading of the atm kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. +These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? +
$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? Configure the operating system to disable non-essential capabilities. - The Stream Control Transmission Protocol (SCTP) is a -transport layer protocol, designed to support the idea of -message-oriented communication, with several streams of messages -within one connection. + The Asynchronous Transfer Mode (ATM) is a protocol operating on +network, data link, and physical layers, based on virtual circuits +and virtual paths. -To configure the system to prevent the sctp -kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: -
install sctp /bin/true
+To configure the system to prevent the atm +kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: +
install atm /bin/true
-To configure the system to prevent the sctp from being used, -add the following line to file /etc/modprobe.d/sctp.conf: -
blacklist sctp
+To configure the system to prevent the atm from being used, +add the following line to file /etc/modprobe.d/atm.conf: +
blacklist atm
medium 
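Review bot: the added check text for CCE-82194-2 (KPTI) in the -21300 hunk describes the two GRUB_DISABLE_RECOVERY branches as the same condition. "If this option is set to true, then check that a line is output by ... grep 'GRUB_CMDLINE_LINUX_DEFAULT.*pti=on.*'" is immediately followed by "If the recovery is disabled, check the line with ... grep 'GRUB_CMDLINE_LINUX.*pti=on.*'", but GRUB_DISABLE_RECOVERY=true is the recovery-disabled state, so a reader cannot tell which variable applies when the option is false or absent. Suggest naming the value in both branches ("If GRUB_DISABLE_RECOVERY is set to true, inspect ...; otherwise inspect ...") and stating which variable is consulted for the default case. Minor: the fix text says "add the argument pti=on to the default GRUB 2 command line" and then repeats "add pti=on to the default Grub2 command line" in the next sentence with a different spelling of GRUB 2; one sentence is enough.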
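Review bot: the fix text for CCE-80832-9 (Bluetooth) in the -21330 hunk gives only "install bluetooth /bin/true", while the check text in the same hunk states that a compliant system may instead use the blacklist keyword, and the ATM entry added in the -21450 hunk supplies both "install atm /bin/true" and "blacklist atm". Suggest aligning the Bluetooth fix text with the ATM entry so the fix and check describe the same configuration. The check command "grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d" also matches a commented-out or unrelated line containing the word, so the check as written passes on configuration that does not actually prevent module loading; anchoring the pattern on "install bluetooth" or "blacklist bluetooth" at line start would make the check reflect the fix.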
@@ -21505,36 +21536,46 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-86960-2: Disable the uvcvideo module + CCE-82005-0: Disable IEEE 1394 (FireWire) Support It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - If the device contains a camera it should be covered or disabled when not in use. - Applicable - Configurable - Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. - -This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. - -This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. + The IEEE 1394 (FireWire) is a serial bus standard for +high-speed real-time communication. -For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. 
+To configure the system to prevent the firewire-core +kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf: +
install firewire-core /bin/true
-For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. +To configure the system to prevent the firewire-core from being used, +add the following line to file /etc/modprobe.d/firewire-core.conf: +
blacklist firewire-core
+ Applicable - Configurable + Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. + +If the system is configured to prevent the loading of the firewire-core kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: +These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword. -Verify the operating system disables the ability to load the uvcvideo kernel module. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +
$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? + Configure the operating system to disable non-essential capabilities. + The IEEE 1394 (FireWire) is a serial bus standard for +high-speed real-time communication. -$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" +To configure the system to prevent the firewire-core +kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf: +
install firewire-core /bin/true
-install uvcvideo /bin/true Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? - Configure the operating system to disable non-essential capabilities. - If the device contains a camera it should be covered or disabled when not in use. - medium +To configure the system to prevent the firewire-core from being used, +add the following line to file /etc/modprobe.d/firewire-core.conf: +
blacklist firewire-core
+ low @@ -21546,63 +21587,58 @@ TBD - Assigned by DISA after STIG release The operating system must be configured to disable non-essential capabilities. - CCE-80832-9: Disable Bluetooth Kernel Module + CCE-82840-0: Disable network management of chrony daemon It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. - The kernel's module loading system can be configured to prevent -loading of the Bluetooth module. Add the following to -the appropriate /etc/modprobe.d configuration file -to prevent the loading of the Bluetooth module: -
install bluetooth /bin/true
+ The cmdport option in /etc/chrony.conf can be set to +0 to stop chrony daemon from listening on the UDP port 323 +for management connections made by chronyc. Applicable - Configurable Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. - -If the system is configured to prevent the loading of the bluetooth kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 disables network management of the chrony daemon with the following command: +
$ grep -w cmdport /etc/chrony.conf
+
cmdport 0
Is it the case that the "cmdport" option is not set to "0", is commented out, or is missing? Configure the operating system to disable non-essential capabilities. - The kernel's module loading system can be configured to prevent -loading of the Bluetooth module. Add the following to -the appropriate /etc/modprobe.d configuration file -to prevent the loading of the Bluetooth module: -
install bluetooth /bin/true
- medium + The cmdport option in /etc/chrony.conf can be set to +0 to stop chrony daemon from listening on the UDP port 323 +for management connections made by chronyc. + low + + + + + - CCI-000381 - SRG-OS-000095-GPOS-00049 + CCI-000382 + SRG-OS-000096-GPOS-00050 TBD - Assigned by DISA after STIG release - The operating system must be configured to disable non-essential capabilities. + The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. CCE-82988-7: Disable chrony daemon from acting as server - It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. 
-Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. +To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode. Applicable - Configurable - Verify the operating system is configured to disable non-essential capabilities. If it does not, this is a finding. + Verify the operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. If it does not, this is a finding. Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command:
$ grep -w port /etc/chrony.conf
port 0
Is it the case that the "port" option is not set to "0", is commented out, or is missing? - Configure the operating system to disable non-essential capabilities. + Configure the operating system to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode. @@ -21612,10 +21648,34 @@ + + CCI-000382 + SRG-OS-000096-GPOS-00050 + TBD - Assigned by DISA after STIG release + The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. + CCE-82998-6: Install firewalld Package + In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. +Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. +To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. + The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
+ Applicable - Configurable + Verify the operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. If it does not, this is a finding. + Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? + Configure the operating system to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. + The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
+ medium + + + + CCI-000382 @@ -21691,35 +21751,6 @@ - - CCI-000382 - SRG-OS-000096-GPOS-00050 - TBD - Assigned by DISA after STIG release - The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. - - CCE-82998-6: Install firewalld Package - - In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. - -To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. - The firewalld package can be installed with the following command: -
-$ sudo yum install firewalld
- Applicable - Configurable - Verify the operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. If it does not, this is a finding. - Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? - Configure the operating system to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. - The firewalld package can be installed with the following command: -
-$ sudo yum install firewalld
- medium - - - - - CCI-000382 SRG-OS-000096-GPOS-00050 
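Review bot: the removed lines of the -21505 hunk drop the CCE-86960-2 uvcvideo camera rule, together with its camera-cover and "collaborative computing device" check text, from the CCI-000381 / SRG-OS-000095-GPOS-00049 mapping, and nothing in the visible diff re-adds that rule elsewhere; confirm whether the rule was intentionally unmapped from this requirement or only moved to a position outside the reviewed range. The FireWire entry that takes its place follows the install plus blacklist pattern used for ATM, which is consistent.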
@@ -21751,37 +21782,6 @@ - - CCI-000382 - SRG-OS-000096-GPOS-00050 - TBD - Assigned by DISA after STIG release - The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. - - CCE-82988-7: Disable chrony daemon from acting as server - - In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. - -Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. - -To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. - The port option in /etc/chrony.conf can be set to -0 to make chrony daemon to never open any listening port -for server operation and to operate strictly in a client-only mode. - Applicable - Configurable - Verify the operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 disables the chrony daemon from acting as a server with the following command: -
$ grep -w port /etc/chrony.conf
-
port 0
Is it the case that the "port" option is not set to "0", is commented out, or is missing? - Configure the operating system to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. - The port option in /etc/chrony.conf can be set to -0 to make chrony daemon to never open any listening port -for server operation and to operate strictly in a client-only mode. - low - - - - - @@ -22544,51 +22544,29 @@ TBD - Assigned by DISA after STIG release The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - CCE-80893-1: Set PAM''s Password Hashing Algorithm + CCE-82175-1: Disable Kerberos by removing host keytab Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. - The PAM system service can be configured to only store encrypted -representations of passwords. In "/etc/pam.d/system-auth", the -password section of the file controls which PAM modules execute -during a password change. Set the pam_unix.so module in the -password section to include the argument sha512, as shown -below: -
- -
password    sufficient    pam_unix.so sha512 other arguments...
- -
-This will help ensure when local users change their passwords, hashes for -the new passwords will be generated using the SHA-512 algorithm. This is -the default. + Kerberos is not an approved key distribution method for +Common Criteria. To prevent using Kerberos by system daemons, +remove the Kerberos keytab files, especially +/etc/krb5.keytab. Applicable - Configurable Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. If it does not, this is a finding. - Inspect the password section of /etc/pam.d/system-auth -and ensure that the pam_unix.so module is configured to use the argument -sha512: - -
$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth
-
-password sufficient pam_unix.so sha512
Is it the case that "sha512" is missing, or is commented out? + Run the following command to see if there are some keytabs +that would potentially allow the use of Kerberos by system daemons. +
$ ls -la /etc/*.keytab
+The expected result is +
ls: cannot access '/etc/*.keytab': No such file or directory
Is it the case that a keytab file is present on the system? Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - The PAM system service can be configured to only store encrypted -representations of passwords. In "/etc/pam.d/system-auth", the -password section of the file controls which PAM modules execute -during a password change. Set the pam_unix.so module in the -password section to include the argument sha512, as shown -below: -
- -
password    sufficient    pam_unix.so sha512 other arguments...
- -
-This will help ensure when local users change their passwords, hashes for -the new passwords will be generated using the SHA-512 algorithm. This is -the default. + Kerberos is not an approved key distribution method for +Common Criteria. To prevent using Kerberos by system daemons, +remove the Kerberos keytab files, especially +/etc/krb5.keytab. medium @@ -22601,35 +22579,33 @@ TBD - Assigned by DISA after STIG release The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - CCE-85887-8: Remove the Kerberos Server Package + CCE-89707-4: Set Password Hashing Rounds in /etc/login.defs Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. - The krb5-server package should be removed if not in use. -Is this system the Kerberos server? If not, remove the package. -The krb5-server package can be removed with the following command: -
-$ sudo yum erase krb5-server
-The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 -system. It is needed only by the Kerberos servers, not by the -clients which use Kerberos for authentication. If the system is not -intended for use as a Kerberos Server it should be removed. + In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and +SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. +For example: +
SHA_CRYPT_MIN_ROUNDS 5000
+SHA_CRYPT_MAX_ROUNDS 5000
+Notice that if neither are set, they already have the default value of 5000. +If either is set, they must have the minimum value of 5000. Applicable - Configurable Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. If it does not, this is a finding. - Run the following command to determine if the krb5-server package is installed:
$ rpm -q krb5-server
Is it the case that the package is installed? + Inspect /etc/login.defs and ensure that if eihter +SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS +are set, they must have the minimum value of 5000. Is it the case that it does not? Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - The krb5-server package should be removed if not in use. -Is this system the Kerberos server? If not, remove the package. -The krb5-server package can be removed with the following command: -
-$ sudo yum erase krb5-server
-The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 -system. It is needed only by the Kerberos servers, not by the -clients which use Kerberos for authentication. If the system is not -intended for use as a Kerberos Server it should be removed. + In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and +SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. +For example: +
SHA_CRYPT_MIN_ROUNDS 5000
+SHA_CRYPT_MAX_ROUNDS 5000
+Notice that if neither are set, they already have the default value of 5000. +If either is set, they must have the minimum value of 5000. medium @@ -22676,34 +22652,33 @@ TBD - Assigned by DISA after STIG release The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - CCE-89707-4: Set Password Hashing Rounds in /etc/login.defs + CCE-80936-8: Configure Kerberos to use System Crypto Policy Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. - In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and -SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. -For example: -
SHA_CRYPT_MIN_ROUNDS 5000
-SHA_CRYPT_MAX_ROUNDS 5000
-Notice that if neither are set, they already have the default value of 5000. -If either is set, they must have the minimum value of 5000. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +Kerberos is supported by crypto policy, but it's configuration may be +set up to ignore it. +To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at +/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. +If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. Applicable - Configurable Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. If it does not, this is a finding. - Inspect /etc/login.defs and ensure that if eihter -SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS -are set, they must have the minimum value of 5000. Is it the case that it does not? + Check that the symlink exists and target the correct Kerberos crypto policy, with the following command: +
file /etc/krb5.conf.d/crypto-policies
+If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. +
/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config
Is it the case that the symlink does not exist or points to a different target? Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and -SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. -For example: -
SHA_CRYPT_MIN_ROUNDS 5000
-SHA_CRYPT_MAX_ROUNDS 5000
-Notice that if neither are set, they already have the default value of 5000. -If either is set, they must have the minimum value of 5000. - medium + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +Kerberos is supported by crypto policy, but it's configuration may be +set up to ignore it. +To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at +/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. +If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. + high @@ -22715,29 +22690,35 @@ TBD - Assigned by DISA after STIG release The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - CCE-82175-1: Disable Kerberos by removing host keytab + CCE-85887-8: Remove the Kerberos Server Package Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. - Kerberos is not an approved key distribution method for -Common Criteria. To prevent using Kerberos by system daemons, -remove the Kerberos keytab files, especially -/etc/krb5.keytab. + The krb5-server package should be removed if not in use. +Is this system the Kerberos server? If not, remove the package. +The krb5-server package can be removed with the following command: +
+$ sudo yum erase krb5-server
+The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 +system. It is needed only by the Kerberos servers, not by the +clients which use Kerberos for authentication. If the system is not +intended for use as a Kerberos Server it should be removed. Applicable - Configurable Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. If it does not, this is a finding. - Run the following command to see if there are some keytabs -that would potentially allow the use of Kerberos by system daemons. -
$ ls -la /etc/*.keytab
-The expected result is -
ls: cannot access '/etc/*.keytab': No such file or directory
Is it the case that a keytab file is present on the system? + Run the following command to determine if the krb5-server package is installed:
$ rpm -q krb5-server
Is it the case that the package is installed? Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - Kerberos is not an approved key distribution method for -Common Criteria. To prevent using Kerberos by system daemons, -remove the Kerberos keytab files, especially -/etc/krb5.keytab. + The krb5-server package should be removed if not in use. +Is this system the Kerberos server? If not, remove the package. +The krb5-server package can be removed with the following command: +
+$ sudo yum erase krb5-server
+The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 +system. It is needed only by the Kerberos servers, not by the +clients which use Kerberos for authentication. If the system is not +intended for use as a Kerberos Server it should be removed. medium 
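Review bot: Unstable rule ordering, not a content change, is what this hunk records: the CCE-82175-1 keytab block it removes is the same text the -22544 hunk added a few hunks earlier, and the CCE-85887-8 krb5-server block it adds is the same text the -22601 hunk removed, down to "Is this system the Kerberos server? If not, remove the package." The same permutation repeats for CCE-89707-4, CCE-80936-8, CCE-85945-4 and CCE-80893-1 under SRG-OS-000120 and later for the audit and SSH crypto-policy rules, which is how an automated republish with no rule changes becomes a 166,615-line diff. Have the generator emit rules within a group in a deterministic order (for example sorted by rule id or CCE) so that reviewers can see real changes in these publishes; as it stands the only substantive hunks in this region are the two outright removals.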
@@ -22803,33 +22784,49 @@ TBD - Assigned by DISA after STIG release The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - CCE-80936-8: Configure Kerberos to use System Crypto Policy + CCE-85945-4: Set PAM''s Password Hashing Algorithm - password-auth Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -Kerberos is supported by crypto policy, but it's configuration may be -set up to ignore it. -To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at -/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. -If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. + The PAM system service can be configured to only store encrypted +representations of passwords. In +/etc/pam.d/password-auth, +the +password section of the file controls which PAM modules execute +during a password change. Set the pam_unix.so module in the +password section to include the argument sha512, as shown +below: +
+
password    sufficient    pam_unix.so sha512 other arguments...
+
+This will help ensure when local users change their passwords, hashes for +the new passwords will be generated using the SHA-512 algorithm. This is +the default. Applicable - Configurable Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. If it does not, this is a finding. - Check that the symlink exists and target the correct Kerberos crypto policy, with the following command: -
file /etc/krb5.conf.d/crypto-policies
-If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy. -
/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config
Is it the case that the symlink does not exist or points to a different target? + Inspect the password section of /etc/pam.d/password-auth +and ensure that the pam_unix.so module includes the argument +sha512: +
$ grep sha512 /etc/pam.d/password-auth
Is it the case that it does not? Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -Kerberos is supported by crypto policy, but it's configuration may be -set up to ignore it. -To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at -/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. -If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. - high + The PAM system service can be configured to only store encrypted +representations of passwords. In +/etc/pam.d/password-auth, +the +password section of the file controls which PAM modules execute +during a password change. Set the pam_unix.so module in the +password section to include the argument sha512, as shown +below: +
+
password    sufficient    pam_unix.so sha512 other arguments...
+
+This will help ensure when local users change their passwords, hashes for +the new passwords will be generated using the SHA-512 algorithm. This is +the default. + medium @@ -22871,7 +22868,7 @@ TBD - Assigned by DISA after STIG release The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. - CCE-85945-4: Set PAM''s Password Hashing Algorithm - password-auth + CCE-80893-1: Set PAM''s Password Hashing Algorithm Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -22879,36 +22876,39 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. The PAM system service can be configured to only store encrypted -representations of passwords. In -/etc/pam.d/password-auth, -the +representations of passwords. In "/etc/pam.d/system-auth", the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
+
password    sufficient    pam_unix.so sha512 other arguments...
+
This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. Applicable - Configurable Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. If it does not, this is a finding. - Inspect the password section of /etc/pam.d/password-auth -and ensure that the pam_unix.so module includes the argument + Inspect the password section of /etc/pam.d/system-auth +and ensure that the pam_unix.so module is configured to use the argument sha512: -
$ grep sha512 /etc/pam.d/password-auth
Is it the case that it does not? + +
$ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth
+
+password sufficient pam_unix.so sha512
Is it the case that "sha512" is missing, or is commented out? Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. The PAM system service can be configured to only store encrypted -representations of passwords. In -/etc/pam.d/password-auth, -the +representations of passwords. In "/etc/pam.d/system-auth", the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
+
password    sufficient    pam_unix.so sha512 other arguments...
+
This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is @@ -22964,32 +22964,17 @@ TBD - Assigned by DISA after STIG release The operating system must provide an audit reduction capability that supports on-demand reporting requirements. - CCE-80872-5: Enable auditd Service + CCE-81043-2: Ensure the audit Subsystem is Installed The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ The audit package should be installed. Applicable - Configurable Verify the operating system provides an audit reduction capability that supports on-demand reporting requirements. If it does not, this is a finding. - - -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? Configure the operating system to provide an audit reduction capability that supports on-demand reporting requirements. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ The audit package should be installed. medium @@ -23002,17 +22987,32 @@ TBD - Assigned by DISA after STIG release The operating system must provide an audit reduction capability that supports on-demand reporting requirements. - CCE-81043-2: Ensure the audit Subsystem is Installed + CCE-80872-5: Enable auditd Service The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. - The audit package should be installed. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
Applicable - Configurable Verify the operating system provides an audit reduction capability that supports on-demand reporting requirements. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + + +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? Configure the operating system to provide an audit reduction capability that supports on-demand reporting requirements. - The audit package should be installed. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
medium @@ -23085,7 +23085,7 @@ TBD - Assigned by DISA after STIG release The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. - CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config + CCE-85897-7: Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. @@ -23097,25 +23097,25 @@ set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
+/etc/crypto-policies/back-ends/opensshserver.config contains the following +text and is not commented out: +
-oCiphers=
Applicable - Configurable Verify the operating system employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
+ To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: +
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches: -
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? +
-oCiphers=
Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? Configure the operating system to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
- high +/etc/crypto-policies/back-ends/opensshserver.config contains the following +text and is not commented out: +
-oCiphers=
+ medium @@ -23169,7 +23169,7 @@ TBD - Assigned by DISA after STIG release The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. - CCE-85897-7: Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config + CCE-85870-4: Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. @@ -23180,25 +23180,25 @@ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/opensshserver.config contains the following -text and is not commented out: -
-oCiphers=
+To check that Crypto Policies settings are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +MACs Applicable - Configurable Verify the operating system employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: -
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
+ To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: +
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches: -
-oCiphers=
Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? +
MACs 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? Configure the operating system to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/opensshserver.config contains the following -text and is not commented out: -
-oCiphers=
+To check that Crypto Policies settings are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +MACs medium @@ -23253,7 +23253,7 @@ TBD - Assigned by DISA after STIG release The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. - CCE-85870-4: Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config + CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. @@ -23264,26 +23264,26 @@ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. -To check that Crypto Policies settings are configured correctly, ensure that +To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: -MACs +
Ciphers 
Applicable - Configurable Verify the operating system employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: -
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
+ To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches: -
MACs 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? +
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? Configure the operating system to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. -To check that Crypto Policies settings are configured correctly, ensure that +To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: -MACs - medium +
Ciphers 
+ high @@ -23458,39 +23458,6 @@ - - CCI-001082 - SRG-OS-000132-GPOS-00067 - TBD - Assigned by DISA after STIG release - The operating system must separate user functionality (including user interface services) from operating system management functionality. - - CCE-80913-7: Restrict Access to Kernel Message Buffer - - Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. - -Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. - -The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate. - -An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls. - To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
- Applicable - Configurable - Verify the operating system separates user functionality (including user interface services) from operating system management functionality. If it does not, this is a finding. - The runtime status of the kernel.dmesg_restrict kernel parameter can be queried -by running the following command: -
$ sysctl kernel.dmesg_restrict
-1. - Is it the case that the correct value is not returned? - Configure the operating system to separate user functionality (including user interface services) from operating system management functionality. - To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
- low - - - - - CCI-001082 SRG-OS-000132-GPOS-00067 @@ -23608,6 +23575,39 @@ + + CCI-001082 + SRG-OS-000132-GPOS-00067 + TBD - Assigned by DISA after STIG release + The operating system must separate user functionality (including user interface services) from operating system management functionality. + + CCE-80913-7: Restrict Access to Kernel Message Buffer + + Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. + +Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. + +The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate. + +An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls. + To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
+ Applicable - Configurable + Verify the operating system separates user functionality (including user interface services) from operating system management functionality. If it does not, this is a finding. + The runtime status of the kernel.dmesg_restrict kernel parameter can be queried +by running the following command: +
$ sysctl kernel.dmesg_restrict
+1. + Is it the case that the correct value is not returned? + Configure the operating system to separate user functionality (including user interface services) from operating system management functionality. + To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
+ low + + + + + 
@@ -23619,88 +23619,52 @@ TBD - Assigned by DISA after STIG release The operating system must isolate security functions from nonsecurity functions. - CCE-80945-9: Enable SLUB/SLAB allocator poisoning + CCE-80944-2: Enable page allocator poisoning An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. - To enable poisoning of SLUB/SLAB objects, -add the argument slub_debug= to the default + To enable poisoning of free pages, +add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. 
-To ensure that slub_debug= is added as a kernel command line -argument to newly installed kernels, add slub_debug= to the +To ensure that page_poison=1 is added as a kernel command line +argument to newly installed kernels, add page_poison=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... slub_debug= ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug="
+
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
Applicable - Configurable Verify the operating system isolates security functions from nonsecurity functions. If it does not, this is a finding. Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes slub_debug=, +in /etc/default/grub. If it includes page_poison=1, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=.*' /etc/default/grub
+
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub
If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +
$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug='
-The command should not return any output. Is it the case that SLUB/SLAB poisoning is not enabled? +
$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'
+The command should not return any output. Is it the case that page allocator poisoning is not enabled? Configure the operating system to isolate security functions from nonsecurity functions. - To enable poisoning of SLUB/SLAB objects, -add the argument slub_debug= to the default + To enable poisoning of free pages, +add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. -To ensure that slub_debug= is added as a kernel command line -argument to newly installed kernels, add slub_debug= to the +To ensure that page_poison=1 is added as a kernel command line +argument to newly installed kernels, add page_poison=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... slub_debug= ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug="
+
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
medium - - CCI-001084 - SRG-OS-000134-GPOS-00068 - TBD - Assigned by DISA after STIG release - The operating system must isolate security functions from nonsecurity functions. - - CCE-80869-1: Ensure SELinux State is Enforcing - - An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. - -Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. - -Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. - The SELinux state should be set to at -system boot time. In the file /etc/selinux/config, add or correct the -following line to configure the system to boot into enforcing mode: -
SELINUX=
- Applicable - Configurable - Verify the operating system isolates security functions from nonsecurity functions. If it does not, this is a finding. - Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. - -Check if "SELinux" is active and in "" mode with the following command: - -$ sudo getenforce - Is it the case that SELINUX is not set to enforcing? - Configure the operating system to isolate security functions from nonsecurity functions. - The SELinux state should be set to at -system boot time. In the file /etc/selinux/config, add or correct the -following line to configure the system to boot into enforcing mode: -
SELINUX=
- high - - - - - CCI-001084 SRG-OS-000134-GPOS-00068 @@ -23788,46 +23752,82 @@ TBD - Assigned by DISA after STIG release The operating system must isolate security functions from nonsecurity functions. - CCE-80944-2: Enable page allocator poisoning + CCE-80869-1: Ensure SELinux State is Enforcing An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. - To enable poisoning of free pages, -add the argument page_poison=1 to the default + The SELinux state should be set to at +system boot time. In the file /etc/selinux/config, add or correct the +following line to configure the system to boot into enforcing mode: +
SELINUX=
+ Applicable - Configurable + Verify the operating system isolates security functions from nonsecurity functions. If it does not, this is a finding. + Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. + +Check if "SELinux" is active and in "" mode with the following command: + +$ sudo getenforce + Is it the case that SELINUX is not set to enforcing? + Configure the operating system to isolate security functions from nonsecurity functions. + The SELinux state should be set to at +system boot time. In the file /etc/selinux/config, add or correct the +following line to configure the system to boot into enforcing mode: +
SELINUX=
+ high + + + + + + + CCI-001084 + SRG-OS-000134-GPOS-00068 + TBD - Assigned by DISA after STIG release + The operating system must isolate security functions from nonsecurity functions. + + CCE-80945-9: Enable SLUB/SLAB allocator poisoning + + An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. + +Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. + +Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. + To enable poisoning of SLUB/SLAB objects, +add the argument slub_debug= to the default GRUB 2 command line for the Linux operating system. -To ensure that page_poison=1 is added as a kernel command line -argument to newly installed kernels, add page_poison=1 to the +To ensure that slub_debug= is added as a kernel command line +argument to newly installed kernels, add slub_debug= to the default Grub2 command line for Linux operating systems. 
Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
+
GRUB_CMDLINE_LINUX="... slub_debug= ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug="
Applicable - Configurable Verify the operating system isolates security functions from nonsecurity functions. If it does not, this is a finding. Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes page_poison=1, +in /etc/default/grub. If it includes slub_debug=, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub
+
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*slub_debug=.*' /etc/default/grub
If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +
$ sudo grep 'GRUB_CMDLINE_LINUX.*slub_debug=.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'
-The command should not return any output. Is it the case that page allocator poisoning is not enabled? +
$ sudo grubby --info=ALL | grep args | grep -v 'slub_debug='
+The command should not return any output. Is it the case that SLUB/SLAB poisoning is not enabled? Configure the operating system to isolate security functions from nonsecurity functions. - To enable poisoning of free pages, -add the argument page_poison=1 to the default + To enable poisoning of SLUB/SLAB objects, +add the argument slub_debug= to the default GRUB 2 command line for the Linux operating system. -To ensure that page_poison=1 is added as a kernel command line -argument to newly installed kernels, add page_poison=1 to the +To ensure that slub_debug= is added as a kernel command line +argument to newly installed kernels, add slub_debug= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
+
GRUB_CMDLINE_LINUX="... slub_debug= ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug="
medium @@ -23839,37 +23839,6 @@ - - CCI-001090 - SRG-OS-000138-GPOS-00069 - TBD - Assigned by DISA after STIG release - Operating systems must prevent unauthorized and unintended information transfer via shared system resources. - - CCE-80913-7: Restrict Access to Kernel Message Buffer - - Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - -This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. - -There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. - To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
- Applicable - Configurable - Verify operating systems prevents unauthorized and unintended information transfer via shared system resources. If it does not, this is a finding. - The runtime status of the kernel.dmesg_restrict kernel parameter can be queried -by running the following command: -
$ sysctl kernel.dmesg_restrict
-1. - Is it the case that the correct value is not returned? - Configure operating systems to prevent unauthorized and unintended information transfer via shared system resources. - To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
- low - - - - - CCI-001090 SRG-OS-000138-GPOS-00069 @@ -23992,6 +23961,37 @@ + + CCI-001090 + SRG-OS-000138-GPOS-00069 + TBD - Assigned by DISA after STIG release + Operating systems must prevent unauthorized and unintended information transfer via shared system resources. + + CCE-80913-7: Restrict Access to Kernel Message Buffer + + Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + +This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. + To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
+ Applicable - Configurable + Verify operating systems prevents unauthorized and unintended information transfer via shared system resources. If it does not, this is a finding. + The runtime status of the kernel.dmesg_restrict kernel parameter can be queried +by running the following command: +
$ sysctl kernel.dmesg_restrict
+1. + Is it the case that the correct value is not returned? + Configure operating systems to prevent unauthorized and unintended information transfer via shared system resources. + To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
+ low + + + + + @@ -24021,6 +24021,42 @@ + + CCI-001133 + SRG-OS-000163-GPOS-00072 + TBD - Assigned by DISA after STIG release + The operating system must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. + + CCE-90784-0: Configure Logind to terminate idle sessions after certain time of inactivity + + Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. + To configure logind service to terminate inactive user sessions +after seconds, edit the file +/etc/systemd/logind.conf. Ensure that there is a section +
[Login]
which contains the configuration +
StopIdleSessionSec=
. + Applicable - Configurable + Verify the operating system terminates all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. + +If it does not, this is a finding. + Display the contents of the file /etc/systemd/logind.conf: +
cat /etc/systemd/logind.conf
+Ensure that there is a section [login] which contains the +configuration StopIdleSessionSec=. Is it the case that the option is not configured? + Configure the operating system to terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. + To configure logind service to terminate inactive user sessions +after seconds, edit the file +/etc/systemd/logind.conf. Ensure that there is a section +
[Login]
which contains the configuration +
StopIdleSessionSec=
. + medium + + + + + CCI-001133 SRG-OS-000163-GPOS-00072 @@ -24078,42 +24114,6 @@ - - CCI-001133 - SRG-OS-000163-GPOS-00072 - TBD - Assigned by DISA after STIG release - The operating system must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. - - CCE-90784-0: Configure Logind to terminate idle sessions after certain time of inactivity - - Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. - To configure logind service to terminate inactive user sessions -after seconds, edit the file -/etc/systemd/logind.conf. Ensure that there is a section -
[Login]
which contains the configuration -
StopIdleSessionSec=
. - Applicable - Configurable - Verify the operating system terminates all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. - -If it does not, this is a finding. - Display the contents of the file /etc/systemd/logind.conf: -
cat /etc/systemd/logind.conf
-Ensure that there is a section [login] which contains the -configuration StopIdleSessionSec=. Is it the case that the option is not configured? - Configure the operating system to terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. - To configure logind service to terminate inactive user sessions -after seconds, edit the file -/etc/systemd/logind.conf. Ensure that there is a section -
[Login]
which contains the configuration -
StopIdleSessionSec=
. - medium - - - - - CCI-001133 SRG-OS-000163-GPOS-00072 @@ -24421,25 +24421,21 @@ TBD - Assigned by DISA after STIG release The operating system must reveal error messages only to authorized users. - CCE-83665-0: Verify Permissions on /var/log/messages File + CCE-83661-9: Verify User Who Owns /var/log Directory Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -To properly set the permissions of /var/log/messages, run the command: -
$ sudo chmod 0640 /var/log/messages
+ To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log 
Applicable - Configurable Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - To check the permissions of /var/log/messages, + To check the ownership of /var/log, run the command: -
$ ls -l /var/log/messages
-If properly configured, the output should indicate the following permissions: --rw-r----- Is it the case that /var/log/messages does not have unix mode -rw-r-----? +
$ ls -lL /var/log
+If properly configured, the output should indicate the following owner: +root Is it the case that /var/log does not have an owner of root? Configure the operating system to reveal error messages only to authorized users. - -To properly set the permissions of /var/log/messages, run the command: -
$ sudo chmod 0640 /var/log/messages
+ To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log 
medium @@ -24452,25 +24448,37 @@ TBD - Assigned by DISA after STIG release The operating system must reveal error messages only to authorized users. - CCE-83663-5: Verify Permissions on /var/log Directory + CCE-88226-6: System Audit Directories Must Be Owned By Root Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - -To properly set the permissions of /var/log, run the command: -
$ sudo chmod 0755 /var/log
+ All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. + +To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
Applicable - Configurable Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - To check the permissions of /var/log, -run the command: -
$ ls -l /var/log
-If properly configured, the output should indicate the following permissions: -drwxr-xr-x Is it the case that /var/log does not have unix mode drwxr-xr-x? + Determine where the audit logs are stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf + +log_file = /var/log/audit/audit.log + +Determine the owner of the audit log directory by using the output of the above command +(default: "/var/log/audit/"). Run the following command with the correct audit log directory +path: + +$ sudo ls -ld /var/log/audit + +drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + +The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? Configure the operating system to reveal error messages only to authorized users. - -To properly set the permissions of /var/log, run the command: -
$ sudo chmod 0755 /var/log
+ All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. + +To properly set the owner of /var/log/audit, run the command: +
$ sudo chown root /var/log/audit 
medium @@ -24483,33 +24491,25 @@ TBD - Assigned by DISA after STIG release The operating system must reveal error messages only to authorized users. - CCE-88228-2: System Audit Logs Must Be Owned By Root + CCE-83663-5: Verify Permissions on /var/log Directory Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
+ +To properly set the permissions of /var/log, run the command: +
$ sudo chmod 0755 /var/log
Applicable - Configurable Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file = /var/log/audit/audit.log
-Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: -
$ sudo stat -c "%n %U" /var/log/audit/audit.log
-Audit logs must be owned by user root. -If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? + To check the permissions of /var/log, +run the command: +
$ ls -l /var/log
+If properly configured, the output should indicate the following permissions: +drwxr-xr-x Is it the case that /var/log does not have unix mode drwxr-xr-x? Configure the operating system to reveal error messages only to authorized users. - All audit logs must be owned by root user. The path for audit log can be -configured via log_file parameter in
/etc/audit/auditd.conf
-or by default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit/*, run the command: -
$ sudo chown root /var/log/audit/* 
+ +To properly set the permissions of /var/log, run the command: +
$ sudo chmod 0755 /var/log
medium @@ -24522,21 +24522,21 @@ TBD - Assigned by DISA after STIG release The operating system must reveal error messages only to authorized users. - CCE-83661-9: Verify User Who Owns /var/log Directory + CCE-83662-7: Verify User Who Owns /var/log/messages File Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log 
+ To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages 
Applicable - Configurable Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - To check the ownership of /var/log, + To check the ownership of /var/log/messages, run the command: -
$ ls -lL /var/log
+
$ ls -lL /var/log/messages
If properly configured, the output should indicate the following owner: -root Is it the case that /var/log does not have an owner of root? +root Is it the case that /var/log/messages does not have an owner of root? Configure the operating system to reveal error messages only to authorized users. - To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log 
+ To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages 
medium @@ -24611,63 +24611,25 @@ TBD - Assigned by DISA after STIG release The operating system must reveal error messages only to authorized users. - CCE-83660-1: Verify Group Who Owns /var/log/messages File - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
- Applicable - Configurable - Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - To check the group ownership of /var/log/messages, -run the command: -
$ ls -lL /var/log/messages
-If properly configured, the output should indicate the following group-owner: -root Is it the case that /var/log/messages does not have a group owner of root? - Configure the operating system to reveal error messages only to authorized users. - To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
- medium - - - - - - - CCI-001314 - SRG-OS-000206-GPOS-00084 - TBD - Assigned by DISA after STIG release - The operating system must reveal error messages only to authorized users. - - CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive + CCE-83665-0: Verify Permissions on /var/log/messages File Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. -Determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". +To properly set the permissions of /var/log/messages, run the command: +
$ sudo chmod 0640 /var/log/messages
Applicable - Configurable Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - Run the following command to check the mode of the system audit logs: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-
log_file=/var/log/audit/audit.log
-
$ sudo stat -c "%n %a" /var/log/audit/*
-
$ sudo ls -l /var/log/audit
-Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? + To check the permissions of /var/log/messages, +run the command: +
$ ls -l /var/log/messages
+If properly configured, the output should indicate the following permissions: +-rw-r----- Is it the case that /var/log/messages does not have unix mode -rw-r-----? Configure the operating system to reveal error messages only to authorized users. -Determine where the audit logs are stored with the following command: -
$ sudo grep -iw log_file /etc/audit/auditd.conf
-log_file = /var/log/audit/audit.log
-Configure the audit log to be protected from unauthorized read access by setting the correct -permissive mode with the following command: -
$ sudo chmod 0600 audit_log_file
-By default, audit_log_file is "/var/log/audit/audit.log". +To properly set the permissions of /var/log/messages, run the command: +
$ sudo chmod 0640 /var/log/messages
medium @@ -24725,37 +24687,75 @@ TBD - Assigned by DISA after STIG release The operating system must reveal error messages only to authorized users. - CCE-88226-6: System Audit Directories Must Be Owned By Root + CCE-88228-2: System Audit Logs Must Be Owned By Root Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. + All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
+To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
Applicable - Configurable Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - Determine where the audit logs are stored with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf + Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file = /var/log/audit/audit.log
+Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: +
$ sudo stat -c "%n %U" /var/log/audit/audit.log
+Audit logs must be owned by user root. +If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? + Configure the operating system to reveal error messages only to authorized users. + All audit logs must be owned by root user. The path for audit log can be +configured via log_file parameter in
/etc/audit/auditd.conf
+or by default, the path for audit log is
/var/log/audit/
. -log_file = /var/log/audit/audit.log +To properly set the owner of /var/log/audit/*, run the command: +
$ sudo chown root /var/log/audit/* 
+ medium + + + + -Determine the owner of the audit log directory by using the output of the above command -(default: "/var/log/audit/"). Run the following command with the correct audit log directory -path: + + CCI-001314 + SRG-OS-000206-GPOS-00084 + TBD - Assigned by DISA after STIG release + The operating system must reveal error messages only to authorized users. -$ sudo ls -ld /var/log/audit + CCE-80819-6: System Audit Logs Must Have Mode 0640 or Less Permissive -drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. -The audit log directory must be owned by "root" Is it the case that the directory is not owned by root? +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". + Applicable - Configurable + Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. + Run the following command to check the mode of the system audit logs: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+
log_file=/var/log/audit/audit.log
+
$ sudo stat -c "%n %a" /var/log/audit/*
+
$ sudo ls -l /var/log/audit
+Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? Configure the operating system to reveal error messages only to authorized users. - All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. - -To properly set the owner of /var/log/audit, run the command: -
$ sudo chown root /var/log/audit 
+ +Determine where the audit logs are stored with the following command: +
$ sudo grep -iw log_file /etc/audit/auditd.conf
+log_file = /var/log/audit/audit.log
+Configure the audit log to be protected from unauthorized read access by setting the correct +permissive mode with the following command: +
$ sudo chmod 0600 audit_log_file
+By default, audit_log_file is "/var/log/audit/audit.log". medium @@ -24768,21 +24768,21 @@ TBD - Assigned by DISA after STIG release The operating system must reveal error messages only to authorized users. - CCE-83662-7: Verify User Who Owns /var/log/messages File + CCE-83660-1: Verify Group Who Owns /var/log/messages File Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages 
+ To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
Applicable - Configurable Verify the operating system reveals error messages only to authorized users. If it does not, this is a finding. - To check the ownership of /var/log/messages, + To check the group ownership of /var/log/messages, run the command:
$ ls -lL /var/log/messages
-If properly configured, the output should indicate the following owner: -root Is it the case that /var/log/messages does not have an owner of root? +If properly configured, the output should indicate the following group-owner: +root Is it the case that /var/log/messages does not have a group owner of root? Configure the operating system to reveal error messages only to authorized users. - To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages 
+ To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
medium @@ -25295,6 +25295,112 @@ + + CCI-001403 + SRG-OS-000239-GPOS-00089 + TBD - Assigned by DISA after STIG release + The operating system must audit all account modifications. + + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + + Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+ Applicable - Configurable + Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' + +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to automatically audit account modification. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+ medium + + + + + + + CCI-001403 + SRG-OS-000239-GPOS-00089 + TBD - Assigned by DISA after STIG release + The operating system must audit all account modifications. + + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + + Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+ Applicable - Configurable + Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/passwd)' + +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to automatically audit account modification. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+ medium + + + + + CCI-001403 SRG-OS-000239-GPOS-00089 @@ -25348,6 +25454,114 @@ + + CCI-001403 + SRG-OS-000239-GPOS-00089 + TBD - Assigned by DISA after STIG release + The operating system must audit all account modifications. + + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + + Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+ Applicable - Configurable + Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/gshadow)' + +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? + Configure the operating system to automatically audit account modification. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+ medium + + + + + + + CCI-001403 + SRG-OS-000239-GPOS-00089 + TBD - Assigned by DISA after STIG release + The operating system must audit all account modifications. + + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + + Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+ Applicable - Configurable + Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + +$ sudo auditctl -l | grep -E '(/etc/shadow)' + +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? + Configure the operating system to automatically audit account modification. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+ medium + + + + + CCI-001403 SRG-OS-000239-GPOS-00089 @@ -25399,11 +25613,61 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account modifications. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
+ Applicable - Configurable + Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: + +$ sudo auditctl -l | grep /etc/sudoers + +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to automatically audit account modification. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
+ medium + + + + + + + + + + + + CCI-001404 + SRG-OS-000240-GPOS-00090 + TBD - Assigned by DISA after STIG release + The operating system must audit all account disabling actions. + + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + + When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. + +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the @@ -25419,13 +25683,13 @@

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: $ sudo auditctl -l | grep -E '(/etc/security/opasswd)' -w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account modification. + Configure the operating system to automatically audit account disabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the 
@@ -25447,16 +25711,16 @@ - CCI-001403 - SRG-OS-000239-GPOS-00089 + CCI-001404 + SRG-OS-000240-GPOS-00090 TBD - Assigned by DISA after STIG release - The operating system must audit all account modifications. + The operating system must audit all account disabling actions. CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd - Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the @@ -25472,13 +25736,13 @@

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: $ sudo auditctl -l | grep -E '(/etc/passwd)' -w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account modification. + Configure the operating system to automatically audit account disabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the 
@@ -25500,52 +25764,52 @@ - CCI-001403 - SRG-OS-000239-GPOS-00089 + CCI-001404 + SRG-OS-000240-GPOS-00090 TBD - Assigned by DISA after STIG release - The operating system must audit all account modifications. + The operating system must audit all account disabling actions. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group - Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account modification. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/shadow)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account modification. +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to automatically audit account disabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -25553,16 +25817,16 @@ - CCI-001403 - SRG-OS-000239-GPOS-00089 + CCI-001404 + SRG-OS-000240-GPOS-00090 TBD - Assigned by DISA after STIG release - The operating system must audit all account modifications. + The operating system must audit all account disabling actions. CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow - Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the @@ -25578,7 +25842,7 @@

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account modification. If it does not, this is a finding. + Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: $ sudo auditctl -l | grep -E '(/etc/gshadow)' @@ -25586,7 +25850,7 @@ -w /etc/gshadow -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? - Configure the operating system to automatically audit account modification. + Configure the operating system to automatically audit account disabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the 
@@ -25607,63 +25871,13 @@ - - CCI-001403 - SRG-OS-000239-GPOS-00089 - TBD - Assigned by DISA after STIG release - The operating system must audit all account modifications. - - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers - - Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. - -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
- Applicable - Configurable - Verify the operating system automatically audits account modification. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account modification. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
- medium - - - - - - - - - - CCI-001404 SRG-OS-000240-GPOS-00090 TBD - Assigned by DISA after STIG release The operating system must audit all account disabling actions. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. @@ -25674,21 +25888,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep -E '(/etc/shadow)' --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to automatically audit account disabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -25696,14 +25910,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -25761,10 +25975,60 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account disabling actions. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
+ Applicable - Configurable + Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: + +$ sudo auditctl -l | grep /etc/sudoers + +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to automatically audit account disabling actions. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
+ medium + + + + + + + + + + + + CCI-001405 + SRG-OS-000241-GPOS-00091 + TBD - Assigned by DISA after STIG release + The operating system must audit all account removal actions. + + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + + When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. + To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -25781,13 +26045,13 @@

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. + Verify the operating system automatically audits account removal actions. If it does not, this is a finding. Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: $ sudo auditctl -l | grep -E '(/etc/security/opasswd)' -w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account disabling actions. + Configure the operating system to automatically audit account removal actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the 
@@ -25809,14 +26073,14 @@ - CCI-001404 - SRG-OS-000240-GPOS-00090 + CCI-001405 + SRG-OS-000241-GPOS-00091 TBD - Assigned by DISA after STIG release - The operating system must audit all account disabling actions. + The operating system must audit all account removal actions. CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd - When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. + When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. If the auditd daemon is configured to use the @@ -25834,13 +26098,13 @@

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. + Verify the operating system automatically audits account removal actions. If it does not, this is a finding. Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: $ sudo auditctl -l | grep -E '(/etc/passwd)' -w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account disabling actions. + Configure the operating system to automatically audit account removal actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the 
@@ -25862,14 +26126,14 @@ - CCI-001404 - SRG-OS-000240-GPOS-00090 + CCI-001405 + SRG-OS-000241-GPOS-00091 TBD - Assigned by DISA after STIG release - The operating system must audit all account disabling actions. + The operating system must audit all account removal actions. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group - When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. + When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. If the auditd daemon is configured to use the 
@@ -25878,36 +26142,36 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + Verify the operating system automatically audits account removal actions. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/shadow)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account disabling actions. +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to automatically audit account removal actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -25915,14 +26179,14 @@ - CCI-001404 - SRG-OS-000240-GPOS-00090 + CCI-001405 + SRG-OS-000241-GPOS-00091 TBD - Assigned by DISA after STIG release - The operating system must audit all account disabling actions. + The operating system must audit all account removal actions. CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow - When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. + When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. If the auditd daemon is configured to use the @@ -25940,7 +26204,7 @@

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable - Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. + Verify the operating system automatically audits account removal actions. If it does not, this is a finding. Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: $ sudo auditctl -l | grep -E '(/etc/gshadow)' @@ -25948,7 +26212,7 @@ -w /etc/gshadow -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? - Configure the operating system to automatically audit account disabling actions. + Configure the operating system to automatically audit account removal actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the 
@@ -25969,63 +26233,13 @@ - - CCI-001404 - SRG-OS-000240-GPOS-00090 - TBD - Assigned by DISA after STIG release - The operating system must audit all account disabling actions. - - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers - - When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. - -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
- Applicable - Configurable - Verify the operating system automatically audits account disabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account disabling actions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
- medium - - - - - - - - - - CCI-001405 SRG-OS-000241-GPOS-00091 TBD - Assigned by DISA after STIG release The operating system must audit all account removal actions. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. @@ -26036,21 +26250,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account removal actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep -E '(/etc/shadow)' --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to automatically audit account removal actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -26058,14 +26272,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -26117,220 +26331,6 @@ - - CCI-001405 - SRG-OS-000241-GPOS-00091 - TBD - Assigned by DISA after STIG release - The operating system must audit all account removal actions. - - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd - - When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. - -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system automatically audits account removal actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' - --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account removal actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
- medium - - - - - - - CCI-001405 - SRG-OS-000241-GPOS-00091 - TBD - Assigned by DISA after STIG release - The operating system must audit all account removal actions. - - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd - - When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. - -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system automatically audits account removal actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/passwd)' - --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account removal actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
- medium - - - - - - - CCI-001405 - SRG-OS-000241-GPOS-00091 - TBD - Assigned by DISA after STIG release - The operating system must audit all account removal actions. - - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow - - When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. - -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system automatically audits account removal actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: - -$ sudo auditctl -l | grep -E '(/etc/shadow)' - --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? - Configure the operating system to automatically audit account removal actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
- medium - - - - - - - CCI-001405 - SRG-OS-000241-GPOS-00091 - TBD - Assigned by DISA after STIG release - The operating system must audit all account removal actions. - - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow - - When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. - -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system automatically audits account removal actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' - --w /etc/gshadow -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? - Configure the operating system to automatically audit account removal actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
- medium - - - - - CCI-001405 SRG-OS-000241-GPOS-00091 @@ -26387,33 +26387,36 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptography to protect the integrity of remote access sessions. - CCE-86059-3: Use Only FIPS 140-2 Validated Key Exchange Algorithms + CCE-80939-2: Configure SSH to use System Crypto Policy Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - Limit the key exchange algorithms to those which are FIPS-approved. -Add or modify the following line in /etc/crypto-policies/back-ends/opensshserver.config -
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
-This rule ensures that only the key exchange algorithms mentioned -above (or their subset) are configured for use, keeping the given -order of algorithms. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +SSH is supported by crypto policy, but the SSH configuration may be +set up to ignore it. +To check that Crypto Policies settings are configured correctly, ensure that +the CRYPTO_POLICY variable is either commented or not set at all +in the /etc/sysconfig/sshd. Applicable - Configurable Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. - Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved -key exchange algorithms are in use, run the following command: -
$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config
-The output should contain only following algorithms (or a subset) in the exact order: -
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order? + Verify that sshd isn't configured to ignore the system wide cryptographic policy. + +Check that the CRYPTO_POLICY variable is not set or is commented out in the +/etc/sysconfig/sshd. + +Run the following command: + +$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd? Configure the operating system to implement cryptography to protect the integrity of remote access sessions. - Limit the key exchange algorithms to those which are FIPS-approved. -Add or modify the following line in /etc/crypto-policies/back-ends/opensshserver.config -
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
-This rule ensures that only the key exchange algorithms mentioned -above (or their subset) are configured for use, keeping the given -order of algorithms. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +SSH is supported by crypto policy, but the SSH configuration may be +set up to ignore it. +To check that Crypto Policies settings are configured correctly, ensure that +the CRYPTO_POLICY variable is either commented or not set at all +in the /etc/sysconfig/sshd. medium @@ -26426,7 +26429,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptography to protect the integrity of remote access sessions. - CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config + CCE-85897-7: Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -26438,25 +26441,25 @@ set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
+/etc/crypto-policies/back-ends/opensshserver.config contains the following +text and is not commented out: +
-oCiphers=
Applicable - Configurable Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
+ To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: +
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches: -
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? +
-oCiphers=
Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? Configure the operating system to implement cryptography to protect the integrity of remote access sessions. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
- high +/etc/crypto-policies/back-ends/opensshserver.config contains the following +text and is not commented out: +
-oCiphers=
+ medium @@ -26510,7 +26513,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptography to protect the integrity of remote access sessions. - CCE-80939-2: Configure SSH to use System Crypto Policy + CCE-85870-4: Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -26518,28 +26521,28 @@ Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -SSH is supported by crypto policy, but the SSH configuration may be -set up to ignore it. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. + To check that Crypto Policies settings are configured correctly, ensure that -the CRYPTO_POLICY variable is either commented or not set at all -in the /etc/sysconfig/sshd. +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +MACs Applicable - Configurable Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. - Verify that sshd isn't configured to ignore the system wide cryptographic policy. - -Check that the CRYPTO_POLICY variable is not set or is commented out in the -/etc/sysconfig/sshd. - -Run the following command: - -$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd? + To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: +
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
+and verify that the line matches: +
MACs 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? Configure the operating system to implement cryptography to protect the integrity of remote access sessions. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -SSH is supported by crypto policy, but the SSH configuration may be -set up to ignore it. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. + To check that Crypto Policies settings are configured correctly, ensure that -the CRYPTO_POLICY variable is either commented or not set at all -in the /etc/sysconfig/sshd. +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +MACs medium 
@@ -26588,90 +26591,6 @@ - - CCI-001453 - SRG-OS-000250-GPOS-00093 - TBD - Assigned by DISA after STIG release - The operating system must implement cryptography to protect the integrity of remote access sessions. - - CCE-85897-7: Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. - -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/opensshserver.config contains the following -text and is not commented out: -
-oCiphers=
- Applicable - Configurable - Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. - To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: -
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
-and verify that the line matches: -
-oCiphers=
Is it the case that Crypto Policy for OpenSSH Server is not configured correctly? - Configure the operating system to implement cryptography to protect the integrity of remote access sessions. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. - -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/opensshserver.config contains the following -text and is not commented out: -
-oCiphers=
- medium - - - - - - - CCI-001453 - SRG-OS-000250-GPOS-00093 - TBD - Assigned by DISA after STIG release - The operating system must implement cryptography to protect the integrity of remote access sessions. - - CCE-80938-4: Configure OpenSSL library to use System Crypto Policy - - Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - -Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSL is supported by crypto policy, but the OpenSSL configuration may be -set up to ignore it. -To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file -available under /etc/pki/tls/openssl.cnf. -This file has the ini format, and it enables crypto policy support -if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. - Applicable - Configurable - Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. - To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file -
/etc/pki/tls/openssl.cnf
contains the
[ crypto_policy ]
section with the -
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive: - -
$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf
. Is it the case that the OpenSSL config file doesn't contain the whole section, -or the section doesn't contain the
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive? - Configure the operating system to implement cryptography to protect the integrity of remote access sessions. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSL is supported by crypto policy, but the OpenSSL configuration may be -set up to ignore it. -To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file -available under /etc/pki/tls/openssl.cnf. -This file has the ini format, and it enables crypto policy support -if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. - medium - - - - - CCI-001453 SRG-OS-000250-GPOS-00093 @@ -26720,7 +26639,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptography to protect the integrity of remote access sessions. - CCE-85870-4: Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config + CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config Without cryptographic integrity protections, information can be altered by unauthorized users without detection. @@ -26731,26 +26650,26 @@ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. -To check that Crypto Policies settings are configured correctly, ensure that +To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: -MACs +
Ciphers 
Applicable - Configurable Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. - To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: -
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
+ To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches: -
MACs 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? +
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? Configure the operating system to implement cryptography to protect the integrity of remote access sessions. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. -To check that Crypto Policies settings are configured correctly, ensure that +To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: -MACs - medium +
Ciphers 
+ high @@ -26830,6 +26749,87 @@ + + CCI-001453 + SRG-OS-000250-GPOS-00093 + TBD - Assigned by DISA after STIG release + The operating system must implement cryptography to protect the integrity of remote access sessions. + + CCE-80938-4: Configure OpenSSL library to use System Crypto Policy + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSL is supported by crypto policy, but the OpenSSL configuration may be +set up to ignore it. +To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file +available under /etc/pki/tls/openssl.cnf. +This file has the ini format, and it enables crypto policy support +if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. + Applicable - Configurable + Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. + To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file +
/etc/pki/tls/openssl.cnf
contains the
[ crypto_policy ]
section with the +
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive: + +
$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf
. Is it the case that the OpenSSL config file doesn't contain the whole section, +or the section doesn't contain the
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive? + Configure the operating system to implement cryptography to protect the integrity of remote access sessions. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSL is supported by crypto policy, but the OpenSSL configuration may be +set up to ignore it. +To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file +available under /etc/pki/tls/openssl.cnf. +This file has the ini format, and it enables crypto policy support +if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. + medium + + + + + + + CCI-001453 + SRG-OS-000250-GPOS-00093 + TBD - Assigned by DISA after STIG release + The operating system must implement cryptography to protect the integrity of remote access sessions. + + CCE-86059-3: Use Only FIPS 140-2 Validated Key Exchange Algorithms + + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + Limit the key exchange algorithms to those which are FIPS-approved. +Add or modify the following line in /etc/crypto-policies/back-ends/opensshserver.config +
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
+This rule ensures that only the key exchange algorithms mentioned +above (or their subset) are configured for use, keeping the given +order of algorithms. + Applicable - Configurable + Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. + Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved +key exchange algorithms are in use, run the following command: +
$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config
+The output should contain only following algorithms (or a subset) in the exact order: +
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order? + Configure the operating system to implement cryptography to protect the integrity of remote access sessions. + Limit the key exchange algorithms to those which are FIPS-approved. +Add or modify the following line in /etc/crypto-policies/back-ends/opensshserver.config +
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
+This rule ensures that only the key exchange algorithms mentioned +above (or their subset) are configured for use, keeping the given +order of algorithms. + medium + + + + + @@ -26841,84 +26841,48 @@ TBD - Assigned by DISA after STIG release The operating system must initiate session audits at system start-up. - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
Applicable - Configurable Verify the operating system initiates session audits at system start-up. If it does not, this is a finding. Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, +in /etc/default/grub. If it includes audit=1, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? Configure the operating system to initiate session audits at system start-up. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
low - - CCI-001464 - SRG-OS-000254-GPOS-00095 - TBD - Assigned by DISA after STIG release - The operating system must initiate session audits at system start-up. - - CCE-80872-5: Enable auditd Service - - If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
- Applicable - Configurable - Verify the operating system initiates session audits at system start-up. If it does not, this is a finding. - - -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to initiate session audits at system start-up. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
- medium - - - - - CCI-001464 SRG-OS-000254-GPOS-00095 @@ -26946,62 +26910,57 @@ TBD - Assigned by DISA after STIG release The operating system must initiate session audits at system start-up. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Applicable - Configurable Verify the operating system initiates session audits at system start-up. If it does not, this is a finding. Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, +in /etc/default/grub. If it includes audit_backlog_limit=8192, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? Configure the operating system to initiate session audits at system start-up. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
low - - - - - - CCI-001487 - SRG-OS-000255-GPOS-00096 + CCI-001464 + SRG-OS-000254-GPOS-00095 TBD - Assigned by DISA after STIG release - The operating system must produce audit records containing information to establish the identity of any individual or process associated with the event. + The operating system must initiate session audits at system start-up. CCE-80872-5: Enable auditd Service - Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. + If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -27009,14 +26968,14 @@ The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Applicable - Configurable - Verify the operating system produces audit records containing information to establish the identity of any individual or process associated with the event. If it does not, this is a finding. + Verify the operating system initiates session audits at system start-up. If it does not, this is a finding. Run the following command to determine the current status of the auditd service:
$ sudo systemctl is-active auditd
If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to produce audit records containing information to establish the identity of any individual or process associated with the event. + Configure the operating system to initiate session audits at system start-up. The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. @@ -27029,6 +26988,43 @@ + + + + + + + CCI-001487 + SRG-OS-000255-GPOS-00096 + TBD - Assigned by DISA after STIG release + The operating system must produce audit records containing information to establish the identity of any individual or process associated with the event. + + CCE-82201-5: Resolve information before writing to audit logs + + Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. + To configure Audit daemon to resolve all uid, gid, syscall, +architecture, and socket address information before writing the +events to disk, set log_format to ENRICHED +in /etc/audit/auditd.conf. + Applicable - Configurable + Verify the operating system produces audit records containing information to establish the identity of any individual or process associated with the event. If it does not, this is a finding. + To verify that Audit Daemon is configured to resolve all uid, gid, syscall, +architecture, and socket address information before writing the event to disk, +run the following command: +
$ sudo grep log_format /etc/audit/auditd.conf
+The output should return the following: +
log_format = ENRICHED
Is it the case that log_format isn't set to ENRICHED? + Configure the operating system to produce audit records containing information to establish the identity of any individual or process associated with the event. + To configure Audit daemon to resolve all uid, gid, syscall, +architecture, and socket address information before writing the +events to disk, set log_format to ENRICHED +in /etc/audit/auditd.conf. + low + + + + + CCI-001487 SRG-OS-000255-GPOS-00096 @@ -27056,27 +27052,31 @@ TBD - Assigned by DISA after STIG release The operating system must produce audit records containing information to establish the identity of any individual or process associated with the event. - CCE-82201-5: Resolve information before writing to audit logs + CCE-80872-5: Enable auditd Service Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. - To configure Audit daemon to resolve all uid, gid, syscall, -architecture, and socket address information before writing the -events to disk, set log_format to ENRICHED -in /etc/audit/auditd.conf. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
Applicable - Configurable Verify the operating system produces audit records containing information to establish the identity of any individual or process associated with the event. If it does not, this is a finding. - To verify that Audit Daemon is configured to resolve all uid, gid, syscall, -architecture, and socket address information before writing the event to disk, -run the following command: -
$ sudo grep log_format /etc/audit/auditd.conf
-The output should return the following: -
log_format = ENRICHED
Is it the case that log_format isn't set to ENRICHED? + + +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? Configure the operating system to produce audit records containing information to establish the identity of any individual or process associated with the event. - To configure Audit daemon to resolve all uid, gid, syscall, -architecture, and socket address information before writing the -events to disk, set log_format to ENRICHED -in /etc/audit/auditd.conf. - low + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
+ medium @@ -27093,7 +27093,7 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit tools from unauthorized access. - CCE-86227-6: Audit Tools Must Have a Mode of 0755 or Less Permissive + CCE-86259-9: Audit Tools Must Be Owned by Root Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -27104,20 +27104,28 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Audit tools must have a mode of 0755 or less permissive. +Audit tools must have the correct owner. Applicable - Configurable Verify the operating system protects audit tools from unauthorized access. If it does not, this is a finding. - Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. + Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. -Check the octal permission of each audit tool by running the following command: +Check the owner of each audit tool by running the following command: -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules Is it the case that any of these files have more permissive permissions than 0755? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules Is it the case that any audit tools are not owned by root? Configure the operating system to protect audit tools from unauthorized access. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators. -Audit tools must have a mode of 0755 or less permissive. +Audit tools must have the correct owner. medium @@ -27175,7 +27183,7 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit tools from unauthorized access. - CCE-86259-9: Audit Tools Must Be Owned by Root + CCE-86227-6: Audit Tools Must Have a Mode of 0755 or Less Permissive Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -27186,28 +27194,20 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Audit tools must have the correct owner. +Audit tools must have a mode of 0755 or less permissive. Applicable - Configurable Verify the operating system protects audit tools from unauthorized access. If it does not, this is a finding. - Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. - -Check the owner of each audit tool by running the following command: + Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +Check the octal permission of each audit tool by running the following command: -root /sbin/auditctl -root /sbin/aureport -root /sbin/ausearch -root /sbin/autrace -root /sbin/auditd -root /sbin/rsyslogd -root /sbin/augenrules Is it the case that any audit tools are not owned by root? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules Is it the case that any of these files have more permissive permissions than 0755? Configure the operating system to protect audit tools from unauthorized access. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators. -Audit tools must have the correct owner. +Audit tools must have a mode of 0755 or less permissive. medium @@ -27225,7 +27225,7 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit tools from unauthorized modification. - CCE-86227-6: Audit Tools Must Have a Mode of 0755 or Less Permissive + CCE-86259-9: Audit Tools Must Be Owned by Root Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -27236,20 +27236,28 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Audit tools must have a mode of 0755 or less permissive. +Audit tools must have the correct owner. Applicable - Configurable Verify the operating system protects audit tools from unauthorized modification. If it does not, this is a finding. - Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. + Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. -Check the octal permission of each audit tool by running the following command: +Check the owner of each audit tool by running the following command: -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules Is it the case that any of these files have more permissive permissions than 0755? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules Is it the case that any audit tools are not owned by root? Configure the operating system to protect audit tools from unauthorized modification. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators. -Audit tools must have a mode of 0755 or less permissive. +Audit tools must have the correct owner. medium @@ -27307,7 +27315,7 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit tools from unauthorized modification. - CCE-86259-9: Audit Tools Must Be Owned by Root + CCE-86227-6: Audit Tools Must Have a Mode of 0755 or Less Permissive Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -27318,28 +27326,20 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Audit tools must have the correct owner. +Audit tools must have a mode of 0755 or less permissive. Applicable - Configurable Verify the operating system protects audit tools from unauthorized modification. If it does not, this is a finding. - Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. - -Check the owner of each audit tool by running the following command: + Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +Check the octal permission of each audit tool by running the following command: -root /sbin/auditctl -root /sbin/aureport -root /sbin/ausearch -root /sbin/autrace -root /sbin/auditd -root /sbin/rsyslogd -root /sbin/augenrules Is it the case that any audit tools are not owned by root? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules Is it the case that any of these files have more permissive permissions than 0755? Configure the operating system to protect audit tools from unauthorized modification. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators. -Audit tools must have the correct owner. +Audit tools must have a mode of 0755 or less permissive. medium @@ -27357,7 +27357,7 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit tools from unauthorized deletion. - CCE-86227-6: Audit Tools Must Have a Mode of 0755 or Less Permissive + CCE-86259-9: Audit Tools Must Be Owned by Root Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
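Review bot: in the @@ -27318 hunk the re-added check text for CCE-86227-6 says "Check the octal permission of each audit tool by running the following command" but the command that follows is `$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport ...`, and `%U` prints the owning user name, not the mode, so an assessor following it cannot answer "more permissive permissions than 0755". The format should be `%a %n` (access rights in octal), and the owner rule's expected-output lines (`root /sbin/auditctl` and so on) have no counterpart here; adding the expected mode lines would make the two checks symmetric. The same text is re-added unchanged in the @@ -27450 hunk.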
@@ -27368,20 +27368,28 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Audit tools must have a mode of 0755 or less permissive. +Audit tools must have the correct owner. Applicable - Configurable Verify the operating system protects audit tools from unauthorized deletion. If it does not, this is a finding. - Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. + Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. -Check the octal permission of each audit tool by running the following command: +Check the owner of each audit tool by running the following command: -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules Is it the case that any of these files have more permissive permissions than 0755? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + +root /sbin/auditctl +root /sbin/aureport +root /sbin/ausearch +root /sbin/autrace +root /sbin/auditd +root /sbin/rsyslogd +root /sbin/augenrules Is it the case that any audit tools are not owned by root? Configure the operating system to protect audit tools from unauthorized deletion. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators. -Audit tools must have a mode of 0755 or less permissive. +Audit tools must have the correct owner. medium @@ -27439,7 +27447,7 @@ TBD - Assigned by DISA after STIG release The operating system must protect audit tools from unauthorized deletion. - CCE-86259-9: Audit Tools Must Be Owned by Root + CCE-86227-6: Audit Tools Must Have a Mode of 0755 or Less Permissive Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
@@ -27450,28 +27458,20 @@ Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Audit tools must have the correct owner. +Audit tools must have a mode of 0755 or less permissive. Applicable - Configurable Verify the operating system protects audit tools from unauthorized deletion. If it does not, this is a finding. - Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. - -Check the owner of each audit tool by running the following command: + Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. -$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules +Check the octal permission of each audit tool by running the following command: -root /sbin/auditctl -root /sbin/aureport -root /sbin/ausearch -root /sbin/autrace -root /sbin/auditd -root /sbin/rsyslogd -root /sbin/augenrules Is it the case that any audit tools are not owned by root? +$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules Is it the case that any of these files have more permissive permissions than 0755? Configure the operating system to protect audit tools from unauthorized deletion. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators. -Audit tools must have the correct owner. +Audit tools must have a mode of 0755 or less permissive. medium @@ -27489,7 +27489,7 @@ TBD - Assigned by DISA after STIG release The operating system must limit privileges to change software resident within software libraries. - CCE-80815-4: Verify that Shared Library Files Have Restrictive Permissions + CCE-85894-4: Verify that Shared Library Directories Have Root Group Ownership If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -27502,17 +27502,19 @@ /usr/lib /usr/lib64 -Kernel modules, which can be added to the kernel during runtime, are -stored in /lib/modules. All files in these directories -should not be group-writable or world-writable. If any file in these -directories is found to be group-writable or world-writable, correct -its permission with the following command: -
$ sudo chmod go-w FILE
+Kernel modules, which can be added to the kernel during runtime, are also +stored in /lib/modules. All files in these directories should be +group-owned by the root user. If the directories, is found to be owned +by a user other than root correct its +ownership with the following command: +
$ sudo chgrp root DIR
Applicable - Configurable Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: + Verify the system-wide shared library directories are group-owned by "root" with the following command: -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; Is it the case that any system-wide shared library file is found to be group-writable or world-writable? +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; + +If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding. Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account? Configure the operating system to limit privileges to change software resident within software libraries. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories @@ -27522,12 +27524,12 @@ /usr/lib /usr/lib64 -Kernel modules, which can be added to the kernel during runtime, are -stored in /lib/modules. All files in these directories -should not be group-writable or world-writable. If any file in these -directories is found to be group-writable or world-writable, correct -its permission with the following command: -
$ sudo chmod go-w FILE
+Kernel modules, which can be added to the kernel during runtime, are also +stored in /lib/modules. All files in these directories should be +group-owned by the root user. If the directories, is found to be owned +by a user other than root correct its +ownership with the following command: +
$ sudo chgrp root DIR
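Review bot: the description re-added in the @@ -27522 hunk (and identically in @@ -27502) for CCE-85894-4 is internally inconsistent: "All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership" talks about a user, while the rule, its check (`find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G"`) and its fix (`$ sudo chgrp root DIR`) are all about group ownership of directories, and the sentence is ungrammatical. Suggest "All directories under these paths should be group-owned by root. If any directory is found to be group-owned by a group other than root, correct its group ownership with the following command:". The check's closing question also allows "a required system account" while the find expression flags everything not group-owned by root, so either the question or the filter should be aligned.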
medium @@ -27540,40 +27542,45 @@ TBD - Assigned by DISA after STIG release The operating system must limit privileges to change software resident within software libraries. - CCE-86523-8: Verify the system-wide library files in directories -"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. + CCE-80807-1: Verify that Shared Library Files Have Root Ownership If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - System-wide library files are stored in the following directories + System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories by default:
/lib
 /lib64
 /usr/lib
 /usr/lib64
 
-All system-wide shared library files should be protected from unauthorised -access. If any of these files is not group-owned by root, correct its group-owner with -the following command: -
$ sudo chgrp root FILE
+Kernel modules, which can be added to the kernel during runtime, are also +stored in /lib/modules. All files in these directories should be +owned by the root user. If the directory, or any file in these +directories, is found to be owned by a user other than root correct its +ownership with the following command: +
$ sudo chown root FILE
Applicable - Configurable Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system-wide shared library files are group-owned by "root" with the following command: + Verify the system-wide shared library files are owned by "root" with the following command: -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; Is it the case that any system wide shared library file is returned and is not group-owned by a required system account? +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; Is it the case that any system wide shared library file is not owned by root? Configure the operating system to limit privileges to change software resident within software libraries. - System-wide library files are stored in the following directories + System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories by default:
/lib
 /lib64
 /usr/lib
 /usr/lib64
 
-All system-wide shared library files should be protected from unauthorised -access. If any of these files is not group-owned by root, correct its group-owner with -the following command: -
$ sudo chgrp root FILE
+Kernel modules, which can be added to the kernel during runtime, are also +stored in /lib/modules. All files in these directories should be +owned by the root user. If the directory, or any file in these +directories, is found to be owned by a user other than root correct its +ownership with the following command: +
$ sudo chown root FILE
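Review bot: the re-added description in the @@ -27540 hunk for CCE-80807-1 needs a comma in "is found to be owned by a user other than root correct its ownership", and while the text names "the directory, or any file in these directories", the check `find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \;` follows symbolic links because of `-L`, so a link inside these trees that points at a non-root-owned file elsewhere is reported under this rule; the check text should say so, otherwise an assessor will not understand why a path outside the listed directories appears in the output.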
medium @@ -27586,45 +27593,40 @@ TBD - Assigned by DISA after STIG release The operating system must limit privileges to change software resident within software libraries. - CCE-89021-0: Verify that Shared Library Directories Have Root Ownership + CCE-86523-8: Verify the system-wide library files in directories +"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - System-wide shared library files, which are linked to executables -during process load time or run time, are stored in the following directories + System-wide library files are stored in the following directories by default:
/lib
 /lib64
 /usr/lib
 /usr/lib64
 
-Kernel modules, which can be added to the kernel during runtime, are also -stored in /lib/modules. All files in these directories should be -owned by the root user. If the directories, is found to be owned -by a user other than root correct its -ownership with the following command: -
$ sudo chown root DIR
+All system-wide shared library files should be protected from unauthorised +access. If any of these files is not group-owned by root, correct its group-owner with +the following command: +
$ sudo chgrp root FILE
Applicable - Configurable Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system-wide shared library directories are owned by "root" with the following command: + Verify the system-wide shared library files are group-owned by "root" with the following command: -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; Is it the case that any system-wide shared library directory is not owned by root? +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; Is it the case that any system wide shared library file is returned and is not group-owned by a required system account? Configure the operating system to limit privileges to change software resident within software libraries. - System-wide shared library files, which are linked to executables -during process load time or run time, are stored in the following directories + System-wide library files are stored in the following directories by default:
/lib
 /lib64
 /usr/lib
 /usr/lib64
 
-Kernel modules, which can be added to the kernel during runtime, are also -stored in /lib/modules. All files in these directories should be -owned by the root user. If the directories, is found to be owned -by a user other than root correct its -ownership with the following command: -
$ sudo chown root DIR
+All system-wide shared library files should be protected from unauthorised +access. If any of these files is not group-owned by root, correct its group-owner with +the following command: +
$ sudo chgrp root FILE
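Review bot: the title re-added in the @@ -27586 hunk, "CCE-86523-8: Verify the system-wide library files in directories" continued on a second line as ""/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.", is the only title in this region that wraps across two lines, uses sentence case, a trailing slash on "/usr/lib/" and a closing period; the sibling titles are single-line Title Case ("Verify that Shared Library Files Have Root Ownership"). Suggest "CCE-86523-8: Verify that Shared Library Files Have Root Group Ownership". The description also spells "unauthorised" where the rest of the file uses "unauthorized", and the check question accepts "a required system account" while `find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \;` returns every file with a non-root group, so the two should be brought into agreement as they should be in the directory rule.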
medium @@ -27637,45 +27639,43 @@ TBD - Assigned by DISA after STIG release The operating system must limit privileges to change software resident within software libraries. - CCE-86519-6: Verify that system commands files are group owned by root or a system account + CCE-80809-7: Verify that System Executables Have Restrictive Permissions If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - System commands files are stored in the following directories by default: + System executables are stored in the following directories by default:
/bin
 /sbin
 /usr/bin
-/usr/sbin
+/usr/libexec
 /usr/local/bin
 /usr/local/sbin
-
-All files in these directories should be owned by the root group, -or a system account. -If the directory, or any file in these directories, is found to be owned -by a group other than root or a a system account correct its ownership -with the following command: -
$ sudo chgrp root FILE
+/usr/sbin +All files in these directories should not be group-writable or world-writable. +If any file FILE in these directories is found +to be group-writable or world-writable, correct its permission with the +following command: +
$ sudo chmod go-w FILE
Applicable - Configurable Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: + Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; Is it the case that any system commands are returned and is not group-owned by a required system account? +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; Is it the case that any system commands are found to be group-writable or world-writable? Configure the operating system to limit privileges to change software resident within software libraries. - System commands files are stored in the following directories by default: + System executables are stored in the following directories by default:
/bin
 /sbin
 /usr/bin
-/usr/sbin
+/usr/libexec
 /usr/local/bin
 /usr/local/sbin
-
-All files in these directories should be owned by the root group, -or a system account. -If the directory, or any file in these directories, is found to be owned -by a group other than root or a a system account correct its ownership -with the following command: -
$ sudo chgrp root FILE
+/usr/sbin +All files in these directories should not be group-writable or world-writable. +If any file FILE in these directories is found +to be group-writable or world-writable, correct its permission with the +following command: +
$ sudo chmod go-w FILE
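Review bot: the check re-added in the @@ -27637 hunk, `$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \;`, has no `-type f`, unlike the shared-library permission check elsewhere in this file (`find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f`), so any group- or world-writable directory under those paths is listed as a finding for a rule whose text and fix (`$ sudo chmod go-w FILE`) speak only of files; add `-type f` or extend the text to cover directories. The added "+/usr/sbin" line is also followed directly by "+All files in these directories should not be group-writable or world-writable." where the removed side had a separating line after "-/usr/sbin", so the rendered description should be checked to confirm the list and the paragraph are still kept apart.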
medium @@ -27688,7 +27688,7 @@ TBD - Assigned by DISA after STIG release The operating system must limit privileges to change software resident within software libraries. - CCE-80809-7: Verify that System Executables Have Restrictive Permissions + CCE-80806-3: Verify that System Executables Have Root Ownership If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -27701,16 +27701,16 @@ /usr/local/bin /usr/local/sbin /usr/sbin -All files in these directories should not be group-writable or world-writable. +All files in these directories should be owned by the root user. If any file FILE in these directories is found -to be group-writable or world-writable, correct its permission with the +to be owned by a user other than root, correct its ownership with the following command: -
$ sudo chmod go-w FILE
+
$ sudo chown root FILE
Applicable - Configurable Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: + Verify the system commands contained in the following directories are owned by "root" with the following command: -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; Is it the case that any system commands are found to be group-writable or world-writable? +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; Is it the case that any system commands are found to not be owned by root? Configure the operating system to limit privileges to change software resident within software libraries. System executables are stored in the following directories by default:
/bin
@@ -27720,11 +27720,11 @@
 /usr/local/bin
 /usr/local/sbin
 /usr/sbin
-All files in these directories should not be group-writable or world-writable. +All files in these directories should be owned by the root user. If any file FILE in these directories is found -to be group-writable or world-writable, correct its permission with the +to be owned by a user other than root, correct its ownership with the following command: -
$ sudo chmod go-w FILE
+
$ sudo chown root FILE
medium @@ -27737,45 +27737,45 @@ TBD - Assigned by DISA after STIG release The operating system must limit privileges to change software resident within software libraries. - CCE-80807-1: Verify that Shared Library Files Have Root Ownership + CCE-86519-6: Verify that system commands files are group owned by root or a system account If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - System-wide shared library files, which are linked to executables -during process load time or run time, are stored in the following directories -by default: -
/lib
-/lib64
-/usr/lib
-/usr/lib64
+    System commands files are stored in the following directories by default:
+
/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
 
-Kernel modules, which can be added to the kernel during runtime, are also -stored in /lib/modules. All files in these directories should be -owned by the root user. If the directory, or any file in these -directories, is found to be owned by a user other than root correct its -ownership with the following command: -
$ sudo chown root FILE
+All files in these directories should be owned by the root group, +or a system account. +If the directory, or any file in these directories, is found to be owned +by a group other than root or a a system account correct its ownership +with the following command: +
$ sudo chgrp root FILE
Applicable - Configurable Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system-wide shared library files are owned by "root" with the following command: + Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: -$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; Is it the case that any system wide shared library file is not owned by root? +$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; Is it the case that any system commands are returned and is not group-owned by a required system account? Configure the operating system to limit privileges to change software resident within software libraries. - System-wide shared library files, which are linked to executables -during process load time or run time, are stored in the following directories -by default: -
/lib
-/lib64
-/usr/lib
-/usr/lib64
+    System commands files are stored in the following directories by default:
+
/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
 
-Kernel modules, which can be added to the kernel during runtime, are also -stored in /lib/modules. All files in these directories should be -owned by the root user. If the directory, or any file in these -directories, is found to be owned by a user other than root correct its -ownership with the following command: -
$ sudo chown root FILE
+All files in these directories should be owned by the root group, +or a system account. +If the directory, or any file in these directories, is found to be owned +by a group other than root or a a system account correct its ownership +with the following command: +
$ sudo chgrp root FILE
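Review bot: the description re-added in the @@ -27737 hunk for CCE-86519-6 contains a doubled article, "by a group other than root or a a system account", and its directory list (/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin) omits /usr/libexec, which the two sibling system-executable rules in this file (CCE-80809-7 and CCE-80806-3) include both in their lists and in their find commands; the check `find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;` inherits that gap, and its `! -group root` filter returns more than the question's "not group-owned by a required system account" asks about. The title "Verify that system commands files are group owned by root or a system account" is also the one sentence-case title among Title Case siblings; "Verify that System Commands Are Group-Owned by Root or a System Account" would match.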
medium @@ -27788,7 +27788,7 @@ TBD - Assigned by DISA after STIG release The operating system must limit privileges to change software resident within software libraries. - CCE-85894-4: Verify that Shared Library Directories Have Root Group Ownership + CCE-80815-4: Verify that Shared Library Files Have Restrictive Permissions If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. @@ -27801,19 +27801,17 @@ /usr/lib /usr/lib64
-Kernel modules, which can be added to the kernel during runtime, are also -stored in /lib/modules. All files in these directories should be -group-owned by the root user. If the directories, is found to be owned -by a user other than root correct its -ownership with the following command: -
$ sudo chgrp root DIR
+Kernel modules, which can be added to the kernel during runtime, are +stored in /lib/modules. All files in these directories +should not be group-writable or world-writable. If any file in these +directories is found to be group-writable or world-writable, correct +its permission with the following command: +
$ sudo chmod go-w FILE
Applicable - Configurable Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system-wide shared library directories are group-owned by "root" with the following command: - -$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; + Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: -If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding. Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account? +$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; Is it the case that any system-wide shared library file is found to be group-writable or world-writable? Configure the operating system to limit privileges to change software resident within software libraries. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories @@ -27823,61 +27821,12 @@ /usr/lib /usr/lib64
-Kernel modules, which can be added to the kernel during runtime, are also -stored in /lib/modules. All files in these directories should be -group-owned by the root user. If the directories, is found to be owned -by a user other than root correct its -ownership with the following command: -
$ sudo chgrp root DIR
- medium - - - - - - - CCI-001499 - SRG-OS-000259-GPOS-00100 - TBD - Assigned by DISA after STIG release - The operating system must limit privileges to change software resident within software libraries. - - CCE-80806-3: Verify that System Executables Have Root Ownership - - If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - System executables are stored in the following directories by default: -
/bin
-/sbin
-/usr/bin
-/usr/libexec
-/usr/local/bin
-/usr/local/sbin
-/usr/sbin
-All files in these directories should be owned by the root user. -If any file FILE in these directories is found -to be owned by a user other than root, correct its ownership with the -following command: -
$ sudo chown root FILE
- Applicable - Configurable - Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. - Verify the system commands contained in the following directories are owned by "root" with the following command: - -$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; Is it the case that any system commands are found to not be owned by root? - Configure the operating system to limit privileges to change software resident within software libraries. - System executables are stored in the following directories by default: -
/bin
-/sbin
-/usr/bin
-/usr/libexec
-/usr/local/bin
-/usr/local/sbin
-/usr/sbin
-All files in these directories should be owned by the root user. -If any file FILE in these directories is found -to be owned by a user other than root, correct its ownership with the -following command: -
$ sudo chown root FILE
+Kernel modules, which can be added to the kernel during runtime, are +stored in /lib/modules. All files in these directories +should not be group-writable or world-writable. If any file in these +directories is found to be group-writable or world-writable, correct +its permission with the following command: +
$ sudo chmod go-w FILE
medium @@ -27941,6 +27890,57 @@ + + CCI-001499 + SRG-OS-000259-GPOS-00100 + TBD - Assigned by DISA after STIG release + The operating system must limit privileges to change software resident within software libraries. + + CCE-89021-0: Verify that Shared Library Directories Have Root Ownership + + If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories +by default: +
/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+Kernel modules, which can be added to the kernel during runtime, are also +stored in /lib/modules. All files in these directories should be +owned by the root user. If the directories, is found to be owned +by a user other than root correct its +ownership with the following command: +
$ sudo chown root DIR
+ Applicable - Configurable + Verify the operating system limits privileges to change software resident within software libraries. If it does not, this is a finding. + Verify the system-wide shared library directories are owned by "root" with the following command: + +$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; Is it the case that any system-wide shared library directory is not owned by root? + Configure the operating system to limit privileges to change software resident within software libraries. + System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories +by default: +
/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+Kernel modules, which can be added to the kernel during runtime, are also +stored in /lib/modules. All files in these directories should be +owned by the root user. If the directories, is found to be owned +by a user other than root correct its +ownership with the following command: +
$ sudo chown root DIR
+ medium + + + + + @@ -28505,28 +28505,23 @@ TBD - Assigned by DISA after STIG release The operating system must control remote access methods. - CCE-80877-4: Verify firewalld Enabled + CCE-82998-6: Install firewalld Package Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - -The firewalld service can be enabled with the following command: -
$ sudo systemctl enable firewalld.service
+ The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
Applicable - Configurable Verify the operating system controls remote access methods. If it does not, this is a finding. - - -Run the following command to determine the current status of the -firewalld service: -
$ sudo systemctl is-active firewalld
-If the service is running, it should return the following:
active
Is it the case that the "firewalld" service is disabled, masked, or not started.? + Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? Configure the operating system to control remote access methods. - -The firewalld service can be enabled with the following command: -
$ sudo systemctl enable firewalld.service
+ The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
medium @@ -28539,34 +28534,28 @@ TBD - Assigned by DISA after STIG release The operating system must control remote access methods. - CCE-84300-3: Configure the Firewalld Ports + CCE-80877-4: Verify firewalld Enabled Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - Configure the firewalld ports to allow approved services to have access to the system. -To configure firewalld to open ports, run the following command: -
firewall-cmd --permanent --add-port=port_number/tcp
-To configure firewalld to allow access for pre-defined services, run the following -command: -
firewall-cmd --permanent --add-service=service_name
+ +The firewalld service can be enabled with the following command: +
$ sudo systemctl enable firewalld.service
Applicable - Configurable Verify the operating system controls remote access methods. If it does not, this is a finding. - Inspect the list of enabled firewall ports and verify they are configured correctly by running -the following command: - -
$ sudo firewall-cmd --list-all
+ -Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured? +Run the following command to determine the current status of the +firewalld service: +
$ sudo systemctl is-active firewalld
+If the service is running, it should return the following:
active
Is it the case that the "firewalld" service is disabled, masked, or not started.? Configure the operating system to control remote access methods. - Configure the firewalld ports to allow approved services to have access to the system. -To configure firewalld to open ports, run the following command: -
firewall-cmd --permanent --add-port=port_number/tcp
-To configure firewalld to allow access for pre-defined services, run the following -command: -
firewall-cmd --permanent --add-service=service_name
+ +The firewalld service can be enabled with the following command: +
$ sudo systemctl enable firewalld.service
medium @@ -28579,23 +28568,36 @@ TBD - Assigned by DISA after STIG release The operating system must control remote access methods. - CCE-82998-6: Install firewalld Package + CCE-86266-4: Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - The firewalld package can be installed with the following command: -
-$ sudo yum install firewalld
+ Red Hat Enterprise Linux 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. +Zones can be utilized to a deny-all, allow-by-exception approach. +The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. Applicable - Configurable Verify the operating system controls remote access methods. If it does not, this is a finding. - Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? + Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: + +$ sudo firewall-cmd --state + +running + +$ sudo firewall-cmd --get-active-zones + +[custom] +interfaces: ens33 + +$ sudo firewall-cmd --info-zone=[custom] | grep target + +target: DROP Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"? Configure the operating system to control remote access methods. - The firewalld package can be installed with the following command: -
-$ sudo yum install firewalld
+ Red Hat Enterprise Linux 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. +Zones can be utilized to a deny-all, allow-by-exception approach. +The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. medium 
@@ -28608,36 +28610,34 @@ TBD - Assigned by DISA after STIG release The operating system must control remote access methods. - CCE-86266-4: Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems + CCE-84300-3: Configure the Firewalld Ports Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). - Red Hat Enterprise Linux 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. -Zones can be utilized to a deny-all, allow-by-exception approach. -The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. + Configure the firewalld ports to allow approved services to have access to the system. +To configure firewalld to open ports, run the following command: +
firewall-cmd --permanent --add-port=port_number/tcp
+To configure firewalld to allow access for pre-defined services, run the following +command: +
firewall-cmd --permanent --add-service=service_name
Applicable - Configurable Verify the operating system controls remote access methods. If it does not, this is a finding. - Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: - -$ sudo firewall-cmd --state - -running - -$ sudo firewall-cmd --get-active-zones - -[custom] -interfaces: ens33 + Inspect the list of enabled firewall ports and verify they are configured correctly by running +the following command: -$ sudo firewall-cmd --info-zone=[custom] | grep target +
$ sudo firewall-cmd --list-all
-target: DROP Is it the case that no zones are active on the interfaces or if the target is set to a different option other than "DROP"? +Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured? Configure the operating system to control remote access methods. - Red Hat Enterprise Linux 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. -Zones can be utilized to a deny-all, allow-by-exception approach. -The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. + Configure the firewalld ports to allow approved services to have access to the system. +To configure firewalld to open ports, run the following command: +
firewall-cmd --permanent --add-port=port_number/tcp
+To configure firewalld to allow access for pre-defined services, run the following +command: +
firewall-cmd --permanent --add-service=service_name
medium @@ -28834,7 +28834,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account enabling actions. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Auditing account modification actions provides logging that can be used for forensic purposes. @@ -28845,21 +28845,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account enabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account enabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -28867,14 +28867,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -28887,39 +28887,47 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account enabling actions. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Auditing account modification actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account enabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep -E '(/etc/passwd)' --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account enabling actions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -28932,7 +28940,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account enabling actions. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Auditing account modification actions provides logging that can be used for forensic purposes. @@ -28943,21 +28951,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account enabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account enabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -28965,14 +28973,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -28985,7 +28993,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account enabling actions. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Auditing account modification actions provides logging that can be used for forensic purposes. @@ -28996,21 +29004,23 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system automatically audits account enabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/gshadow)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to automatically audit account enabling actions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -29018,14 +29028,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -29091,49 +29101,39 @@ TBD - Assigned by DISA after STIG release The operating system must audit all account enabling actions. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Auditing account modification actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system automatically audits account enabling actions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: --w /etc/gshadow -p wa -k identity +$ sudo auditctl -l | grep/etc/sudoers.d -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to automatically audit account enabling actions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
medium @@ -29196,7 +29196,7 @@ TBD - Assigned by DISA after STIG release The operating system must notify system administrators and ISSOs of account enabling actions. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. @@ -29209,21 +29209,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system notifies the System Administrator and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to notify the System Administrator(s) and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -29231,14 +29231,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -29251,41 +29251,49 @@ TBD - Assigned by DISA after STIG release The operating system must notify system administrators and ISSOs of account enabling actions. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, operating systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system notifies the System Administrator and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep -E '(/etc/passwd)' --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to notify the System Administrator(s) and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -29298,7 +29306,7 @@ TBD - Assigned by DISA after STIG release The operating system must notify system administrators and ISSOs of account enabling actions. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. @@ -29311,21 +29319,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system notifies the System Administrator and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo auditctl -l | grep -E '(/etc/passwd)' --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to notify the System Administrator(s) and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -29333,14 +29341,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -29353,7 +29361,7 @@ TBD - Assigned by DISA after STIG release The operating system must notify system administrators and ISSOs of account enabling actions. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. @@ -29366,21 +29374,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system notifies the System Administrator and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to notify the System Administrator(s) and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -29388,14 +29396,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -29408,7 +29416,7 @@ TBD - Assigned by DISA after STIG release The operating system must notify system administrators and ISSOs of account enabling actions. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. @@ -29421,21 +29429,23 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system notifies the System Administrator and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/gshadow)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to notify the System Administrator(s) and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -29443,14 +29453,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -29518,51 +29528,41 @@ TBD - Assigned by DISA after STIG release The operating system must notify system administrators and ISSOs of account enabling actions. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, operating systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system notifies the System Administrator and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: --w /etc/gshadow -p wa -k identity +$ sudo auditctl -l | grep/etc/sudoers.d -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to notify the System Administrator(s) and Information System Security Officer(s) when accounts are created, or enabled when previously disabled. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
medium 
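Review bot: the check command for the /etc/sudoers.d/ entry (CCE-89497-2) reads `$ sudo auditctl -l | grep/etc/sudoers.d`, with no space between `grep` and its pattern, so as written the shell would look for a command named `grep/etc/sudoers.d`; it appears identically in both the removed and the added copy of that entry, so the defect is in the generator's check text rather than introduced here, and the fix belongs upstream as `$ sudo auditctl -l | grep /etc/sudoers.d`. In the same entry the expected output is given as `-w /etc/sudoers.d/ -p wa -k identity` while the remediation adds `-w /etc/sudoers.d/ -p wa -k actions`, so the documented key does not match the rule the fix text installs; the two should agree, or the check should make clear that only the watched path is being matched. The /etc/gshadow entry's check also ends with both "If the command does not return a line, or the line is commented out, this is a finding." and a separate "Is it the case that the system is not configured to audit account changes?", where every sibling entry uses the single question "Is it the case that the command does not return a line, or the line is commented out?"; aligning it with the siblings would keep the rendered table consistent. Finally, the hunks in this region only reorder the CCE entries (CCE-80758-6, CCE-80759-4, CCE-80760-2, CCE-80761-0, CCE-89497-2) under the same requirement, and CCE-80761-0 (/etc/passwd) is listed twice on both sides (at @@ -29353 and @@ -29408 before, at @@ -29251 and @@ -29306 after); sorting the entries deterministically in the publish step would remove this churn from every automated commit and make the duplicate easy to spot and decide on.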
@@ -29627,23 +29627,23 @@ TBD - Assigned by DISA after STIG release The operating system must allow operating system admins to pass information to any other operating system admin or user. - CCE-81030-9: Enable Kernel Parameter to Enforce DAC on Symlinks + CCE-81027-5: Enable Kernel Parameter to Enforce DAC on Hardlinks Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
+ To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
Applicable - Configurable Verify the operating system allows operating system admins to pass information to any other operating system admin or user. If it does not, this is a finding. - The runtime status of the fs.protected_symlinks kernel parameter can be queried + The runtime status of the fs.protected_hardlinks kernel parameter can be queried by running the following command: -
$ sysctl fs.protected_symlinks
+
$ sysctl fs.protected_hardlinks
1. Is it the case that the correct value is not returned? Configure the operating system to allow operating system admins to pass information to any other operating system admin or user. - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
+ To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
medium 
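Review bot: the expected result of the check is shown as a bare "1." after `$ sysctl fs.protected_hardlinks`, which leaves the pass condition unclear to someone reading the rendered table; stating the full expected line, `fs.protected_hardlinks = 1`, would make the check unambiguous. The hunk itself only swaps the order of CCE-81030-9 (symlinks) and CCE-81027-5 (hardlinks) under this requirement, and the hunk at @@ -29656 performs the inverse swap, so the pair nets to no content change; deterministic ordering in the generator would avoid this noise.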
@@ -29656,23 +29656,23 @@ TBD - Assigned by DISA after STIG release The operating system must allow operating system admins to pass information to any other operating system admin or user. - CCE-81027-5: Enable Kernel Parameter to Enforce DAC on Hardlinks + CCE-81030-9: Enable Kernel Parameter to Enforce DAC on Symlinks Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
+ To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
Applicable - Configurable Verify the operating system allows operating system admins to pass information to any other operating system admin or user. If it does not, this is a finding. - The runtime status of the fs.protected_hardlinks kernel parameter can be queried + The runtime status of the fs.protected_symlinks kernel parameter can be queried by running the following command: -
$ sysctl fs.protected_hardlinks
+
$ sysctl fs.protected_symlinks
1. Is it the case that the correct value is not returned? Configure the operating system to allow operating system admins to pass information to any other operating system admin or user. - To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
+ To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
medium 
@@ -29690,23 +29690,23 @@ TBD - Assigned by DISA after STIG release The operating system must allow operating system admins to grant their privileges to other operating system admins. - CCE-81030-9: Enable Kernel Parameter to Enforce DAC on Symlinks + CCE-81027-5: Enable Kernel Parameter to Enforce DAC on Hardlinks Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
+ To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
Applicable - Configurable Verify the operating system allows operating system admins to grant their privileges to other operating system admins. If it does not, this is a finding. - The runtime status of the fs.protected_symlinks kernel parameter can be queried + The runtime status of the fs.protected_hardlinks kernel parameter can be queried by running the following command: -
$ sysctl fs.protected_symlinks
+
$ sysctl fs.protected_hardlinks
1. Is it the case that the correct value is not returned? Configure the operating system to allow operating system admins to grant their privileges to other operating system admins. - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
+ To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
medium 
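Review bot: the hunk at @@ -29690,23 +29690,23 @@ (and its mirror at @@ -29719,23 +29719,23 @@) only swaps the positions of CCE-81030-9 (fs.protected_symlinks) and CCE-81027-5 (fs.protected_hardlinks): every description, check and fix line removed from one entry is re-added verbatim in the other, so the rendered rules are unchanged. Reorders like this inflate the automated publish diff and bury real changes; sorting rules by a stable key (rule id or CCE) before the datastream is rendered would keep the output identical across runs. While here, the check text renders the expected value as a bare `1.` on the line after `$ sysctl fs.protected_hardlinks`, which reads like a list number; showing the full expected output line `fs.protected_hardlinks = 1` would let an auditor compare it directly against what the command prints.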
@@ -29719,23 +29719,23 @@ TBD - Assigned by DISA after STIG release The operating system must allow operating system admins to grant their privileges to other operating system admins. - CCE-81027-5: Enable Kernel Parameter to Enforce DAC on Hardlinks + CCE-81030-9: Enable Kernel Parameter to Enforce DAC on Symlinks Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. 
While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
+ To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
Applicable - Configurable Verify the operating system allows operating system admins to grant their privileges to other operating system admins. If it does not, this is a finding. - The runtime status of the fs.protected_hardlinks kernel parameter can be queried + The runtime status of the fs.protected_symlinks kernel parameter can be queried by running the following command: -
$ sysctl fs.protected_hardlinks
+
$ sysctl fs.protected_symlinks
1. Is it the case that the correct value is not returned? Configure the operating system to allow operating system admins to grant their privileges to other operating system admins. - To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
+ To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
medium @@ -29771,6 +29771,59 @@ + + CCI-002235 + SRG-OS-000324-GPOS-00125 + TBD - Assigned by DISA after STIG release + The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. + + CCE-80785-9: Disable Ctrl-Alt-Del Reboot Activation + + Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. + By default, SystemD will reboot the system if the Ctrl-Alt-Del +key sequence is pressed. +

+To configure the system to ignore the Ctrl-Alt-Del key sequence from the + +command line instead of rebooting the system, do either of the following: +
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+or +
systemctl mask ctrl-alt-del.target
+

+Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, +as this file may be restored during future system updates. + Applicable - Configurable + Verify that the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. If it does not, this is a finding. + To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check +that the ctrl-alt-del.target is masked and not active with the following +command: +
sudo systemctl status ctrl-alt-del.target
+The output should indicate that the target is masked and not active. It +might resemble following output: +
ctrl-alt-del.target
+Loaded: masked (/dev/null; bad)
+Active: inactive (dead)
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? + Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. + By default, SystemD will reboot the system if the Ctrl-Alt-Del +key sequence is pressed. +

+To configure the system to ignore the Ctrl-Alt-Del key sequence from the + +command line instead of rebooting the system, do either of the following: +
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+or +
systemctl mask ctrl-alt-del.target
+

+Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, +as this file may be restored during future system updates. + high + + + + + CCI-002235 SRG-OS-000324-GPOS-00125 @@ -29840,50 +29893,25 @@ TBD - Assigned by DISA after STIG release The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - CCE-86353-0: Map System Users To The Appropriate SELinux Role + CCE-82361-7: Prevent user from disabling the screen lock Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. - Configure the operating system to prevent non-privileged users from executing -privileged functions to include disabling, circumventing, or altering -implemented security safeguards/countermeasures. All administrators must be -mapped to the sysadm_u or staff_u users with the -appropriate domains (sysadm_t and staff_t). -
$ sudo semanage login -m -s sysadm_u USER
or -
$ sudo semanage login -m -s staff_u USER
-

-All authorized non-administrative -users must be mapped to the user_u role or the appropriate domain -(user_t). -
$ sudo semanage login -m -s user_u USER
+ The tmux terminal multiplexer is used to implement +automatic session locking. It should not be listed in +/etc/shells. Applicable - Configurable Verify that the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. If it does not, this is a finding. - To verify the operating system prevents non-privileged users from executing -privileged functions to include disabling, circumventing, or altering -implemented security safeguards/countermeasures, run the following -command: -
$ sudo semanage login -l
-All administrators must be mapped to the sysadm_u or staff_u -users with the appropriate domains (sysadm_t and staff_t). -

-All authorized non-administrative -users must be mapped to the user_u role or the appropriate domain -(user_t). Is it the case that non-admin users are not confined correctly? + To verify that tmux is not listed as allowed shell on the system +run the following command: +
$ grep 'tmux$' /etc/shells
+The output should be empty. Is it the case that tmux is listed in /etc/shells? Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - Configure the operating system to prevent non-privileged users from executing -privileged functions to include disabling, circumventing, or altering -implemented security safeguards/countermeasures. All administrators must be -mapped to the sysadm_u or staff_u users with the -appropriate domains (sysadm_t and staff_t). -
$ sudo semanage login -m -s sysadm_u USER
or -
$ sudo semanage login -m -s staff_u USER
-

-All authorized non-administrative -users must be mapped to the user_u role or the appropriate domain -(user_t). -
$ sudo semanage login -m -s user_u USER
- medium + The tmux terminal multiplexer is used to implement +automatic session locking. It should not be listed in +/etc/shells. + low @@ -29895,24 +29923,34 @@ TBD - Assigned by DISA after STIG release The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - CCE-81030-9: Enable Kernel Parameter to Enforce DAC on Symlinks + CCE-80784-2: Disable Ctrl-Alt-Del Burst Action Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
+ By default, SystemD will reboot the system if the Ctrl-Alt-Del +key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. +

+To configure the system to ignore the CtrlAltDelBurstAction + +setting, add or modify the following to /etc/systemd/system.conf: +
CtrlAltDelBurstAction=none
Applicable - Configurable Verify that the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. If it does not, this is a finding. - The runtime status of the fs.protected_symlinks kernel parameter can be queried -by running the following command: -
$ sysctl fs.protected_symlinks
-1. - Is it the case that the correct value is not returned? + To ensure the system is configured to ignore the Ctrl-Alt-Del setting, +enter the following command: +
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
+The output should return: +
CtrlAltDelBurstAction=none
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
- medium + By default, SystemD will reboot the system if the Ctrl-Alt-Del +key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. +

+To configure the system to ignore the CtrlAltDelBurstAction + +setting, add or modify the following to /etc/systemd/system.conf: +
CtrlAltDelBurstAction=none
+ high @@ -29953,64 +29991,24 @@ TBD - Assigned by DISA after STIG release The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - CCE-80784-2: Disable Ctrl-Alt-Del Burst Action - - Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - -Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. - By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. -

-To configure the system to ignore the CtrlAltDelBurstAction - -setting, add or modify the following to /etc/systemd/system.conf: -
CtrlAltDelBurstAction=none
- Applicable - Configurable - Verify that the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. If it does not, this is a finding. - To ensure the system is configured to ignore the Ctrl-Alt-Del setting, -enter the following command: -
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
-The output should return: -
CtrlAltDelBurstAction=none
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? - Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. -

-To configure the system to ignore the CtrlAltDelBurstAction - -setting, add or modify the following to /etc/systemd/system.conf: -
CtrlAltDelBurstAction=none
- high - - - - - - - CCI-002235 - SRG-OS-000324-GPOS-00125 - TBD - Assigned by DISA after STIG release - The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - - CCE-82361-7: Prevent user from disabling the screen lock + CCE-81030-9: Enable Kernel Parameter to Enforce DAC on Symlinks Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. - The tmux terminal multiplexer is used to implement -automatic session locking. It should not be listed in -/etc/shells. + To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
Applicable - Configurable Verify that the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. If it does not, this is a finding. - To verify that tmux is not listed as allowed shell on the system -run the following command: -
$ grep 'tmux$' /etc/shells
-The output should be empty. Is it the case that tmux is listed in /etc/shells? + The runtime status of the fs.protected_symlinks kernel parameter can be queried +by running the following command: +
$ sysctl fs.protected_symlinks
+1. + Is it the case that the correct value is not returned? Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - The tmux terminal multiplexer is used to implement -automatic session locking. It should not be listed in -/etc/shells. - low + To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
+ medium @@ -30022,48 +30020,50 @@ TBD - Assigned by DISA after STIG release The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - CCE-80785-9: Disable Ctrl-Alt-Del Reboot Activation + CCE-86353-0: Map System Users To The Appropriate SELinux Role Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. - By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed. -

-To configure the system to ignore the Ctrl-Alt-Del key sequence from the - -command line instead of rebooting the system, do either of the following: -
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
-or -
systemctl mask ctrl-alt-del.target
+ Configure the operating system to prevent non-privileged users from executing +privileged functions to include disabling, circumventing, or altering +implemented security safeguards/countermeasures. All administrators must be +mapped to the sysadm_u or staff_u users with the +appropriate domains (sysadm_t and staff_t). +
$ sudo semanage login -m -s sysadm_u USER
or +
$ sudo semanage login -m -s staff_u USER


-Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, -as this file may be restored during future system updates. +All authorized non-administrative +users must be mapped to the user_u role or the appropriate domain +(user_t). +
$ sudo semanage login -m -s user_u USER
Applicable - Configurable Verify that the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. If it does not, this is a finding. - To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check -that the ctrl-alt-del.target is masked and not active with the following + To verify the operating system prevents non-privileged users from executing +privileged functions to include disabling, circumventing, or altering +implemented security safeguards/countermeasures, run the following command: -
sudo systemctl status ctrl-alt-del.target
-The output should indicate that the target is masked and not active. It -might resemble following output: -
ctrl-alt-del.target
-Loaded: masked (/dev/null; bad)
-Active: inactive (dead)
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? - Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed. +
$ sudo semanage login -l
+All administrators must be mapped to the sysadm_u or staff_u +users with the appropriate domains (sysadm_t and staff_t).

-To configure the system to ignore the Ctrl-Alt-Del key sequence from the - -command line instead of rebooting the system, do either of the following: -
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
-or -
systemctl mask ctrl-alt-del.target
+All authorized non-administrative +users must be mapped to the user_u role or the appropriate domain +(user_t). Is it the case that non-admin users are not confined correctly? + Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. + Configure the operating system to prevent non-privileged users from executing +privileged functions to include disabling, circumventing, or altering +implemented security safeguards/countermeasures. All administrators must be +mapped to the sysadm_u or staff_u users with the +appropriate domains (sysadm_t and staff_t). +
$ sudo semanage login -m -s sysadm_u USER
or +
$ sudo semanage login -m -s staff_u USER


-Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, -as this file may be restored during future system updates. - high +All authorized non-administrative +users must be mapped to the user_u role or the appropriate domain +(user_t). +
$ sudo semanage login -m -s user_u USER
+ medium @@ -30224,6 +30224,89 @@ + + CCI-002238 + SRG-OS-000329-GPOS-00128 + TBD - Assigned by DISA after STIG release + The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. + + CCE-86067-6: Lock Accounts Must Persist + + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. + This rule ensures that the system lock out accounts using pam_faillock.so persist +after system reboot. From "pam_faillock" man pages: +
Note that the default directory that "pam_faillock" uses is usually cleared on system
+boot so the access will be reenabled after system reboot. If that is undesirable, a different
+tally directory must be set with the "dir" option.
+ +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + +The chosen profile expects the directory to be . + Applicable - Configurable + Verify the operating system automatically locks an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. If it does not, this is a finding. + To ensure the tally directory is configured correctly, run the following command: +
$ sudo grep 'dir =' /etc/security/faillock.conf
+The output should show that dir is set to something other than "/var/run/faillock" Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? + Configure the operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. + This rule ensures that the system lock out accounts using pam_faillock.so persist +after system reboot. From "pam_faillock" man pages: +
Note that the default directory that "pam_faillock" uses is usually cleared on system
+boot so the access will be reenabled after system reboot. If that is undesirable, a different
+tally directory must be set with the "dir" option.
+ +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + +The chosen profile expects the directory to be . + medium + + + + + + + CCI-002238 + SRG-OS-000329-GPOS-00128 + TBD - Assigned by DISA after STIG release + The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. + + CCE-87096-4: Do Not Show System Messages When Unsuccessful Logon Attempts Occur + + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. + This rule ensures the system prevents informative messages from being presented to the user +pertaining to logon information after a number of incorrect login attempts using +pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + Applicable - Configurable + Verify the operating system automatically locks an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. If it does not, this is a finding. + To ensure that the system prevents messages from being shown when three unsuccessful logon +attempts occur, run the following command: +
$ grep silent /etc/security/faillock.conf
+The output should show silent. Is it the case that the system shows messages when three unsuccessful logon attempts occur? + Configure the operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. + This rule ensures the system prevents informative messages from being presented to the user +pertaining to logon information after a number of incorrect login attempts using +pam_faillock.so. + +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + medium + + + + + CCI-002238 SRG-OS-000329-GPOS-00128 
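Review bot: in the hunk at @@ -30224,6 +30224,89 @@ the description of CCE-86067-6 ends with "The chosen profile expects the directory to be ." with nothing after "be", so the tally-directory value is empty in the rendered text and the variable that should supply it appears not to have been resolved at build time; the check then says only that dir must be "something other than "/var/run/faillock"", which gives an auditor no concrete path to compare. Please fix the substitution so the expected directory appears in both the description and the check. Two further points on the check commands: `$ sudo grep 'dir =' /etc/security/faillock.conf` and `$ grep silent /etc/security/faillock.conf` also match commented-out lines such as `# dir = ...` and `# silent`, so the output presented as proof of compliance can be produced by a file where neither option is active; anchoring the patterns to the start of the line (`grep '^dir ='`, `grep '^silent'`) avoids a false pass. Minor wording: "ensures that the system lock out accounts using pam_faillock.so persist" should read "ensures that account lockouts enforced by pam_faillock.so persist".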
@@ -30262,6 +30345,59 @@ + + CCI-002238 + SRG-OS-000329-GPOS-00128 + TBD - Assigned by DISA after STIG release + The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. + + CCE-80667-9: Lock Accounts After Failed Password Attempts + + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. + This rule configures the system to lock out accounts after a number of incorrect login attempts +using pam_faillock.so. +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +deny = <count> +Where count should be less than or equal to + and greater than 0. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + Applicable - Configurable + Verify the operating system automatically locks an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 is configured to lock an account after +unsuccessful logon attempts with the command: + + +
$ grep 'deny =' /etc/security/faillock.conf
+deny = . Is it the case that the "deny" option is not set to "" +or less (but not "0"), is missing or commented out? + Configure the operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. + This rule configures the system to lock out accounts after a number of incorrect login attempts +using pam_faillock.so. +pam_faillock.so module requires multiple entries in pam files. These entries must be carefully +defined to work as expected. + +Ensure that the file /etc/security/faillock.conf contains the following entry: +deny = <count> +Where count should be less than or equal to + and greater than 0. + + +In order to avoid errors when manually editing these files, it is +recommended to use the appropriate tools, such as authselect or authconfig, +depending on the OS version. + medium + + + + + CCI-002238 SRG-OS-000329-GPOS-00128 
@@ -30365,147 +30501,34 @@ - - CCI-002238 - SRG-OS-000329-GPOS-00128 - TBD - Assigned by DISA after STIG release - The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. - - CCE-87096-4: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - This rule ensures the system prevents informative messages from being presented to the user -pertaining to logon information after a number of incorrect login attempts using -pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - Applicable - Configurable - Verify the operating system automatically locks an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. If it does not, this is a finding. - To ensure that the system prevents messages from being shown when three unsuccessful logon -attempts occur, run the following command: -
$ grep silent /etc/security/faillock.conf
-The output should show silent. Is it the case that the system shows messages when three unsuccessful logon attempts occur? - Configure the operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. - This rule ensures the system prevents informative messages from being presented to the user -pertaining to logon information after a number of incorrect login attempts using -pam_faillock.so. - -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. - medium - - - - - - - CCI-002238 - SRG-OS-000329-GPOS-00128 - TBD - Assigned by DISA after STIG release - The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. - - CCE-86067-6: Lock Accounts Must Persist - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - This rule ensures that the system lock out accounts using pam_faillock.so persist -after system reboot. From "pam_faillock" man pages: -
Note that the default directory that "pam_faillock" uses is usually cleared on system
-boot so the access will be reenabled after system reboot. If that is undesirable, a different
-tally directory must be set with the "dir" option.
-pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. -The chosen profile expects the directory to be . - Applicable - Configurable - Verify the operating system automatically locks an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. If it does not, this is a finding. - To ensure the tally directory is configured correctly, run the following command: -
$ sudo grep 'dir =' /etc/security/faillock.conf
-The output should show that dir is set to something other than "/var/run/faillock" Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out? - Configure the operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. - This rule ensures that the system lock out accounts using pam_faillock.so persist -after system reboot. From "pam_faillock" man pages: -
Note that the default directory that "pam_faillock" uses is usually cleared on system
-boot so the access will be reenabled after system reboot. If that is undesirable, a different
-tally directory must be set with the "dir" option.
-pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. -The chosen profile expects the directory to be . - medium - - - - - CCI-002238 - SRG-OS-000329-GPOS-00128 + CCI-001914 + SRG-OS-000337-GPOS-00129 TBD - Assigned by DISA after STIG release - The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. - - CCE-80667-9: Lock Accounts After Failed Password Attempts - - By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - This rule configures the system to lock out accounts after a number of incorrect login attempts -using pam_faillock.so. -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. + The operating system must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. -Ensure that the file /etc/security/faillock.conf contains the following entry: -deny = <count> -Where count should be less than or equal to - and greater than 0. + CCE-81043-2: Ensure the audit Subsystem is Installed + If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost. 
-In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. +This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. + The audit package should be installed. Applicable - Configurable - Verify the operating system automatically locks an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 is configured to lock an account after -unsuccessful logon attempts with the command: - - -
$ grep 'deny =' /etc/security/faillock.conf
-deny = . Is it the case that the "deny" option is not set to "" -or less (but not "0"), is missing or commented out? - Configure the operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. - This rule configures the system to lock out accounts after a number of incorrect login attempts -using pam_faillock.so. -pam_faillock.so module requires multiple entries in pam files. These entries must be carefully -defined to work as expected. - -Ensure that the file /etc/security/faillock.conf contains the following entry: -deny = <count> -Where count should be less than or equal to - and greater than 0. - - -In order to avoid errors when manually editing these files, it is -recommended to use the appropriate tools, such as authselect or authconfig, -depending on the OS version. + Verify the operating system provides the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. If it does not, this is a finding. + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + Configure the operating system to provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. + The audit package should be installed. medium - - - - - CCI-001914 SRG-OS-000337-GPOS-00129 @@ -30544,29 +30567,6 @@ - - CCI-001914 - SRG-OS-000337-GPOS-00129 - TBD - Assigned by DISA after STIG release - The operating system must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. - - CCE-81043-2: Ensure the audit Subsystem is Installed - - If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost. - -This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. - The audit package should be installed. - Applicable - Configurable - Verify the operating system provides the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. - The audit package should be installed. - medium - - - - - @@ -30578,57 +30578,7 @@ TBD - Assigned by DISA after STIG release The operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility. - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon - - In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. - -The task of allocating audit record storage capacity is usually performed during initial installation of the operating system. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- Applicable - Configurable - Verify the operating system allocates audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? - Configure the operating system to allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- low - - - - - - - CCI-001849 - SRG-OS-000341-GPOS-00132 - TBD - Assigned by DISA after STIG release - The operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility. - - CCE-84005-8: Configure a Sufficiently Large Partition for Audit Logs + CCE-84005-8: Configure a Sufficiently Large Partition for Audit Logs In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. @@ -30740,6 +30690,56 @@ + + CCI-001849 + SRG-OS-000341-GPOS-00132 + TBD - Assigned by DISA after STIG release + The operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility. + + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon + + In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. + +The task of allocating audit record storage capacity is usually performed during initial installation of the operating system. + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ Applicable - Configurable + Verify the operating system allocates audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. If it does not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? + Configure the operating system to allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ low + + + + + @@ -30751,7 +30751,7 @@ TBD - Assigned by DISA after STIG release The operating system must off-load audit records onto a different system or media from the system being audited. - CCE-86339-9: Ensure Rsyslog Authenticates Off-Loaded Audit Records + CCE-86098-1: Ensure Rsyslog Encrypts Off-Loaded Audit Records Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -30762,14 +30762,17 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs the remote system must be authenticated. +When using rsyslogd to off-load logs off a encrpytion system must be used. Applicable - Configurable Verify the operating system off-loads audit records onto a different system or media from the system being audited. If it does not, this is a finding. - Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: + Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: -
$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-The output should be -
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? +
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+ +The output should be: + +
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? Configure the operating system to off-load audit records onto a different system or media from the system being audited. Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local @@ -30777,7 +30780,7 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs the remote system must be authenticated. +When using rsyslogd to off-load logs off a encrpytion system must be used. medium 
@@ -30790,36 +30793,100 @@ TBD - Assigned by DISA after STIG release The operating system must off-load audit records onto a different system or media from the system being audited. - CCE-85992-6: Ensure Rsyslog Encrypts Off-Loaded Audit Records + CCE-80863-4: Ensure Logs Sent To Remote Host Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. - Rsyslogd is a system utility providing support for message logging. Support -for both internet and UNIX domain sockets enables this utility to support both local -and remote logging. Couple this utility with gnutls (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to securely -encrypt and off-load auditing. - -When using rsyslogd to off-load logs off an encryption system must be used. + To configure rsyslog to send logs to a remote log server, +open /etc/rsyslog.conf and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting appropriately. +The choice of protocol depends on the environment of the system; +although TCP and RELP provide more reliable message delivery, +they may not be supported in all environments. +
+To use UDP for log message delivery: +
*.* @
+
+To use TCP for log message delivery: +
*.* @@
+
+To use RELP for log message delivery: +
*.* :omrelp:
+
+There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. Applicable - Configurable Verify the operating system off-loads audit records onto a different system or media from the system being audited. If it does not, this is a finding. - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: + To ensure logs are sent to a remote host, examine the file +/etc/rsyslog.conf. +If using UDP, a line similar to the following should be present: +
 *.* @
+If using TCP, a line similar to the following should be present: +
 *.* @@
+If using RELP, a line similar to the following should be present: +
 *.* :omrelp:
Is it the case that no evidence that the audit logs are being off-loaded to another system or media? + Configure the operating system to off-load audit records onto a different system or media from the system being audited. + To configure rsyslog to send logs to a remote log server, +open /etc/rsyslog.conf and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting appropriately. +The choice of protocol depends on the environment of the system; +although TCP and RELP provide more reliable message delivery, +they may not be supported in all environments. +
+To use UDP for log message delivery: +
*.* @
+
+To use TCP for log message delivery: +
*.* @@
+
+To use RELP for log message delivery: +
*.* :omrelp:
+
+There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. + medium + + + + -
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+ + CCI-001851 + SRG-OS-000342-GPOS-00133 + TBD - Assigned by DISA after STIG release + The operating system must off-load audit records onto a different system or media from the system being audited. -The output should be: + CCE-85889-4: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full -
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? - Configure the operating system to off-load audit records onto a different system or media from the system being audited. - Rsyslogd is a system utility providing support for message logging. Support -for both internet and UNIX domain sockets enables this utility to support both local -and remote logging. Couple this utility with gnutls (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to securely -encrypt and off-load auditing. + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. -When using rsyslogd to off-load logs off an encryption system must be used. +Off-loading is a common process in information systems with limited audit storage capacity. + The audit system should have an action setup in the event the internal event queue becomes full. +To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action +to one of the following values: syslog, single, halt. + Applicable - Configurable + Verify the operating system off-loads audit records onto a different system or media from the system being audited. If it does not, this is a finding. + Verify the audit system is configured to take an appropriate action when the internal event queue is full: +
$ sudo grep -i overflow_action /etc/audit/auditd.conf
+ +The output should contain overflow_action = syslog + +If the value of the "overflow_action" option is not set to syslog, +single, halt or the line is commented out, ask the System Administrator +to indicate how the audit logs are off-loaded to a different system or media. Is it the case that auditd overflow action is not set correctly? + Configure the operating system to off-load audit records onto a different system or media from the system being audited. + The audit system should have an action setup in the event the internal event queue becomes full. +To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action +to one of the following values: syslog, single, halt. medium @@ -30947,7 +31014,7 @@ TBD - Assigned by DISA after STIG release The operating system must off-load audit records onto a different system or media from the system being audited. - CCE-86098-1: Ensure Rsyslog Encrypts Off-Loaded Audit Records + CCE-86339-9: Ensure Rsyslog Authenticates Off-Loaded Audit Records Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -30958,17 +31025,14 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs off a encrpytion system must be used. +When using rsyslogd to off-load logs the remote system must be authenticated. Applicable - Configurable Verify the operating system off-loads audit records onto a different system or media from the system being audited. If it does not, this is a finding. - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: - -
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
- -The output should be: + Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: -
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? +
$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+The output should be +
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? Configure the operating system to off-load audit records onto a different system or media from the system being audited. Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local @@ -30976,7 +31040,7 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs off a encrpytion system must be used. +When using rsyslogd to off-load logs the remote system must be authenticated. medium @@ -30989,111 +31053,84 @@ TBD - Assigned by DISA after STIG release The operating system must off-load audit records onto a different system or media from the system being audited. - CCE-80863-4: Ensure Logs Sent To Remote Host + CCE-85992-6: Ensure Rsyslog Encrypts Off-Loaded Audit Records Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. - To configure rsyslog to send logs to a remote log server, -open /etc/rsyslog.conf and read and understand the last section of the file, -which describes the multiple directives necessary to activate remote -logging. -Along with these other directives, the system can be configured -to forward its logs to a particular log server by -adding or correcting one of the following lines, -substituting appropriately. -The choice of protocol depends on the environment of the system; -although TCP and RELP provide more reliable message delivery, -they may not be supported in all environments. -
-To use UDP for log message delivery: -
*.* @
-
-To use TCP for log message delivery: -
*.* @@
-
-To use RELP for log message delivery: -
*.* :omrelp:
-
-There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. + Rsyslogd is a system utility providing support for message logging. Support +for both internet and UNIX domain sockets enables this utility to support both local +and remote logging. Couple this utility with gnutls (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to securely +encrypt and off-load auditing. + +When using rsyslogd to off-load logs off an encryption system must be used. Applicable - Configurable Verify the operating system off-loads audit records onto a different system or media from the system being audited. If it does not, this is a finding. - To ensure logs are sent to a remote host, examine the file -/etc/rsyslog.conf. -If using UDP, a line similar to the following should be present: -
 *.* @
-If using TCP, a line similar to the following should be present: -
 *.* @@
-If using RELP, a line similar to the following should be present: -
 *.* :omrelp:
Is it the case that no evidence that the audit logs are being off-loaded to another system or media? + Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: + +
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+ +The output should be: + +
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? Configure the operating system to off-load audit records onto a different system or media from the system being audited. - To configure rsyslog to send logs to a remote log server, -open /etc/rsyslog.conf and read and understand the last section of the file, -which describes the multiple directives necessary to activate remote -logging. -Along with these other directives, the system can be configured -to forward its logs to a particular log server by -adding or correcting one of the following lines, -substituting appropriately. -The choice of protocol depends on the environment of the system; -although TCP and RELP provide more reliable message delivery, -they may not be supported in all environments. -
-To use UDP for log message delivery: -
*.* @
-
-To use TCP for log message delivery: -
*.* @@
-
-To use RELP for log message delivery: -
*.* :omrelp:
-
-There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. + Rsyslogd is a system utility providing support for message logging. Support +for both internet and UNIX domain sockets enables this utility to support both local +and remote logging. Couple this utility with gnutls (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to securely +encrypt and off-load auditing. + +When using rsyslogd to off-load logs off an encryption system must be used. medium + + + + + - CCI-001851 - SRG-OS-000342-GPOS-00133 + CCI-001855 + SRG-OS-000343-GPOS-00134 TBD - Assigned by DISA after STIG release - The operating system must off-load audit records onto a different system or media from the system being audited. - - CCE-85889-4: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full + The operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + CCE-86055-1: Configure auditd space_left on Low Disk Space -Off-loading is a common process in information systems with limited audit storage capacity. - The audit system should have an action setup in the event the internal event queue becomes full. -To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action -to one of the following values: syslog, single, halt. + If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion. + The auditd service can be configured to take an action +when disk space is running low but prior to running out of space completely. +Edit the file /etc/audit/auditd.conf. 
Add or modify the following line, +substituting PERCENTAGE appropriately: +
space_left = PERCENTAGE%
+Set this value to at least 25 to cause the system to +notify the user of an issue. Applicable - Configurable - Verify the operating system off-loads audit records onto a different system or media from the system being audited. If it does not, this is a finding. - Verify the audit system is configured to take an appropriate action when the internal event queue is full: -
$ sudo grep -i overflow_action /etc/audit/auditd.conf
+ Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: -The output should contain overflow_action = syslog +
$ sudo grep -w space_left /etc/audit/auditd.conf
-If the value of the "overflow_action" option is not set to syslog, -single, halt or the line is commented out, ask the System Administrator -to indicate how the audit logs are off-loaded to a different system or media. Is it the case that auditd overflow action is not set correctly? - Configure the operating system to off-load audit records onto a different system or media from the system being audited. - The audit system should have an action setup in the event the internal event queue becomes full. -To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action -to one of the following values: syslog, single, halt. +
space_left = %
Is it the case that the value of the "space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value? + Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. + The auditd service can be configured to take an action +when disk space is running low but prior to running out of space completely. +Edit the file /etc/audit/auditd.conf. Add or modify the following line, +substituting PERCENTAGE appropriately: +
space_left = PERCENTAGE%
+Set this value to at least 25 to cause the system to +notify the user of an issue. medium - - - - - CCI-001855 SRG-OS-000343-GPOS-00134 @@ -31188,43 +31225,6 @@ - - CCI-001855 - SRG-OS-000343-GPOS-00134 - TBD - Assigned by DISA after STIG release - The operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. - - CCE-86055-1: Configure auditd space_left on Low Disk Space - - If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion. - The auditd service can be configured to take an action -when disk space is running low but prior to running out of space completely. -Edit the file /etc/audit/auditd.conf. Add or modify the following line, -substituting PERCENTAGE appropriately: -
space_left = PERCENTAGE%
-Set this value to at least 25 to cause the system to -notify the user of an issue. - Applicable - Configurable - Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: - -
$ sudo grep -w space_left /etc/audit/auditd.conf
- -
space_left = %
Is it the case that the value of the "space_left" keyword is not set to % of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value? - Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. - The auditd service can be configured to take an action -when disk space is running low but prior to running out of space completely. -Edit the file /etc/audit/auditd.conf. Add or modify the following line, -substituting PERCENTAGE appropriately: -
space_left = PERCENTAGE%
-Set this value to at least 25 to cause the system to -notify the user of an issue. - medium - - - - - @@ -31254,6 +31254,29 @@ + + CCI-001875 + SRG-OS-000348-GPOS-00136 + TBD - Assigned by DISA after STIG release + The operating system must provide an audit reduction capability that supports on-demand audit review and analysis. + + CCE-81043-2: Ensure the audit Subsystem is Installed + + The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. + +Audit reduction is a technique used to reduce the volume of audit records in order to facilitate a manual review. Audit reduction does not alter original audit records. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. + The audit package should be installed. + Applicable - Configurable + Verify the operating system provides an audit reduction capability that supports on-demand audit review and analysis. If it does not, this is a finding. + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + Configure the operating system to provide an audit reduction capability that supports on-demand audit review and analysis. + The audit package should be installed. + medium + + + + + CCI-001875 SRG-OS-000348-GPOS-00136 
@@ -31292,22 +31315,29 @@ + + + + + - CCI-001875 - SRG-OS-000348-GPOS-00136 + CCI-001877 + SRG-OS-000349-GPOS-00137 TBD - Assigned by DISA after STIG release - The operating system must provide an audit reduction capability that supports on-demand audit review and analysis. + The operating system must provide an audit reduction capability that supports after-the-fact investigations of security incidents. CCE-81043-2: Ensure the audit Subsystem is Installed - The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. + If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. -Audit reduction is a technique used to reduce the volume of audit records in order to facilitate a manual review. Audit reduction does not alter original audit records. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. +Audit reduction capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools. + +This requirement is specific to operating systems with audit reduction capabilities. The audit package should be installed. Applicable - Configurable - Verify the operating system provides an audit reduction capability that supports on-demand audit review and analysis. If it does not, this is a finding. + Verify the operating system provides an audit reduction capability that supports after-the-fact investigations of security incidents. If it does not, this is a finding. 
Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to provide an audit reduction capability that supports on-demand audit review and analysis. + Configure the operating system to provide an audit reduction capability that supports after-the-fact investigations of security incidents. The audit package should be installed. medium @@ -31315,11 +31345,6 @@ - - - - - CCI-001877 SRG-OS-000349-GPOS-00137 
@@ -31360,24 +31385,27 @@ + + + + + - CCI-001877 - SRG-OS-000349-GPOS-00137 + CCI-001878 + SRG-OS-000350-GPOS-00138 TBD - Assigned by DISA after STIG release - The operating system must provide an audit reduction capability that supports after-the-fact investigations of security incidents. + The operating system must provide a report generation capability that supports on-demand audit review and analysis. CCE-81043-2: Ensure the audit Subsystem is Installed - If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. - -Audit reduction capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools. + The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. -This requirement is specific to operating systems with audit reduction capabilities. +Report generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. The audit package should be installed. Applicable - Configurable - Verify the operating system provides an audit reduction capability that supports after-the-fact investigations of security incidents. If it does not, this is a finding. + Verify the operating system provides a report generation capability that supports on-demand audit review and analysis. If it does not, this is a finding. 
Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to provide an audit reduction capability that supports after-the-fact investigations of security incidents. + Configure the operating system to provide a report generation capability that supports on-demand audit review and analysis. The audit package should be installed. medium @@ -31385,11 +31413,6 @@ - - - - - CCI-001878 SRG-OS-000350-GPOS-00138 
@@ -31428,22 +31451,27 @@ + + + + + - CCI-001878 - SRG-OS-000350-GPOS-00138 + CCI-001879 + SRG-OS-000351-GPOS-00139 TBD - Assigned by DISA after STIG release - The operating system must provide a report generation capability that supports on-demand audit review and analysis. + The operating system must provide a report generation capability that supports on-demand reporting requirements. CCE-81043-2: Ensure the audit Subsystem is Installed - The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. + The report generation capability must support on-demand reporting in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. Report generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. The audit package should be installed. Applicable - Configurable - Verify the operating system provides a report generation capability that supports on-demand audit review and analysis. If it does not, this is a finding. + Verify the operating system provides a report generation capability that supports on-demand reporting requirements. If it does not, this is a finding. Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to provide a report generation capability that supports on-demand audit review and analysis. + Ensure the operating system provides a report generation capability that supports on-demand reporting requirements. The audit package should be installed. medium @@ -31451,11 +31479,6 @@ - - - - - CCI-001879 SRG-OS-000351-GPOS-00139 
@@ -31494,22 +31517,27 @@ + + + + + - CCI-001879 - SRG-OS-000351-GPOS-00139 + CCI-001880 + SRG-OS-000352-GPOS-00140 TBD - Assigned by DISA after STIG release - The operating system must provide a report generation capability that supports on-demand reporting requirements. + The operating system must provide a report generation capability that supports after-the-fact investigations of security incidents. CCE-81043-2: Ensure the audit Subsystem is Installed - The report generation capability must support on-demand reporting in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. + If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. -Report generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. +The report generation capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools. The audit package should be installed. Applicable - Configurable - Verify the operating system provides a report generation capability that supports on-demand reporting requirements. If it does not, this is a finding. + Verify the operating system provides a report generation capability that supports after-the-fact investigations of security incidents. If it does not, this is a finding. Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Ensure the operating system provides a report generation capability that supports on-demand reporting requirements. + Ensure the operating system provides a report generation capability that supports after-the-fact investigations of security incidents. The audit package should be installed. medium @@ -31517,11 +31545,6 @@ - - - - - CCI-001880 SRG-OS-000352-GPOS-00140 
@@ -31560,22 +31583,29 @@ + + + + + - CCI-001880 - SRG-OS-000352-GPOS-00140 + CCI-001881 + SRG-OS-000353-GPOS-00141 TBD - Assigned by DISA after STIG release - The operating system must provide a report generation capability that supports after-the-fact investigations of security incidents. + The operating system must not alter original content or time ordering of audit records when it provides an audit reduction capability. CCE-81043-2: Ensure the audit Subsystem is Installed - If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. + If the audit reduction capability alters the content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for forensic analysis. -The report generation capability must support after-the-fact investigations of security incidents either natively or through the use of third-party tools. +Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this. + +This requirement is specific to operating systems providing audit reduction capabilities. The audit reduction capability can be met either natively or through the use of third-party tools. The audit package should be installed. Applicable - Configurable - Verify the operating system provides a report generation capability that supports after-the-fact investigations of security incidents. If it does not, this is a finding. 
+ Verify the operating system does not alter original content or time ordering of audit records when it provides an audit reduction capability. If it does not, this is a finding. Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Ensure the operating system provides a report generation capability that supports after-the-fact investigations of security incidents. + Configure the operating system to not alter original content or time ordering of audit records when it provides an audit reduction capability. The audit package should be installed. medium @@ -31583,11 +31613,6 @@ - - - - - CCI-001881 SRG-OS-000353-GPOS-00141 
@@ -31628,24 +31653,29 @@ + + + + + - CCI-001881 - SRG-OS-000353-GPOS-00141 + CCI-001882 + SRG-OS-000354-GPOS-00142 TBD - Assigned by DISA after STIG release - The operating system must not alter original content or time ordering of audit records when it provides an audit reduction capability. + The operating system must not alter original content or time ordering of audit records when it provides a report generation capability. CCE-81043-2: Ensure the audit Subsystem is Installed - If the audit reduction capability alters the content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for forensic analysis. + If the report generation capability alters the content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for forensic analysis. -Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this. +Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this. -This requirement is specific to operating systems providing audit reduction capabilities. The audit reduction capability can be met either natively or through the use of third-party tools. +This requirement is specific to operating systems providing report generation capabilities. The report generation capability can be met either natively or through the use of third-party tools. The audit package should be installed. Applicable - Configurable - Verify the operating system does not alter original content or time ordering of audit records when it provides an audit reduction capability. If it does not, this is a finding. 
+ Verify the operating system does not alter original content or time ordering of audit records when it provides a report generation capability. If it does not, this is a finding. Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to not alter original content or time ordering of audit records when it provides an audit reduction capability. + Configure the operating system to not alter original content or time ordering of audit records when it provides a report generation capability. The audit package should be installed. medium @@ -31653,11 +31683,6 @@ - - - - - CCI-001882 SRG-OS-000354-GPOS-00142 @@ -31698,31 +31723,6 @@ - - CCI-001882 - SRG-OS-000354-GPOS-00142 - TBD - Assigned by DISA after STIG release - The operating system must not alter original content or time ordering of audit records when it provides a report generation capability. - - CCE-81043-2: Ensure the audit Subsystem is Installed - - If the report generation capability alters the content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for forensic analysis. - -Time ordering refers to the chronological organization of records based on time stamps. The degree of time stamp precision can affect this. - -This requirement is specific to operating systems providing report generation capabilities. The report generation capability can be met either natively or through the use of third-party tools. - The audit package should be installed. - Applicable - Configurable - Verify the operating system does not alter original content or time ordering of audit records when it provides a report generation capability. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to not alter original content or time ordering of audit records when it provides a report generation capability. - The audit package should be installed. - medium - - - - - @@ -31888,32 +31888,17 @@ TBD - Assigned by DISA after STIG release The operating system must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. - CCE-80872-5: Enable auditd Service + CCE-81043-2: Ensure the audit Subsystem is Installed Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the operating system include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ The audit package should be installed. Applicable - Configurable Verify the operating system records time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. If it does not, this is a finding. - - -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? Configure the operating system to record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+ The audit package should be installed. medium @@ -31926,17 +31911,32 @@ TBD - Assigned by DISA after STIG release The operating system must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. - CCE-81043-2: Ensure the audit Subsystem is Installed + CCE-80872-5: Enable auditd Service Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the operating system include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks. - The audit package should be installed. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
Applicable - Configurable Verify the operating system records time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + + +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? Configure the operating system to record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. - The audit package should be installed. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
medium @@ -32071,6 +32071,35 @@ + + CCI-001744 + SRG-OS-000363-GPOS-00150 + TBD - Assigned by DISA after STIG release + The operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. + + CCE-87036-0: The mailx Package Is Installed + + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + A mail server is required for sending emails. +The mailx package can be installed with the following command: +
+$ sudo yum install mailx
+ Applicable - Configurable + Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. If it does not, this is a finding. + Run the following command to determine if the mailx package is installed:
$ rpm -q mailx
Is it the case that the package is not installed? + Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. + A mail server is required for sending emails. +The mailx package can be installed with the following command: +
+$ sudo yum install mailx
+ medium + + + + + CCI-001744 SRG-OS-000363-GPOS-00150 @@ -32112,35 +32141,6 @@ - - CCI-001744 - SRG-OS-000363-GPOS-00150 - TBD - Assigned by DISA after STIG release - The operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. - - CCE-87036-0: The mailx Package Is Installed - - Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. - A mail server is required for sending emails. -The mailx package can be installed with the following command: -
-$ sudo yum install mailx
- Applicable - Configurable - Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. If it does not, this is a finding. - Run the following command to determine if the mailx package is installed:
$ rpm -q mailx
Is it the case that the package is not installed? - Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. - A mail server is required for sending emails. -The mailx package can be installed with the following command: -
-$ sudo yum install mailx
- medium - - - - - @@ -32152,7 +32152,7 @@ TBD - Assigned by DISA after STIG release The operating system must enforce access restrictions. - CCE-80898-0: Disable Kerberos Authentication + CCE-80897-2: Disable GSSAPI Authentication Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. @@ -32162,38 +32162,38 @@ Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like Kerberos. +authentication mechanisms like GSSAPI.
-The default SSH configuration disallows authentication validation through Kerberos. -The appropriate configuration is used if no value is set for KerberosAuthentication. +The default SSH configuration disallows authentications based on GSSAPI. The appropriate +configuration is used if no value is set for GSSAPIAuthentication.
-To explicitly disable Kerberos authentication, add or correct the following line in +To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config: -
KerberosAuthentication no
+
GSSAPIAuthentication no
Applicable - Configurable Verify the operating system enforces access restrictions. If it does not, this is a finding. - To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: + To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: -
$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
+
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? Configure the operating system to enforce access restrictions. Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like Kerberos. +authentication mechanisms like GSSAPI.
-The default SSH configuration disallows authentication validation through Kerberos. -The appropriate configuration is used if no value is set for KerberosAuthentication. +The default SSH configuration disallows authentications based on GSSAPI. The appropriate +configuration is used if no value is set for GSSAPIAuthentication.
-To explicitly disable Kerberos authentication, add or correct the following line in +To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config: -
KerberosAuthentication no
+
GSSAPIAuthentication no
medium @@ -32206,7 +32206,7 @@ TBD - Assigned by DISA after STIG release The operating system must enforce access restrictions. - CCE-80897-2: Disable GSSAPI Authentication + CCE-80898-0: Disable Kerberos Authentication Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. @@ -32216,38 +32216,38 @@ Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like GSSAPI. +authentication mechanisms like Kerberos.
-The default SSH configuration disallows authentications based on GSSAPI. The appropriate -configuration is used if no value is set for GSSAPIAuthentication. +The default SSH configuration disallows authentication validation through Kerberos. +The appropriate configuration is used if no value is set for KerberosAuthentication.
-To explicitly disable GSSAPI authentication, add or correct the following line in +To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config: -
GSSAPIAuthentication no
+
KerberosAuthentication no
Applicable - Configurable Verify the operating system enforces access restrictions. If it does not, this is a finding. - To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: + To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: -
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
+
$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? Configure the operating system to enforce access restrictions. Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like GSSAPI. +authentication mechanisms like Kerberos.
-The default SSH configuration disallows authentications based on GSSAPI. The appropriate -configuration is used if no value is set for GSSAPIAuthentication. +The default SSH configuration disallows authentication validation through Kerberos. +The appropriate configuration is used if no value is set for KerberosAuthentication.
-To explicitly disable GSSAPI authentication, add or correct the following line in +To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config: -
GSSAPIAuthentication no
+
KerberosAuthentication no
medium @@ -32259,6 +32259,29 @@ + + CCI-001814 + SRG-OS-000365-GPOS-00152 + TBD - Assigned by DISA after STIG release + The operating system must audit the enforcement actions used to restrict access associated with changes to the system. + + CCE-81043-2: Ensure the audit Subsystem is Installed + + Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. + +Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. + The audit package should be installed. + Applicable - Configurable + Verify the operating system audits the enforcement actions used to restrict access associated with changes to the system. If it does not, this is a finding. + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + Configure the operating system to audit the enforcement actions used to restrict access associated with changes to the system. + The audit package should be installed. + medium + + + + + CCI-001814 SRG-OS-000365-GPOS-00152 
@@ -32297,69 +32320,74 @@ + + + + + - CCI-001814 - SRG-OS-000365-GPOS-00152 + CCI-001749 + SRG-OS-000366-GPOS-00153 TBD - Assigned by DISA after STIG release - The operating system must audit the enforcement actions used to restrict access associated with changes to the system. + The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - CCE-81043-2: Ensure the audit Subsystem is Installed + CCE-80791-7: Ensure gpgcheck Enabled for Local Packages - Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. + Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. -Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. - The audit package should be installed. +Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. + +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. + yum should be configured to verify the signature(s) of local packages +prior to installation. To configure yum to verify signatures of local +packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. Applicable - Configurable - Verify the operating system audits the enforcement actions used to restrict access associated with changes to the system. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to audit the enforcement actions used to restrict access associated with changes to the system. - The audit package should be installed. - medium + Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. If it does not, this is a finding. + Verify that yum verifies the signature of local packages prior to install with the following command: + +
$ grep localpkg_gpgcheck /etc/yum.conf
+ +
localpkg_gpgcheck=1
+ +If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. Is it the case that there is no process to validate certificates for local packages that is approved by the organization? + Configure the operating system to prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. + yum should be configured to verify the signature(s) of local packages +prior to installation. To configure yum to verify signatures of local +packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. + high - - - - - CCI-001749 SRG-OS-000366-GPOS-00153 TBD - Assigned by DISA after STIG release The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - CCE-80790-9: Ensure gpgcheck Enabled In Main yum Configuration + CCE-80792-5: Ensure gpgcheck Enabled for All yum Package Repositories Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. 
The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. - The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
+ To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
Applicable - Configurable Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. If it does not, this is a finding. - Verify that yum verifies the signature of packages from a repository prior to install with the following command: - -
$ grep gpgcheck /etc/yum.conf
- -
gpgcheck=1
- -If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. Is it the case that there is no process to validate certificates that is approved by the organization? + To determine whether yum has been configured to disable +gpgcheck for any repos, inspect all files in +/etc/yum.repos.d and ensure the following does not appear in any +sections: +
gpgcheck=0
+A value of 0 indicates that gpgcheck has been disabled for that repo. Is it the case that GPG checking is disabled? Configure the operating system to prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
+ To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
high @@ -32461,63 +32489,35 @@ TBD - Assigned by DISA after STIG release The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - CCE-80791-7: Ensure gpgcheck Enabled for Local Packages + CCE-80790-9: Ensure gpgcheck Enabled In Main yum Configuration Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. - yum should be configured to verify the signature(s) of local packages -prior to installation. To configure yum to verify signatures of local -packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. + The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
Applicable - Configurable Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. If it does not, this is a finding. - Verify that yum verifies the signature of local packages prior to install with the following command: - -
$ grep localpkg_gpgcheck /etc/yum.conf
- -
localpkg_gpgcheck=1
- -If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. Is it the case that there is no process to validate certificates for local packages that is approved by the organization? - Configure the operating system to prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - yum should be configured to verify the signature(s) of local packages -prior to installation. To configure yum to verify signatures of local -packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. - high - - - - - - - CCI-001749 - SRG-OS-000366-GPOS-00153 - TBD - Assigned by DISA after STIG release - The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - - CCE-80792-5: Ensure gpgcheck Enabled for All yum Package Repositories + Verify that yum verifies the signature of packages from a repository prior to install with the following command: - Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +
$ grep gpgcheck /etc/yum.conf
-Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. +
gpgcheck=1
-Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. - To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
- Applicable - Configurable - Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. If it does not, this is a finding. - To determine whether yum has been configured to disable -gpgcheck for any repos, inspect all files in -/etc/yum.repos.d and ensure the following does not appear in any -sections: -
gpgcheck=0
-A value of 0 indicates that gpgcheck has been disabled for that repo. Is it the case that GPG checking is disabled? +If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. Is it the case that there is no process to validate certificates that is approved by the organization? Configure the operating system to prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
+ The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
high @@ -32535,33 +32535,30 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82921-8: Add nosuid Option to /var/log/audit + CCE-82249-4: Enable the File Access Policy Service Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nosuid mount option can be used to prevent -execution of setuid programs in /var/log/audit. The SUID and SGID permissions -should not be required in directories containing audit log files. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/log/audit. + The File Access Policy service should be enabled. + +The fapolicyd service can be enabled with the following command: +
$ sudo systemctl enable fapolicyd.service
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nosuid option is configured for the /var/log/audit mount point, - run the following command: -
$ sudo mount | grep '\s/var/log/audit\s'
-
. . . /var/log/audit . . . nosuid . . .
- Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set? + + +Run the following command to determine the current status of the +fapolicyd service: +
$ sudo systemctl is-active fapolicyd
+If the service is running, it should return the following:
active
Is it the case that the service is not enabled? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nosuid mount option can be used to prevent -execution of setuid programs in /var/log/audit. The SUID and SGID permissions -should not be required in directories containing audit log files. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/log/audit. + The File Access Policy service should be enabled. + +The fapolicyd service can be enabled with the following command: +
$ sudo systemctl enable fapolicyd.service
medium 
@@ -32574,37 +32571,36 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82077-9: Add nodev Option to /var/log + CCE-82069-6: Add nodev Option to Non-Root Local Partitions Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nodev mount option can be used to prevent device files from -being created in /var/log. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. + The nodev mount option prevents files from being interpreted as +character or block devices. Legitimate character and block devices should +exist only in the /dev directory on the root partition or within +chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log. 
+ + any non-root local partitions. Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nodev option is configured for the /var/log mount point, - run the following command: -
$ sudo mount | grep '\s/var/log\s'
-
. . . /var/log . . . nodev . . .
- Is it the case that the "/var/log" file system does not have the "nodev" option set? + To verify the nodev option is configured for non-root local partitions, run the following command: +
$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
+The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. + Is it the case that some mounts appear among output lines? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nodev mount option can be used to prevent device files from -being created in /var/log. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. + The nodev mount option prevents files from being interpreted as +character or block devices. Legitimate character and block devices should +exist only in the /dev directory on the root partition or within +chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log. + + any non-root local partitions. medium 
@@ -32617,31 +32613,33 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82139-7: Add noexec Option to /tmp + CCE-82154-6: Add nosuid Option to /var/tmp Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The noexec mount option can be used to prevent binaries -from being executed out of /tmp. -Add the noexec option to the fourth column of + The nosuid mount option can be used to prevent +execution of setuid programs in /var/tmp. The SUID and SGID permissions +should not be required in these world-writable directories. +Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/tmp. +/var/tmp. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the noexec option is configured for the /tmp mount point, + Verify the nosuid option is configured for the /var/tmp mount point, run the following command: -
$ sudo mount | grep '\s/tmp\s'
-
. . . /tmp . . . noexec . . .
- Is it the case that the "/tmp" file system does not have the "noexec" option set? +
$ sudo mount | grep '\s/var/tmp\s'
+
. . . /var/tmp . . . nosuid . . .
+ Is it the case that the "/var/tmp" file system does not have the "nosuid" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The noexec mount option can be used to prevent binaries -from being executed out of /tmp. -Add the noexec option to the fourth column of + The nosuid mount option can be used to prevent +execution of setuid programs in /var/tmp. The SUID and SGID permissions +should not be required in these world-writable directories. +Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/tmp. +/var/tmp. medium 
@@ -32654,35 +32652,23 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-80838-6: Add noexec Option to /dev/shm + CCE-82191-8: Install fapolicyd Package Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The noexec mount option can be used to prevent binaries -from being executed out of /dev/shm. -It can be dangerous to allow the execution of binaries -from world-writable temporary storage directories such as /dev/shm. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/dev/shm. + The fapolicyd package can be installed with the following command: +
+$ sudo yum install fapolicyd
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the noexec option is configured for the /dev/shm mount point, - run the following command: -
$ sudo mount | grep '\s/dev/shm\s'
-
. . . /dev/shm . . . noexec . . .
- Is it the case that the "/dev/shm" file system does not have the "noexec" option set? + Run the following command to determine if the fapolicyd package is installed:
$ rpm -q fapolicyd
Is it the case that the fapolicyd package is not installed? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The noexec mount option can be used to prevent binaries -from being executed out of /dev/shm. -It can be dangerous to allow the execution of binaries -from world-writable temporary storage directories such as /dev/shm. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/dev/shm. + The fapolicyd package can be installed with the following command: +
+$ sudo yum install fapolicyd
medium 
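Review bot: the check `$ rpm -q fapolicyd` in the `+` lines only establishes that the package is on disk; nothing in this entry verifies that the fapolicyd service is enabled and running or that a policy is loaded, so a host with the package installed and the daemon stopped satisfies a rule whose stated requirement is to prevent program execution. The check text should either reference the companion service rule or state that installation alone does not meet SRG-OS-000368-GPOS-00154. Also, the `-` block for CCE-80838-6 (noexec on /dev/shm) is removed here and is not re-added in any hunk of this patch that I can see; confirm it is still emitted elsewhere in the regenerated file rather than silently dropped.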
@@ -32695,36 +32681,37 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82069-6: Add nodev Option to Non-Root Local Partitions + CCE-82080-3: Add nodev Option to /var/log/audit Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nodev mount option prevents files from being interpreted as -character or block devices. Legitimate character and block devices should -exist only in the /dev directory on the root partition or within -chroot jails built for system services. + The nodev mount option can be used to prevent device files from +being created in /var/log/audit. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. 
Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of - - any non-root local partitions. +/var/log/audit. Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - To verify the nodev option is configured for non-root local partitions, run the following command: -
$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
-The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. - Is it the case that some mounts appear among output lines? + Verify the nodev option is configured for the /var/log/audit mount point, + run the following command: +
$ sudo mount | grep '\s/var/log/audit\s'
+
. . . /var/log/audit . . . nodev . . .
+ Is it the case that the "/var/log/audit" file system does not have the "nodev" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nodev mount option prevents files from being interpreted as -character or block devices. Legitimate character and block devices should -exist only in the /dev directory on the root partition or within -chroot jails built for system services. + The nodev mount option can be used to prevent device files from +being created in /var/log/audit. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of - - any non-root local partitions. +/var/log/audit. medium @@ -32737,7 +32724,7 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82154-6: Add nosuid Option to /var/tmp + CCE-81050-7: Add nosuid Option to /home Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. 
@@ -32745,25 +32732,25 @@ Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). The nosuid mount option can be used to prevent -execution of setuid programs in /var/tmp. The SUID and SGID permissions -should not be required in these world-writable directories. +execution of setuid programs in /home. The SUID and SGID permissions +should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/var/tmp. +/home. Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nosuid option is configured for the /var/tmp mount point, + Verify the nosuid option is configured for the /home mount point, run the following command: -
$ sudo mount | grep '\s/var/tmp\s'
-
. . . /var/tmp . . . nosuid . . .
- Is it the case that the "/var/tmp" file system does not have the "nosuid" option set? +
$ sudo mount | grep '\s/home\s'
+
. . . /home . . . nosuid . . .
+ Is it the case that the "/home" file system does not have the "nosuid" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. The nosuid mount option can be used to prevent -execution of setuid programs in /var/tmp. The SUID and SGID permissions -should not be required in these world-writable directories. +execution of setuid programs in /home. The SUID and SGID permissions +should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/var/tmp. +/home. medium 
@@ -32776,33 +32763,33 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-81033-3: Add nosuid Option to /boot + CCE-80839-4: Add nosuid Option to /dev/shm Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nosuid mount option can be used to prevent -execution of setuid programs in /boot. The SUID and SGID permissions -should not be required on the boot partition. + The nosuid mount option can be used to prevent execution +of setuid programs in /dev/shm. The SUID and SGID permissions should not +be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/boot. +/dev/shm. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nosuid option is configured for the /boot mount point, + Verify the nosuid option is configured for the /dev/shm mount point, run the following command: -
$ sudo mount | grep '\s/boot\s'
-
. . . /boot . . . nosuid . . .
- Is it the case that the "/boot" file system does not have the "nosuid" option set? +
$ sudo mount | grep '\s/dev/shm\s'
+
. . . /dev/shm . . . nosuid . . .
+ Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nosuid mount option can be used to prevent -execution of setuid programs in /boot. The SUID and SGID permissions -should not be required on the boot partition. + The nosuid mount option can be used to prevent execution +of setuid programs in /dev/shm. The SUID and SGID permissions should not +be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/boot. +/dev/shm. medium 
@@ -32815,33 +32802,31 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82065-4: Add nosuid Option to /var/log + CCE-82139-7: Add noexec Option to /tmp Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nosuid mount option can be used to prevent -execution of setuid programs in /var/log. The SUID and SGID permissions -should not be required in directories containing log files. -Add the nosuid option to the fourth column of + The noexec mount option can be used to prevent binaries +from being executed out of /tmp. +Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log. +/tmp. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nosuid option is configured for the /var/log mount point, + Verify the noexec option is configured for the /tmp mount point, run the following command: -
$ sudo mount | grep '\s/var/log\s'
-
. . . /var/log . . . nosuid . . .
- Is it the case that the "/var/log" file system does not have the "nosuid" option set? +
$ sudo mount | grep '\s/tmp\s'
+
. . . /tmp . . . noexec . . .
+ Is it the case that the "/tmp" file system does not have the "noexec" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nosuid mount option can be used to prevent -execution of setuid programs in /var/log. The SUID and SGID permissions -should not be required in directories containing log files. -Add the nosuid option to the fourth column of + The noexec mount option can be used to prevent binaries +from being executed out of /tmp. +Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log. +/tmp. medium 
@@ -32854,31 +32839,29 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82068-8: Add nodev Option to /var/tmp + CCE-82151-2: Add noexec Option to /var/tmp Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nodev mount option can be used to prevent device files from -being created in /var/tmp. Legitimate character and block devices -should not exist within temporary directories like /var/tmp. -Add the nodev option to the fourth column of + The noexec mount option can be used to prevent binaries +from being executed out of /var/tmp. +Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nodev option is configured for the /var/tmp mount point, + Verify the noexec option is configured for the /var/tmp mount point, run the following command:
$ sudo mount | grep '\s/var/tmp\s'
-
. . . /var/tmp . . . nodev . . .
- Is it the case that the "/var/tmp" file system does not have the "nodev" option set? +
. . . /var/tmp . . . noexec . . .
+ Is it the case that the "/var/tmp" file system does not have the "noexec" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nodev mount option can be used to prevent device files from -being created in /var/tmp. Legitimate character and block devices -should not exist within temporary directories like /var/tmp. -Add the nodev option to the fourth column of + The noexec mount option can be used to prevent binaries +from being executed out of /var/tmp. +Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp. medium 
@@ -32887,6 +32870,45 @@ + + CCI-001764 + SRG-OS-000368-GPOS-00154 + TBD - Assigned by DISA after STIG release + The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. + + CCE-81033-3: Add nosuid Option to /boot + + Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. + +Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. + +Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). + The nosuid mount option can be used to prevent +execution of setuid programs in /boot. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + Applicable - Configurable + Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. 
+ Verify the nosuid option is configured for the /boot mount point, + run the following command: +
$ sudo mount | grep '\s/boot\s'
+
. . . /boot . . . nosuid . . .
+ Is it the case that the "/boot" file system does not have the "nosuid" option set? + Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. + The nosuid mount option can be used to prevent +execution of setuid programs in /boot. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + medium + + + + + CCI-001764 SRG-OS-000368-GPOS-00154 
@@ -32930,6 +32952,45 @@ + + CCI-001764 + SRG-OS-000368-GPOS-00154 + TBD - Assigned by DISA after STIG release + The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. + + CCE-82623-0: Add nodev Option to /tmp + + Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. + +Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. + +Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). + The nodev mount option can be used to prevent device files from +being created in /tmp. Legitimate character and block devices +should not exist within temporary directories like /tmp. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/tmp. + Applicable - Configurable + Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. 
+ Verify the nodev option is configured for the /tmp mount point, + run the following command: +
$ sudo mount | grep '\s/tmp\s'
+
. . . /tmp . . . nodev . . .
+ Is it the case that the "/tmp" file system does not have the "nodev" option set? + Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. + The nodev mount option can be used to prevent device files from +being created in /tmp. Legitimate character and block devices +should not exist within temporary directories like /tmp. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/tmp. + medium + + + + + CCI-001764 SRG-OS-000368-GPOS-00154 
@@ -32973,33 +33034,33 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-80839-4: Add nosuid Option to /dev/shm + CCE-82068-8: Add nodev Option to /var/tmp Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nosuid mount option can be used to prevent execution -of setuid programs in /dev/shm. The SUID and SGID permissions should not -be required in these world-writable directories. -Add the nosuid option to the fourth column of + The nodev mount option can be used to prevent device files from +being created in /var/tmp. Legitimate character and block devices +should not exist within temporary directories like /var/tmp. +Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -/dev/shm. +/var/tmp. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nosuid option is configured for the /dev/shm mount point, + Verify the nodev option is configured for the /var/tmp mount point, run the following command: -
$ sudo mount | grep '\s/dev/shm\s'
-
. . . /dev/shm . . . nosuid . . .
- Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? +
$ sudo mount | grep '\s/var/tmp\s'
+
. . . /var/tmp . . . nodev . . .
+ Is it the case that the "/var/tmp" file system does not have the "nodev" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nosuid mount option can be used to prevent execution -of setuid programs in /dev/shm. The SUID and SGID permissions should not -be required in these world-writable directories. -Add the nosuid option to the fourth column of + The nodev mount option can be used to prevent device files from +being created in /var/tmp. Legitimate character and block devices +should not exist within temporary directories like /var/tmp. +Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -/dev/shm. +/var/tmp. medium 
@@ -33012,37 +33073,31 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82080-3: Add nodev Option to /var/log/audit + CCE-82008-4: Add noexec Option to /var/log Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nodev mount option can be used to prevent device files from -being created in /var/log/audit. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of + The noexec mount option can be used to prevent binaries +from being executed out of /var/log. +Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log/audit. +/var/log. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nodev option is configured for the /var/log/audit mount point, + Verify the noexec option is configured for the /var/log mount point, run the following command: -
$ sudo mount | grep '\s/var/log/audit\s'
-
. . . /var/log/audit . . . nodev . . .
- Is it the case that the "/var/log/audit" file system does not have the "nodev" option set? +
$ sudo mount | grep '\s/var/log\s'
+
. . . /var/log . . . noexec . . .
+ Is it the case that the "/var/log" file system does not have the "noexec" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nodev mount option can be used to prevent device files from -being created in /var/log/audit. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of + The noexec mount option can be used to prevent binaries +from being executed out of /var/log. +Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log/audit. +/var/log. medium 
@@ -33055,33 +33110,33 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-80837-8: Add nodev Option to /dev/shm + CCE-82065-4: Add nosuid Option to /var/log Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nodev mount option can be used to prevent creation of device -files in /dev/shm. Legitimate character and block devices should -not exist within temporary directories like /dev/shm. -Add the nodev option to the fourth column of + The nosuid mount option can be used to prevent +execution of setuid programs in /var/log. The SUID and SGID permissions +should not be required in directories containing log files. +Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/dev/shm. +/var/log. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nodev option is configured for the /dev/shm mount point, + Verify the nosuid option is configured for the /var/log mount point, run the following command: -
$ sudo mount | grep '\s/dev/shm\s'
-
. . . /dev/shm . . . nodev . . .
- Is it the case that the "/dev/shm" file system does not have the "nodev" option set? +
$ sudo mount | grep '\s/var/log\s'
+
. . . /var/log . . . nosuid . . .
+ Is it the case that the "/var/log" file system does not have the "nosuid" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nodev mount option can be used to prevent creation of device -files in /dev/shm. Legitimate character and block devices should -not exist within temporary directories like /dev/shm. -Add the nodev option to the fourth column of + The nosuid mount option can be used to prevent +execution of setuid programs in /var/log. The SUID and SGID permissions +should not be required in directories containing log files. +Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/dev/shm. +/var/log. medium 
@@ -33094,23 +33149,33 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82191-8: Install fapolicyd Package + CCE-80837-8: Add nodev Option to /dev/shm Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The fapolicyd package can be installed with the following command: -
-$ sudo yum install fapolicyd
+ The nodev mount option can be used to prevent creation of device +files in /dev/shm. Legitimate character and block devices should +not exist within temporary directories like /dev/shm. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/dev/shm. Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Run the following command to determine if the fapolicyd package is installed:
$ rpm -q fapolicyd
Is it the case that the fapolicyd package is not installed? + Verify the nodev option is configured for the /dev/shm mount point, + run the following command: +
$ sudo mount | grep '\s/dev/shm\s'
+
. . . /dev/shm . . . nodev . . .
+ Is it the case that the "/dev/shm" file system does not have the "nodev" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The fapolicyd package can be installed with the following command: -
-$ sudo yum install fapolicyd
+ The nodev mount option can be used to prevent creation of device +files in /dev/shm. Legitimate character and block devices should +not exist within temporary directories like /dev/shm. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/dev/shm. medium @@ -33123,7 +33188,7 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82008-4: Add noexec Option to /var/log + CCE-80838-6: Add noexec Option to /dev/shm Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. 
@@ -33131,23 +33196,27 @@ Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). The noexec mount option can be used to prevent binaries -from being executed out of /var/log. +from being executed out of /dev/shm. +It can be dangerous to allow the execution of binaries +from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log. +/dev/shm. Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the noexec option is configured for the /var/log mount point, + Verify the noexec option is configured for the /dev/shm mount point, run the following command: -
$ sudo mount | grep '\s/var/log\s'
-
. . . /var/log . . . noexec . . .
- Is it the case that the "/var/log" file system does not have the "noexec" option set? +
$ sudo mount | grep '\s/dev/shm\s'
+
. . . /dev/shm . . . noexec . . .
+ Is it the case that the "/dev/shm" file system does not have the "noexec" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. The noexec mount option can be used to prevent binaries -from being executed out of /var/log. +from being executed out of /dev/shm. +It can be dangerous to allow the execution of binaries +from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -/var/log. +/dev/shm. medium 
@@ -33160,33 +33229,37 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-81050-7: Add nosuid Option to /home + CCE-82077-9: Add nodev Option to /var/log Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The nosuid mount option can be used to prevent -execution of setuid programs in /home. The SUID and SGID permissions -should not be required in these user data directories. -Add the nosuid option to the fourth column of + The nodev mount option can be used to prevent device files from +being created in /var/log. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -/home. +/var/log. 
Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nosuid option is configured for the /home mount point, + Verify the nodev option is configured for the /var/log mount point, run the following command: -
$ sudo mount | grep '\s/home\s'
-
. . . /home . . . nosuid . . .
- Is it the case that the "/home" file system does not have the "nosuid" option set? +
$ sudo mount | grep '\s/var/log\s'
+
. . . /var/log . . . nodev . . .
+ Is it the case that the "/var/log" file system does not have the "nodev" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nosuid mount option can be used to prevent -execution of setuid programs in /home. The SUID and SGID permissions -should not be required in these user data directories. -Add the nosuid option to the fourth column of + The nodev mount option can be used to prevent device files from +being created in /var/log. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -/home. +/var/log. medium 
@@ -33238,106 +33311,33 @@ TBD - Assigned by DISA after STIG release The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - CCE-82249-4: Enable the File Access Policy Service - - Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. - -Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. - -Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The File Access Policy service should be enabled. - -The fapolicyd service can be enabled with the following command: -
$ sudo systemctl enable fapolicyd.service
- Applicable - Configurable - Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - - -Run the following command to determine the current status of the -fapolicyd service: -
$ sudo systemctl is-active fapolicyd
-If the service is running, it should return the following:
active
Is it the case that the service is not enabled? - Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The File Access Policy service should be enabled. - -The fapolicyd service can be enabled with the following command: -
$ sudo systemctl enable fapolicyd.service
- medium - - - - - - - CCI-001764 - SRG-OS-000368-GPOS-00154 - TBD - Assigned by DISA after STIG release - The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - - CCE-82151-2: Add noexec Option to /var/tmp - - Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. - -Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. - -Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). - The noexec mount option can be used to prevent binaries -from being executed out of /var/tmp. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp. - Applicable - Configurable - Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the noexec option is configured for the /var/tmp mount point, - run the following command: -
$ sudo mount | grep '\s/var/tmp\s'
-
. . . /var/tmp . . . noexec . . .
- Is it the case that the "/var/tmp" file system does not have the "noexec" option set? - Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The noexec mount option can be used to prevent binaries -from being executed out of /var/tmp. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of -/var/tmp. - medium - - - - - - - CCI-001764 - SRG-OS-000368-GPOS-00154 - TBD - Assigned by DISA after STIG release - The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - - CCE-82623-0: Add nodev Option to /tmp + CCE-82921-8: Add nosuid Option to /var/log/audit Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). 
- The nodev mount option can be used to prevent device files from -being created in /tmp. Legitimate character and block devices -should not exist within temporary directories like /tmp. -Add the nodev option to the fourth column of + The nosuid mount option can be used to prevent +execution of setuid programs in /var/log/audit. The SUID and SGID permissions +should not be required in directories containing audit log files. +Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/tmp. +/var/log/audit. Applicable - Configurable Verify the operating system prevents program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. If it does not, this is a finding. - Verify the nodev option is configured for the /tmp mount point, + Verify the nosuid option is configured for the /var/log/audit mount point, run the following command: -
$ sudo mount | grep '\s/tmp\s'
-
. . . /tmp . . . nodev . . .
- Is it the case that the "/tmp" file system does not have the "nodev" option set? +
$ sudo mount | grep '\s/var/log/audit\s'
+
. . . /var/log/audit . . . nosuid . . .
+ Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set? Configure the operating system to prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. - The nodev mount option can be used to prevent device files from -being created in /tmp. Legitimate character and block devices -should not exist within temporary directories like /tmp. -Add the nodev option to the fourth column of + The nosuid mount option can be used to prevent +execution of setuid programs in /var/log/audit. The SUID and SGID permissions +should not be required in directories containing audit log files. +Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -/tmp. +/var/log/audit. medium @@ -33355,7 +33355,7 @@ TBD - Assigned by DISA after STIG release The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - CCE-86478-5: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. + CCE-82249-4: Enable the File Access Policy Service Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. 
@@ -33364,30 +33364,23 @@ Verification of white-listed software occurs prior to execution or at system startup. This requirement applies to operating system programs, functions, and services designed to manage system processes and configurations (e.g., group policies). - The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running. + The File Access Policy service should be enabled. + +The fapolicyd service can be enabled with the following command: +
$ sudo systemctl enable fapolicyd.service
Applicable - Configurable Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If it does not, this is a finding. - Verify the Red Hat Enterprise Linux 8 "fapolicyd" employs a deny-all, permit-by-exception policy. - -Check that "fapolicyd" is in enforcement mode with the following command: - -$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf - -permissive = 0 - -Check that fapolicyd employs a deny-all policy on system mounts with the following commands: - -For RHEL 8.5 systems and older: -$ sudo tail /etc/fapolicyd/fapolicyd.rules - -For RHEL 8.6 systems and newer: -$ sudo tail /etc/fapolicyd/compiled.rules + -allow exe=/usr/bin/python3.7 : ftype=text/x-python -deny_audit perm=any pattern=ld_so : all -deny perm=any all : all Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy? +Run the following command to determine the current status of the +fapolicyd service: +
$ sudo systemctl is-active fapolicyd
+If the service is running, it should return the following:
active
Is it the case that the service is not enabled? Configure the operating system to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running. + The File Access Policy service should be enabled. + +The fapolicyd service can be enabled with the following command: +
$ sudo systemctl enable fapolicyd.service
medium @@ -33431,7 +33424,7 @@ TBD - Assigned by DISA after STIG release The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - CCE-82249-4: Enable the File Access Policy Service + CCE-86960-2: Disable the uvcvideo module Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. @@ -33440,23 +33433,28 @@ Verification of white-listed software occurs prior to execution or at system startup. This requirement applies to operating system programs, functions, and services designed to manage system processes and configurations (e.g., group policies). - The File Access Policy service should be enabled. - -The fapolicyd service can be enabled with the following command: -
$ sudo systemctl enable fapolicyd.service
+ If the device contains a camera it should be covered or disabled when not in use. Applicable - Configurable Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If it does not, this is a finding. - + If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. -Run the following command to determine the current status of the -fapolicyd service: -
$ sudo systemctl is-active fapolicyd
-If the service is running, it should return the following:
active
Is it the case that the service is not enabled? - Configure the operating system to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - The File Access Policy service should be enabled. +This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. -The fapolicyd service can be enabled with the following command: -
$ sudo systemctl enable fapolicyd.service
+This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. + +For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. + +For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. + +If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: + +Verify the operating system disables the ability to load the uvcvideo kernel module. + +$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" + +install uvcvideo /bin/true Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? + Configure the operating system to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + If the device contains a camera it should be covered or disabled when not in use. medium @@ -33469,7 +33467,7 @@ TBD - Assigned by DISA after STIG release The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - CCE-86960-2: Disable the uvcvideo module + CCE-86478-5: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. 
@@ -33478,28 +33476,30 @@ Verification of white-listed software occurs prior to execution or at system startup. This requirement applies to operating system programs, functions, and services designed to manage system processes and configurations (e.g., group policies). - If the device contains a camera it should be covered or disabled when not in use. + The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running. Applicable - Configurable Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If it does not, this is a finding. - If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable. - -This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. + Verify the Red Hat Enterprise Linux 8 "fapolicyd" employs a deny-all, permit-by-exception policy. -This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. +Check that "fapolicyd" is in enforcement mode with the following command: -For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. +$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf -For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. 
+permissive = 0 -If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: +Check that fapolicyd employs a deny-all policy on system mounts with the following commands: -Verify the operating system disables the ability to load the uvcvideo kernel module. +For RHEL 8.5 systems and older: +$ sudo tail /etc/fapolicyd/fapolicyd.rules -$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true" +For RHEL 8.6 systems and newer: +$ sudo tail /etc/fapolicyd/compiled.rules -install uvcvideo /bin/true Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use? +allow exe=/usr/bin/python3.7 : ftype=text/x-python +deny_audit perm=any pattern=ld_so : all +deny perm=any all : all Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy? Configure the operating system to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - If the device contains a camera it should be covered or disabled when not in use. + The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running. medium 
@@ -33517,25 +33517,36 @@ TBD - Assigned by DISA after STIG release The operating system must require users to re-authenticate for privilege escalation. - CCE-86319-1: Disallow Configuration to Bypass Password Requirements for Privilege Escalation + CCE-87838-9: Require Re-Authentication When Using the sudo Command Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. - Verify the operating system is not configured to bypass password requirements for privilege -escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: -
$ sudo grep pam_succeed_if /etc/pam.d/sudo
-If any occurrences of "pam_succeed_if" is returned from the command, this is a finding. + The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. +The default timestamp_timeout value is 5 minutes. +The timestamp_timeout should be configured by making sure that the +timestamp_timeout tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. +If the value is set to an integer less than 0, the user's time stamp will not expire +and the user will not have to re-authenticate for privileged actions until the user's session is terminated. Applicable - Configurable Verify the operating system requires users to re-authenticate for privilege escalation. If it does not, this is a finding. - Verify the operating system is not configured to bypass password requirements for privilege -escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: -
$ sudo grep pam_succeed_if /etc/pam.d/sudo
Is it the case that system is configured to bypass password requirements for privilege escalation? + Verify the operating system requires re-authentication +when using the "sudo" command to elevate privileges, run the following command: +
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
+The output should be: +
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number. +If conflicting results are returned, this is a finding. Is it the case that timestamp_timeout is not set with the appropriate value for sudo? Configure the operating system to require users to re-authenticate for privilege escalation. - Verify the operating system is not configured to bypass password requirements for privilege -escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: -
$ sudo grep pam_succeed_if /etc/pam.d/sudo
-If any occurrences of "pam_succeed_if" is returned from the command, this is a finding. + The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. +The default timestamp_timeout value is 5 minutes. +The timestamp_timeout should be configured by making sure that the +timestamp_timeout tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. +If the value is set to an integer less than 0, the user's time stamp will not expire +and the user will not have to re-authenticate for privileged actions until the user's session is terminated. medium @@ -33548,27 +33559,25 @@ TBD - Assigned by DISA after STIG release The operating system must require users to re-authenticate for privilege escalation. - CCE-82197-5: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + CCE-86319-1: Disallow Configuration to Bypass Password Requirements for Privilege Escalation Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. - The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. + Verify the operating system is not configured to bypass password requirements for privilege +escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: +
$ sudo grep pam_succeed_if /etc/pam.d/sudo
+If any occurrences of "pam_succeed_if" is returned from the command, this is a finding. Applicable - Configurable Verify the operating system requires users to re-authenticate for privilege escalation. If it does not, this is a finding. - To determine if NOPASSWD has been configured for sudo, run the following command: -
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
-The command should return no output. Is it the case that nopasswd is specified in the sudo config files? + Verify the operating system is not configured to bypass password requirements for privilege +escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: +
$ sudo grep pam_succeed_if /etc/pam.d/sudo
Is it the case that system is configured to bypass password requirements for privilege escalation? Configure the operating system to require users to re-authenticate for privilege escalation. - The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. + Verify the operating system is not configured to bypass password requirements for privilege +escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: +
$ sudo grep pam_succeed_if /etc/pam.d/sudo
+If any occurrences of "pam_succeed_if" is returned from the command, this is a finding. medium @@ -33612,11 +33621,49 @@ TBD - Assigned by DISA after STIG release The operating system must require users to re-authenticate for privilege escalation. - CCE-87838-9: Require Re-Authentication When Using the sudo Command + CCE-82197-5: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. + Applicable - Configurable + Verify the operating system requires users to re-authenticate for privilege escalation. If it does not, this is a finding. + To determine if NOPASSWD has been configured for sudo, run the following command: +
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
+The command should return no output. Is it the case that nopasswd is specified in the sudo config files? + Configure the operating system to require users to re-authenticate for privilege escalation. + The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. + medium + + + + + + + + + + + + CCI-002038 + SRG-OS-000373-GPOS-00157 + TBD - Assigned by DISA after STIG release + The operating system must require users to re-authenticate when changing roles. + + CCE-87838-9: Require Re-Authentication When Using the sudo Command + + Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +When operating systems provide the capability to change security roles, it is critical the user re-authenticate. The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the @@ -33626,14 +33673,14 @@ If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. Applicable - Configurable - Verify the operating system requires users to re-authenticate for privilege escalation. If it does not, this is a finding. + Verify the operating system requires users to re-authenticate when changing roles. If it does not, this is a finding. Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges, run the following command:
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
The output should be:
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number. If conflicting results are returned, this is a finding. Is it the case that timestamp_timeout is not set with the appropriate value for sudo? - Configure the operating system to require users to re-authenticate for privilege escalation. + Configure the operating system to require users to re-authenticate when changing roles. The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the @@ -33648,11 +33695,6 @@ - - - - - CCI-002038 SRG-OS-000373-GPOS-00157 
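Review bot: the description added for CCE-87838-9 in this region ("The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits") describes the wrong sudoers option; timestamp_timeout is the number of minutes a cached sudo authentication stays valid before the user is asked for a password again, while the time the prompt itself waits is passwd_timeout. Suggest rewording to "sets the number of minutes that can elapse before sudo asks for a password again", which also matches the check that accepts timestamp_timeout=0 or any positive value. Separately, the CCE-86319-1 check "$ sudo grep pam_succeed_if /etc/pam.d/sudo" treats any match as a finding, so a commented-out line in /etc/pam.d/sudo fails the rule although no bypass exists; matching only uncommented text, for example grep '^[^#]*pam_succeed_if' /etc/pam.d/sudo, avoids that false positive.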
@@ -33690,27 +33732,25 @@ TBD - Assigned by DISA after STIG release The operating system must require users to re-authenticate when changing roles. - CCE-82197-5: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + CCE-82202-3: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change security roles, it is critical the user re-authenticate. - The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. + The sudo !authenticate option, when specified, allows a user to execute commands using +sudo without having to authenticate. This should be disabled by making sure that the +!authenticate option does not exist in /etc/sudoers configuration file or +any sudo configuration snippets in /etc/sudoers.d/. Applicable - Configurable Verify the operating system requires users to re-authenticate when changing roles. If it does not, this is a finding. - To determine if NOPASSWD has been configured for sudo, run the following command: -
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
-The command should return no output. Is it the case that nopasswd is specified in the sudo config files? + To determine if !authenticate has not been configured for sudo, run the following command: +
$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
+The command should return no output. Is it the case that !authenticate is specified in the sudo config files? Configure the operating system to require users to re-authenticate when changing roles. - The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. + The sudo !authenticate option, when specified, allows a user to execute commands using +sudo without having to authenticate. This should be disabled by making sure that the +!authenticate option does not exist in /etc/sudoers configuration file or +any sudo configuration snippets in /etc/sudoers.d/. medium 
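Review bot: the CCE-82202-3 check "$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/" is case-sensitive while the sibling NOPASSWD check uses grep -ri, and neither excludes comments, so a line such as "# never set !authenticate here" (hypothetical) produces a finding with no real bypass present. Suggest matching uncommented text only, for example grep -rE '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/ (single quotes also keep the shell from history-expanding the "!"), and noting in the check that both greps inspect only /etc/sudoers and /etc/sudoers.d/, so a sudoers that pulls in another directory through an includedir directive is not covered.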
@@ -33723,42 +33763,49 @@ TBD - Assigned by DISA after STIG release The operating system must require users to re-authenticate when changing roles. - CCE-82202-3: Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate + CCE-82197-5: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change security roles, it is critical the user re-authenticate. - The sudo !authenticate option, when specified, allows a user to execute commands using -sudo without having to authenticate. This should be disabled by making sure that the -!authenticate option does not exist in /etc/sudoers configuration file or -any sudo configuration snippets in /etc/sudoers.d/. + The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. Applicable - Configurable Verify the operating system requires users to re-authenticate when changing roles. If it does not, this is a finding. - To determine if !authenticate has not been configured for sudo, run the following command: -
$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
-The command should return no output. Is it the case that !authenticate is specified in the sudo config files? + To determine if NOPASSWD has been configured for sudo, run the following command: +
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
+The command should return no output. Is it the case that nopasswd is specified in the sudo config files? Configure the operating system to require users to re-authenticate when changing roles. - The sudo !authenticate option, when specified, allows a user to execute commands using -sudo without having to authenticate. This should be disabled by making sure that the -!authenticate option does not exist in /etc/sudoers configuration file or -any sudo configuration snippets in /etc/sudoers.d/. + The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. medium + + + + + CCI-002038 - SRG-OS-000373-GPOS-00157 + SRG-OS-000373-GPOS-00158 TBD - Assigned by DISA after STIG release - The operating system must require users to re-authenticate when changing roles. + The operating system must require users to re-authenticate when changing authenticators. CCE-87838-9: Require Re-Authentication When Using the sudo Command Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -When operating systems provide the capability to change security roles, it is critical the user re-authenticate. +When operating systems provide the capability to change user authenticators, it is critical the user re-authenticate. The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the 
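Review bot: the CCE-87838-9 timestamp_timeout group that this hunk places under SRG-OS-000373-GPOS-00158 ("re-authenticate when changing authenticators") keeps check text written for privilege escalation: "Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges". Changing a password with passwd is governed by the PAM password stack, not by sudo's credential cache, so the 00158 entry now carries a check that does not exercise the requirement it is filed under. Suggest either limiting the rule to 00157 or adding check text that states what about authenticator changes is being verified, otherwise an assessor working through 00158 has nothing to test.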
@@ -33768,14 +33815,14 @@ If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. Applicable - Configurable - Verify the operating system requires users to re-authenticate when changing roles. If it does not, this is a finding. + Verify the operating system requires users to re-authenticate when changing authenticators. If it does not, this is a finding. Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges, run the following command:
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
The output should be:
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number. If conflicting results are returned, this is a finding. Is it the case that timestamp_timeout is not set with the appropriate value for sudo? - Configure the operating system to require users to re-authenticate when changing roles. + Configure the operating system to require users to re-authenticate when changing authenticators. The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the @@ -33790,11 +33837,6 @@ - - - - - CCI-002038 SRG-OS-000373-GPOS-00158 @@ -33826,39 +33868,6 @@ - - CCI-002038 - SRG-OS-000373-GPOS-00158 - TBD - Assigned by DISA after STIG release - The operating system must require users to re-authenticate when changing authenticators. - - CCE-82197-5: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - - Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -When operating systems provide the capability to change user authenticators, it is critical the user re-authenticate. - The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. - Applicable - Configurable - Verify the operating system requires users to re-authenticate when changing authenticators. If it does not, this is a finding. - To determine if NOPASSWD has been configured for sudo, run the following command: -
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
-The command should return no output. Is it the case that nopasswd is specified in the sudo config files? - Configure the operating system to require users to re-authenticate when changing authenticators. - The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. - medium - - - - - CCI-002038 SRG-OS-000373-GPOS-00158 
@@ -33896,36 +33905,27 @@ TBD - Assigned by DISA after STIG release The operating system must require users to re-authenticate when changing authenticators. - CCE-87838-9: Require Re-Authentication When Using the sudo Command + CCE-82197-5: Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change user authenticators, it is critical the user re-authenticate. - The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. -The default timestamp_timeout value is 5 minutes. -The timestamp_timeout should be configured by making sure that the -timestamp_timeout tag exists in + The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. -If the value is set to an integer less than 0, the user's time stamp will not expire -and the user will not have to re-authenticate for privileged actions until the user's session is terminated. +in /etc/sudoers.d/. Applicable - Configurable Verify the operating system requires users to re-authenticate when changing authenticators. If it does not, this is a finding. - Verify the operating system requires re-authentication -when using the "sudo" command to elevate privileges, run the following command: -
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
-The output should be: -
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number. -If conflicting results are returned, this is a finding. Is it the case that timestamp_timeout is not set with the appropriate value for sudo? + To determine if NOPASSWD has been configured for sudo, run the following command: +
$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
+The command should return no output. Is it the case that nopasswd is specified in the sudo config files? Configure the operating system to require users to re-authenticate when changing authenticators. - The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. -The default timestamp_timeout value is 5 minutes. -The timestamp_timeout should be configured by making sure that the -timestamp_timeout tag exists in + The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/. -If the value is set to an integer less than 0, the user's time stamp will not expire -and the user will not have to re-authenticate for privileged actions until the user's session is terminated. +in /etc/sudoers.d/. medium @@ -33967,7 +33967,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. - CCE-84029-8: Install Smart Card Packages For Multifactor Authentication + CCE-80846-9: Install the opensc Package For Multifactor Authentication Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. 
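Review bot: the net effect of this hunk, together with the 33548 to 33768 hunks above it, is a reordering of Rule groups with identical content: the CCE-82197-5 NOPASSWD group added here under SRG-OS-000373-GPOS-00158, including its check "$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/", is text for text the group that hunk 33768 removed, and the same holds for the CCE-86319-1, CCE-87838-9 and CCE-82202-3 groups moved around it. For an automated publish this churn hides any real change in the datastream; suggest having the generator emit groups in a stable order (sorted by rule id or CCE, for instance) so the published diff contains only content changes.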
@@ -33980,25 +33980,18 @@ This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Requires further clarification from NIST. - Configure the operating system to implement multifactor authentication by -installing the required package with the following command: - -The openssl-pkcs11 package can be installed with the following command: + +The opensc package can be installed with the following command:
-$ sudo yum install openssl-pkcs11
+$ sudo yum install opensc Applicable - Configurable Verify the operating system implements multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. If it does not, this is a finding. - Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed. - -Run the following command to determine if the openssl-pkcs11 package is installed: -
$ rpm -q openssl-pkcs11
Is it the case that smartcard software is not installed? + Run the following command to determine if the opensc package is installed:
$ rpm -q opensc
Is it the case that the package is not installed? Configure the operating system to implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. - Configure the operating system to implement multifactor authentication by -installing the required package with the following command: - -The openssl-pkcs11 package can be installed with the following command: + +The opensc package can be installed with the following command:
-$ sudo yum install openssl-pkcs11
+$ sudo yum install opensc medium @@ -34011,7 +34004,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. - CCE-80846-9: Install the opensc Package For Multifactor Authentication + CCE-84029-8: Install Smart Card Packages For Multifactor Authentication Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. @@ -34024,18 +34017,25 @@ This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Requires further clarification from NIST. - -The opensc package can be installed with the following command: + Configure the operating system to implement multifactor authentication by +installing the required package with the following command: + +The openssl-pkcs11 package can be installed with the following command:
-$ sudo yum install opensc
+$ sudo yum install openssl-pkcs11 Applicable - Configurable Verify the operating system implements multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. If it does not, this is a finding. - Run the following command to determine if the opensc package is installed:
$ rpm -q opensc
Is it the case that the package is not installed? + Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed. + +Run the following command to determine if the openssl-pkcs11 package is installed: +
$ rpm -q openssl-pkcs11
Is it the case that smartcard software is not installed? Configure the operating system to implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. - -The opensc package can be installed with the following command: + Configure the operating system to implement multifactor authentication by +installing the required package with the following command: + +The openssl-pkcs11 package can be installed with the following command:
-$ sudo yum install opensc
+$ sudo yum install openssl-pkcs11 medium @@ -34277,28 +34277,58 @@ TBD - Assigned by DISA after STIG release The operating system must authenticate peripherals before establishing a connection. - CCE-82853-3: Enable the USBGuard Service + CCE-82959-8: Install usbguard Package Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. - The USBGuard service should be enabled. - -The usbguard service can be enabled with the following command: -
$ sudo systemctl enable usbguard.service
+ +The usbguard package can be installed with the following command: +
+$ sudo yum install usbguard
Applicable - Configurable Verify the operating system authenticates peripherals before establishing a connection. If it does not, this is a finding. + Run the following command to determine if the usbguard package is installed:
$ rpm -q usbguard
Is it the case that the package is not installed? + Configure the operating system to authenticate peripherals before establishing a connection. +The usbguard package can be installed with the following command: +
+$ sudo yum install usbguard
+ medium + + + + -Run the following command to determine the current status of the -usbguard service: -
$ sudo systemctl is-active usbguard
-If the service is running, it should return the following:
active
Is it the case that the service is not enabled? - Configure the operating system to authenticate peripherals before establishing a connection. - The USBGuard service should be enabled. + + CCI-001958 + SRG-OS-000378-GPOS-00163 + TBD - Assigned by DISA after STIG release + The operating system must authenticate peripherals before establishing a connection. -The usbguard service can be enabled with the following command: -
$ sudo systemctl enable usbguard.service
+ CCE-83774-0: Generate USBGuard Policy + + Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + By default USBGuard when enabled prevents access to all USB devices and this lead +to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, +the initial policy configuration must be generated based on current connected USB +devices. + Applicable - Configurable + Verify the operating system authenticates peripherals before establishing a connection. If it does not, this is a finding. + Verify the USBGuard has a policy configured with the following command: + +$ usbguard list-rules + +allow id 1d6b:0001 serial + +If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. Is it the case that there is no evidence that unauthorized peripherals are being blocked before establishing a connection? + Configure the operating system to authenticate peripherals before establishing a connection. + By default USBGuard when enabled prevents access to all USB devices and this lead +to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, +the initial policy configuration must be generated based on current connected USB +devices. medium 
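Review bot: the CCE-83774-0 check in the 34277 hunk, "$ usbguard list-rules" with the expected line "allow id 1d6b:0001 serial", only shows that at least one allow rule exists, not that unlisted devices are blocked; with ImplicitPolicyTarget=allow in /etc/usbguard/usbguard-daemon.conf a generated rule set passes this check while every unknown device is still accepted. Suggest the check also confirm that ImplicitPolicyTarget is block or reject, and run list-rules through sudo like every other command in these groups, since usbguard-daemon only answers IPC callers listed in IPCAllowedUsers or IPCAllowedGroups and an unprivileged run returns exactly the error the text then routes to the SA. In the 33980 and 34024 hunks folded into this region, the CCE-84029-8 group is titled "Install Smart Card Packages" and asks "Is it the case that smartcard software is not installed?" while the check runs only "$ rpm -q openssl-pkcs11"; either list the other packages the title implies or make the title and question refer to the single package, as the CCE-80846-9 opensc group does.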
@@ -34362,41 +34392,6 @@ - - CCI-001958 - SRG-OS-000378-GPOS-00163 - TBD - Assigned by DISA after STIG release - The operating system must authenticate peripherals before establishing a connection. - - CCE-83774-0: Generate USBGuard Policy - - Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. - -Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. - By default USBGuard when enabled prevents access to all USB devices and this lead -to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, -the initial policy configuration must be generated based on current connected USB -devices. - Applicable - Configurable - Verify the operating system authenticates peripherals before establishing a connection. If it does not, this is a finding. - Verify the USBGuard has a policy configured with the following command: - -$ usbguard list-rules - -allow id 1d6b:0001 serial - -If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. Is it the case that there is no evidence that unauthorized peripherals are being blocked before establishing a connection? - Configure the operating system to authenticate peripherals before establishing a connection. - By default USBGuard when enabled prevents access to all USB devices and this lead -to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, -the initial policy configuration must be generated based on current connected USB -devices. - medium - - - - - CCI-001958 SRG-OS-000378-GPOS-00163 
@@ -34466,23 +34461,28 @@ TBD - Assigned by DISA after STIG release The operating system must authenticate peripherals before establishing a connection. - CCE-82959-8: Install usbguard Package + CCE-82853-3: Enable the USBGuard Service Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. - -The usbguard package can be installed with the following command: -
-$ sudo yum install usbguard
+ The USBGuard service should be enabled. + +The usbguard service can be enabled with the following command: +
$ sudo systemctl enable usbguard.service
Applicable - Configurable Verify the operating system authenticates peripherals before establishing a connection. If it does not, this is a finding. - Run the following command to determine if the usbguard package is installed:
$ rpm -q usbguard
Is it the case that the package is not installed? - Configure the operating system to authenticate peripherals before establishing a connection. -The usbguard package can be installed with the following command: -
-$ sudo yum install usbguard
+ +Run the following command to determine the current status of the +usbguard service: +
$ sudo systemctl is-active usbguard
+If the service is running, it should return the following:
active
Is it the case that the service is not enabled? + Configure the operating system to authenticate peripherals before establishing a connection. + The USBGuard service should be enabled. + +The usbguard service can be enabled with the following command: +
$ sudo systemctl enable usbguard.service
medium @@ -34661,7 +34661,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -34670,34 +34670,42 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -34710,7 +34718,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -34719,34 +34727,65 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. -$ sudo auditctl -l | grep postdrop +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. 
If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -34759,7 +34798,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + CCE-80698-4: Record Any Attempts to Run chcon If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -34768,34 +34807,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: -$ sudo auditctl -l | grep userhelper +$ sudo auditctl -l | grep chcon --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -34808,7 +34847,61 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ low + + + + + + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -34823,17 +34916,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. @@ -34843,12 +34936,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -34861,7 +34954,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -34870,60 +34963,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + +$ sudo auditctl -l | grep postdrop + +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -34936,7 +35003,56 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + +$ sudo auditctl -l | grep gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -34946,49 +35062,59 @@ This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -35001,7 +35127,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35010,71 +35136,87 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +
$ sudo grep "delete_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-$ sudo grep -r openat /etc/audit/rules.d -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. -$ sudo grep openat /etc/audit/audit.rules +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + medium + + + + -The output should be the following: + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+$ sudo auditctl -l | grep passwd + +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -35087,7 +35229,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35101,66 +35243,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r truncate /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep truncate /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -35173,7 +35315,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35182,87 +35324,38 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: - -$ sudo auditctl -l | grep /var/log/lastlog - --w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
-This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -$ sudo auditctl -l | grep crontab +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -35275,7 +35368,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount + CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. 
@@ -35284,34 +35377,38 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: - -$ sudo auditctl -l | grep mount - --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +mount system call, run the following command: +
$ sudo grep "mount" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
medium @@ -35324,7 +35421,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-89446-9: Record Any Attempts to Run chacl + CCE-85944-7: Record Any Attempts to Run ssh-agent If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35334,33 +35431,33 @@ This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: -$ sudo auditctl -l | grep chacl +$ sudo auditctl -l | grep ssh-agent --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
medium @@ -35373,7 +35470,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35382,42 +35479,124 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-$ sudo auditctl -l | grep -E '(/etc/group)' +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r ftruncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep ftruncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium + + + + + + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-80718-0: Record Attempts to Alter Logon and Logout Events - faillock + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w  -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w  -p wa -k logins
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep + +-w -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w  -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w  -p wa -k logins
medium @@ -35430,7 +35609,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35444,29 +35623,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: -$ sudo auditctl -l | grep ssh-keysign +$ sudo auditctl -l | grep sudo --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -35479,7 +35658,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35488,34 +35667,83 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: + +$ sudo auditctl -l | grep kmod + +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-80700-8: Record Any Attempts to Run semanage + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep semanage --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -35528,7 +35756,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35537,60 +35765,38 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
+unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -35603,7 +35809,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd + CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35617,29 +35823,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep chage --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -35652,7 +35858,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) + CCE-81043-2: Ensure the audit Subsystem is Installed If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35661,38 +35867,12 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ The audit package should be installed. Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -mount system call, run the following command: -
$ sudo grep "mount" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ The audit package should be installed. medium @@ -35705,7 +35885,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35714,34 +35894,42 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep unix_chkpwd +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -35754,7 +35942,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35769,17 +35957,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. @@ -35789,12 +35977,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -35807,7 +35995,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module + CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35816,38 +36004,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -
$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +$ sudo auditctl -l | grep userhelper -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -35860,7 +36044,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35869,42 +36053,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: + +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -35917,7 +36093,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -35926,87 +36102,42 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-82280-9: Record Any Attempts to Run setfiles - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. - -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. - -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep -E '(/etc/passwd)' --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -36019,7 +36150,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36029,41 +36160,47 @@ This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -36076,7 +36213,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + CCE-89446-9: Record Any Attempts to Run chacl If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36085,38 +36222,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + +$ sudo auditctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -36129,7 +36262,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36138,42 +36271,65 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r creat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -36235,114 +36391,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. - -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. - -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- low - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. - -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. - -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36356,128 +36405,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep unix_chkpwd --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. - -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. - -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-80872-5: Enable auditd Service - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. - -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. - -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - - -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
+
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -36490,7 +36440,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36505,21 +36455,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -36527,14 +36477,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -36604,7 +36554,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80698-4: Record Any Attempts to Run chcon + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36613,97 +36563,44 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: - -$ sudo auditctl -l | grep chcon - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. - -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. - -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+$ sudo auditctl -l | grep -E '(/etc/gshadow)' -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+-w /etc/gshadow -p wa -k identity -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -36716,7 +36613,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36725,34 +36622,42 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep chage +$ sudo auditctl -l | grep -E '(/etc/shadow)' --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -36765,7 +36670,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-88437-9: Record Any Attempts to Run setfacl + CCE-80701-6: Record Any Attempts to Run setsebool If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36775,33 +36680,33 @@ This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: -$ sudo auditctl -l | grep setfacl +$ sudo auditctl -l | grep setsebool --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -36863,7 +36768,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80700-8: Record Any Attempts to Run semanage + CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36872,34 +36777,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: -$ sudo auditctl -l | grep semanage +$ sudo auditctl -l | grep postqueue --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -36912,7 +36817,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36921,50 +36826,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: + +$ sudo auditctl -l | grep mount + +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
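Review bot: The fix text and the check text in this hunk disagree on the audit key. Both rule lines added to /etc/audit/rules.d and /etc/audit/audit.rules end in `-F key=privileged`, but the expected `auditctl -l` output printed in the check is `-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount`. A host remediated exactly as written will report `-k privileged`, and an assessor comparing against the printed line will record a finding. Use one key in both places (the per-command `privileged-mount` form the check already prints is the more useful one for searching logs). The question "or the line is commented out" also does not apply to `auditctl -l`, which lists rules loaded in the kernel rather than a file; it was carried over from a file-grep style check and should be dropped.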
medium @@ -36977,7 +36866,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -36991,29 +36880,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -$ sudo auditctl -l | grep gpasswd +$ sudo auditctl -l | grep crontab --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
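Review bot: Same key mismatch as the mount rule directly above, in both the rules.d and audit.rules lines of this hunk: the fix adds `-F key=privileged`, the check expects `-k privileged-crontab`. Align them, and drop the "commented out" clause from a check that reads `auditctl -l` output.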
medium @@ -37026,7 +36915,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37035,42 +36924,38 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: - -$ sudo auditctl -l | grep -E '(/etc/shadow)' - --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
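Review bot: The unlinkat rule in this hunk gives a single line and tells the reader to set ARCH to "either b32 or b64 as appropriate for your system"; on a 64-bit host that leaves the 32-bit syscall ABI unaudited, so a 32-bit binary deleting a file is not recorded. The setxattr and fsetxattr hunks in this same patch handle it correctly ("If the system is 64 bit then also add the following line"); use the same two-line form here, `-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete` followed by the b64 variant. The check is also weaker than the neighbouring privileged-command rules: `sudo grep "unlinkat" /etc/audit/audit.*` only matches files named audit.* directly under /etc/audit (audit.rules and auditd.conf, not /etc/audit/rules.d/), so a rule that is only in rules.d until the next `augenrules --load` is missed, and a commented-out `#-a ... unlinkat` line satisfies the grep even though nothing is loaded. Checking `auditctl -l` as the other rules do covers both load paths the fix text describes.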
medium @@ -37083,7 +36968,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-81043-2: Ensure the audit Subsystem is Installed + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37092,12 +36977,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - The audit package should be installed. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + +$ sudo auditctl -l | grep/etc/sudoers.d + +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - The audit package should be installed. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
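Review bot: The check command in this hunk is broken: `$ sudo auditctl -l | grep/etc/sudoers.d` has no space between `grep` and its pattern, so the shell looks for a program named `grep/etc/sudoers.d` and the pipeline fails whatever the rule state; it should read `grep /etc/sudoers.d`. The expected output also disagrees with the fix: the fix adds `-w /etc/sudoers.d/ -p wa -k actions` while the check expects `-w /etc/sudoers.d/ -p wa -k identity`. Finally, the check's lead sentence talks about "account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/", wording copied from the /etc/passwd and /etc/shadow rules; /etc/sudoers.d/ holds sudo policy, so the sentence should describe changes to administrator privileges, matching the "collect administrator actions" description the fix text already uses.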
medium @@ -37110,7 +37017,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80718-0: Record Attempts to Alter Logon and Logout Events - faillock + CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37119,38 +37026,38 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -$ sudo auditctl -l | grep +$ sudo auditctl -l | grep pam_timestamp_check --w -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
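Review bot: The audit rule in this hunk is rendered as two lines in both the rules.d and the audit.rules blocks (`-a always,exit -F path=/usr/sbin/pam_timestamp_check` on one line, `-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged` on the next). Copied as printed, the second line is not a valid rule on its own (it has no -a or -w), so augenrules or auditctl will reject the file at load. Join it into a single line as every other privileged-command rule in this patch is written. The key mismatch noted on the other privileged-command hunks applies here too: fix says `-F key=privileged`, check expects `-k privileged-pam_timestamp_check`.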
medium @@ -37163,7 +37070,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-82280-9: Record Any Attempts to Run setfiles If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37172,65 +37079,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r creat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep creat /etc/audit/audit.rules + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: -The output should be the following: +$ sudo auditctl -l | grep setfiles --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. 
If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
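Review bot: The expected check output in this hunk carries the key of a different rule: `-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update`, a `privileged-unix-update` key on a rule whose path is /usr/sbin/setfiles, while the fix text adds the line with `-F key=privileged`. Neither matches the other; the check line should use the key the fix installs (or a per-command `privileged-setfiles` if the fix is changed to that). Minor: both fix blocks say "add the following lines" but supply a single line.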
medium @@ -37243,7 +37119,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37252,93 +37128,50 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: - -$ sudo auditctl -l | grep newgrp - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. - -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. - -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' - --w /etc/gshadow -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -37408,7 +37241,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37417,91 +37250,38 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: - -$ sudo auditctl -l | grep kmod - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-002884 - SRG-OS-000392-GPOS-00172 - TBD - Assigned by DISA after STIG release - The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown - - If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. - -This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: -Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. +$ sudo auditctl -l | grep /var/log/lastlog -This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. 
If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
medium @@ -37514,7 +37294,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37523,66 +37303,40 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- medium + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ low @@ -37594,7 +37348,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37608,66 +37362,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r ftruncate /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep ftruncate /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -37680,7 +37434,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. 
@@ -37689,71 +37443,50 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -37766,7 +37499,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37780,24 +37513,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. @@ -37806,19 +37539,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
medium @@ -37831,7 +37564,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-85944-7: Record Any Attempts to Run ssh-agent + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37840,34 +37573,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-w /etc/sudoers -p wa -k actions
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: -$ sudo auditctl -l | grep ssh-agent +$ sudo auditctl -l | grep /etc/sudoers --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-w /etc/sudoers -p wa -k actions
medium @@ -37880,7 +37613,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37889,58 +37622,34 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: + +$ sudo auditctl -l | grep ssh-keysign + +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -37953,7 +37662,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -37962,34 +37671,42 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: - -$ sudo auditctl -l | grep postqueue - --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -38002,7 +37719,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -38011,40 +37728,61 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
- low + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+ medium @@ -38056,7 +37794,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo + CCE-80872-5: Enable auditd Service If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -38065,34 +37803,27 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: - -$ sudo auditctl -l | grep sudo + --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
medium @@ -38158,7 +37889,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -38167,38 +37898,120 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r truncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium + + + + -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + +$ sudo auditctl -l | grep usermod + +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -38211,7 +38024,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80701-6: Record Any Attempts to Run setsebool + CCE-88437-9: Record Any Attempts to Run setfacl If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -38221,33 +38034,33 @@ This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: -$ sudo auditctl -l | grep setsebool +$ sudo auditctl -l | grep setfacl --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -38260,7 +38073,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -38269,34 +38082,42 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -38309,7 +38130,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount + CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -38323,29 +38144,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: -$ sudo auditctl -l | grep umount +$ sudo auditctl -l | grep newgrp --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -38358,7 +38179,7 @@ TBD - Assigned by DISA after STIG release The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. - CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. @@ -38367,38 +38188,217 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: - -$ sudo auditctl -l | grep pam_timestamp_check - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ medium + + + + + + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ medium + + + + + + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + +$ sudo auditctl -l | grep umount + +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-002884 + SRG-OS-000392-GPOS-00172 + TBD - Assigned by DISA after STIG release + The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. + + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + + If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. + +This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. + +Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Applicable - Configurable + Verify the operating system audits all activities performed during nonlocal maintenance and diagnostic sessions. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to audit all activities performed during nonlocal maintenance and diagnostic sessions. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
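Review bot: in the CCE-80739-6 (umount) block of this hunk the check's expected output ends in "-k privileged-umount" while the remediation text in the same block tells the administrator to add "-F key=privileged"; someone who applies the fix and then compares against the check's sample line will conclude the key is wrong, so the two should agree on one key name (the other privileged-command rules in this profile use key=privileged). A second point in the same hunk: the renameat and fchmod checks ("$ sudo grep "renameat" /etc/audit/audit.*") inspect only /etc/audit/audit.rules and whatever else matches that glob (including an audit.rules.prev left behind by augenrules), not /etc/audit/rules.d/*.rules where the remediation's default augenrules path puts the rule. A rule added under rules.d is invisible to this check until augenrules --load regenerates audit.rules, a stale rule in audit.rules.prev passes it, and the grep also matches commented-out lines. Either grep both /etc/audit/rules.d/ and /etc/audit/audit.rules, or check the loaded rule set with "auditctl -l | grep renameat" as the umount block already does.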
medium @@ -38461,36 +38461,36 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config + CCE-84027-2: Set kernel parameter 'crypto.fips_enabled' to 1 Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The operating system can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. + System running in FIPS mode is indicated by kernel parameter +'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. +To enable FIPS mode, run the following command: +
fips-mode-setup --enable
-To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
+To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot +parameters during system installation so key generation is done with FIPS-approved algorithms +and continuous monitoring tests in place. Applicable - Configurable Verify the operating system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. If it does not, this is a finding. - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
-and verify that the line matches: -
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? + To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: +
sysctl crypto.fips_enabled
+The output should contain the following: +
crypto.fips_enabled = 1
Is it the case that crypto.fips_enabled is not 1? Configure the operating system to implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. + System running in FIPS mode is indicated by kernel parameter +'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. +To enable FIPS mode, run the following command: +
fips-mode-setup --enable
-To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
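Review bot: the only change in this hunk is that the CCE-84027-2 (crypto.fips_enabled) and CCE-85902-5 (openssh.config Ciphers) blocks under SRG-OS-000392-GPOS-00172 swap positions, and the following hunk (@@ -38503) is the mirror image; the same swap recurs in the @@ -38671, -38680, -38715 and -38724 hunks. Every hunk in this region is reorder-only, so the publisher is emitting rule blocks in an unstable order; sort the blocks within each SRG entry by CCE id in the build so that an automated publish with no content change produces an empty diff and real changes stay reviewable. On the added FIPS text itself: the remediation says to run "fips-mode-setup --enable" and the check then runs "sysctl crypto.fips_enabled", but that sysctl reports 1 only after the reboot that fips-mode-setup requires, and the text never mentions the reboot; add "and reboot" to the remediation so the check is not run against the pre-reboot state and reported as a finding.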
+To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot +parameters during system installation so key generation is done with FIPS-approved algorithms +and continuous monitoring tests in place. high @@ -38503,36 +38503,36 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - CCE-84027-2: Set kernel parameter 'crypto.fips_enabled' to 1 + CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The operating system can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). - System running in FIPS mode is indicated by kernel parameter -'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. -To enable FIPS mode, run the following command: -
fips-mode-setup --enable
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot -parameters during system installation so key generation is done with FIPS-approved algorithms -and continuous monitoring tests in place. +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
Applicable - Configurable Verify the operating system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. If it does not, this is a finding. - To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: -
sysctl crypto.fips_enabled
-The output should contain the following: -
crypto.fips_enabled = 1
Is it the case that crypto.fips_enabled is not 1? + To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
+and verify that the line matches: +
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? Configure the operating system to implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - System running in FIPS mode is indicated by kernel parameter -'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. -To enable FIPS mode, run the following command: -
fips-mode-setup --enable
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot -parameters during system installation so key generation is done with FIPS-approved algorithms -and continuous monitoring tests in place. +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
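Review bot: the added CCE-85902-5 block tells the reader to ensure /etc/crypto-policies/back-ends/openssh.config contains the line "Ciphers " and the check says "verify that the line matches: Ciphers " with nothing after the keyword, so the rendered text never states which cipher list is expected and the cipher-list variable is evidently not being substituted at build time (the same blank appears in the removed copy, so this predates the reorder). As rendered, any Ciphers line "matches" and the check cannot be performed. Fix the substitution in the publisher, or at minimum have the check text tell the reader to compare the line against the cipher list of the active system policy (update-crypto-policies --show) rather than against an empty value. It is also worth a sentence that openssh.config under back-ends is generated by update-crypto-policies and hand edits are overwritten on the next policy update, since the text currently invites editing it directly.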
high @@ -38671,7 +38671,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config + CCE-84027-2: Set kernel parameter 'crypto.fips_enabled' to 1 Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. @@ -38680,29 +38680,29 @@ This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The operating system can meet this requirement through leveraging a cryptographic module. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. + System running in FIPS mode is indicated by kernel parameter +'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. +To enable FIPS mode, run the following command: +
fips-mode-setup --enable
-To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
+To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot +parameters during system installation so key generation is done with FIPS-approved algorithms +and continuous monitoring tests in place. Applicable - Configurable Verify the operating system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. If it does not, this is a finding. - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
-and verify that the line matches: -
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? + To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: +
sysctl crypto.fips_enabled
+The output should contain the following: +
crypto.fips_enabled = 1
Is it the case that crypto.fips_enabled is not 1? Configure the operating system to implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. + System running in FIPS mode is indicated by kernel parameter +'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. +To enable FIPS mode, run the following command: +
fips-mode-setup --enable
-To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
+To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot +parameters during system installation so key generation is done with FIPS-approved algorithms +and continuous monitoring tests in place. high @@ -38715,7 +38715,7 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - CCE-84027-2: Set kernel parameter 'crypto.fips_enabled' to 1 + CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. @@ -38724,29 +38724,29 @@ This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The operating system can meet this requirement through leveraging a cryptographic module. - System running in FIPS mode is indicated by kernel parameter -'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. -To enable FIPS mode, run the following command: -
fips-mode-setup --enable
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot -parameters during system installation so key generation is done with FIPS-approved algorithms -and continuous monitoring tests in place. +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
Applicable - Configurable Verify the operating system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. If it does not, this is a finding. - To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: -
sysctl crypto.fips_enabled
-The output should contain the following: -
crypto.fips_enabled = 1
Is it the case that crypto.fips_enabled is not 1? + To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
+and verify that the line matches: +
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? Configure the operating system to implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. - System running in FIPS mode is indicated by kernel parameter -'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. -To enable FIPS mode, run the following command: -
fips-mode-setup --enable
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. -To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot -parameters during system installation so key generation is done with FIPS-approved algorithms -and continuous monitoring tests in place. +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
high @@ -39318,48 +39318,6 @@ - - CCI-002418 - SRG-OS-000423-GPOS-00187 - TBD - Assigned by DISA after STIG release - The operating system must protect the confidentiality and integrity of transmitted information. - - CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config - - Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. - -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - -Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. - -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
- Applicable - Configurable - Verify the operating system protects the confidentiality and integrity of transmitted information. If it does not, this is a finding. - To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: -
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
-and verify that the line matches: -
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? - Configure the operating system to protect the confidentiality and integrity of transmitted information. - Crypto Policies provide a centralized control over crypto algorithms usage of many packages. -OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be -set up incorrectly. - -To check that Crypto Policies settings for ciphers are configured correctly, ensure that -/etc/crypto-policies/back-ends/openssh.config contains the following -line and is not commented out: -
Ciphers 
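Review bot: this hunk (@@ -39318,48 +39318,6) deletes the CCE-85902-5 block under SRG-OS-000423-GPOS-00187 and the @@ -39480 hunk re-adds it byte for byte about 120 lines later, so the net change to the datastream is nil and the diff only records an ordering change. As with the other reorder-only hunks in this publish, sort rule blocks within a group by CCE id in the publisher so that moves do not surface as insert/delete pairs; the blank "Ciphers " value noted elsewhere is carried across unchanged by the move and still needs the substitution fixed.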
- high - - - - - CCI-002418 SRG-OS-000423-GPOS-00187 @@ -39480,6 +39438,48 @@ + + CCI-002418 + SRG-OS-000423-GPOS-00187 + TBD - Assigned by DISA after STIG release + The operating system must protect the confidentiality and integrity of transmitted information. + + CCE-85902-5: Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config + + Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. + +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
+ Applicable - Configurable + Verify the operating system protects the confidentiality and integrity of transmitted information. If it does not, this is a finding. + To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
+and verify that the line matches: +
Ciphers 
Is it the case that Crypto Policy for OpenSSH client is not configured correctly? + Configure the operating system to protect the confidentiality and integrity of transmitted information. + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be +set up incorrectly. + +To check that Crypto Policies settings for ciphers are configured correctly, ensure that +/etc/crypto-policies/back-ends/openssh.config contains the following +line and is not commented out: +
Ciphers 
+ high + + + + + CCI-002418 SRG-OS-000423-GPOS-00187 @@ -39522,32 +39522,43 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). - CCE-82426-8: Enable the OpenSSH Service + CCE-83501-7: Deactivate Wireless Network Interfaces Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPSec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. - The SSH server service, sshd, is commonly needed. + Deactivating wireless network interfaces should prevent normal usage of the wireless +capability. +

-The sshd service can be enabled with the following command: -
$ sudo systemctl enable sshd.service
+Configure the system to disable all wireless network interfaces with the following command: +
$ sudo nmcli radio all off
Applicable - Configurable Verify the operating system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). If it does not, this is a finding. - + Verify that there are no wireless interfaces configured on the system +with the following command: -Run the following command to determine the current status of the -sshd service: -
$ sudo systemctl is-active sshd
-If the service is running, it should return the following:
active
Is it the case that sshd service is disabled? +Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. + +
$ nmcli device status
+
DEVICE          TYPE      STATE         CONNECTION
+virbr0          bridge    connected     virbr0
+wlp7s0          wifi      connected     wifiSSID
+enp6s0          ethernet  disconnected  --
+p2p-dev-wlp7s0  wifi-p2p  disconnected  --
+lo              loopback  unmanaged     --
+virbr0-nic      tun       unmanaged     --
Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)? Configure the operating system to implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). - The SSH server service, sshd, is commonly needed. + Deactivating wireless network interfaces should prevent normal usage of the wireless +capability. +

-The sshd service can be enabled with the following command: -
$ sudo systemctl enable sshd.service
+Configure the system to disable all wireless network interfaces with the following command: +
$ sudo nmcli radio all off
medium @@ -39560,27 +39571,32 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). - CCE-83303-8: Install the OpenSSH Server Package + CCE-82426-8: Enable the OpenSSH Service Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPSec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. - The openssh-server package should be installed. -The openssh-server package can be installed with the following command: -
-$ sudo yum install openssh-server
+ The SSH server service, sshd, is commonly needed. + +The sshd service can be enabled with the following command: +
$ sudo systemctl enable sshd.service
Applicable - Configurable Verify the operating system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). If it does not, this is a finding. - Run the following command to determine if the openssh-server package is installed:
$ rpm -q openssh-server
Is it the case that the package is not installed? + + +Run the following command to determine the current status of the +sshd service: +
$ sudo systemctl is-active sshd
+If the service is running, it should return the following:
active
Is it the case that sshd service is disabled? Configure the operating system to implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). - The openssh-server package should be installed. -The openssh-server package can be installed with the following command: -
-$ sudo yum install openssh-server
+ The SSH server service, sshd, is commonly needed. + +The sshd service can be enabled with the following command: +
$ sudo systemctl enable sshd.service
medium @@ -39593,43 +39609,27 @@ TBD - Assigned by DISA after STIG release The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). - CCE-83501-7: Deactivate Wireless Network Interfaces + CCE-83303-8: Install the OpenSSH Server Package Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPSec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. - Deactivating wireless network interfaces should prevent normal usage of the wireless -capability. -

- -Configure the system to disable all wireless network interfaces with the following command: -
$ sudo nmcli radio all off
+ The openssh-server package should be installed. +The openssh-server package can be installed with the following command: +
+$ sudo yum install openssh-server
Applicable - Configurable Verify the operating system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). If it does not, this is a finding. - Verify that there are no wireless interfaces configured on the system -with the following command: - -Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. - -
$ nmcli device status
-
DEVICE          TYPE      STATE         CONNECTION
-virbr0          bridge    connected     virbr0
-wlp7s0          wifi      connected     wifiSSID
-enp6s0          ethernet  disconnected  --
-p2p-dev-wlp7s0  wifi-p2p  disconnected  --
-lo              loopback  unmanaged     --
-virbr0-nic      tun       unmanaged     --
Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)? + Run the following command to determine if the openssh-server package is installed:
$ rpm -q openssh-server
Is it the case that the package is not installed? Configure the operating system to implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). - Deactivating wireless network interfaces should prevent normal usage of the wireless -capability. -

- -Configure the system to disable all wireless network interfaces with the following command: -
$ sudo nmcli radio all off
+ The openssh-server package should be installed. +The openssh-server package can be installed with the following command: +
+$ sudo yum install openssh-server
medium 
@@ -39855,6 +39855,95 @@ + + CCI-002824 + SRG-OS-000433-GPOS-00192 + TBD - Assigned by DISA after STIG release + The operating system must implement non-executable data to protect its memory from unauthorized code execution. + + CCE-83918-3: Enable NX or XD Support in the BIOS + + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. + Reboot the system and enter the BIOS or Setup configuration menu. +Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located +under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) +on AMD-based systems. + Applicable - Configurable + Verify the operating system implements non-executable data to protect its memory from unauthorized code execution. If it does not, this is a finding. + Verify the NX (no-execution) bit flag is set on the system. + +Check that the no-execution bit flag is set with the following commands: + +$ sudo dmesg | grep NX + +[ 0.000000] NX (Execute Disable) protection: active + +If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: + +$ sudo grep flags /proc/cpuinfo +flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts + +The output should contain the "nx" flag. Is it the case that NX is disabled? + Configure the operating system to implement non-executable data to protect its memory from unauthorized code execution. + Reboot the system and enter the BIOS or Setup configuration menu. 
+Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located +under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) +on AMD-based systems. + medium + + + + + + + CCI-002824 + SRG-OS-000433-GPOS-00192 + TBD - Assigned by DISA after STIG release + The operating system must implement non-executable data to protect its memory from unauthorized code execution. + + CCE-80915-2: Restrict Exposed Kernel Pointer Addresses Access + + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. + To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
+ Applicable - Configurable + Verify the operating system implements non-executable data to protect its memory from unauthorized code execution. If it does not, this is a finding. + The runtime status of the kernel.kptr_restrict kernel parameter can be queried +by running the following command: +
$ sysctl kernel.kptr_restrict
+The output of the command should indicate either: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 +The output of the command should not indicate: +kernel.kptr_restrict = 0 + +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the
/etc/sysctl.d
directory. +Verify that there is not any existing incorrect configuration by executing the following command: +
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
+The command should not find any assignments other than: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 + +Conflicting assignments are not allowed. Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? + Configure the operating system to implement non-executable data to protect its memory from unauthorized code execution. + To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
+ medium + + + + + CCI-002824 SRG-OS-000433-GPOS-00192 @@ -39905,95 +39994,6 @@ - - CCI-002824 - SRG-OS-000433-GPOS-00192 - TBD - Assigned by DISA after STIG release - The operating system must implement non-executable data to protect its memory from unauthorized code execution. - - CCE-80915-2: Restrict Exposed Kernel Pointer Addresses Access - - Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Examples of attacks are buffer overflow attacks. - To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
- Applicable - Configurable - Verify the operating system implements non-executable data to protect its memory from unauthorized code execution. If it does not, this is a finding. - The runtime status of the kernel.kptr_restrict kernel parameter can be queried -by running the following command: -
$ sysctl kernel.kptr_restrict
-The output of the command should indicate either: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 -The output of the command should not indicate: -kernel.kptr_restrict = 0 - -The preferable way how to assure the runtime compliance is to have -correct persistent configuration, and rebooting the system. - -The persistent kernel parameter configuration is performed by specifying the appropriate -assignment in any file located in the
/etc/sysctl.d
directory. -Verify that there is not any existing incorrect configuration by executing the following command: -
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
-The command should not find any assignments other than: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 - -Conflicting assignments are not allowed. Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? - Configure the operating system to implement non-executable data to protect its memory from unauthorized code execution. - To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
- medium - - - - - - - CCI-002824 - SRG-OS-000433-GPOS-00192 - TBD - Assigned by DISA after STIG release - The operating system must implement non-executable data to protect its memory from unauthorized code execution. - - CCE-83918-3: Enable NX or XD Support in the BIOS - - Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Examples of attacks are buffer overflow attacks. - Reboot the system and enter the BIOS or Setup configuration menu. -Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located -under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) -on AMD-based systems. - Applicable - Configurable - Verify the operating system implements non-executable data to protect its memory from unauthorized code execution. If it does not, this is a finding. - Verify the NX (no-execution) bit flag is set on the system. - -Check that the no-execution bit flag is set with the following commands: - -$ sudo dmesg | grep NX - -[ 0.000000] NX (Execute Disable) protection: active - -If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: - -$ sudo grep flags /proc/cpuinfo -flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts - -The output should contain the "nx" flag. Is it the case that NX is disabled? - Configure the operating system to implement non-executable data to protect its memory from unauthorized code execution. - Reboot the system and enter the BIOS or Setup configuration menu. 
-Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located -under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) -on AMD-based systems. - medium - - - - - @@ -40125,67 +40125,6 @@ - - CCI-002696 - SRG-OS-000445-GPOS-00199 - TBD - Assigned by DISA after STIG release - The operating system must verify correct operation of all security functions. - - CCE-80869-1: Ensure SELinux State is Enforcing - - Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - The SELinux state should be set to at -system boot time. In the file /etc/selinux/config, add or correct the -following line to configure the system to boot into enforcing mode: -
SELINUX=
- Applicable - Configurable - Verify the operating system verifies correct operation of all security functions. If it does not, this is a finding. - Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. - -Check if "SELinux" is active and in "" mode with the following command: - -$ sudo getenforce - Is it the case that SELINUX is not set to enforcing? - Configure the operating system to verify correct operation of all security functions. - The SELinux state should be set to at -system boot time. In the file /etc/selinux/config, add or correct the -following line to configure the system to boot into enforcing mode: -
SELINUX=
- high - - - - - - - CCI-002696 - SRG-OS-000445-GPOS-00199 - TBD - Assigned by DISA after STIG release - The operating system must verify correct operation of all security functions. - - CCE-80844-4: Install AIDE - - Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - The aide package can be installed with the following command: -
-$ sudo yum install aide
- Applicable - Configurable - Verify the operating system verifies correct operation of all security functions. If it does not, this is a finding. - Run the following command to determine if the aide package is installed:
$ rpm -q aide
Is it the case that the package is not installed? - Configure the operating system to verify correct operation of all security functions. - The aide package can be installed with the following command: -
-$ sudo yum install aide
- medium - - - - - CCI-002696 SRG-OS-000445-GPOS-00199 @@ -40227,6 +40166,40 @@ + + CCI-002696 + SRG-OS-000445-GPOS-00199 + TBD - Assigned by DISA after STIG release + The operating system must verify correct operation of all security functions. + + CCE-80869-1: Ensure SELinux State is Enforcing + + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + The SELinux state should be set to at +system boot time. In the file /etc/selinux/config, add or correct the +following line to configure the system to boot into enforcing mode: +
SELINUX=
+ Applicable - Configurable + Verify the operating system verifies correct operation of all security functions. If it does not, this is a finding. + Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions. + +Check if "SELinux" is active and in "" mode with the following command: + +$ sudo getenforce + Is it the case that SELINUX is not set to enforcing? + Configure the operating system to verify correct operation of all security functions. + The SELinux state should be set to at +system boot time. In the file /etc/selinux/config, add or correct the +following line to configure the system to boot into enforcing mode: +
SELINUX=
+ high + + + + + CCI-002696 SRG-OS-000445-GPOS-00199 @@ -40285,6 +40258,33 @@ + + CCI-002696 + SRG-OS-000445-GPOS-00199 + TBD - Assigned by DISA after STIG release + The operating system must verify correct operation of all security functions. + + CCE-80844-4: Install AIDE + + Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + The aide package can be installed with the following command: +
+$ sudo yum install aide
+ Applicable - Configurable + Verify the operating system verifies correct operation of all security functions. If it does not, this is a finding. + Run the following command to determine if the aide package is installed:
$ rpm -q aide
Is it the case that the package is not installed? + Configure the operating system to verify correct operation of all security functions. + The aide package can be installed with the following command: +
+$ sudo yum install aide
+ medium + + + + + @@ -40394,65 +40394,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -40465,55 +40447,141 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium + + + + + + + CCI-000172 + SRG-OS-000458-GPOS-00203 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. + + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -40526,7 +40594,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -40536,66 +40604,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r openat /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep openat /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -40608,7 +40676,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -40618,66 +40686,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r truncate /etc/audit/rules.d +$ sudo grep -r ftruncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep truncate /etc/audit/audit.rules +$ sudo grep ftruncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -40690,65 +40758,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -40761,153 +40817,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000172 - SRG-OS-000458-GPOS-00203 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - +$ sudo grep -r creat /etc/audit/rules.d - - CCI-000172 - SRG-OS-000458-GPOS-00203 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod +$ sudo grep creat /etc/audit/audit.rules - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +The output should be the following: -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -40973,7 +40946,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -40983,23 +40956,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
+fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. @@ -41008,18 +40982,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -41032,7 +41007,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41042,24 +41017,20 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
+lchown system call, run the following command: +
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. @@ -41068,19 +41039,15 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -41093,7 +41060,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41103,60 +41070,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r creat /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep creat /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -41169,7 +41142,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41179,20 +41152,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lchown system call, run the following command: -
$ sudo grep "lchown" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. @@ -41201,15 +41178,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -41222,47 +41203,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
+setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
medium @@ -41275,70 +41264,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -41351,76 +41317,65 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r ftruncate /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep ftruncate /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
medium @@ -41433,7 +41388,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41443,66 +41398,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r open /etc/audit/rules.d +$ sudo grep -r truncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open /etc/audit/audit.rules +$ sudo grep truncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -41515,55 +41470,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -41639,6 +41586,59 @@ + + CCI-000172 + SRG-OS-000458-GPOS-00203 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. + + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to access security objects occur. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium + + + + + @@ -41650,7 +41650,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41660,66 +41660,60 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r openat /etc/audit/rules.d +$ sudo grep -r open_by_handle_at /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep openat /etc/audit/audit.rules +$ sudo grep open_by_handle_at /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -41732,7 +41726,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41742,66 +41736,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r truncate /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep truncate /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -41814,7 +41808,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41824,60 +41818,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r creat /etc/audit/rules.d +$ sudo grep -r ftruncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep creat /etc/audit/audit.rules +$ sudo grep ftruncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -41890,7 +41890,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41900,60 +41900,60 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r open_by_handle_at /etc/audit/rules.d +$ sudo grep -r creat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open_by_handle_at /etc/audit/audit.rules +$ sudo grep creat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -41966,7 +41966,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -41976,66 +41976,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r ftruncate /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep ftruncate /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -42048,7 +42048,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -42058,66 +42058,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r open /etc/audit/rules.d +$ sudo grep -r truncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open /etc/audit/audit.rules +$ sudo grep truncate /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -42135,39 +42135,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -42180,39 +42188,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. -$ sudo auditctl -l | grep postdrop +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. 
If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -42225,39 +42264,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + CCE-80698-4: Record Any Attempts to Run chcon Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: -$ sudo auditctl -l | grep userhelper +$ sudo auditctl -l | grep chcon --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -42270,7 +42309,57 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ low + + + + + + + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -42281,17 +42370,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. @@ -42301,12 +42390,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -42319,7 +42408,97 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + +$ sudo auditctl -l | grep postdrop + +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + + CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + +$ sudo auditctl -l | grep gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -42331,27 +42510,27 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. @@ -42362,22 +42541,22 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -42390,55 +42569,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+delete_module system call, run the following command: +
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -42451,53 +42618,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-90783-2: Configure immutable Audit login UIDs + CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - Configure kernel to prevent modification of login UIDs once they are set. -Changing login UIDs while this configuration is enforced requires special capabilities which -are not available to unprivileged users. -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make login UIDs -immutable: -
--loginuid-immutable
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make login UIDs -immutable: -
--loginuid-immutable
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to make login UIDs immutable, run -one of the following commands. -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), run the following: -
sudo grep immutable /etc/audit/rules.d/*.rules
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, run the following command: -
sudo grep immutable /etc/audit/audit.rules
-The following line should be returned: -
--loginuid-immutable
Is it the case that the system is not configured to make login UIDs immutable? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + +$ sudo auditctl -l | grep passwd + +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - Configure kernel to prevent modification of login UIDs once they are set. -Changing login UIDs while this configuration is enforced requires special capabilities which -are not available to unprivileged users. -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d in order to make login UIDs -immutable: -
--loginuid-immutable
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file in order to make login UIDs -immutable: -
--loginuid-immutable
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -42510,7 +42663,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -42520,66 +42673,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r openat /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep openat /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -42592,76 +42745,137 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
-$ sudo grep -r truncate /etc/audit/rules.d -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. -$ sudo grep truncate /etc/audit/audit.rules +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + medium + + + + -The output should be the following: + + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect media exportation +events for all users and root. 
If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +mount system call, run the following command: +
$ sudo grep "mount" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ medium + + + + -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + CCE-85944-7: Record Any Attempts to Run ssh-agent + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+$ sudo auditctl -l | grep ssh-agent + +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect any execution attempt +of the ssh-agent command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
medium @@ -42674,43 +42888,76 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. -$ sudo auditctl -l | grep /var/log/lastlog +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r ftruncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep ftruncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - The audit system already collects login information for all users -and root. 
If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -42723,7 +42970,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab + CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -42733,29 +42980,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: -$ sudo auditctl -l | grep crontab +$ sudo auditctl -l | grep sudo --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -42768,7 +43015,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount + CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -42778,29 +43025,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: -$ sudo auditctl -l | grep mount +$ sudo auditctl -l | grep kmod --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -42813,39 +43060,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-89446-9: Record Any Attempts to Run chacl + CCE-80700-8: Record Any Attempts to Run semanage Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -$ sudo auditctl -l | grep chacl +$ sudo auditctl -l | grep semanage --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -42858,47 +43105,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/group)' - --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -42911,7 +43154,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -42921,29 +43164,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: -$ sudo auditctl -l | grep ssh-keysign +$ sudo auditctl -l | grep chage --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -42956,39 +43199,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -43001,65 +43252,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -43072,7 +43301,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd + CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -43082,78 +43311,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep userhelper --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -mount system call, run the following command: -
$ sudo grep "mount" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -43166,7 +43346,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -43176,29 +43356,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: -$ sudo auditctl -l | grep unix_chkpwd +$ sudo auditctl -l | grep chsh --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -43211,92 +43391,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +$ sudo auditctl -l | grep -E '(/etc/passwd)' -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. - Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -
$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -43309,47 +43444,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -43362,43 +43503,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-89446-9: Record Any Attempts to Run chacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + +$ sudo auditctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -43411,39 +43548,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-82280-9: Record Any Attempts to Run setfiles + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. -$ sudo auditctl -l | grep setfiles +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r creat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. 
If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -43456,47 +43624,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + CCE-89480-8: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: + +$ sudo auditctl -l | grep unix_update + +-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -43509,43 +43669,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: + +$ sudo auditctl -l | grep unix_chkpwd + +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -43558,7 +43714,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -43569,21 +43725,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -43591,14 +43747,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -43611,138 +43767,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-89480-8: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update + CCE-80690-1: Record Events that Modify the System's Discretionary Access Controls - fchownat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: - -$ sudo auditctl -l | grep unix_update - --a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchownat system call, run the following command: +
$ sudo grep "fchownat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- low - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -43755,92 +43820,49 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: - -$ sudo auditctl -l | grep usermod - --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod +$ sudo auditctl -l | grep -E '(/etc/gshadow)' - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +-w /etc/gshadow -p wa -k identity -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -43853,7 +43875,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -43864,21 +43886,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/shadow)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -43886,14 +43908,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -43906,47 +43928,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80690-1: Record Events that Modify the System's Discretionary Access Controls - fchownat + CCE-80701-6: Record Any Attempts to Run setsebool Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchownat system call, run the following command: -
$ sudo grep "fchownat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + +$ sudo auditctl -l | grep setsebool + +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -43959,39 +43973,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80698-4: Record Any Attempts to Run chcon + CCE-80736-2: Ensure auditd Collects Information on the Use of Privileged Commands - su Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: -$ sudo auditctl -l | grep chcon +$ sudo auditctl -l | grep su --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -44004,53 +44018,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown + CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+$ sudo auditctl -l | grep postqueue +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -44063,7 +44063,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage + CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -44073,29 +44073,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: -$ sudo auditctl -l | grep chage +$ sudo auditctl -l | grep mount --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -44108,39 +44108,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-88437-9: Record Any Attempts to Run setfacl + CCE-90783-2: Configure immutable Audit login UIDs Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Configure kernel to prevent modification of login UIDs once they are set. +Changing login UIDs while this configuration is enforced requires special capabilities which +are not available to unprivileged users. +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make login UIDs +immutable: +
--loginuid-immutable
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make login UIDs +immutable: +
--loginuid-immutable
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: - -$ sudo auditctl -l | grep setfacl - --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to make login UIDs immutable, run +one of the following commands. +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), run the following: +
sudo grep immutable /etc/audit/rules.d/*.rules
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, run the following command: +
sudo grep immutable /etc/audit/audit.rules
+The following line should be returned: +
--loginuid-immutable
Is it the case that the system is not configured to make login UIDs immutable? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Configure kernel to prevent modification of login UIDs once they are set. +Changing login UIDs while this configuration is enforced requires special capabilities which +are not available to unprivileged users. +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make login UIDs +immutable: +
--loginuid-immutable
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make login UIDs +immutable: +
--loginuid-immutable
medium @@ -44153,7 +44167,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80736-2: Ensure auditd Collects Information on the Use of Privileged Commands - su + CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -44163,29 +44177,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -$ sudo auditctl -l | grep su +$ sudo auditctl -l | grep crontab --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -44198,39 +44212,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80700-8: Record Any Attempts to Run semanage + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: - -$ sudo auditctl -l | grep semanage - --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -44243,55 +44261,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + +$ sudo auditctl -l | grep/etc/sudoers.d + +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers.d/ -p wa -k actions
medium @@ -44304,7 +44306,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -44314,29 +44316,33 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -$ sudo auditctl -l | grep gpasswd +$ sudo auditctl -l | grep pam_timestamp_check --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -44349,47 +44355,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-82280-9: Record Any Attempts to Run setfiles Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: -$ sudo auditctl -l | grep -E '(/etc/shadow)' +$ sudo auditctl -l | grep setfiles --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -44402,170 +44400,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r creat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep creat /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: - -$ sudo auditctl -l | grep newgrp - --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' - --w /etc/gshadow -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -44631,39 +44514,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: -$ sudo auditctl -l | grep kmod +$ sudo auditctl -l | grep /var/log/lastlog --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
medium @@ -44676,48 +44563,45 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ low @@ -44729,7 +44613,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -44739,60 +44623,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
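Review bot: the new OCIL check text for audit_backlog_limit contradicts itself on GRUB_DISABLE_RECOVERY. It says "If this option is set to true, then check ... GRUB_CMDLINE_LINUX_DEFAULT" and directly after "If the recovery is disabled, check the line with ... GRUB_CMDLINE_LINUX", but GRUB_DISABLE_RECOVERY set to true is precisely the state in which recovery entries are disabled, so both sentences describe the same case and the reader cannot tell which variable must carry the parameter. Reword to make the two cases explicit, e.g. "If GRUB_DISABLE_RECOVERY is set to true, GRUB_CMDLINE_LINUX_DEFAULT is sufficient; if it is not set to true (recovery entries are generated), the parameter must appear in GRUB_CMDLINE_LINUX." Separately, the same hunk lowers the severity from medium to low while the rule stays under the "modify privileges" SRG text; a kernel audit backlog size has nothing to do with privilege changes, so it is worth confirming this mapping is intended rather than a by-product of the regrouping.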
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r open_by_handle_at /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep open_by_handle_at /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -44805,158 +44695,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
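Review bot: in the new openat rule the check and the remediation disagree on key syntax. The check says "The output should be the following" and lists lines ending in `-k access`, while the fix text added in the same hunk ends every line in `-F key=access`. auditctl treats the two as the same key, but an auditor comparing grep output literally against the expected lines will flag a host remediated exactly as this rule instructs; use one form in both places. Minor: the check prose carries over the doubled "program to to read audit rules" from the removed open_by_handle_at text. The removed auditctl-path lines bundled `open_by_handle_at,truncate,ftruncate` in one `-S` list while the augenrules path listed a single syscall; the replacement openat text is consistent across both paths, so no action needed there beyond noting the old inconsistency is gone.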
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r ftruncate /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep ftruncate /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -44969,7 +44756,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -44979,24 +44766,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. @@ -45005,19 +44792,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
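Review bot: the new setxattr check, `grep "setxattr" /etc/audit/audit.*`, also matches the `fsetxattr` and `lsetxattr` rules (the lsetxattr rule sits two entries above in this same diff), so a host that audits only lsetxattr passes the setxattr check. Use a word match, e.g. `grep -w setxattr /etc/audit/audit.*`, or match the syscall token explicitly (`grep -E -- '-S setxattr( |,)'`), and apply the same fix to the removed fsetxattr text if it is re-added elsewhere.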
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
medium @@ -45030,108 +44817,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-85944-7: Record Any Attempts to Run ssh-agent + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-w /etc/sudoers -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: - -$ sudo auditctl -l | grep ssh-agent - --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
- medium - - - - - - - CCI-000172 - SRG-OS-000462-GPOS-00206 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +$ sudo auditctl -l | grep /etc/sudoers -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-w /etc/sudoers -p wa -k actions
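Review bot: the check and the fix text for the /etc/sudoers rule (CCE-90175-1) disagree on the audit key. The remediation tells the administrator to add `-w /etc/sudoers -p wa -k actions`, but the check's expected `auditctl -l` output is `-w /etc/sudoers -p wa -k identity`, and the check prompt speaks of "account creations, modifications, disabling, and termination events", which is the wording of the identity-file rules, not of the administrator-actions rule the description announces. A system remediated exactly as instructed would therefore not reproduce the line the assessor is told to look for. Use one key in both places (the description says "administrator actions", so `actions` fits), and reword the check prompt to match.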
medium @@ -45144,7 +44862,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -45154,29 +44872,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: -$ sudo auditctl -l | grep postqueue +$ sudo auditctl -l | grep ssh-keysign --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
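Review bot: the expected output in the ssh-keysign check does not match the rule the fix text installs. The fix adds `-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`, while the check shows `... -k privileged-ssh-keysign`. `auditctl -l` prints the key that was actually loaded, so a system configured per the fix text shows `-k privileged`; only the loose `grep ssh-keysign` hides the discrepancy. Either use the same key in the fix text or state that the key value is not assessed. The removed postqueue text had the same problem plus a path mismatch (check showed `/usr/bin/postqueue` against a rule for `/usr/sbin/postqueue`), so this is worth fixing in the template rather than per rule.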
medium @@ -45189,45 +44907,48 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
- low + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
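Review bot: the fchmodat rules only match `auid>=1000`, yet the description claims the audit system collects file permission changes "for all users and root". A session whose login UID is 0 (a direct root login) is excluded by `auid>=1000`; the removexattr and fremovexattr text in this same group adds a second `-F auid=0 -F key=perm_mod` rule for exactly that case, so fchmodat should either carry the same `auid=0` companion rule or the wording should not promise root coverage. Separately, the severity for this slot moves from `low` to `medium` because the GRUB `audit=1` rule was swapped out for fchmodat; that is consistent with the other syscall rules in the group, but confirm the reorder is intended rather than a side effect of the publish job.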
+ medium @@ -45239,39 +44960,65 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: - -$ sudo auditctl -l | grep sudo - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
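Review bot: the fremovexattr check is much weaker than its fix. `grep "fremovexattr" /etc/audit/audit.*` passes as soon as any single line mentions the syscall, so it cannot tell whether the `arch=b64` rule, the `auid=0` rule, or even a commented-out line is what matched, and `/etc/audit/audit.*` does not look under `/etc/audit/rules.d/`, which is where the fix text tells the administrator to write the rule when augenrules is in use (it only reaches `/etc/audit/audit.rules` once `augenrules --load` regenerates that file). Consider checking the loaded rule set with `auditctl -l | grep fremovexattr`, as the privileged-command checks in this group already do, and require both the b32 and b64 lines.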
medium @@ -45333,44 +45080,77 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: +$ sudo grep -r truncate /etc/audit/rules.d -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. - medium +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
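Review bot: in the truncate check, the "output should be the following" block is written with `-k access` and lists the EPERM rules before the EACCES ones, but this check greps the rule files (`/etc/audit/rules.d` or `/etc/audit/audit.rules`) rather than `auditctl -l`, so it sees the text exactly as written, and the fix text writes `-F key=access` with EACCES first. A system remediated exactly per the fix text would not reproduce the listed output. Either show the `-F key=access` form in the check or grep the loaded rules via `auditctl -l`, where the key is normalised to `-k`. The closing question ("does not return a line") also understates the requirement, which is that all four lines (both architectures, EACCES and EPERM) are present.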
+ medium @@ -45382,39 +45162,84 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80701-6: Record Any Attempts to Run setsebool + CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + +$ sudo auditctl -l | grep usermod + +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + + CCE-88437-9: Record Any Attempts to Run setfacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: -$ sudo auditctl -l | grep setsebool +$ sudo auditctl -l | grep setfacl --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd +of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -45427,39 +45252,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
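Review bot: three check/fix mismatches in this hunk. For usermod (CCE-86027-0) the fix text installs `-F path=/usr/sbin/usermod -F perm=x ... -F key=privileged`, but the check's expected line is `-F path=/usr/bin/usermod ... -k privileged-usermod`; RHEL 8 keeps /usr/sbin separate from /usr/bin and `auditctl -l` prints the path and key as loaded, so the expected line cannot appear on a system fixed as instructed, and only the loose `grep usermod` masks that. For setfacl (CCE-88437-9) the fix uses `-F key=privileged` while the check expects `-k perm_mod`, and "add the following lines" precedes a single line. For chmod (CCE-80685-1) the check `grep "chmod" /etc/audit/audit.*` also matches `fchmod` and `fchmodat` rules, so a system with only those rules would pass the chmod check; anchor the pattern (for example `-S chmod `) or check `auditctl -l` for the exact syscall.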
medium @@ -45472,7 +45305,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount + CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -45482,29 +45315,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: -$ sudo auditctl -l | grep umount +$ sudo auditctl -l | grep newgrp --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -45517,7 +45350,125 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ medium + + + + + + + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ medium + + + + + + + CCI-000172 + SRG-OS-000462-GPOS-00206 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. + + CCE-80739-6: Ensure auditd Collects Information on the Use of Privileged Commands - umount Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -45527,170 +45478,132 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "umount" command with the following command: -$ sudo auditctl -l | grep pam_timestamp_check +$ sudo auditctl -l | grep umount --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium - - - - - CCI-000172 - SRG-OS-000463-GPOS-00207 + SRG-OS-000462-GPOS-00206 TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. + The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. + Verify the operating system generates audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium + + + + + CCI-000172 SRG-OS-000463-GPOS-00207 TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80698-4: Record Any Attempts to Run chcon Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + +$ sudo auditctl -l | grep chcon + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -45774,39 +45687,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. - CCE-82280-9: Record Any Attempts to Run setfiles + CCE-80700-8: Record Any Attempts to Run semanage Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd +of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep semanage --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd +of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -45819,39 +45732,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. - CCE-80698-4: Record Any Attempts to Run chcon + CCE-80701-6: Record Any Attempts to Run setsebool Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: -$ sudo auditctl -l | grep chcon +$ sudo auditctl -l | grep setsebool --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -45864,39 +45777,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. - CCE-80700-8: Record Any Attempts to Run semanage + CCE-82280-9: Record Any Attempts to Run setfiles Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd +of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: -$ sudo auditctl -l | grep semanage +$ sudo auditctl -l | grep setfiles --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd +of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -45970,63 +45883,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -46039,95 +45944,145 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. - CCE-80701-6: Record Any Attempts to Run setsebool + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: - -$ sudo auditctl -l | grep setsebool - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
medium - - - - - CCI-000172 - SRG-OS-000465-GPOS-00209 + SRG-OS-000463-GPOS-00207 TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. + The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. - CCE-82280-9: Record Any Attempts to Run setfiles + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: - -$ sudo auditctl -l | grep setfiles - --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Verify the operating system generates audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify security objects occur. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
medium + + + + + CCI-000172 SRG-OS-000465-GPOS-00209 @@ -46263,6 +46218,51 @@ + + CCI-000172 + SRG-OS-000465-GPOS-00209 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. + + CCE-82280-9: Record Any Attempts to Run setfiles + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + +$ sudo auditctl -l | grep setfiles + +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. + At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + @@ -46274,7 +46274,60 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium + + + + + + + CCI-000172 + SRG-OS-000466-GPOS-00210 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. + + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -46285,17 +46338,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. @@ -46305,12 +46358,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -46323,7 +46376,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -46335,27 +46388,27 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. @@ -46366,22 +46419,22 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -46394,55 +46447,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: + +$ sudo auditctl -l | grep sudo + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -46455,39 +46492,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-89446-9: Record Any Attempts to Run chacl + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: - -$ sudo auditctl -l | grep chacl - --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -46500,7 +46541,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -46511,21 +46552,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -46533,14 +46574,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -46553,39 +46594,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions + At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: - -$ sudo auditctl -l | grep/etc/sudoers.d - --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect administrator actions + At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -46598,65 +46643,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes:

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes:

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/passwd)' + +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes:

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes:

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -46669,43 +46696,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -46718,47 +46755,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-89446-9: Record Any Attempts to Run chacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + +$ sudo auditctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -46771,43 +46800,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/group)' + +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/group -p wa -k audit_rules_usergroup_modification
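Review bot: the key in the check text does not match the key in the fix text for this /etc/group hunk: the check expects `auditctl -l` to print `-w /etc/group -p wa -k identity`, while the fix instructs the administrator to add `-w /etc/group -p wa -k audit_rules_usergroup_modification`. An assessor comparing the output literally would mark a system remediated exactly as documented as a finding. Either use the same key in both places or state in the check text that the key name may differ.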
medium @@ -46820,47 +46853,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + CCE-80690-1: Record Events that Modify the System's Discretionary Access Controls - fchownat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
+fchownat system call, run the following command: +
$ sudo grep "fchownat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -46873,43 +46906,49 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/gshadow)' + +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the + If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
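Review bot: the /etc/gshadow check text is inconsistent with its siblings in the same hunk series. It carries both the sentence "If the command does not return a line, or the line is commented out, this is a finding." and the closing question "Is it the case that the system is not configured to audit account changes?", whereas the /etc/group and /etc/shadow entries end only with "Is it the case that the command does not return a line, or the line is commented out?". Pick one phrasing for all three. The same `-k identity` (check) versus `-k audit_rules_usergroup_modification` (fix) key mismatch noted for /etc/group applies here too.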
medium @@ -46922,7 +46961,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -46933,21 +46972,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
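Review bot: the rewritten check text in this /etc/shadow hunk names the wrong file and has an unbalanced quote: `affect "/etc/passwd with the following command` appears in a rule whose fix, grep pattern and expected output all refer to /etc/shadow. Change it to `affect "/etc/shadow" with the following command`. The closing question also drops a word: "Is it the case that command does not return a line" should read "that the command does not return a line", matching the other entries.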
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo auditctl -l | grep -E '(/etc/shadow)' --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -46955,14 +46994,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -46975,7 +47014,52 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir + CCE-80736-2: Ensure auditd Collects Information on the Use of Privileged Commands - su + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: + +$ sudo auditctl -l | grep su + +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
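Review bot: the verification command in this new su hunk, `$ sudo auditctl -l | grep su`, is too loose for a pass/fail check: it matches any loaded rule whose text contains "su", for example a `/usr/bin/sudo` path rule or a `/etc/sudoers` watch, so a system with no su rule at all can still "return a line". Anchoring the pattern on the full path, e.g. `grep -w '/usr/bin/su'`, would make the check meaningful. Separately, the expected output line ends in `-k privileged-su` while the fix text tells the administrator to add `-F key=privileged`; align the two so a literal comparison does not fail a correctly remediated host.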
+ medium + + + + + + + CCI-000172 + SRG-OS-000466-GPOS-00210 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. + + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -46986,17 +47070,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
+unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. @@ -47006,12 +47090,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -47024,39 +47108,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep/etc/sudoers.d --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
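Review bot: the check command in this /etc/sudoers.d/ hunk is missing a space, `$ sudo auditctl -l | grep/etc/sudoers.d`, so as written the shell looks for a program named `grep/etc/sudoers.d` and the pipeline fails rather than checking anything; it should be `grep /etc/sudoers.d`. The expected output `-w /etc/sudoers.d/ -p wa -k identity` also disagrees with the fix text's `-k actions`, and the sentence "generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/"" was carried over from the user/group rules; sudoers.d changes are administrator actions, not account lifecycle events, so the description should say so.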
medium @@ -47069,47 +47153,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
+fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
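Review bot: the fsetxattr rule text in this hunk now lists two rules per architecture (the `-F auid>=1000 -F auid!=unset` form and the `-F auid=0` form) in all four places, but the surrounding prose still says "add the following line"; change it to "add the following lines" so the second rule is not read as optional. The check, `$ sudo grep "fsetxattr" /etc/audit/audit.*`, returns a line when either rule is present, so it cannot tell that the `auid=0` rule is missing; if both rules are required, the check text should say so or grep for each.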
medium @@ -47122,60 +47214,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/passwd)' - --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
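Review bot: this hunk removes the whole CCE-80761-0 block (the `-w /etc/passwd -p wa -k audit_rules_usergroup_modification` watch, its check and its fix) from the SRG-OS-000466-GPOS-00210 group and re-titles the following entry from CCE-80690-1 (fchownat) to CCE-80693-5 (lchown). The /etc/passwd watch does not reappear anywhere in the visible part of this diff while /etc/group, /etc/gshadow, /etc/shadow and /etc/security/opasswd all keep their entries, so please confirm the /etc/passwd rule was relocated under another SRG mapping rather than dropped from the guide.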
- medium - - - - - - - CCI-000172 - SRG-OS-000466-GPOS-00210 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - - CCE-80690-1: Record Events that Modify the System's Discretionary Access Controls - fchownat + CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -47185,20 +47224,20 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchownat system call, run the following command: -
$ sudo grep "fchownat" /etc/audit/audit.*
+lchown system call, run the following command: +
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. @@ -47207,15 +47246,15 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -47228,7 +47267,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -47238,23 +47277,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. @@ -47263,63 +47303,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000172 - SRG-OS-000466-GPOS-00210 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - - CCE-80736-2: Ensure auditd Collects Information on the Use of Privileged Commands - su - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "su" command with the following command: - -$ sudo auditctl -l | grep su - --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -47393,47 +47389,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: -$ sudo auditctl -l | grep -E '(/etc/shadow)' +$ sudo auditctl -l | grep /etc/sudoers --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k actions
medium @@ -47446,49 +47434,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' - --w /etc/gshadow -p wa -k identity - -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -47501,47 +47487,65 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lchown system call, run the following command: -
$ sudo grep "lchown" /etc/audit/audit.*
+fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
medium @@ -47554,47 +47558,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + +$ sudo auditctl -l | grep usermod + +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -47607,55 +47603,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -47737,39 +47725,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: - -$ sudo auditctl -l | grep sudo - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -47782,41 +47774,49 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete privileges occur. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
- medium - +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium + @@ -47832,7 +47832,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -47843,17 +47843,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security levels occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security levels occur. @@ -47863,12 +47863,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -47881,7 +47881,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -47892,17 +47892,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security levels occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
+unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security levels occur. @@ -47912,12 +47912,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -47930,7 +47930,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -47941,17 +47941,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security levels occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security levels occur. @@ -47961,12 +47961,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -47979,7 +47979,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur. - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -47990,17 +47990,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security levels occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
+unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security levels occur. @@ -48010,12 +48010,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -48028,7 +48028,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur. - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -48039,17 +48039,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security levels occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
+renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security levels occur. @@ -48059,12 +48059,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -48082,114 +48082,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-000172 - SRG-OS-000468-GPOS-00212 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80698-4: Record Any Attempts to Run chcon Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: + +$ sudo auditctl -l | grep chcon + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix + At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -48202,55 +48127,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -48334,7 +48247,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -48345,17 +48258,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
+unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. @@ -48365,12 +48278,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -48383,43 +48296,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: + +$ sudo auditctl -l | grep chage + +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -48432,7 +48341,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -48443,17 +48352,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. @@ -48463,12 +48372,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -48481,7 +48390,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -48492,17 +48401,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
+unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. @@ -48512,102 +48421,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
- medium - - - - - - - CCI-000172 - SRG-OS-000468-GPOS-00212 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - - CCE-80698-4: Record Any Attempts to Run chcon - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: - -$ sudo auditctl -l | grep chcon - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000172 - SRG-OS-000468-GPOS-00212 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - - CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: - -$ sudo auditctl -l | grep chage - --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -48681,104 +48500,285 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium - - - - - CCI-000172 - SRG-OS-000470-GPOS-00214 + SRG-OS-000468-GPOS-00212 TBD - Assigned by DISA after STIG release - The operating system must generate audit records when successful/unsuccessful logon attempts occur. + The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+ medium + + + + + + + CCI-000172 + SRG-OS-000468-GPOS-00212 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. + + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. + At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ medium + + + + + + + CCI-000172 + SRG-OS-000468-GPOS-00212 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. + + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ Applicable - Configurable + Verify the operating system generates audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records when successful/unsuccessful attempts to delete security objects occur. + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ medium + + + + + + + + + + + + CCI-000172 + SRG-OS-000470-GPOS-00214 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records when successful/unsuccessful logon attempts occur. + + CCE-80718-0: Record Attempts to Alter Logon and Logout Events - faillock + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w  -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+
-w  -p wa -k logins
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep /var/log/lastlog +$ sudo auditctl -l | grep --w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? +-w -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the @@ -48786,12 +48786,12 @@ default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+
-w  -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+
-w  -p wa -k logins
medium @@ -48804,7 +48804,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful logon attempts occur. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -48815,21 +48815,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: -$ sudo auditctl -l | grep -E '(/etc/group)' +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -48837,14 +48837,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -48857,39 +48857,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful logon attempts occur. - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep/etc/sudoers.d +$ sudo auditctl -l | grep -E '(/etc/passwd)' --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -48902,7 +48910,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful logon attempts occur. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -48913,21 +48921,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -48935,14 +48943,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -48955,7 +48963,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful logon attempts occur. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -48966,21 +48974,23 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/gshadow)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/gshadow -p wa -k identity + +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -48988,14 +48998,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -49061,43 +49071,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful logon attempts occur. - CCE-80718-0: Record Attempts to Alter Logon and Logout Events - faillock + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: -$ sudo auditctl -l | grep +$ sudo auditctl -l | grep/etc/sudoers.d --w -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w  -p wa -k logins
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
medium @@ -49110,49 +49116,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful logon attempts occur. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: --w /etc/gshadow -p wa -k identity +$ sudo auditctl -l | grep /var/log/lastlog -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur. - If the auditd daemon is configured to use the + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
medium @@ -49215,39 +49215,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -49260,39 +49268,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. -$ sudo auditctl -l | grep postdrop +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: --a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? +$ sudo grep -r open_by_handle_at /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep open_by_handle_at /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. 
If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -49305,39 +49344,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + CCE-80698-4: Record Any Attempts to Run chcon Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: -$ sudo auditctl -l | grep userhelper +$ sudo auditctl -l | grep chcon --a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -49350,7 +49389,57 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ Applicable - Configurable + Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? + Configure the operating system to generate audit records for privileged activities or other system-level access. + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ low + + + + + + + CCI-000172 + SRG-OS-000471-GPOS-00215 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for privileged activities or other system-level access. + + CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -49361,17 +49450,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlink system call, run the following command: -
$ sudo grep "unlink" /etc/audit/audit.*
+rename system call, run the following command: +
$ sudo grep "rename" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. @@ -49381,12 +49470,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -49399,7 +49488,97 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80732-1: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postdrop" command with the following command: + +$ sudo auditctl -l | grep postdrop + +-a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000172 + SRG-OS-000471-GPOS-00215 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for privileged activities or other system-level access. + + CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + +$ sudo auditctl -l | grep gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000172 + SRG-OS-000471-GPOS-00215 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for privileged activities or other system-level access. + + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -49411,27 +49590,27 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. @@ -49442,22 +49621,22 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -49470,55 +49649,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+delete_module system call, run the following command: +
$ sudo grep "delete_module" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -49531,76 +49698,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat + CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r openat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep openat /etc/audit/audit.rules + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: -The output should be the following: +$ sudo auditctl -l | grep passwd --a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -49613,7 +49743,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate + CCE-80753-7: Record Unsuccessful Access Attempts to Files - open Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -49623,66 +49753,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r truncate /etc/audit/rules.d +$ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep truncate /etc/audit/audit.rules +$ sudo grep open /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -49695,88 +49825,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- Applicable - Configurable - Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: - -$ sudo auditctl -l | grep /var/log/lastlog - --w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- medium - - - - + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - - CCI-000172 - SRG-OS-000471-GPOS-00215 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for privileged activities or other system-level access. +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records for privileged activities or other system-level access. + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -$ sudo auditctl -l | grep crontab +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. medium @@ -49789,39 +49874,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount + CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: - -$ sudo auditctl -l | grep mount - --a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +mount system call, run the following command: +
$ sudo grep "mount" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
medium @@ -49834,39 +49923,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-89446-9: Record Any Attempts to Run chacl + CCE-85944-7: Record Any Attempts to Run ssh-agent Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: -$ sudo auditctl -l | grep chacl +$ sudo auditctl -l | grep ssh-agent --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect any execution attempt -of the chacl command for all users and root. If the auditd +of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
medium @@ -49879,208 +49968,76 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group + CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-$ sudo auditctl -l | grep -E '(/etc/group)' +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
--w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
- medium - - - - - - - CCI-000172 - SRG-OS-000471-GPOS-00215 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for privileged activities or other system-level access. - - CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: - -$ sudo auditctl -l | grep ssh-keysign - --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000172 - SRG-OS-000471-GPOS-00215 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for privileged activities or other system-level access. - - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
- Applicable - Configurable - Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: - -$ sudo auditctl -l | grep/etc/sudoers.d - --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
- medium - - - - - - - CCI-000172 - SRG-OS-000471-GPOS-00215 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for privileged activities or other system-level access. - - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r ftruncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep ftruncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
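Review bot: the added check text for ftruncate has a duplicated word ("program to to read audit rules") and its expected output does not match the fix text literally. The check greps the rules files and says "The output should be the following", listing four lines written with `-k access` in EPERM-then-EACCES order, while the fix text tells the administrator to write `-F key=access` in EACCES-then-EPERM order; a system configured exactly as instructed would show lines that differ from the listed output. Either state that `-k access` and `-F key=access` are equivalent spellings of the key, or use one spelling and order in both places. The closing question ("does not return a line, or the line is commented out") also does not require all four lines (b32 and b64, EACCES and EPERM) to be present, which is what the fix text asks for on a 64-bit system.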
medium @@ -50093,7 +50050,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80731-3: Ensure auditd Collects Information on the Use of Privileged Commands - passwd + CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -50103,29 +50060,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "passwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: -$ sudo auditctl -l | grep passwd +$ sudo auditctl -l | grep sudo --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
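Review bot: the check and fix text for the sudo rule disagree on the audit key. The check's expected `auditctl -l` line ends in `-k privileged-sudo`, but both added fix lines use `-F key=privileged`, so the rule an administrator adds from the fix text will not look like the line the check shows. Use the same key in both, or state that the grep on "sudo" matches either key.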
medium @@ -50138,43 +50095,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80722-2: Ensure auditd Collects Information on Exporting to Media (successful) + CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -mount system call, run the following command: -
$ sudo grep "mount" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: + +$ sudo auditctl -l | grep kmod + +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
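Review bot: same key mismatch here as in the sudo rule: the check expects `-k privileged-kmod` while the added fix lines write `-F key=privileged`. Align the key name between the fix text and the expected check output.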
medium @@ -50187,39 +50140,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + CCE-80700-8: Record Any Attempts to Run semanage Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: -$ sudo auditctl -l | grep unix_chkpwd +$ sudo auditctl -l | grep semanage --a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
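Review bot: the expected check output for the semanage rule ends in `-k privileged-unix-update`, which does not correspond to semanage and reads like a key carried over from another rule; the added fix lines use `-F key=privileged`. Use a semanage-specific key (or the shared `privileged` key) consistently in the check and fix text. The fix text also says "add the following lines" for a single rule line.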
medium @@ -50232,7 +50185,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80703-2: Ensure auditd Collects File Deletion Events by User - rename + CCE-80706-5: Ensure auditd Collects File Deletion Events by User - unlink Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -50243,17 +50196,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -rename system call, run the following command: -
$ sudo grep "rename" /etc/audit/audit.*
+unlink system call, run the following command: +
$ sudo grep "unlink" /etc/audit/audit.*
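Review bot: the check for the unlink rule only greps `/etc/audit/audit.*`, which covers /etc/audit/audit.rules but not the `.rules` files under /etc/audit/rules.d that the fix text names as the default (augenrules) location; a system configured exactly per the default path would appear to fail this check. Grep /etc/audit/rules.d as well, as the ftruncate check in this same patch does, or inspect the loaded rules with `auditctl -l`. Note also that a bare grep for "unlink" also matches unlinkat rules, so a match does not by itself prove the unlink rule is present, and the check does not verify that both b32 and b64 lines exist on a 64-bit system.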
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. @@ -50263,12 +50216,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -50281,43 +50234,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80711-5: Ensure auditd Collects Information on Kernel Module Unloading - delete_module + CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -delete_module system call, run the following command: -
$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records for privileged activities or other system-level access. - To capture kernel module unloading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. +$ sudo auditctl -l | grep chage -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -50330,47 +50279,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmodat system call, run the following command: -
$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + +$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' + +-w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
medium @@ -50383,7 +50332,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat + CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -50394,17 +50343,17 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -unlinkat system call, run the following command: -
$ sudo grep "unlinkat" /etc/audit/audit.*
+rmdir system call, run the following command: +
$ sudo grep "rmdir" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. @@ -50414,12 +50363,12 @@ default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: -
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -50432,39 +50381,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-82280-9: Record Any Attempts to Run setfiles + CCE-80741-2: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "userhelper" command with the following command: -$ sudo auditctl -l | grep setfiles +$ sudo auditctl -l | grep userhelper --a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect any execution attempt -of the setfiles command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -50477,96 +50426,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod + CCE-80726-3: Ensure auditd Collects Information on the Use of Privileged Commands - chsh Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchmod system call, run the following command: -
$ sudo grep "fchmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000172 - SRG-OS-000471-GPOS-00215 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for privileged activities or other system-level access. - - CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chsh" command with the following command: - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +$ sudo auditctl -l | grep chsh -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
- Applicable - Configurable - Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -renameat system call, run the following command: -
$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -50579,7 +50471,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80760-2: Record Events that Modify User/Group Information - /etc/security/opasswd + CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -50590,21 +50482,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: -$ sudo auditctl -l | grep -E '(/etc/security/opasswd)' +$ sudo auditctl -l | grep -E '(/etc/passwd)' --w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -50612,14 +50504,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
medium @@ -50632,39 +50524,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-89480-8: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: + To determine if the system is configured to audit calls to the +fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-$ sudo auditctl -l | grep unix_update +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ +If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -50677,45 +50583,40 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon + CCE-89446-9: Record Any Attempts to Run chacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit_backlog_limit=8192, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
-The command should not return any output. Is it the case that audit backlog limit is not configured? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chacl" command with the following command: + +$ sudo auditctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - To improve the kernel capacity to queue all log events, even those which occurred -prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit_backlog_limit=8192 is added as a kernel command line -argument to newly installed kernels, add audit_backlog_limit=8192 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- low + At a minimum, the audit system should collect any execution attempt +of the chacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium @@ -50727,43 +50628,70 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80705-7: Ensure auditd Collects File Deletion Events by User - rmdir + CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -rmdir system call, run the following command: -
$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r creat /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep creat /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file deletion events -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following line to a file with suffix .rules in the -directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
medium @@ -50776,7 +50704,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod + CCE-89480-8: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -50786,29 +50714,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_update" command with the following command: -$ sudo auditctl -l | grep usermod +$ sudo auditctl -l | grep unix_update --a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -50821,47 +50749,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod + CCE-80740-4: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -chmod system call, run the following command: -
$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "unix_chkpwd" command with the following command: + +$ sudo auditctl -l | grep unix_chkpwd + +-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -50874,7 +50794,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80761-0: Record Events that Modify User/Group Information - /etc/passwd + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -50885,21 +50805,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/passwd)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -50907,14 +50827,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -50980,98 +50900,49 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80698-4: Record Any Attempts to Run chcon + CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chcon" command with the following command: - -$ sudo auditctl -l | grep chcon - --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect any execution attempt -of the chcon command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- medium - - - - - - - CCI-000172 - SRG-OS-000471-GPOS-00215 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for privileged activities or other system-level access. - - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+$ sudo auditctl -l | grep -E '(/etc/gshadow)' -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+-w /etc/gshadow -p wa -k identity -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- Applicable - Configurable - Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? +If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- -If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
medium @@ -51084,39 +50955,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80725-5: Ensure auditd Collects Information on the Use of Privileged Commands - chage + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "chage" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: -$ sudo auditctl -l | grep chage +$ sudo auditctl -l | grep -E '(/etc/shadow)' --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
medium @@ -51129,39 +51008,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-88437-9: Record Any Attempts to Run setfacl + CCE-80701-6: Record Any Attempts to Run setsebool Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: -$ sudo auditctl -l | grep setfacl +$ sudo auditctl -l | grep setsebool --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect any execution attempt -of the setfacl command for all users and root. If the auditd +of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -51219,39 +51098,72 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80700-8: Record Any Attempts to Run semanage + CCE-82168-6: Log USBGuard daemon audit events using Linux Audit Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ To configure USBGuard daemon to log via Linux Audit +(as opposed directly to a file), +AuditBackend option in /etc/usbguard/usbguard-daemon.conf +needs to be set to LinuxAudit. + Applicable - Configurable + Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. + To verify that Linux Audit logging is enabled for the USBGuard daemon, +run the following command: +
$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
+The output should be +
AuditBackend=LinuxAudit
Is it the case that AuditBackend is not set to LinuxAudit? + Configure the operating system to generate audit records for privileged activities or other system-level access. + To configure USBGuard daemon to log via Linux Audit +(as opposed directly to a file), +AuditBackend option in /etc/usbguard/usbguard-daemon.conf +needs to be set to LinuxAudit. + low + + + + + + + CCI-000172 + SRG-OS-000471-GPOS-00215 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for privileged activities or other system-level access. + + CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "semanage" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: -$ sudo auditctl -l | grep semanage +$ sudo auditctl -l | grep postqueue --a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect any execution attempt -of the semanage command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -51264,55 +51176,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr + CCE-80989-7: Ensure auditd Collects Information on the Use of Privileged Commands - mount Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -setxattr system call, run the following command: -
$ sudo grep "setxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "mount" command with the following command: + +$ sudo auditctl -l | grep mount + +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -51325,7 +51221,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80728-9: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + CCE-80727-1: Ensure auditd Collects Information on the Use of Privileged Commands - crontab Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -51335,29 +51231,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "gpasswd" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "crontab" command with the following command: -$ sudo auditctl -l | grep gpasswd +$ sudo auditctl -l | grep crontab --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -51370,47 +51266,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-80707-3: Ensure auditd Collects File Deletion Events by User - unlinkat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: - -$ sudo auditctl -l | grep -E '(/etc/shadow)' - --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +
$ sudo grep "unlinkat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - If the auditd daemon is configured to use the + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -51423,70 +51315,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80751-1: Record Unsuccessful Access Attempts to Files - creat + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-w /etc/sudoers.d/ -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the creat system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r creat /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep creat /etc/audit/audit.rules + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: -The output should be the following: +$ sudo auditctl -l | grep/etc/sudoers.d --a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-w /etc/sudoers.d/ -p wa -k actions
medium @@ -51499,7 +51360,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -51509,29 +51370,33 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: -$ sudo auditctl -l | grep newgrp +$ sudo auditctl -l | grep pam_timestamp_check --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/pam_timestamp_check
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -51544,49 +51409,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80759-4: Record Events that Modify User/Group Information - /etc/gshadow + CCE-82280-9: Record Any Attempts to Run setfiles Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/gshadow)' + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfiles" command with the following command: --w /etc/gshadow -p wa -k identity +$ sudo auditctl -l | grep setfiles -If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

+ At a minimum, the audit system should collect any execution attempt +of the setfiles command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -51599,7 +51454,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -51609,20 +51464,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lchown system call, run the following command: -
$ sudo grep "lchown" /etc/audit/audit.*
+fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. @@ -51631,60 +51490,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- medium - - - - - - - CCI-000172 - SRG-OS-000471-GPOS-00215 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for privileged activities or other system-level access. - - CCE-89455-0: Ensure auditd Collects Information on the Use of Privileged Commands - kmod - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- Applicable - Configurable - Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "kmod" command with the following command: - -$ sudo auditctl -l | grep kmod - --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -51697,47 +51515,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-80693-5: Record Events that Modify the System's Discretionary Access Controls - lchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
+lchown system call, run the following command: +
$ sudo grep "lchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -51750,28 +51568,44 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-82168-6: Log USBGuard daemon audit events using Linux Audit + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To configure USBGuard daemon to log via Linux Audit -(as opposed directly to a file), -AuditBackend option in /etc/usbguard/usbguard-daemon.conf -needs to be set to LinuxAudit. + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To verify that Linux Audit logging is enabled for the USBGuard daemon, -run the following command: -
$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
-The output should be -
AuditBackend=LinuxAudit
Is it the case that AuditBackend is not set to LinuxAudit? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + +$ sudo auditctl -l | grep /var/log/lastlog + +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - To configure USBGuard daemon to log via Linux Audit -(as opposed directly to a file), -AuditBackend option in /etc/usbguard/usbguard-daemon.conf -needs to be set to LinuxAudit. - low + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
+ medium @@ -51783,71 +51617,45 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80755-2: Record Unsuccessful Access Attempts to Files - open_by_handle_at + CCE-80943-4: Extend Audit Backlog Limit for the Audit Daemon Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open_by_handle_at /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open_by_handle_at /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- medium + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit_backlog_limit=8192, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=8192.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=8192.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+The command should not return any output. Is it the case that audit backlog limit is not configured? + Configure the operating system to generate audit records for privileged activities or other system-level access. + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit_backlog_limit=8192 is added as a kernel command line +argument to newly installed kernels, add audit_backlog_limit=8192 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+ low @@ -51859,7 +51667,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80752-9: Record Unsuccessful Access Attempts to Files - ftruncate + CCE-80754-5: Record Unsuccessful Access Attempts to Files - openat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -51869,66 +51677,66 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the ftruncate system call. + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: -$ sudo grep -r ftruncate /etc/audit/rules.d +$ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: -$ sudo grep ftruncate /etc/audit/audit.rules +$ sudo grep openat /etc/audit/audit.rules The output should be the following: --a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? 
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access medium @@ -51941,76 +51749,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80753-7: Record Unsuccessful Access Attempts to Files - open + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the open system call. - -If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: - -$ sudo grep -r open /etc/audit/rules.d - -If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: - -$ sudo grep open /etc/audit/audit.rules - -The output should be the following: - --a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -52023,7 +51810,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80697-6: Record Events that Modify the System's Discretionary Access Controls - setxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -52033,24 +51820,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+setxattr system call, run the following command: +
$ sudo grep "setxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. @@ -52059,19 +51846,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
medium @@ -52084,39 +51871,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-85944-7: Record Any Attempts to Run ssh-agent + CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-w /etc/sudoers -p wa -k actions
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-agent" command with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: -$ sudo auditctl -l | grep ssh-agent +$ sudo auditctl -l | grep /etc/sudoers --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? +-w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect any execution attempt -of the ssh-agent command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+ At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
+
-w /etc/sudoers -p wa -k actions
medium @@ -52129,7 +51916,105 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr + CCE-80735-4: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "ssh-keysign" command with the following command: + +$ sudo auditctl -l | grep ssh-keysign + +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ medium + + + + + + + CCI-000172 + SRG-OS-000471-GPOS-00215 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for privileged activities or other system-level access. + + CCE-80688-5: Record Events that Modify the System's Discretionary Access Controls - fchmodat + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Applicable - Configurable + Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +
$ sudo grep "fchmodat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium + + + + + + + CCI-000172 + SRG-OS-000471-GPOS-00215 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for privileged activities or other system-level access. + + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -52137,55 +52022,57 @@ At a minimum, the audit system should collect file permission changes for all users and root.

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -removexattr system call, run the following command: -
$ sudo grep "removexattr" /etc/audit/audit.*
+fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect file permission changes for all users and root.

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
medium @@ -52198,39 +52085,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80733-9: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue + CCE-80712-3: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: + +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "postqueue" command with the following command: + To determine if the system is configured to audit calls to the +finit_module system call, run the following command: +
$ sudo grep "finit_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records for privileged activities or other system-level access. + If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -$ sudo auditctl -l | grep postqueue +
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ If the auditd daemon is configured to use the auditctl utility to read audit +rules during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: --a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
medium @@ -52243,45 +52134,77 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-80756-0: Record Unsuccessful Access Attempts to Files - truncate Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? + Verify Red Hat Enterprise Linux 8 generates an audit record for unsuccessful attempts to use the truncate system call. + +If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: + +$ sudo grep -r truncate /etc/audit/rules.d + +If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: + +$ sudo grep truncate /etc/audit/audit.rules + +The output should be the following: + +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
- low + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ medium @@ -52293,7 +52216,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80737-0: Ensure auditd Collects Information on the Use of Privileged Commands - sudo + CCE-86027-0: Ensure auditd Collects Information on the Use of Privileged Commands - usermod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -52303,29 +52226,29 @@ configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "sudo" command with the following command: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "usermod" command with the following command: -$ sudo auditctl -l | grep sudo +$ sudo auditctl -l | grep usermod --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? +-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for privileged activities or other system-level access. At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -52338,43 +52261,39 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80712-3: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + CCE-88437-9: Record Any Attempts to Run setfacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: - -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
- If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: - -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+ At a minimum, the audit system should collect any execution attempt +of the setfacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -finit_module system call, run the following command: -
$ sudo grep "finit_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records for privileged activities or other system-level access. - If the auditd daemon is configured to use the augenrules program -to read audit rules during daemon startup (the default), add the following lines to a file -with suffix .rules in the directory /etc/audit/rules.d to capture kernel module -loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setfacl" command with the following command: -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
- If the auditd daemon is configured to use the auditctl utility to read audit -rules during daemon startup, add the following lines to /etc/audit/audit.rules file -in order to capture kernel module loading and unloading events, setting ARCH to either b32 or -b64 as appropriate for your system: +$ sudo auditctl -l | grep setfacl -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect any execution attempt +of the setfacl command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -52387,43 +52306,92 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + CCE-80685-1: Record Events that Modify the System's Discretionary Access Controls - chmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
+chmod system call, run the following command: +
$ sudo grep "chmod" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ medium + + + + -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + CCI-000172 + SRG-OS-000471-GPOS-00215 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for privileged activities or other system-level access. + CCE-80729-7: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ Applicable - Configurable + Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. + Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "newgrp" command with the following command: + +$ sudo auditctl -l | grep newgrp + +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for privileged activities or other system-level access. + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
medium @@ -52436,39 +52404,63 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80701-6: Record Any Attempts to Run setsebool + CCE-80696-8: Record Events that Modify the System's Discretionary Access Controls - removexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "setsebool" command with the following command: - -$ sudo auditctl -l | grep setsebool - --a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +
$ sudo grep "removexattr" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect any execution attempt -of the setsebool command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+

+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
medium @@ -52481,39 +52473,43 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-90175-1: Ensure auditd Collects System Administrator Actions - /etc/sudoers + CCE-80704-0: Ensure auditd Collects File Deletion Events by User - renameat Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions + At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: - -$ sudo auditctl -l | grep /etc/sudoers - --w /etc/sudoers -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +
$ sudo grep "renameat" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect administrator actions + At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers -p wa -k actions
+augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k actions
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
medium @@ -52571,43 +52567,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for privileged activities or other system-level access. - CCE-80730-5: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check + CCE-80687-7: Record Events that Modify the System's Discretionary Access Controls - fchmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to audit the execution of the "pam_timestamp_check" command with the following command: - -$ sudo auditctl -l | grep pam_timestamp_check - --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +
$ sudo grep "fchmod" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? Configure the operating system to generate audit records for privileged activities or other system-level access. - At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -52656,6 +52656,55 @@
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + medium + + + + + + + CCI-000172 + SRG-OS-000471-GPOS-00216 + TBD - Assigned by DISA after STIG release + The audit system must be configured to audit the loading and unloading of dynamic kernel modules. + + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + Applicable - Configurable + Verify the audit system is configured to audit the loading and unloading of dynamic kernel modules. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the audit system to audit the loading and unloading of dynamic kernel modules. + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. @@ -52762,55 +52811,6 @@ - - CCI-000172 - SRG-OS-000471-GPOS-00216 - TBD - Assigned by DISA after STIG release - The audit system must be configured to audit the loading and unloading of dynamic kernel modules. - - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. - Applicable - Configurable - Verify the audit system is configured to audit the loading and unloading of dynamic kernel modules. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the audit system to audit the loading and unloading of dynamic kernel modules. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. - medium - - - - - @@ -52846,44 +52846,45 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when concurrent logons to the same account occur from different sources. - CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog + CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
+ To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
Applicable - Configurable Verify the operating system generates audit records when concurrent logons to the same account occur from different sources. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: - -$ sudo auditctl -l | grep /var/log/lastlog - --w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes audit=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
+The command should not return any output. Is it the case that auditing is not enabled at boot time? Configure the operating system to generate audit records when concurrent logons to the same account occur from different sources. - The audit system already collects login information for all users -and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d in order to watch for attempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file in order to watch for unattempted manual -edits of files involved in storing logon events: -
-w /var/log/lastlog -p wa -k logins
- medium + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that audit=1 is added as a kernel command line +argument to newly installed kernels, add audit=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ low @@ -52944,45 +52945,44 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when concurrent logons to the same account occur from different sources. - CCE-80825-3: Enable Auditing for Processes Which Start Prior to the Audit Daemon + CCE-80719-8: Record Attempts to Alter Logon and Logout Events - lastlog Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
+ The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
Applicable - Configurable Verify the operating system generates audit records when concurrent logons to the same account occur from different sources. If it does not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes audit=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'
-The command should not return any output. Is it the case that auditing is not enabled at boot time? + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: + +$ sudo auditctl -l | grep /var/log/lastlog + +-w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records when concurrent logons to the same account occur from different sources. - To ensure all processes can be audited, even those which start -prior to the audit daemon, add the argument audit=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that audit=1 is added as a kernel command line -argument to newly installed kernels, add audit=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
- low + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/log/lastlog -p wa -k logins
+ medium @@ -52999,65 +52999,47 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful accesses to objects occur. - CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr + CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful accesses to objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fremovexattr system call, run the following command: -
$ sudo grep "fremovexattr" /etc/audit/audit.*
+chown system call, run the following command: +
$ sudo grep "chown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful accesses to objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -53070,55 +53052,65 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful accesses to objects occur. - CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr + CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful accesses to objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lsetxattr system call, run the following command: -
$ sudo grep "lsetxattr" /etc/audit/audit.*
+lremovexattr system call, run the following command: +
$ sudo grep "lremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful accesses to objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
medium @@ -53131,65 +53123,53 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful accesses to objects occur. - CCE-80694-3: Record Events that Modify the System's Discretionary Access Controls - lremovexattr + CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful accesses to objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -lremovexattr system call, run the following command: -
$ sudo grep "lremovexattr" /etc/audit/audit.*
+fchown system call, run the following command: +
$ sudo grep "fchown" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful accesses to objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
medium @@ -53255,7 +53235,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful accesses to objects occur. - CCE-80689-3: Record Events that Modify the System's Discretionary Access Controls - fchown + CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -53265,23 +53245,24 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful accesses to objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fchown system call, run the following command: -
$ sudo grep "fchown" /etc/audit/audit.*
+fsetxattr system call, run the following command: +
$ sudo grep "fsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful accesses to objects occur. @@ -53290,18 +53271,19 @@ to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
- +
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
medium @@ -53367,47 +53349,55 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful accesses to objects occur. - CCE-80686-9: Record Events that Modify the System's Discretionary Access Controls - chown + CCE-80695-0: Record Events that Modify the System's Discretionary Access Controls - lsetxattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful accesses to objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -chown system call, run the following command: -
$ sudo grep "chown" /etc/audit/audit.*
+lsetxattr system call, run the following command: +
$ sudo grep "lsetxattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful accesses to objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+changes for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
medium @@ -53420,55 +53410,65 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records when successful/unsuccessful accesses to objects occur. - CCE-80692-7: Record Events that Modify the System's Discretionary Access Controls - fsetxattr + CCE-80691-9: Record Events that Modify the System's Discretionary Access Controls - fremovexattr Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Applicable - Configurable Verify the operating system generates audit records when successful/unsuccessful accesses to objects occur. If it does not, this is a finding. To determine if the system is configured to audit calls to the -fsetxattr system call, run the following command: -
$ sudo grep "fsetxattr" /etc/audit/audit.*
+fremovexattr system call, run the following command: +
$ sudo grep "fremovexattr" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Configure the operating system to generate audit records when successful/unsuccessful accesses to objects occur. At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +changes for all users and root. +

+If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+

If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
medium @@ -53549,6 +53549,29 @@ + + CCI-000172 + SRG-OS-000475-GPOS-00220 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for all direct access to the information system. + + CCE-81043-2: Ensure the audit Subsystem is Installed + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + The audit package should be installed. + Applicable - Configurable + Verify the operating system generates audit records for all direct access to the information system. If it does not, this is a finding. + Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? + Configure the operating system to generate audit records for all direct access to the information system. + The audit package should be installed. + medium + + + + + CCI-000172 SRG-OS-000475-GPOS-00220 @@ -53623,155 +53646,34 @@ the Linux Auditing System, as it is responsible for writing audit records to disk. -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
- Applicable - Configurable - Verify the operating system generates audit records for all direct access to the information system. If it does not, this is a finding. - - -Run the following command to determine the current status of the -auditd service: -
$ sudo systemctl is-active auditd
-If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? - Configure the operating system to generate audit records for all direct access to the information system. - The auditd service is an essential userspace component of -the Linux Auditing System, as it is responsible for writing audit records to -disk. - -The auditd service can be enabled with the following command: -
$ sudo systemctl enable auditd.service
- medium - - - - - - - CCI-000172 - SRG-OS-000475-GPOS-00220 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for all direct access to the information system. - - CCE-81043-2: Ensure the audit Subsystem is Installed - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - The audit package should be installed. - Applicable - Configurable - Verify the operating system generates audit records for all direct access to the information system. If it does not, this is a finding. - Run the following command to determine if the audit package is installed:
$ rpm -q audit
Is it the case that the audit package is not installed? - Configure the operating system to generate audit records for all direct access to the information system. - The audit package should be installed. - medium - - - - - - - - - - - - CCI-000172 - SRG-OS-000476-GPOS-00221 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for all account creations, modifications, disabling, and termination events. - - CCE-80758-6: Record Events that Modify User/Group Information - /etc/group - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
- Applicable - Configurable - Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: - -$ sudo auditctl -l | grep -E '(/etc/group)' - --w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events. - If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/group -p wa -k audit_rules_usergroup_modification
- medium - - - - - - - CCI-000172 - SRG-OS-000476-GPOS-00221 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for all account creations, modifications, disabling, and termination events. - - CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ - - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter). - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
Applicable - Configurable - Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify the operating system generates audit records for all direct access to the information system. If it does not, this is a finding. + -$ sudo auditctl -l | grep/etc/sudoers.d +Run the following command to determine the current status of the +auditd service: +
$ sudo systemctl is-active auditd
+If the service is running, it should return the following:
active
Is it the case that the auditd service is not running? + Configure the operating system to generate audit records for all direct access to the information system. + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. --w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? - Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events. - At a minimum, the audit system should collect administrator actions -for all users and root. If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/sudoers.d/ -p wa -k actions
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/sudoers.d/ -p wa -k actions
+The auditd service can be enabled with the following command: +
$ sudo systemctl enable auditd.service
medium + + + + + CCI-000172 SRG-OS-000476-GPOS-00221 @@ -53884,7 +53786,7 @@ TBD - Assigned by DISA after STIG release The operating system must generate audit records for all account creations, modifications, disabling, and termination events. - CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + CCE-80758-6: Record Events that Modify User/Group Information - /etc/group Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -53895,21 +53797,21 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
Applicable - Configurable Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events. If it does not, this is a finding. - Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: -$ sudo auditctl -l | grep -E '(/etc/shadow)' +$ sudo auditctl -l | grep -E '(/etc/group)' --w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? +-w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the @@ -53917,14 +53819,14 @@ directory /etc/audit/rules.d, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+
-w /etc/group -p wa -k audit_rules_usergroup_modification
medium @@ -53986,6 +53888,104 @@ + + CCI-000172 + SRG-OS-000476-GPOS-00221 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for all account creations, modifications, disabling, and termination events. + + CCE-80762-8: Record Events that Modify User/Group Information - /etc/shadow + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+ Applicable - Configurable + Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: + +$ sudo auditctl -l | grep -E '(/etc/shadow)' + +-w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events. + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+

+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +

+
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+ medium + + + + + + + CCI-000172 + SRG-OS-000476-GPOS-00221 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for all account creations, modifications, disabling, and termination events. + + CCE-89497-2: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
+ Applicable - Configurable + Verify the operating system generates audit records for all account creations, modifications, disabling, and termination events. If it does not, this is a finding. + Verify Red Hat Enterprise Linux 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + +$ sudo auditctl -l | grep/etc/sudoers.d + +-w /etc/sudoers.d/ -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? + Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events. + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +
-w /etc/sudoers.d/ -p wa -k actions
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-w /etc/sudoers.d/ -p wa -k actions
+ medium + + + + + CCI-000172 SRG-OS-000476-GPOS-00221 @@ -54073,6 +54073,55 @@
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
+Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + medium + + + + + + + CCI-000172 + SRG-OS-000477-GPOS-00222 + TBD - Assigned by DISA after STIG release + The operating system must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. + + CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module + + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter). + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + Applicable - Configurable + Verify the operating system generates audit records for all kernel module load, unload, and restart actions, and also for all program initiations. If it does not, this is a finding. + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +
$ sudo grep "init_module" /etc/audit/audit.*
+If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + Configure the operating system to generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. @@ -54179,60 +54228,41 @@ - - CCI-000172 - SRG-OS-000477-GPOS-00222 - TBD - Assigned by DISA after STIG release - The operating system must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. - CCE-80713-1: Ensure auditd Collects Information on Kernel Module Loading - init_module - Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -Audit records can be generated from various components within the information system (e.g., module or policy filter). - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
+ + CCI-002450 + SRG-OS-000478-GPOS-00223 + TBD - Assigned by DISA after STIG release + The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. + CCE-82155-3: Enable Dracut FIPS Module -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
+To enable FIPS, the system requires that the fips module is added in dracut configuration. +Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " Applicable - Configurable - Verify the operating system generates audit records for all kernel module load, unload, and restart actions, and also for all program initiations. If it does not, this is a finding. - To determine if the system is configured to audit calls to the -init_module system call, run the following command: -
$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line. - Is it the case that no line is returned? - Configure the operating system to generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. - To capture kernel module loading events, use following line, setting ARCH to -either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: - -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- - -Place to add the line depends on a way auditd daemon is configured. If it is configured -to use the augenrules program (the default), add the line to a file with suffix -.rules in the directory /etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl utility, -add the line to file /etc/audit/audit.rules. - medium + Verify the operating system implements NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. If it does not, this is a finding. + To verify that the Dracut FIPS module is enabled, run the following command: +grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf +The output should look like this: +add_dracutmodules+=" fips " Is it the case that the Dracut FIPS module is not enabled? + Configure the operating system to implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
+To enable FIPS, the system requires that the fips module is added in dracut configuration. +Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " + high - - - - - CCI-002450 SRG-OS-000478-GPOS-00223 @@ -54271,36 +54301,6 @@ - - CCI-002450 - SRG-OS-000478-GPOS-00223 - TBD - Assigned by DISA after STIG release - The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - - CCE-82155-3: Enable Dracut FIPS Module - - Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - To enable FIPS mode, run the following command: -
fips-mode-setup --enable
-To enable FIPS, the system requires that the fips module is added in dracut configuration. -Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " - Applicable - Configurable - Verify the operating system implements NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. If it does not, this is a finding. - To verify that the Dracut FIPS module is enabled, run the following command: -grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf -The output should look like this: -add_dracutmodules+=" fips " Is it the case that the Dracut FIPS module is not enabled? - Configure the operating system to implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - To enable FIPS mode, run the following command: -
fips-mode-setup --enable
-To enable FIPS, the system requires that the fips module is added in dracut configuration. -Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " - high - - - - - CCI-002450 SRG-OS-000478-GPOS-00223 @@ -54362,7 +54362,7 @@ TBD - Assigned by DISA after STIG release The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. - CCE-86339-9: Ensure Rsyslog Authenticates Off-Loaded Audit Records + CCE-86098-1: Ensure Rsyslog Encrypts Off-Loaded Audit Records Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -54373,14 +54373,17 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs the remote system must be authenticated. +When using rsyslogd to off-load logs off a encrpytion system must be used. Applicable - Configurable Verify the operating system, at a minimum, off-loads interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. - Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: + Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: -
$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-The output should be -
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? +
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+ +The output should be: + +
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? Configure the operating system to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local @@ -54388,7 +54391,7 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs the remote system must be authenticated. +When using rsyslogd to off-load logs off a encrpytion system must be used. medium @@ -54401,17 +54404,66 @@ TBD - Assigned by DISA after STIG release The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. - CCE-80847-7: Ensure rsyslog is Installed + CCE-80863-4: Ensure Logs Sent To Remote Host Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. - Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
+ To configure rsyslog to send logs to a remote log server, +open /etc/rsyslog.conf and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting appropriately. +The choice of protocol depends on the environment of the system; +although TCP and RELP provide more reliable message delivery, +they may not be supported in all environments. +
+To use UDP for log message delivery: +
*.* @
+
+To use TCP for log message delivery: +
*.* @@
+
+To use RELP for log message delivery: +
*.* :omrelp:
+
+There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. Applicable - Configurable Verify the operating system, at a minimum, off-loads interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. - Run the following command to determine if the rsyslog package is installed:
$ rpm -q rsyslog
Is it the case that the package is not installed? + To ensure logs are sent to a remote host, examine the file +/etc/rsyslog.conf. +If using UDP, a line similar to the following should be present: +
 *.* @
+If using TCP, a line similar to the following should be present: +
 *.* @@
+If using RELP, a line similar to the following should be present: +
 *.* :omrelp:
Is it the case that no evidence that the audit logs are being off-loaded to another system or media? Configure the operating system to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. - Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
+ To configure rsyslog to send logs to a remote log server, +open /etc/rsyslog.conf and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting appropriately. +The choice of protocol depends on the environment of the system; +although TCP and RELP provide more reliable message delivery, +they may not be supported in all environments. +
+To use UDP for log message delivery: +
*.* @
+
+To use TCP for log message delivery: +
*.* @@
+
+To use RELP for log message delivery: +
*.* :omrelp:
+
+There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. medium @@ -54424,36 +54476,51 @@ TBD - Assigned by DISA after STIG release The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. - CCE-85992-6: Ensure Rsyslog Encrypts Off-Loaded Audit Records + CCE-85889-4: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. - Rsyslogd is a system utility providing support for message logging. Support -for both internet and UNIX domain sockets enables this utility to support both local -and remote logging. Couple this utility with gnutls (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to securely -encrypt and off-load auditing. - -When using rsyslogd to off-load logs off an encryption system must be used. + The audit system should have an action setup in the event the internal event queue becomes full. +To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action +to one of the following values: syslog, single, halt. Applicable - Configurable Verify the operating system, at a minimum, off-loads interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: - -
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+ Verify the audit system is configured to take an appropriate action when the internal event queue is full: +
$ sudo grep -i overflow_action /etc/audit/auditd.conf
-The output should be: +The output should contain overflow_action = syslog -
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? +If the value of the "overflow_action" option is not set to syslog, +single, halt or the line is commented out, ask the System Administrator +to indicate how the audit logs are off-loaded to a different system or media. Is it the case that auditd overflow action is not set correctly? Configure the operating system to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. - Rsyslogd is a system utility providing support for message logging. Support -for both internet and UNIX domain sockets enables this utility to support both local -and remote logging. Couple this utility with gnutls (which is a secure communications -library implementing the SSL, TLS and DTLS protocols), and you have a method to securely -encrypt and off-load auditing. + The audit system should have an action setup in the event the internal event queue becomes full. +To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action +to one of the following values: syslog, single, halt. + medium + + + + -When using rsyslogd to off-load logs off an encryption system must be used. + + CCI-001851 + SRG-OS-000479-GPOS-00224 + TBD - Assigned by DISA after STIG release + The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. + + CCE-80847-7: Ensure rsyslog is Installed + + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. + Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
+ Applicable - Configurable + Verify the operating system, at a minimum, off-loads interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. + Run the following command to determine if the rsyslog package is installed:
$ rpm -q rsyslog
Is it the case that the package is not installed? + Configure the operating system to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. + Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
medium @@ -54499,7 +54566,7 @@ TBD - Assigned by DISA after STIG release The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. - CCE-86098-1: Ensure Rsyslog Encrypts Off-Loaded Audit Records + CCE-86339-9: Ensure Rsyslog Authenticates Off-Loaded Audit Records Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -54510,17 +54577,14 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs off a encrpytion system must be used. +When using rsyslogd to off-load logs the remote system must be authenticated. Applicable - Configurable Verify the operating system, at a minimum, off-loads interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. - Verify the operating system encrypts audit records off-loaded onto a different system -or media from the system being audited with the following commands: - -
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
- -The output should be: + Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: -
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1? +
$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+The output should be +
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name? Configure the operating system to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local @@ -54528,7 +54592,7 @@ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. -When using rsyslogd to off-load logs off a encrpytion system must be used. +When using rsyslogd to off-load logs the remote system must be authenticated. medium @@ -54541,100 +54605,36 @@ TBD - Assigned by DISA after STIG release The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. - CCE-80863-4: Ensure Logs Sent To Remote Host + CCE-85992-6: Ensure Rsyslog Encrypts Off-Loaded Audit Records Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. - To configure rsyslog to send logs to a remote log server, -open /etc/rsyslog.conf and read and understand the last section of the file, -which describes the multiple directives necessary to activate remote -logging. -Along with these other directives, the system can be configured -to forward its logs to a particular log server by -adding or correcting one of the following lines, -substituting appropriately. -The choice of protocol depends on the environment of the system; -although TCP and RELP provide more reliable message delivery, -they may not be supported in all environments. -
-To use UDP for log message delivery: -
*.* @
-
-To use TCP for log message delivery: -
*.* @@
-
-To use RELP for log message delivery: -
*.* :omrelp:
-
-There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. - Applicable - Configurable - Verify the operating system, at a minimum, off-loads interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. - To ensure logs are sent to a remote host, examine the file -/etc/rsyslog.conf. -If using UDP, a line similar to the following should be present: -
 *.* @
-If using TCP, a line similar to the following should be present: -
 *.* @@
-If using RELP, a line similar to the following should be present: -
 *.* :omrelp:
Is it the case that no evidence that the audit logs are being off-loaded to another system or media? - Configure the operating system to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. - To configure rsyslog to send logs to a remote log server, -open /etc/rsyslog.conf and read and understand the last section of the file, -which describes the multiple directives necessary to activate remote -logging. -Along with these other directives, the system can be configured -to forward its logs to a particular log server by -adding or correcting one of the following lines, -substituting appropriately. -The choice of protocol depends on the environment of the system; -although TCP and RELP provide more reliable message delivery, -they may not be supported in all environments. -
-To use UDP for log message delivery: -
*.* @
-
-To use TCP for log message delivery: -
*.* @@
-
-To use RELP for log message delivery: -
*.* :omrelp:
-
-There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. - medium - - - - - - - CCI-001851 - SRG-OS-000479-GPOS-00224 - TBD - Assigned by DISA after STIG release - The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. - - CCE-85889-4: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - - Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + Rsyslogd is a system utility providing support for message logging. Support +for both internet and UNIX domain sockets enables this utility to support both local +and remote logging. Couple this utility with gnutls (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to securely +encrypt and off-load auditing. -Off-loading is a common process in information systems with limited audit storage capacity. - The audit system should have an action setup in the event the internal event queue becomes full. -To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action -to one of the following values: syslog, single, halt. +When using rsyslogd to off-load logs off an encryption system must be used. Applicable - Configurable Verify the operating system, at a minimum, off-loads interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. - Verify the audit system is configured to take an appropriate action when the internal event queue is full: -
$ sudo grep -i overflow_action /etc/audit/auditd.conf
+ Verify the operating system encrypts audit records off-loaded onto a different system +or media from the system being audited with the following commands: -The output should contain overflow_action = syslog +
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-If the value of the "overflow_action" option is not set to syslog, -single, halt or the line is commented out, ask the System Administrator -to indicate how the audit logs are off-loaded to a different system or media. Is it the case that auditd overflow action is not set correctly? +The output should be: + +
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls? Configure the operating system to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. - The audit system should have an action setup in the event the internal event queue becomes full. -To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action -to one of the following values: syslog, single, halt. + Rsyslogd is a system utility providing support for message logging. Support +for both internet and UNIX domain sockets enables this utility to support both local +and remote logging. Couple this utility with gnutls (which is a secure communications +library implementing the SSL, TLS and DTLS protocols), and you have a method to securely +encrypt and off-load auditing. + +When using rsyslogd to off-load logs off an encryption system must be used. medium 
@@ -54717,26 +54717,33 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80877-4: Verify firewalld Enabled + CCE-80664-6: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - -The firewalld service can be enabled with the following command: -
$ sudo systemctl enable firewalld.service
+ To configure the number of retry prompts that are permitted per-session: + +Edit the /etc/security/pwquality.conf to include + +retry=, or a lower value if site +policy is more restrictive. The DoD requirement is a maximum of 3 prompts +per session. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - + Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . -Run the following command to determine the current status of the -firewalld service: -
$ sudo systemctl is-active firewalld
-If the service is running, it should return the following:
active
Is it the case that the "firewalld" service is disabled, masked, or not started.? + +Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: +
$ grep retry /etc/security/pwquality.conf
Is it the case that the value of "retry" is set to "0" or greater than "", or is missing? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - -The firewalld service can be enabled with the following command: -
$ sudo systemctl enable firewalld.service
+ To configure the number of retry prompts that are permitted per-session: + +Edit the /etc/security/pwquality.conf to include + +retry=, or a lower value if site +policy is more restrictive. The DoD requirement is a maximum of 3 prompts +per session. medium @@ -54749,21 +54756,22 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82998-6: Install firewalld Package + CCE-82943-2: Uninstall gssproxy Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The firewalld package can be installed with the following command: + The gssproxy package can be removed with the following command:
-$ sudo yum install firewalld
+$ sudo yum erase gssproxy Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? + Run the following command to determine if the gssproxy package is installed: +
$ rpm -q gssproxy
Is it the case that the package is installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The firewalld package can be installed with the following command: + The gssproxy package can be removed with the following command:
-$ sudo yum install firewalld
+$ sudo yum erase gssproxy medium @@ -54776,57 +54784,118 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80876-6: Disable debug-shell SystemD Service + CCE-80944-2: Enable page allocator poisoning Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - SystemD's debug-shell service is intended to -diagnose SystemD related boot issues with various systemctl -commands. Once enabled and following a system reboot, the root shell -will be available on tty9 which is access by pressing -CTRL-ALT-F9. The debug-shell service should only be used -for SystemD related issues and should otherwise be disabled. -

-By default, the debug-shell SystemD service is already disabled. + To enable poisoning of free pages, +add the argument page_poison=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that page_poison=1 is added as a kernel command line +argument to newly installed kernels, add page_poison=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
+ Applicable - Configurable + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes page_poison=1, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'
+The command should not return any output. Is it the case that page allocator poisoning is not enabled? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + To enable poisoning of free pages, +add the argument page_poison=1 to the default +GRUB 2 command line for the Linux operating system. +To ensure that page_poison=1 is added as a kernel command line +argument to newly installed kernels, add page_poison=1 to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
+ medium + + + + -The debug-shell service can be disabled with the following command: -
$ sudo systemctl mask --now debug-shell.service
+ + CCI-000366 + SRG-OS-000480-GPOS-00227 + TBD - Assigned by DISA after STIG release + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + + CCE-82428-4: Verify Permissions on SSH Server Public *.pub Key Files + + Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To check that the debug-shell service is disabled in system boot configuration, -run the following command: -
$ sudo systemctl is-enabled debug-shell
-Output should indicate the debug-shell service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -
$ sudo systemctl is-enabled debug-shell
disabled
+ To check the permissions of /etc/ssh/*.pub, +run the command: +
$ ls -l /etc/ssh/*.pub
+If properly configured, the output should indicate the following permissions: +-rw-r--r-- Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
+ medium + + + + -Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration: -
$ sudo systemctl is-active debug-shell
+ + CCI-000366 + SRG-OS-000480-GPOS-00227 + TBD - Assigned by DISA after STIG release + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. -If the service is not running the command will return the following output: -
inactive
+ CCE-82177-7: Force frequent session key renegotiation -The service will also be masked, to check that the debug-shell is masked, run the following command: -
$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState"
+ Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. -If the service is masked the command will return the following outputs: +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + The RekeyLimit parameter specifies how often +the session key of the is renegotiated, both in terms of +amount of data that may be transmitted and the time +elapsed.
+To decrease the default limits, add or correct the following line in -
LoadState=masked
-
UnitFileState=masked
Is it the case that the "debug-shell" is loaded and not masked? +/etc/ssh/sshd_config: + +
RekeyLimit  
+ Applicable - Configurable + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + To check if RekeyLimit is set correctly, run the +following command: + +
$ sudo grep RekeyLimit /etc/ssh/sshd_config
+ +If configured properly, output should be +
RekeyLimit  
Is it the case that it is commented out or is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - SystemD's debug-shell service is intended to -diagnose SystemD related boot issues with various systemctl -commands. Once enabled and following a system reboot, the root shell -will be available on tty9 which is access by pressing -CTRL-ALT-F9. The debug-shell service should only be used -for SystemD related issues and should otherwise be disabled. -

-By default, the debug-shell SystemD service is already disabled. + The RekeyLimit parameter specifies how often +the session key of the is renegotiated, both in terms of +amount of data that may be transmitted and the time +elapsed.
+To decrease the default limits, add or correct the following line in -The debug-shell service can be disabled with the following command: -
$ sudo systemctl mask --now debug-shell.service
+ +/etc/ssh/sshd_config: + +
RekeyLimit  
medium @@ -54839,48 +54908,62 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-86195-5: Disable the GNOME3 Login User List + CCE-84049-6: Configure Multiple DNS Servers in /etc/resolv.conf Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - In the default graphical environment, users logging directly into the -system are greeted with a login screen that displays all known users. -This functionality should be disabled by setting disable-user-list -to true. -

-To disable, add or edit disable-user-list to -/etc/dconf/db/gdm.d/00-security-settings. For example: -
[org/gnome/login-screen]
-disable-user-list=true
-Once the setting has been added, add a lock to -/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent -user modification. For example: -
/org/gnome/login-screen/disable-user-list
-After the settings have been set, run dconf update. + +Determine whether the system is using local or DNS name resolution with the +following command: +
$ sudo grep hosts /etc/nsswitch.conf
+hosts: files dns
+If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" +file, the "/etc/resolv.conf" file must be empty. +Verify the "/etc/resolv.conf" file is empty with the following command: +
$ sudo ls -al /etc/resolv.conf
+-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
+If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, +then verify the following:
+ +Multiple Domain Name System (DNS) Servers should be configured +in /etc/resolv.conf. This provides redundant name resolution services +in the event that a domain server crashes. To configure the system to contain +as least 2 DNS servers, add a corresponding nameserver +ip_address entry in /etc/resolv.conf for each DNS +server where ip_address is the IP address of a valid DNS server. +For example: +
search example.com
+nameserver 192.168.0.1
+nameserver 192.168.0.2
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To ensure the user list is disabled, run the following command: -
$ grep disable-user-list /etc/dconf/db/gdm.d/*
-The output should be true. -To ensure that users cannot enable displaying the user list, run the following: -
$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
-If properly configured, the output should be /org/gnome/login-screen/disable-user-list Is it the case that disable-user-list has not been configured or is not disabled? + Verify that DNS servers have been configured properly, perform the following: +
$ sudo grep nameserver /etc/resolv.conf
Is it the case that less than two lines are returned that are not commented out? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - In the default graphical environment, users logging directly into the -system are greeted with a login screen that displays all known users. -This functionality should be disabled by setting disable-user-list -to true. -

-To disable, add or edit disable-user-list to -/etc/dconf/db/gdm.d/00-security-settings. For example: -
[org/gnome/login-screen]
-disable-user-list=true
-Once the setting has been added, add a lock to -/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent -user modification. For example: -
/org/gnome/login-screen/disable-user-list
-After the settings have been set, run dconf update. + +Determine whether the system is using local or DNS name resolution with the +following command: +
$ sudo grep hosts /etc/nsswitch.conf
+hosts: files dns
+If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" +file, the "/etc/resolv.conf" file must be empty. +Verify the "/etc/resolv.conf" file is empty with the following command: +
$ sudo ls -al /etc/resolv.conf
+-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
+If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, +then verify the following:
+ +Multiple Domain Name System (DNS) Servers should be configured +in /etc/resolv.conf. This provides redundant name resolution services +in the event that a domain server crashes. To configure the system to contain +as least 2 DNS servers, add a corresponding nameserver +ip_address entry in /etc/resolv.conf for each DNS +server where ip_address is the IP address of a valid DNS server. +For example: +
search example.com
+nameserver 192.168.0.1
+nameserver 192.168.0.2
medium @@ -54893,21 +54976,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82428-4: Verify Permissions on SSH Server Public *.pub Key Files + CCE-82233-8: Include Local Events in Audit Logs Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
+ To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To check the permissions of /etc/ssh/*.pub, -run the command: -
$ ls -l /etc/ssh/*.pub
-If properly configured, the output should indicate the following permissions: --rw-r--r-- Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? + To verify that Audit Daemon is configured to include local events, run the +following command: +
$ sudo grep local_events /etc/audit/auditd.conf
+The output should return the following: +
local_events = yes
Is it the case that local_events isn't set to yes? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
+ To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting. medium 
@@ -54920,22 +55007,56 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82968-9: Install rng-tools Package + CCE-83375-6: Ensure All World-Writable Directories Are Owned by root User Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The rng-tools package can be installed with the following command: + All directories in local partitions which are world-writable should be owned by root. +If any world-writable directories are not owned by root, this should be investigated. +Following this, the files should be deleted or assigned to root user. + Applicable - Configurable + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + The following command will discover and print world-writable directories that +are not owned by root. 
Run it once for each local partition PART: +
$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print
Is it the case that there are world-writable directories not owned by root? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + All directories in local partitions which are world-writable should be owned by root. +If any world-writable directories are not owned by root, this should be investigated. +Following this, the files should be deleted or assigned to root user. + medium + + + + + + + CCI-000366 + SRG-OS-000480-GPOS-00227 + TBD - Assigned by DISA after STIG release + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + + CCE-81039-0: Uninstall Sendmail Package + + Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command:
-$ sudo yum install rng-tools
+$ sudo yum erase sendmail Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the rng-tools package is installed:
$ rpm -q rng-tools
Is it the case that the package is not installed? + Run the following command to determine if the sendmail package is installed: +
$ rpm -q sendmail
Is it the case that the package is installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The rng-tools package can be installed with the following command: + Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command:
-$ sudo yum install rng-tools
- low +$ sudo yum erase sendmail + medium 
@@ -54976,37 +55097,44 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82744-4: Add nosuid Option to Removable Media Partitions + CCE-80946-7: Disable vsyscalls Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The nosuid mount option prevents set-user-identifier (SUID) -and set-group-identifier (SGID) permissions from taking effect. These permissions -allow users to execute binaries with the same permissions as the owner and group -of the file respectively. Users should not be allowed to introduce SUID and SGID -files into the system via partitions mounted from removeable media. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions. + To disable use of virtual syscalls, +add the argument vsyscall=none to the default +GRUB 2 command line for the Linux operating system. 
+To ensure that vsyscall=none is added as a kernel command line +argument to newly installed kernels, add vsyscall=none to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: - -$ sudo more /etc/fstab - -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set? + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes vsyscall=none, +then the parameter will be configured for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none'
+The command should not return any output. Is it the case that vsyscalls are enabled? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The nosuid mount option prevents set-user-identifier (SUID) -and set-group-identifier (SGID) permissions from taking effect. These permissions -allow users to execute binaries with the same permissions as the owner and group -of the file respectively. Users should not be allowed to introduce SUID and SGID -files into the system via partitions mounted from removeable media. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions. + To disable use of virtual syscalls, +add the argument vsyscall=none to the default +GRUB 2 command line for the Linux operating system. +To ensure that vsyscall=none is added as a kernel command line +argument to newly installed kernels, add vsyscall=none to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
+Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
medium @@ -55019,34 +55147,70 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82069-6: Add nodev Option to Non-Root Local Partitions + CCE-85953-8: Ensure There Are No Accounts With Blank or Null Passwords Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The nodev mount option prevents files from being interpreted as -character or block devices. Legitimate character and block devices should -exist only in the /dev directory on the root partition or within -chroot jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of - - any non-root local partitions. + Check the "/etc/shadow" file for blank passwords with the +following command: +
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
+If the command returns any results, this is a finding. +Configure all accounts on the system to have a password or lock +the account with the following commands: +Perform a password reset: +
$ sudo passwd [username]
+Lock an account: +
$ sudo passwd -l [username]
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify the nodev option is configured for non-root local partitions, run the following command: -
$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
-The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. - Is it the case that some mounts appear among output lines? + To verify that null passwords cannot be used, run the following command: +
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
+If this produces any output, it may be possible to log into accounts +with empty passwords. Is it the case that Blank or NULL passwords can be used? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The nodev mount option prevents files from being interpreted as -character or block devices. Legitimate character and block devices should -exist only in the /dev directory on the root partition or within -chroot jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of + Check the "/etc/shadow" file for blank passwords with the +following command: +
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
+If the command returns any results, this is a finding. +Configure all accounts on the system to have a password or lock +the account with the following commands: +Perform a password reset: +
$ sudo passwd [username]
+Lock an account: +
$ sudo passwd -l [username]
+ high + + + + - any non-root local partitions. + + CCI-000366 + SRG-OS-000480-GPOS-00227 + TBD - Assigned by DISA after STIG release + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + + CCE-85872-0: Ensure PAM password complexity module is enabled in system-auth + + Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + To enable PAM password complexity in system-auth file: +Edit the password section in +/etc/pam.d/system-auth to show +password requisite pam_pwquality.so. + Applicable - Configurable + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + To check if pam_pwquality.so is enabled in system-auth, run the following command: +
$ grep pam_pwquality /etc/pam.d/system-auth
+The output should be similar to the following: +
password requisite pam_pwquality.so
Is it the case that pam_pwquality.so is not enabled in system-auth? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + To enable PAM password complexity in system-auth file: +Edit the password section in +/etc/pam.d/system-auth to show +password requisite pam_pwquality.so. medium @@ -55059,23 +55223,66 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81009-3: Disable Accepting ICMP Redirects for All IPv6 Interfaces + CCE-80863-4: Ensure Logs Sent To Remote Host Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
+ To configure rsyslog to send logs to a remote log server, +open /etc/rsyslog.conf and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting appropriately. +The choice of protocol depends on the environment of the system; +although TCP and RELP provide more reliable message delivery, +they may not be supported in all environments. +
+To use UDP for log message delivery: +
*.* @
+
+To use TCP for log message delivery: +
*.* @@
+
+To use RELP for log message delivery: +
*.* :omrelp:
+
+There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv6.conf.all.accept_redirects
-0. - Is it the case that the correct value is not returned? + To ensure logs are sent to a remote host, examine the file +/etc/rsyslog.conf. +If using UDP, a line similar to the following should be present: +
 *.* @
+If using TCP, a line similar to the following should be present: +
 *.* @@
+If using RELP, a line similar to the following should be present: +
 *.* :omrelp:
Is it the case that no evidence that the audit logs are being off-loaded to another system or media? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
+ To configure rsyslog to send logs to a remote log server, +open /etc/rsyslog.conf and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting appropriately. +The choice of protocol depends on the environment of the system; +although TCP and RELP provide more reliable message delivery, +they may not be supported in all environments. +
+To use UDP for log message delivery: +
*.* @
+
+To use TCP for log message delivery: +
*.* @@
+
+To use RELP for log message delivery: +
*.* :omrelp:
+
+There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. medium 
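Review bot: the remote-logging hunk (CCE-80863-4) has lost its log-server placeholder, so the fix text is not actionable as rendered: the lines read `*.* @`, `*.* @@` and `*.* :omrelp:` with nothing after the selector, and the closing sentence says the DNS CNAME or Alias must be set to `""`. The same empty value appears in the check text ("a line similar to the following should be present: *.* @"), so neither the fix nor the check tells the reader what to substitute. The variable for the remote log host should render as a visible placeholder in all six occurrences before this is published. Also, the check question asks whether "the audit logs are being off-loaded" while the rule and its commands are about rsyslog forwarding; align the wording so the question matches what the check actually inspects.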
@@ -55088,28 +55295,29 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82881-4: Disable acquiring, saving, and processing core dumps + CCE-82251-0: Disable core dump backtraces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The systemd-coredump.socket unit is a socket activation of -the systemd-coredump@.service which processes core dumps. -By masking the unit, core dump processing is disabled. + The ProcessSizeMax option in [Coredump] section +of /etc/systemd/coredump.conf +specifies the maximum size in bytes of a core which will be processed. +Core dumps exceeding this size may be stored, but the backtrace will not +be generated. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. 
- To verify that acquiring, saving, and processing core dumps is disabled, run the -following command: -
$ systemctl status systemd-coredump.socket
-The output should be similar to: -
● systemd-coredump.socket
-   Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
-   Active: inactive (dead) ...
-
Is it the case that unit systemd-coredump.socket is not masked or running? + Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command: + +
$ grep -i process /etc/systemd/coredump.conf
+
+ProcessSizeMax=0
Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The systemd-coredump.socket unit is a socket activation of -the systemd-coredump@.service which processes core dumps. -By masking the unit, core dump processing is disabled. + The ProcessSizeMax option in [Coredump] section +of /etc/systemd/coredump.conf +specifies the maximum size in bytes of a core which will be processed. +Core dumps exceeding this size may be stored, but the backtrace will not +be generated. medium 
@@ -55122,28 +55330,45 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80886-5: Enable rsyslog Service + CCE-84058-7: Prevent remote hosts from connecting to the proxy display Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8. + The SSH daemon should prevent remote hosts from connecting to the proxy +display. +
+The default SSH configuration for X11UseLocalhost is yes, +which prevents remote hosts from connecting to the proxy display. +
+To explicitly prevent remote connections to the proxy display, add or correct +the following line in -The rsyslog service can be enabled with the following command: -
$ sudo systemctl enable rsyslog.service
+ +/etc/ssh/sshd_config: + +X11UseLocalhost yes Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - + To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: -Run the following command to determine the current status of the -rsyslog service: -
$ sudo systemctl is-active rsyslog
-If the service is running, it should return the following:
active
Is it the case that the "rsyslog" service is disabled, masked, or not started.? +
$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config
+ +If a line indicating yes is returned, then the required value is set. Is it the case that the display proxy is listening on wildcard address? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8. + The SSH daemon should prevent remote hosts from connecting to the proxy +display. +
+The default SSH configuration for X11UseLocalhost is yes, +which prevents remote hosts from connecting to the proxy display. +
+To explicitly prevent remote connections to the proxy display, add or correct +the following line in -The rsyslog service can be enabled with the following command: -
$ sudo systemctl enable rsyslog.service
+ +/etc/ssh/sshd_config: + +X11UseLocalhost yes medium @@ -55156,26 +55381,34 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82859-0: Ensure rsyslog-gnutls is installed + CCE-82069-6: Add nodev Option to Non-Root Local Partitions Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - TLS protocol support for rsyslog is installed. + The nodev mount option prevents files from being interpreted as +character or block devices. Legitimate character and block devices should +exist only in the /dev directory on the root partition or within +chroot jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of -The rsyslog-gnutls package can be installed with the following command: -
-$ sudo yum install rsyslog-gnutls
+ any non-root local partitions. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the rsyslog-gnutls package is installed: -
$ rpm -q rsyslog-gnutls
Is it the case that the package is installed? + To verify the nodev option is configured for non-root local partitions, run the following command: +
$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
+The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. + Is it the case that some mounts appear among output lines? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - TLS protocol support for rsyslog is installed. + The nodev mount option prevents files from being interpreted as +character or block devices. Legitimate character and block devices should +exist only in the /dev directory on the root partition or within +chroot jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of -The rsyslog-gnutls package can be installed with the following command: -
-$ sudo yum install rsyslog-gnutls
+ any non-root local partitions. medium @@ -55188,33 +55421,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84036-3: All Interactive Users Must Have A Home Directory Defined + CCE-82863-2: Disable Kernel Parameter for IPv6 Forwarding Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Assign home directories to all interactive users that currently do not -have a home directory assigned. - -This rule checks if the home directory is properly defined in a folder which has -at least one parent folder, like "user" in "/home/user" or "/remote/users/user". -Therefore, this rule will report a finding for home directories like /users, -/tmp or /. + To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that interactive users on the system have a home directory assigned with the following command: - -
$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
- -Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined. Is it the case that users home directory is not defined? + The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv6.conf.all.forwarding
+0. +The ability to forward packets is only appropriate for routers. Is it the case that IP forwarding value is "1" and the system is not router? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Assign home directories to all interactive users that currently do not -have a home directory assigned. - -This rule checks if the home directory is properly defined in a folder which has -at least one parent folder, like "user" in "/home/user" or "/remote/users/user". -Therefore, this rule will report a finding for home directories like /users, -/tmp or /. + To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
medium @@ -55227,23 +55450,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80920-2: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + CCE-80918-6: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
+ To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried + The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: -
$ sysctl net.ipv4.conf.default.accept_source_route
+
$ sysctl net.ipv4.conf.all.send_redirects
0. Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
+ To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
medium @@ -55256,49 +55479,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80896-4: Disable SSH Access via Empty Passwords + CCE-82904-4: Uninstall tuned Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Disallow SSH login with empty passwords. -The default SSH configuration disables logins with empty passwords. The appropriate -configuration is used if no value is set for PermitEmptyPasswords. -
-To explicitly disallow SSH login from accounts with empty passwords, -add or correct the following line in - - -/etc/ssh/sshd_config: - -
-
PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration -should prevent users from being able to assign themselves empty passwords. + The tuned package can be removed with the following command: +
+$ sudo yum erase tuned
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: - -
$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
- -If a line indicating no is returned, then the required value is set. - Is it the case that the required value is not set? + Run the following command to determine if the tuned package is installed: +
$ rpm -q tuned
Is it the case that the package is installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Disallow SSH login with empty passwords. -The default SSH configuration disables logins with empty passwords. The appropriate -configuration is used if no value is set for PermitEmptyPasswords. -
-To explicitly disallow SSH login from accounts with empty passwords, -add or correct the following line in - - -/etc/ssh/sshd_config: - -
-
PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration -should prevent users from being able to assign themselves empty passwords. - high + The tuned package can be removed with the following command: +
+$ sudo yum erase tuned
+ medium 
@@ -55310,25 +55507,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82424-3: Verify Permissions on SSH Server Private *_key Key Files + CCE-84053-8: Mount Remote Filesystems with nosuid Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. -If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. -If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter. + Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. 
If it is not, this is a finding. - To check the permissions of /etc/ssh/*_key, -run the command: -
$ ls -l /etc/ssh/*_key
-If properly configured, the output should indicate the following permissions: --rw------- Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? + To verify the nosuid option is configured for all NFS mounts, run +the following command: +
$ mount | grep nfs
+All NFS mounts should show the nosuid setting in parentheses. This +is not applicable if NFS is not implemented. Is it the case that the setting does not show? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. -If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. -If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter. + Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts. medium 
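Review bot: the check in this hunk does not test what the remediation configures. The fix text adds nosuid to the fourth column of /etc/fstab, but the check only inspects the live `mount | grep nfs` output, so a host whose fstab entry lacks nosuid (and therefore loses the option at the next mount) passes as long as the current mount happens to carry it, and a host with a correct fstab fails until it is remounted. Add an fstab check next to the runtime one, e.g. `grep -E '^\S+\s+\S+\s+nfs4?\s' /etc/fstab`, and require the fourth field of every matching line to contain nosuid. Also, `grep nfs` is a plain substring match over the whole mount line, so any mount whose device, path or type merely contains the letters nfs is pulled in; `mount -t nfs,nfs4` limits the listing to NFS mounts, and `mount -t nfs,nfs4 | grep -v nosuid` lists exactly the offending ones, which is easier for an assessor to match against than "should show the nosuid setting in parentheses".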
@@ -55341,44 +55536,51 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80898-0: Disable Kerberos Authentication + CCE-80835-2: Disable Modprobe Loading of USB Storage Driver Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like Kerberos. -
-The default SSH configuration disallows authentication validation through Kerberos. -The appropriate configuration is used if no value is set for KerberosAuthentication. -
-To explicitly disable Kerberos authentication, add or correct the following line in + To prevent USB storage devices from being used, configure the kernel module loading system +to prevent automatic loading of the USB storage driver. +To configure the system to prevent the usb-storage +kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf: +
install usb-storage /bin/true
-/etc/ssh/sshd_config: +To configure the system to prevent the usb-storage from being used, +add the following line to file /etc/modprobe.d/usb-storage.conf: +
blacklist usb-storage
-
KerberosAuthentication no
+This will prevent the modprobe program from loading the usb-storage +module, but will not prevent an administrator (or another program) from using the +insmod program to load the module manually. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: + +If the system is configured to prevent the loading of the usb-storage kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -
$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
+These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword. -If a line indicating no is returned, then the required value is set. - Is it the case that the required value is not set? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like Kerberos. -
-The default SSH configuration disallows authentication validation through Kerberos. -The appropriate configuration is used if no value is set for KerberosAuthentication. -
-To explicitly disable Kerberos authentication, add or correct the following line in + To prevent USB storage devices from being used, configure the kernel module loading system +to prevent automatic loading of the USB storage driver. +To configure the system to prevent the usb-storage +kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf: +
install usb-storage /bin/true
-/etc/ssh/sshd_config: +To configure the system to prevent the usb-storage from being used, +add the following line to file /etc/modprobe.d/usb-storage.conf: +
blacklist usb-storage
-
KerberosAuthentication no
+This will prevent the modprobe program from loading the usb-storage +module, but will not prevent an administrator (or another program) from using the +insmod program to load the module manually. medium @@ -55391,41 +55593,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80915-2: Restrict Exposed Kernel Pointer Addresses Access + CCE-81010-1: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
+ To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the kernel.kptr_restrict kernel parameter can be queried + The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried by running the following command: -
$ sysctl kernel.kptr_restrict
-The output of the command should indicate either: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 -The output of the command should not indicate: -kernel.kptr_restrict = 0 - -The preferable way how to assure the runtime compliance is to have -correct persistent configuration, and rebooting the system. - -The persistent kernel parameter configuration is performed by specifying the appropriate -assignment in any file located in the
/etc/sysctl.d
directory. -Verify that there is not any existing incorrect configuration by executing the following command: -
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
-The command should not find any assignments other than: -kernel.kptr_restrict = 1 -or: -kernel.kptr_restrict = 2 - -Conflicting assignments are not allowed. Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? +
$ sysctl net.ipv6.conf.default.accept_redirects
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
+ To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
medium 
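Review bot: in the accept_redirects hunk the check text is truncated: after `$ sysctl net.ipv6.conf.default.accept_redirects` only the fragment `0.` survives, so the expected output is never stated in a sentence; it should read in full, e.g. "The output of the command should indicate: net.ipv6.conf.default.accept_redirects = 0". The same hunk also drops the persistent-configuration half of the check that the removed kptr_restrict text carried (`grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d`, with the rule that conflicting assignments are not allowed) even though the fix still requires a line in /etc/sysctl.d; a runtime-only check passes a host that reverts to accepting redirects on reboot, so keep the equivalent `grep -r '^\s*net.ipv6.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d` and require every hit to be `= 0`. In the usb-storage hunk just above, `grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d` combined with "Is it the case that no line is returned?" passes on any mention of the module, including a commented-out `# install usb-storage /bin/true` or an `options usb-storage ...` line, while the remediation requires an install or blacklist directive; anchor the expression, e.g. `grep -rE '^\s*(install\s+usb-storage\s+/bin/true|blacklist\s+usb-storage)\b' /etc/modprobe.conf /etc/modprobe.d`.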
@@ -55438,31 +55622,21 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81033-3: Add nosuid Option to /boot + CCE-88248-0: Enable authselect Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The nosuid mount option can be used to prevent -execution of setuid programs in /boot. The SUID and SGID permissions -should not be required on the boot partition. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot. + Configure user authentication setup to use the authselect tool. +If authselect profile is selected, the rule will enable the profile. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. 
- Verify the nosuid option is configured for the /boot mount point, - run the following command: -
$ sudo mount | grep '\s/boot\s'
-
. . . /boot . . . nosuid . . .
- Is it the case that the "/boot" file system does not have the "nosuid" option set? + Verify that authselect is enabled by running +
authselect current
+If authselect is enabled on the system, the output should show the ID of the profile which is currently in use. Is it the case that authselect is not used to manage user authentication setup on the system? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The nosuid mount option can be used to prevent -execution of setuid programs in /boot. The SUID and SGID permissions -should not be required on the boot partition. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot. + Configure user authentication setup to use the authselect tool. +If authselect profile is selected, the rule will enable the profile. medium 
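Review bot: the remediation text in this hunk gives no actionable step. "Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the profile." names no command, and its second sentence is ungrammatical and circular, whereas the other rules in this series spell out the fix. State it, e.g. "Select a profile with `authselect select PROFILE` (for example `authselect select sssd`) and confirm with `authselect current`." The check should likewise say what a failing result looks like: "the output should show the ID of the profile which is currently in use" gives an assessor nothing to match when no profile is selected, so name the non-compliant condition explicitly (no profile ID is printed).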
@@ -55475,23 +55649,48 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-86220-1: Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces + CCE-86195-5: Disable the GNOME3 Login User List Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0
+ In the default graphical environment, users logging directly into the +system are greeted with a login screen that displays all known users. +This functionality should be disabled by setting disable-user-list +to true. +

+To disable, add or edit disable-user-list to +/etc/dconf/db/gdm.d/00-security-settings. For example: +
[org/gnome/login-screen]
+disable-user-list=true
+Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent +user modification. For example: +
/org/gnome/login-screen/disable-user-list
+After the settings have been set, run dconf update. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv4.conf.all.forwarding
-0. -The ability to forward packets is only appropriate for routers. Is it the case that IP forwarding value is "1" and the system is not router? + To ensure the user list is disabled, run the following command: +
$ grep disable-user-list /etc/dconf/db/gdm.d/*
+The output should be true. +To ensure that users cannot enable displaying the user list, run the following: +
$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
+If properly configured, the output should be /org/gnome/login-screen/disable-user-list Is it the case that disable-user-list has not been configured or is not disabled? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0
+ In the default graphical environment, users logging directly into the +system are greeted with a login screen that displays all known users. +This functionality should be disabled by setting disable-user-list +to true. +

+To disable, add or edit disable-user-list to +/etc/dconf/db/gdm.d/00-security-settings. For example: +
[org/gnome/login-screen]
+disable-user-list=true
+Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent +user modification. For example: +
/org/gnome/login-screen/disable-user-list
+After the settings have been set, run dconf update. medium @@ -55504,28 +55703,40 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84056-1: Remove User Host-Based Authentication Files + CCE-83497-8: Ensure All Files Are Owned by a Group Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The ~/.shosts (in each user's home directory) files -list remote hosts and users that are trusted by the -local system. To remove these files, run the following command -to delete them from any location: -
$ sudo find / -name '.shosts' -type f -delete
+ If any files are not owned by a group, then the +cause of their lack of group-ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. The following command will discover and print +any files on local partitions which do not belong to a valid group: +
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
+To search all filesystems on a system including network mounted +filesystems the following command can be run manually for each partition: +
$ sudo find PARTITION -xdev -nogroup
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that there are no .shosts files -on the system, run the following command: -
$ sudo find / -name '.shosts'
Is it the case that .shosts files exist? + The following command will discover and print any +files on local partitions which do not belong to a valid group. +
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
+
+Either remove all files and directories from the system that do not have a valid group, +or assign a valid group with the chgrp command: +
$ sudo chgrp group file
Is it the case that there is output? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The ~/.shosts (in each user's home directory) files -list remote hosts and users that are trusted by the -local system. To remove these files, run the following command -to delete them from any location: -
$ sudo find / -name '.shosts' -type f -delete
- high + If any files are not owned by a group, then the +cause of their lack of group-ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. The following command will discover and print +any files on local partitions which do not belong to a valid group: +
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
+To search all filesystems on a system including network mounted +filesystems the following command can be run manually for each partition: +
$ sudo find PARTITION -xdev -nogroup
+ medium @@ -55537,56 +55748,48 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82462-3: SSH server uses strong entropy to seed + CCE-80785-9: Disable Ctrl-Alt-Del Reboot Activation Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. -The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so -make sure that the file contains line -
SSH_USE_STRONG_RNG=32
- Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine whether the SSH service is configured to use strong entropy seed, -run
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
-If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, -then the option is set correctly. Is it the case that the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. -The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so -make sure that the file contains line -
SSH_USE_STRONG_RNG=32
- low - - - - - - - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - - CCE-82863-2: Disable Kernel Parameter for IPv6 Forwarding - - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. + By default, SystemD will reboot the system if the Ctrl-Alt-Del +key sequence is pressed. +

+To configure the system to ignore the Ctrl-Alt-Del key sequence from the -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
+command line instead of rebooting the system, do either of the following: +
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+or +
systemctl mask ctrl-alt-del.target
+

+Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, +as this file may be restored during future system updates. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv6.conf.all.forwarding
-0. -The ability to forward packets is only appropriate for routers. Is it the case that IP forwarding value is "1" and the system is not router? + To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check +that the ctrl-alt-del.target is masked and not active with the following +command: +
sudo systemctl status ctrl-alt-del.target
+The output should indicate that the target is masked and not active. It +might resemble following output: +
ctrl-alt-del.target
+Loaded: masked (/dev/null; bad)
+Active: inactive (dead)
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
- medium + By default, SystemD will reboot the system if the Ctrl-Alt-Del +key sequence is pressed. +

+To configure the system to ignore the Ctrl-Alt-Del key sequence from the + +command line instead of rebooting the system, do either of the following: +
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+or +
systemctl mask ctrl-alt-del.target
+

+Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, +as this file may be restored during future system updates. + high @@ -55598,42 +55801,29 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82177-7: Force frequent session key renegotiation + CCE-82201-5: Resolve information before writing to audit logs Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The RekeyLimit parameter specifies how often -the session key of the is renegotiated, both in terms of -amount of data that may be transmitted and the time -elapsed.
-To decrease the default limits, add or correct the following line in - - -/etc/ssh/sshd_config: - -
RekeyLimit  
+ To configure Audit daemon to resolve all uid, gid, syscall, +architecture, and socket address information before writing the +events to disk, set log_format to ENRICHED +in /etc/audit/auditd.conf. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To check if RekeyLimit is set correctly, run the -following command: - -
$ sudo grep RekeyLimit /etc/ssh/sshd_config
- -If configured properly, output should be -
RekeyLimit  
Is it the case that it is commented out or is not set? + To verify that Audit Daemon is configured to resolve all uid, gid, syscall, +architecture, and socket address information before writing the event to disk, +run the following command: +
$ sudo grep log_format /etc/audit/auditd.conf
+The output should return the following: +
log_format = ENRICHED
Is it the case that log_format isn't set to ENRICHED? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The RekeyLimit parameter specifies how often -the session key of the is renegotiated, both in terms of -amount of data that may be transmitted and the time -elapsed.
-To decrease the default limits, add or correct the following line in - - -/etc/ssh/sshd_config: - -
RekeyLimit  
- medium + To configure Audit daemon to resolve all uid, gid, syscall, +architecture, and socket address information before writing the +events to disk, set log_format to ENRICHED +in /etc/audit/auditd.conf. + low 
@@ -55645,32 +55835,29 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-86038-7: Add nosuid Option to /boot/efi + CCE-81044-0: Ensure /home Located On Separate Partition Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The nosuid mount option can be used to prevent -execution of setuid programs in /boot/efi. The SUID and SGID permissions -should not be required on the boot partition. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot/efi. + If user home directories will be stored locally, create a separate partition +for /home at installation time (or migrate it later using LVM). If +/home will be mounted from another system such as an NFS server, then +creating a separate partition is not necessary at installation time, and the +mountpoint can instead be configured later. 
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify the nosuid option is configured for the /boot/efi mount point, - run the following command: -
$ sudo mount | grep '\s/boot/efi\s'
-
. . . /boot/efi . . . nosuid . . .
- Is it the case that the "/boot/efi" file system does not have the "nosuid" option set? + Verify that a separate file system/partition has been created for /home with the following command: + +
$ mountpoint /home
+ Is it the case that "/home is not a mountpoint" is returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The nosuid mount option can be used to prevent -execution of setuid programs in /boot/efi. The SUID and SGID permissions -should not be required on the boot partition. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/boot/efi. - medium + If user home directories will be stored locally, create a separate partition +for /home at installation time (or migrate it later using LVM). If +/home will be mounted from another system such as an NFS server, then +creating a separate partition is not necessary at installation time, and the +mountpoint can instead be configured later. + low 
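Review bot: the check `$ mountpoint /home` inspects only the live mount table, so it passes on a host where /home was mounted by hand and regresses at the next boot, while the fixtext (create the partition at installation or migrate it with LVM) never mentions the persistent /etc/fstab entry or mount unit that keeps it a mountpoint. Suggest adding that step to the fixtext and, if the intent is durable configuration, pairing the runtime check with something like `grep -E '\s/home\s' /etc/fstab`. The NFS sentence also needs the caveat that the assessment still expects /home to be a mountpoint at scan time; "configured later" reads as if the rule could be deferred.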
@@ -55682,26 +55869,17 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81037-4: Ensure the Default C Shell Umask is Set Correctly + CCE-80847-7: Ensure rsyslog is Installed Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To ensure the default umask for users of the C shell is set properly, -add or correct the umask setting in /etc/csh.cshrc to read as follows: -
umask 
+ Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: - -$ grep umask /etc/csh.cshrc - -umask 077 -umask 077 Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? + Run the following command to determine if the rsyslog package is installed:
$ rpm -q rsyslog
Is it the case that the package is not installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To ensure the default umask for users of the C shell is set properly, -add or correct the umask setting in /etc/csh.cshrc to read as follows: -
umask 
+ Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
medium @@ -55714,37 +55892,24 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83733-6: Configure AIDE to Verify Extended Attributes + CCE-80852-7: Ensure /var Located On Separate Partition Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - By default, the xattrs option is added to the FIPSR ruleset in AIDE. -If using a custom ruleset or the xattrs option is missing, add xattrs -to the appropriate ruleset. -For example, add xattrs to the following line in /etc/aide.conf: -
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already -configured by default. - -The remediation provided with this rule adds xattrs to all rule sets available in -/etc/aide.conf + The /var directory is used by daemons and other system +services to store frequently-changing data. Ensure that /var has its own partition +or logical volume at installation time, or migrate it using LVM. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine that AIDE is verifying extended file attributes, run the following command: -
$ grep xattrs /etc/aide.conf
-Verify that the xattrs option is added to the correct ruleset. Is it the case that the xattrs option is missing or not added to the correct ruleset? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - By default, the xattrs option is added to the FIPSR ruleset in AIDE. -If using a custom ruleset or the xattrs option is missing, add xattrs -to the appropriate ruleset. -For example, add xattrs to the following line in /etc/aide.conf: -
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already -configured by default. + Verify that a separate file system/partition has been created for /var with the following command: -The remediation provided with this rule adds xattrs to all rule sets available in -/etc/aide.conf +
$ mountpoint /var
+ Is it the case that "/var is not a mountpoint" is returned? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + The /var directory is used by daemons and other system +services to store frequently-changing data. Ensure that /var has its own partition +or logical volume at installation time, or migrate it using LVM. low 
@@ -55757,23 +55922,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83375-6: Ensure All World-Writable Directories Are Owned by root User + CCE-80921-0: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - All directories in local partitions which are world-writable should be owned by root. -If any world-writable directories are not owned by root, this should be investigated. -Following this, the files should be deleted or assigned to root user. + To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The following command will discover and print world-writable directories that -are not owned by root. Run it once for each local partition PART: -
$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print
Is it the case that there are world-writable directories not owned by root? + The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv4.conf.default.send_redirects
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - All directories in local partitions which are world-writable should be owned by root. -If any world-writable directories are not owned by root, this should be investigated. -Following this, the files should be deleted or assigned to root user. + To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
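Review bot: the check for CCE-80921-0 reads only the runtime value (`$ sysctl net.ipv4.conf.default.send_redirects`) while the fix requires a persistent line under /etc/sysctl.d, so a host set with `sysctl -w` and never persisted passes and reverts on reboot. Suggest the check also inspect the persistent files, e.g. `grep -rs net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d/`, and mention that a later-sorting drop-in containing `= 1` overrides the added line. The expected output is shown as a bare `0.`; it should be the full `net.ipv4.conf.default.send_redirects = 0` so the reader knows what a match looks like.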
medium @@ -55786,47 +55951,30 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80878-2: Disable KDump Kernel Crash Analyzer (kdump) + CCE-83789-8: Ensure Home Directories are Created for New Users Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The kdump service provides a kernel crash dump analyzer. It uses the kexec -system call to boot a secondary kernel ("capture" kernel) following a system -crash, which can load information from the crashed kernel for analysis. - -The kdump service can be disabled with the following command: -
$ sudo systemctl mask --now kdump.service
+ All local interactive user accounts, upon creation, should be assigned a home directory. +

+Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME +parameter in /etc/login.defs to yes as follows: +

+
CREATE_HOME yes
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To check that the kdump service is disabled in system boot configuration, -run the following command: -
$ sudo systemctl is-enabled kdump
-Output should indicate the kdump service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -
$ sudo systemctl is-enabled kdump
disabled
- -Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: -
$ sudo systemctl is-active kdump
- -If the service is not running the command will return the following output: -
inactive
- -The service will also be masked, to check that the kdump is masked, run the following command: -
$ sudo systemctl show kdump | grep "LoadState\|UnitFileState"
- -If the service is masked the command will return the following outputs: - -
LoadState=masked
- -
UnitFileState=masked
Is it the case that the "kdump" is loaded and not masked? + Verify all local interactive users on Red Hat Enterprise Linux 8 are assigned a home +directory upon creation with the following command: +
$ grep -i create_home /etc/login.defs
+
CREATE_HOME yes
Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The kdump service provides a kernel crash dump analyzer. It uses the kexec -system call to boot a secondary kernel ("capture" kernel) following a system -crash, which can load information from the crashed kernel for analysis. - -The kdump service can be disabled with the following command: -
$ sudo systemctl mask --now kdump.service
+ All local interactive user accounts, upon creation, should be assigned a home directory. +

+Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME +parameter in /etc/login.defs to yes as follows: +

+
CREATE_HOME yes
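Review bot: `$ grep -i create_home /etc/login.defs` in the check for CCE-83789-8 also returns a commented line, and the sample output `CREATE_HOME yes` gives no hint of that, so the "commented out" clause in the question has to be applied by eye; anchoring the pattern (`grep -Ei '^\s*CREATE_HOME' /etc/login.defs`) makes the output match the decision. The description and fixtext also carry empty preformatted blocks on either side of the `CREATE_HOME yes` line; they render as blank boxes and should be removed.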
medium @@ -55839,23 +55987,31 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80921-0: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + CCE-81050-7: Add nosuid Option to /home Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
+ The nosuid mount option can be used to prevent +execution of setuid programs in /home. The SUID and SGID permissions +should not be required in these user data directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv4.conf.default.send_redirects
-0. - Is it the case that the correct value is not returned? + Verify the nosuid option is configured for the /home mount point, + run the following command: +
$ sudo mount | grep '\s/home\s'
+
. . . /home . . . nosuid . . .
+ Is it the case that the "/home" file system does not have the "nosuid" option set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
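Review bot: the check for CCE-81050-7, `$ sudo mount | grep '\s/home\s'`, verifies the live mount table while the fix edits the fourth column of /etc/fstab, so it passes on a hand-mounted /home and prints nothing at all when /home is not a separate mount; in that second case the question "does not have the nosuid option set" is answered yes and the finding points at the wrong defect, which is really the missing mountpoint covered by CCE-81044-0 earlier in this patch. Suggest stating that dependency explicitly and adding an fstab check (`grep -E '\s/home\s' /etc/fstab`) so the persistent option is verified; the `. . . /home . . . nosuid . . .` sample line should also say that `nosuid` appears inside the parenthesised option list of the `mount` output, since a reader may look for it as a separate column.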
+ The nosuid mount option can be used to prevent +execution of setuid programs in /home. The SUID and SGID permissions +should not be required in these user data directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. medium @@ -55868,26 +56024,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81038-2: Disable Core Dumps for All Users + CCE-80851-9: Ensure /tmp Located On Separate Partition Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To disable core dumps for all users, add the following line to -/etc/security/limits.conf, or to a file within the -/etc/security/limits.d/ directory: -
*     hard   core    0
+ The /tmp directory is a world-writable directory used +for temporary file storage. Ensure it has its own partition or +logical volume at installation time, or migrate it using LVM. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that core dumps are disabled for all users, run the following command: -
$ grep core /etc/security/limits.conf
-
*     hard   core    0
Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"? + Verify that a separate file system/partition has been created for /tmp with the following command: + +
$ mountpoint /tmp
+ Is it the case that "/tmp is not a mountpoint" is returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To disable core dumps for all users, add the following line to -/etc/security/limits.conf, or to a file within the -/etc/security/limits.d/ directory: -
*     hard   core    0
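Review bot: the check `$ mountpoint /tmp` accepts any mount, including a tmpfs, whereas the fixtext for CCE-80851-9 only describes creating a partition or logical volume; either broaden the fixtext to say a dedicated tmpfs mount also satisfies the rule or narrow the check, otherwise assessors and implementers will disagree on what passes. As with the other separate-partition rules in this patch, the check is runtime-only and says nothing about /etc/fstab.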
- medium + The /tmp directory is a world-writable directory used +for temporary file storage. Ensure it has its own partition or +logical volume at installation time, or migrate it using LVM. + low @@ -55899,42 +56054,36 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82281-7: Enable SSH Print Last Log + CCE-80901-2: Disable SSH Root Login Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Ensure that SSH will display the date and time of the last successful account logon. -
-The default SSH configuration enables print of the date and time of the last login. -The appropriate configuration is used if no value is set for PrintLastLog. -
-To explicitly enable LastLog in SSH, add or correct the following line in + The root user should never be allowed to login to a +system directly over a network. +To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config: -
PrintLastLog yes
+
PermitRootLogin no
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's PrintLastLog option is set, run the following command: + To determine how the SSH daemon's PermitRootLogin option is set, run the following command: -
$ sudo grep -i PrintLastLog /etc/ssh/sshd_config
+
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
-If a line indicating yes is returned, then the required value is set. +If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Ensure that SSH will display the date and time of the last successful account logon. -
-The default SSH configuration enables print of the date and time of the last login. -The appropriate configuration is used if no value is set for PrintLastLog. -
-To explicitly enable LastLog in SSH, add or correct the following line in + The root user should never be allowed to login to a +system directly over a network. +To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config: -
PrintLastLog yes
+
PermitRootLogin no
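Review bot: the decision text "If a line indicating no is returned, then the required value is set" is wrong in two cases: `$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config` also returns a commented `#PermitRootLogin` line, and sshd uses the first value it reads for a keyword, so a `PermitRootLogin no` placed after an earlier `PermitRootLogin yes`, or inside a `Match` block, does not make the setting effective globally. Suggest the check query the effective configuration with `sudo sshd -T | grep -i permitrootlogin`, or at minimum anchor the grep (`grep -Ei '^\s*PermitRootLogin' /etc/ssh/sshd_config`) and state that a commented line counts as not set.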
medium @@ -55947,23 +56096,27 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84055-3: Remove Host-Based Authentication Files + CCE-82462-3: SSH server uses strong entropy to seed Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The shosts.equiv file lists remote hosts and users that are trusted by the local -system. To remove these files, run the following command to delete them from any location: -
$ sudo rm /[path]/[to]/[file]/shosts.equiv
+ To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. +The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so +make sure that the file contains line +
SSH_USE_STRONG_RNG=32
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that there are no shosts.equiv files on the system, run the following command: -
$ find / -name shosts.equiv
Is it the case that shosts.equiv files exist? + To determine whether the SSH service is configured to use strong entropy seed, +run
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
+If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, +then the option is set correctly. Is it the case that the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The shosts.equiv file lists remote hosts and users that are trusted by the local -system. To remove these files, run the following command to delete them from any location: -
$ sudo rm /[path]/[to]/[file]/shosts.equiv
- high + To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. +The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so +make sure that the file contains line +
SSH_USE_STRONG_RNG=32
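Review bot: the description for CCE-82462-3 says `SSH_USE_STRONG_RNG` "determines how many bytes of entropy to use" but never says what reads it; it is not an sshd_config keyword, so the rule should state that the variable is consumed from /etc/sysconfig/sshd by the distribution's sshd service (its environment file) rather than by upstream OpenSSH, and why 32 is the chosen value. The check `$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd` also matches a commented line or a different value; `grep -E '^\s*SSH_USE_STRONG_RNG=32' /etc/sysconfig/sshd` matches only what the question actually asks about.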
+ low @@ -55975,45 +56128,38 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82028-2: Disable ATM Support + CCE-80902-0: Disable SSH Support for User Known Hosts Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The Asynchronous Transfer Mode (ATM) is a protocol operating on -network, data link, and physical layers, based on virtual circuits -and virtual paths. + SSH can allow system users to connect to systems if a cache of the remote +systems public keys is available. This should be disabled. +

+To ensure this behavior is disabled, add or correct the following line in -To configure the system to prevent the atm -kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: -
install atm /bin/true
-To configure the system to prevent the atm from being used, -add the following line to file /etc/modprobe.d/atm.conf: -
blacklist atm
+/etc/ssh/sshd_config: + +
IgnoreUserKnownHosts yes
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - -If the system is configured to prevent the loading of the atm kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: -These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. +
$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? +If a line indicating yes is returned, then the required value is set. + Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The Asynchronous Transfer Mode (ATM) is a protocol operating on -network, data link, and physical layers, based on virtual circuits -and virtual paths. + SSH can allow system users to connect to systems if a cache of the remote +systems public keys is available. This should be disabled. +

+To ensure this behavior is disabled, add or correct the following line in -To configure the system to prevent the atm -kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: -
install atm /bin/true
-To configure the system to prevent the atm from being used, -add the following line to file /etc/modprobe.d/atm.conf: -
blacklist atm
+/etc/ssh/sshd_config: + +
IgnoreUserKnownHosts yes
medium @@ -56026,23 +56172,41 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80952-5: Disable Kernel Image Loading + CCE-81021-8: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried + The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried by running the following command: -
$ sysctl kernel.kexec_load_disabled
-1. - Is it the case that the correct value is not returned? +
$ sysctl net.ipv4.conf.all.rp_filter
+The output of the command should indicate either: +net.ipv4.conf.all.rp_filter = 1 +or: +net.ipv4.conf.all.rp_filter = 2 +The output of the command should not indicate: +net.ipv4.conf.all.rp_filter = 0 + +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent sysctl parameter configuration is performed by specifying the appropriate +assignment in any file located in the
/etc/sysctl.d
directory. +Verify that there is not any existing incorrect configuration by executing the following command: +
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
+The command should not find any assignments other than: +net.ipv4.conf.all.rp_filter = 1 +or: +net.ipv4.conf.all.rp_filter = 2 + +Conflicting assignments are not allowed. Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
medium @@ -56055,19 +56219,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82436-7: Uninstall tftp-server Package + CCE-84050-4: Mount Remote Filesystems with noexec Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
+ Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the tftp-server package is installed: -
$ rpm -q tftp-server
Is it the case that the package is installed? + To verify the noexec option is configured for all NFS mounts, run the following command: +
$ mount | grep nfs
+All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is +not implemented. Is it the case that the setting does not show? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
- high + Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts. + medium @@ -56079,28 +56247,33 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82283-3: Ensure System is Not Acting as a Network Sniffer + CCE-81035-8: Ensure the Default Umask is Set Correctly in /etc/profile Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The system should not be acting as a network sniffer, which can -capture all traffic on the network to which it is connected. Run the following -to determine if any interface is running in promiscuous mode: -
$ ip link | grep PROMISC
-Promiscuous mode of an interface can be disabled with the following command: -
$ sudo ip link set dev device_name multicast off promisc off
+ To ensure the default umask controlled by /etc/profile is set properly, +add or correct the umask setting in /etc/profile to read as follows: +
umask 
+ +Note that /etc/profile also reads scrips within /etc/profile.d directory. +These scripts are also valid files to set umask value. Therefore, they should also be +considered during the check and properly remediated, if necessary. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that Promiscuous mode of an interface is disabled, run the following command: -
$ ip link | grep PROMISC
Is it the case that any network device is in promiscuous mode? + Verify the umask setting is configured correctly in the /etc/profile file +or scripts within /etc/profile.d directory with the following command: +
$ grep "umask" /etc/profile*
+
umask 
Is it the case that the value for the "umask" parameter is not "", +or the "umask" parameter is missing or is commented out? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The system should not be acting as a network sniffer, which can -capture all traffic on the network to which it is connected. Run the following -to determine if any interface is running in promiscuous mode: -
$ ip link | grep PROMISC
-Promiscuous mode of an interface can be disabled with the following command: -
$ sudo ip link set dev device_name multicast off promisc off
+ To ensure the default umask controlled by /etc/profile is set properly, +add or correct the umask setting in /etc/profile to read as follows: +
umask 
+ +Note that /etc/profile also reads scrips within /etc/profile.d directory. +These scripts are also valid files to set umask value. Therefore, they should also be +considered during the check and properly remediated, if necessary. medium @@ -56113,40 +56286,59 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83499-4: Ensure All Files Are Owned by a User + CCE-82946-5: Uninstall iprutils Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - If any files are not owned by a user, then the -cause of their lack of ownership should be investigated. -Following this, the files should be deleted or assigned to an -appropriate user. The following command will discover and print -any files on local partitions which do not belong to a valid user: -
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
-To search all filesystems on a system including network mounted -filesystems the following command can be run manually for each partition: -
$ sudo find PARTITION -xdev -nouser
+ The iprutils package can be removed with the following command: +
+$ sudo yum erase iprutils
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The following command will discover and print any -files on local partitions which do not belong to a valid user. -
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
-

-Either remove all files and directories from the system that do not have a -valid user, or assign a valid user to all unowned files and directories on -the system with the chown command: -
$ sudo chown user file
Is it the case that files exist that are not owned by a valid user? + Run the following command to determine if the iprutils package is installed: +
$ rpm -q iprutils
Is it the case that the package is installed? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + The iprutils package can be removed with the following command: +
+$ sudo yum erase iprutils
+ medium + + + + + + + CCI-000366 + SRG-OS-000480-GPOS-00227 + TBD - Assigned by DISA after STIG release + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + + CCE-86038-7: Add nosuid Option to /boot/efi + + Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + The nosuid mount option can be used to prevent +execution of setuid programs in /boot/efi. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot/efi. + Applicable - Configurable + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + Verify the nosuid option is configured for the /boot/efi mount point, + run the following command: +
$ sudo mount | grep '\s/boot/efi\s'
+
. . . /boot/efi . . . nosuid . . .
+ Is it the case that the "/boot/efi" file system does not have the "nosuid" option set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - If any files are not owned by a user, then the -cause of their lack of ownership should be investigated. -Following this, the files should be deleted or assigned to an -appropriate user. The following command will discover and print -any files on local partitions which do not belong to a valid user: -
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
-To search all filesystems on a system including network mounted -filesystems the following command can be run manually for each partition: -
$ sudo find PARTITION -xdev -nouser
+ The nosuid mount option can be used to prevent +execution of setuid programs in /boot/efi. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot/efi. medium @@ -56159,22 +56351,33 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84050-4: Mount Remote Filesystems with noexec + CCE-83434-1: All Interactive User Home Directories Must Be Group-Owned By The Primary Group Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts. + Change the group owner of interactive users home directory to the +group found in /etc/passwd. To change the group owner of +interactive users home directory, use the following command: +
$ sudo chgrp USER_GROUP /home/USER
+ +This rule ensures every home directory related to an interactive user is +group-owned by an interactive user. It also ensures that interactive users +are group-owners of one and only one home directory. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify the noexec option is configured for all NFS mounts, run the following command: -
$ mount | grep nfs
-All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is -not implemented. Is it the case that the setting does not show? + To verify the assigned home directory of all interactive users is group- +owned by that users primary GID, run the following command: +
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
Is it the case that the group ownership is incorrect? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts. + Change the group owner of interactive users home directory to the +group found in /etc/passwd. To change the group owner of +interactive users home directory, use the following command: +
$ sudo chgrp USER_GROUP /home/USER
+ +This rule ensures every home directory related to an interactive user is +group-owned by an interactive user. It also ensures that interactive users +are group-owners of one and only one home directory. medium @@ -56187,24 +56390,49 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81007-7: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + CCE-80896-4: Disable SSH Access via Empty Passwords Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
+ Disallow SSH login with empty passwords. +The default SSH configuration disables logins with empty passwords. The appropriate +configuration is used if no value is set for PermitEmptyPasswords. +
+To explicitly disallow SSH login from accounts with empty passwords, +add or correct the following line in + + +/etc/ssh/sshd_config: + +
+
PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv6.conf.default.accept_ra
-0. - Is it the case that the correct value is not returned? + To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: + +
$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
+ +If a line indicating no is returned, then the required value is set. + Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
- medium + Disallow SSH login with empty passwords. +The default SSH configuration disables logins with empty passwords. The appropriate +configuration is used if no value is set for PermitEmptyPasswords. +
+To explicitly disallow SSH login from accounts with empty passwords, +add or correct the following line in + + +/etc/ssh/sshd_config: + +
+
PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords. + high @@ -56216,23 +56444,44 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82252-8: Disable storing core dump + CCE-80897-2: Disable GSSAPI Authentication Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf -can be set to none to disable storing core dumps permanently. + Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like GSSAPI. +
+The default SSH configuration disallows authentications based on GSSAPI. The appropriate +configuration is used if no value is set for GSSAPIAuthentication. +
+To explicitly disable GSSAPI authentication, add or correct the following line in + + +/etc/ssh/sshd_config: + +
GSSAPIAuthentication no
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command: + To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: -$ grep -i storage /etc/systemd/coredump.conf +
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
-Storage=none Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? +If a line indicating no is returned, then the required value is set. + Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf -can be set to none to disable storing core dumps permanently. + Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like GSSAPI. +
+The default SSH configuration disallows authentications based on GSSAPI. The appropriate +configuration is used if no value is set for GSSAPIAuthentication. +
+To explicitly disable GSSAPI authentication, add or correct the following line in + + +/etc/ssh/sshd_config: + +
GSSAPIAuthentication no
medium @@ -56245,23 +56494,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84052-0: Mount Remote Filesystems with nodev + CCE-86220-1: Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts. + To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify the nodev option is configured for all NFS mounts, run -the following command: -
$ mount | grep nfs
-All NFS mounts should show the nodev setting in parentheses. This -is not applicable if NFS is not implemented. Is it the case that the setting does not show? + The runtime status of the net.ipv4.conf.all.forwarding kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv4.conf.all.forwarding
+0. +The ability to forward packets is only appropriate for routers. Is it the case that IP forwarding value is "1" and the system is not router? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts. + To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0
medium @@ -56274,38 +56523,24 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83411-9: Disable graphical user interface + CCE-84043-9: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - By removing the following packages, the system no longer has X Windows installed. - -xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland - -If X Windows is not installed then the system cannot boot into graphical user mode. -This prevents the system from being accidentally or maliciously booted into a graphical.target -mode. To do so, run the following command: - -
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+ Set the mode of the user initialization files to 0740 with the +following command: +
$ sudo chmod 0740 /home/USER/.INIT_FILE
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To ensure the X Windows package group is removed, run the following command: - -
$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
- -For each package mentioned above you should receive following line: -
package <package> is not installed
Is it the case that xorg related packages are not removed and run level is not correctly configured? + To verify that all user initialization files have a mode of 0740 or +less permissive, run the following command: +
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
+There should be no output. Is it the case that they are not 0740 or more permissive? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - By removing the following packages, the system no longer has X Windows installed. - -xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland - -If X Windows is not installed then the system cannot boot into graphical user mode. -This prevents the system from being accidentally or maliciously booted into a graphical.target -mode. To do so, run the following command: - -
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+ Set the mode of the user initialization files to 0740 with the +following command: +
$ sudo chmod 0740 /home/USER/.INIT_FILE
medium @@ -56318,28 +56553,22 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80890-7: Set Default firewalld Zone for Incoming Packets + CCE-82976-2: Install policycoreutils Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the default zone to drop for -the built-in default zone which processes incoming IPv4 and IPv6 packets, -modify the following line in -/etc/firewalld/firewalld.conf to be: -
DefaultZone=drop
+ The policycoreutils package can be installed with the following command: +
+$ sudo yum install policycoreutils
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Inspect the file /etc/firewalld/firewalld.conf to determine -the default zone for the firewalld. It should be set to DefaultZone=drop: -
$ sudo grep DefaultZone /etc/firewalld/firewalld.conf
Is it the case that the default zone is not set to DROP? + Run the following command to determine if the policycoreutils package is installed:
$ rpm -q policycoreutils
Is it the case that the policycoreutils package is not installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the default zone to drop for -the built-in default zone which processes incoming IPv4 and IPv6 packets, -modify the following line in -/etc/firewalld/firewalld.conf to be: -
DefaultZone=drop
- medium + The policycoreutils package can be installed with the following command: +
+$ sudo yum install policycoreutils
+ low @@ -56351,23 +56580,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80922-8: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + CCE-82934-1: Harden the operation of the BPF just-in-time compiler Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
+ To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried + The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried by running the following command: -
$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
-1. +
$ sysctl net.core.bpf_jit_harden
+2. Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
+ To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
medium @@ -56380,26 +56609,35 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84040-5: Ensure that Users Path Contains Only Local Directories + CCE-80649-7: Verify Only Root Has UID 0 Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Ensure that all interactive user initialization files executable search -path statements do not contain statements that will reference a working -directory other than the users home directory. + If any account other than root has a UID of 0, this misconfiguration should +be investigated and the accounts other than root should be removed or have +their UID changed. +
+If the account is associated with system commands or applications the UID +should be changed to one greater than "0" but less than "1000." +Otherwise assign a UID greater than "1000" that has not already been +assigned. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: - -
$ sudo grep -i path= /home/*/.*
-
-/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement? + Verify that only the "root" account has a UID "0" assignment with the +following command: +
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
+
root
Is it the case that any accounts other than "root" have a UID of "0"? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Ensure that all interactive user initialization files executable search -path statements do not contain statements that will reference a working -directory other than the users home directory. - medium + If any account other than root has a UID of 0, this misconfiguration should +be investigated and the accounts other than root should be removed or have +their UID changed. +
+If the account is associated with system commands or applications the UID +should be changed to one greater than "0" but less than "1000." +Otherwise assign a UID greater than "1000" that has not already been +assigned. + high @@ -56411,39 +56649,27 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-85953-8: Ensure There Are No Accounts With Blank or Null Passwords + CCE-80853-5: Ensure /var/log Located On Separate Partition Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Check the "/etc/shadow" file for blank passwords with the -following command: -
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
-If the command returns any results, this is a finding. -Configure all accounts on the system to have a password or lock -the account with the following commands: -Perform a password reset: -
$ sudo passwd [username]
-Lock an account: -
$ sudo passwd -l [username]
+ System logs are stored in the /var/log directory. + +Ensure that /var/log has its own partition or logical +volume at installation time, or migrate it using LVM. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that null passwords cannot be used, run the following command: -
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
-If this produces any output, it may be possible to log into accounts -with empty passwords. Is it the case that Blank or NULL passwords can be used? + Verify that a separate file system/partition has been created for /var/log with the following command: + +
$ mountpoint /var/log
+ Is it the case that "/var/log is not a mountpoint" is returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Check the "/etc/shadow" file for blank passwords with the -following command: -
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
-If the command returns any results, this is a finding. -Configure all accounts on the system to have a password or lock -the account with the following commands: -Perform a password reset: -
$ sudo passwd [username]
-Lock an account: -
$ sudo passwd -l [username]
- high + System logs are stored in the /var/log directory. + +Ensure that /var/log has its own partition or logical +volume at installation time, or migrate it using LVM. + low 
@@ -56455,26 +56681,57 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-85872-0: Ensure PAM password complexity module is enabled in system-auth + CCE-80873-3: Disable the Automounter Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To enable PAM password complexity in system-auth file: -Edit the password section in -/etc/pam.d/system-auth to show -password requisite pam_pwquality.so. + The autofs daemon mounts and unmounts filesystems, such as user +home directories shared via NFS, on demand. In addition, autofs can be used to handle +removable media, and the default configuration provides the cdrom device as /misc/cd. +However, this method of providing access to removable media is not common, so autofs +can almost always be disabled if NFS is not in use. Even if NFS is required, it may be +possible to configure filesystem mounts statically by editing /etc/fstab +rather than relying on the automounter. +

+ +The autofs service can be disabled with the following command: +
$ sudo systemctl mask --now autofs.service
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To check if pam_pwquality.so is enabled in system-auth, run the following command: -
$ grep pam_pwquality /etc/pam.d/system-auth
-The output should be similar to the following: -
password requisite pam_pwquality.so
Is it the case that pam_pwquality.so is not enabled in system-auth? + To check that the autofs service is disabled in system boot configuration, +run the following command: +
$ sudo systemctl is-enabled autofs
+Output should indicate the autofs service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +
$ sudo systemctl is-enabled autofs
disabled
+ +Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: +
$ sudo systemctl is-active autofs
+ +If the service is not running the command will return the following output: +
inactive
+ +The service will also be masked, to check that the autofs is masked, run the following command: +
$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"
+ +If the service is masked the command will return the following outputs: + +
LoadState=masked
+ +
UnitFileState=masked
Is it the case that the "autofs" is loaded and not masked? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To enable PAM password complexity in system-auth file: -Edit the password section in -/etc/pam.d/system-auth to show -password requisite pam_pwquality.so. + The autofs daemon mounts and unmounts filesystems, such as user +home directories shared via NFS, on demand. In addition, autofs can be used to handle +removable media, and the default configuration provides the cdrom device as /misc/cd. +However, this method of providing access to removable media is not common, so autofs +can almost always be disabled if NFS is not in use. Even if NFS is required, it may be +possible to configure filesystem mounts statically by editing /etc/fstab +rather than relying on the automounter. +

+ +The autofs service can be disabled with the following command: +
$ sudo systemctl mask --now autofs.service
medium @@ -56487,38 +56744,32 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84220-3: Configure AIDE to Verify Access Control Lists (ACLs) + CCE-81033-3: Add nosuid Option to /boot Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - By default, the acl option is added to the FIPSR ruleset in AIDE. -If using a custom ruleset or the acl option is missing, add acl -to the appropriate ruleset. -For example, add acl to the following line in /etc/aide.conf: -
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already -configured by default. - -The remediation provided with this rule adds acl to all rule sets available in -/etc/aide.conf + The nosuid mount option can be used to prevent +execution of setuid programs in /boot. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine that AIDE is verifying ACLs, run the following command: -
$ grep acl /etc/aide.conf
-Verify that the acl option is added to the correct ruleset. Is it the case that the acl option is missing or not added to the correct ruleset? + Verify the nosuid option is configured for the /boot mount point, + run the following command: +
$ sudo mount | grep '\s/boot\s'
+
. . . /boot . . . nosuid . . .
+ Is it the case that the "/boot" file system does not have the "nosuid" option set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - By default, the acl option is added to the FIPSR ruleset in AIDE. -If using a custom ruleset or the acl option is missing, add acl -to the appropriate ruleset. -For example, add acl to the following line in /etc/aide.conf: -
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-AIDE rules can be configured in multiple ways; this is merely one example that is already -configured by default. - -The remediation provided with this rule adds acl to all rule sets available in -/etc/aide.conf - low + The nosuid mount option can be used to prevent +execution of setuid programs in /boot. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + medium @@ -56530,26 +56781,28 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81039-0: Uninstall Sendmail Package + CCE-80886-5: Enable rsyslog Service Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: -
-$ sudo yum erase sendmail
+ The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8. + +The rsyslog service can be enabled with the following command: +
$ sudo systemctl enable rsyslog.service
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the sendmail package is installed: -
$ rpm -q sendmail
Is it the case that the package is installed? + + +Run the following command to determine the current status of the +rsyslog service: +
$ sudo systemctl is-active rsyslog
+If the service is running, it should return the following:
active
Is it the case that the "rsyslog" service is disabled, masked, or not started.? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: -
-$ sudo yum erase sendmail
+ The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8. + +The rsyslog service can be enabled with the following command: +
$ sudo systemctl enable rsyslog.service
medium 
@@ -56562,25 +56815,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80851-9: Ensure /tmp Located On Separate Partition + CCE-84040-5: Ensure that Users Path Contains Only Local Directories Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The /tmp directory is a world-writable directory used -for temporary file storage. Ensure it has its own partition or -logical volume at installation time, or migrate it using LVM. + Ensure that all interactive user initialization files executable search +path statements do not contain statements that will reference a working +directory other than the users home directory. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. 
- Verify that a separate file system/partition has been created for /tmp with the following command: + Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: -
$ mountpoint /tmp
- Is it the case that "/tmp is not a mountpoint" is returned? +
$ sudo grep -i path= /home/*/.*
+
+/home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
Is it the case that any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The /tmp directory is a world-writable directory used -for temporary file storage. Ensure it has its own partition or -logical volume at installation time, or migrate it using LVM. - low + Ensure that all interactive user initialization files executable search +path statements do not contain statements that will reference a working +directory other than the users home directory. + medium 
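Review bot: in the CCE-84040-5 check, "grep -i path= /home/*/.*" is case-insensitive and unanchored, so it also returns MANPATH=, LD_LIBRARY_PATH= and PYTHONPATH= assignments plus any comment or shell-history line that happens to contain "path=", and the "/home/*/.*" glob picks up the "." and ".." directory entries, which grep reports as "Is a directory"; anchoring on the variable, e.g. "grep -E '^\s*(export\s+)?PATH=' /home/*/.[!.]*", would leave only the lines a reviewer actually has to judge against the home-directory-only requirement. Also, "users home directory" in the added description and fix text should read "user's home directory".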
@@ -56592,39 +56846,45 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-86377-9: Ensure sudo only includes the default configuration directory + CCE-82059-7: Disable CAN Support Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Administrators can configure authorized sudo users via drop-in files, and it is possible to include -other directories and configuration files from the file currently being parsed. + The Controller Area Network (CAN) is a serial communications +protocol which was initially developed for automotive and +is now also used in marine, industrial, and medical applications. -Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, -or that no drop-in file is included. 
-Either the /etc/sudoers should contain only one #includedir directive pointing to -/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; -Or the /etc/sudoers should not contain any #include, -@include, #includedir or @includedir directives. -Note that the '#' character doesn't denote a comment in the configuration file. +To configure the system to prevent the can +kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf: +
install can /bin/true
+ +To configure the system to prevent the can from being used, +add the following line to file /etc/modprobe.d/can.conf: +
blacklist can
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine whether sudo command includes configuration files from the appropriate directory, -run the following command: -
$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d
-If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. -Any other line returned is a finding. Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?? + +If the system is configured to prevent the loading of the can kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + +These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword. + +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +
$ grep -r can /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Administrators can configure authorized sudo users via drop-in files, and it is possible to include -other directories and configuration files from the file currently being parsed. + The Controller Area Network (CAN) is a serial communications +protocol which was initially developed for automotive and +is now also used in marine, industrial, and medical applications. -Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, -or that no drop-in file is included. -Either the /etc/sudoers should contain only one #includedir directive pointing to -/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; -Or the /etc/sudoers should not contain any #include, -@include, #includedir or @includedir directives. -Note that the '#' character doesn't denote a comment in the configuration file. +To configure the system to prevent the can +kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf: +
install can /bin/true
+ +To configure the system to prevent the can from being used, +add the following line to file /etc/modprobe.d/can.conf: +
blacklist can
medium @@ -56637,47 +56897,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83422-6: Ensure invoking users password for privilege escalation when using sudo + CCE-80919-4: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The sudoers security policy requires that users authenticate themselves before they can use sudo. -When sudoers requires authentication, it validates the invoking user's credentials. -The expected output for: -
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
-
 Defaults !targetpw
-      Defaults !rootpw
-      Defaults !runaspw 
-or if cvtsudoers not supported: -
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
-
 /etc/sudoers:Defaults !targetpw
-      /etc/sudoers:Defaults !rootpw
-      /etc/sudoers:Defaults !runaspw 
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: -
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' 
-or if cvtsudoers not supported: -
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
-If no results are returned, this is a finding. -If conflicting results are returned, this is a finding. -If "Defaults !targetpw" is not defined, this is a finding. -If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding. Is it the case that invoke user passwd when using sudo? + The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv4.conf.default.accept_redirects
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The sudoers security policy requires that users authenticate themselves before they can use sudo. -When sudoers requires authentication, it validates the invoking user's credentials. -The expected output for: -
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
-
 Defaults !targetpw
-      Defaults !rootpw
-      Defaults !runaspw 
-or if cvtsudoers not supported: -
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
-
 /etc/sudoers:Defaults !targetpw
-      /etc/sudoers:Defaults !rootpw
-      /etc/sudoers:Defaults !runaspw 
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
medium @@ -56690,19 +56926,39 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82414-4: Uninstall vsftpd Package + CCE-83411-9: Disable graphical user interface Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
+ By removing the following packages, the system no longer has X Windows installed. + +xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland + +If X Windows is not installed then the system cannot boot into graphical user mode. +This prevents the system from being accidentally or maliciously booted into a graphical.target +mode. To do so, run the following command: + +
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the vsftpd package is installed: -
$ rpm -q vsftpd
Is it the case that the package is installed? + To ensure the X Windows package group is removed, run the following command: + +
$ rpm -qi xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+ +For each package mentioned above you should receive following line: +
package <package> is not installed
Is it the case that xorg related packages are not removed and run level is not correctly configured? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
- high + By removing the following packages, the system no longer has X Windows installed. + +xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland + +If X Windows is not installed then the system cannot boot into graphical user mode. +This prevents the system from being accidentally or maliciously booted into a graphical.target +mode. To do so, run the following command: + +
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
+ medium @@ -56714,24 +56970,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84043-9: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive + CCE-85888-6: All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Set the mode of the user initialization files to 0740 with the -following command: -
$ sudo chmod 0740 /home/USER/.INIT_FILE
+ Set the mode on files and directories in the local interactive user home +directory with the following command: +
$ sudo chmod 0750 /home/USER/FILE_DIR
+Files that begin with a "." are excluded from this requirement. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that all user initialization files have a mode of 0740 or -less permissive, run the following command: -
$ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
-There should be no output. Is it the case that they are not 0740 or more permissive? + To verify all files and directories contained in interactive user home +directory, excluding local initialization files, have a mode of 0750, +run the following command: +
$ sudo ls -lLR /home/USER
Is it the case that home directory files or folders have incorrect permissions? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Set the mode of the user initialization files to 0740 with the -following command: -
$ sudo chmod 0740 /home/USER/.INIT_FILE
+ Set the mode on files and directories in the local interactive user home +directory with the following command: +
$ sudo chmod 0750 /home/USER/FILE_DIR
+Files that begin with a "." are excluded from this requirement. medium @@ -56744,51 +57002,41 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80835-2: Disable Modprobe Loading of USB Storage Driver + CCE-82211-4: Disable the use of user namespaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To prevent USB storage devices from being used, configure the kernel module loading system -to prevent automatic loading of the USB storage driver. - -To configure the system to prevent the usb-storage -kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf: -
install usb-storage /bin/true
- -To configure the system to prevent the usb-storage from being used, -add the following line to file /etc/modprobe.d/usb-storage.conf: -
blacklist usb-storage
+ To set the runtime status of the user.max_user_namespaces kernel parameter, +run the following command: +
$ sudo sysctl -w user.max_user_namespaces=0
-This will prevent the modprobe program from loading the usb-storage -module, but will not prevent an administrator (or another program) from using the -insmod program to load the module manually. +To make sure that the setting is persistent, +add the following line to a file in the directory /etc/sysctl.d: +
user.max_user_namespaces = 0
+When containers are deployed on the machine, the value should be set +to large non-zero value. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - -If the system is configured to prevent the loading of the usb-storage kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + Verify that Red Hat Enterprise Linux 8 disables the use of user namespaces with the following commands: -These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword. +Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? +The runtime status of the user.max_user_namespaces kernel parameter can be queried +by running the following command: +
$ sysctl user.max_user_namespaces
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To prevent USB storage devices from being used, configure the kernel module loading system -to prevent automatic loading of the USB storage driver. - -To configure the system to prevent the usb-storage -kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf: -
install usb-storage /bin/true
- -To configure the system to prevent the usb-storage from being used, -add the following line to file /etc/modprobe.d/usb-storage.conf: -
blacklist usb-storage
+ To set the runtime status of the user.max_user_namespaces kernel parameter, +run the following command: +
$ sudo sysctl -w user.max_user_namespaces=0
-This will prevent the modprobe program from loading the usb-storage -module, but will not prevent an administrator (or another program) from using the -insmod program to load the module manually. +To make sure that the setting is persistent, +add the following line to a file in the directory /etc/sysctl.d: +
user.max_user_namespaces = 0
+When containers are deployed on the machine, the value should be set +to large non-zero value. medium @@ -56801,23 +57049,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80917-8: Disable Accepting ICMP Redirects for All IPv4 Interfaces + CCE-82424-3: Verify Permissions on SSH Server Private *_key Key Files Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
+ SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. +If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. +If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv4.conf.all.accept_redirects
-0. - Is it the case that the correct value is not returned? + To check the permissions of /etc/ssh/*_key, +run the command: +
$ ls -l /etc/ssh/*_key
+If properly configured, the output should indicate the following permissions: +-rw------- Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
+ SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. +If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. +If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter. medium @@ -56830,26 +57080,41 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-85877-9: Ensure PAM password complexity module is enabled in password-auth + CCE-80915-2: Restrict Exposed Kernel Pointer Addresses Access Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To enable PAM password complexity in password-auth file: -Edit the password section in -/etc/pam.d/password-auth to show -password requisite pam_pwquality.so. + To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To check if pam_pwquality.so is enabled in password-auth, run the following command: -
$ grep pam_pwquality /etc/pam.d/password-auth
-The output should be similar to the following: -
password requisite pam_pwquality.so
Is it the case that pam_pwquality.so is not enabled in password-auth? + The runtime status of the kernel.kptr_restrict kernel parameter can be queried +by running the following command: +
$ sysctl kernel.kptr_restrict
+The output of the command should indicate either: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 +The output of the command should not indicate: +kernel.kptr_restrict = 0 + +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the
/etc/sysctl.d
directory. +Verify that there is not any existing incorrect configuration by executing the following command: +
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
+The command should not find any assignments other than: +kernel.kptr_restrict = 1 +or: +kernel.kptr_restrict = 2 + +Conflicting assignments are not allowed. Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To enable PAM password complexity in password-auth file: -Edit the password section in -/etc/pam.d/password-auth to show -password requisite pam_pwquality.so. + To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
medium @@ -56862,40 +57127,27 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80841-0: Prevent Login to Accounts With Empty Password + CCE-82859-0: Ensure rsyslog-gnutls is installed Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - If an account is configured for password authentication -but does not have an assigned password, it may be possible to log -into the account without authentication. Remove any instances of the -nullok in - -/etc/pam.d/system-auth and -/etc/pam.d/password-auth + TLS protocol support for rsyslog is installed. -to prevent logins with empty passwords. +The rsyslog-gnutls package can be installed with the following command: +
+$ sudo yum install rsyslog-gnutls
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that null passwords cannot be used, run the following command: - -
$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
- -If this produces any output, it may be possible to log into accounts -with empty passwords. Remove any instances of the nullok option to -prevent logins with empty passwords. Is it the case that NULL passwords can be used? + Run the following command to determine if the rsyslog-gnutls package is installed: +
$ rpm -q rsyslog-gnutls
Is it the case that the package is installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - If an account is configured for password authentication -but does not have an assigned password, it may be possible to log -into the account without authentication. Remove any instances of the -nullok in - -/etc/pam.d/system-auth and -/etc/pam.d/password-auth + TLS protocol support for rsyslog is installed. -to prevent logins with empty passwords. - high +The rsyslog-gnutls package can be installed with the following command: +
+$ sudo yum install rsyslog-gnutls
+ medium @@ -56907,57 +57159,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80873-3: Disable the Automounter + CCE-81037-4: Ensure the Default C Shell Umask is Set Correctly Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The autofs daemon mounts and unmounts filesystems, such as user -home directories shared via NFS, on demand. In addition, autofs can be used to handle -removable media, and the default configuration provides the cdrom device as /misc/cd. -However, this method of providing access to removable media is not common, so autofs -can almost always be disabled if NFS is not in use. Even if NFS is required, it may be -possible to configure filesystem mounts statically by editing /etc/fstab -rather than relying on the automounter. -

- -The autofs service can be disabled with the following command: -
$ sudo systemctl mask --now autofs.service
+ To ensure the default umask for users of the C shell is set properly, +add or correct the umask setting in /etc/csh.cshrc to read as follows: +
umask 
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To check that the autofs service is disabled in system boot configuration, -run the following command: -
$ sudo systemctl is-enabled autofs
-Output should indicate the autofs service has either not been installed, -or has been disabled at all runlevels, as shown in the example below: -
$ sudo systemctl is-enabled autofs
disabled
- -Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: -
$ sudo systemctl is-active autofs
- -If the service is not running the command will return the following output: -
inactive
- -The service will also be masked, to check that the autofs is masked, run the following command: -
$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"
- -If the service is masked the command will return the following outputs: + Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: -
LoadState=masked
+$ grep umask /etc/csh.cshrc -
UnitFileState=masked
Is it the case that the "autofs" is loaded and not masked? +umask 077 +umask 077 Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The autofs daemon mounts and unmounts filesystems, such as user -home directories shared via NFS, on demand. In addition, autofs can be used to handle -removable media, and the default configuration provides the cdrom device as /misc/cd. -However, this method of providing access to removable media is not common, so autofs -can almost always be disabled if NFS is not in use. Even if NFS is required, it may be -possible to configure filesystem mounts statically by editing /etc/fstab -rather than relying on the automounter. -

- -The autofs service can be disabled with the following command: -
$ sudo systemctl mask --now autofs.service
+ To ensure the default umask for users of the C shell is set properly, +add or correct the umask setting in /etc/csh.cshrc to read as follows: +
umask 
medium @@ -56970,24 +57191,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84054-6: Prevent Unrestricted Mail Relaying + CCE-84055-3: Remove Host-Based Authentication Files Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Modify the
/etc/postfix/main.cf
file to restrict client connections -to the local network with the following command: -
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
+ The shosts.equiv file lists remote hosts and users that are trusted by the local +system. To remove these files, run the following command to delete them from any location: +
$ sudo rm /[path]/[to]/[file]/shosts.equiv
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to prevent unrestricted mail relaying, -run the following command: -
$ sudo postconf -n smtpd_client_restrictions
Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"? + Verify that there are no shosts.equiv files on the system, run the following command: +
$ find / -name shosts.equiv
Is it the case that shosts.equiv files exist? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Modify the
/etc/postfix/main.cf
file to restrict client connections -to the local network with the following command: -
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
- medium + The shosts.equiv file lists remote hosts and users that are trusted by the local +system. To remove these files, run the following command to delete them from any location: +
$ sudo rm /[path]/[to]/[file]/shosts.equiv
+ high @@ -56999,17 +57219,21 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80847-7: Ensure rsyslog is Installed + CCE-82998-6: Install firewalld Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
+ The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the rsyslog package is installed:
$ rpm -q rsyslog
Is it the case that the package is not installed? + Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
+ The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
medium @@ -57022,23 +57246,46 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81010-1: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + CCE-80904-6: Enable Use of Strict Mode Checking Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
+ SSHs StrictModes option checks file and ownership permissions in +the user's home directory .ssh folder before accepting login. If world- +writable permissions are found, logon is rejected. +
+The default SSH configuration has StrictModes enabled. The appropriate +configuration is used if no value is set for StrictModes. +
+To explicitly enable StrictModes in SSH, add or correct the following line in + + +/etc/ssh/sshd_config: + +
StrictModes yes
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv6.conf.default.accept_redirects
-0. - Is it the case that the correct value is not returned? + To determine how the SSH daemon's StrictModes option is set, run the following command: + +
$ sudo grep -i StrictModes /etc/ssh/sshd_config
+ +If a line indicating yes is returned, then the required value is set. + Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
+ SSHs StrictModes option checks file and ownership permissions in +the user's home directory .ssh folder before accepting login. If world- +writable permissions are found, logon is rejected. +
+The default SSH configuration has StrictModes enabled. The appropriate +configuration is used if no value is set for StrictModes. +
+To explicitly enable StrictModes in SSH, add or correct the following line in + + +/etc/ssh/sshd_config: + +
StrictModes yes
medium @@ -57051,62 +57298,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84049-6: Configure Multiple DNS Servers in /etc/resolv.conf + CCE-84039-7: User Initialization Files Must Not Run World-Writable Programs Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - -Determine whether the system is using local or DNS name resolution with the + Set the mode on files being executed by the user initialization files with the following command: -
$ sudo grep hosts /etc/nsswitch.conf
-hosts: files dns
-If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" -file, the "/etc/resolv.conf" file must be empty. -Verify the "/etc/resolv.conf" file is empty with the following command: -
$ sudo ls -al /etc/resolv.conf
--rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
-If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, -then verify the following:
- -Multiple Domain Name System (DNS) Servers should be configured -in /etc/resolv.conf. This provides redundant name resolution services -in the event that a domain server crashes. To configure the system to contain -as least 2 DNS servers, add a corresponding nameserver -ip_address entry in /etc/resolv.conf for each DNS -server where ip_address is the IP address of a valid DNS server. -For example: -
search example.com
-nameserver 192.168.0.1
-nameserver 192.168.0.2
+
$ sudo chmod o-w FILE
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that DNS servers have been configured properly, perform the following: -
$ sudo grep nameserver /etc/resolv.conf
Is it the case that less than two lines are returned that are not commented out? + Verify that local initialization files do not execute world-writable programs with the following command: + +Note: The example will be for a system that is configured to create user home directories in the "/home" directory. + +
$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
Is it the case that any local initialization files are found to reference world-writable files? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - -Determine whether the system is using local or DNS name resolution with the + Set the mode on files being executed by the user initialization files with the following command: -
$ sudo grep hosts /etc/nsswitch.conf
-hosts: files dns
-If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" -file, the "/etc/resolv.conf" file must be empty. -Verify the "/etc/resolv.conf" file is empty with the following command: -
$ sudo ls -al /etc/resolv.conf
--rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
-If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, -then verify the following:
- -Multiple Domain Name System (DNS) Servers should be configured -in /etc/resolv.conf. This provides redundant name resolution services -in the event that a domain server crashes. To configure the system to contain -as least 2 DNS servers, add a corresponding nameserver -ip_address entry in /etc/resolv.conf for each DNS -server where ip_address is the IP address of a valid DNS server. -For example: -
search example.com
-nameserver 192.168.0.1
-nameserver 192.168.0.2
+
$ sudo chmod o-w FILE
medium 
@@ -57119,23 +57329,30 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84053-8: Mount Remote Filesystems with nosuid + CCE-85886-0: Ensure All World-Writable Directories Are Group Owned by a System Account Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts. + All directories in local partitions which are +world-writable should be group owned by root or another +system account. If any world-writable directories are not +group owned by a system account, this should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. 
If it is not, this is a finding. - To verify the nosuid option is configured for all NFS mounts, run -the following command: -
$ mount | grep nfs
-All NFS mounts should show the nosuid setting in parentheses. This -is not applicable if NFS is not implemented. Is it the case that the setting does not show? + The following command will discover and print world-writable directories that +are not group owned by a system account, given the assumption that only system +accounts have a gid lower than 1000. Run it once for each local partition PART: +
$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print
Is it the case that there is output? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of -any NFS mounts. + All directories in local partitions which are +world-writable should be group owned by root or another +system account. If any world-writable directories are not +group owned by a system account, this should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. medium 
@@ -57148,49 +57365,25 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84028-0: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + CCE-82730-3: Ensure /var/tmp Located On Separate Partition Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - By default, GNOME will reboot the system if the -Ctrl-Alt-Del key sequence is pressed. -

-To configure the system to ignore the Ctrl-Alt-Del key sequence -from the Graphical User Interface (GUI) instead of rebooting the system, -add or set logout to '' in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/settings-daemon/plugins/media-keys]
-logout=''
-Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent -user modification. For example: -
/org/gnome/settings-daemon/plugins/media-keys/logout
-After the settings have been set, run dconf update. + The /var/tmp directory is a world-writable directory used +for temporary file storage. Ensure it has its own partition or +logical volume at installation time, or migrate it using LVM. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, -run the following command: -
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
-
$ grep logout /etc/dconf/db/local.d/locks/*
-If properly configured, the output should be -/org/gnome/settings-daemon/plugins/media-keys/logout Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - By default, GNOME will reboot the system if the -Ctrl-Alt-Del key sequence is pressed. -

-To configure the system to ignore the Ctrl-Alt-Del key sequence -from the Graphical User Interface (GUI) instead of rebooting the system, -add or set logout to '' in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/settings-daemon/plugins/media-keys]
-logout=''
-Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent -user modification. For example: -
/org/gnome/settings-daemon/plugins/media-keys/logout
-After the settings have been set, run dconf update. - high + Verify that a separate file system/partition has been created for /var/tmp with the following command: + +
$ mountpoint /var/tmp
+ Is it the case that "/var/tmp is not a mountpoint" is returned? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + The /var/tmp directory is a world-writable directory used +for temporary file storage. Ensure it has its own partition or +logical volume at installation time, or migrate it using LVM. + medium 
@@ -57202,45 +57395,19 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80946-7: Disable vsyscalls + CCE-82436-7: Uninstall tftp-server Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To disable use of virtual syscalls, -add the argument vsyscall=none to the default -GRUB 2 command line for the Linux operating system. -To ensure that vsyscall=none is added as a kernel command line -argument to newly installed kernels, add vsyscall=none to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
+ The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes vsyscall=none, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*vsyscall=none.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*vsyscall=none.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none'
-The command should not return any output. Is it the case that vsyscalls are enabled? + Run the following command to determine if the tftp-server package is installed: +
$ rpm -q tftp-server
Is it the case that the package is installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To disable use of virtual syscalls, -add the argument vsyscall=none to the default -GRUB 2 command line for the Linux operating system. -To ensure that vsyscall=none is added as a kernel command line -argument to newly installed kernels, add vsyscall=none to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
- medium + The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
+ high @@ -57287,87 +57454,47 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80865-9: Ensure Software Patches Installed + CCE-80834-5: Disable SCTP Support Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - -If the system is joined to the Red Hat Network, a Red Hat Satellite Server, -or a yum server, run the following command to install updates: -
$ sudo yum update
-If the system is not configured to use one of these sources, updates (in the form of RPM packages) -can be manually downloaded from the Red Hat Network and installed using rpm. + The Stream Control Transmission Protocol (SCTP) is a +transport layer protocol, designed to support the idea of +message-oriented communication, with several streams of messages +within one connection. -

-NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy -dictates. +To configure the system to prevent the sctp +kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: +
install sctp /bin/true
+ +To configure the system to prevent the sctp from being used, +add the following line to file /etc/modprobe.d/sctp.conf: +
blacklist sctp
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify Red Hat Enterprise Linux 8 security patches and updates are installed and up to date. -Updates are required to be applied with a frequency determined by organizational policy. - - -Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. -It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. - - -Check that the available package security updates have been installed on the system with the following command: - -$ sudo yum history list | more - -Loaded plugins: langpacks, product-id, subscription-manager -ID | Command line | Date and time | Action(s) | Altered -------------------------------------------------------------------------------- -70 | install aide | 2020-03-05 10:58 | Install | 1 -69 | update -y | 2020-03-04 14:34 | Update | 18 EE -68 | install vlc | 2020-02-21 17:12 | Install | 21 -67 | update -y | 2020-02-21 17:04 | Update | 7 EE - - -Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. Is it the case that Red Hat Enterprise Linux 8 is in non-compliance with the organizational patching policy? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. -If the system is joined to the Red Hat Network, a Red Hat Satellite Server, -or a yum server, run the following command to install updates: -
$ sudo yum update
-If the system is not configured to use one of these sources, updates (in the form of RPM packages) -can be manually downloaded from the Red Hat Network and installed using rpm. - -

-NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy -dictates. - medium - - - - +If the system is configured to prevent the loading of the sctp kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. +These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. - CCE-82233-8: Include Local Events in Audit Logs +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + The Stream Control Transmission Protocol (SCTP) is a +transport layer protocol, designed to support the idea of +message-oriented communication, with several streams of messages +within one connection. - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. +To configure the system to prevent the sctp +kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: +
install sctp /bin/true
-Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To configure Audit daemon to include local events in Audit logs, set -local_events to yes in /etc/audit/auditd.conf. -This is the default setting. - Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that Audit Daemon is configured to include local events, run the -following command: -
$ sudo grep local_events /etc/audit/auditd.conf
-The output should return the following: -
local_events = yes
Is it the case that local_events isn't set to yes? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To configure Audit daemon to include local events in Audit logs, set -local_events to yes in /etc/audit/auditd.conf. -This is the default setting. +To configure the system to prevent the sctp from being used, +add the following line to file /etc/modprobe.d/sctp.conf: +
blacklist sctp
medium @@ -57380,36 +57507,32 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80901-2: Disable SSH Root Login + CCE-86534-5: All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The root user should never be allowed to login to a -system directly over a network. -To disable root login via SSH, add or correct the following line in - - -/etc/ssh/sshd_config: + Change the group of a local interactive users files and directories to a +group that the interactive user is a member of. To change the group owner of a +local interactive users files and directories, use the following command: +
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
-
PermitRootLogin no
+This rule ensures every file or directory under the home directory related +to an interactive user is group-owned by an interactive user. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's PermitRootLogin option is set, run the following command: - -
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
- -If a line indicating no is returned, then the required value is set. - Is it the case that the required value is not set? + To verify all files and directories in interactive user home directory are +group-owned by a group the user is a member of, run the +following command: +
$ sudo ls -lLR /home/USER
Is it the case that the group ownership is incorrect? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The root user should never be allowed to login to a -system directly over a network. -To disable root login via SSH, add or correct the following line in - - -/etc/ssh/sshd_config: + Change the group of a local interactive users files and directories to a +group that the interactive user is a member of. To change the group owner of a +local interactive users files and directories, use the following command: +
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
-
PermitRootLogin no
+This rule ensures every file or directory under the home directory related +to an interactive user is group-owned by an interactive user. medium @@ -57422,22 +57545,33 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82904-4: Uninstall tuned Package + CCE-83380-6: Disable X Windows Startup By Setting Default Target Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The tuned package can be removed with the following command: -
-$ sudo yum erase tuned
+ Systems that do not require a graphical user interface should only boot by +default into multi-user.target mode. This prevents accidental booting of the system +into a graphical.target mode. Setting the system's default target to +multi-user.target will prevent automatic startup of the X server. To do so, run: +
$ systemctl set-default multi-user.target
+You should see the following output: +
Removed symlink /etc/systemd/system/default.target.
+Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the tuned package is installed: -
$ rpm -q tuned
Is it the case that the package is installed? + Verify that Red Hat Enterprise Linux 8 is configured to boot to the command line: +
$ systemctl get-default
+
multi-user.target
Is it the case that the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The tuned package can be removed with the following command: -
-$ sudo yum erase tuned
+ Systems that do not require a graphical user interface should only boot by +default into multi-user.target mode. This prevents accidental booting of the system +into a graphical.target mode. Setting the system's default target to +multi-user.target will prevent automatic startup of the X server. To do so, run: +
$ systemctl set-default multi-user.target
+You should see the following output: +
Removed symlink /etc/systemd/system/default.target.
+Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
medium @@ -57450,34 +57584,24 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80784-2: Disable Ctrl-Alt-Del Burst Action + CCE-80917-8: Disable Accepting ICMP Redirects for All IPv4 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. -

-To configure the system to ignore the CtrlAltDelBurstAction - -setting, add or modify the following to /etc/systemd/system.conf: -
CtrlAltDelBurstAction=none
+ To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To ensure the system is configured to ignore the Ctrl-Alt-Del setting, -enter the following command: -
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
-The output should return: -
CtrlAltDelBurstAction=none
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? + The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv4.conf.all.accept_redirects
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. -

-To configure the system to ignore the CtrlAltDelBurstAction - -setting, add or modify the following to /etc/systemd/system.conf: -
CtrlAltDelBurstAction=none
- high + To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
+ medium @@ -57489,41 +57613,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81021-8: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + CCE-85877-9: Ensure PAM password complexity module is enabled in password-auth Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
+ To enable PAM password complexity in password-auth file: +Edit the password section in +/etc/pam.d/password-auth to show +password requisite pam_pwquality.so. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried -by running the following command: -
$ sysctl net.ipv4.conf.all.rp_filter
-The output of the command should indicate either: -net.ipv4.conf.all.rp_filter = 1 -or: -net.ipv4.conf.all.rp_filter = 2 -The output of the command should not indicate: -net.ipv4.conf.all.rp_filter = 0 - -The preferable way how to assure the runtime compliance is to have -correct persistent configuration, and rebooting the system. - -The persistent sysctl parameter configuration is performed by specifying the appropriate -assignment in any file located in the
/etc/sysctl.d
directory. -Verify that there is not any existing incorrect configuration by executing the following command: -
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
-The command should not find any assignments other than: -net.ipv4.conf.all.rp_filter = 1 -or: -net.ipv4.conf.all.rp_filter = 2 - -Conflicting assignments are not allowed. Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? + To check if pam_pwquality.so is enabled in password-auth, run the following command: +
$ grep pam_pwquality /etc/pam.d/password-auth
+The output should be similar to the following: +
password requisite pam_pwquality.so
Is it the case that pam_pwquality.so is not enabled in password-auth? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
+ To enable PAM password complexity in password-auth file: +Edit the password section in +/etc/pam.d/password-auth to show +password requisite pam_pwquality.so. medium @@ -57536,58 +57645,47 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82251-0: Disable core dump backtraces + CCE-80878-2: Disable KDump Kernel Crash Analyzer (kdump) Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The ProcessSizeMax option in [Coredump] section -of /etc/systemd/coredump.conf -specifies the maximum size in bytes of a core which will be processed. -Core dumps exceeding this size may be stored, but the backtrace will not -be generated. + The kdump service provides a kernel crash dump analyzer. It uses the kexec +system call to boot a secondary kernel ("capture" kernel) following a system +crash, which can load information from the crashed kernel for analysis. + +The kdump service can be disabled with the following command: +
$ sudo systemctl mask --now kdump.service
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command: + To check that the kdump service is disabled in system boot configuration, +run the following command: +
$ sudo systemctl is-enabled kdump
+Output should indicate the kdump service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +
$ sudo systemctl is-enabled kdump
disabled
-
$ grep -i process /etc/systemd/coredump.conf
+Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration:
+
$ sudo systemctl is-active kdump
-ProcessSizeMax=0
Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The ProcessSizeMax option in [Coredump] section -of /etc/systemd/coredump.conf -specifies the maximum size in bytes of a core which will be processed. -Core dumps exceeding this size may be stored, but the backtrace will not -be generated. - medium - - - - +If the service is not running the command will return the following output: +
inactive
- - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. +The service will also be masked, to check that the kdump is masked, run the following command: +
$ sudo systemctl show kdump | grep "LoadState\|UnitFileState"
- CCE-82934-1: Harden the operation of the BPF just-in-time compiler +If the service is masked the command will return the following outputs: - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. +
LoadState=masked
-Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
- Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried -by running the following command: -
$ sysctl net.core.bpf_jit_harden
-2. - Is it the case that the correct value is not returned? +
UnitFileState=masked
Is it the case that the "kdump" is loaded and not masked? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
+ The kdump service provides a kernel crash dump analyzer. It uses the kexec +system call to boot a secondary kernel ("capture" kernel) following a system +crash, which can load information from the crashed kernel for analysis. + +The kdump service can be disabled with the following command: +
$ sudo systemctl mask --now kdump.service
medium @@ -57600,32 +57698,27 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-86534-5: All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group + CCE-80890-7: Set Default firewalld Zone for Incoming Packets Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Change the group of a local interactive users files and directories to a -group that the interactive user is a member of. To change the group owner of a -local interactive users files and directories, use the following command: -
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
- -This rule ensures every file or directory under the home directory related -to an interactive user is group-owned by an interactive user. + To set the default zone to drop for +the built-in default zone which processes incoming IPv4 and IPv6 packets, +modify the following line in +/etc/firewalld/firewalld.conf to be: +
DefaultZone=drop
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify all files and directories in interactive user home directory are -group-owned by a group the user is a member of, run the -following command: -
$ sudo ls -lLR /home/USER
Is it the case that the group ownership is incorrect? + Inspect the file /etc/firewalld/firewalld.conf to determine +the default zone for the firewalld. It should be set to DefaultZone=drop: +
$ sudo grep DefaultZone /etc/firewalld/firewalld.conf
Is it the case that the default zone is not set to DROP? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Change the group of a local interactive users files and directories to a -group that the interactive user is a member of. To change the group owner of a -local interactive users files and directories, use the following command: -
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
- -This rule ensures every file or directory under the home directory related -to an interactive user is group-owned by an interactive user. + To set the default zone to drop for +the built-in default zone which processes incoming IPv4 and IPv6 packets, +modify the following line in +/etc/firewalld/firewalld.conf to be: +
DefaultZone=drop
medium @@ -57638,46 +57731,40 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82059-7: Disable CAN Support + CCE-80841-0: Prevent Login to Accounts With Empty Password Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The Controller Area Network (CAN) is a serial communications -protocol which was initially developed for automotive and -is now also used in marine, industrial, and medical applications. + If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Remove any instances of the +nullok in -To configure the system to prevent the can -kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf: -
install can /bin/true
+/etc/pam.d/system-auth and +/etc/pam.d/password-auth -To configure the system to prevent the can from being used, -add the following line to file /etc/modprobe.d/can.conf: -
blacklist can
+to prevent logins with empty passwords. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - -If the system is configured to prevent the loading of the can kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. + To verify that null passwords cannot be used, run the following command: -These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword. +
$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r can /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? +If this produces any output, it may be possible to log into accounts +with empty passwords. Remove any instances of the nullok option to +prevent logins with empty passwords. Is it the case that NULL passwords can be used? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The Controller Area Network (CAN) is a serial communications -protocol which was initially developed for automotive and -is now also used in marine, industrial, and medical applications. + If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Remove any instances of the +nullok in -To configure the system to prevent the can -kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf: -
install can /bin/true
+/etc/pam.d/system-auth and +/etc/pam.d/password-auth -To configure the system to prevent the can from being used, -add the following line to file /etc/modprobe.d/can.conf: -
blacklist can
- medium +to prevent logins with empty passwords. + high @@ -57689,23 +57776,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80918-6: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + CCE-80952-5: Disable Kernel Image Loading Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
+ To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried + The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried by running the following command: -
$ sysctl net.ipv4.conf.all.send_redirects
-0. +
$ sysctl kernel.kexec_load_disabled
+1. Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
+ To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1
medium @@ -57718,46 +57805,44 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80904-6: Enable Use of Strict Mode Checking + CCE-80898-0: Disable Kerberos Authentication Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - SSHs StrictModes option checks file and ownership permissions in -the user's home directory .ssh folder before accepting login. If world- -writable permissions are found, logon is rejected. + Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like Kerberos.
-The default SSH configuration has StrictModes enabled. The appropriate -configuration is used if no value is set for StrictModes. +The default SSH configuration disallows authentication validation through Kerberos. +The appropriate configuration is used if no value is set for KerberosAuthentication.
-To explicitly enable StrictModes in SSH, add or correct the following line in +To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config: -
StrictModes yes
+
KerberosAuthentication no
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's StrictModes option is set, run the following command: + To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: -
$ sudo grep -i StrictModes /etc/ssh/sshd_config
+
$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
-If a line indicating yes is returned, then the required value is set. +If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - SSHs StrictModes option checks file and ownership permissions in -the user's home directory .ssh folder before accepting login. If world- -writable permissions are found, logon is rejected. + Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like Kerberos.
-The default SSH configuration has StrictModes enabled. The appropriate -configuration is used if no value is set for StrictModes. +The default SSH configuration disallows authentication validation through Kerberos. +The appropriate configuration is used if no value is set for KerberosAuthentication.
-To explicitly enable StrictModes in SSH, add or correct the following line in +To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config: -
StrictModes yes
+
KerberosAuthentication no
medium @@ -57770,39 +57855,28 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82434-2: Ensure tftp Daemon Uses Secure Mode + CCE-82881-4: Disable acquiring, saving, and processing core dumps Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - If running the Trivial File Transfer Protocol (TFTP) service is necessary, -it should be configured to change its root directory at startup. To do so, -ensure /etc/xinetd.d/tftp includes -s as a command line argument, -as shown in the following example: -
server_args = -s 
+ The systemd-coredump.socket unit is a socket activation of +the systemd-coredump@.service which processes core dumps. +By masking the unit, core dump processing is disabled. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify the TFTP daemon is configured to operate in secure mode. - -Check if a TFTP server is installed with the following command: - -
$ rpm -qa | grep tftp
- - -If a TFTP server is not installed, this is Not Applicable. -

- -If a TFTP server is installed, verify TFTP is configured by with -the -s option by running the following command: - -
grep "server_args" /etc/xinetd.d/tftp
-
server_args = -s 
Is it the case that '"server_args" line does not have a "-s" option, and a subdirectory is not assigned'? + To verify that acquiring, saving, and processing core dumps is disabled, run the +following command: +
$ systemctl status systemd-coredump.socket
+The output should be similar to: +
● systemd-coredump.socket
+   Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
+   Active: inactive (dead) ...
+
Is it the case that unit systemd-coredump.socket is not masked or running? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - If running the Trivial File Transfer Protocol (TFTP) service is necessary, -it should be configured to change its root directory at startup. To do so, -ensure /etc/xinetd.d/tftp includes -s as a command line argument, -as shown in the following example: -
server_args = -s 
+ The systemd-coredump.socket unit is a socket activation of +the systemd-coredump@.service which processes core dumps. +By masking the unit, core dump processing is disabled. medium @@ -57815,48 +57889,42 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83360-8: Disable X11 Forwarding + CCE-82281-7: Enable SSH Print Last Log Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The X11Forwarding parameter provides the ability to tunnel X11 traffic -through the connection to enable remote graphic connections. -SSH has the capability to encrypt remote X11 connections when SSH's -X11Forwarding option is enabled. -
-The default SSH configuration disables X11Forwarding. The appropriate -configuration is used if no value is set for X11Forwarding. -
-To explicitly disable X11 Forwarding, add or correct the following line in + Ensure that SSH will display the date and time of the last successful account logon. +
+The default SSH configuration enables print of the date and time of the last login. +The appropriate configuration is used if no value is set for PrintLastLog. +
+To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config: -
X11Forwarding no
+
PrintLastLog yes
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's X11Forwarding option is set, run the following command: + To determine how the SSH daemon's PrintLastLog option is set, run the following command: -
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
+
$ sudo grep -i PrintLastLog /etc/ssh/sshd_config
-If a line indicating no is returned, then the required value is set. +If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The X11Forwarding parameter provides the ability to tunnel X11 traffic -through the connection to enable remote graphic connections. -SSH has the capability to encrypt remote X11 connections when SSH's -X11Forwarding option is enabled. -
-The default SSH configuration disables X11Forwarding. The appropriate -configuration is used if no value is set for X11Forwarding. -
-To explicitly disable X11 Forwarding, add or correct the following line in + Ensure that SSH will display the date and time of the last successful account logon. +
+The default SSH configuration enables print of the date and time of the last login. +The appropriate configuration is used if no value is set for PrintLastLog. +
+To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config: -
X11Forwarding no
+
PrintLastLog yes
medium @@ -57869,30 +57937,28 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83789-8: Ensure Home Directories are Created for New Users + CCE-80859-2: Ensure cron Is Logging To Rsyslog Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - All local interactive user accounts, upon creation, should be assigned a home directory. -

-Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME -parameter in /etc/login.defs to yes as follows: -

-
CREATE_HOME yes
+ Cron logging must be implemented to spot intrusions or trace +cron job status. If cron is not logging to rsyslog, it +can be implemented by adding the following to the RULES section of +/etc/rsyslog.conf: +
cron.*                                                  /var/log/cron
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify all local interactive users on Red Hat Enterprise Linux 8 are assigned a home -directory upon creation with the following command: -
$ grep -i create_home /etc/login.defs
-
CREATE_HOME yes
Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out? + Verify that cron is logging to rsyslog, +run the following command: +
grep -rni "cron\.\*" /etc/rsyslog.*
+
cron.*                                                  /var/log/cron
Is it the case that cron is not logging to rsyslog? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - All local interactive user accounts, upon creation, should be assigned a home directory. -

-Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME -parameter in /etc/login.defs to yes as follows: -

-
CREATE_HOME yes
+ Cron logging must be implemented to spot intrusions or trace +cron job status. If cron is not logging to rsyslog, it +can be implemented by adding the following to the RULES section of +/etc/rsyslog.conf: +
cron.*                                                  /var/log/cron
medium @@ -57905,24 +57971,37 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80852-7: Ensure /var Located On Separate Partition + CCE-83733-6: Configure AIDE to Verify Extended Attributes Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The /var directory is used by daemons and other system -services to store frequently-changing data. Ensure that /var has its own partition -or logical volume at installation time, or migrate it using LVM. + By default, the xattrs option is added to the FIPSR ruleset in AIDE. +If using a custom ruleset or the xattrs option is missing, add xattrs +to the appropriate ruleset. +For example, add xattrs to the following line in /etc/aide.conf: +
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+AIDE rules can be configured in multiple ways; this is merely one example that is already +configured by default. + +The remediation provided with this rule adds xattrs to all rule sets available in +/etc/aide.conf Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that a separate file system/partition has been created for /var with the following command: - -
$ mountpoint /var
- Is it the case that "/var is not a mountpoint" is returned? + To determine that AIDE is verifying extended file attributes, run the following command: +
$ grep xattrs /etc/aide.conf
+Verify that the xattrs option is added to the correct ruleset. Is it the case that the xattrs option is missing or not added to the correct ruleset? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The /var directory is used by daemons and other system -services to store frequently-changing data. Ensure that /var has its own partition -or logical volume at installation time, or migrate it using LVM. + By default, the xattrs option is added to the FIPSR ruleset in AIDE. +If using a custom ruleset or the xattrs option is missing, add xattrs +to the appropriate ruleset. +For example, add xattrs to the following line in /etc/aide.conf: +
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+AIDE rules can be configured in multiple ways; this is merely one example that is already +configured by default. + +The remediation provided with this rule adds xattrs to all rule sets available in +/etc/aide.conf low @@ -57935,22 +58014,29 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82976-2: Install policycoreutils Package + CCE-82283-3: Ensure System is Not Acting as a Network Sniffer Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The policycoreutils package can be installed with the following command: -
-$ sudo yum install policycoreutils
+ The system should not be acting as a network sniffer, which can +capture all traffic on the network to which it is connected. Run the following +to determine if any interface is running in promiscuous mode: +
$ ip link | grep PROMISC
+Promiscuous mode of an interface can be disabled with the following command: +
$ sudo ip link set dev device_name multicast off promisc off
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the policycoreutils package is installed:
$ rpm -q policycoreutils
Is it the case that the policycoreutils package is not installed? + Verify that Promiscuous mode of an interface is disabled, run the following command: +
$ ip link | grep PROMISC
Is it the case that any network device is in promiscuous mode? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The policycoreutils package can be installed with the following command: -
-$ sudo yum install policycoreutils
- low + The system should not be acting as a network sniffer, which can +capture all traffic on the network to which it is connected. Run the following +to determine if any interface is running in promiscuous mode: +
$ ip link | grep PROMISC
+Promiscuous mode of an interface can be disabled with the following command: +
$ sudo ip link set dev device_name multicast off promisc off
+ medium @@ -57962,21 +58048,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-88248-0: Enable authselect + CCE-81011-9: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Configure user authentication setup to use the authselect tool. -If authselect profile is selected, the rule will enable the profile. + To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that authselect is enabled by running -
authselect current
-If authselect is enabled on the system, the output should show the ID of the profile which is currently in use. Is it the case that authselect is not used to manage user authentication setup on the system? + The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv4.conf.all.accept_source_route
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Configure user authentication setup to use the authselect tool. -If authselect profile is selected, the rule will enable the profile. + To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
medium @@ -57989,31 +58077,40 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81050-7: Add nosuid Option to /home + CCE-83499-4: Ensure All Files Are Owned by a User Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The nosuid mount option can be used to prevent -execution of setuid programs in /home. The SUID and SGID permissions -should not be required in these user data directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. + If any files are not owned by a user, then the +cause of their lack of ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate user. The following command will discover and print +any files on local partitions which do not belong to a valid user: +
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
+To search all filesystems on a system including network mounted +filesystems the following command can be run manually for each partition: +
$ sudo find PARTITION -xdev -nouser
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify the nosuid option is configured for the /home mount point, - run the following command: -
$ sudo mount | grep '\s/home\s'
-
. . . /home . . . nosuid . . .
- Is it the case that the "/home" file system does not have the "nosuid" option set? + The following command will discover and print any +files on local partitions which do not belong to a valid user. +
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
+

+Either remove all files and directories from the system that do not have a +valid user, or assign a valid user to all unowned files and directories on +the system with the chown command: +
$ sudo chown user file
Is it the case that files exist that are not owned by a valid user? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The nosuid mount option can be used to prevent -execution of setuid programs in /home. The SUID and SGID permissions -should not be required in these user data directories. -Add the nosuid option to the fourth column of -/etc/fstab for the line which controls mounting of -/home. + If any files are not owned by a user, then the +cause of their lack of ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate user. The following command will discover and print +any files on local partitions which do not belong to a valid user: +
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
+To search all filesystems on a system including network mounted +filesystems the following command can be run manually for each partition: +
$ sudo find PARTITION -xdev -nouser
medium @@ -58026,22 +58123,48 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82946-5: Uninstall iprutils Package + CCE-83360-8: Disable X11 Forwarding Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The iprutils package can be removed with the following command: -
-$ sudo yum erase iprutils
+ The X11Forwarding parameter provides the ability to tunnel X11 traffic +through the connection to enable remote graphic connections. +SSH has the capability to encrypt remote X11 connections when SSH's +X11Forwarding option is enabled. +
+The default SSH configuration disables X11Forwarding. The appropriate +configuration is used if no value is set for X11Forwarding. +
+To explicitly disable X11 Forwarding, add or correct the following line in + + +/etc/ssh/sshd_config: + +
X11Forwarding no
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the iprutils package is installed: -
$ rpm -q iprutils
Is it the case that the package is installed? + To determine how the SSH daemon's X11Forwarding option is set, run the following command: + +
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
+ +If a line indicating no is returned, then the required value is set. + Is it the case that the required value is not set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The iprutils package can be removed with the following command: -
-$ sudo yum erase iprutils
+ The X11Forwarding parameter provides the ability to tunnel X11 traffic +through the connection to enable remote graphic connections. +SSH has the capability to encrypt remote X11 connections when SSH's +X11Forwarding option is enabled. +
+The default SSH configuration disables X11Forwarding. The appropriate +configuration is used if no value is set for X11Forwarding. +
+To explicitly disable X11 Forwarding, add or correct the following line in + + +/etc/ssh/sshd_config: + +
X11Forwarding no
medium @@ -58054,23 +58177,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80919-4: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + CCE-80877-4: Verify firewalld Enabled Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
+ +The firewalld service can be enabled with the following command: +
$ sudo systemctl enable firewalld.service
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv4.conf.default.accept_redirects
-0. - Is it the case that the correct value is not returned? + + +Run the following command to determine the current status of the +firewalld service: +
$ sudo systemctl is-active firewalld
+If the service is running, it should return the following:
active
Is it the case that the "firewalld" service is disabled, masked, or not started.? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
+ +The firewalld service can be enabled with the following command: +
$ sudo systemctl enable firewalld.service
medium @@ -58083,22 +58209,29 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82943-2: Uninstall gssproxy Package + CCE-83424-2: All Interactive Users Home Directories Must Exist Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The gssproxy package can be removed with the following command: -
-$ sudo yum erase gssproxy
+ Create home directories to all local interactive users that currently do not +have a home directory assigned. Use the following commands to create the user +home directory assigned in /etc/passwd: +
$ sudo mkdir /home/USER
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Run the following command to determine if the gssproxy package is installed: -
$ rpm -q gssproxy
Is it the case that the package is installed? + Verify the assigned home directories of all interactive users on the system exist with the following command: + +
$ sudo pwck -r
+
+user 'mailnull': directory 'var/spool/mqueue' does not exist
+ +The output should not return any interactive users. Is it the case that users home directory does not exist? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The gssproxy package can be removed with the following command: -
-$ sudo yum erase gssproxy
+ Create home directories to all local interactive users that currently do not +have a home directory assigned. Use the following commands to create the user +home directory assigned in /etc/passwd: +
$ sudo mkdir /home/USER
medium @@ -58111,39 +58244,39 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83497-8: Ensure All Files Are Owned by a Group + CCE-82434-2: Ensure tftp Daemon Uses Secure Mode Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - If any files are not owned by a group, then the -cause of their lack of group-ownership should be investigated. -Following this, the files should be deleted or assigned to an -appropriate group. The following command will discover and print -any files on local partitions which do not belong to a valid group: -
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
-To search all filesystems on a system including network mounted -filesystems the following command can be run manually for each partition: -
$ sudo find PARTITION -xdev -nogroup
+ If running the Trivial File Transfer Protocol (TFTP) service is necessary, +it should be configured to change its root directory at startup. To do so, +ensure /etc/xinetd.d/tftp includes -s as a command line argument, +as shown in the following example: +
server_args = -s 
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The following command will discover and print any -files on local partitions which do not belong to a valid group. -
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
-
-Either remove all files and directories from the system that do not have a valid group, -or assign a valid group with the chgrp command: -
$ sudo chgrp group file
Is it the case that there is output? + Verify the TFTP daemon is configured to operate in secure mode. + +Check if a TFTP server is installed with the following command: + +
$ rpm -qa | grep tftp
+ + +If a TFTP server is not installed, this is Not Applicable. +

+ +If a TFTP server is installed, verify TFTP is configured by with +the -s option by running the following command: + +
grep "server_args" /etc/xinetd.d/tftp
+
server_args = -s 
Is it the case that '"server_args" line does not have a "-s" option, and a subdirectory is not assigned'? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - If any files are not owned by a group, then the -cause of their lack of group-ownership should be investigated. -Following this, the files should be deleted or assigned to an -appropriate group. The following command will discover and print -any files on local partitions which do not belong to a valid group: -
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
-To search all filesystems on a system including network mounted -filesystems the following command can be run manually for each partition: -
$ sudo find PARTITION -xdev -nogroup
+ If running the Trivial File Transfer Protocol (TFTP) service is necessary, +it should be configured to change its root directory at startup. To do so, +ensure /etc/xinetd.d/tftp includes -s as a command line argument, +as shown in the following example: +
server_args = -s 
medium @@ -58156,30 +58289,24 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80788-3: Ensure PAM Displays Last Logon/Access Notification + CCE-81006-9: Configure Accepting Router Advertisements on All IPv6 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To configure the system to notify users of last logon/access using pam_lastlog, -add or correct the pam_lastlog settings in /etc/pam.d/postlogin -to include showfailed option, such as: -
session     [default=1]    pam_lastlog.so showfailed
-And make sure that the silent option is not set for this specific line. + To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify users are provided with feedback on when account accesses last occurred with the following command: - -
$ sudo grep pam_lastlog /etc/pam.d/postlogin
-
-session [default=1] pam_lastlog.so showfailed
Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file? + The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv6.conf.all.accept_ra
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To configure the system to notify users of last logon/access using pam_lastlog, -add or correct the pam_lastlog settings in /etc/pam.d/postlogin -to include showfailed option, such as: -
session     [default=1]    pam_lastlog.so showfailed
-And make sure that the silent option is not set for this specific line. - low + To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
+ medium @@ -58191,30 +58318,57 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-85886-0: Ensure All World-Writable Directories Are Group Owned by a System Account + CCE-80876-6: Disable debug-shell SystemD Service Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - All directories in local partitions which are -world-writable should be group owned by root or another -system account. If any world-writable directories are not -group owned by a system account, this should be investigated. -Following this, the files should be deleted or assigned to an -appropriate group. + SystemD's debug-shell service is intended to +diagnose SystemD related boot issues with various systemctl +commands. Once enabled and following a system reboot, the root shell +will be available on tty9 which is access by pressing +CTRL-ALT-F9. The debug-shell service should only be used +for SystemD related issues and should otherwise be disabled. +

+By default, the debug-shell SystemD service is already disabled. + +The debug-shell service can be disabled with the following command: +
$ sudo systemctl mask --now debug-shell.service
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The following command will discover and print world-writable directories that -are not group owned by a system account, given the assumption that only system -accounts have a gid lower than 1000. Run it once for each local partition PART: -
$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print
Is it the case that there is output? + To check that the debug-shell service is disabled in system boot configuration, +run the following command: +
$ sudo systemctl is-enabled debug-shell
+Output should indicate the debug-shell service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +
$ sudo systemctl is-enabled debug-shell
disabled
+ +Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration: +
$ sudo systemctl is-active debug-shell
+ +If the service is not running the command will return the following output: +
inactive
+ +The service will also be masked, to check that the debug-shell is masked, run the following command: +
$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState"
+ +If the service is masked the command will return the following outputs: + +
LoadState=masked
+ +
UnitFileState=masked
Is it the case that the "debug-shell" is loaded and not masked? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - All directories in local partitions which are -world-writable should be group owned by root or another -system account. If any world-writable directories are not -group owned by a system account, this should be investigated. -Following this, the files should be deleted or assigned to an -appropriate group. + SystemD's debug-shell service is intended to +diagnose SystemD related boot issues with various systemctl +commands. Once enabled and following a system reboot, the root shell +will be available on tty9 which is access by pressing +CTRL-ALT-F9. The debug-shell service should only be used +for SystemD related issues and should otherwise be disabled. +

+By default, the debug-shell SystemD service is already disabled. + +The debug-shell service can be disabled with the following command: +
$ sudo systemctl mask --now debug-shell.service
medium @@ -58227,24 +58381,49 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81015-0: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default + CCE-84028-0: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
+ By default, GNOME will reboot the system if the +Ctrl-Alt-Del key sequence is pressed. +

+To configure the system to ignore the Ctrl-Alt-Del key sequence +from the Graphical User Interface (GUI) instead of rebooting the system, +add or set logout to '' in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/settings-daemon/plugins/media-keys]
+logout=''
+Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent +user modification. For example: +
/org/gnome/settings-daemon/plugins/media-keys/logout
+After the settings have been set, run dconf update. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried -by running the following command: -
$ sysctl net.ipv6.conf.default.accept_source_route
-0. - Is it the case that the correct value is not returned? + To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, +run the following command: +
$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
+
$ grep logout /etc/dconf/db/local.d/locks/*
+If properly configured, the output should be +/org/gnome/settings-daemon/plugins/media-keys/logout Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
- medium + By default, GNOME will reboot the system if the +Ctrl-Alt-Del key sequence is pressed. +

+To configure the system to ignore the Ctrl-Alt-Del key sequence +from the Graphical User Interface (GUI) instead of rebooting the system, +add or set logout to '' in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/settings-daemon/plugins/media-keys]
+logout=''
+Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent +user modification. For example: +
/org/gnome/settings-daemon/plugins/media-keys/logout
+After the settings have been set, run dconf update. + high @@ -58256,27 +58435,47 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81036-6: Ensure the Default Bash Umask is Set Correctly + CCE-83422-6: Ensure invoking users password for privilege escalation when using sudo Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To ensure the default umask for users of the Bash shell is set properly, -add or correct the umask setting in /etc/bashrc to read -as follows: -
umask 
+ The sudoers security policy requires that users authenticate themselves before they can use sudo. +When sudoers requires authentication, it validates the invoking user's credentials. +The expected output for: +
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
+
 Defaults !targetpw
+      Defaults !rootpw
+      Defaults !runaspw 
+or if cvtsudoers not supported: +
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
+
 /etc/sudoers:Defaults !targetpw
+      /etc/sudoers:Defaults !rootpw
+      /etc/sudoers:Defaults !runaspw 
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: - -
$ sudo grep "umask" /etc/bashrc
-
-umask 
Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? + Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: +
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' 
+or if cvtsudoers not supported: +
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
+If no results are returned, this is a finding. +If conflicting results are returned, this is a finding. +If "Defaults !targetpw" is not defined, this is a finding. +If "Defaults !rootpw" is not defined, this is a finding. +If "Defaults !runaspw" is not defined, this is a finding. Is it the case that invoke user passwd when using sudo? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To ensure the default umask for users of the Bash shell is set properly, -add or correct the umask setting in /etc/bashrc to read -as follows: -
umask 
+ The sudoers security policy requires that users authenticate themselves before they can use sudo. +When sudoers requires authentication, it validates the invoking user's credentials. +The expected output for: +
 sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' 
+
 Defaults !targetpw
+      Defaults !rootpw
+      Defaults !runaspw 
+or if cvtsudoers not supported: +
 sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; 
+
 /etc/sudoers:Defaults !targetpw
+      /etc/sudoers:Defaults !rootpw
+      /etc/sudoers:Defaults !runaspw 
medium @@ -58289,29 +58488,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83424-2: All Interactive Users Home Directories Must Exist + CCE-84054-6: Prevent Unrestricted Mail Relaying Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Create home directories to all local interactive users that currently do not -have a home directory assigned. Use the following commands to create the user -home directory assigned in /etc/passwd: -
$ sudo mkdir /home/USER
+ Modify the
/etc/postfix/main.cf
file to restrict client connections +to the local network with the following command: +
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify the assigned home directories of all interactive users on the system exist with the following command: - -
$ sudo pwck -r
-
-user 'mailnull': directory 'var/spool/mqueue' does not exist
- -The output should not return any interactive users. Is it the case that users home directory does not exist? + Verify that Red Hat Enterprise Linux 8 is configured to prevent unrestricted mail relaying, +run the following command: +
$ sudo postconf -n smtpd_client_restrictions
Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Create home directories to all local interactive users that currently do not -have a home directory assigned. Use the following commands to create the user -home directory assigned in /etc/passwd: -
$ sudo mkdir /home/USER
+ Modify the
/etc/postfix/main.cf
file to restrict client connections +to the local network with the following command: +
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
medium @@ -58324,23 +58517,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82974-7: Disable Access to Network bpf() Syscall From Unprivileged Processes + CCE-81009-3: Disable Accepting ICMP Redirects for All IPv6 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
+ To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried + The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried by running the following command: -
$ sysctl kernel.unprivileged_bpf_disabled
-1. +
$ sysctl net.ipv6.conf.all.accept_redirects
+0. Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
+ To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
medium 
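Review bot: the failure question at the end of the CCE-83422-6 check text, "Is it the case that invoke user passwd when using sudo?", is not a sentence and reads as the opposite of the rule's intent, since the finding is the case where the invoking user's password is not required; suggest "Is it the case that sudo is not configured to require the invoking user's password (Defaults !targetpw, !rootpw and !runaspw are not all defined)?". In the same check, "Run the following command to Verify that ..." should use lower-case "verify", and the check's grep pattern drops the trailing "$" anchor that the description's pattern has, so the two commands should be made identical to avoid assessors comparing different outputs.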
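Review bot: the CCE-84054-6 check lacks a criterion for the empty case: "postconf -n smtpd_client_restrictions" prints nothing when the parameter is not set explicitly in main.cf (the -n flag lists only explicitly configured parameters), but the finding condition only covers output that "contains any entries other than permit_mynetworks and reject". State that no output is also a finding, otherwise a Postfix instance with no client restrictions configured passes the check.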
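Review bot: the CCE-81009-3 check verifies only the runtime value with "sysctl net.ipv6.conf.all.accept_redirects", while the fix text also requires a persistent line in /etc/sysctl.d; add a check of the persistent configuration (for example a grep for accept_redirects across /etc/sysctl.conf and /etc/sysctl.d/*.conf) so that a value that only holds until the next reboot is not reported as compliant. The expected output is also rendered as a bare "0." after the command; show it as the full "net.ipv6.conf.all.accept_redirects = 0" line that sysctl prints.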
@@ -58353,29 +58546,42 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81044-0: Ensure /home Located On Separate Partition + CCE-85987-6: Only Authorized Local User Accounts Exist on Operating System Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - If user home directories will be stored locally, create a separate partition -for /home at installation time (or migrate it later using LVM). If -/home will be mounted from another system such as an NFS server, then -creating a separate partition is not necessary at installation time, and the -mountpoint can instead be configured later. + Enterprise Application tends to use the server or virtual machine exclusively. +Besides the default operating system user, there should be only authorized local +users required by the installed software groups and applications that exist on +the operating system. 
The authorized user list can be customized in the refine +value variable var_accounts_authorized_local_users_regex. +OVAL regular expression is used for the user list. +Configure the system so all accounts on the system are assigned to an active system, +application, or user account. Remove accounts that do not support approved system +activities or that allow for a normal user to perform administrative-level actions. +To remove unauthorized system accounts, use the following command: +
$ sudo userdel unauthorized_user
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that a separate file system/partition has been created for /home with the following command: - -
$ mountpoint /home
- Is it the case that "/home is not a mountpoint" is returned? + To verify that there are no unauthorized local user accounts, run the following command: +
$ less /etc/passwd 
+Inspect the results, and if unauthorized local user accounts exist, remove them by running +the following command: +
$ sudo userdel unauthorized_user
Is it the case that there are unauthorized local user accounts on the system? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - If user home directories will be stored locally, create a separate partition -for /home at installation time (or migrate it later using LVM). If -/home will be mounted from another system such as an NFS server, then -creating a separate partition is not necessary at installation time, and the -mountpoint can instead be configured later. - low + Enterprise Application tends to use the server or virtual machine exclusively. +Besides the default operating system user, there should be only authorized local +users required by the installed software groups and applications that exist on +the operating system. The authorized user list can be customized in the refine +value variable var_accounts_authorized_local_users_regex. +OVAL regular expression is used for the user list. +Configure the system so all accounts on the system are assigned to an active system, +application, or user account. Remove accounts that do not support approved system +activities or that allow for a normal user to perform administrative-level actions. +To remove unauthorized system accounts, use the following command: +
$ sudo userdel unauthorized_user
+ medium @@ -58423,140 +58629,33 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80649-7: Verify Only Root Has UID 0 - - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. - -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - If any account other than root has a UID of 0, this misconfiguration should -be investigated and the accounts other than root should be removed or have -their UID changed. -
-If the account is associated with system commands or applications the UID -should be changed to one greater than "0" but less than "1000." -Otherwise assign a UID greater than "1000" that has not already been -assigned. - Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that only the "root" account has a UID "0" assignment with the -following command: -
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
-
root
Is it the case that any accounts other than "root" have a UID of "0"? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - If any account other than root has a UID of 0, this misconfiguration should -be investigated and the accounts other than root should be removed or have -their UID changed. -
-If the account is associated with system commands or applications the UID -should be changed to one greater than "0" but less than "1000." -Otherwise assign a UID greater than "1000" that has not already been -assigned. - high - - - - - - - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - - CCE-80834-5: Disable SCTP Support - - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. - -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The Stream Control Transmission Protocol (SCTP) is a -transport layer protocol, designed to support the idea of -message-oriented communication, with several streams of messages -within one connection. - -To configure the system to prevent the sctp -kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: -
install sctp /bin/true
- -To configure the system to prevent the sctp from being used, -add the following line to file /etc/modprobe.d/sctp.conf: -
blacklist sctp
- Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - -If the system is configured to prevent the loading of the sctp kernel module, -it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. -These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - -These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword. - -Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: -
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The Stream Control Transmission Protocol (SCTP) is a -transport layer protocol, designed to support the idea of -message-oriented communication, with several streams of messages -within one connection. - -To configure the system to prevent the sctp -kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: -
install sctp /bin/true
- -To configure the system to prevent the sctp from being used, -add the following line to file /etc/modprobe.d/sctp.conf: -
blacklist sctp
- medium - - - - - - - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - - CCE-80785-9: Disable Ctrl-Alt-Del Reboot Activation + CCE-80784-2: Disable Ctrl-Alt-Del Burst Action Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed. +key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

-To configure the system to ignore the Ctrl-Alt-Del key sequence from the +To configure the system to ignore the CtrlAltDelBurstAction -command line instead of rebooting the system, do either of the following: -
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
-or -
systemctl mask ctrl-alt-del.target
-

-Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, -as this file may be restored during future system updates. +setting, add or modify the following to /etc/systemd/system.conf: +
CtrlAltDelBurstAction=none
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check -that the ctrl-alt-del.target is masked and not active with the following -command: -
sudo systemctl status ctrl-alt-del.target
-The output should indicate that the target is masked and not active. It -might resemble following output: -
ctrl-alt-del.target
-Loaded: masked (/dev/null; bad)
-Active: inactive (dead)
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? + To ensure the system is configured to ignore the Ctrl-Alt-Del setting, +enter the following command: +
$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
+The output should return: +
CtrlAltDelBurstAction=none
Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. By default, SystemD will reboot the system if the Ctrl-Alt-Del -key sequence is pressed. +key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

-To configure the system to ignore the Ctrl-Alt-Del key sequence from the +To configure the system to ignore the CtrlAltDelBurstAction -command line instead of rebooting the system, do either of the following: -
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
-or -
systemctl mask ctrl-alt-del.target
-

-Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, -as this file may be restored during future system updates. +setting, add or modify the following to /etc/systemd/system.conf: +
CtrlAltDelBurstAction=none
high 
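Review bot: the CCE-85987-6 check ("less /etc/passwd", then userdel) gives the assessor no pass/fail criterion: the description says the authorized list is the OVAL regular expression in var_accounts_authorized_local_users_regex, but the check text never says to compare the accounts against it, so reference the variable (or the site's approved account list) in the check. Also, "Enterprise Application tends to use the server" should read "Enterprise applications tend to use the server", and since "userdel unauthorized_user" without -r leaves the account's home directory and mail spool in place, the remediation should say so if full removal is intended.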
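Review bot: in the CCE-80784-2 check, "grep -i ctrlaltdelburstaction /etc/systemd/system.conf" will also return the commented default line "#CtrlAltDelBurstAction=reboot" that ships in system.conf, so "The output should return: CtrlAltDelBurstAction=none" must state that only an uncommented line counts (an anchored pattern such as '^CtrlAltDelBurstAction=none' removes the ambiguity), and drop-in files under /etc/systemd/system.conf.d, which can override system.conf, are not examined at all. The description sentence "key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds" repeats the key name and should read "key sequence is pressed more than 7 times in 2 seconds", and the failure question ends with ".?". Separately, this hunk drops CCE-80649-7 (Verify Only Root Has UID 0) and CCE-80834-5 (Disable SCTP Support) from the SRG-OS-000480-GPOS-00227 mapping with no replacement entries; confirm that is an intended profile change rather than a rendering regression before the automated publish is accepted.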
@@ -58569,33 +58668,39 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80664-6: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + CCE-86377-9: Ensure sudo only includes the default configuration directory Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To configure the number of retry prompts that are permitted per-session: - -Edit the /etc/security/pwquality.conf to include + Administrators can configure authorized sudo users via drop-in files, and it is possible to include +other directories and configuration files from the file currently being parsed. -retry=, or a lower value if site -policy is more restrictive. The DoD requirement is a maximum of 3 prompts -per session. +Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, +or that no drop-in file is included. 
+Either the /etc/sudoers should contain only one #includedir directive pointing to +/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; +Or the /etc/sudoers should not contain any #include, +@include, #includedir or @includedir directives. +Note that the '#' character doesn't denote a comment in the configuration file. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify Red Hat Enterprise Linux 8 is configured to limit the "pwquality" retry option to . - - -Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command: -
$ grep retry /etc/security/pwquality.conf
Is it the case that the value of "retry" is set to "0" or greater than "", or is missing? + To determine whether sudo command includes configuration files from the appropriate directory, +run the following command: +
$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d
+If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. +Any other line returned is a finding. Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To configure the number of retry prompts that are permitted per-session: - -Edit the /etc/security/pwquality.conf to include + Administrators can configure authorized sudo users via drop-in files, and it is possible to include +other directories and configuration files from the file currently being parsed. -retry=, or a lower value if site -policy is more restrictive. The DoD requirement is a maximum of 3 prompts -per session. +Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, +or that no drop-in file is included. +Either the /etc/sudoers should contain only one #includedir directive pointing to +/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; +Or the /etc/sudoers should not contain any #include, +@include, #includedir or @includedir directives. +Note that the '#' character doesn't denote a comment in the configuration file. medium 
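Review bot: in the CCE-86377-9 check question, "/etc/sudores.d" is a typo for "/etc/sudoers.d" and the sentence ends with "??". The check also accepts only the literal "/etc/sudoers:#includedir /etc/sudoers.d" line, while the description lists "@includedir" as an equivalent directive form (sudo 1.9.1 and later accept both spellings), so a sudoers file using "@includedir /etc/sudoers.d" would be reported as a finding; either accept both forms in the check text or state explicitly that only the "#" form is permitted.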
@@ -58608,106 +58713,56 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-85888-6: All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive + CCE-80865-9: Ensure Software Patches Installed Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Set the mode on files and directories in the local interactive user home -directory with the following command: -
$ sudo chmod 0750 /home/USER/FILE_DIR
-Files that begin with a "." are excluded from this requirement. + +If the system is joined to the Red Hat Network, a Red Hat Satellite Server, +or a yum server, run the following command to install updates: +
$ sudo yum update
+If the system is not configured to use one of these sources, updates (in the form of RPM packages) +can be manually downloaded from the Red Hat Network and installed using rpm. + +

+NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy +dictates. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify all files and directories contained in interactive user home -directory, excluding local initialization files, have a mode of 0750, -run the following command: -
$ sudo ls -lLR /home/USER
Is it the case that home directory files or folders have incorrect permissions? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Set the mode on files and directories in the local interactive user home -directory with the following command: -
$ sudo chmod 0750 /home/USER/FILE_DIR
-Files that begin with a "." are excluded from this requirement. - medium - - - - - - - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + Verify Red Hat Enterprise Linux 8 security patches and updates are installed and up to date. +Updates are required to be applied with a frequency determined by organizational policy. - CCE-82730-3: Ensure /var/tmp Located On Separate Partition - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. +It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The /var/tmp directory is a world-writable directory used -for temporary file storage. Ensure it has its own partition or -logical volume at installation time, or migrate it using LVM. 
- Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that a separate file system/partition has been created for /var/tmp with the following command: -
$ mountpoint /var/tmp
- Is it the case that "/var/tmp is not a mountpoint" is returned? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The /var/tmp directory is a world-writable directory used -for temporary file storage. Ensure it has its own partition or -logical volume at installation time, or migrate it using LVM. - medium - - - - +Check that the available package security updates have been installed on the system with the following command: - - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. +$ sudo yum history list | more - CCE-80944-2: Enable page allocator poisoning +Loaded plugins: langpacks, product-id, subscription-manager +ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- +70 | install aide | 2020-03-05 10:58 | Install | 1 +69 | update -y | 2020-03-04 14:34 | Update | 18 EE +68 | install vlc | 2020-02-21 17:12 | Install | 21 +67 | update -y | 2020-02-21 17:04 | Update | 7 EE - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. -Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To enable poisoning of free pages, -add the argument page_poison=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that page_poison=1 is added as a kernel command line -argument to newly installed kernels, add page_poison=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
- Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Inspect the form of default GRUB 2 command line for the Linux operating system -in /etc/default/grub. If it includes page_poison=1, -then the parameter will be configured for newly installed kernels. -First check if the GRUB recovery is enabled: -
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command: -
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub
-If the recovery is disabled, check the line with -
$ sudo grep 'GRUB_CMDLINE_LINUX.*page_poison=1.*' /etc/default/grub
.Moreover, command line parameters for currently installed kernels should be checked as well. -Run the following command: -
$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'
-The command should not return any output. Is it the case that page allocator poisoning is not enabled? +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. Is it the case that Red Hat Enterprise Linux 8 is in non-compliance with the organizational patching policy? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To enable poisoning of free pages, -add the argument page_poison=1 to the default -GRUB 2 command line for the Linux operating system. -To ensure that page_poison=1 is added as a kernel command line -argument to newly installed kernels, add page_poison=1 to the -default Grub2 command line for Linux operating systems. Modify the line within -/etc/default/grub as shown below: -
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
-Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
+ +If the system is joined to the Red Hat Network, a Red Hat Satellite Server, +or a yum server, run the following command to install updates: +
$ sudo yum update
+If the system is not configured to use one of these sources, updates (in the form of RPM packages) +can be manually downloaded from the Red Hat Network and installed using rpm. + +

+NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy +dictates. medium @@ -58720,45 +58775,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84058-7: Prevent remote hosts from connecting to the proxy display + CCE-84038-9: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The SSH daemon should prevent remote hosts from connecting to the proxy -display. -
-The default SSH configuration for X11UseLocalhost is yes, -which prevents remote hosts from connecting to the proxy display. -
-To explicitly prevent remote connections to the proxy display, add or correct -the following line in - - -/etc/ssh/sshd_config: - -X11UseLocalhost yes + Change the mode of interactive users home directories to 0750. To +change the mode of interactive users home directory, use the +following command: +
$ sudo chmod 0750 /home/USER
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: - -
$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config
- -If a line indicating yes is returned, then the required value is set. Is it the case that the display proxy is listening on wildcard address? + To verify the assigned home directory of all interactive user home directories +have a mode of
0750
or less permissive, run the following command: +
$ sudo ls -l /home
+Inspect the output for any directories with incorrect permissions. Is it the case that they are more permissive? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The SSH daemon should prevent remote hosts from connecting to the proxy -display. -
-The default SSH configuration for X11UseLocalhost is yes, -which prevents remote hosts from connecting to the proxy display. -
-To explicitly prevent remote connections to the proxy display, add or correct -the following line in - - -/etc/ssh/sshd_config: - -X11UseLocalhost yes + Change the mode of interactive users home directories to 0750. To +change the mode of interactive users home directory, use the +following command: +
$ sudo chmod 0750 /home/USER
medium 
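Review bot: the check for CCE-84038-9 (`$ sudo ls -l /home`) only inspects directories that happen to live under /home, so an interactive user whose home is defined elsewhere in /etc/passwd (the CCE-84036-3 rule further down in this same diff explicitly accepts paths such as /remote/users/user) is never examined, and `ls -l` leaves the "0750 or less permissive" comparison to the reader's eye. Suggest deriving the directory list from /etc/passwd and printing octal modes, e.g. `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd | xargs -r stat -c '%a %n'`, and stating that any directory whose group bits exceed 5 or whose other bits are non-zero is a finding.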
@@ -58805,61 +58841,29 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80853-5: Ensure /var/log Located On Separate Partition + CCE-80947-5: The Installed Operating System Is Vendor Supported Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - System logs are stored in the /var/log directory. + The installed operating system must be maintained by a vendor. -Ensure that /var/log has its own partition or logical -volume at installation time, or migrate it using LVM. +Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise +Linux vendor, Red Hat, Inc. is responsible for providing security patches. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. 
- Verify that a separate file system/partition has been created for /var/log with the following command: - -
$ mountpoint /var/log
- Is it the case that "/var/log is not a mountpoint" is returned? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - System logs are stored in the /var/log directory. - -Ensure that /var/log has its own partition or logical -volume at installation time, or migrate it using LVM. - low - - - - - - - CCI-000366 - SRG-OS-000480-GPOS-00227 - TBD - Assigned by DISA after STIG release - The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - - CCE-80859-2: Ensure cron Is Logging To Rsyslog + To verify that the installed operating system is supported, run +the following command: - Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. +
$ grep -i "red hat" /etc/redhat-release
-Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Cron logging must be implemented to spot intrusions or trace -cron job status. If cron is not logging to rsyslog, it -can be implemented by adding the following to the RULES section of -/etc/rsyslog.conf: -
cron.*                                                  /var/log/cron
- Applicable - Configurable - Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that cron is logging to rsyslog, -run the following command: -
grep -rni "cron\.\*" /etc/rsyslog.*
-
cron.*                                                  /var/log/cron
Is it the case that cron is not logging to rsyslog? +
Red Hat Enterprise Linux 8
Is it the case that the installed operating system is not supported? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Cron logging must be implemented to spot intrusions or trace -cron job status. If cron is not logging to rsyslog, it -can be implemented by adding the following to the RULES section of -/etc/rsyslog.conf: -
cron.*                                                  /var/log/cron
- medium + The installed operating system must be maintained by a vendor. + +Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise +Linux vendor, Red Hat, Inc. is responsible for providing security patches. + high @@ -58871,33 +58875,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81035-8: Ensure the Default Umask is Set Correctly in /etc/profile + CCE-80920-2: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To ensure the default umask controlled by /etc/profile is set properly, -add or correct the umask setting in /etc/profile to read as follows: -
umask 
- -Note that /etc/profile also reads scrips within /etc/profile.d directory. -These scripts are also valid files to set umask value. Therefore, they should also be -considered during the check and properly remediated, if necessary. + To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify the umask setting is configured correctly in the /etc/profile file -or scripts within /etc/profile.d directory with the following command: -
$ grep "umask" /etc/profile*
-
umask 
Is it the case that the value for the "umask" parameter is not "", -or the "umask" parameter is missing or is commented out? + The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv4.conf.default.accept_source_route
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To ensure the default umask controlled by /etc/profile is set properly, -add or correct the umask setting in /etc/profile to read as follows: -
umask 
- -Note that /etc/profile also reads scrips within /etc/profile.d directory. -These scripts are also valid files to set umask value. Therefore, they should also be -considered during the check and properly remediated, if necessary. + To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
medium 
@@ -58910,37 +58904,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82742-8: Add nodev Option to Removable Media Partitions + CCE-84052-0: Mount Remote Filesystems with nodev Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The nodev mount option prevents files from being -interpreted as character or block devices. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions. + Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts. 
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: - -$ sudo more /etc/fstab - -UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set? + To verify the nodev option is configured for all NFS mounts, run +the following command: +
$ mount | grep nfs
+All NFS mounts should show the nodev setting in parentheses. This +is not applicable if NFS is not implemented. Is it the case that the setting does not show? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The nodev mount option prevents files from being -interpreted as character or block devices. -Legitimate character and block devices should exist only in -the /dev directory on the root partition or within chroot -jails built for system services. -Add the nodev option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions. + Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of +any NFS mounts. medium 
@@ -58953,35 +58933,19 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82746-9: Add noexec Option to Removable Media Partitions + CCE-82414-4: Uninstall vsftpd Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The noexec mount option prevents the direct execution of binaries -on the mounted filesystem. Preventing the direct execution of binaries from -removable media (such as a USB key) provides a defense against malicious -software that may be present on such untrusted media. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions. + The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that binaries cannot be directly executed from removable media, run the following command: -
$ grep -v noexec /etc/fstab
-The resulting output will show partitions which do not have the noexec flag. Verify all partitions -in the output are not removable media. Is it the case that removable media partitions are present? + Run the following command to determine if the vsftpd package is installed: +
$ rpm -q vsftpd
Is it the case that the package is installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The noexec mount option prevents the direct execution of binaries -on the mounted filesystem. Preventing the direct execution of binaries from -removable media (such as a USB key) provides a defense against malicious -software that may be present on such untrusted media. -Add the noexec option to the fourth column of -/etc/fstab for the line which controls mounting of - - any removable media partitions. - medium + The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
+ high @@ -58993,44 +58957,33 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80897-2: Disable GSSAPI Authentication + CCE-84036-3: All Interactive Users Must Have A Home Directory Defined Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like GSSAPI. -
-The default SSH configuration disallows authentications based on GSSAPI. The appropriate -configuration is used if no value is set for GSSAPIAuthentication. -
-To explicitly disable GSSAPI authentication, add or correct the following line in - - -/etc/ssh/sshd_config: + Assign home directories to all interactive users that currently do not +have a home directory assigned. -
GSSAPIAuthentication no
+This rule checks if the home directory is properly defined in a folder which has +at least one parent folder, like "user" in "/home/user" or "/remote/users/user". +Therefore, this rule will report a finding for home directories like /users, +/tmp or /. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: + Verify that interactive users on the system have a home directory assigned with the following command: -
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
+
$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
-If a line indicating no is returned, then the required value is set. - Is it the case that the required value is not set? +Inspect the output and verify that all interactive users (normally users with a UID greater than 1000) have a home directory defined. Is it the case that users home directory is not defined? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Unless needed, SSH should not permit extraneous or unnecessary -authentication mechanisms like GSSAPI. -
-The default SSH configuration disallows authentications based on GSSAPI. The appropriate -configuration is used if no value is set for GSSAPIAuthentication. -
-To explicitly disable GSSAPI authentication, add or correct the following line in - - -/etc/ssh/sshd_config: + Assign home directories to all interactive users that currently do not +have a home directory assigned. -
GSSAPIAuthentication no
+This rule checks if the home directory is properly defined in a folder which has +at least one parent folder, like "user" in "/home/user" or "/remote/users/user". +Therefore, this rule will report a finding for home directories like /users, +/tmp or /. medium @@ -59043,23 +58996,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81011-9: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + CCE-82974-7: Disable Access to Network bpf() Syscall From Unprivileged Processes Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
+ To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried + The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried by running the following command: -
$ sysctl net.ipv4.conf.all.accept_source_route
-0. +
$ sysctl kernel.unprivileged_bpf_disabled
+1. Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
+ To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
medium @@ -59072,66 +59025,37 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80863-4: Ensure Logs Sent To Remote Host + CCE-82742-8: Add nodev Option to Removable Media Partitions Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To configure rsyslog to send logs to a remote log server, -open /etc/rsyslog.conf and read and understand the last section of the file, -which describes the multiple directives necessary to activate remote -logging. -Along with these other directives, the system can be configured -to forward its logs to a particular log server by -adding or correcting one of the following lines, -substituting appropriately. -The choice of protocol depends on the environment of the system; -although TCP and RELP provide more reliable message delivery, -they may not be supported in all environments. -
-To use UDP for log message delivery: -
*.* @
-
-To use TCP for log message delivery: -
*.* @@
-
-To use RELP for log message delivery: -
*.* :omrelp:
-
-There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. + The nodev mount option prevents files from being +interpreted as character or block devices. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To ensure logs are sent to a remote host, examine the file -/etc/rsyslog.conf. -If using UDP, a line similar to the following should be present: -
 *.* @
-If using TCP, a line similar to the following should be present: -
 *.* @@
-If using RELP, a line similar to the following should be present: -
 *.* :omrelp:
Is it the case that no evidence that the audit logs are being off-loaded to another system or media? + Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: + +$ sudo more /etc/fstab + +UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To configure rsyslog to send logs to a remote log server, -open /etc/rsyslog.conf and read and understand the last section of the file, -which describes the multiple directives necessary to activate remote -logging. -Along with these other directives, the system can be configured -to forward its logs to a particular log server by -adding or correcting one of the following lines, -substituting appropriately. -The choice of protocol depends on the environment of the system; -although TCP and RELP provide more reliable message delivery, -they may not be supported in all environments. -
-To use UDP for log message delivery: -
*.* @
-
-To use TCP for log message delivery: -
*.* @@
-
-To use RELP for log message delivery: -
*.* :omrelp:
-
-There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. + The nodev mount option prevents files from being +interpreted as character or block devices. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions. medium @@ -59173,25 +59097,60 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84039-7: User Initialization Files Must Not Run World-Writable Programs + CCE-83425-9: The operating system must restrict privilege elevation to authorized personnel Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Set the mode on files being executed by the user initialization files with the -following command: -
$ sudo chmod o-w FILE
+ The sudo command allows a user to execute programs with elevated +(administrator) privileges. It prompts the user for their password +and confirms your request to execute a command by checking a file, +called sudoers. +Restrict privileged actions by removing the following entries from the sudoers file: +ALL ALL=(ALL) ALL +ALL ALL=(ALL:ALL) ALL Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that local initialization files do not execute world-writable programs with the following command: + Determine if "sudoers" file restricts sudo access run the following commands: +
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
+
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
Is it the case that either of the commands returned a line? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + The sudo command allows a user to execute programs with elevated +(administrator) privileges. It prompts the user for their password +and confirms your request to execute a command by checking a file, +called sudoers. +Restrict privileged actions by removing the following entries from the sudoers file: +ALL ALL=(ALL) ALL +ALL ALL=(ALL:ALL) ALL + medium + + + + -Note: The example will be for a system that is configured to create user home directories in the "/home" directory. + + CCI-000366 + SRG-OS-000480-GPOS-00227 + TBD - Assigned by DISA after STIG release + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. -
$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
Is it the case that any local initialization files are found to reference world-writable files? + CCE-80916-0: Enable Randomized Layout of Virtual Address Space + + Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
+ Applicable - Configurable + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + The runtime status of the kernel.randomize_va_space kernel parameter can be queried +by running the following command: +
$ sysctl kernel.randomize_va_space
+2. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Set the mode on files being executed by the user initialization files with the -following command: -
$ sudo chmod o-w FILE
+ To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
medium @@ -59204,26 +59163,37 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-84038-9: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive + CCE-82744-4: Add nosuid Option to Removable Media Partitions Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Change the mode of interactive users home directories to 0750. To -change the mode of interactive users home directory, use the -following command: -
$ sudo chmod 0750 /home/USER
+ The nosuid mount option prevents set-user-identifier (SUID) +and set-group-identifier (SGID) permissions from taking effect. These permissions +allow users to execute binaries with the same permissions as the owner and group +of the file respectively. Users should not be allowed to introduce SUID and SGID +files into the system via partitions mounted from removeable media. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify the assigned home directory of all interactive user home directories -have a mode of
0750
or less permissive, run the following command: -
$ sudo ls -l /home
-Inspect the output for any directories with incorrect permissions. Is it the case that they are more permissive? + Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: + +$ sudo more /etc/fstab + +UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Change the mode of interactive users home directories to 0750. To -change the mode of interactive users home directory, use the -following command: -
$ sudo chmod 0750 /home/USER
+ The nosuid mount option prevents set-user-identifier (SUID) +and set-group-identifier (SGID) permissions from taking effect. These permissions +allow users to execute binaries with the same permissions as the owner and group +of the file respectively. Users should not be allowed to introduce SUID and SGID +files into the system via partitions mounted from removeable media. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions. medium 
@@ -59236,41 +59206,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-85987-6: Only Authorized Local User Accounts Exist on Operating System + CCE-81015-0: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Enterprise Application tends to use the server or virtual machine exclusively. -Besides the default operating system user, there should be only authorized local -users required by the installed software groups and applications that exist on -the operating system. The authorized user list can be customized in the refine -value variable var_accounts_authorized_local_users_regex. -OVAL regular expression is used for the user list. -Configure the system so all accounts on the system are assigned to an active system, -application, or user account. 
Remove accounts that do not support approved system -activities or that allow for a normal user to perform administrative-level actions. -To remove unauthorized system accounts, use the following command: -
$ sudo userdel unauthorized_user
+ To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that there are no unauthorized local user accounts, run the following command: -
$ less /etc/passwd 
-Inspect the results, and if unauthorized local user accounts exist, remove them by running -the following command: -
$ sudo userdel unauthorized_user
Is it the case that there are unauthorized local user accounts on the system? + The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv6.conf.default.accept_source_route
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Enterprise Application tends to use the server or virtual machine exclusively. -Besides the default operating system user, there should be only authorized local -users required by the installed software groups and applications that exist on -the operating system. The authorized user list can be customized in the refine -value variable var_accounts_authorized_local_users_regex. -OVAL regular expression is used for the user list. -Configure the system so all accounts on the system are assigned to an active system, -application, or user account. Remove accounts that do not support approved system -activities or that allow for a normal user to perform administrative-level actions. -To remove unauthorized system accounts, use the following command: -
$ sudo userdel unauthorized_user
+ To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
medium @@ -59283,33 +59235,34 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83434-1: All Interactive User Home Directories Must Be Group-Owned By The Primary Group + CCE-82746-9: Add noexec Option to Removable Media Partitions Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Change the group owner of interactive users home directory to the -group found in /etc/passwd. To change the group owner of -interactive users home directory, use the following command: -
$ sudo chgrp USER_GROUP /home/USER
+ The noexec mount option prevents the direct execution of binaries +on the mounted filesystem. Preventing the direct execution of binaries from +removable media (such as a USB key) provides a defense against malicious +software that may be present on such untrusted media. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of -This rule ensures every home directory related to an interactive user is -group-owned by an interactive user. It also ensures that interactive users -are group-owners of one and only one home directory. + any removable media partitions. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify the assigned home directory of all interactive users is group- -owned by that users primary GID, run the following command: -
# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)
Is it the case that the group ownership is incorrect? + To verify that binaries cannot be directly executed from removable media, run the following command: +
$ grep -v noexec /etc/fstab
+The resulting output will show partitions which do not have the noexec flag. Verify all partitions +in the output are not removable media. Is it the case that removable media partitions are present? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Change the group owner of interactive users home directory to the -group found in /etc/passwd. To change the group owner of -interactive users home directory, use the following command: -
$ sudo chgrp USER_GROUP /home/USER
+ The noexec mount option prevents the direct execution of binaries +on the mounted filesystem. Preventing the direct execution of binaries from +removable media (such as a USB key) provides a defense against malicious +software that may be present on such untrusted media. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of -This rule ensures every home directory related to an interactive user is -group-owned by an interactive user. It also ensures that interactive users -are group-owners of one and only one home directory. + any removable media partitions. medium 
@@ -59322,29 +59275,26 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80947-5: The Installed Operating System Is Vendor Supported + CCE-82215-5: Disable storing core dumps Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The installed operating system must be maintained by a vendor. - -Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise -Linux vendor, Red Hat, Inc. is responsible for providing security patches. + To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
$ sudo sysctl -w kernel.core_pattern=|/bin/false
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that the installed operating system is supported, run -the following command: - -
$ grep -i "red hat" /etc/redhat-release
- -
Red Hat Enterprise Linux 8
Is it the case that the installed operating system is not supported? + The runtime status of the kernel.core_pattern kernel parameter can be queried +by running the following command: +
$ sysctl kernel.core_pattern
+|/bin/false. + Is it the case that the returned line does not have a value of "|/bin/false", or a line is not +returned and the need for core dumps is not documented with the Information +System Security Officer (ISSO) as an operational requirement? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The installed operating system must be maintained by a vendor. - -Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise -Linux vendor, Red Hat, Inc. is responsible for providing security patches. - high + To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
$ sudo sysctl -w kernel.core_pattern=|/bin/false
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
+ medium @@ -59390,41 +59340,23 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82211-4: Disable the use of user namespaces + CCE-82252-8: Disable storing core dump Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the user.max_user_namespaces kernel parameter, -run the following command: -
$ sudo sysctl -w user.max_user_namespaces=0
- -To make sure that the setting is persistent, -add the following line to a file in the directory /etc/sysctl.d: -
user.max_user_namespaces = 0
-When containers are deployed on the machine, the value should be set -to large non-zero value. + The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf +can be set to none to disable storing core dumps permanently. Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that Red Hat Enterprise Linux 8 disables the use of user namespaces with the following commands: + Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command: -Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. +$ grep -i storage /etc/systemd/coredump.conf -The runtime status of the user.max_user_namespaces kernel parameter can be queried -by running the following command: -
$ sysctl user.max_user_namespaces
-0. - Is it the case that the correct value is not returned? +Storage=none Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the user.max_user_namespaces kernel parameter, -run the following command: -
$ sudo sysctl -w user.max_user_namespaces=0
- -To make sure that the setting is persistent, -add the following line to a file in the directory /etc/sysctl.d: -
user.max_user_namespaces = 0
-When containers are deployed on the machine, the value should be set -to large non-zero value. + The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf +can be set to none to disable storing core dumps permanently. medium @@ -59437,29 +59369,24 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82201-5: Resolve information before writing to audit logs + CCE-81007-7: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To configure Audit daemon to resolve all uid, gid, syscall, -architecture, and socket address information before writing the -events to disk, set log_format to ENRICHED -in /etc/audit/auditd.conf. + To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To verify that Audit Daemon is configured to resolve all uid, gid, syscall, -architecture, and socket address information before writing the event to disk, -run the following command: -
$ sudo grep log_format /etc/audit/auditd.conf
-The output should return the following: -
log_format = ENRICHED
Is it the case that log_format isn't set to ENRICHED? + The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried +by running the following command: +
$ sysctl net.ipv6.conf.default.accept_ra
+0. + Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To configure Audit daemon to resolve all uid, gid, syscall, -architecture, and socket address information before writing the -events to disk, set log_format to ENRICHED -in /etc/audit/auditd.conf. - low + To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
+ medium @@ -59471,26 +59398,38 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-82215-5: Disable storing core dumps + CCE-84220-3: Configure AIDE to Verify Access Control Lists (ACLs) Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
$ sudo sysctl -w kernel.core_pattern=|/bin/false
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
+ By default, the acl option is added to the FIPSR ruleset in AIDE. +If using a custom ruleset or the acl option is missing, add acl +to the appropriate ruleset. +For example, add acl to the following line in /etc/aide.conf: +
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+AIDE rules can be configured in multiple ways; this is merely one example that is already +configured by default. + +The remediation provided with this rule adds acl to all rule sets available in +/etc/aide.conf Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the kernel.core_pattern kernel parameter can be queried -by running the following command: -
$ sysctl kernel.core_pattern
-|/bin/false. - Is it the case that the returned line does not have a value of "|/bin/false", or a line is not -returned and the need for core dumps is not documented with the Information -System Security Officer (ISSO) as an operational requirement? - Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
$ sudo sysctl -w kernel.core_pattern=|/bin/false
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
- medium + To determine that AIDE is verifying ACLs, run the following command: +
$ grep acl /etc/aide.conf
+Verify that the acl option is added to the correct ruleset. Is it the case that the acl option is missing or not added to the correct ruleset? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + By default, the acl option is added to the FIPSR ruleset in AIDE. +If using a custom ruleset or the acl option is missing, add acl +to the appropriate ruleset. +For example, add acl to the following line in /etc/aide.conf: +
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+AIDE rules can be configured in multiple ways; this is merely one example that is already +configured by default. + +The remediation provided with this rule adds acl to all rule sets available in +/etc/aide.conf + low @@ -59502,24 +59441,28 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80916-0: Enable Randomized Layout of Virtual Address Space + CCE-84056-1: Remove User Host-Based Authentication Files Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
+ The ~/.shosts (in each user's home directory) files +list remote hosts and users that are trusted by the +local system. To remove these files, run the following command +to delete them from any location: +
$ sudo find / -name '.shosts' -type f -delete
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the kernel.randomize_va_space kernel parameter can be queried -by running the following command: -
$ sysctl kernel.randomize_va_space
-2. - Is it the case that the correct value is not returned? + To verify that there are no .shosts files +on the system, run the following command: +
$ sudo find / -name '.shosts'
Is it the case that .shosts files exist? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
- medium + The ~/.shosts (in each user's home directory) files +list remote hosts and users that are trusted by the +local system. To remove these files, run the following command +to delete them from any location: +
$ sudo find / -name '.shosts' -type f -delete
+ high @@ -59531,31 +59474,27 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83425-9: The operating system must restrict privilege elevation to authorized personnel + CCE-81036-6: Ensure the Default Bash Umask is Set Correctly Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - The sudo command allows a user to execute programs with elevated -(administrator) privileges. It prompts the user for their password -and confirms your request to execute a command by checking a file, -called sudoers. -Restrict privileged actions by removing the following entries from the sudoers file: -ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALL + To ensure the default umask for users of the Bash shell is set properly, +add or correct the umask setting in /etc/bashrc to read +as follows: +
umask 
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Determine if "sudoers" file restricts sudo access run the following commands: -
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
-
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
Is it the case that either of the commands returned a line? + Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: + +
$ sudo grep "umask" /etc/bashrc
+
+umask 
Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - The sudo command allows a user to execute programs with elevated -(administrator) privileges. It prompts the user for their password -and confirms your request to execute a command by checking a file, -called sudoers. -Restrict privileged actions by removing the following entries from the sudoers file: -ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALL + To ensure the default umask for users of the Bash shell is set properly, +add or correct the umask setting in /etc/bashrc to read +as follows: +
umask 
medium @@ -59568,38 +59507,45 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-80902-0: Disable SSH Support for User Known Hosts + CCE-82028-2: Disable ATM Support Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - SSH can allow system users to connect to systems if a cache of the remote -systems public keys is available. This should be disabled. -

-To ensure this behavior is disabled, add or correct the following line in - + The Asynchronous Transfer Mode (ATM) is a protocol operating on +network, data link, and physical layers, based on virtual circuits +and virtual paths. -/etc/ssh/sshd_config: +To configure the system to prevent the atm +kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: +
install atm /bin/true
-
IgnoreUserKnownHosts yes
+To configure the system to prevent the atm from being used, +add the following line to file /etc/modprobe.d/atm.conf: +
blacklist atm
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: + +If the system is configured to prevent the loading of the atm kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. -
$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
+These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword. -If a line indicating yes is returned, then the required value is set. - Is it the case that the required value is not set? +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +
$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - SSH can allow system users to connect to systems if a cache of the remote -systems public keys is available. This should be disabled. -

-To ensure this behavior is disabled, add or correct the following line in - + The Asynchronous Transfer Mode (ATM) is a protocol operating on +network, data link, and physical layers, based on virtual circuits +and virtual paths. -/etc/ssh/sshd_config: +To configure the system to prevent the atm +kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf: +
install atm /bin/true
-
IgnoreUserKnownHosts yes
+To configure the system to prevent the atm from being used, +add the following line to file /etc/modprobe.d/atm.conf: +
blacklist atm
medium @@ -59612,34 +59558,22 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-83380-6: Disable X Windows Startup By Setting Default Target + CCE-82968-9: Install rng-tools Package Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - Systems that do not require a graphical user interface should only boot by -default into multi-user.target mode. This prevents accidental booting of the system -into a graphical.target mode. Setting the system's default target to -multi-user.target will prevent automatic startup of the X server. To do so, run: -
$ systemctl set-default multi-user.target
-You should see the following output: -
Removed symlink /etc/systemd/system/default.target.
-Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
+ The rng-tools package can be installed with the following command: +
+$ sudo yum install rng-tools
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - Verify that Red Hat Enterprise Linux 8 is configured to boot to the command line: -
$ systemctl get-default
-
multi-user.target
Is it the case that the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface? + Run the following command to determine if the rng-tools package is installed:
$ rpm -q rng-tools
Is it the case that the package is not installed? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Systems that do not require a graphical user interface should only boot by -default into multi-user.target mode. This prevents accidental booting of the system -into a graphical.target mode. Setting the system's default target to -multi-user.target will prevent automatic startup of the X server. To do so, run: -
$ systemctl set-default multi-user.target
-You should see the following output: -
Removed symlink /etc/systemd/system/default.target.
-Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
- medium + The rng-tools package can be installed with the following command: +
+$ sudo yum install rng-tools
+ low @@ -59651,58 +59585,54 @@ TBD - Assigned by DISA after STIG release The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81006-9: Configure Accepting Router Advertisements on All IPv6 Interfaces + CCE-80922-8: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. - To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
+ To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Applicable - Configurable Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. - The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried + The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: -
$ sysctl net.ipv6.conf.all.accept_ra
-0. +
$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
+1. Is it the case that the correct value is not returned? Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
+ To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
medium - - - - - CCI-000366 - SRG-OS-000480-GPOS-00228 + SRG-OS-000480-GPOS-00227 TBD - Assigned by DISA after STIG release - The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - - CCE-81037-4: Ensure the Default C Shell Umask is Set Correctly + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. - To ensure the default umask for users of the C shell is set properly, -add or correct the umask setting in /etc/csh.cshrc to read as follows: -
umask 
- Applicable - Configurable - Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. If it does not, this is a finding. - Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: + CCE-81038-2: Disable Core Dumps for All Users -$ grep umask /etc/csh.cshrc + Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. -umask 077 -umask 077 Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? - Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - To ensure the default umask for users of the C shell is set properly, -add or correct the umask setting in /etc/csh.cshrc to read as follows: -
umask 
+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + To disable core dumps for all users, add the following line to +/etc/security/limits.conf, or to a file within the +/etc/security/limits.d/ directory: +
*     hard   core    0
+ Applicable - Configurable + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + Verify that core dumps are disabled for all users, run the following command: +
$ grep core /etc/security/limits.conf
+
*     hard   core    0
Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + To disable core dumps for all users, add the following line to +/etc/security/limits.conf, or to a file within the +/etc/security/limits.d/ directory: +
*     hard   core    0
medium @@ -59711,35 +59641,44 @@ CCI-000366 - SRG-OS-000480-GPOS-00228 + SRG-OS-000480-GPOS-00227 TBD - Assigned by DISA after STIG release - The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. - CCE-81036-6: Ensure the Default Bash Umask is Set Correctly + CCE-80788-3: Ensure PAM Displays Last Logon/Access Notification - Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. - To ensure the default umask for users of the Bash shell is set properly, -add or correct the umask setting in /etc/bashrc to read -as follows: -
umask 
+ Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. + To configure the system to notify users of last logon/access using pam_lastlog, +add or correct the pam_lastlog settings in /etc/pam.d/postlogin +to include showfailed option, such as: +
session     [default=1]    pam_lastlog.so showfailed
+And make sure that the silent option is not set for this specific line. Applicable - Configurable - Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. If it does not, this is a finding. - Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: + Verify the operating system is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding. + Verify users are provided with feedback on when account accesses last occurred with the following command: -
$ sudo grep "umask" /etc/bashrc
+
$ sudo grep pam_lastlog /etc/pam.d/postlogin
 
-umask 
Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? - Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - To ensure the default umask for users of the Bash shell is set properly, -add or correct the umask setting in /etc/bashrc to read -as follows: -
umask 
- medium +session [default=1] pam_lastlog.so showfailed
Is it the case that "pam_lastlog.so" is not properly configured in "/etc/pam.d/postlogin" file? + Configure the operating system in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. + To configure the system to notify users of last logon/access using pam_lastlog, +add or correct the pam_lastlog settings in /etc/pam.d/postlogin +to include showfailed option, such as: +
session     [default=1]    pam_lastlog.so showfailed
+And make sure that the silent option is not set for this specific line. + low + + + + + CCI-000366 SRG-OS-000480-GPOS-00228 @@ -59777,6 +59716,36 @@ + + CCI-000366 + SRG-OS-000480-GPOS-00228 + TBD - Assigned by DISA after STIG release + The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + + CCE-81037-4: Ensure the Default C Shell Umask is Set Correctly + + Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. + To ensure the default umask for users of the C shell is set properly, +add or correct the umask setting in /etc/csh.cshrc to read as follows: +
umask 
+ Applicable - Configurable + Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. If it does not, this is a finding. + Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: + +$ grep umask /etc/csh.cshrc + +umask 077 +umask 077 Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? + Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + To ensure the default umask for users of the C shell is set properly, +add or correct the umask setting in /etc/csh.cshrc to read as follows: +
umask 
+ medium + + + + + CCI-000366 SRG-OS-000480-GPOS-00228 @@ -59838,6 +59807,37 @@ + + CCI-000366 + SRG-OS-000480-GPOS-00228 + TBD - Assigned by DISA after STIG release + The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + + CCE-81036-6: Ensure the Default Bash Umask is Set Correctly + + Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. + To ensure the default umask for users of the Bash shell is set properly, +add or correct the umask setting in /etc/bashrc to read +as follows: +
umask 
+ Applicable - Configurable + Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. If it does not, this is a finding. + Verify the umask setting is configured correctly in the /etc/bashrc file with the following command: + +
$ sudo grep "umask" /etc/bashrc
+
+umask 
Is it the case that the value for the "umask" parameter is not "", or the "umask" parameter is missing or is commented out? + Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + To ensure the default umask for users of the Bash shell is set properly, +add or correct the umask setting in /etc/bashrc to read +as follows: +
umask 
+ medium + + + + + @@ -59895,43 +59895,6 @@ - - CCI-000366 - SRG-OS-000480-GPOS-00229 - TBD - Assigned by DISA after STIG release - The operating system must not allow an unattended or automatic logon to the system. - - CCE-80823-8: Disable GDM Automatic Login - - Failure to restrict system access to authenticated users negatively impacts operating system security. - The GNOME Display Manager (GDM) can allow users to automatically login without -user interaction or credentials. User should always be required to authenticate themselves -to the system that they are authorized to use. To disable user ability to automatically -login to the system, set the AutomaticLoginEnable to false in the -[daemon] section in /etc/gdm/custom.conf. For example: -
[daemon]
-AutomaticLoginEnable=false
- Applicable - Configurable - If the operating system provides a public access service, such as a kiosk, this is not applicable. Verify the operating system does not allow an unattended or automatic logon to the system. If it does, this is a finding. Automatic logon as an authorized user allows access to any user with physical access to the operating system. - To verify that automatic logins are disabled, run the following command: -
$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
-The output should show the following: -
[daemon]
-AutomaticLoginEnable=false
Is it the case that GDM allows users to automatically login? - If the operating system provides a public access service, such as a kiosk, this is not applicable. Configure the operating system to not allow an unattended or automatic logon to the system. Automatic logon as an authorized user allows access to any user with physical access to the operating system. - The GNOME Display Manager (GDM) can allow users to automatically login without -user interaction or credentials. User should always be required to authenticate themselves -to the system that they are authorized to use. To disable user ability to automatically -login to the system, set the AutomaticLoginEnable to false in the -[daemon] section in /etc/gdm/custom.conf. For example: -
[daemon]
-AutomaticLoginEnable=false
- high - - - - - CCI-000366 SRG-OS-000480-GPOS-00229 @@ -59978,36 +59941,48 @@ - - - - - CCI-000366 - SRG-OS-000480-GPOS-00230 + SRG-OS-000480-GPOS-00229 TBD - Assigned by DISA after STIG release - The operating system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. + The operating system must not allow an unattended or automatic logon to the system. - CCE-82191-8: Install fapolicyd Package + CCE-80823-8: Disable GDM Automatic Login - Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. - The fapolicyd package can be installed with the following command: -
-$ sudo yum install fapolicyd
+ Failure to restrict system access to authenticated users negatively impacts operating system security. + The GNOME Display Manager (GDM) can allow users to automatically login without +user interaction or credentials. User should always be required to authenticate themselves +to the system that they are authorized to use. To disable user ability to automatically +login to the system, set the AutomaticLoginEnable to false in the +[daemon] section in /etc/gdm/custom.conf. For example: +
[daemon]
+AutomaticLoginEnable=false
Applicable - Configurable - Verify the operating system limits the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. If it does not, this is a finding. - Run the following command to determine if the fapolicyd package is installed:
$ rpm -q fapolicyd
Is it the case that the fapolicyd package is not installed? - Configure the operating system to limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. - The fapolicyd package can be installed with the following command: -
-$ sudo yum install fapolicyd
- medium + If the operating system provides a public access service, such as a kiosk, this is not applicable. Verify the operating system does not allow an unattended or automatic logon to the system. If it does, this is a finding. Automatic logon as an authorized user allows access to any user with physical access to the operating system. + To verify that automatic logins are disabled, run the following command: +
$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
+The output should show the following: +
[daemon]
+AutomaticLoginEnable=false
Is it the case that GDM allows users to automatically login? + If the operating system provides a public access service, such as a kiosk, this is not applicable. Configure the operating system to not allow an unattended or automatic logon to the system. Automatic logon as an authorized user allows access to any user with physical access to the operating system. + The GNOME Display Manager (GDM) can allow users to automatically login without +user interaction or credentials. User should always be required to authenticate themselves +to the system that they are authorized to use. To disable user ability to automatically +login to the system, set the AutomaticLoginEnable to false in the +[daemon] section in /etc/gdm/custom.conf. For example: +
[daemon]
+AutomaticLoginEnable=false
+ high + + + + + CCI-000366 SRG-OS-000480-GPOS-00230 @@ -60040,65 +60015,35 @@ - - - - - CCI-000366 - SRG-OS-000480-GPOS-00232 + SRG-OS-000480-GPOS-00230 TBD - Assigned by DISA after STIG release - The operating system must enable an application firewall, if available. + The operating system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. - CCE-80877-4: Verify firewalld Enabled + CCE-82191-8: Install fapolicyd Package - Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. - -The firewalld service can be enabled with the following command: -
$ sudo systemctl enable firewalld.service
+ Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. + The fapolicyd package can be installed with the following command: +
+$ sudo yum install fapolicyd
Applicable - Configurable - Verify the operating system enabled an application firewall, if available. If it does not, this is a finding. If the operating system does not support an application firewall, this may be downgraded to a CAT III finding. - - -Run the following command to determine the current status of the -firewalld service: -
$ sudo systemctl is-active firewalld
-If the service is running, it should return the following:
active
Is it the case that the "firewalld" service is disabled, masked, or not started.? - Ensure the operating system's application firewall is enabled, if available. - -The firewalld service can be enabled with the following command: -
$ sudo systemctl enable firewalld.service
+ Verify the operating system limits the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. If it does not, this is a finding. + Run the following command to determine if the fapolicyd package is installed:
$ rpm -q fapolicyd
Is it the case that the fapolicyd package is not installed? + Configure the operating system to limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. + The fapolicyd package can be installed with the following command: +
+$ sudo yum install fapolicyd
medium - - CCI-000366 - SRG-OS-000480-GPOS-00232 - TBD - Assigned by DISA after STIG release - The operating system must enable an application firewall, if available. - CCE-82998-6: Install firewalld Package - Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. - The firewalld package can be installed with the following command: -
-$ sudo yum install firewalld
- Applicable - Configurable - Verify the operating system enabled an application firewall, if available. If it does not, this is a finding. If the operating system does not support an application firewall, this may be downgraded to a CAT III finding. - Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? - Ensure the operating system's application firewall is enabled, if available. - The firewalld package can be installed with the following command: -
-$ sudo yum install firewalld
- medium - - - - + + CCI-000366 @@ -60169,6 +60114,61 @@ + + CCI-000366 + SRG-OS-000480-GPOS-00232 + TBD - Assigned by DISA after STIG release + The operating system must enable an application firewall, if available. + + CCE-82998-6: Install firewalld Package + + Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. + The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
+ Applicable - Configurable + Verify the operating system enabled an application firewall, if available. If it does not, this is a finding. If the operating system does not support an application firewall, this may be downgraded to a CAT III finding. + Run the following command to determine if the firewalld package is installed:
$ rpm -q firewalld
Is it the case that the package is not installed? + Ensure the operating system's application firewall is enabled, if available. + The firewalld package can be installed with the following command: +
+$ sudo yum install firewalld
+ medium + + + + + + + CCI-000366 + SRG-OS-000480-GPOS-00232 + TBD - Assigned by DISA after STIG release + The operating system must enable an application firewall, if available. + + CCE-80877-4: Verify firewalld Enabled + + Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. + +The firewalld service can be enabled with the following command: +
$ sudo systemctl enable firewalld.service
+ Applicable - Configurable + Verify the operating system enabled an application firewall, if available. If it does not, this is a finding. If the operating system does not support an application firewall, this may be downgraded to a CAT III finding. + + +Run the following command to determine the current status of the +firewalld service: +
$ sudo systemctl is-active firewalld
+If the service is running, it should return the following:
active
Is it the case that the "firewalld" service is disabled, masked, or not started.? + Ensure the operating system's application firewall is enabled, if available. + +The firewalld service can be enabled with the following command: +
$ sudo systemctl enable firewalld.service
+ medium + + + + +